

Dell Studio XPS 1645 Battery

I've written this article on Lenovo hardware, indeed I've used ThinkPads for the last 15 years as a professional journalist and loved them dearly – the keyboard is superb, the build quality excellent, and my current custom system has lettering on keys worn off from repeated hammering.

But in light of the Superfish case, the firm can forget about any more repeat business. Enough is enough; this case is as egregious as the Sony rootkit debacle a decade ago that led to the music company being shunned by the security conscious.

No one does clean PC builds any more. They almost all come loaded with trial versions of applications, sample packs of stuff, and OEM tools. You expect it, and savvy users know to wipe clean any new machine. Non-savvy users are left to put up with it.

But although this stuff is annoying, there's a world of difference between getting a month's free trial of Norton or LoJack that's easily identifiable – and having something like Superfish's gear installed surreptitiously. Lenovo didn’t make any clear mention of having such code on its systems, because had it done so no one would have bought its hardware.

Thankfully, ThinkPads weren't getting the Superfish software, only consumer PCs. But that doesn't change the fact that Lenovo had such contempt for a portion of its user base that it was willing to sacrifice their privacy and security to make 30 pieces of silver.

If Lenovo is willing to build poorly written crapware like Superfish into its systems then the company can no longer be trusted to maintain even a pretense of having its customers' best interests at heart.

It'll be sad to let go of my laptop when it reaches end of life, but Lenovo won’t be getting another cent of my PC budget from now on. Based on the feedback we're getting from readers, quite a few of you feel the same way.

Lenovo is attempting to defuse controversy over its pre-installed Superfish crapware – which appears to have run man-in-the-middle attacks against consumers in order to sling ads – by saying it has discontinued use of the visual-recognition technology on new laptops and promising to review outstanding concerns.

Superfish reportedly intercepted users' traffic to sling ads at them even when they were visiting banking websites.

The adware-on-steroids installs its own self-signed root CA certificate in Windows before generating certificates on the fly for each attempted SSL connection. Superfish even served fake certs in order to MiTM banking websites, it has been reported.

The issue provoked isolated complaints on Lenovo tech forums over recent months, with Lenovo issuing an official response in January. Social media program manager Mark Hopkins said:

"To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine."

But the problem only hit the mainstream after security researcher Marc Rogers wrote about it on Wednesday (here), provoking the angriest reaction against a tech firm since the Sony BMG rootkit affair back in 2005.

Lenovo was deliberately breaking secure connections, making it easier in the process for any attackers to spoof any HTTPS website, say researchers. Obtaining a private key from one Lenovo laptop would allow the technically knowledgeable to snoop on the web traffic of any other Lenovo users on the same network.

That’s all aside from the more immediate concerns that Lenovo was spying on users' bank/medical/dating web data before monetising it through pop-up ads.

The earliest Lenovo forum posting on the issue dates back to June 2014.

Quizzed by El Reg, Lenovo issued a statement stating that it had ditched the technology and further claiming that it had disabled existing installations. This goes further on this front than its previous line in public forums that it would simply update the adware.

"Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in market from activating Superfish. Superfish was preloaded onto a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish."

Simply removing the adware – which is already detected as unwanted by many security software firms – doesn’t deal with the problem and users need to remove the certificate manually. Microsoft has an explanation on how to do this here.

Robert Graham of Errata Security has put together a well-written blog post explaining how Superfish works here. An FAQ by security veteran Graham Cluley on the Tripwire blog can be found here.
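Because uninstalling the adware leaves its root CA in the Windows trust store, the check that matters is whether that certificate is still trusted. The PowerShell below is an added example, not taken from the article or from Microsoft's instructions; it assumes the certificate can be recognised by the string "Superfish" in its Subject or Issuer, and the function name Find-SuspectRoot is hypothetical.

```powershell
# Added example: audit the Windows trusted-root stores for a leftover Superfish root CA.
# Assumption: the certificate carries "Superfish" in its Subject or Issuer name.
$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Find-SuspectRoot {
    param([string[]]$StorePath, [string]$NamePattern)
    foreach ($store in $StorePath) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $NamePattern -or $_.Issuer -match $NamePattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    # A root CA is self-signed: subject and issuer are identical.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    PSPath     = $_.PSPath
                }
            }
    }
}

$hits = @(Find-SuspectRoot -StorePath $stores -NamePattern $pattern)
if ($hits.Count -eq 0) {
    Write-Output 'No matching root certificate found in the Windows root stores.'
} else {
    # Record the thumbprint before removal so other machines can be compared.
    $hits | Format-List Store, Subject, Thumbprint, NotAfter, SelfSigned
    # Dry run: lists what would be deleted. Remove -WhatIf (from an elevated
    # prompt for the LocalMachine store) to actually delete the certificate.
    $hits | ForEach-Object { Remove-Item -LiteralPath $_.PSPath -WhatIf }
}
```

This covers only the Windows certificate stores; applications that keep their own trust store are not checked by it.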

The controversy has served to generate a debate about the economics of the PC manufacturing business, which suffers from notoriously low margins, among security experts.

Lenovo is in hot water after being caught intentionally shipping laptops with software that steals web traffic using man-in-the-middle attacks.

The "Superfish" software was present on laptops sold until late last month and stole all manner of web traffic using fake, self-signed, root certificates to inject advertisements into sessions.

The computer giant removed Superfish software after furious users reported the attacks on its forums.

One screenshot taken by an unhappy user shows a certificate masquerading as being issued by Bank of America.

Another user posted a purported screenshot of the program showing it as a trusted root certificate and claiming a web connection to their bank was intercepted.

"A blatant man-in-the-middle attack malware breaking privacy laws. I have requested return of the laptop and refund as I find it unbelievable that ... Lenovo would facilitate such applications pre bundled with new laptops," the user wrote on the Lenovo forums.

Forum administrator and Lenovo employee Mark Hopkins said following dozens of angry posts that new laptops will no longer be sold with Superfish. The company has also asked the company behind the program to issue an update squashing pop-up ads.

"Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues," Hopkins said.

"As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.

"The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine."

Facebook engineering director Mike Shaver raised the alarm about the ad/bloatware on Twitter, and found SuperFish certificates posted by different users had shared the same RSA key.

"Lenovo installs a MITM cert and proxy called SuperFish, on new laptops, so it can inject ads? Someone tell me that's not the world I'm in," Shaver said.

Microsoft has released an early preview of Windows Phone 10, and we put it through its paces on a Lumia 630, one of just a few supported devices.

In the official announcement, Director of Program Management Gabe Aul does not refer to Windows Phone 10, but rather “Windows 10 Technical Preview for phones”.

It's all part of Microsoft’s push towards “one Windows” across PCs, tablets and phones.

First impressions are not great. The preview is a little jerky as you scroll through the Start screen and the improvements are underwhelming for a major new release.

Note, however, that the Lumia 630 is a budget device, easily obtained for under £100. It runs a quad core Qualcomm Snapdragon 400 chipset.

If the operating system is being rebuilt though, a shortage of new features is no surprise. The priority is to get the platform right. But how different is Windows 10 for phones from Windows Phone 8.1, at the operating system level?

Currently that is hard to answer completely, since Microsoft has not yet released the Windows 10 SDK and seems to be holding back developer details for its Build conference at the end of April. The company has already stated that DirectX 12 will work across phones, tablets, PCs and Xbox One, though details of device support are not available.

One thing we do know is that Microsoft is making a strong push towards “universal apps”, which use the Windows Runtime, as first seen in the Windows 8 “Metro” environment. That push is surfaced here in apps that are now the same across phone and PC versions of Windows 10, including Calculator, Alarms, Sound Recorder (new to Windows Phone) and Windows Feedback. There is also a new Settings app which may or may not share code, but does now have a similar look and feel on PC and phone, with many of the same sections and shared icons.
