Categories
Technology and Internet

Lenovo and men in the middle

Another week, another scandal. The general public might pass by without noticing the recent news about Lenovo computers but the tech community in the Internet is incredulous. What we witnessed was serious and a betrayal of the customer confidence, so in this post I will try to briefly cover everything that I’ve read about the issue and point out how this affects who bought a Lenovo computer in the last 6 months.

What happened

Basically the computers were sold with a piece of very intrusive ad-ware (that could be called malware since it is not that different). This software supposedly stands in the middle of every Internet connection that the computer makes (even secure ones) and tries to inspect its contents and inject advertisement on the websites that the users visits [source] [prof].

On the technical level, this software was able to avoid the securities measures and alerts implemented by browsers by issuing a self-signed root certificate that was added to the list of Trusted Certificate Authorities. This way it was able to trick the browser into thinking that it was connecting to the valid website, issuing certificates when needed, when instead it was talking with the ad-ware (SuperFish) and the secure connection was instead being made by it [source].

What are the consequences

Besides users being spied and secure connection being compromised (for example.with bank websites) by the hardware vendor, like many as already stated, this leaves a huge security hole that can be exploited by people with bad intentions. [source]

In fact as we can see in this tweet, once this issue was uncovered people started digging into the subject and already uncovered the private key, with gives the anyone the ability to sign certificates, tricking the affected users into believing they are visiting the correct website when in reality they are on a malicious one. According with some articles it was relatively easy and the password is the same for every machine.  [source]

What can be done

Thankfully, given the enormous pressure on the Internet and media attention, the company tried some excuses and provided some tools to remove the software. But … there is always a but, the less alert users might not know they are vulnerable and it seems the certificate problem is still persisting (probably the worst issue). Fortunately Microsoft stepped in and its windows defender tool that comes bundled with the operating system will automatically clear the software and reset all certificates. [source]

For the most suspicious users, some people created tools to check if the machines are still vulnerable (here and here).

Summing up, this serves as a reminder to be careful with the software that you install in your computer. If possible, when acquiring a new machine, the first step is to clean the disc and install everything yourself, i recommend using a Linux based operating system.

P.S.: Digging into the root of the issue and knowing who crafted the problematic software.

Categories
Random Bits

Laura Poitras’ CITIZENFOUR Awarded Oscar for Best Documentary in 2014

Laura Poitras’ CITIZENFOUR Awarded Oscar for Best Documentary in 2014 by EFF

Categories
Random Bits

Why Privacy Matters

Categories
Random Bits

“Nothing to hide” is not a good argument

When talking about privacy and online surveillance (a topic that has been in the spotlight over the last year) with friends, colleagues and people that haven’t given much thought about these issues, the most common answer i hear is (as you’ve already guessed) “I’ve nothing to hide”, which is fallacious argument. Arguing with someone that has this mindset is really difficult because most of the time (in my experience) it means one of 4 things:

  1. I don’t care.
  2. I don’t know the quantity and/or quality of  information that can be gathered.
  3. I don’t believe small pieces of unrelated information leaked in different places will be added up to build a more complete profile.
  4. I’m not really aware of what the implications of surveillance are.

Trying to convince this person that privacy in the age of the Internet is a topic worth discussing is really hard (it got a little easier after last year’s events).

Today I’ve read an essay that really sums up some of the arguments i would use to show to someone that privacy matters. It is a long read but it worths the time spent:

Why Privacy Matters Even if You Have ‘Nothing to Hide