[Hidden-tech] Lenovo pre-installed adware

Roger Williams roger at qux.com
Thu Feb 19 19:01:21 EST 2015


Those who are concerned their PC may contain this critical vulnerability (all of the recent Lenovo G, U, Y, Z, S, Flex, MIIX, YOGA, and E Series) can check at https://filippo.io/Badfish/. (The website was designed by one of the same researchers who published a site to scan websites for the catastrophic Heartbleed weakness in OpenSSL.)

-- 
Roger Williams <roger at qux.com>
Chief Technical Officer, Qux Corporation

On 19 Feb 2015, at 17:25, Tim Boudreau <niftiness at gmail.com> wrote:

> None of the articles quite spell out just how bad this is:
> 
> If you go to an internet cafe, or use a wifi network you don't trust (say, in an airport), and you have a Lenovo laptop with the stock Windows install on it, anybody can set up a web site that pretends to be your bank, set up their DNS server to send connections to, say, bankofamerica.com to the fake site, and you will get no indication that it is not really your bank.  None at all.
> 
> SSL certificates are what your computer uses for proof that the website it thinks it's talking to really is what it says it is.  Your computer has a small number of "root certificates" that are owned by companies like Verisign.  Companies that want a "trusted" web site buy an HTTPS certificate that was signed using one of those "root certificates" - signing is a mathematical operation that lets your computer prove that the certificate it got from, say, bankofamerica.com, is vouched for by one of the companies that holds a "root certificate".
> 
> If you poison the well, as Lenovo did, by including inside your Windows install an untrustworthy root certificate, then you cannot trust that any web site is what it says it is.
> 
> -Tim
> 
> _______________________________________________
> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> Hidden-discuss at lists.hidden-tech.net

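The trust decision Tim describes, as an added example that is not part of the original thread: the same certificate for the same hostname is rejected or accepted depending only on which roots sit in the trust store. It assumes the openssl command-line tool is installed; the root names, the hostname bank.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate here is generated locally.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# make_root NAME: self-signed root certificate NAME.crt with private key NAME.key
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.crt" 2>/dev/null
}

# make_leaf ROOT HOST OUT: certificate OUT.crt for HOST, signed by ROOT
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$demo_dir/$3.key" -out "$demo_dir/$3.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/$3.csr" -days 1 -CAcreateserial \
        -CA "$demo_dir/$1.crt" -CAkey "$demo_dir/$1.key" \
        -out "$demo_dir/$3.crt" 2>/dev/null
}

# chain_status STORE CERT: "trusted" if CERT chains to a root in STORE
chain_status() {
    if openssl verify -CAfile "$demo_dir/$1" "$demo_dir/$2" >/dev/null 2>&1
    then echo trusted
    else echo rejected
    fi
}

make_root public-root        # stands in for a root held by a real CA
make_root preloaded-root     # stands in for a root shipped in the OS image
make_leaf public-root    bank.example.test genuine
make_leaf preloaded-root bank.example.test lookalike

# The clean machine trusts only the public root; the poisoned one trusts both.
cp "$demo_dir/public-root.crt" "$demo_dir/clean-store.pem"
cat "$demo_dir/public-root.crt" "$demo_dir/preloaded-root.crt" \
    > "$demo_dir/poisoned-store.pem"

# Print the verdict for each store/certificate pair.
for store in clean-store.pem poisoned-store.pem; do
    for cert in genuine.crt lookalike.crt; do
        echo "$store  $cert  $(chain_status "$store" "$cert")"
    done
done
```

Nothing about the lookalike certificate changes between the two checks; only the store does, which is why reviewing the machine's trusted roots is the meaningful check.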