Lenovo Owns Motorola Discussion
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
I'm certainly not shaming anyone, and certainly not calling anyone a liar. That's a pretty far-fetched accusation and uncalled for.
You are attempting to make those of us who had our security compromised look bad by asking us to prove what was taking (that onus is on Lenovo, not us, and anyone defending them), and downplaying what stealing banking and other private data means, trying to cover malware by calling it adware, and by misdirecting one crime by pointing out that likely others do it too (like the US fed.)
All of your "it's not that bad" is based on one key point - I have to be lying about what Lenovo did. Either they did it, and you have to be appalled and angry at them, or they didn't do it and you are calling me a liar. The only other option seems to be supporting the attack on me (and others) as a good thing. What am I missing?
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
All of your data is not being pirated by Lenovo.
THIS is shaming. THIS is downplaying and trying to trivialize that any of my data was exposed and they took what they wanted, but since they left something, I'm "overreacting" is the implication.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
That is the idea that seems to be going around that I can't agree with, and therefore can't share the same opinions.
That you think it's relevant is part of the shaming. You think that since they selectively stole what they wanted or what went over the wire and not absolutely everything ever made, that we shouldn't have concerns or that the issue isn't real? You have basically said that it's perfectly fine to steal selective things, as long as it isn't everything. And since it was only selective we, the victims, need to shut up and go away because we aren't really victims to your standards.
-
@scottalanmiller said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
That is the idea that seems to be going around that I can't agree with, and therefore can't share the same opinions.
That you think it's relevant is part of the shaming. You think that since they selectively stole what they wanted or what went over the wire and not absolutely everything ever made, that we shouldn't have concerns or that the issue isn't real? You have basically said that it's perfectly fine to steal selective things, as long as it isn't everything. And since it was only selective we, the victims, need to shut up and go away because we aren't really victims to your standards.
Scott, SCOTT it's fine, I'm just going to steal all of the money in your one bank account, but I'll leave your Bitcoin alone. You have to be okay with it because I'm leaving you with something!
P.S. Please enjoy these ads for other malware laden lenovo products
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
That's a pretty far-fetched accusation and uncalled for.
So let's break it down.
Do you or do you not believe that I and others were hit with Lenovo's man in the middle attack that allowed them to selectively harvest anything that they wanted that crossed my wire, even stuff that was encrypted, since the man in the middle was inside the network stack and bypassed SSL?
If you don't believe me, how does that not mean you think that I am lying, since this is what I am claiming?
Assuming you say that you do believe me, and that Lenovo had access to anything that they wanted and could steal anything that they chose.... then how can you ever think it is okay to downplay that or try how is it not victim shaming once we've identified that we are victims to try to make it seem irrelevant and that we shouldn't be upset that Lenovo compromised us? How is anything you are saying not victim shaming if you aren't calling me a liar? I only see two possibilities here.
-
I'm one of the lucky ones, I caught Lenovo doing this on a fresh build, brand new machine. Because pretty much the first thing that I did was go to MangoLassi and discover that Lenovo had essentially disabled the community. So I knew instantly that something was wrong. Then tracked down what was going on. But for a lot of people, they had all of their data compromised.
You can't really feel okay with having your banking data, SS#, private family info, spousal info, kids' info, all taken by a group of third parties. That they are Chinese, American, etc. really make zero difference. And I think that the parties doing the processing for Lenovo were in the US, not China, I doubt that they would ever have transmitted the info to China, Lenovo was just selling the attack, I'm sure, not trying to use the stolen data. They were paid to steal it, not to use it.
-
Here is a little more about the attack, because some of these details are really, really important. First, the cert is only part of the story, not the whole thing. There was a shim as well. But the root cert bit is what completely compromised computers to blind third parties:
"The biggest problem with Superfish isn’t the adware itself so much as the way it hijacks legitimate SSL traffic. It does so by installing a self-generated root certificate in the Windows certificate store—a hallowed area usually reserved for trusted certificates from major companies like Microsoft and VeriSign—and then resigns all SSL certificates presented by HTTPS sites with its own certificate."
So part of the problem is that no one will ever know how much data was stolen, because they didn't have to steal it through Lenovo, through SuperFish, or through anyone that they are known to be connected to. It could be stolen by an "at arms length" partner who just knows of the breach, and in many cases might simply be stolen by unrelated third parties. Lenovo didn't just sell the security of its customers out from under them, they threw them under the security bus on top of it. They disabled the entire SSL ecosystem for their little "ad faking" attack, which is likely illegal on its own, but in a totally different way.
Lenovo's empty claim is that while trying to commit a small crime, they accidentally committed a big one. But that's a pathetic and implausible excuse. Only a total idiot would think that Lenovo could be that stupid. Everyone involved had to known absolutely how clearly insecure this was and how it would breach security everywhere, no one could possible claim to be so dumb and work in IT and not know this. Lenovo is hoping that we dont' notice how obviously untrue the "accident" claim has to be. And other sites claim that the data was stolen, not just opened up and ready to be stolen.
But part of the problem is, we will never know who all used this to steal data. It's impossible to know. As the data was just opened up to the world. No one, not even Lenovo, can figure out who all got it.
-
@scottalanmiller said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
I'm one of the people that they harvested.
What data did they harvest from you?
"However, the software blocked the browsers from notifying or warning the user about not visiting the malicious websites the links of which the pre-installed adware posted. The adware could steal valuable information such as Social Security Number, private credentials, and similar sensitive data. This, claims the FTC, was a clear proof of the way Lenovo compromised the privacy of consumers.
The preloaded software “could access consumers’ sensitive information without adequate notice or consent to its use. This conduct is even more serious because the software compromised online security protections that consumers rely on,” stated Maureen Ohlhausen, the acting chairman of FTC. The FTC also noted that the data stolen by VisualDiscovery was not received by or sent to Superfish, the Palo Alto, California-based firm."
https://www.hackread.com/lenovo-to-pay-millions-for-secretly-installing-adware-in-750000-laptops/
Calling software the hijacks data and makes it available to third party "adware" because it "could also show ads" is a form of social engineering. Yes, it is also adware, but primarily it is a breach of security, that it shows ads as well is just a bit of misdirection to make it easier to confuse people from the actual problem.
I seen a whole lot of "could"s in there. Someone inside a retail store "could" steal something... Just because he could, doesn't mean he is stealing.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
I'm one of the people that they harvested.
What data did they harvest from you?
"However, the software blocked the browsers from notifying or warning the user about not visiting the malicious websites the links of which the pre-installed adware posted. The adware could steal valuable information such as Social Security Number, private credentials, and similar sensitive data. This, claims the FTC, was a clear proof of the way Lenovo compromised the privacy of consumers.
The preloaded software “could access consumers’ sensitive information without adequate notice or consent to its use. This conduct is even more serious because the software compromised online security protections that consumers rely on,” stated Maureen Ohlhausen, the acting chairman of FTC. The FTC also noted that the data stolen by VisualDiscovery was not received by or sent to Superfish, the Palo Alto, California-based firm."
https://www.hackread.com/lenovo-to-pay-millions-for-secretly-installing-adware-in-750000-laptops/
Calling software the hijacks data and makes it available to third party "adware" because it "could also show ads" is a form of social engineering. Yes, it is also adware, but primarily it is a breach of security, that it shows ads as well is just a bit of misdirection to make it easier to confuse people from the actual problem.
I seen a whole lot of "could"s in there. Someone inside a retail store "could" steal something... Just because he could, doesn't mean he is stealing.
Someone could also with this data find out where you live, rape your wife/you/kids/ kidnap anyone in your family, hold your data at ransom / blackmail you or your family / target ads to you / take all of your money from your bank accounts / bitcoin etc etc etc.
So just shut it already as you aren't making a case for "this wasn't so bad". You're trolling and IMO (not that it matters) bordering on getting banned from the community for being a dumb ass.
-
@scottalanmiller said in Lenovo Owns Motorola Discussion:
You can't really feel okay with having your banking data, SS#, private family info, spousal info, kids' info, all taken by a group of third parties.
I have never said it's okay. Now you are calling me a liar and shaming me, though not as pathetically as others.
-
Would you be cool if I installed camera's throughout your house without you knowing? Including in the shower, toilet, tub and then saying "oh I was doing it to make sure that as a renter in my property you weren't doing something illegal".
No you'd be pissed, there is zero excuse for Lenovo's actions here, none at all.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
You can't really feel okay with having your banking data, SS#, private family info, spousal info, kids' info, all taken by a group of third parties.
I have never said it's okay. Now you are calling me a liar and shaming me, though not as pathetically as others.
You've stated that, this data wasn't stolen. But viewing it at all without consent is theft. FFS
-
@DustinB3403 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
You can't really feel okay with having your banking data, SS#, private family info, spousal info, kids' info, all taken by a group of third parties.
I have never said it's okay. Now you are calling me a liar and shaming me, though not as pathetically as others.
You've stated that, this data wasn't stolen. But viewing it at all without consent is theft. FFS
The ultimate usage of this Superfish issue, is beyond comparison of pretty much anything performed anywhere else. The scale of things that were accessible in essentially plain-text was anything and everything that a user went to on their computer.
This includes things such as bank details, health records, social security information, family details, personal accounts like facebook, everything was logged in plain-text and easily ready to be used by who knows who.
Edit and the access to these details weren't limited to just a 3 letter agency, but literally anyone who knew what to look for and what to adjust with the vulnerability.
-
Worse than superfish (which, in theory is no long a problem) is that they lied about it.
And that they then did nearly the same thing again.
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
I seen a whole lot of "could"s in there. Someone inside a retail store "could" steal something... Just because he could, doesn't mean he is stealing.
THIS IS NOT OKAY.
Someone "in a store" is not the same as someone who broke in and was caught grabbing the data. We aren't talking about a bank customer. We are talking about a bank robber who broke in, breached the safe, and now you are trying to pretend that even if you can't prove that they made off with any money that they were just innocent.
THIS is victim shaming. The onus is on YOU now, point blank, to defend your position.
-
@JaredBusch said in Lenovo Owns Motorola Discussion:
Worse than superfish (which, in theory is no long a problem) is that they lied about it.
And that they then did nearly the same thing again.
And worse than that, is that people will defend them and try to pretend that it is okay that they did this!
-
@Obsolesce said in Lenovo Owns Motorola Discussion:
I do not think it's to the extent many make it out to be. All of your data is not being pirated by Lenovo. That is the idea that seems to be going around that I can't agree with, and therefore can't share the same opinions.
Actually this bit has nothing to do with Lenovo, aside from being the cause of the problem.
The shit ass coding was cracked and could enable anyone to put malicious code on their website to make use of Superfish.
-
@DustinB3403 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
You can't really feel okay with having your banking data, SS#, private family info, spousal info, kids' info, all taken by a group of third parties.
I have never said it's okay. Now you are calling me a liar and shaming me, though not as pathetically as others.
You've stated that, this data wasn't stolen. But viewing it at all without consent is theft. FFS
And even just breaking and entering, preparing to steal it, is enough. Talking about how much was taking is part of his misdirection tactic. Bottom line is that it doesn't matter at all if they actually took something or not. That's a social engineering tactic.
-
@DustinB3403 said in Lenovo Owns Motorola Discussion:
Edit and the access to these details weren't limited to just a 3 letter agency, but literally anyone who knew what to look for and what to adjust with the vulnerability.
And probably a lot of people who just stumbled upon it. It's like a bank robber that opened your safe, then left with something or nothing we don't know, then just left it for random people wandering by to plunder.
-
@scottalanmiller said in Lenovo Owns Motorola Discussion:
@DustinB3403 said in Lenovo Owns Motorola Discussion:
@Obsolesce said in Lenovo Owns Motorola Discussion:
@scottalanmiller said in Lenovo Owns Motorola Discussion:
You can't really feel okay with having your banking data, SS#, private family info, spousal info, kids' info, all taken by a group of third parties.
I have never said it's okay. Now you are calling me a liar and shaming me, though not as pathetically as others.
You've stated that, this data wasn't stolen. But viewing it at all without consent is theft. FFS
And even just breaking and entering, preparing to steal it, is enough. Talking about how much was taking is part of his misdirection tactic. Bottom line is that it doesn't matter at all if they actually took something or not. That's a social engineering tactic.
Exactly.
Planning a murder for hire is illegal. Even if no murder took place or money exchanged hands.
Planning a bank robbery is illegal, even if no robbery takes place or money stolen.
This is only different in that security was breached and data was stolen.