Superfish superinsecure!
February 19, 2015 7:05 AM Subscribe

It's been revealed that Lenovo preinstalls "Superfish", a piece of malware which -- among other things -- opens a monstrous security hole. This affects most Lenovo computers sold in the last two years.

Coverage from Techcrunch, Engadget, ZDNet, TripWire, and the BBC.

posted by Chocolate Pickle (174 comments total) 51 users marked this as a favorite

Ugh. I really wish commercial advertisement wasn't so lucrative. I am not entirely sure all the blame lays with Lenovo.

I also wish it was feasible to build your own laptop.
posted by royalsong at 7:18 AM on February 19, 2015

I am not entirely sure all the blame lays with Lenovo.

I can see no way to not blame Lenovo entirely and fully. They are the ones who decided to do this.
posted by five fresh fish at 7:21 AM on February 19, 2015 [36 favorites]

Well, this is an interesting juxtaposition with the revelation of the Equation Group earlier this week.
posted by NoxAeternum at 7:21 AM on February 19, 2015 [1 favorite]

Marc Rogers:

1.Superfish replaces legitimate site certificates with its own in order to compromise the connections so it can install its adverts. This means that anyone affected by this adware cannot trust any secure connections they make.
2.Users will not be notified if the legitimate site’s certificate has been tampered with, has expired or is bogus. In fact they now have to rely on Superfish to perform that check for them. Which it does not appear to do.
3.Because Superfish uses the same certificate for every site it would be easy for another hostile actor to leverage this and further compromise the user’s connections.
4.Superfish uses a deprecated SHA1 certificate. SHA1 has been replaced by SHA-256 because attacks against SHA1 are now feasible with ordinary computing hardware. This is insult on top of injury. Not only are they compromising peoples SSL connections but they are doing it in the most cavalier, insecure way possible.
5.Even worse, they use crackable 1024-bit RSA!
6.The user has to trust that this software which has compromised their secure connections is not tampering with the content, or stealing sensitive data such as usernames and passwords.
7.If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers banking sites, personal data and private messages.

posted by Chocolate Pickle at 7:22 AM on February 19, 2015 [25 favorites]

The technical details of this are appalling. Lenovo computers are preloaded with software that deliberately hijacks secure connections - a locally-preinstalled Man In The Middle attack, hooray for everything - but that's somehow not the worst of it.

Lenovo's removal instructions turn off the proxy, but don't disable the offending unrestricted Root Certificate, and on top of that, the MITM software service comes with the private key for that cert embedded into it, which has already been extracted and put on pastebin somewhere.

The upshot of this is that anyone can use that information to transparently MITM any connection from any affected Lenovo machine even if the software has been uninstalled. And somehow that's not the worst part either.

Even worse than that is the fact that anyone can use that information to certify that malicious executables come from anyone they want, up to and including Lenovo or Microsoft.

From a networks security perspective, this is Last-Testament End-Times sort of worst-case scenario.

I am not entirely sure all the blame lays with Lenovo.

There is no way, none, that 100% of the blame for this does not lie with Lenovo.
posted by mhoye at 7:24 AM on February 19, 2015 [81 favorites]

royalsong - you may be interested in this https://www.crowdsupply.com/kosagi/novena-open-laptop
posted by The Vice Admiral of the Narrow Seas at 7:25 AM on February 19, 2015 [3 favorites]

For the first time in my life, I find myself eagerly awaiting the inevitable blizzard of lawsuits.
posted by Slothrup at 7:26 AM on February 19, 2015 [6 favorites]

Don't miss this choice link from the Forbes article. This is some serious amateur hour shit.
posted by trunk muffins at 7:27 AM on February 19, 2015 [3 favorites]

Well, this is an interesting juxtaposition with the revelation of the Equation Group earlier this week.

On Monday we learned this NSA "Equation Group" has 0wned everything for 14 years. On Wednesday, Lenovo announced a consumer version of everything getting 0wned! Isn't Moore's Law amazing?
posted by mhoye at 7:29 AM on February 19, 2015 [5 favorites]

I also wish it was feasible to build your own laptop.

It is possible to wipe the hdd and image yourself, but that's not something a typical user can do terribly easily.
posted by bonehead at 7:31 AM on February 19, 2015 [1 favorite]

~~Another good breakdown here.~~
nm, missed it in the post
posted by quinndexter at 7:33 AM on February 19, 2015

I had to remove both this and some third-party start menu (not immediately obviously harmful but I don't want that shit) from my Lenovo gaming laptop last year. Wasn't too painful, but yeah I was fucking pissed they were there to begin with.

The thing is I haven't found any other maker of economical but still decent performing gaming laptops. This might be the last straw though. Next time it'll have to be somebody else. And my next non-gaming laptop is going to not have a nub. (Honestly they've already fucked with the Thinkpad line too much.)
posted by kmz at 7:33 AM on February 19, 2015

It is possible to wipe the hdd and image yourself

You're still trusting Lenovo not to have "added value" to the UEFI.
posted by reprise the theme song and roll the credits at 7:33 AM on February 19, 2015 [28 favorites]

I also wish it was feasible to build your own laptop.

You can buy a laptop chassis that just includes the CPU, motherboard, screen and GPU. In some cases you can even buy chassis with MXM slots for dGPUs. You then add in memory, SSD and OS and you're good to go. But it costs actual money because you're probably going to want to use decent parts for a nice laptop.

This is your race to the bottom. When a quad core laptop gets sold on a Fry's special page for $258 something's gotta give and it sure as hell isn't going to be corporate profits. Look at Microsoft with their Signature Edition crap. The headline feature is a PC without all the shit that idiot OEMs install for the extra $$$ per install.

This is what computing has come to. The most powerful machines ever made and they're pretty much used to try and dupe the poor saps with every piece of junkware and crapware that they can.
posted by Talez at 7:38 AM on February 19, 2015 [18 favorites]

I just checked my Lenovo laptop for Superfish at this site and it says it's ok.
posted by rocket88 at 7:39 AM on February 19, 2015 [4 favorites]

I just read about this over at Ars Technica. What an utter frack-up on Lenovo's part. Does no one vet the added software?
posted by Thorzdad at 7:39 AM on February 19, 2015

I had to remove both this and some third-party start menu (not immediately obviously harmful but I don't want that shit) from my Lenovo gaming laptop last year. Wasn't too painful, but yeah I was fucking pissed they were there to begin with.

You should take a second look in your certificate stores. Uninstalling the Superfish software does not remove the certificate that leaves your machine vulnerable.
posted by ymgve at 7:40 AM on February 19, 2015 [2 favorites]

Man, if only there were an operating system that didn't have this spyware shit preinstalled.
posted by Geckwoistmeinauto at 7:40 AM on February 19, 2015 [12 favorites]

I just checked my Lenovo laptop for Superfish at this site and it says it's ok.

This is pretty much the worst thing to be "testing" on some random website.
posted by Sys Rq at 7:42 AM on February 19, 2015 [7 favorites]

The truly terrifying thing about all these recently disclosures about the NSA, hackable cars, and now this Lenovo thing and god-knows-what-else-I-can't-remember-because-my-mind-is-blocking-it-out is this: Basically, Slashdot has been right all along.
If you need me, I'll be in a dark faraday cage with a bowl of grits.
posted by entropicamericana at 7:42 AM on February 19, 2015 [11 favorites]

Man, if only there were an operating system that didn't have this spyware shit preinstalled.

If Lenovo had preinstalled Linux, they could have pulled the same stunt. And then there's the bits of hardware that are virtually impossible for you to affect: UEFI, microcode in the CPU, the entire RF subsystem in your phone...
posted by Slothrup at 7:43 AM on February 19, 2015 [12 favorites]

Microsoft should make it easy for end users to wipe the pre-loaded Windows and start from scratch using a Microsoft-supplied ISO combined with the installation key provided with the machine. Unfortunately, they do the exact opposite because when you buy a Windows machine, the bloatware/spyware/malware actually subsidizes the price. Hopefully this incident will spur some change but I doubt it.
posted by Poldo at 7:43 AM on February 19, 2015 [3 favorites]

I also wish it was feasible to build your own laptop.

I don't know much about it (other than that bunnie is involved), but there's the Novena open laptop.
posted by exogenous at 7:44 AM on February 19, 2015 [3 favorites]

Ars Technica coverage.
posted by Chocolate Pickle at 7:50 AM on February 19, 2015 [3 favorites]

This is very sad news for me. I have been using Thinkpads since they came out. I like them because I like the trackpoint (and hate touch pads), and because I can drop them, which I inadvertently do from time to time, with a high probability of survivability. But if they are coming preloaded with malware, how can I continue to use them? Especially in light of Lenovo's official corporate reaction, which seems to be doing the minimum they can do to pretend to address the problem, while continuing, publicly, to support the software and its pre-installation. I hope that continued pressure from customers will show them the error of their thinking.
posted by ubiquity at 7:52 AM on February 19, 2015 [3 favorites]

If Lenovo had preinstalled Linux, they could have pulled the same stunt.

True, but it is significantly simpler to re-install a clean Linux image than a (legal) Windows one, unless you pay for a new retail copy of Windows.

And then there's the bits of hardware that are virtually impossible for you to affect: UEFI, microcode in the CPU, the entire RF subsystem in your phone...

There are people are working towards freeing these things. If you don't mind the dated hardware, you can get a pretty good mostly-Free (as in speech) laptop here.
posted by Poldo at 7:54 AM on February 19, 2015 [4 favorites]

This is officially a "pardon me, please hold still while your assets are seized, buildings burnt to the ground, and executives who had any idea this was happening blinded and sent into the desert" kind of moment.

Quite seriously, this should end the company as a viable entity. What business should ever buy anything again from a manufacturer willing to do this kind of shit to its customers?
posted by delfin at 7:55 AM on February 19, 2015 [15 favorites]

A correction: it seems that they only installed Superfish between October and December of 2014, not for two years as I said.
posted by Chocolate Pickle at 7:59 AM on February 19, 2015

This is officially a "pardon me, please hold still while your assets are seized, buildings burnt to the ground, and executives who had any idea this was happening blinded and sent into the desert" kind of moment.

A correction: it seems that they only installed Superfish between October and December of 2014, not for two years as I said.

Unblind the executives.
posted by fairmettle at 8:02 AM on February 19, 2015 [2 favorites]

Barbarians at the Gates? This is barbarians building the gates, and then giving copies of the keys to all the other barbarians.
posted by ubiquity at 8:03 AM on February 19, 2015 [6 favorites]

>this should end the company as a viable entity.

That would be nice. I remember thinking the same thing when the news broke that Jack-In-The-Box was selling deadly contaminated shitburgers, and then being mildly astonished the next day to find that the Jack-In-The-Box near my apartment had a line out the door and no free tables. Call me a cynic, but I will not be holding my breath while waiting for Lenovo's business to collapse.
posted by Sing Or Swim at 8:04 AM on February 19, 2015 [4 favorites]

Call me a cynic, but I will not be holding my breath while waiting for Lenovo's business to collapse.

Yeah, and poison burgers are something that the public actually understands.

One thing that all the computer security news over the past decade has convinced me of is that the vast majority of people neither know nor care about it.

Add me to the Debbie Downer chorus.
posted by Noisy Pink Bubbles at 8:09 AM on February 19, 2015 [2 favorites]

Another brand gets added to my "Never again" list. I encountered similar problems when a former employer decided to save a few cents per desktop and go with HP instead of the Dell systems I recommended. Good manufacturers will provide clean installs of your OS of choice, whereas bad manufacturers will make you jump through hoops auditing all the crapware they bundle along with their equipment.

Caveat Emptor.
posted by endotoxin at 8:10 AM on February 19, 2015 [1 favorite]

Sadly, I agree that "should" and "will" have very different definitions.
posted by delfin at 8:10 AM on February 19, 2015

Yeah, remember how Sony collapsed after the rootkit thing? I wonder whatever happened to that company.
posted by kmz at 8:11 AM on February 19, 2015 [14 favorites]

Yeah, remember how Sony collapsed after the rootkit thing? I wonder whatever happened to that company.

You mean the one with the great corporate security?
posted by Noisy Pink Bubbles at 8:16 AM on February 19, 2015 [2 favorites]

Robert Graham extracted and cracked the password of the superfish certificate
posted by beukeboom at 8:29 AM on February 19, 2015 [12 favorites]

Yea, I'm a Lenovo fanboi and own multiple devices of theirs. The older stuff is just amazing and some of the newer stuff is pretty nice as well.

That said, this is a fucked up move on their part. Doesn't impact me much since I tend to do a system wipe and reinstall without all the crapware and 'utilities' any prebuilt machine comes loaded with these days but still, this remains a huge mistake on their end. It's a shame.

I'm much less inclined to send my non-techie relatives and friends to Lenovo if this is the sort of shady shit they're inclined to pull.
posted by RolandOfEld at 8:30 AM on February 19, 2015 [2 favorites]

Been watching this blow up over the last day or two. Lenovo reps are going to have fun explaining their company's stance to a lot of corporate buyers over the next week or two I suspect.

Sadly nothing will really change - everything is terrible & most people don't care enough to make it better.
posted by pharm at 8:31 AM on February 19, 2015 [2 favorites]

Yeah, remember how Sony collapsed after the rootkit thing? I wonder whatever happened to that company.

They've basically stopped being an electronics company. They make most of their money selling insurance policies in Japan.
posted by dirigibleman at 8:36 AM on February 19, 2015 [6 favorites]

They've basically stopped being an electronics company. They make most of their money selling insurance policies in Japan.

Ah, the GE model.
posted by NoxAeternum at 8:43 AM on February 19, 2015 [6 favorites]

They've basically stopped being an electronics company.

I would think that's a more long-term, systemic corporate issue -- not something that was really related to their computer security problems.
posted by Noisy Pink Bubbles at 8:46 AM on February 19, 2015

And I was just warming to Lenovo again after they brought back the old TrackPoint buttons.
posted by Iridic at 8:48 AM on February 19, 2015

Lenovo statement.

They still don’t appear to understand that they’ve added a public key to the user’s keystore that lets anyone MITM every site on the internet. The corresponding private key is publically available (it’s been extracted from the binary) and anyone can use it to impersonate any website they like.

It’s an astonishing "fuck you" to Lenovo’s customers & they don’t even seem to appreciate the enormity of what they’ve done.
posted by pharm at 8:48 AM on February 19, 2015 [18 favorites]

It might be unclear to people just skimming, so just to reiterate: all affected lenovo laptops have a rogue root CA cert, with private keys in the wild, and lenovo's removal instructions don't fix it. All SSL connections on these machines are compromised (and not in a theoretical way, but in a trivial to exploit way).
posted by ryanrs at 8:50 AM on February 19, 2015 [11 favorites]

Pre-installed crapwar with vulnerabilities is an ongoing nightmare for the Windows and Android ecosystems.
posted by humanfont at 8:50 AM on February 19, 2015 [1 favorite]

I honestly don't understand how a company like Lenovo could decide this is a good idea. I mean sure, some biz-dev asshole realizes they can make 30 pieces of silver per customer installing this bullshit. But there's technical people at Lenovo too, engineers who understand the risks not only of installing adware in general but specifically this SSL MITM attack. Those engineers had to actually implement the bundle with the malware, didn't they say anything?

Part of me wonders if this bullshit happened in part because of Lenovo being a Chinese company. There's certainly adware coming from US companies too but there's been a bit more caution in deploying it. From my understanding the Chinese Internet is awash in adware, and of course Internet security is generally compromised in China. Maybe this subversion doesn't seem so shocking to the Chinese engineers building the Lenovo system images?
posted by Nelson at 8:51 AM on February 19, 2015 [4 favorites]

great thread. I bought a Lenovo laptop in August (which means I might have missed Superfish, yay). As mentioned upthread, they installed a 3rd party "start menu" replacement (Pokki) which does ease the pain of moving to Win 8, but some consider it malware (it slips in some paid links) and it's a bugger to remove.

Geez, the Metro part itself is bloatware as far as I'm concerned. It came loaded with apps I don't care to use, as well as ads ads ads.
posted by Artful Codger at 8:51 AM on February 19, 2015 [1 favorite]

hi5 pharm
posted by ryanrs at 8:51 AM on February 19, 2015 [1 favorite]

Any knowledge as to whether or not PC Decrapifier removes this?
posted by plinth at 9:01 AM on February 19, 2015

if you are not following the delightful and informative Infosec Taylor Swift, well, get on that.
posted by kagredon at 9:02 AM on February 19, 2015 [14 favorites]

I don't know much about it (other than that bunnie is involved), but there's the Novena open laptop.

I have one (well, I got the board-only option). It's a really neat piece of hardware, although not, probably, a drop-in replacement for most people's everyday laptop use case.

I think we're going to get to a point before long where it's relatively trivial to assemble a decent laptop-like device. There's a lot of really capable, tiny form-factor hardware emerging these days. A high end smartphone is probably more capable than all but one or two of the laptops I've ever owned.

On the downside, it doesn't seem like we're going to have much reason to think we can trust most of the hardware...
posted by brennen at 9:04 AM on February 19, 2015 [1 favorite]

Here's another copy of the decrypted Superfish certificate. This is all an attacker needs to greatly subvert the security of every Lenovo laptop sold with SuperFish on it.

It appears the Lenovo malware was built with the Komodia Ad injection SDK. Komodia's business appears to be selling malware toolkits; the CEO is Barak Weichselbaum.

Lenovo's statement is breathtakingly irresponsible and inaccurate. I suspect they've just created a lot of extra liability for themselves asserting they "do not find any evidence to substantiate security concerns".
posted by Nelson at 9:19 AM on February 19, 2015 [4 favorites]

I don't place 100% of the blame on Lenovo because it's a third party software that is trying to capitalize on the advertising market. I'm not saying Lenovo is blameless, they're not. Either someone said they didn't care or someone didn't do enough research on the software they were installing. But that software was made by someone, and thus some of the blame lands there.

I just worry that this opens up a can of worms and gives more companies ideas to do this kind of thing.. marketed as "safe and private and not like those Lenovo guys."
posted by royalsong at 9:24 AM on February 19, 2015

Seems like a great way to facilitate industrial espionage. I wonder if this might spur a more decentralized PC market, can't trust US vendors, can't trust Chinese vendors...
posted by ethansr at 9:27 AM on February 19, 2015 [1 favorite]

The bad part of this is that uninstalling their software leaves the bad certificate in place, meaning the laptop could still be tricked with a man-in-the-middle attack to compromise the user's data.
posted by nickggully at 9:29 AM on February 19, 2015 [1 favorite]

> "Those engineers had to actually implement the bundle with the malware, didn't they say anything?"

Do you -want- to be looking for a job in this economy? Engineers are like slaves; they don't get a say. Do what you're told, or get replaced.
posted by I-Write-Essays at 9:31 AM on February 19, 2015

As the esteemed Infosec Taylor Swift said, this totally goes against professional ethics. However, I assume this was some suit decision and all they saw was the dollar signs in their eyes. "Ethics, schmethics, I have to make my numbers."
posted by fifteen schnitzengruben is my limit at 9:35 AM on February 19, 2015

There's something darkly comic about easy this Superfish bollocks would make it to spearphish. Or maybe that was the plan all along? After all, signing your cert with your company name hardly screams "subtlety."
posted by fifthrider at 9:35 AM on February 19, 2015

Seems like a great way to facilitate industrial espionage.

I don't have proof but I often feel that historically, M$ has deliberately turned a blind eye to the designed-in insecurity of Windows, because it is the rotting meat upon which a 3rd party security industry can grow and prosper. I think that for advertising malware they have a similar "meh" attitude, especially when their Windows licencees are installing Windows onto PCs on their behalf.
posted by Artful Codger at 9:39 AM on February 19, 2015 [2 favorites]

Oh how I wish for a world where Richard Stallman is dismissed as a paranoid lunatic, instead of this world where he's dismissed as a paranoid lunatic despite being proven right in new and terrifying ways every single week.
posted by [expletive deleted] at 9:50 AM on February 19, 2015 [39 favorites]

I'm guessing some Lenovo employees use laptops from this era. I'm guessed we may well see an illustration, to Lenovo directly, of the security risks.
posted by Bovine Love at 9:52 AM on February 19, 2015 [10 favorites]

Ugh. I really wish commercial advertisement wasn't so lucrative. I am not entirely sure all the blame lays with Lenovo.

Sure, and don't blame jewelry thieves because, you know, jewelry is so damn valuable. And that car thief? Well, it was an awfully nice car.
posted by Bovine Love at 9:54 AM on February 19, 2015 [5 favorites]

1) Would several governments please expand criminal negligence to the computer space, so that more then lawsuits are thrown at these people? I'm sure if car companies tried a bunch of this stuff, they'd wind up in jail.

2) Does anyone else make laptops that sturdy? I am clumsy at times, and have dropped my 4-year old ThinkPad a bunch of times without damage, and most other laptops don't bounce like that.
posted by Canageek at 9:54 AM on February 19, 2015

Forbes has an article on the history of Superfish; the company dates back to 2006 and its Window Shopper product was pegged as malware at least as far back as 2010. The CEO is Adi Pinhas. The company made $38M last year.
posted by Nelson at 10:02 AM on February 19, 2015 [1 favorite]

Man, this is pretty astonishing. I buy Lenovos for the build quality, and the first thing I do is wipe the hdd and install linux. I figure that all laptops come with reams of crapware installed, and although for that the few seconds I see what Lenovo provides, I'm pretty apalled, it's never affected me.

But this is just nuts. Like others here I'm wondering, what's the best replacement for a Lenovo laptop in terms of build quality?
posted by Alex404 at 10:09 AM on February 19, 2015 [2 favorites]

What's crazy is that this isn't some unintentional consequence - to MITM all traffic for the purpose of serving ads takes a lot of planning & work. It's such a stunningly bad idea that it boggles the mind. I generally liked Lenovo but I hope this permanently damages their reputation & sales. It's like some sort of supervillian bullshit where they have to kill millions of people to save a handful or something.
posted by GuyZero at 10:19 AM on February 19, 2015 [1 favorite]

I don't have proof but I often feel that historically, M$ has deliberately turned a blind eye to the designed-in insecurity of Windows, because it is the rotting meat upon which a 3rd party security industry can grow and prosper.

Your premise makes no sense. Why would Microsoft want to enable other companies to make money at the cost of their own reputation and stability?

If you want to educate yourself, look up DEP, the re-engineering of IIS for security, EMET, heap isolation, delay free... Microsoft is far from faultless in their security blunders but they've done an excellent job of turning themselves around and putting a focus on defense innovation.

Or start here.
posted by Candleman at 10:20 AM on February 19, 2015 [7 favorites]

Ugh. I really wish commercial advertisement wasn't so lucrative. I am not entirely sure all the blame lays with Lenovo.

Having worked in online ads, sure, it's lucrative, but it's really not THAT lucrative. Not competely-disable-all-web-security lucrative.

Although to these ad-based bloatware companies the move to HTTPS is an existential threat. That said, sometimes you have to ask whether your product is actually worth making. Hopefully this will kill this terrible product once and for all.

And yes, I say this as someone who think online ads have a legitimate place in the world. Just not Superfish.
posted by GuyZero at 10:22 AM on February 19, 2015

the pi-top provides a laptop-like enclosure for a raspberry pi or similar. Projects like this are a good way to reuse old laptop screens, you can buy driver boards for those on ebay. The nice thing is that these computers are becoming more and more powerful each year, so your laptop can keep leveling up.

That option works well for people who won't be badly affected by Superfish anyway because they know how to do a clean backup and full re-install, how to wipe root certs, etc. (this is not to say it is a bad option, I encourage folks in that position to vote with their dollars and stop buying Lenovo), but there's going to be a ton of people who can't or won't do that, and I'm not sure what consumer-ready M$ laptop to recommend to them. Seems there's a space for some company to fill the niche and say "We will not ship products with bloatware, because we respect our customers," but I don't know if anyone will.
posted by kagredon at 10:23 AM on February 19, 2015

To paraphrase Eric Turkewitz via Popehat, "Outsource your malware, outsource your ethics and your reputation."
posted by rhizome at 10:23 AM on February 19, 2015 [1 favorite]

I bought my last...four?...five? laptops from Lenovo. Nothing recently enough to be affected by this, but it looks like I'm done with them. What's a decent laptop for someone who isn't planning to wipe it and install Linux, or build their own from scratch?
posted by echo target at 10:23 AM on February 19, 2015 [2 favorites]

Sure, and don't blame jewelry thieves because, you know, jewelry is so damn valuable. And that car thief? Well, it was an awfully nice car.

I'm not sure how thieves are involved.

Blame Lenovo.
Also blame Superfish. Hold the third party accountable
And more overarching I want to place blame on whatever parts of our society and economy that makes advertising profitable to the point that this kind of thing happens in the first place.

Unless you're saying that Superfish isn't to blame because they're just capitalizing on the advertisement atmosphere of the web. To which I respectfully disagree that advertisement is as useful as jewelry or cars.
posted by royalsong at 10:25 AM on February 19, 2015

I think what they're saying is that plenty of companies seem to be doing just fine in the current climate around web advertising without critically compromising the security of their customers' personal information, and so that blame should rest squarely on Superfish and Lenovo.
posted by kagredon at 10:29 AM on February 19, 2015 [2 favorites]

True, but it is significantly simpler to re-install a clean Linux image than a (legal) Windows one, unless you pay for a new retail copy of Windows.True, but it is significantly simpler to re-install a clean Linux image than a (legal) Windows one, unless you pay for a new retail copy of Windows.

It's not especially difficult to download and install a fully legitimate vanilla copy of Windows nowadays, and thanks to the product key being embedded in the BIOS. So that makes things quite a bit easier for getting a hopefully legitimate image of Windows from scratch (although of course it's still possible for the firmware to be doing something unpleasant below the OS).
posted by ambrosen at 10:29 AM on February 19, 2015 [4 favorites]

Ugh. I really wish commercial advertisement wasn't so lucrative.

The Internet's focus on ad-driven business models is completely driven by the much more mature advertising industry. You have salespeople in a profession with generations, human generations, of expertise influencing companies and websites that the best money derives from forcing the people to look at product and brand imagery, both from the inside and the outside.

Advertising goes where the people are, and if there isn't as much advertising there as the advertising industry thinks is possible (which always equals "more"), they train the sales howitzers on the things the people are spending their time with. It's a broad-based, industry-wide, capitalist attack on a medium.
posted by rhizome at 10:31 AM on February 19, 2015 [2 favorites]

One of the most ironic facets in all this is that the Free Software Foundation recommends older Thinkpads (the X60 and the X200 in particular) because the BIOS has been fully reverse-engineered for Libreboot. Richard Stallman actually uses a Lenovo laptop.

Not too long ago, I was reading a thread on reddit about Stallman's fight with the Emacs maintainer to keep LLVM out. People were questioning his sanity based on his using an ancient Thinkpad to keep his computing as free of proprietary drivers, BIOS and firmware as possible. Then literally a week later the Equation Group shit comes out.

Now this shit from Lenovo makes me wonder if he isn't being paranoid enough. If they let this shit go, who's to know the Libreboot BIOS isn't being totally compromised by some microcode buried somewhere? At the very least, the HDD or flash controller he uses may already be compromised and the NSA might have total access to even RMS's laptop. It seems no matter how paranoid you are these days, you can never be paranoid enough.
posted by [expletive deleted] at 10:44 AM on February 19, 2015 [15 favorites]

Unless you're saying that Superfish isn't to blame because they're just capitalizing on the advertisement atmosphere of the web. To which I respectfully disagree that advertisement is as useful as jewelry or cars.

But the consumer didn't buy anything from Superfish, they bought it from Lenovo, and Lenovo sold them out. That was entirely Lenovo's decision. They trusted Lenovo, not Superfish. Now, you might argue that Lenovo didn't know or some such, but Lenovo is certainly plenty big enough, and with enough lawyers and engineers to be responsible (morally and legally) for its deals and actions. And, even after being shown what is wrong, insists there isn't really a problem,so they won't be able to argue they were mislead, as they have been clearly shown the reality and deny the problem.
posted by Bovine Love at 10:46 AM on February 19, 2015 [2 favorites]

What's the old saw, the only secure computer is one you keep in a locked room 30 feet underground and never, ever turn on?

In any case, if you have a Lenovo laptop, you may wish to go here: https://canibesuperphished.com/. If there are no warnings, you have the Superfish certificate installed and are vulnerable to MITM attacks.
posted by fifteen schnitzengruben is my limit at 10:49 AM on February 19, 2015 [2 favorites]

The Internet's focus on ad-driven business models is completely driven by ~~the much more mature advertising industry~~ people's critical judgment being totally short-circuited by the appearance of the word "free".

(FTFY)
posted by Slothrup at 10:56 AM on February 19, 2015 [1 favorite]

So the shitty ASUS was a good choice then.
posted by maryr at 10:57 AM on February 19, 2015 [4 favorites]

Speaking of officially pre-installed BIOS malware, CompuTrace also ships in some number of machines and is exploitable by remote atackers. Kaspersky describes CompuTrace as malware:

A user can mistakenly recognize Computrace as malicious software because it uses so many tricks popular in modern malware: anti-debugging and anti-reverse engineering techniques, injection into memory of other processes, establishment of secret communications, patching system files on disk, keeping configuration files encrypted, and dropping a Windows executable right from the BIOS/firmware.

Vulnerabilities in the code were demoed at BlackHat 2014, but A/V software continues to ignore it:

Kamluk and Sacco noted in their Black Hat talk that Computrace, though it acts like malware in a number of ways, is not detected by antivirus engines. And there are a number of good reasons for that, not the least of which is that Computrace is a well-known piece of software that is whitelisted by most antivirus companies, trusted by large numbers of hardware companies and developed by a legitimate business.

The problem with Computrace isn’t that it’s outright malicious, but rather that vulnerabilities in it can turn the useful tool into a powerful weapon for cybercriminals.

The worst part about this sort of insidious malware is that it has been going on for years and is effectively a "forever day" sort of vulnerability. Deactivate the CompuTrace Rootkit (CoreLabs, 2009):

We have analyzed the Computrace BIOS agent and documented some design vulnerabilities that allow the agent's reporting address to be controlled.

As a result, the anti-theft agent allows a highly persistent and stealth form of rootkit that can re-utilize many existing features that come pre-installed in BIOS firmware and can survive operating system reinstallation and hard disk wiping or replacement

posted by autopilot at 10:59 AM on February 19, 2015 [1 favorite]

Wow, I just happen to be reading this on a T60 Thinkpad, which I bought from some dude on Craigslist because it was cheap and Thinkpads have a good reputation. I should see about installing Libreboot!

I've been fantasizing about building my own computer from scratch for years now, pretty much ever since I got into firmware development and figured out what I would need to know to actually do it. The temptation to dig in and solder up my own custom machine from scratch has grown increasingly tempting with all this recent crap about the Equation Group.

But really, so what? I can protect myself, I guess, with a lot of work, but I can't become a computer manufacturer, so I can't solve the problem for anyone else - and nobody would buy my crappy, expensive, underpowered machines if I did, because they would suck. So how do we get out of this situation, where anyone who is actually benefiting from the integrated global technological economy is more or less guaranteed to be completely screwed over by it?
posted by Mars Saxman at 11:01 AM on February 19, 2015 [2 favorites]

fifteen schnitzengruben is my limit: In any case, if you have a Lenovo laptop, you may wish to go here: https://canibesuperphished.com/. If there are no warnings, you have the Superfish certificate installed and are vulnerable to MITM attacks.

This check seems counter-intuitive, since the warnings I get from that page make it look like I can be superfished. e.g. "Your connection is not private", "Attackers might be trying to steal your information", and "NET::ERR_CERT_AUTHORITY_INVALID". So No Warnings means Bad, but these Scary Warnings means Good? (Disclaimer: on a old T60 that has been imaged by corporate IT)
posted by achrise at 11:11 AM on February 19, 2015 [1 favorite]

achrise: That's my interpretation. (Lenovo X1 Carbon w/512 GB SSDD ;) )
posted by ZenMasterThis at 11:21 AM on February 19, 2015

InfoSec Taylor Swift seems to imply that McAfee was complicit, making the bundled AV not notice this on purpose?
posted by ctmf at 11:22 AM on February 19, 2015

Yes. That site has it's cert signed by the Superfish private key. You'll only make a TLS connection if your browser trusts the corresponding public key, which it will only do if the key has been added to the list of trusted CAs.
posted by pharm at 11:23 AM on February 19, 2015 [2 favorites]

Man, if only there were an operating system that didn't have this spyware shit preinstalled.

Man, if only I could install linux on my inherited Lenovo ideapad. It's so complicated I bought and rooted a Chromebook instead because it was cheaper than time I would have spent Yak bio-engineering.
posted by srboisvert at 11:23 AM on February 19, 2015 [1 favorite]

Does anyone have anything in regards to whether Superfish's public key is somehow stored in the ESE chip that is present in the Thinkpad hardware?

We don't have a ton of Lenovo hardware and we always rebuild with a custom image but I was wondering if some of these Superfish keys might also be interacting with the ESE TCG-/TCPA-Technology present in modern Thinkpads?
posted by vuron at 11:23 AM on February 19, 2015

Is there a way to tell by model if your computer is likely affected? I have seen various places say it affects *consumer* models...so would business models not be? And where is the cutoff?

I have a Lenovo Thinkpad Yoga (most recent iteration, but don't remember when it was made). It is not with me, so I can't check those sites (although I think the idea of most of these sites is super sketchy, but whatever)...but it would be helpful if there were a general list of models affected.
posted by subversiveasset at 11:24 AM on February 19, 2015

Unfortunately Lenovo is not exactly being forthcoming in what laptops came with Superfish pre-installed. It might be that their business class laptops did not come with it pre-installed and that Superfish was exclusively targeted at the rubes in the home user market because Malware pre-installed might allow them to reduce their end-user costs.

I can't even imagine the panic attacks that big companies with lots of road warriors armed with Thinkpads must be going through right now. I mean hopefully they don't just give Factory direct laptops to sales but you never know.
posted by vuron at 11:29 AM on February 19, 2015 [1 favorite]

So how do we get out of this situation, where anyone who is actually benefiting from the integrated global technological economy is more or less guaranteed to be completely screwed over by it?

Well, if you have firmware expertise, you might want to check out this project. Firmware seems to be the biggest hole in their project, and it seems from their funding amount that there is a reasonably high demand for what you want. If I had experience with firmware development, I would be breaking down their door.

InfoSec Taylor Swift seems to imply that McAfee was complicit, making the bundled AV not notice this on purpose?

AV companies are definitely complicit industry-wide in allowing this dangerous crap to proliferate. Their business model is actually pretty similar to a large degree. McAfee is so bad these days that I would consider it malware.

God help people using Windows these days. And God help me when I'm finally employed again and get to again support deployments of consumer machines that higher-ups inevitably buy because they're so attractively priced.

I totally understand how datacenters can get away with paying Unix admins minimum wage, if you're competent and don't have to support Windows machines, you can basically just get paid to read all day (at least that's how I've seen lots of positions advertised).
posted by [expletive deleted] at 11:31 AM on February 19, 2015 [4 favorites]

Is there a way to tell by model if your computer is likely affected?

From Lenovo:

Superfish may have appeared on these models on products shipped between September and December of 2014:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
posted by ROU_Xenophobe at 11:31 AM on February 19, 2015 [4 favorites]

(FTFY)

The word "free" does not appear in advertising, nor on site/company collateral, often enough for that to make sense/be funny.
posted by rhizome at 11:38 AM on February 19, 2015

The issue with Lenovo pushing this sort of crapware onto their machines is that hardware margins continue to get squeezed to zero. It's nearly a money-losing proposition to make laptops these days unless you're Apple. I understand the temptation to push hardware margins below zero and make up the difference with some sort of ad service, but it's simply a terrible decision.

Winnow your product line Lenovo and charge a price with some low, positive margin. Don't try to make up a loss with shit like this.
posted by GuyZero at 11:44 AM on February 19, 2015 [1 favorite]

Whew no T series or X series on that list. Sometimes it's nice that business users get the nice stuff rather than the horrible consumer grade crap. I guess that means that now you just need to worry about all your technically inept family members that bought a consumer grade Lenovo in the last year hopefully you made plans on visiting your mom/dad/uncle/cousin/niece sometime soon.
posted by vuron at 11:47 AM on February 19, 2015 [1 favorite]

I have a recent Lenovo (a T440s) and it's clean. No Superfish.

What's more, it's literally the best laptop I've ever owned. I look at other people's laptops and feel guilty. It's like in my invisible backpack, it's so good: I've got laptop privilege and no one even knows.

Basically, this seems like a terrible decision, and I'm outraged, but I'm also typing my outrage on a Lenovo laptop that puts the MacBook Air to shame, so I can't get that outraged.
posted by anotherpanacea at 12:29 PM on February 19, 2015 [4 favorites]

While I agree with the justified disgust towards Lenovo's practices and don't think they're excusable in any way, as noted by [expletive deleted] above, some of their models are probably still the best bet for most people when it comes to the security/trustworthiness vs convenience trade-off.
posted by Bangaioh at 12:53 PM on February 19, 2015

While the T/X/M series are seemingly free of the malware (likely because Lenovo has higher margins on business class laptops) it seems like those of us that typically don't have to deal with consumer grade crap in our careers are likely going to view this through a privileged lens, i.e. "At least I'm not a pleb with consumer grade crap" even though the consumers that are going to be impacted the most by this aren't actually going to ever hear about this malware much less get it successfully mitigated on their machines. We might go "oh well sucks to be them" but I'm kinda terrified about the idea of a ton of consumer data being exposed as bad actors put up all sorts of phishing sites that take advantage of this frankly stupid choice on Lenovo's part. That aggregate cost will get passed on to the guys smart enough to avoid getting consumer grade stuff.
posted by vuron at 1:02 PM on February 19, 2015 [2 favorites]

Also, with a name like Superfish, why should we accept the story that this was all about serving ads? I'd just as soon assume that the ads are just cover for the real business model of selling private user data to thieves, stalkers and repressive governments.

Because the software was installed in the open rather than hidden as a rootkit? It's blatant about what it does, it's just doing stupid things. Because it's installed on cheap consumer laptops rather than the business class ones where the real data of interest would be located?

Hanlon's razor almost certainly applies here.
posted by Candleman at 1:12 PM on February 19, 2015

I gave in and actually used meme generator
posted by Bovine Love at 1:28 PM on February 19, 2015

vuron: That aggregate cost will get passed on to the guys smart enough to avoid getting consumer grade stuff.

Basically. It's not exactly the herd immunity argument for vaccines but I think it's worth being concerned about the wider implications of millions of normal users having their security compromised even if we're doing this thinking smugly from our computer-tuner ivory towers here.
posted by whittaker at 1:29 PM on February 19, 2015

I can't believe no one's done this yet:

Superfish! Superfish! It's super fishy...
posted by dirigibleman at 1:50 PM on February 19, 2015 [1 favorite]

The name Komodia is interesting. It's a transliteration of the company's Hebrew name which appears to be derived from a foreign word. I think it's most likely to be "comedy" or "Komodo", as in "Komodo is one of the 17,508 islands that compose the Republic of Indonesia."

The spelling isn't what one would expect in either case, but I tend to think it's the latter. Why? Well, Komodo is best known for being the home of the largest lizard in the world, the Komodo Dragon. And that's especially appropriate, because the Komodo Dragon is also the world's only monitor with a venomous bite.
posted by Joe in Australia at 1:51 PM on February 19, 2015 [1 favorite]

It's superfish, superfish
It's superfishy
Yowwww!
posted by turbid dahlia at 1:59 PM on February 19, 2015 [2 favorites]

I'm was surprised Lenovo's PR machine decided to weasel so much with their official statement:

"Superfish was previously included on some consumer notebook products[...]to help customers potentially discover interesting products while shopping."

"The relationship with Superfish is not financially significant; our goal was to enhance the experience for users."

I guess that's just the standard line for any/all of the bloatware these companies preinstall, but it stretches incredulity here.
posted by nobody at 2:29 PM on February 19, 2015 [6 favorites]

I wonder how much they were paid to sell our their users? Probably just a couple bucks. Anyone here know enough about this industry to give a good guess?
posted by ryanrs at 2:40 PM on February 19, 2015 [1 favorite]

So Taylor Swift says:

Note that #Superfish testing websites are NOT VALID ON FIREFOX. You must test using Internet Explorer or Chrome.

Is this a point in FireFox's favor, or does it just meant the people who wrote the testing websites didn't bother to implement them so they worked in FireFox?
posted by benito.strauss at 2:48 PM on February 19, 2015 [1 favorite]

One place I was reading said that IE and Chrome share trusted certificates, but FF has (for the most part) its own set. So, that is (for the most part) a point in FF's favor.
posted by subversiveasset at 2:54 PM on February 19, 2015

Yeah, Chrome on Windows relies heavily on IE, including relying on IE's certificate stores and proxy settings.
posted by I-baLL at 3:24 PM on February 19, 2015

To be pedantic, Chrome relies on shared services and global settings within Windows available to all applications such as Windows' Certificate Store (common resources like this being designed for this precise purpose) not IE specifically.

Those certs are used for many functions including executable code-signing which is also compromised by this—nothing to do with web browsing.

Run certmgr.msc from the command line and take a gander!
posted by whittaker at 3:32 PM on February 19, 2015 [4 favorites]

One of the reasons I've always been a Thinkpad buyer is that Lenovo makes it relatively easy to do a crapware-less reinstall. When you use the factory restore procedure, you can select which components get installed, so you can leave off Norton or whatever other bundled crap is normally on the load. I'm left wondering if Superfish is unselectable.
posted by wierdo at 3:52 PM on February 19, 2015

To add to the parade of crap, The NSA infiltrated the biggest manufacturer of SIM cards and stole the private keys, effectively rendering cellular encryption useless.
posted by dirigibleman at 3:56 PM on February 19, 2015 [2 favorites]

My score for Lenovo Z50, bought Aug of last year.
filippo.io/Badfish tester in Chrome says I am one of the afflicted.

Following their removal instructions:
- there was supposed to have been 'superfish' installed, but I didn't find it. I might have removed it just because, when I was doing some earlier cleanup. Does anyone know whether superfish app goes by another name?
- using certmgr.msc, I found and deleted the superfish certificate from Windows.
- checked Firefox, no superfish cert found (but man oh man, the number of certificates in there. How many are necessary? How many issuers can be trusted?)
- retested chrome and firefox browsers on above url: ok

For the NSA... airgap. Yikes.
posted by Artful Codger at 4:02 PM on February 19, 2015

Researchers broke GSM encryption in 1999, at least the export version. GSM encryption has always been weak.
posted by GuyZero at 4:47 PM on February 19, 2015

That would be nice. I remember thinking the same thing when the news broke that Jack-In-The-Box was selling deadly contaminated shitburgers, and then being mildly astonished the next day to find that the Jack-In-The-Box near my apartment had a line out the door and no free tables. Call me a cynic, but I will not be holding my breath while waiting for Lenovo's business to collapse.
posted by Sing Or Swim at 8:04 AM

Since you've told this story on the blue before, here are some clarifications:

It's worth noting that Jack-in-Box was following FDA cooking temperature guidelines (although not Washington State guidelines, where the poisonings happened) and that the contaminated meat came from a 3rd party (Vons?). Also, a promotion that had customers lining up out the doors was the main reason they weren't cooking things as long as they should have in the first place.
posted by sideshow at 6:24 PM on February 19, 2015 [3 favorites]

On an Android Lenovo A8-50 tablet, purchased last week and not within the range Lenovo suggests is compromised, I see a vulnerability warning on Filippo's site when I use the device's native browser, but NOT on Chrome.

Does this confirm that the problem is anything that includes Komodia certificates, and not Lenovo per se?
posted by gusandrews at 6:31 PM on February 19, 2015 [2 favorites]

- there was supposed to have been 'superfish' installed, but I didn't find it. I might have removed it just because, when I was doing some earlier cleanup. Does anyone know whether superfish app goes by another name?

Visual Discovery.
posted by ROU_Xenophobe at 6:47 PM on February 19, 2015

Firefox doesn't use (trust) the OS's certificate store for various historical and practical reasons; it comes with its own. Mozilla's definition of a trusted CA and how to manage those certs is often significantly different from that of some OS vendors.

As a trivial example, you can still find some old 1024-bit RSA certs (no longer big enough to be believed secure) in Microsoft's CA store, whereas Mozilla deprecated them in 2013 and eventually pulled them all in Sept (?) 2014. At least this was true the last time I checked in December.
posted by introp at 7:52 PM on February 19, 2015 [2 favorites]

>> Does anyone know whether superfish app goes by another name?

ROU_Xenophobe: Visual Discovery.

Thanks! I just had another look; I apparently don't have that beastie installed either.
posted by Artful Codger at 8:11 PM on February 19, 2015

It's not clear Firefox is safe: EFF notes "The fact that there are significant numbers of Firefox victims somewhat contradicts the speculation that Firefox is safe because it doesn't use the Windows root store.".

As an aside, the EFF SSL Observatory seems increasingly important to me. I wish I understood it better. It basically looks at SSL certificates used in the wild to look for odd attacks. It's discovered a lot of shenanigans in the past couple of years.
posted by Nelson at 8:19 PM on February 19, 2015 [2 favorites]

please disregard my comment I was clearly deeply confused
posted by gusandrews at 8:27 PM on February 19, 2015

Hey guys, it gets even worse. I just cracked open my ThinkPad T430 and the TPM is actually just a piece of stale popcorn soldered to the motherboard. Please advise.
posted by qxntpqbbbqxl at 11:20 PM on February 19, 2015 [3 favorites]

Researchers broke GSM encryption in 1999, at least the export version.

It is related to compromised keys, so kind of on-topic, but that was 2G GSM that was broken in 1999. With the keys from the SIMs, the NSA and GCHQ can access any communications on compromised mobile devices (and it's a large proportion of SIMs that may be compromised).
posted by ambrosen at 12:05 AM on February 20, 2015

From EFF: How to Remove Superfish Adware From Your Lenovo Computer
posted by MonkeyToes at 5:10 AM on February 20, 2015

It's not clear Firefox is safe: EFF notes "The fact that there are significant numbers of Firefox victims somewhat contradicts the speculation that Firefox is safe because it doesn't use the Windows root store.".

You make a good point, and I didn't mean to imply that Firefox is safe from this attack. Presumably Superfish software running on a box can install its cert into the Firefox CA list with no trouble. I was thinking along the lines of Lenovo's terrible "uninstallation" instructions which had one remove the Superfish software but didn't instruct one to clean up the tainted OS CA list.
posted by introp at 7:43 AM on February 20, 2015

Superfish has doubled down on their marvelous product.

Superfish tells us it stands by Lenovo’s assessment. “Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today.” a company spokeswoman said. “Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrong doing on our end.”

Superfish was only preinstalled on Lenovo PCs, not other devices, she said. “This was a small scale test to see if consumers would like the feature.”

AT&T says it tracks "the webpages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter... AT&T Internet Preferences works independently of your browser's privacy settings regarding cookies, do-not-track, and private browsing. If you opt-in to AT&T Internet Preferences, AT&T will still be able to collect and use your Web browsing information independent of those settings."

AT&T's attack on the customers appears to be at the network level, not some amateur-hour malware on the user's computer. In some ways that's worse, a full time VPN is viable protection but is a pain in the ass.

In the past the FTC has been willing to step in and regulate this kind of nonsense from Internet companies. Here's hoping they're paying attention to this latest expansion of advertiser surveillance.
posted by Nelson at 7:51 AM on February 20, 2015 [3 favorites]

A Tangled Mass: The Android Root Certificate Stores. Short paper summarizing similar SSL certificate shenanigans from various mobile phone providers.
posted by Nelson at 8:44 AM on February 20, 2015

Have you actually looked at the list of Root Certificate Authorities in Windows?

Do you really think that Superfish is the only one you should be worried about? Just the number of certificates (probably) controlled by the Chinese Govt or NSA is enough to ensure that nothing is *really* secure.
posted by blue_beetle at 9:40 AM on February 20, 2015

> It’s an astonishing "fuck you" to Lenovo’s customers & they don’t even seem to appreciate the enormity of what they’ve done.

The silver lining is that Lenovo's user base, more than any other Windows PC manufacturer, contains a huge number of techies who understand the magnitude of this. Here's to hoping this is not something that will be easily forgotten.
posted by qxntpqbbbqxl

I bought a Lenovo Thinkpad because I wanted the ruggedness. No, I will not ever buy or recommend another Lenovo product because Fuck You, Lenovo. It's naked greed and disdain for customers.
posted by theora55 at 9:44 AM on February 20, 2015

We were just talking about this in a previous computer security thread.

For me, the big question is, where was the command and control server? Where was the data going? Lenovo HQ in Beijing? It surprises me that during the time the command server was active, nobody traced it.
posted by charlie don't surf at 9:49 AM on February 20, 2015

I regret confounding the problem of so many trusted root CAs with the Superfish SSL certificate. Superfish intercepts all traffic from arbitrary websites and replaces it with its own SSL certificate. Also the Superfish root cert is compromised and public, so that any hacker can use it to subvert all SSL security on Lenovo laptops.

SSL's trust model is definitely a problem, but the Lenovo / Superfish fiasco is a complete travesty.
posted by Nelson at 9:53 AM on February 20, 2015 [2 favorites]

Even worse than that is the fact that anyone can use that information to certify that malicious executables come from anyone they want, up to and including Lenovo or Microsoft.

Does this give the same code signing capabilities as the Flame malware had and allow impersonation of Windows Update servers and stuff like that, then?
posted by XMLicious at 11:56 AM on February 20, 2015

XMLicious: Does this give the same code signing capabilities as the Flame malware had and allow impersonation of Windows Update servers and stuff like that, then?

I believe the Windows Update service keeps its own black box cert store. You can absolutely sign malicious executables that can be engineered to run in other circumstances, though.
posted by whittaker at 1:34 PM on February 20, 2015 [2 favorites]

Lenovo CTO Admits It ‘Messed Up’ Allowing Major Security Hole Onto PCs. “We just flat-out missed it on this one, and did not appreciate the problem it was going to create.”

These are not the people you want building computers for you.
posted by Nelson at 5:04 PM on February 20, 2015 [1 favorite]

"Mistakes were made."

Ars Technical is all over this story.

Superfish doubles down, says HTTPS-busting adware poses no security risk
Update: It turns out the vulnerability is easier to exploit than previously known. As this post was being prepared, a security researcher published new findings showing that a malicious hacker doesn't need the easily-extracted Superfish private key to perform a man-in-the-middle attack on PCs that have the Komodia proxy installed. That's because the proxy will re-sign invalid certs and make them appear valid to the browser.

“SSL hijacker” behind Superfish debacle imperils large number of users
Lenovo wasn't the only one using SSL certs that unlock every SSL site on the Internet.
posted by charlie don't surf at 5:17 PM on February 20, 2015 [2 favorites]

I hear Microsoft is going to issue an update that removes this crapware.
posted by humanfont at 5:22 PM on February 20, 2015

Lenovo just released a Superfish removal tool. Do you trust downloading it from Lenovo, on a Superfish-compromised machine?

Windows Defender, McAfee update fully removes Lenovo's dangerous Superfish malware
posted by charlie don't surf at 5:35 PM on February 20, 2015

OMFG. A month ago, Lenovo responded to complaints about Superfish. They intended to upgrade it.

Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.
posted by charlie don't surf at 5:41 PM on February 20, 2015

“We just flat-out missed it on this one, and did not appreciate the problem it was going to create.”

Whoopsy-daisy!

I predicted yesterday that Lenovo CTO Peter Hortensius is going to be spending more time with his family within six months. I'm certainly generous in my timeframe, but I do see that Lenovo's fiscal year starts in April. Just sayin'.
posted by rhizome at 6:11 PM on February 20, 2015 [2 favorites]

Hahahaha. No. Peter Hortensius and other executives will probably get a bonus.

"I have a bunch of very embarrassed engineers on my staff right now," Lenovo CTO Peter Hortensius said in an interview Thursday. "They missed this."
posted by dilaudid at 6:21 PM on February 20, 2015 [2 favorites]

> Robert Graham extracted and cracked the password of the superfish certificate

aaand the password was easily guessed from the company name. Didn't realize that Hanlon's Razor was double-edged.
posted by scruss at 6:49 AM on February 21, 2015 [1 favorite]

Hahahaha. No. Peter Hortensius and other executives will probably get a bonus.

Perhaps, and I'm getting a little ahead of myself here, but to be sure they are still in damage control. Blaming underlings doesn't work 100% of the time and this story is quite new.
posted by rhizome at 11:25 AM on February 21, 2015

Komodia claims to have been DDOSed. Superfish's website seems to be okay.

The archived page for Komodia's SSL injector is...something else. The idea that it was marketed or sold primarily as an SDK for developing parental control software and the like sure reads like a fig leaf to me, though maybe it just seems sinister in light what's already happened.
posted by kagredon at 8:29 PM on February 21, 2015 [1 favorite]

Hmm.. is it thousands of people (like me) trying repeatedly to access their website? Or should I believe a sob story from those scumbags?

The other archived links are interesting, like the iOS redirector. This is total snake oil. They aren't selling an app, because it would never get through the App Store. They're selling source code, so you can write your own fake Safari with their hack. And then you have to manually load it on a target iOS device by Provisioning as a test app with Xcode. And ironically, Provisioning requires a valid SSL certificate, in order for you to provision an app that uses their faked certificate. I love their sales pitch:

The current way to do parental control is to develop a browser and by using iOS security features lock out Safari and other applications that the child can use to surf the Internet.

Hey Mom, Safarl isn't working! I guess I'll just use Snapchat!
posted by charlie don't surf at 9:35 PM on February 21, 2015 [1 favorite]

"Parental control" by hijacking SSL is sinister, too.
posted by Nelson at 6:05 AM on February 22, 2015 [1 favorite]

The default OS X parental "controls" get around the issue by not proxying any HTTPS traffic at all making it useless for letting kids access services like, say, Google Docs. I'm not sure which is worse - total shutdown or an insecure MITM proxy.
posted by GuyZero at 9:04 AM on February 22, 2015

There are so many issues here that I feel like a summary is in order. Just to help me keep it straight, at least. (This is all from my understanding of what I've read, so it's possible I've misunderstood something here or there.)

So. Lenovo sold computers with SuperFish preinstalled.

Problem 1) Almost certainly, this was done solely because they were paid for every machine on which they installed it. Any claim that it was for their customers' benefit is an outright lie.

Problem 2) The SuperFish software is adware, barely even pretending to offer the user anything of value. "Browser pop up behavior" is acting against the users' interest. I have not experienced the software myself, so perhaps there is some redeeming value in it, but every description I've read makes this seem very unlikely.

So far, we're in ugly-but-not-uncommon territory, and we haven't reached the privacy / security threats.

Problem 3) SuperFish operates by intercepting a user's web traffic, sending some of that data to a SuperFish server that analyzes it and chooses "relevant" ads to be shown to the user. This is troubling enough when such tracking and data collection are done by large, well-known corporations with strict privacy policies and some need to maintain a reasonable public image. Sending such data to a company that produces nothing of value and exists primarily to exploit the economics of computer sales [ahem... personal opinion there], is far worse.

Problem 3.5) SuperFish intercepts encrypted web traffic in addition to regular traffic. Very often, encrypted connections are used for sensitive information, both sensitive in terms of the data being sent to a server (login information, credit card numbers, personal data) and sensitive in terms of the information being accessed. To intercept such traffic and send it to a central server is a major privacy violation, compounding on Problem 3.

It is important to point out here that encrypted web traffic can be intercepted by software on a user's machine without creating a major security threat. Many antivirus programs do this in a secure way, for example. So by themselves, the above problems are basically privacy issues. However, SuperFish implements the traffic capture in a ridiculously insecure way, leading to two massive security issues, either one of which breaks web security on an "infected" computer by itself:

Problem 4) In the process of intercepting all web traffic, SuperFish does not validate the certificates it receives over encrypted connections. This means that it breaks the security guarantees provided by the protocol used for making secure connections to websites, and so any number of attacks are possible against the user, including intercepting data, modifying data, and spoofing legitimate websites. With the regular security guarantees of the protocol in place, all of these attacks would at least produce large, scary warnings for the end user, if not fail outright, but with SuperFish installed, the user would see absolutely nothing amiss.

Problem 5) SuperFish installs its own certificate into the sets of certificates implicitly trusted by the operating system and web browsers on that system. This can be done reasonably securely, with a strong, unique key generated for any individual running the software. SuperFish installs a certificate with the same key on every machine. And it is generated using obsolete, less-secure algorithms. And its password is the name of the company that produces the web-traffic-interception software, Komodia. This means that anyone can make a certificate that is trusted by this certificate, creating a website or a piece of software a SuperFish-infected machine will implicitly trust. This goes beyond Problem 4, as it applies to security checks the OS performs on software as well as security checks on accessing websites via secure connections.

It's not quite clear to me, but I believe that other applications that integrate Komodia's library for intercepting web traffic will introduce these same flaws to any system on which they are installed. So the issue probably extends well beyond SuperFish, but it is the first such application that has received widespread attention.

The story in short: Lenovo was paid to install useless, user-antagonistic software on many computers they sold, which they likely chose to do in order to save money / reduce the price of the computers. Lenovo failed to see that this software introduced some obvious, major privacy issues that even a cursory inspection would bring to light. Lenovo also missed two incredibly major security flaws in the software that compromised the security of every computer on which it was installed. When at least some of these issues were pointed out to them, they discontinued the installation of the software, apparently until the privacy issues could be fixed. They still failed to see the security flaws. Even when several security researchers were explaining the problems, Lenovo at least briefly issued a statement saying their own analysis had uncovered none. Finally, they admitted they screwed up and are trying to help people remove the software and fix the holes it introduces (along with Microsoft and the US government, at this point, because the problems are so dangerous and widespread).

Meanwhile, the stories of SuperFish, Komodia, and the people therein... We have less to go on there, other than the statement released by the CEO of SuperFish that shows that he is, um... untrustworthy (at best). I'm curious to see what more comes out in that direction.
posted by whatnotever at 10:05 AM on February 22, 2015 [9 favorites]

SSL-busting code that threatened Lenovo users found in a dozen more apps

A security researcher who goes by the Twitter handle @TheWack0lian said an additional piece of software known as SecureTeen also installed Komodia-enabled certificates. Over the weekend, the researcher also published findings documenting rootkit technology in Komodia code that allows it to remain hidden from key operating system functions.

posted by XMLicious at 2:26 PM on February 22, 2015

"Parental control" by hijacking SSL is sinister, too.

Oh, for sure--but the idea that "parental control" was the primary idea feels like browsing the concrete shoe mold aisle (for art projects!) at Honest Mike's Home Goods.
posted by kagredon at 5:34 PM on February 22, 2015 [1 favorite]

"Parental control" is a legal use, which is probably important. Lenovo's use is presumably legal-ish if they got people to click on a license ("you agree that the operating system may record information for customer satisfaction purposes" or something like that), but many obvious use-cases are flat out illegal.

It's a good thing I'm lazy; I bet someone could make a lot of money selling an "email backup solution" that would be easy (i.e., trojan-like) to install, that would grab all email sent from all accounts on a particular computer. For archival purposes only, you understand.

It would be advertised in Angry Dads Monthly and You Think He's Cheating On You? Quarterly, and I bet it would sell like hotcakes.
posted by Joe in Australia at 7:25 PM on February 22, 2015 [1 favorite]

I have been trying to remember where I saw a similar type of MITM product. I searched and searched, and I finally found it here.

Courtyard Marriott in Times Square is spying on and manipulating your Internet

This bullshit has been commonly accepted practice for years. Commonly accepted by greedy corporate bastards. And there is an endless supply of unscrupulous service providers for those greedy corporate bastards. So is anyone surprised that Marriott jammed everyone's wifi, to force people to use their adware-infested wifi?
posted by charlie don't surf at 11:04 PM on February 22, 2015 [1 favorite]

Ars Technica: SSL-busting code that threatened Lenovo users found in a dozen more apps

According to Facebook's Richard, more than a dozen software applications other than Superfish use Komodia code. Besides Trojan.Nurjax, the programs named included:

CartCrunch Israel LTD
WiredTools LTD
Say Media Group LTD
Over the Rainbow Tech
System Alerts
ArcadeGiant
Objectify Media Inc
Catalytix Web Services
OptimizerMonitor

A security researcher who goes by the Twitter handle @TheWack0lian said an additional piece of software known as SecureTeen also installed Komodia-enabled certificates.

posted by Chocolate Pickle at 11:08 AM on February 23, 2015

It defies belief that of all the technical people at Lenovo who were involved in the inclusion of this package with their computers, including CTO Hortensius, simply having the word "fish" in the name, in this day and age, never raised a flag.
posted by rhizome at 12:16 PM on February 23, 2015 [1 favorite]

Oh man Ars is just hammering on this, and hitting the nail on the head. Keep watching them.

Lenovo users lawyer up over hole-filled, HTTPS-breaking Superfish adware

San Diego blogger Jessica Bennett filed a lawsuit in federal court last week, charging Lenovo and Superfish with violating state and federal wiretap laws, trespassing on personal property, and violating California's unfair competition law. In addition to this, a Pennsylvania law firm put out a press release on Friday that asked Lenovo customers to participate in a class action lawsuit investigation regarding the presence of Superfish on their computers...

.. Bennett invokes a California statute that prohibits using any means to “purposefully intercept the content of a communication over any 'telegraph or telephone wire, line, cable, or instrument,' or to read or attempt to read or learn the content of any such communications without the consent of all parties to the communication,” as well as federal laws against wiretapping. She asks the court to let Lenovo users file a class complaint.

Lenovo is screwed. Komodia is screwed too.

I have been uber-schadenfreuding lately, this is usually where I am entitled to gloat as a Mac user. I spent some time trying to think of any time Apple included crapware. Some people don't like iWork or the other iApps, but that's not crapware, they are Apple's core apps. There are legendary bundled apps like Graphing Calculator, developed in secret and given to Apple for free. I recall one third-party app bundled with Macs, Art Director's Toolkit. I don't think it qualifies as crapware since it's an app that never runs unless you call it deliberately. Most people never even knew it was there, but I used it many times every day.

Then it hit me. There was one serious crapware incident on Macs. It was an app that everyone hated, a third-party product by a company that paid Apple big money to make it the default app. I remember the MacWorld keynote when people booed Steve Jobs, when he announced it.

But I think this is a special case. Apple got their revenge so I think I'm still entitled to schadenfreude.
posted by charlie don't surf at 7:31 PM on February 23, 2015 [1 favorite]

charlie don't surf: "Lenovo is screwed. Komodia is screwed too."

I'm assuming Lenovo at least believes it'll be covered by the EULA.
posted by Mitheral at 7:46 PM on February 23, 2015

What sort of anti-competition argument would Jessica Bennett be able to make?
posted by Joe in Australia at 8:01 PM on February 23, 2015

I'm assuming Lenovo at least believes it'll be covered by the EULA.

You can't use a contract to shield yourself from prosecution of criminal acts. The wiretapping charges will stick.

I think the anticompetitive acts, via fraud and deceptive business practices are pretty clear, according to her legal filing.

I have spoken on two separate occasions with Lenovo phone support, both times they insisted that this Superfish software was not installed by Lenovo and that it is malicious and should be removed, at which time they offered to charge me either a one-time fee of $120, or sell me a monthly software support subscription. I insisted that this Superfish software came pre-installed from the factory, citing where it said "Install Date" in the "Programs and Features" (which was the same install date as the rest of the Lenovo software), as well as the registry entry where Superfish is listed under the "MFGApps" string value.

They are so screwed.
posted by charlie don't surf at 8:35 PM on February 23, 2015

What sort of anti-competition argument would Jessica Bennett be able to make?

It's a pretty broad statute that includes any kind of fraudulent/unlawful conduct. The relevant excerpt from the court filing:

Defendants’ conduct as alleged herein constitutes unlawful, unfair, and fraudulent business acts and practices. As a proximate result of Defendants’ unlawful installation and operation of the spyware on the computers of Plaintiff and the Class Members, Plaintiff and Class Members suffered harm and lost money and/or property.

By engaging in the above described acts and practices, Defendants have committed one or more acts of unfair competition within the meaning of the UCL.

Defendants’ business practices and acts are “fraudulent” because they are likely to deceive, and did deceive Plaintiff and members of the consuming public.

Specifically, Defendants intentionally and misleadingly sold new computers with preinstalled Spyware.
posted by kagredon at 9:32 PM on February 23, 2015

Thanks for that. I think it's a bit funny that you guys treat fraud as if it merely hampered other, more honest, businesses competing for the same market. In Australia we treat fraud as an injury to the consumer, while unfair competition would be a way to describe a raft of measures like third-line forcing, restrictive sales agreements, and so forth; things that hurt the market as a whole.
posted by Joe in Australia at 9:43 PM on February 23, 2015

The California Business and Professional Code is pretty interesting, it is sort of an extension of the Uniform Commercial Code, but with stronger consumer protections in some pretty weird areas. Just as an example, there are lengthy definitions of hotels and handbills, and then it appears to define an act of putting handbills under the doors in hotel rooms without the proprietor's permission as some sort of unfairly competitive act. That's about as far as I was willing to follow it down that rabbit hole, it seems obvious that this was new law enacted around some specific legal case involving handbills in hotels. But this does raise an interesting argument, inserting ads into a competitor's web pages is sort of analogous to putting handbills under a hotel door, advertising cheaper rates at the hotel across the street.

The filing is an interesting mix of State and Federal crimes, and then the unfair competition is a civil case, it can only be filed by the CA Attorney General as a class action. The state has a huge incentive to file, since potentially there were millions of individual acts of fraud, and it looks like up to $6500 in fines for each act. That could mean billions in penalties, and it goes straight into the State Treasury general fund.
posted by charlie don't surf at 10:33 PM on February 23, 2015

You can't use a contract to shield yourself from prosecution of criminal acts.

mmmmm...yeah but is it even a criminal act with consent?

(a) Any person who, by means of any machine, instrument, or
contrivance, or in any other manner, intentionally taps, or makes any
unauthorized connection, whether physically, electrically,
acoustically, inductively, or otherwise, with any telegraph or
telephone wire, line, cable, or instrument, including the wire, line,
cable, or instrument of any internal telephonic communication
system, or who willfully and without the consent of all parties to
the communication, or in any unauthorized manner, reads, ...

California Penal Code section 631a
posted by ctmf at 10:55 PM on February 23, 2015

Clickwrap has generally (if weakly) been held up in court, but if Lenovo wants to play the EULA card they risk opening it back up to their eventual detriment.
posted by rhizome at 11:01 PM on February 23, 2015

Also, from 631a, "intentionally" and "willfully." Could Lenovo play stupid, claiming they didn't know exactly what the program did internally, only that Superfish, Inc. paid them to install some advertising app?

Lenovo's immediate response sure seemed designed to support the "stupid" theory.
posted by ctmf at 11:11 PM on February 23, 2015

Thanks for that. I think it's a bit funny that you guys treat fraud as if it merely hampered other, more honest, businesses competing for the same market. In Australia we treat fraud as an injury to the consumer, while unfair competition would be a way to describe a raft of measures like third-line forcing, restrictive sales agreements, and so forth; things that hurt the market as a whole.

The cynical answer is that we think hampering your business competitors is a much greater sin than injuring customers.
posted by kagredon at 12:19 AM on February 24, 2015

Also, from 631a, "intentionally" and "willfully." Could Lenovo play stupid, claiming they didn't know exactly what the program did internally, only that Superfish, Inc. paid them to install some advertising app?

Doesn't matter. It requires consent from ALL parties in the communication. I am certain that the websites did not consent to wiretapping, they took serious countermeasures to prevent interception, which Superfish subverted. I think that's going to weigh heavily against them.

The cynical answer is that we think hampering your business competitors is a much greater sin than injuring customers.

I think you can make a convincing case that hampering your competitors can screw up the entire market, which can harm all consumers, even those who did not buy the product. They were harmed indirectly. This was a winning argument in US v. Microsoft.
posted by charlie don't surf at 5:54 AM on February 24, 2015

Joe in Australia: "I think it's a bit funny that you guys treat fraud as if it merely hampered other, more honest, businesses competing for the same market. "

Sorry for the derail, but that's simply not the case. Generally speaking, fraud refers to a lie intended to cause someone act to their detriment. I imagine this holds true under the law in most countries. For example, when I sued a large health insurance company in small claims court in the US, one element of my racketeering claim was fraud, in that the company misrepresented the terms of its coverage.
posted by exogenous at 6:04 AM on February 24, 2015 [1 favorite]

Lenovo Sued Over Superfish Adware -NPR.org
posted by blueberry at 6:41 AM on February 25, 2015

Oh wow, NPR mindlessly repeating the government or big businesses' lines of bullshit, whooda thunk it?
posted by entropicamericana at 7:37 AM on February 25, 2015

Lenovo’s Chief Technology Officer Discusses the Superfish Adware Fiasco. The guy keeps repeating the "we were improving the user experience" nonsense, it's embarassing. Otherwise mostly owns up to the mistake.
posted by Nelson at 6:24 PM on February 25, 2015

When he says, "we were improving the user experience," he's not talking to the people affected or security researchers, he's talking to the board and shareholders. He has to hold that wall up.
posted by rhizome at 7:47 PM on February 25, 2015 [1 favorite]

« Older Medium is the message | not safe for work ❤ Newer »

This thread has been archived and is closed to new comments

MetaFilter

Superfish superinsecure!
February 19, 2015 7:05 AM Subscribe

Tags

Share

Superfish superinsecure! February 19, 2015 7:05 AM Subscribe

Tags

Share

Superfish superinsecure!
February 19, 2015 7:05 AM Subscribe