None of the articles quite spell out just how bad this is. If you go to an internet cafe, or use a wifi network you don't trust (say, in an airport), and you have a Lenovo laptop with the stock Windows install on it, *anybody can set up a web site that pretends to be your bank, set up their DNS server to send connections to, say, bankofamerica.com to the fake site, and you will get no indication that it is not really your bank. None at all.*

SSL certificates are what your computer uses as proof that the website it thinks it's talking to really *is* what it says it is. Your computer has a small number of "root certificates" that are owned by companies like Verisign. Companies that want a "trusted" web site buy an HTTPS certificate that was signed using one of those "root certificates" - signing is a mathematical operation that lets your computer prove that the certificate it got from, say, bankofamerica.com, is vouched for by one of the companies that holds a "root certificate".

If you poison the well, as Lenovo did, by including inside your Windows install an untrustworthy root certificate, then you cannot trust that any web site is what it says it is.

-Tim