If I were a hacker with no access to the signing keys, I'd probably label my updates as critical too, so you would try to find a way around the update signing.
I think you'll find more bang for your malicious buck elsewhere.
An attacker can still steal the private key, or identify a flaw in the signature checking code. It looks like there are a variety of other, more constrained attacks: https://theupdateframework.io/docs/security/#attacks-and-wea... But overall, it seems to me that you can make an attacker's life considerably more difficult, for a comparatively small effort.
But let's not let an opportunity to paint Dell as some evil yet incompetent corporation slip through our fingers.
At a minimum this is definitely a process failure due to incompetence.
"Dell is posting unsigned update executables" is a loaded statement that implies this was intentional. Dell has been signing updates since before most infosec engineers were in middle school ogling cheerleaders. It's alarmist and highly unlikely this was intentional.
The armchair wolves already smell blood and are assigning blame before a postmortem has even begun.
If they haven't pulled the "corrupt" firmware after it's been up and broken for weeks, I don't think anyone needs to rescind the "incompetent" label.
For all we know, the failure was in his employer's proxy server and the corrupt file was cached.
Let's not wait for facts though, proceed immediately to the crucifixion of Dell.
With everyone quick on the trigger to throw someone under the bus, imagine being a coworker in such a toxic environment.
I paid Dell a bunch of money for a laptop. They pushed a BIOS update, that Ubuntu kindly relayed to me, that meant when I closed the lid and put the laptop in my bag as I sat beside my daughter's ICU bed, it fried the motherboard. No really. That was the /purpose/ of the BIOS "upgrade." Warranty after they remotely fried my machine? No, because it worked as designed.
So yeah, going Bayesian, given none of us can be 100% sure about anything, my prior on Dell is they suck donkeys' gonads on all levels. Competence, honesty, service, everything - until evidence shows otherwise and I've just told you why.
Why is your prior that Dell are competent even when evidence suggests otherwise?
At the time I was probably a little preoccupied and just clicked yes, safe in the delusion that no distro nor any hardware vendor would ever push a laptop-bricking BIOS update.
Sibling got it. Dell disabled sleep, so if you didn’t shut it down and wait before closing the lid and putting it in your bag, it fried the mobo. Yeah. If you treated your laptop like a laptop the way you’d used it hundreds of times, that was now like tossing it in the dishwasher.
Unbelievable. Yet it happened. I hate Dell. I’m not letting go of that anger. Ubuntu, meh. Pretty poor but still not Dell.
This causes major problems for laptops that are ever located inside bags.
Best to do that without telling your customers that long established behaviour would kill it. Dell.
Clueless VPs want their products to behave like Apple's, but then beancounters won't sign a budget for iteration. MVP is shipped, turns out it's always buggy.
Or is this more of a "Who's going to notice that the functionality they use every day has been disabled?" kind of idea?
The only feature here is that you're no longer allowed to do something that was an important part of how the computer worked. That's the headline of the press release, and the goal of the software.
You can still sue them for frying your machine; it's not a legitimate intent for them to have.
https://hacks.mozilla.org/2019/05/technical-details-on-the-r...
and their iDRAC-based firmware updater downloads http(s)://downloads.dell.com/Catalog/Catalog.xml.gz without checking the signature -- and by default without verifying HTTPS certificates when using HTTPS :D