When we recently moved to a new home, I had to get a lawnmower. Having experience with petrol powered ones, I
knew I wanted an electric powered mower. It has worked well and I enjoy not having to smell exhaust fumes.
But the Makita designers have made an odd design choice.
Earlier this morning it was reported that Lenovo is installing adware on their new laptops.
This piece of adware is called SuperFish, and it basically MITM’s your connections — including secure ones — and
inserts ads into webpages you visit. This in itself should be alarming and is an extremely scummy thing to do, but now
things have taken a turn for the worse. Yes, it can get even worse.
Since Lenovo has installed a root CA of their own on the computer, they can basically make your browser trust any site
they want by using the CA to create certificates for them. But now everyone can. People have already extracted the
private key from the
adware app and bruteforced the terrible, inexcusably bad password. A password of only 7 characters in length, consisting
of nothing but lowercase a–z characters. komodia. Really, that’s it right there.
So now anyone can create certificates that new Lenovo machines automatically trust. Shame on you, Lenovo.
And yes, I know Lenovo is not directly responsible because they didn’t make the adware, but they shouldn’t have
added some in the first place. At the very least they should have had oversight, because this is complete buffoonery.
Hopefully some heads will roll as a result. This race to the bottom where laptops are preinstalled with bloat in ever
increasing crappiness must stop.
In case you are using a Lenovo computer and want to check if you are vulnerable, try
going here. If you get a security warning from your browser, you are safe. If not,
douse your computer in some holy water and go make an angry call to Lenovo support.
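
A local check to go with the browser test above, as an added example that is not part of the original post: it searches the Windows root certificate stores for an entry tied to the adware. It assumes the root CA's subject or issuer contains the string "Superfish"; the function name and parameters are made up for this illustration.

```powershell
# Added example: look for a trusted root certificate whose subject or issuer
# mentions the adware. Assumption: the root CA is named after "Superfish".
function Find-RootCertificate {
    param(
        [string]$Pattern = 'Superfish',
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    $escaped = [regex]::Escape($Pattern)   # treat the name as literal text, not a regex
    foreach ($path in $StorePath) {
        # A store may be missing or unreadable for this user; skip it rather than fail.
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match $escaped -or $_.Issuer -match $escaped } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$hits = @(Find-RootCertificate)
if ($hits.Count -eq 0) {
    Write-Output 'No matching root certificate found in the Windows root stores.'
} else {
    $hits | Format-List
    Write-Output 'This machine trusts the root CA. Uninstall the adware and remove the certificate.'
}
```

This only covers the Windows certificate stores; a browser that keeps its own trust store has to be checked separately.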