> What were they thinking? D:

Security is hard. Let's go shopping.
On Thu, Feb 19, 2015 at 7:02 AM, Hazel <[email protected]> wrote:
> So, for those who haven't seen this yet...
>
> According to Errata Security[0], The Register[1] and ZDNet[2], it
> turns out that Lenovo has been shipping a piece of adware/malware
> called "Superfish" on their Yoga 2 laptops, which includes their own
> bogus root CA certificate in order to inject ads into HTTPS sites.
>
> Except they've installed the *PRIVATE* key[3] onto every one of these
> laptops as part of that software, so someone who has extracted this
> private key could use it to compromise SSL connections made by these
> laptops.
>
> And Lenovo are saying that "we have requested that Superfish
> auto-update a fix that addresses these issues". Which fills me with
> deep confidence.
>
> What were they thinking? D:
>
> Cheers,
>
> Hazel
>
> [0] http://blog.erratasec.com/2015/02/some-notes-on-superfish.html
> [1] http://www.theregister.co.uk/2015/02/19/superfish_lenovo_spyware/
> [2] "A Google security engineer, Chris Palmer, confirmed on Twitter
> that Superfish was intercepting SSL/TLS connections and injecting its
> own self-signed certificates for all sites on a Yoga 2 laptop,
> including for Bank of America." --
> http://www.zdnet.com/article/lenovo-accused-of-pushing-superfish-self-signed-mitm-proxy/
> [3] The encrypted (in the same sense DRM is "encrypted") private key
> -- https://twitter.com/supersat/status/568329299494744065
_______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
