How Lenovo’s spyware works

If you’ve recently bought a Lenovo computer and you’ve been reading about “Superfish,” should you panic? Yes.

Well, no. Panic never produces useful results. But you should definitely act. If you can, return the computer and get a different brand. If you can’t, take prompt steps to remove the spyware.

The best approach is to install Windows (or Linux) from scratch, overwriting the existing operating system, and not using Lenovo’s installation package. The problem isn’t just the spyware; it’s that Lenovo has shown itself to be basically untrustworthy. Even if we assume it accepted Superfish stupidly rather than knowing it was committing a major security breach, Lenovo was notified on January 21 that Superfish used a self-signed root certificate to intercept SSL communications and didn’t respond until the publicity became overwhelming, almost a month later. Update: Superfish was reported for falsifying Google search results on Lenovo’s forums back in September 2014, though that report didn’t note the SSL hijacking.

The root certificate issue may need some explaining. The SSL certificate system, which is central to secure Web communications, relies private/public encryption keys. When you connect with authenticated HTTPS to a server, it queries the server using encrypted data, based on the public certificate. It can respond correctly only if it has the corresponding private key.

But how do you know that the certificate is authentic? The answer is “digital signing.” A key is authenticated with encrypted data from a certificate authority (CA), and the same public-private trick is used to verify the signature’s authenticity.

But isn’t that begging the question? You still need to know whether the CA is authentic. A CA’s certificate can be signed by another CA, and such chains are necessary to handle the vast number of SSL certificates on the Internet. Ultimately it comes down to a trusted source, a “root certificate.” Browsers ship with one or more root certificates, which they trust by default. If a root certificate is compromised, the whole system comes crashing down. It can claim that fake certificates are genuine and allow impersonation of websites that collect your credit card numbers and other personal data.

Lenovo’s Superfish installs a rogue root certificate. It uses it to intercept your secure communications and modify them. It “self-signs” the certificate, so your browser will trust it. You think you have a secure, private channel to a site like Google, but Superfish is listening to every bit you transfer. This is what’s known as a “man in the middle” attack. It decrypts your data, does things with it, and then re-encrypts the modified data and sends it on its way.

Lenovo is intercepting secure communication by feeding users false data. I’m no lawyer, but shouldn’t that be grounds for criminal charges?

The private key is on the computer which runs Lenovo’s subverted version of Windows. It’s password protected, but a little reverse engineering of the software has turned up the password, which is a rather weak one and is now all over the Internet. This means that others can impersonate the impersonator, doing far worse things than injecting ads into your browser.

The CA system is inherently fragile. Superfish isn’t the first to have thought of this scam. There are lots of opportunities for criminals and governments (pardon the redundancy) to steal information this way.

It appears that Lenovo’s removal package, introduced after intense public pressure, removes the Superfish software but not the bogus certificate.

Lenovo has been shamelessly lying:

There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish’s software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed.

Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly.

Where do we start? Lenovo makes unspecified claims about “false and misleading statements” without denying anythying in particular. The issue isn’t merely a “security risk,” but an actual, willful breach. Whether it shares the intercepted data with a third party is irrelevant. The claim that a software bug “unintentionally” created the forged certificate and man-in-the-middle interception is ludicrous.

The “third party” in question is a company called Komodia, which devised the interception technology and used its own name as the password for the bogus certificate. According to Forbes, Komodia’s founder, Barak Weichselbaum, “was once a programmer in Israel’s IDF’s Intelligence Core.” Komodia used to offer an “SSL hijacker,” no longer on their website although the Internet Archive still has the page. Komodia explains that “the hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.” Purely unintentionally, of course.

Just by the way, here’s a filk on the subject:


Words: Gary McGath, Copyright 2015

Music: “Superchicken”

When your data is in danger,
When it’s picked up by a stranger,
And they never asked for your permission,
There is someone you can blame
For putting spyware on your disk:
Lenoooooooooovo’s Superphishin’!
If it looks like you have well and truly caught it,
You should have known it was infected when you bought it.
Now you understand the risk
Of SSL faked on the disk;
A painful death for them is what you’re wishin’.
There is someone you can blame
For putting spyware on your disk:
Lenoooooooooovo’s Superphishin’!
Lenoooooooooovo’s Superphishin’!

Posted in Tech. Tags: , , , . Comments Off on How Lenovo’s spyware works

Kickstarter project: Files That Last

After lots of planning, preparation, and nervousness, today I’m launching a Kickstarter campaign to help fund the completion and publication of my e-book, Files That Last! This is a book to explain the importance of keeping digital data alive for a long time and how to do it. I’m dragging preservation out of the library niche where it’s been so long and creating an e-book for “everygeek.”

If you want to fund the project ($10 will get you a DRM-free copy when it comes out), I’ll be grateful. If you can spread the word in appropriate places, that would be even better. I’m already making good progress on it and have pledged, if the project is funded, to have it out in the spring. The Files That Last page has two banners with HTML which you can paste where you think it will do the most good.Banner: I'm a preservation geek / Support Files that Last

I’ll be looking for professional proofreading and cover design and will pay real money for it. If you can recommend someone who can do either, let me know.

Paraphrasing Abby, “You’ll have your files for all time if you read FTL!”

Posted in Tech. Tags: , , . Comments Off on Kickstarter project: Files That Last

The anti-Agile manifesto

This post is a big shift from what I’ve been writing here before, but it’s my blog and I can do that if I want. :) Besides, I’m sure there are regular readers who are interested in this topic.

Lately I’ve been exposed more than I like to something called “Agile Development.” It’s a software development methodology which codifies the bad habits of many programmers. Its founding document is the “Agile Manifesto.” Its main tenets are brief:

We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
That is, while there is value in the items on the right, we value the items on the left more.

Expressions like the last one nearly always mean “We don’t care about the items on the right.”

The first point is meaningless. Individuals are the ones who do the work. Processes are how they do it. They aren’t commensurable. Placing either one “over” the other just doesn’t mean anything. And really, today’s world is much too interactive for effective software development. Programmers need to be able to concentrate, not to be interrupted every five minutes with e-mail and instant messages and constantly shifted from one task to another.

The second disparages documentation. If you’ve ever tried to work with uncommented, undocumented code, you know what a pain it is. Working software that subsequent programmers can’t figure out doesn’t stay working.

“Customer collaboration over contract negotiation” actually does make sense, and it’s what attracts people to agile development. But watch out for everything else that comes with this package deal.

A plan for developing software should include allocating time and resources for responding to change, but just reacting to changes can’t replace planning.

The Agile line depends heavily on a straw man. If you don’t use Agile, its proponents tell us, you have to use Waterfall. Then we must have been using Waterfall all our lives, being ignorant of the glory of Agile. What? You’d never heard of it till the Agile people told you? Neither had I. Wikipedia tells us (as of this writing, the always-necessary caveat with that source) that “[s]ince no formal software development methodologies existed at the time, this hardware-oriented model was simply adapted for software development.[citation needed]” Adopted by whom? Citation needed, indeed. In the Waterfall approach, you gather all requirements, then you do the design, then you implement it, then you verify it, and finally you go into maintenance. There is no overlap; one stage must finish before the next starts. This seems to mean you don’t do any prototyping during the first two stages, and you don’t test the code until it’s completely written. You always do development this way, don’t you? No? I don’t either. Maybe those people doing secret government contracts are the ones who do. That would help explain why they cost so much.

Less formally, Agile means things like putting the emphasis on getting something that demonstrates some functionality over sustainable design. Agile advocates tend to say that planning for future refactoring of code is a waste of time. If you have to change data bases down the line, you’ll just throw the whole thing out and start over anyway. If the code was written on those assumptions, that will be all you can do.

In my long experience in software development, certain things are consistent, and they aren’t Waterfall. Managers want software rushed out, often on the basis of inadequate specifications. They want something now, and they’ll worry later about having something maintainable. Developers don’t like to comment their code and don’t particularly like to take the trouble of planning for flexibility from the start.

I do have to grant the strength of the third point again, the one that carries all the nonsense along with it. Software managers like to keep programmers in isolation. They’re afraid of what we’ll say to the users: things like “That’s a bad idea” or “It’ll take a long time to implement that for very little benefit” or “why not do this instead?” There’s a common saying among programmers: “I must be a mushroom. They keep me in the dark and feed me bullshit.” Grabbing on to an argument for actually talking to the users, and seeing their bad habits confirmed, they’re naturally attracted to Agile.

But we’re also the programmers who have to maintain the previous developers’ uncommented, unplanned spaghetti code, and that isn’t fun. We’re the ones who’ll have to deal with unexpected changes later on, and that will be hard if we wrote novella-sized subroutines that do everything. We should be pushing the idea of communicating with users without swallowing the whole package of bad design practices. Maybe that could have its own buzzword. Sensible Development, anyone?