
Don't buy Lenovo. They don't deserve your business.

Started by MV/Liberace!, February 19, 2015, 05:40:51 PM

MV/Liberace!

Lenovo installs an HTTPS "man in the middle" attack on their laptops:

arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/

wr250

Quote from: MV on February 19, 2015, 05:40:51 PM
Lenovo installs an HTTPS "man in the middle" attack on their laptops:

arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/

yes i posted that in the function random thread. and i don't think they are the only one ... can i come up with a specific example? no, but it wouldn't surprise me.

MV/Liberace!

Quote from: wr250 on February 19, 2015, 05:47:20 PM
yes i posted that in the function random thread. and i don't think they are the only one ... can i come up with a specific example? no, but it wouldn't surprise me.

no, they're not the first.  i heard a few years ago about an OEM shipping their machines with what could be categorized as malware.  i forget who it was or what it did.  probably sony.

wr250

Quote from: MV on February 19, 2015, 06:00:06 PM
no, they're not the first.  i heard a few years ago about an OEM shipping their machines with what could be categorized as malware.  i forget who it was or what it did.  probably sony.

and thus the recommendation to wipe/replace the drive and re-install windows from a std windows dvd, using the key stuck to the machine.

wr250

the superfish password has been cracked. this allows anyone to use the superfish cert to spy on user activities. the password is "komodia" -no quotes-
http://thestack.com/superfish-password-komodia-self-signed-190215

MV/Liberace!

Quote from: wr250 on February 19, 2015, 06:15:06 PM
and thus the recommendation to wipe/replace the drive and re-install windows from a std windows dvd, using the key stuck to the machine.

Exactly. That's the first thing that should be done with every new computer.

cweb

It sucks that you can't just use your new computer immediately, because you have to clean off all of the shit the OEM puts on it.

https://filippo.io/Badfish/ links to a Superfish "detector" page, with instructions on how to remove. I'm sure a clean OS reinstall is better than this, though.

I thought I was paranoid for going through and uninstalling strange-looking stuff bundled with my PC. Guess not. In the future, I'm taking wr's advice and doing an OS reinstall.
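Added example, not part of any post in this thread: a local check along the lines of the detector mentioned above, listing trusted-root certificates on a Windows machine whose subject or issuer matches a name. The match pattern `Superfish` and the choice of stores are assumptions made for illustration; Firefox keeps its own certificate store, which this does not inspect.

```powershell
# Added example: audit the Windows trusted-root stores for an unwanted root CA.
# Assumption: the certificate can be recognised by name; change $pattern as needed.
$pattern = 'Superfish'

# Machine-wide and per-user root stores (AuthRoot holds third-party roots).
$stores = 'Cert:\LocalMachine\Root',
          'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\AuthRoot',
          'Cert:\CurrentUser\AuthRoot'

$hits = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }   # skip stores that do not exist

    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root whose private key is present on this machine
                # lets local software sign certificates that browsers accept.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($hits) {
    $hits | Format-List
    Write-Warning "Matching root certificate(s) found. Remove the software and the certificate, or reinstall the OS."
} else {
    'No matching root certificates found in the Windows stores checked.'
}
```

An empty result only covers the stores listed; it says nothing about other bundled software on the machine.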

Juan

That's why I build my own computers.  It's not very hard anymore.  Install the OS directly from the Windows disc.

MV/Liberace!

Quote from: Juan on February 20, 2015, 02:19:25 PM
Install the OS directly from the Windows disc.

Yeah, you want to use a Microsoft branded OEM Windows disc and use the product key off of the machine.  Not a recovery disc.

wr250

Quote from: MV on February 20, 2015, 02:47:18 PM
Yeah, you want to use a Microsoft branded OEM Windows disc and use the product key off of the machine.  Not a recovery disc.

or use a windows branded disk and use the instructions here

ManiacMatt

Quote from: MV on February 20, 2015, 02:47:18 PM
Yeah, you want to use a Microsoft branded OEM Windows disc and use the product key off of the machine.  Not a recovery disc.

This may be a dumb question, but why use the product key off of the machine and not the disc?  I'm not talking about a recovery disc, but the OEM Windows disc.  Doesn't the product key have to match the software?

wr250

Quote from: ManiacMatt on February 20, 2015, 03:22:20 PM
This may be a dumb question, but why use the product key off of the machine and not the disc?  I'm not talking about a recovery disc, but the OEM Windows disc.  Doesn't the product key have to match the software?

yes and no. a home premium key is a home premium key. however, once you know it's home premium you can take any windows disk and modify it to install any edition from it. i linked to the instructions above. the other thing is to know if the key is for 32 bit or 64 bit. these are NOT interchangeable. some machines (with UEFI) may "self activate", others need activation. the reason to keep the key is, if you call the manufacturer for help, they may want that key that's stuck on the machine. otherwise they might simply say in a pakistani voice "you have changed the version of windows, we charge .99 cents a minute, your credit card please", no matter if the problem is a dead laptop charger (because it caught on fire) or an actual windows problem.

in addition, you can download the appropriate disk image from microsoft, modify as i described in a link above, then burn it yourself. http://www.microsoft.com/en-us/evalcenter/evaluate-windows-7-enterprise (requires registration) i've not tried these, but there is no reason they should not be able to be modified and work.

other older versions are no longer available, and you must buy or pirate them.


cweb

One of the things that really bothers me is the question of whether OEMs (or component manufacturers) are packaging something deeper into machines. I think something was recently posted about a group that was putting spyware/backdoor/whatever onto hard drive firmware. That shit doesn't come out in the wash. It's no reason to do any less diligence, but it's terrifying to think about. Just gotta go about your computing while minimizing risks, it seems.

wr250

Quote from: cweb on February 21, 2015, 08:19:45 AM
One of the things that really bothers me is the question of whether OEMs (or component manufacturers) are packaging something deeper into machines. I think something was recently posted about a group that was putting spyware/backdoor/whatever onto hard drive firmware. That shit doesn't come out in the wash. It's no reason to do any less diligence, but it's terrifying to think about. Just gotta go about your computing while minimizing risks, it seems.

here is the article: http://www.reuters.com/article/2015/02/17/us-usa-cyberspying-idUSKBN0LK1QV20150217 apparently you need the source code of the drive(s). they get this by impersonating a developer, or even (as a govt agency) say "if you want to sell us your equipment, we need the source code for all firmware for an audit", or perhaps by hacking in like they do to other countries.

WOTR

Fuck Me.  They were only doing it to enhance the user experience?

"Lenovo’s semi-apologetic statement on the scandal characterises the company’s relationship with Superfish as ‘not financially significant’, declaring that its goal was ‘to enhance the experience for users’."

I am getting really sick of all of these companies trying to make my "experience" with their product better by spying on me.

There is a reason that I load a new OS on my android.  I know that my provider packaged an extra 20 programs that I will never use to make my experience better- but I would prefer it gone (and they do not allow it to be erased.)

I have also reloaded my OS on my computers so I don't worry too much (though I wonder how much of this Microsoft preloads themselves...)

cweb

And now the point that Komodia had multiple clients which may also be affected...
http://www.tomsitpro.com/articles/superfish-security-exploit-komodia,1-2469.html

Quote
Komodia, the company behind the code that caused the whole issue, also has other products, including parental control and traffic intercept software. This software has the same issue as the Superfish ad platform. The flaw... surreptitiously intercepts encrypted traffic between users and the website they are communicating with, mimicking the genuine certificate so as not to break HTTPS.

On the heels of this (pun intended) comes the announcement of a Barbie doll that uses speech sample recognition to converse "semi-intelligently" with children. I'd love to hack one of these.
"Mommy says you were an accident."
"Santa isn't real."
"Could it be angelsh?"

wr250

Quote from: cweb on February 23, 2015, 11:35:07 AM
And now the point that Komodia had multiple clients which may also be affected...
http://www.tomsitpro.com/articles/superfish-security-exploit-komodia,1-2469.html
On the heels of this (pun intended) comes the announcement of a Barbie doll that uses speech sample recognition to converse "semi-intelligently" with children. I'd love to hack one of these.
"Mommy says you were an accident."
"Santa isn't real."
"Could it be angelsh?"

it has the noory software addon ?


b_dubb

Is there a fix to this?  A non-profit I work with in the area just got Lenovo laptops and I'd like to make sure their machines aren't riddled with shit.  Should I just wipe them and reinstall Windows 7 from my builder's OEM license?

wr250

Quote from: b_dubb on February 23, 2015, 09:10:59 PM
Is there a fix to this?  A non-profit I work with in the area just got Lenovo laptops and I'd like to make sure their machines aren't riddled with shit.  Should I just wipe them and reinstall Windows 7 from my builder's OEM license?

use your OEM disk, and the serial plastered on the machine, as i posted above a 32 bit disk can (with alterations) install any windows 7 version. same with 64bit.

zeebo

This sucks.  I love Thinkpads.  Wouldn't even think of buying a different laptop.  Now I'm all mixed up.

I see Lenovo had a portable wireless monitor they were promoting in 2013, but all I can find are 'first looks' and no actual monitors for sale.  It basically gives you a bit of freedom to use your PC or laptop like a large tablet, so long as you stay in wireless range.  Does anyone know what happened to this?

wr250

Quote from: zeebo on February 23, 2015, 10:17:23 PM
This sucks.  I love Thinkpads.  Wouldn't even think of buying a different laptop.  Now I'm all mixed up.

buy the thinkpad, do as posted above, or use linux.

MV/Liberace!

Quote from: wr250 on February 24, 2015, 06:04:25 AM
buy the thinkpad, do as posted above, or use linux.

that sort of mitigates the whole notion of punishing lenovo for this, though.

zeebo

If I boycott lenovo, it may end up like all my vows to leave my bank, which I never do because it's too inconvenient, and also because all the other ones suck too for some reason or another.   :(

b_dubb

ZEEBO ... JOIN A CREDIT UNION.  ALSO ... DON'T BUY LENOVO



cweb

Somebody needs to create a universal ROM for Smart TVs. So you can reimage that shit too.

I know there's probably a crazy variety of hardware, but that would be pretty sweet. For now, fuck Smart TV- get media boxes.
