I think it's interesting that this BADWARE install was found more or less accidentally... apparently by some tech dude noticing that his bank login presented a Silverfish-issued CA cert.
Shouldn't the possibility have been foreseen and addressed beforehand?
Perhaps by...
(1) Anti-virus / anti-malware makers. Does this software not notify the user when strange CA certs are put into a system's root certificate storage? I understand that certain businesses do this for traffic monitoring... so it might be legit... but still, no user notification?
(2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?
If this were done in, say, OS X (unrealistic, of course), it would be found out and the whole tech world would know about it in a jiffy. John Siracusa would be howling at the Internet moon within a couple of hours...
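A root-store audit of the kind point (1) asks for, written here as an added example for this thread (it is not code from any commenter, from Lenovo or from Superfish). The baseline path and the two heuristics are my assumptions: a trust anchor whose private key is present on the machine, and a root thumbprint missing from a baseline taken on a known-clean build.

```powershell
# Added example: audit the Windows root stores for suspicious trust anchors.
# Checks a Superfish-style install would trip:
#   1. a root certificate whose private key is present in the store
#      (a legitimate public CA never ships its private key to end users)
#   2. a root thumbprint that is not in a baseline captured on a clean build
# $BaselinePath is an assumption; create the file once with -WriteBaseline.
param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.txt",
    [switch]$WriteBaseline
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
# Self-signed entries (Subject == Issuer) are the trust anchors we care about.
$roots  = Get-ChildItem -Path $stores | Where-Object { $_.Subject -eq $_.Issuer }

if ($WriteBaseline) {
    $roots.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
    Write-Host "Baseline of $($roots.Count) roots written to $BaselinePath"
    return
}

$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $baseline[$_] = $true }
} else {
    Write-Warning "No baseline at $BaselinePath; only the private-key check will run"
}

$findings = foreach ($cert in $roots) {
    $reasons = @()
    if ($cert.HasPrivateKey) { $reasons += 'private key present in store' }
    if ($baseline.Count -gt 0 -and -not $baseline.ContainsKey($cert.Thumbprint)) {
        $reasons += 'not in baseline'
    }
    if ($reasons) {
        [pscustomobject]@{
            Store      = $cert.PSParentPath -replace '^.*::', ''
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Reason     = ($reasons -join '; ')
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled task or EDR script can alert on it
}
Write-Host 'No unexpected root certificates found'
```

Run it once with -WriteBaseline on a freshly imaged machine, then on a schedule; a root that shows up with "private key present in store" is exactly the Superfish case, since the same signing key was installed on every affected laptop.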
I don't know where you got the idea that this got discovered accidentally by this one tech dude. Actually quite a bunch of people have been complaining online about this for months, then for some reason it blew up when the matter got the attention of the tech and sec communities.
(3) Google; Chrome has a rather sophisticated mechanism for detecting MITM attacks, in that it's distributed with pinned certs for several Google properties, and phones home with reports of errors it receives. This is how the DigiNotar leak[1] was discovered.
Perhaps because it was persistent and on the TCP stack level the phonehomes never succeeded? The retry logic should be robust enough to try to deliver the fraud list anyway, even if it will only accept that it has been delivered after a secured connection is restored.
> (1) Anti-virus / anti-malware makers. Does this software not notify the user when strange CA certs are put into a system's root certificate storage? I understand that certain businesses do this for traffic monitoring... so it might be legit... but still, no user notification?
It was installed by the OEM. Doesn't really help if it only notifies the OEM.
> (2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?
The general solution to what you're talking about is to prohibit the OEMs from installing anything by default. The problem is the OEMs wouldn't like it and Microsoft has to keep the OEMs happy lest they get any bright ideas about offering their computers with Ubuntu for $50 less than Windows.
I found it by myself several weeks before all this news came out.
I got my new Lenovo Y50, visited my own website with it and decided to see how my https cert looked. I got quite scared when I saw I was being MITMed but I googled it and there were already a ton of forum posts saying it's just stuff bundled with Lenovo. So I uninstalled it.
Maybe it's not just you, however I think a potential factor to give one more attention is that you can do something about the first, at least in the short term.
Besides cleaning your box, you can blame Lenovo, stop buying their products, promote the boycott, etc. All things that regular people can do and serves as an anger/stress/steam release valve.
The NSA news, even though it is/should be a much more important or pressing issue, it's something you "can't do anything about". I mean, ostensibly you can do a lot as a citizen, however most of those actions have long term effects and thus are not as useful as a release valve. It involves commitment and even sacrifice, whereas blaming a corporation (however right you might be) is much more immediate and serves the purpose of having someone to blame for that and lots of other stuff, i.e. you can then blame the general state of IT security, then how the govt does nothing about it, how privacy is nowadays non-existent, think of the children, etc.
I also believe another factor is the way news have found a way to tap into this need for the audience to have a release valve. Something or someone to be angry at and so all your problems can be channeled to that. Where I live I've seen a growing amount of newspapers and news media that just basically do a certain journalism that does not bring anything to the table but things to be raging about.
I guess it's easier to sell stuff when you can easily get people "on your side", and since there's always a lot of people angry at something, it becomes easy to have an audience.
So what's the point then (from the POV of the media) of bringing "important" (for different values of important) news to the front page when that would require their audience to commit to actions that would last several years (change your country's politics for example) and thus not as easily enticed to "get on your side" (and thus buy your media), if on the other hand you could bring, I guess you could call them "anger-bait" (like click-bait) news, and have everyone talk about it by virtue of functioning as an escape valve where people relieve their stress, fear, anger, etc?
I'm not saying it's a good thing, but I've seen more and more evidence that points in this direction, and I guess that would be my answer as to why one has much more attention than the other.
Edit:
As an analogy, I read somewhere about the recent Charlie Hebdo (sp?) attack and how it got disproportionate attention vs the two thousand killed by ISIS (I believe it was ISIS... or Borok Haram?). Maybe it's a similar thing. You believe you are able to do "more" when it's close to home (Western nation) vs far (somewhere in Africa, far away from me).
Browser plugins can read SSL pages no problem. So why did Superfish not just present itself like a browser plugin? Then it's just normal bloatware and probably pulls in the same profit. Some people might uninstall it is the only reason I can think why they didn't go this route. They could have pre-bundled Chrome and FF to avoid having users ok the plugin installation.
> So why did Superfish not just present itself like a browser plugin
They did this for years, actually. They paid add-on developers to bundle their shopping app with the developer's app. I remember this going on ~2010/2011 at least.
I suspect flash is generally used to play sounds from chat messages - the https man-in-the-middle detection is heavily sampled, as referenced in https://www.linshunghuang.com/papers/mitm.pdf.
[I work at FB, but not on sounds or directly on https man-in-the-middle detection.]
But this problem is not only about CA certs. If the application sits in the same computer it can intercept the SSL libs used in the application (wininet for IE, and the Firefox and Chrome used libs) to watch and modify SSL connections.
This can be done without any proxy or certificate installation.
I recently bought one of these and didn't even boot it into windows before ripping out the drive and tossing in a linux installation on my SSD. Never been more grateful to be technologically competent. Also, I am wiping that drive.
Holy shit, I bought a lenovo Z50-70, ripped out my drive, and put in a linux drive. I've never been happier to have some semblance of control over these things.
> we see several reasons to be concerned about this practice in the case of Superfish and others. Chief among those is privacy—the Superfish software can see all of the computer user's activity, including banking, email and Facebook traffic.
Never mind that Facebook sees all the computer user's Facebook traffic, and cross-indexes it with every other bit of data gleaned from their vast graph and uses it for profit.
Just to be clear, Facebook and Google hate any software that allows users to modify content within their walled gardens (whether that's an adblock, ad injector, or other). These companies want a totally controllable user experience in order to maximize their own user metrics and monetization.
My fear is that these companies will use this Superfish debacle to attack and restrict the ability for users to download legitimate software which leverages these technologies. As users and developers, we want to retain this ability.
Adware sucks, and there are dozens of anti-virus companies who should be all over anyone who tries to pull this crap. The problem here is not with MITM, SSL packet inspection or modification. The problem here is that Lenovo allowed themselves to be turned into a distribution channel for a poorly implemented, spammy piece of adware for a few extra pennies.
> My fear is that these companies will use this Superfish debacle to attack and restrict the ability for users to download legitimate software which leverages these technologies.
They already have, with HTTP/2. Encryption is mandated for HTTP/2 so something like Privoxy (or even just a caching proxy) has to use a Superfish-like method to bypass the encryption. The only alternative is to modify the browser, which they are also locking down with unchangeable ChromeOS and limiting plugins to only officially sanctioned ones.
...and you won't really even be able to just not use HTTP/2 because the web will be much slower as pipelining is not even implemented in Chrome, and Firefox will no doubt drop it soon. Websites optimized for HTTP/2 could take minutes to load without pipelining.
The real irony is that neither Google nor Mozilla determined what software caused pipelining problems, so guess what, it was Superfish and its like. Instead they made a new protocol that requires Superfish-like MITM interception, to work around problems caused by Superfish-like MITM malware.
bigbugbag | 11 years ago
see those for example: https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Persona... http://www.thestudentroom.co.uk/showthread.php?t=3013039 https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-...
[1] http://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulen...
ademarre | 11 years ago
https://news.ycombinator.com/item?id=9076351
dredmorbius | 11 years ago
If it wasn't for the SIM story, I'd have missed the Five Eyes legal restraints dodge:
https://plus.google.com/104092656004159577193/posts/2ncBEdPV...
Via: https://news.ycombinator.com/item?id=9077061
dfox | 11 years ago
The SIM heist confirms that few entities have capabilities that almost everyone assumed they have.
Superfish enables anyone to attack a significant percentage of internet users.
practicalpants | 11 years ago
People were not happy about it to say the least.
chinathrow | 11 years ago
https://twitter.com/ow/status/568935755344580608
Superfish: Go shame yourself. If I was an investor in your company, I'd pull my money now.
reedloden | 11 years ago
(another reason to put Flash behind click-to-play and/or push for HTML5 video)
larvaetron | 11 years ago
This is the second article I've read that states this - Superfish does no such thing.
maxerickson | 11 years ago
https://web.archive.org/web/20150220003144/http://www.komodi...
installed as an LSP:
http://en.wikipedia.org/wiki/Layered_Service_Provider
"modify the windows networking stack" is not an absurd description of that.
quotemstr | 11 years ago
https://stackoverflow.com/questions/16269624/the-truth-behin...