Gator anyone?  Seriously, this is such a bad idea... and sadly, Lenovo had 
come to be seen as a good alternative to Dell, HP, Apple and others given some 
of the concerns with certain TLAs.  This is right up there with AT&T requiring 
people to pay to NOT have their web usage tagged and monitored for targeted 
ads.  I do not like the way things are moving.

 - b

> On Feb 19, 2015, at 7:06 AM, Matt Simmons <[email protected]> wrote:
> 
> > What were they thinking? D:
> 
> Security is hard. Let's go shopping.
> 
> On Thu, Feb 19, 2015 at 7:02 AM, Hazel <[email protected]> wrote:
> So, for those who haven't seen this yet...
> 
> According to Errata Security[0], The Register[1] and ZDNet[2], it
> turns out that Lenovo has been shipping a piece of adware/malware
> called "Superfish" on their Yoga 2 laptops, which includes their own
> bogus root CA certificate in order to inject ads into HTTPS sites.
> 
> Except they've installed the *PRIVATE* key[3] onto every one of these
> laptops as part of that software, so someone who has extracted this
> private key could use it to compromise SSL connections made by these
> laptops.
> 
> And Lenovo are saying that "we have requested that Superfish
> auto-update a fix that addresses these issues". Which fills me with
> deep confidence.
> 
> What were they thinking? D:
> 
> 
> Cheers,
> 
> Hazel
> 
> [0] http://blog.erratasec.com/2015/02/some-notes-on-superfish.html
> [1] http://www.theregister.co.uk/2015/02/19/superfish_lenovo_spyware/
> [2] "A Google security engineer, Chris Palmer, confirmed on Twitter
> that Superfish was intercepting SSL/TLS connections and injecting its
> own self-signed certificates for all sites on a Yoga 2 laptop,
> including for Bank of America." --
> http://www.zdnet.com/article/lenovo-accused-of-pushing-superfish-self-signed-mitm-proxy/
> [3] The encrypted (in the same sense DRM is "encrypted") private key
> -- https://twitter.com/supersat/status/568329299494744065
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

Branson Matheson
[email protected]



