Fw: [Cryptography] Lenovo laptops with preloaded adware and an evil CA

Evening,

Forwarding this to this list as I am aware thinkpad is popular. Looks though like Lenovo is shipping a really dirty adware

How can they have fallen for this?

Regards,
William

Original Message
From: Christian Barcenas <christian@cbarcenas.com>
Sent: Thursday, February 19, 2015 9:47 AM
To: cryptography@metzdowd.com
Subject: [Cryptography] Lenovo laptops with preloaded adware and an evil CA

There's some interesting buzz online [1][2][3] about "Superfish", a bit of adware that Lenovo has apparently been preloading on some of its computers over the past few months.

While preloaded adware is bad enough, Superfish does something even worse: to allow itself to MITM SSL-/TLS-protected web traffic, it installs a CA into the Windows trusted root certificate store. This CA is apparently pre-generated and its corresponding private key comes with every installation of Superfish.

Furthermore, uninstalling Superfish does not remove this CA, so all users running Lenovo's tainted Windows installation are affected, even if they took the time to uninstall Superfish.

A user on Twitter has apparently forged a certificate for Bank of America's online banking system [4] and I expect that we will see more of these shenanigans to come to light over the next few days.

According to a thread on Lenovo's customer support forum [1], they are no longer pushing this adware on customers and are asking the authoring company to push a fix for this ASAP. Mozilla also has an issue on their tracker to mark the offending cert as "untrusted" in NSS. [5]

Thoughts?

[1] https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-ad...
[2] http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new...
[3] https://news.ycombinator.com/item?id=9072424
[4] https://twitter.com/kennwhite/status/568270748638318593/photo/1
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1134506

-- 
Christian Barcenas

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
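Added example, not part of the original thread: since the message above says the CA stays in the Windows trusted root store after Superfish is uninstalled, this PowerShell script lists matching roots in the machine and per-user stores and removes them only on request. The match on the string "Superfish" in the certificate's Subject or Issuer is an assumption, and the parameter names `Pattern` and `Remove` are made up for this example.

```powershell
# Added example: audit the Windows trusted-root stores for a named CA.
# Assumption: the unwanted root's Subject or Issuer contains $Pattern.
param(
    [string]$Pattern = 'Superfish',   # treated as a regular expression by -match
    [switch]$Remove                   # hypothetical switch: delete what was found
)

# Machine-wide and per-user trusted root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                PSPath     = $_.PSPath
            }
        }
}

if (-not $hits) {
    Write-Output "No trusted root matching '$Pattern' found."
    return
}

# Report first, so the operator sees exactly what would be removed.
$hits | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($hit in $hits) {
        # -Confirm prompts once per certificate before deleting it.
        Remove-Item -Path $hit.PSPath -Confirm
    }
}
```

Removing an entry from `Cert:\LocalMachine\Root` needs an elevated session. Applications that keep their own trust store, such as those built on NSS, are not covered by this check.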

On 19/02/15 08:41 PM, William Muriithi wrote:
> Evening,
>
> Forwarding this to this list as I am aware thinkpad is popular. Looks though like Lenovo is shipping a really dirty adware
>
> How can they have fallen for this?
>
> Regards,
> William

It is inexcusable and I will not defend their actions, regardless of the reasoning. To entertain a guess at your question though;

The laptop market has extremely tight profit margins and is fairly saturated with both boutique and budget players. I suspect someone behind Superfish came to Lenovo offering a very sweet bundling deal. So sweet, that the people responsible for vetting software partners didn't want to look too closely because they didn't want to risk finding a reason to say no.

This will hurt Lenovo, badly. Given their initial presser claiming to have reviewed the issue and that they found no significant security concern is worse than laughable. They had an opportunity to get out ahead of this PR crisis with a good explanation and a genuine sounding "mea culpa", but instead they effectively "double-downed" on their position that is a non-issue. That shows either embarrassing levels of incompetence at best or wilful desire to sacrifice their customer safety in the interest of saving face at worst.

tl;dr: They got handed a bag of money and then dun goofed when it blew up in their face.

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without access to education?

On Thu, Feb 19, 2015 at 08:41:16PM -0500, William Muriithi wrote:
> Evening,
>
> Forwarding this to this list as I am aware thinkpad is popular. Looks though like Lenovo is shipping a really dirty adware
>
> How can they have fallen for this?

Well they never did ship it on thinkpads, only on select consumer models (which thinkpads are not).

-- 
Len Sorensen