How Lenovo’s spyware works

If you’ve recently bought a Lenovo computer and you’ve been reading about “Superfish,” should you panic? Yes.

Well, no. Panic never produces useful results. But you should definitely act. If you can, return the computer and get a different brand. If you can’t, take prompt steps to remove the spyware.

The best approach is to install Windows (or Linux) from scratch, overwriting the existing operating system, and not using Lenovo’s installation package. The problem isn’t just the spyware; it’s that Lenovo has shown itself to be basically untrustworthy. Even if we assume it accepted Superfish stupidly rather than knowing it was committing a major security breach, Lenovo was notified on January 21 that Superfish used a self-signed root certificate to intercept SSL communications and didn’t respond until the publicity became overwhelming, almost a month later. Update: Superfish was reported for falsifying Google search results on Lenovo’s forums back in September 2014, though that report didn’t note the SSL hijacking.

The root certificate issue may need some explaining. The SSL certificate system, which is central to secure Web communications, relies private/public encryption keys. When you connect with authenticated HTTPS to a server, it queries the server using encrypted data, based on the public certificate. It can respond correctly only if it has the corresponding private key.

But how do you know that the certificate is authentic? The answer is “digital signing.” A key is authenticated with encrypted data from a certificate authority (CA), and the same public-private trick is used to verify the signature’s authenticity.

But isn’t that begging the question? You still need to know whether the CA is authentic. A CA’s certificate can be signed by another CA, and such chains are necessary to handle the vast number of SSL certificates on the Internet. Ultimately it comes down to a trusted source, a “root certificate.” Browsers ship with one or more root certificates, which they trust by default. If a root certificate is compromised, the whole system comes crashing down. It can claim that fake certificates are genuine and allow impersonation of websites that collect your credit card numbers and other personal data.

Lenovo’s Superfish installs a rogue root certificate. It uses it to intercept your secure communications and modify them. It “self-signs” the certificate, so your browser will trust it. You think you have a secure, private channel to a site like Google, but Superfish is listening to every bit you transfer. This is what’s known as a “man in the middle” attack. It decrypts your data, does things with it, and then re-encrypts the modified data and sends it on its way.

Lenovo is intercepting secure communication by feeding users false data. I’m no lawyer, but shouldn’t that be grounds for criminal charges?

The private key is on the computer which runs Lenovo’s subverted version of Windows. It’s password protected, but a little reverse engineering of the software has turned up the password, which is a rather weak one and is now all over the Internet. This means that others can impersonate the impersonator, doing far worse things than injecting ads into your browser.

The CA system is inherently fragile. Superfish isn’t the first to have thought of this scam. There are lots of opportunities for criminals and governments (pardon the redundancy) to steal information this way.

It appears that Lenovo’s removal package, introduced after intense public pressure, removes the Superfish software but not the bogus certificate.

Lenovo has been shamelessly lying:

There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish’s software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed.

Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly.

Where do we start? Lenovo makes unspecified claims about “false and misleading statements” without denying anythying in particular. The issue isn’t merely a “security risk,” but an actual, willful breach. Whether it shares the intercepted data with a third party is irrelevant. The claim that a software bug “unintentionally” created the forged certificate and man-in-the-middle interception is ludicrous.

The “third party” in question is a company called Komodia, which devised the interception technology and used its own name as the password for the bogus certificate. According to Forbes, Komodia’s founder, Barak Weichselbaum, “was once a programmer in Israel’s IDF’s Intelligence Core.” Komodia used to offer an “SSL hijacker,” no longer on their website although the Internet Archive still has the page. Komodia explains that “the hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.” Purely unintentionally, of course.

Just by the way, here’s a filk on the subject:

Superphishin’

Words: Gary McGath, Copyright 2015

Music: “Superchicken”

When your data is in danger,
When it’s picked up by a stranger,
And they never asked for your permission,
There is someone you can blame
For putting spyware on your disk:
Lenoooooooooovo’s Superphishin’!
 
If it looks like you have well and truly caught it,
You should have known it was infected when you bought it.
 
Now you understand the risk
Of SSL faked on the disk;
A painful death for them is what you’re wishin’.
There is someone you can blame
For putting spyware on your disk:
Lenoooooooooovo’s Superphishin’!
Lenoooooooooovo’s Superphishin’!

Posted in Tech. Tags: , , , . Comments Off on How Lenovo’s spyware works

Urban legends are contagious

A couple of days ago I saw a tweet claiming that people in California are throwing “measles parties” to deliberately expose their children to measles. It linked to a story on the LA Times website. All the responses that I saw to the tweet were about how dumb those people are.

There’s only one problem: The article actually says there have been no reports of measles parties. The article presents a warning by state epidemiologist Dr. Gil Chavez, but states:

Chavez issued the statement after KQED reported that a Marin County mother had been invited to expose her two young children to a child who had contracted measles. The mother, [redacted], whose 6- and 8-year-olds are not vaccinated, told KQED that she declined the offer.

The Times was not able to reach [redacted] on Monday and has not been able to confirm that any measles parties have taken place.

The added emphasis is mine, and I’ve redacted the mother’s name since I don’t want to add to the wave of harassment she’s undoubtedly going to get from morons.

How can anyone read that article and think that people are actually holding measles parties? Credulous people read not the words in the article, but what they want to believe. A lot of people want to think (not entirely without reason) that the anti-vaccination crowd is stupid, so they’ll look at an article and see only the warning against “measles parties,” possibly not even reading past that sentence, and invent the rest in their heads.

(People did once deliberately expose their children to measles, chicken pox, and the like, figuring they’d get those diseases anyway, and it might as well be at a planned time. That was a different time, though, when vaccines weren’t widely available or didn’t exist at all. It also doesn’t help that in some cases, the site throws a pop-up in front of the story saying it doesn’t like your browser.)

People can even be credulous about unsupported claims of the existence of unsupported claims. Recently on Google+ I saw a post whose headline said that somebody was asserting that there are 300 million 5-year-old prostitutes in the US. It linked to an article that didn’t cite anything close to that claim being made by anyone. The author might have intended the headline as obvious hyperbole, but commenters accepted that someone was making that claim, and the Google+ poster didn’t bother to correct them.

When a story is in line with people’s prior assumptions, they’ll very often swallow it without any critical thought. It fits their narrative, so it must be true. I have to watch out that I’m not doing the same thing. At first I though that Darren Wilson’s shooting of Michael Brown in Ferguson was a typical case of unjustified police violence, but the evidence I’ve read about since then clearly discredits the story of an unresisting Brown saying “Don’t shoot!” The story was plausible, because of irregularities in the police investigation and the Ferguson police’s horrible record, but it wasn’t true. It took me a while to realize that, and many people are still convinced it’s true in spite of the forensic evidence.

Perhaps we need to be especially careful when our first reaction to a report is “Just as I expected!” What we expect isn’t always true.

Posted in General. Tags: , . Comments Off on Urban legends are contagious

Requests vs. demands

When people in the filk community need help, I sometimes try to help out, by assisting personally, providing money, or publicizing the situation. The community and the people in it are important to me, and I believe in voluntary assistance as a matter of good will. Once in a great while, though, I’ll see a request containing a statement that amounts to: “I shouldn’t really have to ask for this. I should get it from the government as a matter of entitlement.” When it’s put in those terms, it becomes a demand, and I ignore it.

Offering help is a transaction, but the price I ask isn’t high; it’s simply the recognition that I acted freely out of good will and out of recognition of the recipient’s value. Or to put it more simply, gratitude and respect for my autonomy. Anyone who claims to be entitled to my money is saying I’m just a cash source to tap.

It isn’t a deal-killer if you just think you’re entitled to my money. I might enjoy shocking you by showing that people are willing to help without a gun pointed at their heads. But if I think you’ll interpret my help as recognition of your claim upon me, forget it. I’m not the Bishop of Digne.

Posted in General. Tags: , . Comments Off on Requests vs. demands

Review: Swann Viewcam

Looking for something to augment my home security, I picked up a Swann Viewcam. It’s offered as a basic home security camera with local storage and Wi-Fi capabilities. The idea is good, and the camera itself doesn’t seem too bad, but the software makes it a disaster. First I downloaded the Mac application. It’s unintuitive, without text labels on its controls. It provides no reliable status indication for the device. Sometimes it would say the device was “off,” but at other times it would just show the last image received. If it’s monitoring an empty room, it can take a while to realize that nothing is being updated. The camera’s Wi-Fi range is poor, even in a relatively small home like mine.

The iOS application is even weaker, and it bombards you with ads. (Have they forgotten that the people using it have just paid them a fair amount of money for the device?) It doesn’t provide any status indication beyond showing incoming video or not. It required me to log in repeatedly; that isn’t even a security feature, since it pre-loaded the user and password fields and just made me tap “Log in” to continue.

All this wouldn’t be fatal if the device and software performed their basic function of storing video. Last night I noticed no files were being stored, but I let it run overnight just to be sure. This morning there were still no files stored in the folder I’d designated. I’d put a Micro SD card into the device to store video locally; that likewise had nothing on it.

Zero stars. This device will soon be going back to the store.

Posted in General. Tags: , . Comments Off on Review: Swann Viewcam

Toward a renewed liberalism

The word “liberal” has many meanings and even more meaningless usages. My trusty Merriam-Webster includes the definition “not bound by authoritarianism, orthodoxy, or traditional forms,” and that’s what I’m focusing on here. “Liberalism” as a political camp includes many positions which aren’t at all liberal in this sense, but for a long time it included a genuinely liberal stream of thought, including support for free speech and equality under the law.

Lately, many who used to call themselves “liberal” have rebranded themselves as “progressive.” This term recalls the early 20th century movement, best known for Woodrow Wilson, which promoted such illilberal values as censorship, war, racism, and prohibition. Few if any neo-progressives have given rejection of liberal values as their reason, and the trend hasn’t followed clear ideological lines, but there’s a case for drawing a distinction between the old liberals, who were genuinely liberal in some respects, and the new progressives, who are much less often so.

The big shift has been in attitudes toward free speech. Progressives generally despise the Citizens United decision, which says that people keep their free-speech rights when they act through corporations. Some want to make First Amendment exceptions for ill-defined “hate speech.” Public colleges and universities, once centers for free-wheeling debate and disagreement, have imposed Constitutionally dubious speech codes and sometimes even restricted controversial views to tiny “free speech zones,” with permits to speek freely required in advance.

The liberal ideal goes beyond issues of law. It includes tolerance in non-governmental institutions of people expressing opposing views. It expects employers not to care about their employees’ private views as long as they keep them separate from their work. It urges communities to accept people of any religion or none and to tolerate even deservedly unpopular people.

It’s an ideal that has lost ground. Mozilla forced CEO Brendan Eich out because it didn’t like his past political contributions, and progressives cheered. I routinely see vicious denunciations on the Internet of every Republican in the country. Some science fiction conventions have adopted “harassment policies” which prohibit insulting and embarrassing speech. An often-quoted article on Vox, titled “The truth about “political correctness” is that it doesn’t actually exist” suggests that dismissing any claim of offense as silly demonstrates only insufficient sensitivity.

People who are liberal on these issues haven’t disappeared; they’re just on the defensive. Many of them don’t know how to answer the charge of “insensitivity.” They don’t like the prospect of being insulted and smeared. Many of them have juggled a mix of inconsistent views throughout their lives, which makes it harder to take a principled and consistent stand. Many people are liberal only when it’s convenient; they’ll march for free speech in Paris one day, then call for Internet censorship to “fight terrorism” the next. If they marched for a better reason than just show, they need to learn consistency.

In spite of the difficulties, there’s room for a renewal of liberalism. Many political liberals, conservatives, libertarians, and even socialists believe in this ideal; we don’t have to agree with each other on everything to make this a common cause. In fact, we have an advantage. The people who can’t stand any dissent from their line can unite only with people who agree with them on everything. When people who hold differing views stand up together against censors, it’s going to bewilder them.

Many people find it hard to separate their personal opinion of people from the way they should be treated in a public context. Tolerance is not approval. This distinction is at the heart of the liberal ideal, but it doesn’t come naturally to people. Tribalism, the division of the world into “my people” and “those ‘people,'” comes more easily. However, a society in which censure doesn’t lead to censorship offers huge rewards and is worth working for.

Posted in General. Tags: , . 9 Comments »