Little Pig, Little Pig! Let Me Admin! (Security Thread)

Thad
Posts: 13279
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Feb 19, 2015 5:13 pm

I wouldn't say it's as dire as all that. Between end users who don't read stories like this and corporate netadmins who this doesn't affect (because they wipe every new computer and install their own software anyway), there are a whole lot of customers who aren't going to be worried about this, and given that it only affects a small subset of Lenovo computers and has already been removed from machines that are currently shipping, I don't really see it gaining traction in the mainstream press.

It COULD impact their bottom line, especially if they continue to bungle the response. And the story COULD mushroom if anybody finds this to be a broader problem that exists on more computers, especially if it's not limited to Lenovo after all. But from what we know now, I'd expect it to go mostly unnoticed.

MarsDragon
Posts: 555
Joined: Mon Jan 20, 2014 6:30 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby MarsDragon » Thu Feb 19, 2015 5:54 pm

Well, the security guys at my job were saying that they didn't even need to crack the certificate, they could just MITM any machine with this software on it because the certificate doesn't actually bother to verify anything. I did watch them MITM a machine, complete with SSL failure and Snapfish signing the certificate anyway. EDIT: The main security guy commented on Hacker News about it, including screenshots of how broken it is.

So that's bad...but again, it's too small a proportion of computers to make anyone really sit up and take notice. Even if it is a hilarious security failure on every level.

Thad
Posts: 13279
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sun Feb 22, 2015 6:46 pm

Lots more from Ars.

Superfish doubles down, says HTTPS-busting adware poses no security risk

The statement, e-mailed to Ars by a Superfish spokeswoman and attributed to company CEO Adi Pinhas, is notable for making no reference to secure sockets layer, transport layer security, HTTPS, or any other form of encryption.


Which is interesting, because Komodia, the company Superfish hired to make the software, DOES make reference to secure sockets layer in its pitch for the software. In fact, its website explicitly referred to its software as an SSL hijacker.

Oh, and I had a feeling this was coming: no, it's not just Lenovo crapware; researchers have discovered 12 other programs that use Komodia's root cert (and password "komodia"). Including the ironically-named Keep My Family Secure.

Komodia's site is currently down due to a DDoS attack. While I stand by my prediction that this isn't going to make a major impact on Lenovo's bottom line, I think Komodia is probably going to have to change its name if it wants to stay in business.

Brantly B.
Woah Dangsaurus
Posts: 3679
Joined: Mon Jan 20, 2014 2:40 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Brantly B. » Sun Feb 22, 2015 7:02 pm

I mean it already sounds like a small country populated by toilets.

Büge
Posts: 5498
Joined: Mon Jan 20, 2014 6:56 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Büge » Sun Feb 22, 2015 8:29 pm

I was just about to say.


Thad
Posts: 13279
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sun Feb 22, 2015 11:57 pm

It probably doesn't mean that in Hebrew.

Thad
Posts: 13279
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Mon Feb 23, 2015 4:06 pm

Komodia's software's been found in Ad-Aware Web Companion too, but Lavasoft is copping to it and investigating whether any of it is still there in the latest version -- and is preparing to release a new version today if necessary.

A similar vulnerability has been found in privacy software called PrivDog; this one isn't by Komodia. (But it IS affiliated with Comodo, so you can go ahead and continue with the toilet jokes.)

It bears adding that, by their nature, programs designed to scan websites for malware have to intercept SSL traffic before it's encrypted (or after it's decrypted); otherwise they'd be completely useless on any site with an https: prefix. But there's a difference between installing a root cert that gives a security app access to your encrypted sessions and installing one that automatically trusts self-signed certs.
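A defender's check for the situation described above, as an added example that is not code from the thread or from any product it discusses: scan the local trust store for roots associated with the interception software named here. The sample entries are constructed; the company names used as search terms are assumptions, not verified certificate fields.

```python
"""Scan a certificate trust store for interception roots like the Superfish/Komodia CA.

Added example for this thread. The sample entries are constructed; the live check
reads the OS store through the standard-library ssl module.
"""
import ssl

# Search terms for the interception roots the thread mentions (assumed names,
# taken from the discussion rather than from inspected certificates).
SUSPECT_NAMES = ("superfish", "komodia", "privdog")


def _name_fields(name):
    """Flatten an ssl-style name (tuple of RDNs of (type, value) pairs) to a dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def find_suspect_roots(ca_certs, suspect_names=SUSPECT_NAMES):
    """Return common names of CA entries whose subject or issuer mentions a suspect name.

    ca_certs has the shape returned by ssl.SSLContext.get_ca_certs(): a list of
    dicts with 'subject' and 'issuer' keys.
    """
    hits = []
    for cert in ca_certs:
        subject = _name_fields(cert.get("subject", ()))
        issuer = _name_fields(cert.get("issuer", ()))
        text = " ".join(list(subject.values()) + list(issuer.values())).lower()
        if any(term in text for term in suspect_names):
            hits.append(subject.get("commonName", "<no CN>"))
    return hits


def scan_system_store():
    """Load the OS default CA store (the system store on Windows) and report suspect roots."""
    ctx = ssl.create_default_context()  # loads the platform's default CA certificates
    return find_suspect_roots(ctx.get_ca_certs())


# Constructed sample store: one interception-style root and one ordinary public root.
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("organizationName", "Superfish, Inc."),), (("commonName", "Superfish, Inc."),))},
    {"subject": ((("organizationName", "Example Public CA"),), (("commonName", "Example Root CA"),)),
     "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example Root CA"),))},
]

if __name__ == "__main__":
    print("sample store:", find_suspect_roots(SAMPLE_STORE))  # ['Superfish, Inc.']
    print("system store:", scan_system_store())
```

A hit in the system store means a locally installed root could silently re-sign HTTPS sessions, which is the condition the interception software relies on.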

Thad
Posts: 13279
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Fri Feb 27, 2015 2:49 pm

It appears that Lenovo is doing some serious course correction. Ars:

Lenovo announced today that it will stop shipping PCs with adware and bloatware and that it now aims to be the "leader in providing cleaner, safer PCs."

[...]

Lenovo's plan comes in two parts. First, the company will scale back preinstalled software. Its systems will include the operating system and any necessary drivers and software to make the hardware work (to, for example, support fingerprint readers or 3D cameras). It will also include some Lenovo applications (such as the ThinkVantage System Update software, which is a genuinely useful app for updating drivers and system firmware) and security software.

More nebulously, the company also says that in "some countries" it will include software that is "customarily expected." Our understanding is that in some markets, particularly non-Western ones, there are expectations about, for example, default browsers and search engines. The company's statement will allow it to continue to meet these expectations.

[...]

The second part of the plan is that the company will list all the software that is preloaded on its PCs and explain what each piece of software is for.


It remains to be seen what this is going to mean in real life. But if Lenovo starts shipping with something close to stock Windows, that's going to make them a hell of a lot more appealing to guys like me.

Lyrai
Posts: 617
Joined: Mon Jan 20, 2014 5:34 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Lyrai » Mon Mar 02, 2015 2:26 am

To be fair, someone internally probably told them that that's what they'd have to do to appeal to guys like you. I.E., guys who know exactly how badly and how terribly they fucked the poodle with their adware.

Thad
Posts: 13279
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Mar 04, 2015 3:22 pm

Sure. But people tell management shit like that all the time. Management doesn't usually listen.

I get your point that in a world where companies did their jobs, listened to their experts, and served their customers, this would not be considered notable or laudable. But we live in a world where this is, sadly, a pretty rare thing.

Brantly B.
Woah Dangsaurus
Posts: 3679
Joined: Mon Jan 20, 2014 2:40 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Brantly B. » Wed Mar 04, 2015 4:54 pm

I think they just realized that this is not just good PR, it's a relatively untapped market. The runaway success of "stock" mobile options like the Nexus 7 helps too.

Thad
Posts: 13279
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Mar 05, 2015 3:11 am

Doesn't hurt, but I'm inclined to believe that the Nexus line is successful because it's cheap, not because it's stock Android. If people were willing to pay full price for stock Android, then Android Silver wouldn't have tanked so hard so fast.

Brantly B.
Woah Dangsaurus
Posts: 3679
Joined: Mon Jan 20, 2014 2:40 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Brantly B. » Thu Mar 05, 2015 3:37 am

Just talking corporate reasoning, not hard facts. The Nexus 7 took off because not only is it cheap but it's actually an amazingly well-engineered piece of hardware that readily outperforms many, many tablets that are more than twice its price tag.

(The Nexus 9, on the other hand, is a rushed piece of shit that's deservedly tanking, so that tells most of the story right there.)

Thad
Posts: 13279
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Mar 05, 2015 12:16 pm

I have to figure that cost factors into corporate reasoning, though -- possibly more than any other single factor. If it didn't, there never would have been crapware on those machines in the first place.

Lenovo (presumably) can't afford to subsidize hardware the way Google can, but it's already pretty well-known for making solid (if not always pretty) hardware for relatively low prices, and my observation has been that it's been pretty hugely successful. (In addition to having something of a cult fanbase that loves the mouse nub.)

It's also been doing the "laptop that converts into a tablet" thing longer than anybody else, and while I haven't looked at the numbers I suspect that's probably the biggest growth market among Windows PCs right now.

All of which is tangential to the removal of crapware. It'll be interesting to see how low Lenovo can keep its costs -- I suspect they were probably telling the truth when they said they didn't get a substantial amount of money from Superfish; I'm betting that, per machine, the crapware doesn't make them much money and that it's more of an aggregate thing, and I'm also willing to bet that the biggest preinstall money comes from the antivirus vendors, and AV will still be included on new machines.

tl;dr I suspect Lenovo's price points to stay where they are, not rise or fall. But they're already pretty good.

I DID love my first-gen Nexus 7, and I love my Nexus 5 too. Glad I didn't end up waiting for the Nexus 9; I'm pretty happy with my Galaxy S 10.5, and I don't find the Samsung TouchWiz stuff too intrusive (I hear it's way better on the new devices than it used to be). I still intend to install CM on it if CM ever gets around to an official port (I'd rather not fuck around with the unofficial ports on XDA-Developers), but it's pretty okay out of the box.

Brantly B.
Woah Dangsaurus
Posts: 3679
Joined: Mon Jan 20, 2014 2:40 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Brantly B. » Thu Mar 05, 2015 2:35 pm

I wouldn't be too surprised if their agreement wasn't even with Superfish directly but some kind of nebulous software package provider. If that's the case the whole "we're not preinstalling any more software" thing might just mean "we canceled our contract with the agency that manages software for us and we're not getting a new one". Which is still a positive thing.

Mongrel
Posts: 21393
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Wed Apr 15, 2015 3:11 pm

Krugman: Apple and the self-surveillance state

There are possibly some reasons that things might shake out differently, but that caveat said, it's a pretty cogent analysis.

Consider the Varian rule, which says that you can forecast the future by looking at what the rich have today — that is, that what affluent people will want in the future is, in general, something like what only the truly rich can afford right now. Well, one thing that’s very clear if you spend any time around the rich — and one of the very few things that I, who by and large never worry about money, sometimes envy — is that rich people don’t wait in line. They have minions who ensure that there’s a car waiting at the curb, that the maitre-d escorts them straight to their table, that there’s a staff member to hand them their keys and their bags are already in the room.

Büge
Posts: 5498
Joined: Mon Jan 20, 2014 6:56 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Büge » Sat May 09, 2015 8:45 am

Was that website intending to alert my antivirus program?

Mongrel
Posts: 21393
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Sat May 09, 2015 12:20 pm

Quite possibly. He is using his own site as an example of how it works.