Lenovo hardware compromised

Quote:

Originally Posted by Rbneader

If you're going to be outraged, get outraged at the reasonable culprit (Chinese government, in this case), not just the popular target.

Is the Chinese government the culprit here? Don't get me wrong, they are as guilty of tracking the activities of people as other governments. On the other hand, these invasive practices are not the domain of governments alone. I routinely configure and modify my devices to limit what they leak and who they leak to simply because it is also a common practice among businesses.

[Rbneader]

Quote:

Originally Posted by BWinmill

Is the Chinese government the culprit here? Don't get me wrong, they are as guilty of tracking the activities of people as other governments. On the other hand, these invasive practices are not the domain of governments alone. I routinely configure and modify my devices to limit what they leak and who they leak to simply because it is also a common practice among businesses.

Yeah, that post was typed out in a hurry and I should have expanded.

They're more likely the culprit then the NSA, and since the person I was responding to was conflating businesses and governmental agencies I just went with that assumption and didn't try to rebut it. The complex world of business-government deals is tricky and if someone is just going to assume they're all the same it would take a major off-topic debate to get all the facts straightened out. My post was more aimed at 'if you're going to blame a governmental agency, blame the right one, because the US doesn't run the planet'.

The Chinese government at the very least is fostering an environment where this kind of thing is acceptable and expected...and for a major international Chinese company to put out a product that hijacks all encrypted connections, I would be very surprised if the government weren't involved somewhere.

You're right that this could easily simply be a business-as-stupid-as-usual screwup, though.

[Bilbo1967]

Quote:

Originally Posted by Rbneader

Hm. I didn't read the sentence that way - the way the sentence is constructed seems to me to be 'Of course Lenovo doesn't think they're Facebook, Lenovo is a subsidiary of the NSA'. You could be right, I just didn't read it that way.

It could certainly be read either way I think. It just seemed unlikely to me that anybody would suggest that a Chinese company was part of the NSA.

[AlexBell]

Quote:

Originally Posted by Rbneader

Hm. I didn't read the sentence that way - the way the sentence is constructed seems to me to be 'Of course Lenovo doesn't think they're Facebook, Lenovo is a subsidiary of the NSA'. You could be right, I just didn't read it that way.

Yes, I did imply that Lenovo is a subsidiary of the NSA. I wrote in haste, influenced by the recent news from Kapersky that the NSA has implanted spyware on the hard drives of many computers.

And I accept that the NSA is not the only villain around. But any number of wrongs don't make a right.

[bgalbrecht]

Actually, it appears that the blame mostly rests on an Israeli firm, Komodia, whose tools were used by Superfish. According to Forbes, there are other apps that are unsafe because they are using the Komodia libraries, including at least one parental control product. Ars Technica article with more details on why Komodia is incompetent.

[crich70]

Quote:

Originally Posted by AlexBell

Yes, I did imply that Lenovo is a subsidiary of the NSA. I wrote in haste, influenced by the recent news from Kapersky that the NSA has implanted spyware on the hard drives of many computers.

And I accept that the NSA is not the only villain around. But any number of wrongs don't make a right.

True. Of course our world is ever more paranoid with how we hear more and more about various news items that end up under the P&R forum banner. Who is responsible for what is easy to confuse.

[eschwartz]

Of course, the best way to protect yourself is to have done the smart thing and installed your own operating system. You can do a clean reinstall of Windows, or better yet some linux distro which gives you a lot more control over what is on your system.

[Freehunter]

Looks like Lenovo is not the only one with a problem. Worse it is security software vendors.

Security software found using Superfish-style code, as attacks get simpler | Ars Technica http://arstechnica.com/security/2015...s-get-simpler/

Quote:

"Two more software makers have been caught adding dangerous, Superfish-style man-in-the-middle code to the applications they publish. The development is significant because it involves AV company Lavasoft and Comodo, a company that issues roughly one-third of the Internet's Transport Layer Security certificates, making it the world's biggest certificate authority."

Quote:

"Late last week came word that self-signed Secure Sockets Layer certificates installed by a company called Komodia caused most browsers to trust any self-signed certificate that used the same easily extracted private key. That was bad, but now, researchers have discovered vulnerabilities in the closely related proxy software of interception applications from Komodia and Comodo. The new insight makes it even easier for attackers to forge trusted credentials that impersonate Bank of America, Google, or any other HTTPS-protected destination on the Internet."

Worse than Superfish? Comodo-affiliated PrivDog compromises web security too | PCWorld http://www.pcworld.com/article/28876...-security.html

Quote:

"New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users’ PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo."

Quote:

"However, it’s not just Superfish or PrivDog that open such security holes on computers. Researchers determined that the Superfish vulnerability was actually in a third-party software development kit from a company called Komodia. The same SDK is used in other products as well, including parental control applications, VPN clients and software from a security vendor called Lavasoft."

I used to use Lavasoft Ad-aware, but got out of the habit of updating. Just use a sacrificial old laptop and limit where I go. Just use a regular antivirus and Malwarebytes Anti-Malware and scan regularly now.

Freehunter

[fjtorres]

Lenovo swears they won't be preloading crapware any more:

http://www.zdnet.com/article/lenovo-...tag=TREc64629f

Quote:

"We are starting immediately, and by the time we launch our Windows 10 products, our standard image will only include the operating system and related software, software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera), security software and Lenovo applications," the company said in a statement. "This should eliminate what our industry calls 'adware' and 'bloatware.' For some countries, certain applications customarily expected by users will also be included."

I'm not impressed.
Three exceptions too many among the four.

More at the source.

[murg]

Quote:

For some countries, certain applications customarily expected by users will also be included.

This about lets anything be pre-installed.

[fjtorres]

Quote:

Originally Posted by murg

This about lets anything be pre-installed.

Uh-huh.
Plus they admit they'll keep on bundling in "security software" and their own junkware apps. New rules? Pretty much the same as the old rules.

Perhaps someone who uses a current Lenovo system can comment, but the one I purchased a few years back included recovery software that (mostly) let the end user select which software to install.

Of course, software changes with the times and we certainly live in an era where businesses are willing to ship very invasive software for economic (or political?) gain. And, of course, the nature of Superfish makes Lenovo's inclusion of the software highly suspect.

[eschwartz]

I don't know, the two Lenovo laptops I have seen recently were both owned by the type of people who couldn't wait until after booting Windows for the first time before wiping the hard drive and installing Arch Linux.

[fjtorres]

From ZDNET, a possible "solution" to the crapware problem:

http://www.zdnet.com/article/is-it-t...tag=TRE17cfd61

Of note:

Quote:

Fortunately, thanks to some reporting by Forbes staffer Thomas Fox-Brewster, we know the depressing answer to one of those questions:

According to sources with knowledge of the deal, Lenovo certainly made less than $500,000 from Superfish. Forbes believes the deal was only worth between $200,000 and $250,000, a paltry sum given the massive earnings at the Chinese giant and the potential legal and PR costs the company has and will incur throughout the Superfish aftermath...
Seriously, Lenovo customers, they sold you out for pocket change.

I am positive that Superfish made an order of magnitude more from this sleazy deal.

Quote:

So maybe Microsoft can insist that its OEM partners stop polluting new PCs with unwanted software? Sorry, that's not going to happen.

For one thing, there's the painful memory of those awful antitrust actions. For years, Microsoft was forbidden from taking any action that would inhibit the freedom of its hardware partners to install third-party software:

The unintended consequence of allowing PC makers to substitute and support any software they want? Middleware became crapware. Desktops were splattered with icons for unwanted software. Preloaded media players and toolbars and add-ons and trial editions slowed PCs to a crawl. Even today, some retail PCs are crammed with so much third-party software that they take forever to start up. Microsoft still can't legally do anything to make your overall Windows experience better when you buy a Windows PC sold by an OEM. All they can do is try to shame their OEM partners into doing the right thing.

The U.S. consent decree ended a few years ago, but its painful memories live on in Redmond. And there are much fresher memories of billion-dollar spankings from the EU. Any attempt to actually prevent OEMs from installing non-Microsoft software on a new PC would be an open invitation for a new round of antitrust hearings and a few more billions of dollars/Euros in fines.

Quote:

So why not ask the U.S. Federal Trade Commission and its European counterparts to force PC makers to 'fess up and disclose every single penny, literally, that they received to pollute your PC? If the required disclosures included a list of 53 programs whose average utility is less than zero and for which the OEM collected a penny or so, would that perhaps be incentive for those OEMs to turn down some of those deals?

More at the source.

[PeterT]

Some of the models I've seen include finger print scanners for security. Probably this is what they mean by "Security Software"