2015-02-19

Regarding Lenovo preinstalling SSL-breaking MITM on their machines

One of my fears day-to-day is that my own employer will make a similar mistake. This could have so easily been my employer, instead of Lenovo. And I have no standing or ability in my employer to prevent it, especially not pro-actively. Nobody does, in any of the Windows OEMs.

The OEM gets paid for every instance that gets shipped, and for every instance that gets run, and for every demo preload that gets upgraded to a paying user.

And when something like this happens, the tech and infosec savvy people in an OEM company will run headlong into the people who have bonuses and promotions riding on "cultivating" the "relationships" with the "partners" that wrote the shit. Ripping the software out, backing out the damage, and apologizing will negatively impact their salary, so they will go to the mat and break out all the corporate political long knives to stonewall the issue.

I hate everything about OEM preloads. I tell people that when they do buy a retail Windows machine, they should immediately take it to a Microsoft Store and purchase a "Signature Editions" Windows reload. The staff there will take the new machine, scrub off the OEM install, install a fresh clean lean un-crapified Windows, and then put the old valid license key back on the machine. (Since they are Microsoft, they can generate and load valid license keys at will.)

Or if you can't stomach paying Microsoft $99 to give you the machine you thought you had already bought, at least download a copy of "PC Decrapifier" and immediately run it on your new machine the very first time you turn it on.

2 comments:

  1. It's worth noting that the root CA will not be removed when uninstalling the software, so PC Decrapifier is not enough in this case. You have to manually remove the CA to avoid HTTPS MITM at coffee shops and such.

    (To be clear, the associated private key for the root CA is now public knowledge)

  2. It's worth noting that the root CA will not be removed when uninstalling the software, so PC Decrapifier is not enough in this case. You have to manually remove the CA to avoid HTTPS MITM at coffee shops and such.

    (To be clear, the associated private key for the root CA is now public knowledge)
