11 comments

[ 4.8 ms ] story [ 33.9 ms ] thread
what an awful title
Awfultitle or Stupidtitle?
I made up the title and I still had to laugh!

In all seriousness, how stupid could Lenovo really be?

I take it back. Lenovo could be even more stupid. Did you see the comments by their CTO about how their problems are just "theoretical"?
Awful title, but the first article I've found (and I tried googling) that actually summarizes what the heck is going on from the ground up. Thanks for posting.
I write a technology business article a day; darn near impossible to come up with good titles daily. Still, I'd rather have a good title, then an awful title, and only last a boring title.
I don't like how he says the key was "cracked."

The key was sitting there in the binary in plaintext. Any college student with a few years of Unix tools under his belt could have done it in an hour.

That's how horrible this tool was. Anyone who noticed this months ago could have been using this key to MITM people.

Sure, but even though it was easy it still required "cracking". In the beginning the secret was not know but in the end the 'adversary' was able to determine the secret. In my mind "cracking" a password or a code refers to uncovering the secret which is exactly what was done in this case. If the password would have been brute forced over a couple of days you would probably call it cracking. The same principle should apply even if you guess the password to be "password" in the first try.
I'm pretty sure if you had sensitive documents sitting on your desktop while your laptop was at a cafe and I moved your mouse to turn off the screen saver and opened the document, a good prosecution could spin that as "Cracking".

It's a buzz word for sure, but unfortunately our industry is full of them

> Any college student with a few years of Unix tools under his belt

I was doing stuff like this when 15 using just Windows notepad and knowing jack squat about Linux. Seriously, anyone at any age who knows anything about (non-web) programming would find it by just opening an .exe in said notepad. That's how horrible this tool was.

And I don't believe that no one noticed it and that it wasn't exploited already. It's just too easy to find.