Paul Thurrott and ZDNet Independently Slam Microsofts Newest Surface, Surfacegate Has Begun

bbigford

@scottalanmiller said:
This was done through elaborate means that gave normal shops no means of bypassing - clean installs could not get around it.

How could a clean install not wipe that out? The software just provided a means of a man in the middle attack, a clean install takes that software out...

Dashrender

@BBigford said:

but I didn't realize a clean install couldn't get rid of the Superfish exploit.

The Superfish exploit was built into the WiFi driver. That's why you couldn't get around it. The hardware had been modified so you couldn't run the OEM driver on the machine.

to solve this problem, I ended up replacing the WiFi NIC with an OEM intel card and driver - not the kind of solution anyone should have to do.

bbigford

@Dashrender said:

@BBigford said:

but I didn't realize a clean install couldn't get rid of the Superfish exploit.

The Superfish exploit was built into the WiFi driver.

Apparently, I need to stop speed reading white papers. That is pretty crazy.

scottalanmiller

@BBigford said:

but I didn't realize a clean install couldn't get rid of the Superfish exploit.

You could by installing a completely unsupported OS. But reinstalling the included OS would not, because the only available drivers (online or otherwise) had superfish in it. So you had to go to extreme lengths to get a working install. (Superfish actually broke our network stack, that's how we found it.) Officially the didn't support Windows 10, but Windows 10 had working clean drivers, so you could go to Windows 10 Preview to get the Yoga 2 Pro to work without superfish. But we could find no Windows 8 or 8.1 option that wasn't tainted.

bbigford

@scottalanmiller said:
so you could go to Windows 10 Preview to get the Yoga 2 Pro to work without superfish.

As much as you dislike Lenovo, I half expected you just to sell the laptop after winning it.

scottalanmiller

@BBigford said:

@scottalanmiller said:
This was done through elaborate means that gave normal shops no means of bypassing - clean installs could not get around it.

How could a clean install not wipe that out? The software just provided a means of a man in the middle attack, a clean install takes that software out...

Because no driver existed except the tainted one. You could turn off networking of course. but the included hardware had no means of working without the shim on the supported OS versions (all current Windows at the time.)

They went to great lengths to target the workarounds that businesses would use.

bbigford

@scottalanmiller said:

Because no driver existed except the tainted one. You could turn off networking of course. but the included hardware had no means of working without the shim on the supported OS versions (all current Windows at the time.)

Ok yeah that is pretty unforgivable. Just that one by itself aside from the others. That is an intentional man in the middle. I knew Superfish was a fairly big exploit, but I didn't realize it was THAT ugly under the surface when it came to Lenovo.

scottalanmiller

@BBigford said:

@scottalanmiller said:
so you could go to Windows 10 Preview to get the Yoga 2 Pro to work without superfish.

As much as you dislike Lenovo, I half expected you just to sell the laptop after winning it.

It's my wife's and we tried hard to get it to work. But at this point, we realize that it is just isn't good enough to put up with. It's not up to par with any of our cheaper gear. She didn't want to buy something else, but is so sick of it now that she doesn't want to deal with it anymore.

Yes, Windows 10 Preview would work. But it wasn't official supported or even released (obviously.) So that means a lot of extra work and tons of bugs. Not exactly a valid fix, but it got us by,.

scottalanmiller

@BBigford said:

@scottalanmiller said:

Because no driver existed except the tainted one. You could turn off networking of course. but the included hardware had no means of working without the shim on the supported OS versions (all current Windows at the time.)

Ok yeah that is pretty unforgivable. Just that one by itself aside from the others. That is an intentional man in the middle. I knew Superfish was a fairly big exploit, but I didn't realize it was THAT ugly under the surface when it came to Lenovo.

Yeah. It was bad.

We actually discovered it because it made MangoLassi unable to load. That's how we figured out there was a shim... it was acting as an HTTP proxy but wasn't advanced enough to pass websockets.

JaredBusch

Well, I just ordered a surface pro 4 for a client. We shall see how this goes.