Out-Of-the-Box Exploitation Possible On PCs From Top 5 OEMs (arstechnica.com) 81
According to a report published by two-factor authentication service Duo Security, third-party updating tools installed by Dell, HP, Lenovo, Acer, and Asus (the top five Windows PC OEMs) are exposing their devices to man-in-the-middle attacks. Dan Goodin, reports for Ars Technica: The updaters frequently expose their programming interfaces, making them easy to reverse engineer. Even worse, the updaters frequently fail to use transport layer security encryption properly, if at all. As a result, PCs from all five makers are vulnerable to exploits that allow attackers to install malware.Duo Security adds: Hacking in practice means taking the path of least resistance, and OEM software is often a weak link in the chain. All of the sexy exploit mitigations, desktop firewalls, and safe browsing enhancements can't protect you when an OEM vendor cripples them with pre-installed software.
Apple is doing it right (Score:1)
Why that kind of crap happening on both smartphones and computers, is there anyone still surprised why Apple didn't want carriers to install their own crapware on iPhones?
Re: (Score:2)
Re: (Score:3)
Now I think I'll just get a Mac. It's not my first choice, but thanks to how the major Linux distros have ruined themselves I have no choice.
Come on in, the water's fine!
Seriously, like many others, once you start digging into OS X, you will find that it is the "Linux" you always dreamed-of. "Linux" in quotes, because OS X is actually a Certified Unix.
And you will also find out that, despite the shrill language of the Apple-Haters around here (the vast majority of whom have never even TOUCHED an OS X Mac), there is QUITE the serious OS going on under the hood.
Re: (Score:1)
Windows NT 4.0 with Interix installed is a Certified Unix, too.
I have OS X installed on both of my iMac G4s. I wish it was easier to run NetBSD on them, but closed hardware is closed hardware.
Re: (Score:2)
Windows NT 4.0 with Interix installed is a Certified Unix, too.
I have OS X installed on both of my iMac G4s. I wish it was easier to run NetBSD on them, but closed hardware is closed hardware.
What's "closed" about the hardware? Oh, you mean like pretty much EVERY GPU on the market, right.
Why would you want to bother running NetBSD when OS X is a kissing-cousin to same?
Besides, have you even LOOKED? Check out this Google Search [google.com]. Looks like there are a number of NetBSD Options for PPC Macs.
Re: (Score:2)
I may not be able to speak for NetBSD, but the PPC G4 is (was) perfectly supported in Linux (I'm running Ubuntu 10.04 on my PowerMac G4 Quicksilver).
Re: (Score:3)
I have fallen into the same hole as the grandparent. I'm not happy with the desktops on the major Linux distros, I could hack my own or use an off-brand distro, but then there is the issue of updates, and just spending time fiddling with it, when I have many other things to do. So, I went the OS X route because it is usable out of the box. Plus, I'm not liking the route MS is going with Windows, where they can do an update/forced restart anytime. That and the telemetry privacy concerns.
All and all, I ge
Re: (Score:2)
I have fallen into the same hole as the grandparent. I'm not happy with the desktops on the major Linux distros, I could hack my own or use an off-brand distro, but then there is the issue of updates, and just spending time fiddling with it, when I have many other things to do. So, I went the OS X route because it is usable out of the box. Plus, I'm not liking the route MS is going with Windows, where they can do an update/forced restart anytime. That and the telemetry privacy concerns.
All and all, I get about 95% of what I like with Linux on OS X. Ansible, borg, xz, and other utilities install with little issue with brew, and with proper ACL setting, /usr/local can be kept owned as root, while letting an admin user do updates. XCode isn't bad, as I've had to write Objective C code to watch the thermal and memory pressure of a machine, and have it throttle an app before either got out of hand. OS X Server's git server is decent, and eventually I may just buy a Mac Mini for running a LDAP server and VPN server, although I have no clue if it can support 2FA, which is a must. Plus, since Mac Minis support ESXi, I can use it for another compute node if I need.
I'm no expert on 2FA; but a second on Google revealed this thread [apple.com], which could be helpful.
OS X El Capitan and iOS 9 have also introduced 2FA through use of an AppleID; but I'm not sure if/how that applies to LDAP.
This Google Search [google.com] may prove helpful on the LDAP on OS X front.
Re: (Score:2)
I might fiddle with Duo security, or just fire up a VM whose sole purpose in life is to handle VPN duty. That way, it is isolated, and can be hardened well. Nice thing about OS X and Linux is that they play well together.
Re: (Score:2)
I might fiddle with Duo security, or just fire up a VM whose sole purpose in life is to handle VPN duty. That way, it is isolated, and can be hardened well. Nice thing about OS X and Linux is that they play well together.
I'll just have to take your word for it. I got over my "working ON my computer" phase a LONG time ago. Now I just want something that works. And IMHO, life's just too frickin' short for Linux. ;-)
Re: (Score:2)
My experience (this decade) has been that Linux will work on the majority of hardware on the market. True, you might have to install video drivers (and I had one laptop that needed me to install the ethernet driver, but it worked following that)
Re: (Score:2)
Been there, done that. That includes owning Macs and working with real Unix. If you are a power user, you will just find Macs annoying. If you are a serious old school Unix user, you will find it's certification laughable.
Although the real problem with MacOS is not MacOS itself. It's the hardware. You get stuck with strange novelty form factors targeted to n00bs. They don't even have a proper workstation model any more.
Re: (Score:3)
Been there, done that. That includes owning Macs and working with real Unix. If you are a power user, you will just find Macs annoying. If you are a serious old school Unix user, you will find it's certification laughable.
Although the real problem with MacOS is not MacOS itself. It's the hardware. You get stuck with strange novelty form factors targeted to n00bs. They don't even have a proper workstation model any more.
That's funny. I have been seeing more and more "power users" and "real Unix" users that are generally quite happy with their Macs and OS X.
As for a "proper workstation", that definition is going by the wayside more and more with each passing year. If you really want to have a "tinkerer's box", then I suggest you build yourself a nice Hackintosh. Recommended hardware lists and help forums abound.
Why do you think that Apple turns a blind eye to the Hackintosh Community? Do you really think they couldn't R
Re: (Score:1)
I am not trying to troll you but I like my computer's environment set a particular way and I am actually genuinely interested in knowing if the OSX GUI can now support my workflow instead of me having to adapt so here goes; I use a multi-monitor setup with a panel on both screens, each of the panels has its own Application launcher, t
Re: (Score:2)
I am writing this from a laptop running Kubuntu 16.04 and while there are things which I find inconvenient/annoying, I am generally pretty happy with the overall experience. I am not trying to troll you but I like my computer's environment set a particular way and I am actually genuinely interested in knowing if the OSX GUI can now support my workflow instead of me having to adapt so here goes; I use a multi-monitor setup with a panel on both screens, each of the panels has its own Application launcher, taskbar (which shows only applications from the screen the panel is on and does not autosort/group applications) and a notifications tray and I like to use focus-follows-mouse instead of click-to-focus. Last time I checked (with Yosemite, a friend let me keep their old Mac Book Pro for a month to play with), OSX wouldn't let me do either of these things (I could not get the dock to show up on both screens or get it to not group windows of the same application together and even when i eventually managed to get focus-follows-mouse working, the unified toolbar (which I couldn't switch off) made it nearly impossible to use). I realise someone somewhere might think that the interface of OS X is perfect but as far as I am concerned, I could not see myself using it in it's default configuration and since I couldn't modify it either, I didn't really see the point of getting a Mac if I was going to install Kubuntu on it at the end of the day anyway.
Ok, let's tackle these one-at-a-time. If I misunderstand, let me know and I will try to realign my thinking... I am not an expert in all things regarding multiple desktops and docks; but I might be able to help.
Keep in mind that no OS has everything; but the question is, can you "get there". And I think that the answer in your case is "Yes".
1. Multiple Docks. I am not sure if any of these might help; but there sure are a LOT of choices [macupdate.com]!
2. Multiple Desktops (Spaces). Again, not sure if any of these wil
Re: (Score:1)
When I said I wanted a panel on both screen, I meant something like what KDE has but since you're not a Linux person, you can think of the Windows 7 panel (which has the start button, the taskbar, notifications tray and a clock) but where Windows 7 only lets you have the panel on the primary display, I want it on both displays (and the taskbar on each panel to display programs that are running on that screen). The only alternative to the standard dock that OS X
Re: (Score:2)
orry for the delayed reply, been very busy.
No worries! I'm much the same...
;-) but, hey, there isn't anything wrong with swimming upstream: You want what you
I wish I could find a screenshot of what you are talking about with KDE's "Panels".
BTW, I noticed you other Post about trying to get KDE to Compile under OS X, and I must say, it seems you are REALLY Swimming Upstream here. I mean, I find TONS of references and even solutions for making KDE Look and even Act like OS X; but really nothing on making OS X look and act like KDE. JUS' sayin'...
Re: (Score:2)
Ah, Focus-follows-mouse. My favorite thing about classic UNIX desktops (CDE, 4DWM, FVWM). I don't think you can do that in modern GNOME, much less in OS X. For you next item - Out-of-Box OS X ships with a Dock (Warf in GNUStep terms), which is not what you are looking for in this case. You would need to find a third party panel, which would likely include it's own task picker.
And hey - I think I agree with you that the main reason to buy Apple hardware is the OS. I've always been an Apple fan (but I le
Re: (Score:1)
I tried to get KDE to build on OS X as a last ditch effort, ran into dependency hell which I couldn't resolve despite a lot of effort and in the end figured that it was probably not worth the time I was pouring into it.
The only real gripe I have with Linux is the problems SystemD is introducing by trying to 'correct' the Un
Re: (Score:2)
Systemd is easily my biggest complaint as well. I have seen so many weird errors pop up since systemd became the default, so many systems suddenly refuse to boot (over what used to be non-fatal errors), or have issues when they are running because of strange defaults (and despite what the pro-systemd crowd says, if it worked before and systemd was the only thing that changed then it is systemd's fault. It breaks the UNIX way of "be as compatible as possible" and now systemd on Debian is going to break nohu
Re: (Score:2)
Some comments really do look like they've been generated by Eliza. This is especially true of the intentionally vague ones. It's hard to evaluate something that by it's very nature can't be quantified.
Linux, the headless box in the closet (Score:2)
Re: (Score:2)
Step 1: Disable anonymous posting.
Re: Is Linux really any better? (Score:2)
Re: (Score:2)
Linux/GNU is a fine OS for monolithic servers with minimal update needs and it works fine as a base kernel to run a completely different environment and API on top, as is the case with Android.
Re:Apple is **MS Windows** doing it right (Score:2)
I've been building my own PCs from parts since 386 days. I've only had a small fraction of the Windows problems others complain about. Even good Linux compatibility. OK, it may help that the "No" and "Cancel" buttons are my friends, especially when someone is generously offering to install something for me. And I look out for those
OEM Rescue Kit (Score:5, Interesting)
OEM Rescue Kit [distrowatch.com]
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
No, because the TSA would want to look inside each packet, and would induce latency. ;) And filter nothing anyway...
Yeah, they just look...
Re: (Score:2)
Hmm.... (Score:1)
So what Windows OEMs are left that don't fuck up their computers? Let's start by eliminating the five mentioned in TFS, and also Microsoft, Sony and Samsung because they have a history of abusing their customers and have terrible support. That leaves us with... LG, Toshiba and MSI. And a bunch of tiny companies.
No wonder the PC market is declining so hard.
Re: Hmm.... (Score:5, Interesting)
A clean install may not work [arstechnica.com]. There is a hook in Windows 8 and later that allows OEM firmware to supply a list of software to install after a clean install.
The feature was originally designed so Windows could automatically install necessary OEM-specific drivers without requiring a custom installer be used. Sadly, OEMs have used it to install vulnerable crapware.
You just can't win against crapware.
Re: (Score:2)
Re: (Score:3)
This has been a best practice for decades. It doesn't matter what the platform is, be it a Dell that was on special from Amazon, a Mac, an Oracle box, or a POWER8 that will be used for LPARs... it gets completely flattened and installed from scratch. Even my smartphones and tablets get erased and reflashed from scratch.
The Dell cheapie I bought, I just bought OEM Windows install media, stuffed a SSD in there, and it works fine. With most drivers being from Windows or OEM stuff, there is no Dell specific
Re: (Score:3)
You'd have to be a moron to buy anything from Dell or Lenovo by choice, after the root certificate crap they both pulled.
Well, at least you described the average computer user accurately, who still believes a "root" problem is caused by dandelions growing in their yard.
This would also imply that the average computer user knows or cares about computer security. They care about price when buying a computer, not security, hence the reason they go to the vendor with the most subsidized OEM crapware on the machine.
Re: Hmm.... (Score:2)
Re: (Score:1)
You'd have to be a moron to buy anything from Dell or Lenovo by choice, after the root certificate crap they both pulled. So what Windows OEMs are left that don't fuck up their computers? Let's start by eliminating the five mentioned in TFS, and also Microsoft, Sony and Samsung because they have a history of abusing their customers and have terrible support. That leaves us with... LG, Toshiba and MSI. And a bunch of tiny companies. No wonder the PC market is declining so hard.
Except Lenovo only installed it on a select few consumer models. They are still the goto in the Corporate world. Dell however is complete garbage now.
Considering the computer store I worked for... (Score:1)
made more from pre-installed software, especially games, than we did from the hardware, this problem will never go away. The closer to malware that the software is, generally the more profitable it is.
So the question is (Score:2)
are the OEMs getting paid to put this crap on there, is it just that cheap to let someone else do it (and buy some liability insurance), or a combination of the two?
Step 1: buy the box Step 2: wipe, install clean OS (Score:2)
I had had enough with bloatware years ago, so now it's nothing but OEM Windows (if not Linux) for me.
It shouldn't be allowed (Score:3)
The updaters frequently expose their programming interfaces
The dirty beggars.
Sensationalized news (Score:2)
Let's put this into perspective.
If your attacker can either A) hack into the Internet back-end routers; or B) physically colocate on your private network, he can hack your PC during an update check.
If we assume update checks are sufficiently frequent, then your most likely attack is from a PC on your network--a neighbor or white van that's connected to your wifi, assuming it's not encrypted with a non-trivial password ("lemonade_ghost_riders" would keep the NSA out if they had to brute-force your WPA2--
Re:Sensationalized news (Score:5, Informative)
A) hack into the Internet back-end routers; or B) physically colocate on your private network
Or just compromised DNS on your router. There are an awful lot of vulnerable router firmwares out there still in common use.
Such an attack would need to connect to the local wifi, spoof ARP packets of the router at your particular device, spoof ARP packets of your device at the router, and interpose itself.
You give coffee shops too much credit. Log into router after getting on free wifi, because the username and password are still set to the factory default. Change default DNS servers handed out on DHCP to your external host. No need to spoof anything.
For that matter, if the coffee shop has a lower power AP, you can just bring in a discreet high-powered AP and use the same SSID. Laptops will just connect to the highest powered signal with the same SSID. Instant MITM.
Re: (Score:2)
True. My point was mostly that the general theme of security news is "OOOOOOOOOOOOOH SCARY HACKERS WILL HIJACK YOUR PRECIOUS DELICATE LITTLE PC ACROSS THE INTERNET!" and people imagine sitting at home, unwrapping a new desktop, turning it on, and getting hacked 4,000 times. That doesn't happen.
Hacking home routers is actually really hard from outside. Most routers don't expose any open ports to the WAN side, so you can't just route around their broken Web apps. There's this continuing myth that you c
Re: (Score:2)
Right. This would assume that their router had been hacked via the previous PC and was already running the attack.
Re: (Score:2)
Most routers don't expose any open ports to the WAN side
Depends on the ISP. At least around here, UPC wants port 443, Netia both 443 and 4567, for their backdoors.
Re: (Score:2)
I bought my router from Amazon.
Re: (Score:2)
Re: (Score:2)
Not sure what you're asking. But a small business that happens to be cheap will be using an off-the-shelf consumer router as their "access point" and will require no password to connect and join the network. Yes, routers generally let wireless clients access the administration features, provided they know the password (still set to default). Not every consumer even owns a wired device.
Re: (Score:2)
Re: (Score:2)
So you don't mean just any coffee shop. That's a multinational corporation. Don't assume most small businesses are even willing to spend enough on a router with a guest network.
Re: (Score:1)
Let's put this into perspective.
If your attacker can either A) hack into the Internet back-end routers; or B) physically colocate on your private network, he can hack your PC during an update check.
If we assume update checks are sufficiently frequent, then your most likely attack is from a PC on your network--a neighbor or white van that's connected to your wifi, assuming it's not encrypted with a non-trivial password ("lemonade_ghost_riders" would keep the NSA out if they had to brute-force your WPA2--don't use that password; it's public knowledge now).
The only reasonable scenario is a targeted attack by an infected machine on coffee-shop wifi. Such an attack would need to connect to the local wifi, spoof ARP packets of the router at your particular device, spoof ARP packets of your device at the router, and interpose itself. Not impossible, but very much not reasonable if two competing devices are attempting to do it.
Exactly. If you're being victimized by a man in the middle attack you have a *lot* more to worry about than your Dell/Lenovo/HP driver update suite being non-encrypted.
A problem? (Score:2)
expose their programming interfaces, making them easy to reverse engineer
I fail to see how this statement should ever be construed as bad. If done properly, knowing the programming interfaces and how they work should in no way compromise the security of the system.
Also, while it's good that the new Lenovo utility employs all the security best practices and it wouldn't hurt to have signed manifests, if TLS is working properly the signed manifest seems likely to be a mostly redundant security feature.
Solution isn't that hard (Score:2)
Put Windows onto a USB stick.
Download Double Driver and put on stick.
Back up the drivers using Double Driver onto a folder on the aforementioned stick.
Start the Windows 10 install. Go have dinner.
Copy the drivers to the hard drive.
Reinstall any drivers from the folder on the drive as and when you need them. I tend to find the default wireless one provided by Microsoft to be rather flakey.
That's why it's so important to clean up a new box (Score:2)
I wasn't even worried about security from OEM updaters; I just don't want to spend the time, bandwidth and CPU cycles checking two sources - especially since any driver
Re: (Score:2)
Then Windows 10 proceeds to install the OEM crapware automatically, since it is embedded in the system BIOS.