If I was responsible for buying workstations for an office, I would definitely choose a standard business configuration over building it myself. Anything else and the manufacturer (Lenovo, Dell, HP) lose money on their support costs. Either way, this indicates an organizational dysfunction so severe there's no way I can trust Lenovo with my personal or business security again.Įxactly, and if they have enough volume, they can really nail down any lingering bugs or problems in the chipsets or firmware and it turns into a rock-solid system. One of two options remains: either nobody in Lenovo reviewed this software from a privacy and security perspective, or they did review it and the business deal overruled the security team's ability to veto it. I don't consider this a technical failure, it's a business failure. Not only was it malicious, it was incompetent too. Yes you read that right: every device with this malware had the public and private key used to decrypt the TLS traffic of every other device with this malware, effectively exposing every user to have all of their traffic not only decrypted, but also MITM'd again. I want to emphasize how bad the TLS MITM malware was (adware is too nice a term): they installed a TLS MITM attack by adding the same CA public key to the trust store of every non-business device they sold, and proxied the internet traffic through an on-device proxy that contained the private key to that CA.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |