Paul Thurrott and ZDNet Independently Slam Microsoft's Newest Surface, Surfacegate Has Begun
-
@scottalanmiller said:
@BBigford said:
@scottalanmiller said:
Got caught attempting to steal from the drawer four times and showed zero remorse
I must be completely missing something here... For how much they've been smeared in the news over the last year, can you elaborate on that one? Or was that the one on Josh Duggar?
They did the network shim hijack. The one associated with Superfish. That was one epic. That alone is unforgivable and that they had a single customer since that time is, to me, inexcusable on the part of any IT department or business with knowledge of it. That was so deliberate, evil and remorseless that they should have been completely shunned. They were not and they took advantage of it. This was done through elaborate means that gave normal shops no means of bypassing - clean installs could not get around it.
They pulled an SSL cert manoeuvre, I believe, but I don't remember the details.
They did a BIOS level bloatware (which is malware when you don't want it, so malware) installation that could not be bypassed via reinstallation. You do a clean install and software that you never authorized was pushed onto your machine without permission or authorization. They got caught just doing it with bloatware, but what they intended to use it for before getting caught we will never know. That the system was compromised at the hardware level (below root level) is what it was, however.
Then they did the shared, 12345678 password backdoor issue this week.
That's four. I think I missed one or two. They've had so many issues it is pretty much impossible to track.
That's on top of running the scam that we got stuck with at Spiceworld 2014. They ran a promotion to win a laptop. My wife won and they wouldn't even respond to us until we threatened legal action. We went through them directly, they blew us off. We went through SW, both they and SW blew us off. We went public, they got their promotional people to pretend it didn't matter. We started talking lawyer and grand theft and... a week later our Superfish enabled, networking broken, no WiFi crippled Yoga 2 arrived.
(For reference, at the event they lied to my wife and told her that they had no Yoga 2s there and she would get it by mail. She was the first winner. All of the MALE winners after her were handed a Yoga 2 on the spot, the very one Dominica had already won and they refused to give her. Technically, they gave hers away. Our guess is that they were guessing that she was female and unlikely to make a fuss and that they could blow her off and since they have no community presence had no idea who she was and that she would get a lot of attention when they didn't honour their commitment. But that is just speculation as to why they did it.)
That laptop giveaway is messed up. Sorry you had to go through that. There was one more thing I wanted to add about shortcomings. With the first of the Lenovo Twist models, there was a caching SSD. Take that out, and you are completely locked out of the BIOS. You could substitute it for a bootable M.2 SATA SSD, but you lose the BIOS. BIOS malware is unforgivable, but I didn't realize a clean install couldn't get rid of the Superfish exploit.
-
@scottalanmiller said:
@BBigford said:
@scottalanmiller said:
Got caught attempting to steal from the drawer four times and showed zero remorse
I must be completely missing something here... For how much they've been smeared in the news over the last year, can you elaborate on that one? Or was that the one on Josh Duggar?
They did the network shim hijack. The one associated with Superfish. That was one epic. That alone is unforgivable and that they had a single customer since that time is, to me, inexcusable on the part of any IT department or business with knowledge of it. That was so deliberate, evil and remorseless that they should have been completely shunned. They were not and they took advantage of it. This was done through elaborate means that gave normal shops no means of bypassing - clean installs could not get around it.
This was only on consumer grade equipment - not that that should matter, I just think it's worth mentioning. The business class gear never had this shim problem.
Scott has argued something about the Yogas being a middle class machine that would easily see its way into businesses or something to that effect.
-
@Dashrender said:
This was only on consumer grade equipment - not that that should matter, I just think it's worth mentioning. The business class gear never had this shim problem.
Scott has argued something about the Yogas being a middle class machine that would easily see its way into businesses or something to that effect.
Yes, it is on machines with Windows Pro that are sold to businesses as business machines. It was only defined as "consumer" after the fact to lessen the impact of the event. It was a business class machine prior to that and by all normal standards is a business machine (business OS, business name, marketed to businesses, etc.)
-
@Dashrender said:
Scott has argued something about the Yogas being a middle class machine that would easily see its way into businesses or something to that effect.
What makes it even sort of in the consumer category? How do you normally define one versus the other? I know that the "vendor claims" is kind of the guide, but normally it is by "who it is meant for." And the Yoga Pro was all about... Pro.
-
@scottalanmiller said:
This was done through elaborate means that gave normal shops no means of bypassing - clean installs could not get around it.
How could a clean install not wipe that out? The software just provided a means of a man in the middle attack, a clean install takes that software out...
-
@BBigford said:
but I didn't realize a clean install couldn't get rid of the Superfish exploit.
The Superfish exploit was built into the WiFi driver. That's why you couldn't get around it. The hardware had been modified so you couldn't run the OEM driver on the machine.
To solve this problem, I ended up replacing the WiFi NIC with an OEM Intel card and driver - not the kind of solution anyone should have to do.
-
@Dashrender said:
@BBigford said:
but I didn't realize a clean install couldn't get rid of the Superfish exploit.
The Superfish exploit was built into the WiFi driver.
Apparently, I need to stop speed reading white papers. That is pretty crazy.
-
@BBigford said:
but I didn't realize a clean install couldn't get rid of the Superfish exploit.
You could by installing a completely unsupported OS. But reinstalling the included OS would not, because the only available drivers (online or otherwise) had Superfish in it. So you had to go to extreme lengths to get a working install. (Superfish actually broke our network stack, that's how we found it.) Officially they didn't support Windows 10, but Windows 10 had working clean drivers, so you could go to Windows 10 Preview to get the Yoga 2 Pro to work without Superfish. But we could find no Windows 8 or 8.1 option that wasn't tainted.
-
@scottalanmiller said:
so you could go to Windows 10 Preview to get the Yoga 2 Pro to work without Superfish.
As much as you dislike Lenovo, I half expected you just to sell the laptop after winning it.
-
@BBigford said:
@scottalanmiller said:
This was done through elaborate means that gave normal shops no means of bypassing - clean installs could not get around it.
How could a clean install not wipe that out? The software just provided a means of a man in the middle attack, a clean install takes that software out...
Because no driver existed except the tainted one. You could turn off networking of course, but the included hardware had no means of working without the shim on the supported OS versions (all current Windows at the time.)
They went to great lengths to target the workarounds that businesses would use.
-
@scottalanmiller said:
Because no driver existed except the tainted one. You could turn off networking of course, but the included hardware had no means of working without the shim on the supported OS versions (all current Windows at the time.)
Ok yeah that is pretty unforgivable. Just that one by itself aside from the others. That is an intentional man in the middle. I knew Superfish was a fairly big exploit, but I didn't realize it was THAT ugly under the surface when it came to Lenovo.
-
@BBigford said:
@scottalanmiller said:
so you could go to Windows 10 Preview to get the Yoga 2 Pro to work without Superfish.
As much as you dislike Lenovo, I half expected you just to sell the laptop after winning it.
It's my wife's and we tried hard to get it to work. But at this point, we realize that it just isn't good enough to put up with. It's not up to par with any of our cheaper gear. She didn't want to buy something else, but is so sick of it now that she doesn't want to deal with it anymore.
Yes, Windows 10 Preview would work. But it wasn't officially supported or even released (obviously.) So that means a lot of extra work and tons of bugs. Not exactly a valid fix, but it got us by.
-
@BBigford said:
@scottalanmiller said:
Because no driver existed except the tainted one. You could turn off networking of course, but the included hardware had no means of working without the shim on the supported OS versions (all current Windows at the time.)
Ok yeah that is pretty unforgivable. Just that one by itself aside from the others. That is an intentional man in the middle. I knew Superfish was a fairly big exploit, but I didn't realize it was THAT ugly under the surface when it came to Lenovo.
Yeah. It was bad.
We actually discovered it because it made MangoLassi unable to load. That's how we figured out there was a shim... it was acting as an HTTP proxy but wasn't advanced enough to pass websockets.
-
Well, I just ordered a Surface Pro 4 for a client. We shall see how this goes.