Did you hear about Superfish this year?

[Sean] Yes. This is the Lenovo laptop scandal, isn’t it?

Yeah, this is the bit of software that was installed on pretty much every consumer Lenovo laptop. It was so bad that the US Department of Homeland Security issued an advisory saying that this needs to be uninstalled. And to understand why it’s so bad we need to understand Man In The Middle attacks.

There have been a lot of techniques for intercepting traffic for a long, long time. One of the earliest ones I remember was called ARP spoofing or ARP poisoning. You’ve got your router sitting in the middle. ’Cause all routers have a little aerial and some lights on them. And you’ve got computers connected to this. And what you do is you bring your computer onto an open Wi-Fi network, something like that, connect your computer, and your computer just announces, “Hello! I’m now the router.” I’m simplifying massively here but basically the network is built on trust. And so the computers just kind of believe it. And so the computers and the router are sending all their packets to you first and then you’re forwarding them on to the right locations. So everything’s going through you.

10 or 15 years ago this was terrible because pretty much everything was sent in plain text. Email passwords, websites, everything was going through plain text. So you could just sit there and, provided your computer was fast enough, your network card was good enough, you could see every bit of traffic on this network and just kind of slurp all the passwords out. Obviously massively illegal without the consent of everyone on the network, so don’t do that!

Umm, but the solution to that is SSL. Your computer sitting here, and the server out here. As all servers look like computers from the 1990s. Your computer sends requests saying “Hello, I would like to talk securely.” “These are the protocols I can support. These are my details.” And the server comes back, “Yeah, okay.
Here’s my public key.” I know Computerphile has done, you’ve done public and private key before.
[Sean] Yeah, he’s sat behind me.

So yeah, go watch his video about public and private key cryptography if you want to know the details about that. Basically the server sends back a long series of numbers. Your computer can sign messages with these and encrypt messages with these. And they can only be unlocked by that server because maths. I’m not going to try to explain more than that. You can lock messages, only they can unlock them. Which is great because your attacker, who is sitting in the middle here and reading everything, will just see noise.

Except all we’ve really done is just moved the problem back a stage because that first bit, that “Hello, I would like to talk securely.” “Yeah okay. Here’s my private (sic. meant “public”) key.” That has to go in plain text. And someone in the middle can change that. They can take that public key that was sent by the server and just go, “Um, no. I’m going to have that! Here’s my public key instead.” You’re actually going here, and then here. Your computer here doesn’t know the difference. It then encrypts the message with the attacker’s public key. Sends it back here. Attacker opens it. Decrypts it. Reads it. Goes “okay.” and then sends the message that should have been sent from your computer all properly encrypted. Server goes, “All right, we’ve got an encrypted connection going on here.” Sends the encrypted packet. The attacker, who can do this now, unlocks it, goes “yeah, all right,” and then re-encrypts it with their key, sends it on to you and now every single communication is going through the attacker. No one knows anything is wrong. That is your classic Man In The Middle attack.

The solution to this is something called signed certificates. This is why setting up a secure server on the web costs a little bit of money right now. I mean it may not in the future. The Electronic Frontier Foundation and Mozilla are trying to set up a thing to make this free. Hopefully by the end of the year it will be.
But the idea is that there’s a third party vouching for the set of the public keys you’re exchanging. I’ve had to do this. I set up a secure server about a year ago now. What I had to do when I was setting it up, I had to write “It’s going to run this website, it’s going to be on this address, it’s going to use these protocols” and they would generate this set of public and private keys. And then over an existing secure connection, one that I knew to be good, I send that private key off to something that is called a certifi- How do I draw a certificate authority?

[Sean] I think it’s going to be a faceless office.

Or why don’t we do a factory, then we know that’s kind of indus… Haha, we’re going to the Internet factory, there we go. Factory of the Internet, all right, there we go, we got a padlock factory there. No no, it’s not a padlock. I’ve drawn a padlock here, it’s not. It’s a set of keys. It’s what we call public and private keys. I generate my keys. I make them. And I send them over a connection I know to be secure to this company. There’s like half a dozen big ones in the world. Maybe 50 or 100 or so small regional ones. And what they do is they check, all right these keys we’ve got. Are they definitely from this server? Yes. And if you want one of the green padlocks with your company name on it they ask you to, I don’t know, fax something on headed paper, something like that. It’s probably still a fax machine actually, which is why it’s so expensive, you know, to keep the fax machine running. They get this. They check it’s coming from the right server. They check it’s the right keys. And then they do maths to them. And now those keys are signed by that company with their own private key, which no one else has. So now, when I do that initial back and forth, so a person comes along, they talk to my server, and they say “Hello. I would like to talk securely.” And my server says, “All right. Here is my public key.
It’s been signed by those folks over there.” And the company says, “Ah! Oh yeah, okay! That’s great.” And if the attacker changes one bit of those keys, in the computer sense, one 1 or 0 in there, the maths doesn’t add up any more. And more than that, not only does the maths not add up, they can’t generate any new keys and sign them because they don’t have the private key for any of these big companies. So the attacker’s completely out of luck. If they change it, it’d be like when you try logging into a public Wi-Fi network, it pops up “Hey! You need to log in. We need your details.” Sometimes that’s a man in the middle attack and they are taking stuff you are trying to send to the server. And they’re getting in the way and sending, “no we’re going to send back our page instead.” This warning will pop up and say “we’re meant to be on a secure connection to Gmail but we’re not! YWAA! Panic everyone, run. Big red screen.” Which of course most people have now trained themselves to click through, but you know, you try.

Okay, the attacker can’t intercept the keys any more. Not without sending up all sorts of red flags, which is fine. But again all we’ve done is we’ve moved the problem back a stage because how do you know which certificate authorities to trust? And that’s when, for end users, for people like you and me web browsing, you do have to take it on trust. Because when you bought your smartphone, when I bought this, I trusted Apple. They installed a list of maybe, probably about 100 certificate authorities, those factories, on there. They installed their public keys on there. So they don’t really go over the air to start with. They’re pre-installed with your device. If you install a web browser, that would be over a connection you know to be secure, or hopefully. And you install that and say “Right, I’m trusting these companies because my browser manufacturer trusts them.” It’s okay, we now have keys on this server signed by the factory here.
And that factory is trusted by whoever made your browser or your device. So we have this complete network of trust that’s set up. That means the attacker can’t change the keys. And there are two obvious weak points there. One is the certificate authority. If you can get them to fraudulently sign keys then all the people who trust them are completely out of luck. And that happened, that happened to a Dutch certificate authority that is now bankrupt because no one trusts them. Somehow they got conned, coerced, bribed, no one knows, but they generated a completely valid, signed certificate for Google. They had no right to do that, no permission to do that, but they generated a certificate for the whole of Google with their signature on it saying, “We trust this.” And that somehow made it to Iran where someone managed a massive man in the middle attack on enormous numbers of Iranian web users. So they were all seeing a big green padlock with “Google” written in it. If they looked at the details, which a couple of people – if you’re paranoid, you check the details on this. And someone is asking “Why is this certificate for Google signed by someone in the Netherlands? That doesn’t make sense.” And that was how it was found out. That wasn’t a genuine Google certificate. But most people wouldn’t know that. They’re talking to Gmail. They’re seeing a big green Google certificate in there. They think all’s well.

[Sean] So they’re basically looking at their Gmail emails, but it’s all going through somewhere else.

It’s all going through an attacker. The keys that are being replaced, they couldn’t do it for every website, but they’ve done it for this one, they’ve done it for Google. So every bit of Google traffic that went through them, they were swapping out the keys. They were opening everything, looking at it, all this is all happening in milliseconds obviously. Open it. Store it. Put the new keys on it that you’ve got. Send it onwards. And it’s terrible.
It’s a devastating attack if you can pull it off. And there is a genuine concern that governments can do this. That governments can go to certificate authorities and say, “Right. This is the government here. We need you to generate some fake certificates.” Or they can just steal the private keys. If they can steal the certificate authority’s private keys, they can generate their own keys without even the authority knowing. I mean, it’s a devastating attack if they can pull it off. Can they? I’d be surprised if the NSA couldn’t do that somehow. Whether they actually choose to do it is another matter. Because if they do, and it gets found out, not only have they bankrupted a fairly major company, that no one trusts any more, but they’ve blown their cover. So I suspect that yeah, they can do it, but they use it in very, very rare situations where they haven’t got another option. Whether they should, I’m not getting into that debate. That’s one weak spot.

The other is the list of trusted authorities on your phone or on your computer. Because if an attacker can get an extra entry in there, if they can get themselves in there, then they can just generate new keys on the fly and every single connection would be intercepted. So that’s what Superfish did. They wanted to insert advertising. Superfish was a program that took your Google searches and added a little bit more advertising in it for them, which is a terrible idea! But Google switched to secure searching for everyone. So Superfish, which is such a bad idea, they installed themselves as a trusted certificate provider. And it wasn’t even sitting out in the networks, it was this little program sitting on your own computer looking at all your traffic and doing a man in the middle attack on it and inserting their own adverts. That authority is sitting on your computer signing keys on the fly. Which means that the private key, the numbers that should never ever be seen, is sitting on your computer and can be extracted.
It was the same on every single computer, so as soon as one attacker pulled it off one computer, every single installation is vulnerable, because every single computer that has Superfish trusts Superfish. So if someone in the middle pretends to be Superfish, which they can do because they have that private key, then that attacker can man in the middle every single secure website out there. And they know you’ve got it because they can see Lenovo on the back of your computer in the coffee shop. There’s ways, there’s uninstallers out there now. Lenovo promised not to do it again. Superfish, as far as I know, does not exist as a bit of software any more. But it’s one short-sighted company that used every ignorant shortcut in the book to try to make a few adverts appear. Just because of that, tens of thousands, maybe hundreds of thousands of computers, I don’t know, perhaps a million, I don’t know how many they make in a year. But all those were made vulnerable to a really, really terrible attack just because one company wanted to sell a few ads.

And it’s very, very difficult for people who go into a bad place and use a card, because if you complain to your bank then the strip club owner will just say, “He was with four girls all night, and four thousand pounds is what that costs at our place.”

How long have we not been recording? That’s a really good question. This is because I’m an idiot. I love it. We’re three quarters of the way through and he says, “Why are we not recording?” We did that for the drone footage in Chernobyl. We had a monitor on the drone footage with a remote link. And we’re getting our shots. And I look in and go “Our GoPro is not rolling. Oh!” Bring the drone back down. Change the battery in the drone. Oh man!
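The chain of trust described in the video (a certificate authority signs the server's key, a certificate signed by anyone else or altered by a single bit is rejected, and an extra root planted in the trust list, as Superfish did, makes the rogue signature pass) can be reproduced locally with the openssl command line. The script below is an added example, not code from the video or from Computerphile. It assumes the `openssl` CLI is installed and uses made-up names (`Example Root CA`, `Rogue CA`, `example.test`) and throwaway keys in a temporary directory. Note one detail that differs from the video's description: the server operator keeps its private key and sends the CA only a signing request containing the public key.

```shell
#!/bin/sh
# Added example (not from the video): a toy chain of trust with the openssl CLI.
# All names are made up; every file lives in a throwaway directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. The certificate authority ("the factory") makes its own key pair and a
#    self-signed root certificate. Devices ship with a list of roots like this.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. The server operator generates its own key pair and a certificate signing
#    request (CSR). The CSR carries the public key and the server name only;
#    server.key never leaves this machine.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=example.test" -keyout server.key -out server.csr 2>/dev/null

# 3. The CA signs the CSR with its private key, producing the server certificate.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -sha256 -out server.crt 2>/dev/null

# 4. An attacker running their own CA signs the very same CSR. Nothing stops
#    them producing a certificate; what they cannot produce is a signature that
#    verifies under the real CA's public key, because they do not hold ca.key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Rogue CA" -keyout rogue.key -out rogue.crt 2>/dev/null
openssl x509 -req -in server.csr -CA rogue.crt -CAkey rogue.key -CAcreateserial \
    -days 1 -sha256 -out forged.crt 2>/dev/null

# 5. A Superfish-style trust store: the honest root plus the attacker's root,
#    which is what an extra entry in the device's trusted list amounts to.
cat ca.crt rogue.crt > store_with_rogue.crt

# verify_chain CERT STORE: prints "trusted" if CERT chains to a root in STORE,
# otherwise "rejected". This is the check a browser runs before showing a padlock.
verify_chain() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# tamper IN OUT: flips one bit of the certificate's signature (the last byte of
# the DER encoding is part of the signature value) and writes the result as PEM.
tamper() {
    openssl x509 -in "$1" -outform DER -out tampered.der 2>/dev/null
    off=$(( $(wc -c < tampered.der) - 1 ))
    byte=$(od -An -tu1 -j "$off" -N 1 tampered.der | tr -d ' ')
    printf "$(printf '\\%03o' $(( byte ^ 1 )))" \
        | dd of=tampered.der bs=1 seek="$off" conv=notrunc 2>/dev/null
    openssl x509 -inform DER -in tampered.der -out "$2" 2>/dev/null
}

tamper server.crt tampered.crt
echo "genuine cert, honest store:        $(verify_chain server.crt ca.crt)"
echo "rogue-signed cert, honest store:   $(verify_chain forged.crt ca.crt)"
echo "one bit flipped, honest store:     $(verify_chain tampered.crt ca.crt)"
echo "rogue-signed cert, rogue root added: $(verify_chain forged.crt store_with_rogue.crt)"
```

The first three checks are the video's argument in miniature: only a certificate signed with the real CA's private key verifies, and a one-bit change anywhere in the signed bytes breaks the signature. The last check is the Superfish failure mode: once the attacker's root sits in the trust store, a certificate they minted for any name is accepted, which is why a leaked root private key shared across every installation was so damaging.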

Man in the Middle Attacks & Superfish – Computerphile
100 thoughts on “Man in the Middle Attacks & Superfish – Computerphile”

  • October 10, 2017 at 7:04 pm

    I don't even know why anyone trusts NSA after the incident with Edward Snowden

  • October 11, 2017 at 8:23 am

    It's actually worse than that. SSL is near to useless on any site that carries third party advertising. The advertiser doesn't need Superfish, they can run Javascript in your browser that logs your keystrokes or scans for password fields.

    The advertising is served via a different certificate than the one covering the site you visit, yet there is no mention of this in the browser's SSL info. It is as if the connection from your browser to the advertiser doesn't exist. Yet, using a wiretrace you can see that it does.

    Not a lot of end users know that.

  • October 14, 2017 at 3:40 pm

    Funnily enough Superfish is also the name of a javascript library we use at my current work as well as the chippy down the road.

  • October 18, 2017 at 11:14 pm

    Certainly more than 1 million

  • October 19, 2017 at 8:31 pm

    padlock should be in opened position when you drew it if we use that analogy:))

  • October 23, 2017 at 9:39 pm

    I have a Lenovo laptop but I'm okay because I always do a fresh install of any operating system and then get the drivers I need.

  • October 27, 2017 at 10:22 am

    I've been using the same Lenovo laptop since 2012! How come no one told me about this?

  • November 4, 2017 at 9:15 pm

    I think this is happening to The Pirate Bay.

  • November 21, 2017 at 10:00 pm

    4:22 CA does not generate a set of public and private keys for you. You do that yourself. As they pointed out in the annotation at 2:48 you NEVER share your private key. What you do is create a `Certificate Signing Request (CSR)`, which basically contains your Public Key, website's URL and a few other insignificant details.

    So no fax machines needed 🙁
    It is still a good video and a starting point. Because OpenSSL is one big and complicated system

  • November 27, 2017 at 10:46 pm

    Great work, you guys go into more depth than the average tutorials and the information is strong.

  • December 5, 2017 at 10:29 pm

    How do you check who signed the certificate on Chrome?

  • January 10, 2018 at 12:57 am

    The ROOTER

  • January 19, 2018 at 11:12 pm

    the video has 384,384 views right now

  • January 30, 2018 at 2:17 am

    So happy now that we can get free certificates from Let's Encrypt. The internet will soon become a more secure place

  • February 6, 2018 at 7:12 am

    ARP spoofing still works just fine on a sadly large number of devices. Quite useful when you need to sniff the network traffic from a closed device and you have a crappy consumer router.

  • February 6, 2018 at 7:23 am

    It's very sad that this all could've been avoided if they had just generated a CA on first boot.

  • February 11, 2018 at 12:58 am

    "Simplifying massively here"

  • February 15, 2018 at 2:31 am

    Another issue: What if the attacker sitting on your network tells your computer that google prefers http over https, encrypts your packets, and forwards them to google?

  • February 15, 2018 at 2:35 pm

    7:54 Does "sign keys" mean "issue certificates"?

  • February 27, 2018 at 5:06 am

    But what prevents the attacker from just getting the certificate authority keys from their own device? This doesn't make sense to me.

  • March 8, 2018 at 2:31 pm

    Let's Encrypt provides free renewable 3 month SSL keys.

  • April 1, 2018 at 3:07 am

    Everyone should check their web browser certificates on a regular basis. Remove any certificates that have expired.

  • April 24, 2018 at 9:57 pm

    "All servers look like computers from the 1990s" mine looks like a potato…

  • April 27, 2018 at 8:36 pm

    "they do maths to them." Real specific Tom

  • May 4, 2018 at 1:57 am

    Superfish sounds like a new IP for the GameCube.

  • May 9, 2018 at 9:25 am

    But superfish is just a company for swimming at

  • May 10, 2018 at 6:57 am

    aaaaaaaaand ssl strip came out 🌚

  • May 11, 2018 at 2:42 am

    What if a middle man were middle-manned by another middle man?

  • May 13, 2018 at 3:05 am

    "Do maths to them"

  • June 3, 2018 at 1:26 am

    So simply the company who provides that security authority, or whatever it's called, is the man in the middle. #YIKES

  • June 4, 2018 at 4:33 pm

    That sound the marker makes on that sheet of paper gets my hairs on end !!!! Darn !!!

  • June 19, 2018 at 4:06 pm

    But this threat is the case only in open Wi-Fi network, isn't it? When I'm at home and I'm connecting my own private, secured by password Wi-Fi connection nothing bad can happen, can it?

  • June 19, 2018 at 4:12 pm

    Are Lenovo and Superfish the same thing?

  • June 20, 2018 at 8:43 pm

    I actually heard about this in 2016. Why am I watching this?

    Also, this is why I won't ever buy a Lenovo laptop, call me paranoid…

  • June 25, 2018 at 10:42 pm

    Just watched this with my Lenovo laptop sitting next to me.. Which I bought in 2014… Luckily now running Linux but still, that's insane

  • July 4, 2018 at 11:10 pm

    Just goes to show… never underestimate the utterly desperate things greedy people will do to make a quick and easy buck.
    Also, would this affect just their laptops, or their phones and tablets as well? I've got a Yoga Tab sitting around here somewhere, largely unused, but might as well secure it…

  • July 13, 2018 at 8:55 am

    What happens to devices that are too old, and didn't come with the public keys for the certificate authorities?

  • August 3, 2018 at 5:28 pm

    I've noticed some ISPs add adverts to traffic also, is that different than the Lenovo superfish malware nightmare? How secure are firewall caches?

  • August 9, 2018 at 4:34 am

    Whoever made the thumbnail is a digital art Leonardo Da Vinci

  • August 10, 2018 at 12:55 pm

    2:25 this needs to be a meme or a gif

  • August 24, 2018 at 5:40 am

    DuckDuckGo lol Someone's hiding something 😉

  • August 27, 2018 at 1:27 pm

    Superfish wasn't just on computers, at one stage it was also on websites.

  • August 28, 2018 at 7:21 pm

    I’m starting with the man in the middle, I’m asking him to stop stealing my passwords!

  • August 28, 2018 at 9:35 pm

    Can someone explain the Xmas Tree attack? Which is related with the port scan and router bugging?

  • September 3, 2018 at 2:27 pm

    Let's encrypt is free

  • September 20, 2018 at 2:12 am

    6:17
    Email,
    Password,
    Shoe size
    I wonder what are they trying to know ( ͡° ͜ʖ ͡°)

  • September 21, 2018 at 9:16 am

    Please buy more Lenovo and cheap stuff. Please

  • September 27, 2018 at 12:35 am

    Public and Private Key Encryption….. Because…maths.

  • October 2, 2018 at 6:06 pm

    It's the two drums and a cymbal fall off a cliff guy

  • October 4, 2018 at 4:18 pm

    This man talking to the points, Thanks a lot man.

  • October 15, 2018 at 9:27 pm

    Isn’t it great that we can all get free SSL certificates.

  • October 19, 2018 at 12:50 am

    SuperFish is SuperFishy

  • November 9, 2018 at 6:04 pm

    MORE TOM SCOTT PLS

  • November 14, 2018 at 2:11 am

    Great video, not only the step by step explanation but really appreciate how "little" emphasis you showed to the particular incident. This a HUGE issue overall and applies far more than just Superfish installed on a single machine, not just because xyz company wants to see what you are doing. But because someone ELSE can use it for FAR more malicious purposes.

  • November 17, 2018 at 4:29 pm

    I'm a little bit scared to say, I've heard something about a TPM backdoor built in? Sorry for caps, also mem leak with CPU can be read?

  • November 18, 2018 at 9:29 am

    6:17 who else noticed the joke?

  • November 30, 2018 at 4:53 am

    0:59 "Basically the network is built on trust. And so the computers just kind of believe it."
    Hm . . .
    WELL THAT'S GREAT!!

  • December 3, 2018 at 11:28 pm

    Isn't that what happened to Github when they got DDOSed?

  • December 4, 2018 at 1:13 am

    the rooter and me: a guide to wiredriving in Britain

  • December 10, 2018 at 11:21 pm

    Shoe size …. lol …. I know little things amuse little minds ….

  • December 21, 2018 at 9:17 pm

    I like how Computerphile promotes Duckduckgo implicitly.

  • December 23, 2018 at 12:11 am

    What if you could reverse engineer a private key? That would be absolutely disastrous.

  • December 26, 2018 at 2:40 am

    Ssl for free gives you free ssl certificates that last for 3 months

  • January 1, 2019 at 9:59 pm

    I am fascinated by the 'IBM' paper with the holes which you guys use. Not the American 11 by 17 or whatever, of course

  • January 7, 2019 at 2:04 pm

    "then they do maths to them"

  • January 11, 2019 at 1:31 pm

    Tom in the Middle hahah

  • January 12, 2019 at 4:08 am

    This channel is pure class. Thanks.

  • January 22, 2019 at 4:32 pm

    Wow that was explained so well, and the story was super interesting
    Like+Subscribe
    Get us more videos like this 🙂

  • January 23, 2019 at 6:33 am

    It's cool looking back at this video and seeing him comment on a free certificate authority being in the works and today… We have that with Let's Encrypt!

  • January 27, 2019 at 3:56 am

    Hello! I am the router!

  • January 27, 2019 at 8:40 pm

    Why is the server British? 3:20

  • January 28, 2019 at 9:40 am

    out of luck

  • January 31, 2019 at 2:45 am

    2:10 Jean Ralphio

  • January 31, 2019 at 2:46 pm

    I don't quite understand, the whole point of signing a message with a key is so that you know that that person has to be the one who sent it right? Or at least someone who has that private key. You check with their public key if they used their private key without actually having their private key. Why do you need an authority for that? You can just have a library of public keys, right? That library can be widely distributed to ensure the validity of the library. I don't see the problem here.

  • February 6, 2019 at 8:39 am

    Great explanation to a complex topic. Thanks.

  • February 17, 2019 at 8:39 pm

    Wasn't one of the Snowden leaks that NSA does and can spoof certificate authority for SSL?

  • February 19, 2019 at 2:40 am

    There was so much potential at 4:46 to fix the drawing by attaching a circle to the end of the factory and making it look like a giant key.

  • March 2, 2019 at 12:45 am

    "rooter"

  • March 4, 2019 at 3:02 am

    I feel like this was just a casual computer nerd conversation that they just decided to film.

  • March 4, 2019 at 6:49 am

    What's a rooter?

  • March 5, 2019 at 7:44 pm

    Look into the makers of 'Superfish'. "Former" IDF intelligence corps programmer. This looks like an Intel OP under guise of "targeted advertising" to me. Targeted ads were the required "plausible deniability." Also superfish company komodia doubled as a "parental monitoring/parental control" company. I'm getting ready to do a video on it. There are connections to Intel contractors etc. Think about how superfish may be combined with other seemingly local vulnerabilities to remotely root servers. Anyhow I don't buy the targeted advertising part. Just part of a coverup for what I like to call incremental backdoors.

  • March 14, 2019 at 4:49 pm

    I was a support person for NSA while in Turkey, and I believe NSA is ok. NSA does current collecting and only looks at suspect addys.

  • March 20, 2019 at 7:01 pm

    You know what's also rather strange? Google not noticing a massive amount of multi-user traffic coming from a single attacker ip … usually there is fair usage policy where this kind of activity (an entire DNS provider had to fall as well I presume) from a single/small amount of ip address should definitely raise a flag

  • March 27, 2019 at 1:04 pm

    Chernobble?

  • March 29, 2019 at 11:18 pm

    Hey. Pst. Dell Blackfish.

  • April 3, 2019 at 7:35 am

    yeet let's encrypt is here

  • April 6, 2019 at 3:58 pm

    Tom's face when he asks 'how do I draw a certificate authority?'

  • April 15, 2019 at 11:48 am

    I'm gonna arp your rooter if you say router like rooter one more time!

  • May 11, 2019 at 11:28 pm

    The NSA does have the ability to these, but I on record they don't because of legal reasons

  • May 19, 2019 at 10:02 am

    6:27 slow it down to 0.25x speed thank me later

  • June 7, 2019 at 11:55 pm

    @4:25 Why are you sending your private key to this padlock factory?

  • July 1, 2019 at 1:31 am

    Why do the producers of these videos insist on randomly zooming in and out, particularly doing a close-up of the speaker's face? It's amateurish and off-putting and serves no purpose.
    Along with the obligatory out-takes at the end, that stuff was stale 15 years ago.

  • July 15, 2019 at 1:48 pm

    Worst part of the story, is that Lenovo is nothing but a branding of… IBM !!! 🙁

  • July 18, 2019 at 11:44 am

    I don't know man, in an attempt to simplify things the teacher skips out on a lot of details. That's a bummer, Oh well

  • July 25, 2019 at 11:49 am

    Ahh, so that's why the red "Insecure connection" screen pops up when I'm running a local server and I go to a domain which points to localhost.

  • August 16, 2019 at 2:48 am

    I would think that both of the two vulnerabilities (the CA and device) could potentially be resolved by a sort of an 'odd man out' protocol that would periodically ask all of your CAs for a list of the CAs that they trust, and if only very few or none of them trust a CA you have, that CA is removed.

  • August 17, 2019 at 8:49 pm

    sounds like capitalism to me… just doing what it does best!

  • August 17, 2019 at 8:57 pm

    superfish was worth 40M so I guess what he did actually pay off?!?!

  • August 21, 2019 at 12:50 pm

    Tip of the iceberg, really. Intel TM, it's what's inside that counts 😉
