The Lenovo Thinkpad costs more than the MacBook Pro

The Lenovo Thinkpad costs more than the MacBook Pro with similar specs. Should an average user just opt for the MBP?


Update: BYOD confirms Lenovo stock at a local Best Buy has SuperFish installed.

https://bug1134506.bugzilla.mozilla.org/attachment.cgi?id=8566794

Here is why: Lenovo has been installing adware on its computers that generates advertisements targeting the user from a subsystem native to the machine, and the computers shipped that way from the factory.

Imagine, if you will, having a contract or agreement with a device manufacturer under which they embed a hidden application on all their devices, so that when their customers open a web browser, the ads shown are generated from data collected and trended from the customers' own usage. You also tell the device maker that you would like to serve ads on sites that require an SSL (Secure Sockets Layer) certificate, like your bank account login portal, your encrypted internet email, and other web services you subscribe to. Purchasing an SSL certificate is cheap and easy. It is supposed to come from a certificate authority (CA), and a remote client (you on your laptop, handset or desktop) relies on it to set up secure connections for the following:

What SSL is supposed to do

Lenovo was accused of installing adware called SuperFish on its consumer PCs and shipping them to customers that way. The adware was engineered to use an SSL hijack that allowed decryption of SSL data without either the client or the server being alerted.

Their response:

“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,”

Lenovo

The level of jackassery in Lenovo's response to the SuperFish accusation earned the following retort from Robert Graham, CEO of Errata Security:

“This is a bald-faced lie. It’s obvious that there is a security problem here.”

Robert Graham

Errata Security, CEO

Graham also cracked the password on the self-issued SuperFish SSL certificate: Komodia. Komodia.com (currently BD due to a little too much traffic) would yield the following:

Our advanced SSL hijacker SDK is a brand new technology that allows you to access data that was encrypted using SSL and perform on the fly SSL decryption. The hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.

Lenovo said that current devices are not shipping with SuperFish, the adware that used the SSL hijack. However, IDC estimates the number of potentially vulnerable devices at 16 million. The SSL vulnerability persists even if the user has removed the adware.
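Because the hijack lives in the trust store rather than in the adware, a defender wants to look for the root certificate itself. The following PowerShell check is an added example, not code from the original post or from Lenovo, and it assumes the SuperFish root carries "Superfish" or "Komodia" in its Subject or Issuer; its second test needs no name at all, since a self-signed root whose private key is present on the machine is exactly what a local SSL hijack needs.

```powershell
# Added example (not from the original post). Walks the Windows root
# certificate stores and reports certificates that look like a local
# SSL-interception root such as SuperFish's. Assumption: the SuperFish
# root carries "Superfish" or "Komodia" in its Subject or Issuer. The
# second test is name-independent: a self-signed root whose private key
# sits on this machine can sign a certificate for any site (the post's
# "SSL issued to Bank of America by SuperFish" screenshot is that case).

$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\AuthRoot'
)
$namePattern = 'Superfish|Komodia'   # assumed name fragments

function Find-SuspectRoots {
    foreach ($store in $stores) {
        if (-not (Test-Path $store)) { continue }
        foreach ($cert in Get-ChildItem -Path $store) {
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            $nameHit = (($cert.Subject -match $namePattern) -or ($cert.Issuer -match $namePattern))
            $keyOnHost = $cert.HasPrivateKey
            if (-not ($nameHit -or ($selfSigned -and $keyOnHost))) { continue }
            $reason = if ($nameHit) { 'name matches Superfish/Komodia' } else { 'self-signed root with private key on host' }
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                PrivateKey = $keyOnHost
                Reason     = $reason
            }
        }
    }
}

$findings = @(Find-SuspectRoots)
if ($findings.Count -eq 0) {
    Write-Output 'No SuperFish/Komodia-style root certificates found.'
} else {
    # Review each thumbprint before removing anything: a trusted root
    # with a private key you never knowingly installed is the pattern.
    $findings | Format-Table -AutoSize
}
```

This only covers the Windows certificate stores; Firefox keeps its own trust store and has to be checked separately.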

Lenovo has a history of taking an interest in device lines that the previous owner no longer wants around: the IBM personal portable and desktop computing lines, and Motorola Mobility. After Google had the chance to fully check MMI both in the lab and in the courtroom, it decided to sell its $12 billion acquisition to Lenovo for $1.2 billion, minus the team working on a modular handset project and all but 2,000 of the patent portfolio. The intellectual property proved ineffective as a shield for Android against Microsoft, and the decision to roll it off followed shortly after.

Here are some screen caps that could spark your interest in the Lenovo/SSL debacle.

Screenshot: SuperFish self-issued and self-signed SSL certificate
Screenshot: SSL certificate issued to Bank of America… by SuperFish

Screenshot: current top 5 Certificate Authorities for SSL certificates and their market share
Screenshot: an unrelated SSL spoof à la GoDaddy

Screenshot: an SSL certificate generated by GlobalSign

Screenshot: certificates issued on an iOS device via provisioning profile

Screenshot: provisioning profile with a certificate bundle in the payload