Lenovo Owns Motorola Discussion
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
@travisdh1 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
I'm one of the people that they harvested.
What data did they harvest from you?
Everything. Literally everything.
I was just curious how he knows what was harvested. Did he capture packets being sent to them, was it all data? I'd like to see the results he has showing all of his data was going there.
It's a shim, a man in the middle attack. They could choose what to send after the fact, after they had already gotten access to anything on the network.
-
@JaredBusch said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@travisdh1 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
I'm one of the people that they harvested.
What data did they harvest from you?
Everything. Literally everything.
I was just curious how he knows what was harvested. Did he capture packets being sent to them, was it all data? I'd like to see the results he has showing all of his data was going there.
Fucking seriously? FFS, this is publicly known information.
It was bad that Lenovo did it. It was worse that they covered it up.
Lenovo has lied and covered it up and repeatedly done this.
Superfish related:
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
https://thehackernews.com/2015/09/lenovo-laptop-virus.html
https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops
Oh look. They did things AFTER Superfish...
https://www.makeuseof.com/tag/security-failings-demonstrate-avoid-lenovo/
It doesn't appear to me that any of you have read those articles.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
@JaredBusch said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@travisdh1 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
I'm one of the people that they harvested.
What data did they harvest from you?
Everything. Literally everything.
I was just curious how he knows what was harvested. Did he capture packets being sent to them, was it all data? I'd like to see the results he has showing all of his data was going there.
Fucking seriously? FFS, this is publicly known information.
It was bad that Lenovo did it. It was worse that they covered it up.
Lenovo has lied and covered it up and repeatedly done this.
Superfish related:
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
https://thehackernews.com/2015/09/lenovo-laptop-virus.html
https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops
Oh look. They did things AFTER Superfish...
https://www.makeuseof.com/tag/security-failings-demonstrate-avoid-lenovo/
It doesn't appear to me that any of you have read those articles.
Are you being intentionally stupid?
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
@JaredBusch said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@travisdh1 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
I'm one of the people that they harvested.
What data did they harvest from you?
Everything. Literally everything.
I was just curious how he knows what was harvested. Did he capture packets being sent to them, was it all data? I'd like to see the results he has showing all of his data was going there.
Fucking seriously? FFS, this is publicly known information.
It was bad that Lenovo did it. It was worse that they covered it up.
Lenovo has lied and covered it up and repeatedly done this.
Superfish related:
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
https://thehackernews.com/2015/09/lenovo-laptop-virus.html
https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops
Oh look. They did things AFTER Superfish...
https://www.makeuseof.com/tag/security-failings-demonstrate-avoid-lenovo/
It doesn't appear to me that any of you have read those articles.
You are simply being obtuse at this point and are trolling. At least try and make it entertaining when you troll.
-
@DustinB3403 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@JaredBusch said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@travisdh1 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
I'm one of the people that they harvested.
What data did they harvest from you?
Everything. Literally everything.
I was just curious how he knows what was harvested. Did he capture packets being sent to them, was it all data? I'd like to see the results he has showing all of his data was going there.
Fucking seriously? FFS, this is publicly known information.
It was bad that Lenovo did it. It was worse that they covered it up.
Lenovo has lied and covered it up and repeatedly done this.
Superfish related:
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
https://thehackernews.com/2015/09/lenovo-laptop-virus.html
https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops
Oh look. They did things AFTER Superfish...
https://www.makeuseof.com/tag/security-failings-demonstrate-avoid-lenovo/
It doesn't appear to me that any of you have read those articles.
You are simply being obtuse at this point and are trolling. At least try and make it entertaining when you troll.
It's okay to take off your tin foil hats.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
@DustinB3403 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@JaredBusch said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@travisdh1 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
I'm one of the people that they harvested.
What data did they harvest from you?
Everything. Literally everything.
I was just curious how he knows what was harvested. Did he capture packets being sent to them, was it all data? I'd like to see the results he has showing all of his data was going there.
Fucking seriously? FFS, this is publicly known information.
It was bad that Lenovo did it. It was worse that they covered it up.
Lenovo has lied and covered it up and repeatedly done this.
Superfish related:
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
https://thehackernews.com/2015/09/lenovo-laptop-virus.html
https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops
Oh look. They did things AFTER Superfish...
https://www.makeuseof.com/tag/security-failings-demonstrate-avoid-lenovo/
It doesn't appear to me that any of you have read those articles.
You are simply being obtuse at this point and are trolling. At least try and make it entertaining when you troll.
It's okay to take off your tin foil hats.
So you ARE saying that I'm lying. Just to be clear.
It's like having had your bank broken into, the crooks already cracked the safe, the cops show up and tell the bank owners to "stop being crazy, those guys that just broke into the safe are innocent" and leaving.
Tin foil hat doesn't really apply to a situation like this. Tin foil hat is a conspiracy reference. If you know what a conspiracy is, you'd be clear that it's not a reference that ever applies to either 1) a single entity or 2) a normal self serving business process.
Example... a shoplifter taking candy from a corner store. Under no circumstances, can it happening or someone fearing that it happened or might happen be connected to a conspiracy. Conspiring is the act of people acting together. Something, obviously, a lone actor cannot do.
-
@scottalanmiller said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@DustinB3403 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@JaredBusch said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@travisdh1 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
I'm one of the people that they harvested.
What data did they harvest from you?
Everything. Literally everything.
I was just curious how he knows what was harvested. Did he capture packets being sent to them, was it all data? I'd like to see the results he has showing all of his data was going there.
Fucking seriously? FFS, this is publicly known information.
It was bad that Lenovo did it. It was worse that they covered it up.
Lenovo has lied and covered it up and repeatedly done this.
Superfish related:
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
https://thehackernews.com/2015/09/lenovo-laptop-virus.html
https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops
Oh look. They did things AFTER Superfish...
https://www.makeuseof.com/tag/security-failings-demonstrate-avoid-lenovo/
It doesn't appear to me that any of you have read those articles.
You are simply being obtuse at this point and are trolling. At least try and make it entertaining when you troll.
It's okay to take off your tin foil hats.
So you ARE saying that I'm lying. Just to be clear.
It's like having had your bank broken into, the crooks already cracked the safe, the cops show up and tell the bank owners to "stop being crazy, those guys that just broke into the safe are innocent" and leaving.
Tin foil hat doesn't really apply to a situation like this. Tin foil hat is a conspiracy reference. If you know what a conspiracy is, you'd be clear that it's not a reference that ever applies to either 1) a single entity or 2) a normal self serving business process.
Example... a shoplifter taking candy from a corner store. Under no circumstances, can it happening or someone fearing that it happened or might happen be connected to a conspiracy. Conspiring is the act of people acting together. Something, obviously, a lone actor cannot do.
... You all make it as such. Adware using a stupid method to insert ads into your web pages, somehow translates to OH NOES! Lenovo is stealing all my data!!! Lenovo is spying! China is spying through Lenovo! Quick, put on your tin foil hats!
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
China is spying through Lenovo!
You just totally made that up to make this sound ridiculous. No one but you suggested anything of the sort.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
You all make it as such.
Because that is what it is. Period. End of story. Injecting a man in the middle attack to hijack data (and yes, it breaks web sites because they are modifying it, too) is data theft, regardless of if they have yet shipped it off or not. It's a crime, it is theft. This is black and white, no possible excuse territory.
Pretending that breaking into someone's encrypted data isn't a crime or theft is ridiculous. Calling something a conspiracy to try to downplay data theft is incredible.
-
If you think that criminal activity, theft (and there was other theft beyond this, and there were people paid to do what you were doing on other communities to post things to downplay physical theft and other scams), hijacked functionality are "trivial" matters, that's fine. But this is victim shaming and is not okay. It's not ethically okay, and it is certainly not okay in this community.
-
@scottalanmiller said in Lenovo Owns Motorola Discussion:
If you think that criminal activity, theft (and there was other theft beyond this, and there were people paid to do what you were doing on other communities to post things to downplay physical theft and other scams), hijacked functionality are "trivial" matters, that's fine. But this is victim shaming and is not okay. It's not ethically okay, and it is certainly not okay in this community.
I'm certainly not shaming anyone, and certainly not calling anyone a liar. That's a pretty far-fetched accusation and uncalled for.
I do not think it's to the extent many make it out to be. All of your data is not being pirated by Lenovo. That is the idea that seems to be going around that I can't agree with, and therefore can't share the same opinions.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
I'm one of the people that they harvested.
What data did they harvest from you?
"However, the software blocked the browsers from notifying or warning the user about not visiting the malicious websites the links of which the pre-installed adware posted. The adware could steal valuable information such as Social Security Number, private credentials, and similar sensitive data. This, claims the FTC, was a clear proof of the way Lenovo compromised the privacy of consumers.
The preloaded software “could access consumers’ sensitive information without adequate notice or consent to its use. This conduct is even more serious because the software compromised online security protections that consumers rely on,” stated Maureen Ohlhausen, the acting chairman of FTC. The FTC also noted that the data stolen by VisualDiscovery was not received by or sent to Superfish, the Palo Alto, California-based firm."
https://www.hackread.com/lenovo-to-pay-millions-for-secretly-installing-adware-in-750000-laptops/
Calling software that hijacks data and makes it available to a third party "adware" because it "could also show ads" is a form of social engineering. Yes, it is also adware, but primarily it is a breach of security, that it shows ads as well is just a bit of misdirection to make it easier to confuse people from the actual problem.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
If you think that criminal activity, theft (and there was other theft beyond this, and there were people paid to do what you were doing on other communities to post things to downplay physical theft and other scams), hijacked functionality are "trivial" matters, that's fine. But this is victim shaming and is not okay. It's not ethically okay, and it is certainly not okay in this community.
I'm certainly not shaming anyone, and certainly not calling anyone a liar. That's a pretty far-fetched accusation and uncalled for.
I do not think it's to the extent many make it out to be. All of your data is not being pirated by Lenovo. That is the idea that seems to be going around that I can't agree with, and therefore can't share the same opinions.
Do you know what a man in the middle is, particularly Superfish? FFS you're a dumbass if you think that the Superfish event was selective in what data it stood between and captured.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
I'm certainly not shaming anyone, and certainly not calling anyone a liar. That's a pretty far-fetched accusation and uncalled for.
You are attempting to make those of us who had our security compromised look bad by asking us to prove what was taken (that onus is on Lenovo, not us, and anyone defending them), and downplaying what stealing banking and other private data means, trying to cover malware by calling it adware, and by misdirecting one crime by pointing out that likely others do it too (like the US fed.)
All of your "it's not that bad" is based on one key point - I have to be lying about what Lenovo did. Either they did it, and you have to be appalled and angry at them, or they didn't do it and you are calling me a liar. The only other option seems to be supporting the attack on me (and others) as a good thing. What am I missing?
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
All of your data is not being pirated by Lenovo.
THIS is shaming. THIS is downplaying and trying to trivialize that any of my data was exposed and they took what they wanted, but since they left something, I'm "overreacting" is the implication.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
That is the idea that seems to be going around that I can't agree with, and therefore can't share the same opinions.
That you think it's relevant is part of the shaming. You think that since they selectively stole what they wanted or what went over the wire and not absolutely everything ever made, that we shouldn't have concerns or that the issue isn't real? You have basically said that it's perfectly fine to steal selective things, as long as it isn't everything. And since it was only selective we, the victims, need to shut up and go away because we aren't really victims to your standards.
-
@scottalanmiller said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
That is the idea that seems to be going around that I can't agree with, and therefore can't share the same opinions.
That you think it's relevant is part of the shaming. You think that since they selectively stole what they wanted or what went over the wire and not absolutely everything ever made, that we shouldn't have concerns or that the issue isn't real? You have basically said that it's perfectly fine to steal selective things, as long as it isn't everything. And since it was only selective we, the victims, need to shut up and go away because we aren't really victims to your standards.
Scott, SCOTT it's fine, I'm just going to steal all of the money in your one bank account, but I'll leave your Bitcoin alone. You have to be okay with it because I'm leaving you with something!
P.S. Please enjoy these ads for other malware-laden Lenovo products.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
That's a pretty far-fetched accusation and uncalled for.
So let's break it down.
Do you or do you not believe that I and others were hit with Lenovo's man in the middle attack that allowed them to selectively harvest anything that they wanted that crossed my wire, even stuff that was encrypted, since the man in the middle was inside the network stack and bypassed SSL?
If you don't believe me, how does that not mean you think that I am lying, since this is what I am claiming?
Assuming you say that you do believe me, and that Lenovo had access to anything that they wanted and could steal anything that they chose.... then how can you ever think it is okay to downplay that or try how is it not victim shaming once we've identified that we are victims to try to make it seem irrelevant and that we shouldn't be upset that Lenovo compromised us? How is anything you are saying not victim shaming if you aren't calling me a liar? I only see two possibilities here.
-
I'm one of the lucky ones, I caught Lenovo doing this on a fresh build, brand new machine. Because pretty much the first thing that I did was go to MangoLassi and discover that Lenovo had essentially disabled the community. So I knew instantly that something was wrong. Then tracked down what was going on. But for a lot of people, they had all of their data compromised.
You can't really feel okay with having your banking data, SS#, private family info, spousal info, kids' info, all taken by a group of third parties. That they are Chinese, American, etc. really makes zero difference. And I think that the parties doing the processing for Lenovo were in the US, not China, I doubt that they would ever have transmitted the info to China, Lenovo was just selling the attack, I'm sure, not trying to use the stolen data. They were paid to steal it, not to use it.
-
Here is a little more about the attack, because some of these details are really, really important. First, the cert is only part of the story, not the whole thing. There was a shim as well. But the root cert bit is what completely compromised computers to blind third parties:
"The biggest problem with Superfish isn’t the adware itself so much as the way it hijacks legitimate SSL traffic. It does so by installing a self-generated root certificate in the Windows certificate store—a hallowed area usually reserved for trusted certificates from major companies like Microsoft and VeriSign—and then resigns all SSL certificates presented by HTTPS sites with its own certificate."
So part of the problem is that no one will ever know how much data was stolen, because they didn't have to steal it through Lenovo, through SuperFish, or through anyone that they are known to be connected to. It could be stolen by an "at arms length" partner who just knows of the breach, and in many cases might simply be stolen by unrelated third parties. Lenovo didn't just sell the security of its customers out from under them, they threw them under the security bus on top of it. They disabled the entire SSL ecosystem for their little "ad faking" attack, which is likely illegal on its own, but in a totally different way.
Lenovo's empty claim is that while trying to commit a small crime, they accidentally committed a big one. But that's a pathetic and implausible excuse. Only a total idiot would think that Lenovo could be that stupid. Everyone involved had to have known absolutely how clearly insecure this was and how it would breach security everywhere, no one could possibly claim to be so dumb and work in IT and not know this. Lenovo is hoping that we don't notice how obviously untrue the "accident" claim has to be. And other sites claim that the data was stolen, not just opened up and ready to be stolen.
But part of the problem is, we will never know who all used this to steal data. It's impossible to know. As the data was just opened up to the world. No one, not even Lenovo, can figure out who all got it.
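
The root-certificate mechanism quoted above leaves a recognisable trace: a root that is not in the operating system's shipped set yet anchors the certificate chain for many unrelated HTTPS sites. The following is an added example, not part of the original posts, and every host name, subject and fingerprint in it is a constructed placeholder:

```python
from collections import defaultdict

# Constructed sample data. Fingerprints are placeholders, not real certificate hashes.
BASELINE_ROOTS = {"fp-public-ca-1", "fp-public-ca-2"}  # roots expected on a clean install

# Roots currently present in the machine's trust store (constructed).
TRUST_STORE = [
    {"fingerprint": "fp-public-ca-1", "subject": "CN=Example Public CA 1"},
    {"fingerprint": "fp-public-ca-2", "subject": "CN=Example Public CA 2"},
    {"fingerprint": "fp-local-shim", "subject": "CN=Example Injected Root"},
]

# Root that anchored the chain each HTTPS site presented to the browser (constructed).
OBSERVED_CHAINS = [
    ("bank.example", "fp-local-shim"),
    ("mail.example", "fp-local-shim"),
    ("forum.example", "fp-local-shim"),
    ("updates.example", "fp-public-ca-1"),
]


def unbaselined_roots(store, baseline):
    """Return trust-store roots that are not in the known-good baseline."""
    return [cert for cert in store if cert["fingerprint"] not in baseline]


def hosts_by_root(chains):
    """Group observed hosts by the root fingerprint that anchored their chain."""
    grouped = defaultdict(set)
    for host, root_fp in chains:
        grouped[root_fp].add(host)
    return grouped


def find_interception_roots(store, baseline, chains, min_hosts=2):
    """Flag unbaselined roots that anchor chains for several unrelated hosts.

    One locally added root vouching for many unrelated sites is the signature of
    a proxy re-signing traffic. A private enterprise CA would also match, so the
    result is a lead to investigate, not a verdict.
    """
    grouped = hosts_by_root(chains)
    findings = []
    for cert in unbaselined_roots(store, baseline):
        hosts = grouped.get(cert["fingerprint"], set())
        if len(hosts) >= min_hosts:
            findings.append({
                "subject": cert["subject"],
                "fingerprint": cert["fingerprint"],
                "hosts": sorted(hosts),
            })
    return findings


if __name__ == "__main__":
    for finding in find_interception_roots(TRUST_STORE, BASELINE_ROOTS, OBSERVED_CHAINS):
        print(f"{finding['subject']} ({finding['fingerprint']}) anchors: "
              f"{', '.join(finding['hosts'])}")
```
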