Oh I'm sure they had lots of meetings about the contracts and pay structure, and they may have done testing to make sure it didn't break things, but apparently no one did a security review. Sadly, this doesn't surprise me that much.
If they did know about the problem, they could have fixed it. If the app simply generated a new key as part of first-time use, then it would just be run-of-the-mill crapware rather than a gaping security hole. Even if Lenovo has malicious intent, it would still have been in their best interests to do at least that, yet they didn't. Hence I assume it was incompetence.
It doesn't take a "security review" to spot a gaping security and privacy violation like this.
Any engineer with even the slightest clue of how a browser and "the internet" works would have called this out during the first "How does this product work?"-presentation.
(Which, possibly unfairly, is one reason I'm leaning more towards ansible than saltstack to this day -- I mean, if stuff like that got through... what else, in more complex areas of the system?)
The problem in Lenovo's situation is, calling it incompetence is the real stretch. You could call Charles Manson incompetent saying he just didn't know what he was doing was wrong, but everyone knows he was just evil.
Never falsely attribute to incompetence what is actually ascribable to malice. You can't come in here with a straight face and say that no one at Lenovo considered the security risk of including this software. If it was considered and they pushed ahead with it anyway, that's malice.
I don't think anyone there thought/realized that they were including a backdoor usable by any number of third parties (by virtue of installing a mitm-cert, and giving away the key). And this case is much worse than any other crapware-by-way-of-oem than I've heard of. But given the amount of nasty stuff most vendors seem to install on systems -- it appears to me that no one really looks at what is installed, or gives much thought to the consequences.
It's negligent, and in this case probably criminally so -- and that might constitute "an evil" -- but I don't think this is the result of someone's overt intentional evil act. I don't think anyone actually did consider the security risk of this particular piece of software. Maybe I'm naive, but if nothing else, the risk of lawsuits/backlash seems too great in this case.
I don't like ads and bloatware, but I think calling them "evil" is diluting what "evil" means.
I might be wrong, of course. But I don't think any of the big OEMs does any real review of the crap that is installed on computers -- and I think forgetting to generate an unique cert/key on post-install/first run is an error -- not intentional. Deciding to install this kind of crap strikes me as a very poor decision -- but I'm still not sure I'd consider it evil. Evil would be using the Intel management co-prosessor to do something similar -- presumably then a clean install wouldn't help.
But that argument means either that these companies do not have a security team (we know they do), that the security team signed off on this (we know they wouldn't), or the security team raised the risk and management chose to ignore it. There's absolutely no option that says "no one ever thought of this risk", at least not in the world we live in. I've worked in enterprise security and I still work in the security industry. There is just no way that this software got approved to be put in a default install and had no review from the security department.
That's what I meant by invoking the opposite of Hanlon's razor. Sure, never attribute to malice what can be explained by ignorance. But my point is, you can't explain this one with ignorance. There is just no way that Lenovo has hired a security team that would do a review of this and say it looks fine, and no way a company the size and stature of Lenovo would not have a competent security team. The only logical answer is that this was raised as a risk and management chose to accept the risk.
I'm not saying they're evil (I used that word to describe Charles Manson), nor that their end goal was for users to be compromised. Merely that they had to know this was a bad idea, and they chose to do it anyway.
You may be right. I'm inclined to believe the provisioning team in Lenovo is understaffed, and that they don't really do much security analysis at all. So I believe their negligent, and that their process is negligent. But I'm open to the idea that I might very well be wrong about that. Either way, it doesn't speak very highly of what kind of quality one can expect to get when shopping Lenovo products.
I generally agree, but this is a situation that can be explained by either an embarrassing level of incompetence or a pretty minor amount of malice (or even indifference). So I'll assume malice until I see them own up to that much incompetence.
Operations the size of Lenovo have a fairly intense vetting process before a product goes to market.
I find it very hard to believe that no red flags were raised by any of the engineers, managers and especially lawyers who must have screened this "feature" for problems.
It seems more plausible that the problem was known from the beginning (it is by design after all) and Lenovo decided to risk it.
My own experience makes me suspect the same thing. I used to work for a company that was, at the time, trying to develop a privacy-enhancing product (ironically enough...) which did something somewhat similar (although not on the size of this fuckup -- they'd be intercepting, but not tampering with, encrypted traffic, and storing encrypted private data).
Virtually everyone in the engineering team raised a flag when the imbec...uhm, the Product Manager came up with the idea. We pointed out that a) this burdens us with the responsibility of storing sensitive data which can, at least, have significant legal implications and that b) even if it's encrypted data, it may be a little hard to market a privacy device that works by uploading user data to our server as a first step without being transparent about the whole process. Oh, and c) that the data recovery mechanism he proposed (which involved storing the users' private keys on our servers as well, just in case they lost their precious little gimmick) was, in this case, entirely retarded.
The whole thing didn't even make it to Legal, because everyone in the decision tree just thought that since there's no plaintext data being stored, there's no potential for a lawsuit (and when we told the PM about Lavabit, he came back two hours later saying he Googled it and that we're covered since we're not an e-mail provider). The bright heads in Marketing weren't exactly sure about the whole transparency thing. They thought we should keep it simple and just tell people that their data is safely encrypted and be done with it, because end-users don't need to know about tech mumbo-jumbo like encryption keys and all that.
I don't work there anymore (thank God) and they haven't launched in the meantime, but when I left, they were basically working on implementing this clusterfuck.
I'm sorry I can't be more specific than this (for obvious reasons, I hope). The point is, however, that decisions as complex as these (there's a stack of paperwork thicker than the Osbourne-1 involved in preloading anything on a laptop) are made through an elaborate process, not made "by mistake".
Someone knew there was a problem. The problem may have ended up misunderstood or washed out along the decision chain (although I find that fairly unlikely), but someone, at some point, decided this was ok.
Once one vendor in your space says "we filter HTTPS traffic for nasty viruses!", it becomes a marketing weapon, and lots of customers think "well, why should I go with A when B protects me better?"
> Operations the size of Lenovo have a fairly intense vetting process before a product goes to market.
How does that go along with a gigantic fuckup like this? Ipso facto there was no vetting, otherwise this wouldn't happen. What did they expect, that this wouldn't come out, that this wouldn't damage their brand even further? If it was done out of malice it is still poorly vetted and incompetent malice.
Just repeat, “Never ascribe to malice that which can adequately be explained by incompetence.”
They probably didn't figure out that anyone would have a problem with this. For them, it's just a cool gimmick to get some money. That it is a gaping security hole which makes about 0.42 % of user population mad, probably never occurred to them.
Unfortunately, for the 0.42 % (that is us, reading this site, and people of similar interests) it will be hard going to explain to the next 4.2 % why this is so bad. The remaining approximately 96 % of population will stay largely uninterested.
Yea, read again. I claim that even if there was malice there necessarily was an element of incompetence present in that case as well.
> it will be hard going to explain to the next 4.2 % why this is so bad
Why? People aren't interested in exact details, that's why they rely on 0.42%. You can illustrate the magnitudes of moronity required to design some of their products and lack of respect for security by explaining that they approach those that are needed to drive a car which has chainsaw strapped on its steering wheel. This isn't mere buffer-overflows due to bad coding, these are comatose levels of stupidity.
Hopefully we .42 will inform our fellow 4.2ers when they come to us for advice when buying a new laptop/anything Lenovo makes. I don't think it will be so hard to explain it to them. They already know what adware is. Just mention it comes installed ready to track you. Always listening while you're visiting bank.com.
I doubt the usual lawyer assigned to this understands SSL and certificates well enough to say anything about it. They worry mostly about contracts, and this is a technical thing.
If they did know about the problem, they could have fixed it. If the app simply generated a new key as part of first-time use, then it would just be run-of-the-mill crapware rather than a gaping security hole. Even if Lenovo has malicious intent, it would still have been in their best interests to do at least that, yet they didn't. Hence I assume it was incompetence.