Lenovo pre-installs PCs with HTTPS hijacking adware
-
Since the adware is doing the MITM, it has the private key stored locally, so anyone can get a hold of this private key and use it against an Lenovo computers.
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections
-
Wipe the laptop and install FreeBSD…
-
Great, just great… I've be recommending Lenovo machines and now I need to make a few calls.
-
I'm sure this highly engineered MITM attack is just a accident. They didn't mean to do it…
-
[Lenovo honestly thought you’d enjoy that Superfish HTTPS spyware
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.
](http://arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/) -
"Yeah - Not everyone gets to read your supposedly encrypted banking, email, whatever traffic…. Just us, and whoever we decide to share with...
How is that a security issue?"
I'm sure thats what they were thinking anyway.
-
Should be called Superphish.
-
Share it? You can pop the keys out faster than getting them from Lenovo by e-mail!
http://www.theregister.co.uk/2015/02/20/lenovo_caves_in_face_of_public_firestorm_release_superfish_killer
Security experts are warning that the Superfish code is so badly designed that it is easy to extract the private key to its root CA certificate. This private key can be used to generate SSL certificates that a nefarious website can use to masquerade as a legit site.
and how to clean it
http://www.zdnet.com/article/how-to-remove-superfish-adware-from-your-laptop/
-
Yeahhhhhh…. Noooooo...
If they are underhanded enough to install something like that on my computer, who else knows what else is lurking yet undiscovered.
I'd burn the whole install. Format/Wipe the drive, install OS from Base OEM distro.
-
how do we know hardware is not already compromised too right from get free of charge ??
-
To me this speaks volumes to what Lenovo thinks about their customers.
Not that all manufacturers don't hate us but need our $$ so we're a necessary evil, Lenovo got caught.
RSA got caught too and nobody cares, so…
-
I always wondered about the big blue split. Seemed mighty strange at the time. Maybe in 40 years we will get the truth…
Anybody remember this:
http://www.washingtonpost.com/wp-srv/politics/special/campfin/stories/circuit070898.htm -
I remember extremely clearly…
-
Even Homeland Security is "urging" Lenovo customers to remove it
http://yro.slashdot.org/story/15/02/20/2357234/homeland-security-urges-lenovo-customers-to-remove-superfish
-
The rabbit hole goes even deeper :o :o
http://www.securityweek.com/superfish-ssl-interception-library-found-several-applications-researchers
-
Oh how wonderful…
-
And it would be good if this class action scared other companies into removing some of the pre-installed crapware from their distributions:
http://www.law360.com/articles/623675/lenovo-hit-with-class-suit-over-pcs-preloaded-spywareMaybe it is time to get serious about jumping from the Windows ship?
-
I would have expected that you would already have jumped ship for the most part.
You seem like such a smart guy.
-
Maybe it is time to get serious about jumping from the Windows ship?
Yeah because you can't do this in FreeBSD or Linux? Why would you blame Microsoft for a Lenovo issue? Seems like the Chinese have learned something from us, greed!
-
I think Microsoft is a known offender by now. Too many complicated holes for it to be an accident.
