Comment Re:Umm.... (Score 1) 153
The Italian word for 'masturbate.'
"... the writing is on the wall for console monopolies when computers are becoming a commodity everyday device."
Your comment is as retarded today as it was when it was first parroted some 20-odd years ago.
Uh, yea. Trust of ANY program on your computer. Damage is done and continuing to be dealt.
"In less than a day it has gone from scandal to basically resolved."
What? Not even close! What about the damage this shit does to OTHER PROGRAMS I INSTALL that Lenovo has no business touching? Their fix DOESN'T FIX THAT.
And you call the issue resolved? How easy to appease are you?
Nah, still only need those two pieces of equipment I listed. What's changed is the access list. Odds are there's a makerspace with a half-decent 3D printer available. Just take your design over there and print it out.
The discussion is far from moot. Security also involves mitigation. By assuming your OS is fucked in the first place, you get programs that should in theory provide more security by using their own stuff instead of the OS, thus mitigating (or outright eliminating in some cases) the specific threat to the point of rendering it useless. Thus, even if the OS isn't actually compromised, you've still greatly managed to increase your security over the baseline.
"I got news for you if your primary OS cert store gets fucked you are fucked."
Given the history of the NSA and Microsoft, you're better off assuming the OS cert store is fucked in the first place, sir.
There's a good reason to have security on every program with its own rules.
Their removal tool is garbage and does nothing to fix any damage done to the cert stores of browsers like Firefox and Opera, and will not fix your Thunderbird cert store either, if any of those were infected.
"Well Mozilla products are defective in this area IMHO. They should system certificate stores by default rather than their own."
Nope. Having your own cert store protects you if the primary OS cert store gets fucked.
My god it is like the lessons of granular security have just been totally forgotten, these days.
Wrong. You can live hot-swap. This is a trick that has been around for ages for single-BIOS machines. You boot up with a known good BIOS, after the system has loaded up, while it's still live, you pull the good BIOS chip, insert the bricked one, run your firmware update. Did you even read the entirety of my original statement where this was specified?
Who needs the case? Also, nobody in this thread mentioned laptops specifically.
Also, we've got 3-D printing. Just print a shell. Plenty of stuff out there already made up for several nearly-standard laptop logic boards.
I will guarantee you that this particular 'update' will only take care of the core OS infection. If you have FF, Opera, or Thunderbird, do not expect this to work. You're stuck fixing those programs and their cert stores on your own.
I wouldn't trust Lenovo, anyways. They can't keep a story straight.
We know this software has been on Lenovo laptops since June, at the least. So the Oct-Dec statement is a lie. Three straight lies in a row.
Simply put, you cannot trust this company any longer. Their 'fix' is a lie, their statements are lies, and they're trying to save face to avoid the Federal hand of pain bearing down upon them.
"Well, it just so happens that when you install a nice, secure OS instead of the spyware that comes with your Lenovo product, you do not have to worry about this issue"
Except this stuff can hit FF and Opera and Thunderbird, which don't use the OS's cert store. Which means Firefox on Linux and BSD can get fucked as well.
And since this crapware is utilized as the base for many other programs, many of which have Linux ports, you can rest assured that there are quite likely infected Linux machines.
Well, no surprise someone freely espousing OSS nonsense wouldn't have half a fucking clue what they're talking about.
Yup, lying sacks of shit. I caught them in their lie, too.
They say they stopped this in December?
Why does this say it stopped in January here in the official topic?
Why does this updated "security advisory" state February as the actual stopping month?
Lenovo is a lying sack of shit. We should start a change.org petition and tell the Gov't to bar Lenovo from all future USGov't contracts.
"they SAY there is a removal script.
does it do a complete job?"
Not. Even. Close.
You might clean out the cert store for Windows, but that does nothing if you have FF/Thunderbird or Opera installed. They have their own cert stores and those get infected, too. Lenovo won't touch those programs.