and their idrac based firmware updater downloads http(s)://downloads.dell.com/Catalog/Catalog.xml.gz without checking the signature -- and by default without verifying https certificates when using https :D
>Bad news: Dell is posting unsigned update executables to their website labeled “critical” which then fail to install due to the good news
If I were a hacker with no access to the signing keys, I'd probably label my updates as critical too, so you would try to find a way around the update signing.
So basically you're targeting a tiny fraction of power users who are capable and motivated to find and exploit a vulnerability on their own machine which bypasses update signing.
I think you'll find more bang for your malicious buck elsewhere.
So wouldn't this logic also apply to updates that are signed with an invalid signature? And at that point, it sounds like you're saying that once something is signed and distributed, no one will ever try to compromise that and you're free and clear for the rest of time, which seems...dubious.
My mental model is that requiring updates to be signed delivers a lot of security bang for your buck. Do you disagree?
An attacker can still steal the private key, or identify a flaw in the signature checking code. It looks like there are a variety of other, more constrained attacks: https://theupdateframework.io/docs/security/#attacks-and-wea... But overall, it seems to me that you can make an attacker's life considerably more difficult, for a comparatively small effort.
I don't disagree with everything you said, but I don't see how "therefore, you don't need to worry about a critical update without a signature" follows. The reason that it provides a lot of value is specifically because it helps you notice things like what's going on now so you can avoid installing unsigned updates.
I'll probably be tarred and feathered for this opinion, but "everything works out of the box" Mac feels like wishful thinking
Every time Apple pushes an update that causes some bizarre issue, people talk about it at length
On the one hand, software is written by humans. Humans make mistakes
On the other hand, Apple by design supports such a tiny set of hardware (that they largely build themselves and tightly couple to their software) that it's strange they're unable to iron out the issues in test before pushing the updates and ending making the tech news cycle when something goes wrong
I can't help but wonder if this requirement if secrecy for a big bang marketing event that is called wwdc is to blame as well. At least the different teams working in the same product should have access to the complete product, right?
I don’t really share your experience, but otoh I rarely have problems with MacOS. Although to be fair, I also do my best to wait the better part of a year before updating. So I’m always ~1 year behind, but then I also avoid a lot of the teething problems.
I don't use a Mac so I can't exactly cite specific issues I've had. But I've definitely seen a lot of them posted and reported on HN, ArsTechnica, Reddit and other places
Due to how small Apple's hardware list is, issues directly impact a much larger percentage of their userbase
Another was Finder copy to SMB wouldn't error but file would be corrupted (copying from any other computer to the same SMB no problem. Copying by rsync from the same mac, no problem, just finder)
My Airpods often don't connect. Solution, reboot Mac (after trying several other things)
Network starts failing. Solution, reboot (after trying several other things)
I can catalog many many more. I also have a Windows 10 (now 11) machine. It's had no more (nor less) problems.
What kind of router are you using? I had a bunch of network issue when I turned on RSTP on my network for some reason. They’re all fixed since I turned that off and ICMP snooping (I have Ubiquiti equipment). Can’t say much about your SMB issue, we have a mount drive at work and been solid since I’ve been here.
> software reliability is a general problem, not specific to Apple. Why test, when you are already working at the next release ? If there are issues, please upgrade to the latest version. Rinse and repeat. /s
I've tried gnome-firmware (same backend) on literally every linux system I've ever owned and have never seen an available update for any of my hardware.
The Berkeley Software Distribution (BSD) part of the kernel provides the Portable Operating System Interface (POSIX) application programming interface (API, BSD system calls), the Unix process model atop Mach tasks, basic security policies, user and group ids, permissions, the network protocol stack (protocols), the virtual file system code (including a file system independent journaling layer), several local file systems such as Hierarchical File System (HFS, HFS Plus (HFS+)) and Apple File System (APFS), the Network File System (NFS) client and server, cryptographic framework, UNIX System V inter-process communication (IPC), audit subsystem, mandatory access control, and some of the locking primitives.[7] The BSD code present in XNU has been most recently synchronised with that from the FreeBSD kernel. Although much of it has been significantly modified, code sharing still occurs between Apple and the FreeBSD Project as of 2009.[8]
> Darwin - which consists of the XNU kernel, IOkit (a driver model), and POSIX compatibility via a BSD compatibility layer - makes up part of macOS (as well as iOS, tvOS, and others) includes a few subsystems (such as the VFS, process model, and network implementation) from (older versions of) FreeBSD, but is mostly an independent implementation.
> This firmware update has been periodically failing since I got this laptop from work several weeks ago, and only today did I put in the effort to track down where it was hiding the logs with the real reason
If they haven't pulled the "corrupt" firmware after it's been up and broken for weeks, I don't think anyone needs to rescind the "incompetent" label.
I paid Dell a bunch of money for a laptop. They pushed a bios update, that ubuntu kindly relayed to me that meant when I closed the lid and put the laptop in my bag as I sat beside my daughter's ICU bed, it fried the motherboard. No really. That was the /purpose/ of the bios "upgrade." Warranty after they remotely fried my machine? No, because it worked as designed.
So yeah going bayesian given none of us can be 100% sure about anything, my prior on Dell is they suck donkeys' gonads on all levels. Competence, honesty, service, everything - until evidence shows otherwise and I've just told you why.
Why is your prior that Dell are competent even when evidence suggests otherwise?
Can you give more information about what the stated purpose of the upgrade was? Surely they didn't actually tell you they wanted to brick your laptop remotely?
I assumed it was a fast boot thing. I hate it and have been fighting it for years. I can’t believe a company of the size insists on being so anti consumer.
I'm speculating, but recently there's been a trend to prevent laptops from sleeping by disabling the existing functionality, because... companies hate customers?
This causes major problems for laptops that are ever located inside bags.
clueless VPs want their products to behave like Apple's, but then beancounters won't sign a budget for iteration. MVP is shipped, turns out it's always buggy.
What, Apple advertises sleep and then decides "you know what, even though it works fine, and is heavily used, and is essential for enabling laptops to be portable, which is the only advantage they have over desktops - we should just stop that from working"?
Or is this more of a "Who's going to notice that the functionality they use every day has been disabled?" kind of idea?
The only feature here is that you're no longer allowed to do something that was an important part of how the computer worked. That's the headline of the press release, and the goal of the software.
At the time i was probably a little preoccupied and just clicked yes, safe in the delusion that no distro nor any hardware vendor would ever push a laptop bricking bios update.
Sibling got it. Feel disabled sleep so if you didn’t shut it down and wait before closing the lid and putting in your bag it fried the mobo. Yeah. If you treated your laptop like a laptop the way you’d used it hundreds of times that was now like tossing it in the dishwasher.
Unbelievable. Yet it happened. I hate Dell. I’m not letting go of that anger. Ubuntu, meh. Pretty poor but still not Dell.
"Dell is posting unsigned update executables" is a loaded statement that implies this was intentional. Dell has been signing updates since before most infosec engineers were in middle school ogling cheerleaders. It's alarmist and highly unlikely this was intentional.
That still wouldn’t excuse that someone clearly didn’t verify their work. No matter what the reason, ownership of this task was released before it should have been.
You're right.
A headline of "Dell's website is serving up unsigned updates" would be correct. But to garner more clicks and hype that's not how they've worded their tweet, instead it's worded to make it sound like Dell are doing this on purpose.
yesterday they were also serving a update catalog index that did not match it's signature https://downloads.dell.com/catalog/CatalogIndex.gz // https://downloads.dell.com/catalog/CatalogIndex.gz -- but that was fixed after I complained
and their idrac based firmware updater downloads http(s)://downloads.dell.com/Catalog/Catalog.xml.gz without checking the signature -- and by default without verifying https certificates when using https :D
>Bad news: Dell is posting unsigned update executables to their website labeled “critical” which then fail to install due to the good news
If I were a hacker with no access to the signing keys, I'd probably label my updates as critical too, so you would try to find a way around the update signing.
So basically you're targeting a tiny fraction of power users who are capable and motivated to find and exploit a vulnerability on their own machine which bypasses update signing.
I think you'll find more bang for your malicious buck elsewhere.
So wouldn't this logic also apply to updates that are signed with an invalid signature? And at that point, it sounds like you're saying that once something is signed and distributed, no one will ever try to compromise that and you're free and clear for the rest of time, which seems...dubious.
My mental model is that requiring updates to be signed delivers a lot of security bang for your buck. Do you disagree?
An attacker can still steal the private key, or identify a flaw in the signature checking code. It looks like there are a variety of other, more constrained attacks: https://theupdateframework.io/docs/security/#attacks-and-wea... But overall, it seems to me that you can make an attacker's life considerably more difficult, for a comparatively small effort.
I don't disagree with everything you said, but I don't see how "therefore, you don't need to worry about a critical update without a signature" follows. The reason that it provides a lot of value is specifically because it helps you notice things like what's going on now so you can avoid installing unsigned updates.
But posting unsigned updates (if you somehow found a way to do that) would set off alarms in about 10 seconds, as we can see by this thread.
If I were a hacker in the same situation I'd keep looking for a more realistic strategy.
Unless it's some crazy 4D chess and the hackers are trying to distract Dell's security team while they are deploying another real attack.
Does anyone seriously think that attackers won’t try every single potential avenue regardless of how “realistic” it seems?
Yes. I wouldn't be burning write access to Dell's update servers on something so unlikely to achieve an objective.
Dell must have calculated that Microsoft will take the blame for this.
I mean, someone is, who knows if it is Dell or not. probably Dell doesn't know either, based on their usual software quality.
Wow that’s almost as bad as Firefox five years ago … except this probably doesn’t compromise privacy addons that will get someone killed.
https://hacks.mozilla.org/2019/05/technical-details-on-the-r...
[flagged]
I'll probably be tarred and feathered for this opinion, but "everything works out of the box" Mac feels like wishful thinking
Every time Apple pushes an update that causes some bizarre issue, people talk about it at length
On the one hand, software is written by humans. Humans make mistakes
On the other hand, Apple by design supports such a tiny set of hardware (that they largely build themselves and tightly couple to their software) that it's strange they're unable to iron out the issues in test before pushing the updates and ending making the tech news cycle when something goes wrong
> that it's strange they're unable to iron out the issues in test before ...
It's the deadlines.
"Must ship feature before WWDC"
I can't help but wonder if this requirement if secrecy for a big bang marketing event that is called wwdc is to blame as well. At least the different teams working in the same product should have access to the complete product, right?
Last major update broke all my vpns for a while. Really not fun having to switch to ssh bastions to do anything.
I don’t really share your experience, but otoh I rarely have problems with MacOS. Although to be fair, I also do my best to wait the better part of a year before updating. So I’m always ~1 year behind, but then I also avoid a lot of the teething problems.
I don't use a Mac so I can't exactly cite specific issues I've had. But I've definitely seen a lot of them posted and reported on HN, ArsTechnica, Reddit and other places
Due to how small Apple's hardware list is, issues directly impact a much larger percentage of their userbase
> On the one hand, software is written by humans. Humans make mistakes
That's why we had proceses and testing. But they are too expensive. /s
a) most thinkpads come with a physical camera shutter https://support.lenovo.com/us/en/solutions/ht512980-what-is-...
b) this story is about Windows. Linux has its own firmware update solution https://fwupd.org/
> I’m just gonna stay on my easy-to-use, reliable, everything-works-out-of-the-box Mac.
Where do I get one of those? I've ran into just as many problems with my Macs.
Latest is Airplay stopped working: https://discussions.apple.com/thread/255783202?sortBy=rank
Another was Finder copy to SMB wouldn't error but file would be corrupted (copying from any other computer to the same SMB no problem. Copying by rsync from the same mac, no problem, just finder)
My Airpods often don't connect. Solution, reboot Mac (after trying several other things)
Network starts failing. Solution, reboot (after trying several other things)
I can catalog many many more. I also have a Windows 10 (now 11) machine. It's had no more (nor less) problems.
What kind of router are you using? I had a bunch of network issue when I turned on RSTP on my network for some reason. They’re all fixed since I turned that off and ICMP snooping (I have Ubiquiti equipment). Can’t say much about your SMB issue, we have a mount drive at work and been solid since I’ve been here.
> Solution, reboot Mac
They copied this feature from Windows. /s
Apple definitely knows their audience, unfortunately they've been straying a little bit from the mission lately on software reliability.
> software reliability is a general problem, not specific to Apple. Why test, when you are already working at the next release ? If there are issues, please upgrade to the latest version. Rinse and repeat. /s
Yeah, on Linux you get all of the same firmware issues, but with no vendor software support to update it!
I dual boot windows so that I can download all of my PC's firmware updaters.
What? I've been upgrading my laptops with fwupdmgr for years without any issue.
I've tried gnome-firmware (same backend) on literally every linux system I've ever owned and have never seen an available update for any of my hardware.
If you don't own supported hardware, that's not really super surprising: https://fwupd.org/lvfs/vendors/
[flagged]
No it doesn't, it just has a bsd syscall adaption layer
The Berkeley Software Distribution (BSD) part of the kernel provides the Portable Operating System Interface (POSIX) application programming interface (API, BSD system calls), the Unix process model atop Mach tasks, basic security policies, user and group ids, permissions, the network protocol stack (protocols), the virtual file system code (including a file system independent journaling layer), several local file systems such as Hierarchical File System (HFS, HFS Plus (HFS+)) and Apple File System (APFS), the Network File System (NFS) client and server, cryptographic framework, UNIX System V inter-process communication (IPC), audit subsystem, mandatory access control, and some of the locking primitives.[7] The BSD code present in XNU has been most recently synchronised with that from the FreeBSD kernel. Although much of it has been significantly modified, code sharing still occurs between Apple and the FreeBSD Project as of 2009.[8]
You should read the official wiki. https://wiki.freebsd.org/Myths#FreeBSD_is_Just_macOS_Without...
> Darwin - which consists of the XNU kernel, IOkit (a driver model), and POSIX compatibility via a BSD compatibility layer - makes up part of macOS (as well as iOS, tvOS, and others) includes a few subsystems (such as the VFS, process model, and network implementation) from (older versions of) FreeBSD, but is mostly an independent implementation.
The two operating systems do share a lot of code, for example most userland utilities and the C library on macOS are derived from FreeBSD versions.
Or the upload to their CDN was truncated or corrupted, and the signature check worked as designed.
But let's not let an opportunity to paint Dell as some evil yet incompetent corporation slip through our fingers.
> This firmware update has been periodically failing since I got this laptop from work several weeks ago, and only today did I put in the effort to track down where it was hiding the logs with the real reason
If they haven't pulled the "corrupt" firmware after it's been up and broken for weeks, I don't think anyone needs to rescind the "incompetent" label.
The only evidence we have is a single anecdote on Mastodon sparse on details and nothing you said can be validated.
For all we know, the failure was in his employer's proxy server and the corrupt file was cached.
Let's not wait for facts though, proceed immediately to the crucifixion of Dell.
With everyone quick on the trigger to throw someone under the bus, imagine being a coworker in such a toxic environment.
Crucifixion? Really? Come on now...
I paid Dell a bunch of money for a laptop. They pushed a bios update, that ubuntu kindly relayed to me that meant when I closed the lid and put the laptop in my bag as I sat beside my daughter's ICU bed, it fried the motherboard. No really. That was the /purpose/ of the bios "upgrade." Warranty after they remotely fried my machine? No, because it worked as designed.
So yeah going bayesian given none of us can be 100% sure about anything, my prior on Dell is they suck donkeys' gonads on all levels. Competence, honesty, service, everything - until evidence shows otherwise and I've just told you why.
Why is your prior that Dell are competent even when evidence suggests otherwise?
Can you give more information about what the stated purpose of the upgrade was? Surely they didn't actually tell you they wanted to brick your laptop remotely?
I assumed it was a fast boot thing. I hate it and have been fighting it for years. I can’t believe a company of the size insists on being so anti consumer.
I'm speculating, but recently there's been a trend to prevent laptops from sleeping by disabling the existing functionality, because... companies hate customers?
This causes major problems for laptops that are ever located inside bags.
> companies hate customers?
clueless VPs want their products to behave like Apple's, but then beancounters won't sign a budget for iteration. MVP is shipped, turns out it's always buggy.
What, Apple advertises sleep and then decides "you know what, even though it works fine, and is heavily used, and is essential for enabling laptops to be portable, which is the only advantage they have over desktops - we should just stop that from working"?
Or is this more of a "Who's going to notice that the functionality they use every day has been disabled?" kind of idea?
The only feature here is that you're no longer allowed to do something that was an important part of how the computer worked. That's the headline of the press release, and the goal of the software.
Yep.
Best to do that without telling your customers that long established behaviour would kill it. Dell.
> Warranty after they remotely fried my machine? No, because it worked as designed.
You can still sue them for frying your machine; it's not a legitimate intent for them to have.
Why would you voluntarily use an OS that installs BIOS updates (broken or not) without consent? It's egregious even if the timing wasn't inconvenient.
Sure wouldn’t ever again!
At the time i was probably a little preoccupied and just clicked yes, safe in the delusion that no distro nor any hardware vendor would ever push a laptop bricking bios update.
Sibling got it. Feel disabled sleep so if you didn’t shut it down and wait before closing the lid and putting in your bag it fried the mobo. Yeah. If you treated your laptop like a laptop the way you’d used it hundreds of times that was now like tossing it in the dishwasher.
Unbelievable. Yet it happened. I hate Dell. I’m not letting go of that anger. Ubuntu, meh. Pretty poor but still not Dell.
Surely for something so important, they'd verify it rather than let it sit around for the public to point out.
At a minimum this is definitely a process failure due to incompetence.
Maybe it was file system corruption, who knows?
"Dell is posting unsigned update executables" is a loaded statement that implies this was intentional. Dell has been signing updates since before most infosec engineers were in middle school ogling cheerleaders. It's alarmist and highly unlikely this was intentional.
That still wouldn’t excuse that someone clearly didn’t verify their work. No matter what the reason, ownership of this task was released before it should have been.
You have no evidence of that not happening. It could be corruption after the fact or failure during replication.
The armchair wolves already smell blood and are assigning blame before a postmortem has even begun.
You're right. A headline of "Dell's website is serving up unsigned updates" would be correct. But to garner more clicks and hype that's not how they've worded their tweet, instead it's worded to make it sound like Dell are doing this on purpose.
The original “tweet” didn’t attempt to infer reason or assign blame though. All it did is state two facts, according to their system
Dell is a large player in storage integrity for servers for exactly this purpose.