[Cryptography] Lenovo laptops with preloaded adware and an evil CA

Christian Huitema huitema at huitema.net
Sun Feb 22 00:21:02 EST 2015


> So ex-surveillance agents, operating in both the private and public
> spheres, have ostensibly combined their powers to force ads onto people’s
> computers, leaving web users open to other forms of attack. That’s
> startling and frightening for anyone who cares about privacy or security.

One way to look at that is that these agents are rubbing our collective
noses in our past collective mistakes. In that case, the collective mistake
is the reliance on WebPKI and its multitude of root CAs, combined with the
apparent facility with which everybody and their evil twin manages to insert
their own certificate in the "root files" of our devices.

IanG in another thread expressed his outrage at the prevalence of phishing,
an outrage that many share. Again, this phishing is largely due to our past
collective mistakes, like the ease with which any midlevel hacker can fake
the origin of an email, the ease with which simple SQL injection attacks can
still be used to hack websites, or the ease with which zero-day bugs in
various document parsers can be used to plant viruses on unsuspecting
targets. To name a few.

A particular example of phishing led to the recently disclosed attack on SIM
cards. But phishing was not the only past mistake there. Static shared
secrets, really? No forward secrecy? What year is this, 1994? Or 1984 maybe?

In a sense, that's a wake-up call. Stuff was kind of OK because the world
was a nice place and the business was good. Not anymore.

-- Christian Huitema