Anyone posted the Lenovo malware news yet?
-
The FISA courts have an insanely low number of rejections for warrants.
Well they don't have a lot of time to examine each warrant when they have to spend so much time acquitting cops who shoot unarmed citizens.
-
fox
Uh oh, now you've done it! @accalia has been summoned back to this thread.
Must offer a sacrifice...
-
Well they don't have a lot of time to examine each warrant when they have to spend so much time acquitting cops who shoot unarmed citizens.
Wrong courts. Yes, I know, you were trying to make a joke. It wasn't very funny though, so I decided to take it to tend the rabbits.
-
-
Close.
-
It's only a matter of time before someone who works at the NSA decides to use this stuff for their personal projects. Either to ruin an ex-girlfriend or in some money-making scheme.
Huh? They even have a internal term for that kind of breach LOVEINT and it seems a rather common breach.
First article i found:
-
Shhh... dude, they'll hear you
You expect they're not reading this topic? We've probably hit enough keywords for them to archive this thread.
-
Huh? They even have a internal term for that kind of breach LOVEINT and it seems a rather common breach.
Of course they do. We'd call that "De kat op het spek binden" - google comes up with "Trusting the cat to the bacon".
-
-
Just In case Homeland security Are eaves Dropping, I've cunningly hidden my Islamist message in the content of this post
-
Why would you be okay with spyware being put on your computer, even if it is by the government?
Yeah, I have no problem with them doing whatever to all them crazy foreigners. Government is best when treated like a claymore: Front towards enemy.
-
Front towards enemy.
Well, that would explain why they look like giant assholes all the time.
-
Shhh... dude, they'll hear you
Especially if you have a Samsung TV.
You expect they're not reading this topic? We've probably hit enough keywords for them to archive this
threadwebsite
-
Isn't Lenovo the brand all the crazy-security-conscious Lunix users buy?
Their hardware is generally very robust.
Why did it take so long for this to be detected?
Because the malware is part of Lenovo's factory Windows image, and therefore has no effect at all on crazy-security-conscious Linux users?
-
Should probably check the Lenovo I bought 6 weeks ago. I did remove everything Lenovo installed from it though.
Removing Superfish via Programs & Features might not remove the vulnerable spoofing cert from the Windows trusted root certs cache; better check that explicitly.
-
i prefer to be sure and the only way to be sure is DBAN
I've had Acer laptops delivered to the school with DBAN-proof foistware installed.
-
-
Good point.
Looks like Superfish got removed when I was removing the bloatware when I first bought it, but I'll check that.
-
I've had Acer laptops delivered to the school with DBAN-proof foistware installed.
NOT WANT DO I!
-
Here's how to kick it in the head. Also does no harm if applied to unaffected machines.
-
-
CNet has loaded a SuperFish detector. If you're too lazy to dig for it yourself, go here:
http://www.cnet.com/how-to/lenovo-superfish-adware-uninstall-fix/
-
except the trackpad, yuck
Yeah the Thinkpad trackpads are a bit iffy. I'm not a fan of the layout of some of the keyboard either - not sure if that's all models or just the ones we use.
-
Removing Superfish via Programs & Features
mightwill not remove the vulnerable spoofing cert from the Windows trusted root certs cache;better check thatexplicitly remove it.FTFY
And when I get home, I need to explicitly check Firefox too. Cause that's another thing that doesn't get cleaned up. Yoga Pro2.
[edit] I had uninstalled the software a while ago. Killed the cert last night. Then learned there's more...
-
Then learned there's more...
I got the cert earlier thanks to @flabdablet pointing it out.
-
the rootkit that the vendor may have helpfully preinstalled, not so much. i prefer to be sure and the only way to be sure is DBAN
Good luck with that if they installed a modified firmware
Also AVG thinks that its OK to do this too:
-
It's worse than you think: https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/
The Komodia proxy copies the server certificate almost entirely... What will it do with **alternative names**?
Alternative names are a X509 extension that allows to specify in a special field other domains for which the certificate is valid.
Boom. The Komodia proxy will take a self-signed certificate, leave the alternate names untouched and sign it with their root. The browser will think it's a completely valid certificate.
So all you need to do to bypass verification is put the target domain in the alternate field, instead of in the main one that will be changed on failure.
An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.
-
It's worse than you think: https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/
Wow. The authors of Komodia are bad and should feel bad.
-
Yeah the Thinkpad trackpads are a bit iffy.
Do they still have the "clitoris" mouse between the G, H, B keys? I remember preferring that one to the trackpad on my ancient P166 Thinkpad.
-
This shit would actually be super-useful for some stuff I'm doing, if it weren't wrong and evil as all fuck.
-
I've been trying to ask the security researchers for the fingerprints of the other intercepting CAs they've seen (using the same software) so that I can turn around and submit them to the Chrome builtin revocation list. I probably could be trying harder, though.
-
This shit would actually be super-useful for some stuff I'm doing, if it weren't wrong and evil as all fuck.
Either you're doing it locally (in which case just add your own CA), or for other people (in which case what you're doing is wrong and evil as fuck). This thing is just full of WTFs.
-
Do they still have the "clitoris" mouse between the G, H, B keys? I remember preferring that one to the trackpad on my ancient P166 Thinkpad.
That's what feminism did for us. Before feminism, nobody knew where to find it.
-
Wow. The authors of Komodia are bad and should feel bad.
Looking at who they are, I would say that their paymasters in Mossad would disagree with you.
-
Looking at who they are, I would say that their paymasters in Mossad would disagree with you.
That's absurd. Mossad can get a real CA to do it instead (the real default set of CAs will include at least one in Israel) and then they can do whatever they want. They really do not need to compromise everyone else in the process.
-
If you find out, link the bug number. Mozilla, Microsoft, and Apple have their own revocation lists and defect trackers and would be happy to party on.
-
Wow. The authors of Komodia are bad and should
feel badbe taken out and shot.Fixed that for you.
-
They really do not need to compromise everyone else in the process.
But (puts on tinfoil hat) it has worked very well so far, hasn't it?
It reminds me of my own security training, where we were told that in the modern world, Minox cameras and the like were far less probable attack devices than the humble photocopier, or (in really primitive places) the extra carbon copy.Meanwhile a lot of people are suddenly focussed on dodgy certificates being added to the pool, thus deflecting attention from the huge issue of SIM encryption theft by NSA/GCHQ, or their actual infiltration of the CAs.
-
Do they still have the "clitoris" mouse between the G, H, B keys? I remember preferring that one to the trackpad on my ancient P166 Thinkpad.
Yes. To each his/her own. I've never liked it; I find it more difficult to control than the trackpad. It seems like the pointer always moves too fast and winds up in the far corner of the screen, or too slow and takes forever to drift to what I'm trying to point at. The sweet spot in the middle exists, but is hard to hit. I used it enough on a previous laptop that I don't think it's just lack of practice.
-
Yeah the Thinkpad trackpads are a bit iffy.
I have two complaints: Using the edge of the trackpad to scoll is unreliable. Half the time, if I move my finger along the edge to scroll, it just moves the pointer, and occasionally it will scroll when my finger isn't near the edge.
Tap-to-click seems to have re-enabled itself. I click on things I don't want to click on just trying to move the pointer. I'm sure I disabled this when I first got it, but it's on now and I can't disable it again. Either the setting has disappeared or I've gone blind; I've looked in all the places I would logically expect to find it.
Also, it's a couple of years old and AFAICT it doesn't support any kind of multi-finger gestures, but I won't call that a complaint, because I've never used one that does, so I don't know what I'm missing. Or maybe it does, but I'm Doing It Wrong™.
-
Does yours have the trackpad where the trackpad actually presses down when you click it?
Those are worse.About 45ish seconds in.
https://www.youtube.com/watch?v=RY70JFZ_cAE
The only multi-finger gesture I have enabled is scroll.
-
Does yours have the trackpad where the trackpad actually presses down when you click it?
No, for which I am thankful. If you're going to put that much effort into a trackpad, you might as well just forget the trackpad and use a touchscreen.
-
Apparently they're binning them and reverting to proper trackpads this year.
-
No, for which I am thankful. If you're going to put that much effort into a trackpad, you might as well just forget the trackpad and use a touchscreen.
Don't tell Apple.
-
The sweet spot in the middle exists, but is hard to hit.
Why do you think I call it the clitoris mouse?
-
Don't tell Apple.
They at least bother to have non-sucking multi-touch on their trackpads. I'm guessing that the techniques they're using are patented up the wazoo as nobody seems to be trying properly to copy them. I wonder when will they go out of patent…
-
I'm guessing that the techniques they're using are patented up the wazoo as nobody seems to be trying properly to copy them.
Well, at least they didn't patent having rounded corners on the touchpad.... probably.
-
I thought they patented the concept of rounded rectangles a while back.
-
I thought they patented the concept of rounded rectangles a while back.
Wasn't that a design patent, not a functional patent?
-
Yes it was, but it genuinely was a design patent (application) for an arbitrary rectangle with arbitrarily rounded corners.
The button and screen shown weren't part of the claim, and neither the corner radius nor aspect ratio was specified.
Insane and should have been invalid, yet was granted - at least initially.