I posted about this about 7 months ago on HN, https://news.ycombinator.com/item?id=9881674, I also tweeted it out. Dell responded to my tweet saying there has been no breach and our data was secure. Obviously I didn't and don't believe them, and their main response was report it to the FTC. That is crap, admit it, fix it and deal with the issue.
What totally pissed me off is that it was my sons laptop they called on and they called him directly since his number was listed when he called in for real Dell support about 3 months prior to the scam call. They had convinced him they were Dell until I walked into his room and heard 30 seconds of the call and asked why he called them, soon as he said he didn't I told him to hang up. They were persistent, calling him back many times over the next 2 months. I had to block the number to finally get it to stop and my son says he got a new call just a few weeks ago, new number same scam but at least he is smarter about it now.
I had the same problem last April, and had a surprisingly difficult time finding any more info about it. All Dell forum threads say that they know nothing about it and refer you to the FTC site. The really disturbing part was they used my mobile number, which had been spam-free until the Dell issue.
Summary of my battle:
Keept them on the phone as long as possible, asked stupid questions, and tried to piss them off as much as humanly possible - I managed to get a "find a pen, remove the cap and stick it up your ass" after 2 hours on the phone with them. I kept them on the phone while my 4mb download took 45mins.
Just read your description, it is nearly identical to what they were trying to get my son to do. They wanted remote access and telling him that his computer was attacking other people and their "monitoring" caught it. Really was an elaborate explanation when I heard it, but so insane to anyone that knows how this all works. But to a 17 yr old it seemed reasonable, even plausible especially with the quick talking, pushy nature of these guys. That was until I got my son to stop and think about it for a minute, then he saw the stupidity in what they were saying.
It was a great lesson for him, and while I had sworn off Dell quite a long time ago, this made him now say no thanks to Dell. His new laptop is a Toshiba, not that they or any company is immune, but the fact Dell won't even publicly address it and help to protect their customers to me is really the sign of a bad corporation. He even convinced 3 of the kids in his high school that were buying new laptops to avoid Dell, so hopefully people keep spreading the word and it starts affecting Dell in the only place they will apparently listen.
It's good that you managed to intervene - I know a lot of Dell owners that are not well equipped to handle these sorts of calls. Hopefully the worst that comes of it is a small fee.
At least it is good to see word getting out - that is likely the first step to any reasonable resolution.
I've accepted that we live in an age where no one can secure data that is coveted by determined attackers. Even companies with the best infosec are often taken down by the simplest social engineering or clumsy spear-phisihng attempts that work well enough.
I hope this changes as we migrate away from passwords and passphrases to mandatory two factor login with physical keyfob tokens, from C to Rust, and from putting things directly onto the internet to putting everything behind a IPS/IDS that updates itself via signatures, honepots, etc. Especially in the home where no one runs IPS, the same way early consumer OS's didn't bother to ship with firewalls.
Phones need something like this too, especially with blocking known spammer numbers/providers. Everyday I get an Indian call center impersonating either state farm or blue cross. I have no way to stop this as they randomize the phone number each time, often in mocking ways like starting with a movie 555 prefix or having a prefix starting with 1.
I also don't want a relationship with companies like Dell where they store all my info. Why can't I buy something via a private OpenID/Persona-like system that has a tokenized version of my credit card and Dell just ships the product? I must have hundreds of accounts spread out with various sites, vendors, etc. Each of them ripe for the taking by scammers and hackers with my real name, stored card, etc.
I hope this stuff is what breaks the camel's back. IT security right now is a nightmare. I suspect it will get much worse before it gets better. Cryptolocker didn't suddenly fix corporate IT security. From what I can tell, its just as bad as its ever been.
Because retailers figured out a while ago that having a personal relationship with their customers (knowing everything about them) is EXTREMELY valuable. Think of the merchant wars with MC/Visa/ApplePay...etc as well as how much they sink into loyalty programs. Knowing your customer pays off in spades (until you have a security breach and get sued into oblivion).
Would be nice to be able to opt-in to a "forget everything you know about me" program - Newegg would probably get tons of business from paranoid nerds with an option like that in place.
I agree that there is no way to prevent the determined hacker or state actor from breaking into just about anything they want. Just like putting locks on our doors keeps the common criminal out for the most part, but the determined guy/gal will find his way in.
What always bothers me more is how caviler many companies, especially many marketing companies I have seen, are with our personal details. As recently as just a few years ago I was fixing one such marketing company's issues, like using sequential id's on exposed web links sent in emails. Which all you had to do was increment the id and you could get personal details for other people from the database (which had happened). They fixed that issue and some others but still never addressed security as a whole, which just bugged me. Plain text passwords in a database, no encryption on sensitive data etc. And I see it over and over, a company won't change unless they are forced to, and then it is change only enough to appear secure, not be secure.
It does feel like Internet security depends on the software equivalent of Shōji doors, windows and dividers. We need some stronger construction. No offense to traditional Japanese architecture intended. It's just descriptive.
I don't know if it's related but I found something deeply worrying a couple of months ago. I purchased a laptop on Dell's website at my home address using a personal email and my personal paypal account. No reference anywhere to my job or employer. A couple of weeks later I receive a call from India on the mobile number provided to Dell, from a guy pretending to be from Dell (and he might have been) who wanted to discuss how he could do business with my employer which he mentioned by name (a large corporation).
At that time I thought that Dell's commercials were unacceptably pushy, googling their private clients to find a way in their employer. It didn't occur to me that this might have been a scam using Dell's database.
Axciom, Epsilon and similar companies track your credit card purchases and correlate them with a profile of who they think you are. If you work for a large corporation that is probably easier to identify than a small one.
I assumed that when I buy something on a card, it's more or less private. The transaction should be known only to: me, the merchant, our respective banks, Visa, and I guess the IRS if they come and ask for it.
If I understand correctly, youre saying my entire purchase history is shared with random third party marketing companies. Full transaction data, PII included, no anonymization.
Ok, I'll add to that a couple more details. Many ecommerce companies sell your purchase history to third parties as well, just like the credit card companies. This allows others to market to you more directly.
There is at least one company that has built technology that will monitor most all these purchases, monitor the IP's from them and the browser profile to identify a specific machine that you use. Then when you go to work, or are on your mobile they also will tag that traffic as you too. They have gotten so good they can serve ads that are relevant to your wife if she happens to be on your computer surfing the web for shoes say, but serve you different ads if you are on the same computer. They use data feeds from many sources, but ecommerce transactions, credit card transactions and companies like acxiom that let them match those with real people, incomes and household details make it very powerful.
In marketing we use Axiom and others a lot, their data used to be more vague and educated guesses about people. Now though, they have gotten it down pretty well, including how many animals, kids and your income/debt etc. They collect data from tax collectors offices, county records, city records, plus companies that will sell transaction data and other pieces so they can get a full picture. They of course work with Equifax, TransUnion etc too so they can build a whole economic profile on a person.
These companies are also what allow marketers to send you an email about their product/company after all you have done is visited their website. You don't have to enter anything or click on anything, but they will know who you are, who you work for and whether you fit their market profile in general. Poorly done it is extremely creepy, correctly done it can be an amazing conversion booster.
I am from Brazil, and I am openly dissident of our government, and here assassinations (And other unpleasant things) DO happen to dissidents (example: in the last year a couple anti-government bloggers all in the same region where "murdered", the police claim it was just normal murder, but the coincidence is too great to be just normal murder, they were obviously assassinated).
What happen, if some day the government decide to assassinate me? They can just waltz in with a market company, offer a lot of money (or if they refuse, a lot of pain), get my data, and know all that stuff about me.
Then, they can do with me, what they did with Toninho and Celso Daniel: intercept them on the street, kill them, and pretend it was a robbery gone wrong.
Toninho case was very obvious: He was intercepted while fetching some suits he had bought before, using the tech you mentioned, assassins would know for certain that he was there, since they could know he would need to eventually fetch the suits, and that once inside the building, you could intercept him at the exit, indeed as he was exiting the shopping mall that had the clothing store, another car drove by, shot him (not "at his direction", but at him, directly, Toninho died instantly because of direct hits), and sped away. The police claimed it was a random incident where random criminals randomly passing by got pissed off at him cutting them off in the traffic and killed him, beside all that being unlikely, Toninho had some days earlier said to the press that should "something happen" to him, stuff were already set for his successor.
So what matters to me is: How I don't get tracked, unless I go "off grid survivalist style" ?
Your concern is totally valid, I luckily do not live in a country that I feel I need to be on guard at the level you do but it still doesn't mean I appreciate all the data collection either.
That said, there are things people can do with companies like Acxiom to help reduce the data collection. At least in the US (not sure overseas) if you as a consumer submit a request to be removed from their lists they must honor your request and remove you, many US states have strict laws about this and I believe the Federal laws also have strict restrictions. The catch 22 to this is that you can wind up back in the collection at a later date because of activity you take or because of a timeout period (from what I understand). You can read about Acxiom's policy and opt-out here: https://isapps.acxiom.com/optout/optout.aspx
As a point too, you may check out the data collection from Acxiom, as I believe they actively collect and use data in your home country, as they do in many counties. Equifax, Experian and TransUnion all also work in the US and overseas and collect/sell vast amounts of data on individuals. The very fact they collect so much data does make people (including me) nervous because I personally feel they do not take security of the data nearly serious enough, as recent security issues have shown at most of them. But that I guess is a different issue/post.
That is correct. Banks and credit card companies merchandise this information to their partners, which leads to this kind of thing. Check your cards' terms of services if you want to be somewhat horrified.
Banks are disgusting. They get a cut already from the purchase which ought to be more than enough to deliver this and make a profit. But no it's not enough.
I don't use facebook but do use a credit card. Hard to opt out of that in the modern world. God these people are filth.
Well, I don't know how hard is it in the USA, but I use cash most of the time and know several people who do the same. Sure, sometimes you need to make wire transfer, or pay with credit card, or paypal for that matter. But at least shopping in the supermarket is possible with cash.
Then I do hope that you do not own a cashback etc bonus card, or your can be quite sure that your personal consumption related high resolution data will end up in some buyers pocket.
And all that for a cheaper (and cheap) bread-knife.
A serious question, though I assume that you were joking: is it more creepy to have your own actions tracked and accurately tied to you, or other people's actions tracked and inaccurately tied to you? Both sound pretty awful to me, but I think I'd prefer the former if those were the only two options.
What stops these guys from selling to all the major health insurers.
Been buying too much sugar? Dental insurance up. Too much butter? Health insurance up. Bought three times the median amount of headache tablets? That's a paddlin'. Bought more alcohol than normal? Car insurance up.
Opt out to keep off their radar? They assume the worst and charge you double?
Example sentence from mid-naughts: "I've heard several stories of USG bulk tapping Internet interconnection points, but it's never been substantiated."
Thinking from first principles lets us see incentives and probable outcomes before they are "substantiated" (adopted by the media).
I personally don't think shopper data is affecting insurance policies quite yet. But the groundwork is there (Acxiom etc), and the "great" thing about data is it stays around forever!
I'd guess a timeframe of 10 years, but does it really matter as to when?
> What stops these guys from selling to all the major health insurers.
Is this a response to my comment? I would guess that the answer is "nothing but the temporary protection of the law", but, assuming that protection is eventually revoked, it makes it all the more worrisome for me to have a random stranger's data taken as my own.
In the UK we have a company called Boots which used to be a pharmaceutical giant and is now a high street toothpaste and moisturiser giant. At the counter, they always ask if I have a 'Boots card' (purchase tracking card). I say no, because I don't, and they are often confused - because it's weird to not only have presented one immediately, but to claim not to own one. I'm then told I can be given my 'points' on a receipt so that I can add them to my (non-existent) card later.
I'm not a tin foil hat type, but I really don't like filling my wallet with tracking cards and can't be bothered to claim the miniscule compensatory benefits provided in return for proffering my purchase (and also location, hygiene, etc.) information.
Saying 'no' is almost more hassle than simply submitting, however, which is probably exactly what the company would like to hear. Suggestions welcome for brushing off this nuisance without a) Avoiding their shops entirely (not practical) or b) Being rude to cashiers.
Sometimes I do use several bonus cards, when there's some significant benefit (say, sale-out only for bonus-card owners). Guilty that. But I do not use them often and of course I don't use my real name when signing up for it. Or if I do — only when I use my CC anyway, which is rare.
Surely if you use your CC one time with this card they have your real details. After that every cash purchase where you use this card is tied back to you. Not hard to believe they do this and you should assume the worst.
Purchase and transaction histories provide very rich data profiles and are a big business. There are also several companies that match up this "offline" data with online profiles so you can be targeted online.
PII is not available, it is anonymized. There are laws around this. Purchase data itself is usually grouped into major purchase types, not amounts or actual goods purchased.
For that detail, it would be the CRM/ERP systems of the manufacturer that has that information tied to a serial number and this is why they ask you to register your product when you buy it. Some manufacturers might work with data providers to exchange this data (serial numbers in exchange for purchase histories) but it's rarely done at scale because of cost, complexity, legal/security risk and lack of options to benefit from it.
> PII is not available, it is anonymized. There are laws around this.
But we've seen how useless even apparently well meaning anonymisation is—think of the AOL search results. I can't imagine how utterly useless it becomes when it is done by people in whose interest it is to do it poorly, while remaining just within the law.
There is a difference. Yes search results can reveal a lot, even just a few hundred likes on Facebook can reveal your entire personality [1]. However this data is not regulated the same as actual personal information like names, address, gov id numbers, credit card data, etc. even though it should be.
The protection of the law does add to the security. Also anonymization of the PII (scrubbing into just a serial number) combined with the dilution of purchases into larger categories provides lots of protection. Your google search history is lot more detailed and granular than most of the purchase data you can buy through data markets. You might be able to figure out a basic "profile" and maybe use lookalike modeling but it would be incredibly difficult to actually distill that to a discrete person.
There's also been a push to buy "insights" rather than just data to get more ROI with less effort/cost so instead of buying purchase histories you would just buy a segment of people interested in buying washing machines for example.
Agreed. I work on pharmacy data, which is additionally subject to HIPAA compliance. While the the pharmacy data does technically not contain anything identifiable, it is frightening how easily someone can match their own company's records up to a data set that is supposedly anonymous.
You mean Apple, the company that until recently forced you to give them cc data in order to install any app on your device, regardless of the app being a paid or free one?
Literally every interaction with a 3rd party should be considered public knowledge as it is almost always shared with enough 3rd parties to guarantee that is the case.
Now think about what a company like Google or Facebook knows about you. And then ask yourself if you ever want to use their services again (besides those that everybody is forced to "use", such as GoogleAnalytics.).
Tracking server-side is fine, it is assumed the server logs contain a record of my visits and I have no problem with that. I think what most people object to is the third-party tracking that so many people use.
Company A tracking my visits to Company A's website = OK
Company A using Google Analytics to track my visits (while also enabling Google to track me across multiple sites) = Not OK
EDIT: (replying here as we've reached max comment depth) - I was unaware that it is possible to use Google Analytics server-side only (is this true?) but I hope my original point is still clear, DIY tracking is fine.
You misunderstand. There have been several commentators here on HN saying that they are moving Google Analytics server side. They seem to think that people are only objecting to the cookie or the presence of the JS rather than objecting to the pervasive cross-site tracking.
Are you are aware that Google provide you with a method to do this regardless that doesn't rely on random script blocking? Details here https://tools.google.com/dlpage/gaoptout
Yes. GA has server-side API's available to premium accounts.
You can also just host the ga.js file yourself. Or run a reverse proxy or any of a dozen other methods to collect data and pass it to GA. Using the standard 3rd party tag is just for convenience.
You mean GoogleAnalytics-tracking on the server side? Please expand on that, I'm not very versed in all that marketing spy-modules. Do you mean that some internet-shop (or blog or whatever) makes a request to GA or some similar service to share that I was at their website? If so, what information do they share? My IP, cookies or what? I always assumed that very point of GA was outsourcing tracking users to some other service (Google) which could try somehow guess who I am based on flash-cookies and me appearing on other websites with GA. But how would that work server-side?
Even just your UA string is enough in most cases to make educated guesses. See here: https://www.eff.org/deeplinks/2010/01/tracking-by-user-agent... . The server will get that UA string, and it can make subsequent calls (or serve you content that will automatically make calls, like hidden <img> tags...) to further restrict the search space. You can have middleware that does this transparently.
I'm not in that particular market, but I know people who are and tbh more often than not I think it's an arms race the individual simply cannot win. Unless there's a conscious effort from browser-makers to actively counter tracking practices, you should assume everything you do on the web is public and can be tracked by multiple parties.
But the question is if GA and others actually accept these kind of requests: remember that someone with such and such UA (or IP, or whatever) has visited that website? And if people actually use it? I still have my doubts that tracking someone by UA is possible — there will be collisions for the large part of the market — but that some analytics service is actually doing it? It's easy to track me if Google can "reach" to the client side when visiting some website: they can use cookies, all HTTP-request data, even flash-cookies maybe. It's a no brainer to track individual with information like this. But guessing who is who just by UA? This doesn't seem that trivial, so I wonder if they really do that.
Yes. It's all just data in the end. Javascript can handle collecting all the information outside of setting cookies. But cookies are outdated and just a fallback now so all you need is the javascript to run.
This can be as simple as hosting a copy of GA.js yourself but there are plenty of options like using the server-side API if you have GA enterprise or just using a reverse-proxy like Nginx with some rewriting logic.
3rd-party only means it's a different domain (with security usually implemented at the browser level) - it's not some magical wall of isolation.
Everytime you access a website a server is serving you files. Apache (and most web servers) keep logs of this. With Apache defaults you get IP address, the route accessed, and the User-Agent of the user. This is rudimentary information, but if you have these logs from multiple sites, it's pretty easy to roughly track someone. Tracking images in emails use this same principle, a unique link to krick.png is put in an email sent to you, and if it gets served by the server (shows up in the access logs) it's pretty reasonable to assume that you read the email.
If you want to see a simplified version of what this log looks like, run 'python -m SimpleHTTPServer' and visit localhost:8000.
Have you even read my message? Or the thread you are answering to for that matter? The question is not how website owner knows I visited his website, that much is pretty obvious, but if it is the case that server-side tracking somehow allows to use GoogleAnalytics as well (that is, to notify Google from server side who has visited their website) and if this is the case — how does it exactly work. Because that's what JupiterMoon seems to be claiming.
Because non-capitalist countries have a much better record of protecting and respecting personal privacy. Really?
The answers to this are twofold: Better national information security support* and regulation; Consumer action to chose vendors that demonstrate that they value personal privacy and prioritise information security.
* Which includes not deliberately, as a matter of policy, undermining security technologies and standards.
The best track record of protecting have Social Market countries. Social Capitalism, also called "Social Democracy", "Nordic Model", "Democratic Socialism", etc is generally the best model.
In a pure capitalist model it is okay if Facebook shares all your data with advertisers – if you don’t like Facebook, just vote with your money and go to Google+.
Sure but no country on earth, not even the USA, has anything close to a pure capitalist system in that sense. Furthermore Nordic Model countries vary, but are very much capitalist. From wikipedia:
"Sweden's industry is overwhelmingly in private control; unlike some other industrialized Western countries, such as Austria, Italy or Finland, state owned enterprises were always of minor importance."
In fact I think I can make a strong argument that capitalism relies on property rights and therefore the rule of law, which tends to support individual rights in general including privacy.
Yes. Every country is in some way "social", but social market economies focus strongly on keeping a balance.
Especially in the US the balance has been skewed since forever towards capitalism.
Historically, Social Market Economies evolved in countries where the population was supportive of socialist and communist uprisings, but the ruling class tried to keep the economy, and implemented the same benefits as in a socialist system in the existing market economy (See Bismarck’s Social Welfare model in Germany and the history of Bismarck vs. the Social Democrats on this).
What I'm arguing against us the implication that such 'social market' economies are in any way not capitalist or less capitalist than others. Its a false premse. Nordic model national economies can be very capitalism friendly or very statist.
It already happens unofficially. How do you think banks assess your lending/borrowing habits when you apply for a loan? There are detective agencies who track credit cards and other things (like a few examples someone gave in this very thread).
There is a huge difference between a "private" rating system and a public rating that uses your friends against you as manipulation. See Extra Credit's description[1] of how this works.
We aren't there yet, but consider that Facebook wants to use your social network associations in your credit score[2].
Jesus. If that first video is true, then that's what should be top-upvoted submission on HN. Why isn't it better known? I mean, at least I personally never heard about it and I might be not the most informed person on the Internet, but certainly I'm not the least. And this is much more important thing to know than… well, everything I usually hear on the news.
I don't get often surprised by all that dystopian stuff, because I assume we already are quite fucked, but this one did surprise me. That's just crazy.
That video has been submitted numerous times, but it never got any attention.
To be clear, I believe there is some disagreement as if this is one or multiple programs in China, but that doesn't really matter; we need to defend against the establishment of this kind of program regardless.
The trick where positive reinforcement is used to trick people into wanting to participate is utterly terrifying... because it will work. It's obvious that it will work, because it is effectively the weaponization of "high school clique"-style tribalism and carefully re-framed self interest.
For some perspective, the weaponization of cliques and "othering" is very old, and it has worked for just as long. We call it politics.
But a state sponsored gamified social network where the incentives are all designed by the ruling class, and the penalties have the force of law, is pretty darn awful.
Hopefully the affected citizens prove to be as unpredictable and hard to control as others have in the past, because that's really their only hope.
It looks like it is starting to get some attention at least. Here is HN discussion of the article that seems possibly the primary source for the video:
https://news.ycombinator.com/item?id=10329733
It sounds like the system does not currently use politics and such, but the government would like to combine it with the existing citizen tracking system which is employer based.
I think the US system is fairly insidious as well and has more government influence than it might seem (look into "redlining" for instance and the role the government played). Creditors can know quite a bit about your private life (particularly if you significantly outside the mainstream) and I don't think it is that uncommon for individuals to share credit scores. In any case, I think it is worth considering how "social trust systems" work everywhere and not just in the worst imagininable case. It is harder to think about in the less obviously centralized cases.
Thanks - that is a really good video - I had heard about that scheme but I hadn't thought about the implications for an entire society of using gamification in that way.
American living in Europe here. In some ways, having no credit history is worse than having bad credit. For example, when I signed up for my first 'post-paid' mobile contract, I had to put a much larger deposit down than my friends with bad credit did. Theirs was about $500 and mine was $1000.
Look at ways to establish at least some credit history sooner rather than later, as this will make things easier in the future. For example, even if you do not need a store credit card, you might get one and charge routine purchases and pay the full about each month. This avoids any extra costs and builds credit history.
You're a "ghost". Your FICO credit score will probably be pretty OK (in the 600s) if you have no derogatory credit, but with no (US) history of high credit, and no established history of attachment to your job and address, any loan analyst worth their salary will be skeptical.
You will probably have to pay a rate premium unless you go through a lender such as a credit union that you have an existing relationship with. Your provable income will be your biggest asset.
As a non-US citizen, it makes sense that you will be perceived as a higher risk of absconding since you could leave the country permanently at any time.
But in my defense I have a very common name, in fact the same name of a major politician. The email address I provided Dell was a single use disposable email address. So I have no idea of how they managed to correlate me to my employer.
I recently experienced this with a software vendor after trialing some of their software. It's one of those forms where you have to enter some personal info before downloading the installer, and while I provided them with my email address I deliberately dodged entering my employer information. Imagine my surprise when I get a phone call from them at work asking how that software was working out for me.
To be fair, I hated the software and wasn't going to buy it. That phone call certainly didn't nudge me in their direction though.
I ordered a laptop from Dell, providing no information about my small employer. I ordered it from my own laptop but it was on my work's WiFi when I ordered it.
They called to confirm some BS about the order, and mentioned my employer's name. I was pretty stunned. I'm thinking they correlate IP address of your purchase on Dell.com with employer, I've heard such databases are available, but it's pretty surprising to me... not sure what else they do, except yeah, maybe googling their customers.
It doesn't sound like Dell has been very effective here: likely attackers downloaded the database raw or it's one of their many contractors who log in remotely. Last time I saw that interface it was a web form that someone could access from any machine!
This is serious.
If you have customer data, you need to log access to that data, and you need to audit access to that data, and (very important!) you need to have a zero-tolerance policy. This isn't trivial to set up, but it's necessary; The CTO is responsible here, not some "website hackers".
>If you have customer data, you need to log access to that data, and you need to audit access to that data, and (very important!) you need to have a zero-tolerance policy.
In an ideal world yes, but sadly here on planet reality I would be surprised if Dell even knows where all of its "customer data" is regardless of what certifications they are in compliance with.
They share that data with 100's of 3rd parties from outsourcing some of their own support services to some 5 man consultancy form Singapore that the CFO heard about on his last flight that sells them advanced analytics.
While it's true that today customer data isn't shared that easily (at least in newer organizations that care about this) with an organization as old as Dell they might have data sharing relationships going past 2-3 decades that trump that and that sadly many people even C level at Dell might not be aware off.
Not to mention that under the various 3rd party clauses many organizations pretty much use customer data as a commodity delegating it's distribution to various low level sale's execs that would send it to who ever would take it as long as they can get more accurate predictions for the next quarter to hit their targets.
The CTO is responsible here, not some "website hackers".
If only that bore up in reality - you need only look at any number of recent high profile breaches (TalkTalk, for instance), to see that the "hacked" (incompetent) party gets sympathy, the exploiter gets prison time.
As to how this is happening - quite likely exactly as you say. They have extreme staff churn in their Indian operations, and all it takes is a few dishonest individuals to make this sort of thing become widespread. I've even had Dell sales reps contact me from their personal email address trying to get me to scam Dell (buy servers, I get commission, you return, I give you 50% of commission, deal?), so this is as unsurprising as it gets.
I think it's systemic, and we need to be very clear what we want a company (like Dell) to do in this situation.
Programmers are not usually held accountable for their own bugs, and I think that needs to change too. I don't recommend prison time, but maybe just some humility?
Bankers do the same thing: Past performance is not a guarantee of future results, and I get they're just doing their best, so why don't they put their own money in the same pot?
Heck, we expect the cafe to refund our coffee if they mix it up wrong, so why can't we just push that message upwards?
> Programmers are not usually held accountable for their own bugs, and I think that needs to change too.
I disagree. Bugs are created and will be created; it is up to the proper process to test the system and get rid of them. A bug that goes into production code is a collective failure. Why do you blame the programmer, but won't blame the tester, or the guy who designed the test, or the guy who designed whole workflow, or the architect who planned the system?
> Why do you blame the programmer, but won't blame the tester, or the guy who designed the test, or the guy who designed whole workflow, or the architect who planned the system?
Where did you get the idea that I don't?
I think people make mistakes sometimes (myself included), but I don't somehow think that diminishes the mistake.
I also think the programmer has less responsibility than the architect, or the CTO (which is why we pay them more). I don't like that shit only runs downhill.
The best programmers have a choice of where they work, and will avoid environments that have a reputation for excessive blaming or scapegoating.
So it's a self-defeating strategy for a company to take. Only the desperate need apply.
Better to create an environment like the fabled NASA software lab, where individuals are never blamed -- only the "process". That will attract high-quality applicants.
Then Mark Zuckerberg and Larry Page are responsible for a lot of things...
But as long as they come and cry on stage about how we should trust them and help them make the world more "open and connected" I guess it makes it okay.
If the NSA, Sony and the Director of the CIA can't protect their data, how am I supposed to realistically ensure less educated\tech savvy family members, customers, employees protect theirs?
Even if everything leaks, and there is a story everyday of the week for anyone paying attention, things have become too big to fail.
It's like the Steve Carell character says at the end of the 'Big Short' -
"There's going to be a bailout. They knew the taxpayers would bail them out. They just didn't care. And in a few years we'll go back to what we were always doing...blame the immigrants and poor people"
I think this attitude is a big part of the problem: Bugs aren't inevitable, not everything leaks, software doesn't have to be slow and bloating, and how were we supposed to know shouldn't be a defence.
I'm not happy about the status quo, and I'm becoming increasingly convinced that combining criticism and humility is the only way out.
Second this. In fact, I would rather argue that its better to stop forcing online registration of computers until the privacy of those who register is guaranteed. Its not as if registration is even needed, they already have a tag attached to each device, so they can track sales using that.
On the other hand, this problem is not specific to only Dell. Take the online web-forms of any other major Tech seller like Asus, Samsung, Motorola or HTC and their website sucks. Almost every one of them looks poorly designed and unprofessional which is more worrying.
It's not just tracking sales though, it's CRM, so every time they speak to someone about replacement/warrantee they need to know who they spoke to and audit frequent complaints either as abuse or something systemic that needs to be chased with a supplier.
I know why Dell needs to do this, but the C-suite is responsible for dieselgate and this kind of thing needs to be developed smartly, with taste, and with a consideration about what can fail (and how bad it can get). Bread and butter: Encrypt everything, long audit trail; Sysadmins don't need to read the databases (and can log need for keys), engineering doesn't need to read personal data, helpdesk don't need to log into servers, and no service needs unauthenticated and unlogged read (even internally; e.g. for automated reporting); Get audited by someone competent.
I handled 1bn daily records with 100% uptime, and max 6hr delay reporting using a single server, so there is no excuse except an incompetent CTO.
I actually wonder if Dell was hacked or this is some 3rd party info sharing that got leaked the old fashion way.
The problem with these types of cold call scams is that they do not scale, it seems a bit odd that a group could target a company the the likes of Dell would resort to such tactics (And yes I am fully aware that they could've breached Dell and sold the data but then I'm not sure that phone scammers would be in their price range).
My bet would be on a 3rd party losing some data or getting hit, or even just employees doing it the really old fashion way print out couple of 1000's of profiles and go to work your operation most likely wont scale much beyond that anyhow.
But in general allot of that info could've been fished even the Dell support tag. Dell's own support website has an auto detect feature that scans for it on your machine it supports .NET HTTP distro app, ActiveX and a few other plugin methods and if you have the Dell Support bloat ware installed I think even JavaScript could potentially work.
(Don't remember if Dell was affected but over the years multiple laptop vendors were found to leak support info over LAN/Ethernet as they run various services both during boot and later through the bloatware they ship the machines with)
If you have the support tag you usually can access old tickets opened on that tag either online or by social engineering their support team (With IBM support in the UK if you have the S/N you'll see all past tickets in their system) the rest of the data like name and phone numbers can be found out quite easily.
So if you want to scam people by pretending to be Dell support you should be able to do it without actually needing access to their customer DB.
Throwaway account because I just shared this story with a buddy of mine:
I, too, have received these "Dell" tech support calls and angrily yell at them as I hang up within 15seconds.
Lately though, I received a bombardment of calls (15 to be exact) in the past 3 days from the same number. I answered the one of them, and it had the same 1minute 10s message saying to call the number back regarding a computer threat they found on my computer (the voicemails are all 1min 10s).
These calls woke my kids and I up every..damn..day. The calls kept coming on my work and personal line. Without dialing back the number, I'll never know how this crap even started.
I feel bad for others out there who may actually fall for these kind of tactics
I prefer not to hang up right away. Instead, I try to waste a bit of their time. For automated calls, I just put down the phone and wait a while to hang up.
But for people? I try other means of time wasting, so they can't call someone else to scam them.
Last time they called, I told them that it was good that they called, because my computer had detected a virus on their computer and that I wanted them to download an install malware.exe to remove it.
Next time they claim to call from Microsoft, I think I'll tell them I'm glad they've called, because I really need to speak to Bill Gates. Or if he's not available, Steve Ballmer.
I guess Bill might not answer his own phone any more, but I have to admit that I wonder what Bill does if he gets a call from them?
Maybe next time I should say that I'm Bill Gates and they're all fired?
At least this is more amusing than simply hanging up in disgust. And it helps slow down the rate at which they scam new people, even more so the more people who do this.
I had a lot of fun with someone from "Microsoft IT Support" just before Christmas : )
Tried to do a reverse phish and connect to their TeamViewer[0] but I didn't have time.
At least for an hour I bothered them by being the most clueless user I could get myself to be, "mistyping" urls so I ended up on tech websites instead. I also made notes to add to my previous guesswork on how they manage to fool users.
[0]: Yep, that or another seemingly legitimate remote access tool is what they use around here. Why TeamViewer cannot stop them I have no idea, these kinds of connections (India(?) to rural Western Europe) should stick out like a sore thumb in the data sets IK would guess?
But none of those legitimate ones try to connect to me (IT tech, TeamViewer should know), my brothers and in-laws across the country etc etc all in the same day.
Off the top of my head typical TeamViewer usage should be more like some new, some recurring I think.
Put the phone on speakerphone with the volume down, don't listen to them at all and just get on with what you were doing, make some occasional noises to keep them interested. They normally get fed up after about 5-10 mins though.
If you do decide to call back, make sure you check the number online first. There are some phone scams that involve getting people to call back pay-to-talk (I don't know what the proper term is) numbers.
It would be nice - not a solution, but an improvement nevertheless - if there was something like a "firewall" for phones, that allowed you to block calls based on the caller.
I have never been harassed like that, but I have often wished for a feature like that.
Sincerely, thank you for reporting this and helping bring it to the spotlight. It's too easy for things like this to fall under the radar of any major acknowledgement, letting corporations get away with major scandals without any accountability.
Am I the only one thinking that we've lost total control over the machines and data we've created. It seems like nothing is safe and or verifiable anymore. Add to this the backdrop of governments wanting backdoors. People calling you in the US pretending to be from the "IRS" and yet nothing is/ can be done about it?
Maybe its really high time for C and its buffer overflows to go... And SQL injection.
We're tech savy here, yet sometime even we fall for these things. Its starting to get actually expensive.
I hate to be all conspiracy theory about this, but if/when the banks fall down like this....
From one of the comments in the article, it's probably more like we've lost control of how businesses work. Many people don't like the phrase "race to the bottom", but that's what comes to mind when you get to see how personal data is handled to third parties and/or cheap, expendable workforce.
At that point, one would expect to see increasing regulation kick in. It did historically for other kinds of service, e.g. financial services, insurance, public transport &c.
Assuming an averagely careless programmer, a language made out of shotguns will produce more errors than a language with the occasional presence of shotguns.
When simply trying to concatenate 2 strings can result in arbitrary code getting executed, memory leaks, actual data-loss or fatal program instability (or all of those), it's pretty obvious the C language itself is made out of shotguns.
Making simple things simple and safe will produce fewer errors and fewer security issues. I don't see how anyone can try to argue anything else.
C doesn't even have strings, but you would typically be using char arrays instead. All you need is a pointer to the array in order to access it.
However, if you just have the pointer then you are lacking to essential pieces of information, the length of the string and the capacity of the string.
The length of the string is however by convention determined by the first NULL byte (zero termination), so it is important that there is a NULL byte within the bounds of the allocated array.
Concatenating two "strings", is not particularily difficult, it just needs to be done with care.
If you find it complicated, then you should not use C, nor should you use it for things it's not intended for.
If you find it complicated, then you should not use C, nor should you use it for things it's not intended for.
In theory, string handling in C is straightforward enough. In practice, string handling in C is the source of a crazy number of security vulnerabilities and other bugs, even in popular and relatively well regarded software written by experts.
No-one should still need to use C in 2016. We know how to fix many of its problems and create much better programming languages now. Unfortunately, there is so much momentum behind the C ecosystem that in reality there are few practical alternatives yet, at least for low-level systems programming or high-performance number crunching work. Worse, there may not be enough commercial justification for the few organisations big enough to significantly move the industry in a better direction to actually commit the resources to do so, and this seems unlikely to change unless and until influential people start to care about the real costs of poor quality software.
Yes, I'm hoping that as Rust matures and its ecosystem grows we will start to see some improvements in the robustness of low-level software. It's one of the few alternative languages I see that seems to have significant potential in that area right now.
It's much more complicated than it seems. It's one thing to understand how to use C strings in a benign environment and quite another to be sure you don't create a security weakness with them.
> Concatenating two "strings", is not particularily difficult, it just needs to be done with care.
Driving home is not particularly difficult, it just needs to be done with care. Consequently tens of thousands die every year doing it.
Really, it's probably the case that if you find it simple, you shouldn't be using C. You will make mistakes doing that, and if you don't think so, those mistakes will be released.
Now, about things C was intended for... It was intended for everything. Nowadays we have better options for most uses, but it was indeed intended for web development.
> it's pretty obvious the language itself is made out of shotguns.
You are hitting the hammer where there is no nail! In this instance, the Dell WEBSITE was hacked which are (99% of the time) written in high-level programming languages like php, python or Java. No sane business uses C/C++ to develop a website. C/C++ is used for INTERNAL SYSTEM PROGRAMMING and those systems are already linux based and almost impossible to hack (Even in the rare instance that they DO get hacked, C/C++ has nothing to do with it).
I work with a team in India. I can assure you the Dell tech reps log into Dell's system and are not hacking via the website. This is an inside job and there are no simple ways around it. Cost benefit analysis shows Dell they can allow you to get ripped off. They are still are selling computers and saving tons of money offshoring. They have no reason to correct this problem. Glad I build my own PC's at home.
Making simple things simple and safe will produce fewer errors and fewer security issues. I don't see how anyone can try to argue anything else
Making things simple and safe is what leads an average careless programmmer to develop insecure websites. It's not simple to write a non trivial website that is safe for sensitive data. And the language is a small part of overall system security.
There are lots of alternative "safe" string libraries for C, so string handling is not a good argument against C.
If they could prevent/stop caller id spoofing, that would be a big help in at least the detection phase of phone system security. It's really hard to identify a threat if they can look like they're anybody.
This would also prevent instances of SWATing (someone calls a hoax call into a local police department to force a deployment to a hostile situation where one does not exist).
> People calling you in the US pretending to be from the "IRS" and yet nothing is/ can be done about it?
Not quite sure I understand your premise on that one. You can't stop people from pretending to be from the IRS any more than you can stop criminal activity by outlawing it.
Essentially anyone can call anyone else and pretend to be from a government agency. Ultimately you're going to have to verify that or otherwise know better, there is no practical technical means to stop it. There's a certain level of personal responsibility that comes into play there. That goes with similar things like falling for investment scams over the phone as well. Such should be pursued by the authorities obviously - and you're still responsible for your own person regardless, you can't be saved from everything: the IRS doesn't call people like that, it would take 30 seconds to figure that out via google. The same type of problem would arise if an impostor showed up at your door pretending to be from the IRS. How do you stop it completely? You don't, you arrest after the fact if you can; if it gets widespread enough to be a big problem, you attempt education outreach to teach people not to fall for it. These types of scams are ancient, and will never stop existing (the scammers will always adapt); the only highly effective means of stopping it is awareness.
I think the suggestion would be something like having SSL certificates tied to phone numbers the way they're currently tied to domain names, such that there's a difference between a call from some phone number that when reverse-lookuped says "the IRS", and a call that actually shows up as being from "[padlock] the IRS"; and eventually the former could become "[x] Probably Not Actually The IRS".
These scams rely on nobody tracing them back. The phone system is completely insecure, loses are too small to prosecute properly, and it hits mostly people who don't know how to defend themselves. The whole idea of unauthorized phone systems and impersonating officials is probably only going to go away after it actually hits someone who "matters". For example soon after a well known politician's house gets swated a few times and they learn it's how hard is it to track it down. (if the caller knows how to protect themselves and do a few redirections, that is)
SS7, which carries telephony routing and ID info, doesn't have anything like message signing or SSL certs. It was designed with the assumption that telcos trusted each other. Then came VoIP, and with it, signal transfer points which forward call ID info. There's firewall-type filtering at signal transfer points, but it doesn't help much with validating the original source of a call.
I know that too well unfortunately - worked in a voip telco which allowed users to set any callid as long as they signed a paper promising to be good. (standard procedure) The funny thing is that SIP does allow signing signaling via TLS, it's just not used that way.
But that doesn't mean there's no solution for tracing calls. It needs just one extra law for telcos to solve most of this issue: "Either you can prove/point to the interconnect which originated this call, or you take full responsibility for this call and its contents." Then law enforcement can just continue to the next company and the next until they get to the subscriber.
Two answers to questions I expect: - What about international numbers? If you get a call from Russia claiming it's IRS, that's really not plausible - that can be understood by everyone. If telco gets a call from Russia with US callerid, then again, its their responsibility to only choose partners which they can query to check if that's valid. (it's not a huge barrier - telcos are already aware of various international issues)
- This will require registration of all subscribers with real details, what about privacy? Yes, yes it will.
There's quite a few fields in SS7 not accessible via SIP, one of which should indicate whether or not the call was originated internationally or not.
Whether or not a call with domestic looking CPN from an international location will be accepted is up to the switches handling it, but they're designed to successfully complete a call in almost any possible circumstance. It's possible that the international gateway might rewrite the CPN field with something else, but I doubt they'd go as far as refusing to let it through.
The screen parameter within SS7 details whether or not the CPN field has been defined by the end user. Most SIP users won't have access to this either, but the vast majority of calls from them (but not from other sources) will look like the number is user provided. For that reason, some voicemail systems that've historically let you log in automatically just by setting your CPN to the subscriber number have started to only let you do that when the screen parameter is set to network provided.
You do realize that if "they" took C away from us, then all we would be allowed to use is closed source lock-in oriented ecosystems to the point we wouldn't even be able to trust the very language itself. That's always been the dream, trusted computing all the way from boot to .NET (or similar). You can not in the same breath call for secure computing and spread propaganda against C. (I know it's too much of a leap for most, but it's the same non sequitur as being against government's tight grip on society and for gun control at the same time.)
I don't get it. What's wrong with using something like Haskell or Rust?
The security there is in the type system at compile time, no Trusted Computing shenanigans, and you still avoid buffer overflows and SQL injections (if you use them properly).
Even something as lowly as Python mostly protects you from buffer overflows.
Regardless of the language, if it had a closed source runtime interpreter and/or VM that you forbade you from performing various sequences of operations on hardware that you "own", actively fought against you seeing what it was doing, etc - then you would no more be able to "trust" it than back-doored cryptography. (I'm getting sleeping, so that may sound wrong. Though it's been a popular troll/advocacy touch point since at least the mid 90s, so there should be plenty of resources out there if your are more curious. ie FSF for starters.)
That is not what either Rust or Haskell are. It would behoove you to have a passing familiarity with what someone says before responding to them combatively
What I am talking about is that some languages make writing safe code easier, that is code that behaves well as a program when compiled to machine language (or interpreted as is). Especially in the face of hostile inputs.
As an example, it is pretty hard to make your Python interpreter crash with a segfault using just pure Python code. (It is, of course, easy to generate a Python exception.)
Even though, this safety doesn't come at the expense of power: it is easy to tell the interpreter to get out of the way and let you muck around with raw bytes (ie by calling into C).
In the case of Python, the safety-by-default comes at the expense of performance. In the case of Haskell, it is either performance or program complexity. (Ie you can write fast Haskell code, but it looks weird.)
If you do call into something low level, it will be clearly visibly in your code that something potentially dangerous is going on.
Safe and correct behaviour by default is good. Profiling can help you find the few spots where you want to take over safety obligations from the automatic systems in return for extra performance.
Computers are great at brain augmentation devices - but if you spend all your time building the device, then you'll get a poor outcome and have wasted (most of) your life. That's the practical reason we want both mass produced hardware and transparent (and hence, controllable) hardware state. A world of augmented minds is much more problematic when a central authority can and does monitor everyone's mind, not the least of which because in such a state revolution would be trivial to eliminate even in it's earliest forms. And I believe all thinking humans have learned by now to distrust any system that can perpetuate itself so perfectly, and so indefinitely.
Fair. Although you could imagine a world where things like the original .Net trusted computing initiative succeeded in full force, and you could not purchase general purpose PC that let you execute any unmanaged code. Just look at the phone market, you can execute C code technically sure - but in unprivileged user space - with hardware you "own". (yes I know about rooting, but this is rhetoric about a hypothetical)
You're saying that the only replacement at the level of C would be an opaque proprietary solution, but I'm not sure why that would be true. I'm personally rooting for Rust.
It's going to take a lot more than a new programming language to fix the problems. If there's 10 million dollars worth of data to steal, that's enough to pay an entire team of professionals to work full time for a year or more on stealing the data, with a huge payout.
Being secure against that kind of attack is going to require an entire paradigm shift in how we approach security. New languages, new operating systems, and new assumptions about how much an attacker has compromised, including learning to keep things heavily compartmentalized.
Because there's huge amounts of money at stake, I believe banks operate with a far higher level of security than average companies doing business online ... for them its an existential threat.
Far more likely it's call centre staff who work for dell customer support abusing their system access than an external hack, this seems quite common across almost all brands and industries
Years ago at work, I noticed Dell's emails had an unsubscribe link that went to a "manage account" kind of interface. The idea was you enter your email address, go to some kind of "Manage Subscriptions" page, and you could opt out. Unfortunately, you could also see a bunch of Personally Identifiable Information including your first and last names, possibly your mailing address, and other information.
I reported this to Dell and got back a very dismissive, abrasive email saying something to the effect of "Well how else are we going to let people unsubscribe?", claiming that they had no other legal option. I just changed all my info to junk and left it at that; eventually they closed that hole, but it wouldn't surprise me if some site exists that still allows people to harvest anybody's information from Dell using nothing but their email address.
Back in February of 2013 I bought an XPS 13" convertible (nice btw, shocked it doesn't ship with Pro) and whilst it was on the way I got 2 very convincing looking shipping tracking scam emails that ask to run some executable and enter some details. They had the correct model of laptop and very specific timing. I've never had any other spam like in before it since.
Sadly gmail has removed the spam from so long ago and the initial Dell contact email must have been sent from a form as I only have the service desk reply with my correct shipping number to track myself.
Something doesn't make sense: How can it be worthwhile for the attackers to invest that much time in gaining access to one computer?
Given wrong numbers and that many people won't answer the phone, be near the computer, have time at that moment, or be willing to cooperate, and then add the time it takes to talk an end user through such a process, will they gain access to even one computer every 2 hours? How can that pay off?
There are many, many more efficient attacks. How about good old-fashioned spam?
The purpose of the scam is not to gain access to computers. The purpose of the scam is to fleece unsuspecting Dell customers. The scammers gain the trust of their victim by using misappropriated Dell customer data. They charge exorbitant fees for unnecessary services to the less technically competent.
My assumption is that the scammers are based in India or somewhere else where dollars go quite a bit farther than the US. Even apart from the potential for fraudulent charges, spending a few days to earn a few hundred dollars is definitely worth it in a country where the average income for a year is around $1300.
The title should really be changed, there is no confirmation they were hacked. I have an equally plausible theory -- You used the same username and password somewhere else that got hacked, or your credentials were stolen through some infostealing malware. Account takeover is a huge problem these days, it wouldn't surprise me if there is a tool out there written specifically to validate combo lists against Dell's website.
Same here back in mid-2015. We got a call from scammers with valid service ids of some of our equipment from Dell. I hope Dell comes clean on all of this.
I don't know about you, but where I live (Sweden) there are strict rules on how you can store personal data and who has access to it. It's also against the law to put people in "databases". I guess we still remember WW2 and how the Nazi used such registers ...
> It's also against the law to put people in "databases".
I find this very hard to believe. At face value I interpret this as saying that no company doing business in Sweden has any sort of customer database. Is this correct?
You need the customer's consent. So if they opt-in it's alright in most cases. But you can only store their personal data if you absolutely need to, and in a secure way. For example only store post address if you intend to send them snail male.
You can for example only have someone in your CRM if they are a customer. And if they ask you to remove their data, you must remove all information about them.
You do not have to worry if your company and all your equipment is located outside Sweden though. But as for example Facebook have a data-center in Sweden, you can actually request them to remove all your data.
Example of illegal database is a database for direct marketing. Or a register of race, religion or preferences.
It's been some time (10 years or so) since I've last bought a prepackaged computer (I build my desktops from parts) but do you really have to register your personal information with the manufacturer when you buy a prebuilt computer? Why would there be a need to do that anyway, wouldn't the serial number of the machine be enough for warranty purposes?
Well, generally speaking, if you order a computer online (as most people probably do) you give them your name, address, and phone number so they can ship it to you.
14:43 UTC+1, site not loading, DNS error (domain not resolved).
It seems DNS this was hosted on godaddy, but can't see the content now.
It was pointing to shared hosting on dreamhost.
The domain will expire in August, so that is not the problem.
The domain is in status clientUpdateProhibited, clientTransferProhibited, clientRenewProhibited, clientDeleteProhibited... the whois has been updated today.
Suggestion: if you are affected by this, get your attorney to reach out to Dell and get a response on record. You might be surprised. Their legal team will understand the risks of sweeping under the carpet or denying something they know about.
Superphish showed us that Dell is clearly willing to do something of that nature, but the data the hackers are alleged to possess (shared secrets, support histories, ...) isn't the kind of thing you'd sell. There is no proof, but there the author certainly presents plenty of evidence. Unless you have access to information outside this article, the most likely hypothesis is that their database was compromised.
I'd rather bet that real Dell outsourced tech support to some company in India, where very often business ethics towards customer records is virtually non-existent. But what else can you expect? If you are not paying decent money, be prepared that your data woll be sold, unless you are ReallY able to enforce control over it. I seriously doubt that Dell tech support is ISO 27000 compliant.
> If you are not paying decent money, be prepared that your data woll be sold, unless you are ReallY able to enforce control over it
From what I can see from a bit of Googling, Dell does pay their tech support people decent money. If Glassdoor is to be believed [1] [2], Dell tech support people in India make about 340k rupees a year, or about 28k per month.
That appears to be a middle class income for an Indian city dweller [3] [4].
[2] If the above link does not work without you being logged into a Glassdoor account, try Googling for "how much does dell pay tech support people in india" and clicking the Glassdoor result.
ommunist can correct me but I believe he was referring to having Dell tech support being located in a western country, instead of being based in asia. Yes it's more expensive to keep operations here, but we are more familiar with the business practices as well as the laws. Of course this is a price of "the race to the bottom".
Almost everywhere in the world had been doing business for thousands of years before the US existed. It's pretty careless to say that Asians are not 'familiar with business practices'.
They may not be all about your business practices. If yours get too weird and uptight they'll just return to doing business with the rest of the world and won't miss you too much.
It's fairly well known and accepted that regulations and rules in western countries are FAR stricter than those in Asian and Indian countries. If you care about privacy EU > US > everywhere else (any non western country has literally zero protections or laws about privacy that are enforced), if you care about workers being treated decently EU and US are bastions of fairly mediocre to bad treatment, everywhere else is sweatshops and de facto slavery.
Sweatshops and de facto slavery isn’t everywhere, but you’re kinda right, countries which were colonies before – mostly in Africa, Asia and South America – tend to have less wealth and prosperity.
They also are countries where there were enough immigrants that the native population was mostly displaced – it’s unfair to put them in the same category as colonies where only a tiny immigrant population ruled over the native population.
And even in some of these countries the wealth and prosperity for the native population has been an issue even in the past decades.
Either chaostheory edited their post o you missed a "the" before "business practices", presumably referring to the business practices of western countries.
EDIT: let's say you did, even though I doubt it. Even then I feel that it's pretty obvious that I was referring to familiarity with western business practices (and laws) and not business practices in general.
What do I expect? I expect the people that I send sensitive data to to be able to protect it. Blaming their overseas offices and partners doesn't make it better or relieve them of responsibility.
And Dell isn't some too-cheap-to-be-true, fly-by-night operation. Saying that their customers were basically asking for it is bollocks as well.
What do I expect? I expect the people that I send sensitive data to to be able to protect it.
Desire, maybe, but expect? That's so far from reality are there any grounds for expecting that these days? Has any company successfully kept /all/ sensitive data from hackers?
At one point in the 1990s, Dell shifted all of its tech support to India, ruining its world-class staff in Round Rock (TX).
Complaints got so bad that they re-established the Round Rock organization for corporate customers; retail buyers were still stuck with the offshore staff.
Funny how the more things change the more they stay the same. In Australia they outsourced all their support to India. They nearly lost numerous big corporate and government accounts, so they brought back support to Ausyralua for corporates pretty quickly.
I can't understand why these overseas call centres are do terrible! I don't want to resort to racial stereotyping, what is it though that cause such dreadful customer service experiences?!?
Who cares where it is? Regardless of the country or the salary, phone support workers can be corrupted by a relatively small chunk of cash. Since when has first line tech support ever been a comfortable, dependable 'job for life'. Go blame India if it makes you happy, but bored and broke workers will sell you out anywhere in the world.
>If you are not paying decent money, be prepared that your data woll be sold,
This is a terrible idea. How do I determine what is decent money enough not to have my information leaked? Do I have to buy Macs for life in order to prove that I don't want my information leaked? that's silly!
> I'd rather bet that real Dell outsourced tech support to some company in India, where very often business ethics towards customer records is virtually non-existent.
Can you provide a citation to support your claim about business ethics in India? That's a rather negative statement about a large number of people. I've downvoted your comment but I'm happy to reverse that if you can back up your claim.
What totally pissed me off is that it was my sons laptop they called on and they called him directly since his number was listed when he called in for real Dell support about 3 months prior to the scam call. They had convinced him they were Dell until I walked into his room and heard 30 seconds of the call and asked why he called them, soon as he said he didn't I told him to hang up. They were persistent, calling him back many times over the next 2 months. I had to block the number to finally get it to stop and my son says he got a new call just a few weeks ago, new number same scam but at least he is smarter about it now.