Slashdot Mirror


Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps

Ars Technica reports on the continuing revelations about the same junkware that Lenovo has shipped on its computers, which is now known to be present in at least 14 pieces of software. "The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider. ... What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Matt Richard, a threats researcher on the Facebook security team, wrote in Friday's post. "Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."

113 comments

  1. List 'em in the summary, slashdot. by Anonymous Coward · · Score: 5, Interesting

    List 'em in the summary, slashdot.

    1. Re:List 'em in the summary, slashdot. by DarkOx · · Score: 5, Informative

              CartCrunch Israel LTD
              WiredTools LTD
              Say Media Group LTD
              Over the Rainbow Tech
              System Alerts
              ArcadeGiant
              Objectify Media Inc
              Catalytix Web Services
              OptimizerMonitor

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:List 'em in the summary, slashdot. by Anonymous Coward · · Score: 0

      That would make it too easy for the readers.

    3. Re:List 'em in the summary, slashdot. by Anonymous Coward · · Score: 1

      More importantly, they wouldn't get their cut of the ad revenues generated after sending people to other sites.

    4. Re:List 'em in the summary, slashdot. by Anonymous Coward · · Score: 3, Insightful

      That's supposed to be the list? Thanks, Ars Technicrap. Not only is that not "at least 12", the few things on that list that are actual software are already known to be malware.

    5. Re:List 'em in the summary, slashdot. by Anonymous Coward · · Score: 0

      You cannot expect much out of Ars, their security editor (Dan Goodin) is a writer with no background in computer security. He pretty much posts other people's stuff without being able to identify the chaff from the wheat. Pure click bait.

    6. Re:List 'em in the summary, slashdot. by sectokia · · Score: 1

      Check out his recent article in which he 'verifies' the security of a binary by checking it with a train of trust that goes back to a root certificate.... that was downloaded with the binary.... ahahahah. But yeah, Ars are basically full social justice warriors now. Every so often they post some article about how they are 'taking a stance' on some fad of the day. Anything to rustle up new customers.

    7. Re:List 'em in the summary, slashdot. by Deathlizard · · Score: 2

      So basically, all of the names make it look like it's an Adware firm. Awesome.

      Is this really news to the security community at this point? I've been saying that Adware is a virus for almost a decade now and they're finally starting to see it?

      Does this mean that the AV firms (MS, McAfee, Norton, etc.) are finally going to get tough on adware infections? Something tells me no. I'll believe it when Conduit, Dealio, Wajam and the like get flagged by more than 1/2 of the AV vendors out there.

    8. Re:List 'em in the summary, slashdot. by Anonymous Coward · · Score: 0

      The difference between adware vendors and malware vendors is that adware vendors are like that fast-talking door-to-door vacuum bed salesperson who stomps a foot in the door and muscles in, in order to demand someone see their wares, while malware is the overt home invader with the sawed-off 12 gauge.

      I treat both the same, even though one is quasi-legal and the other is not. Ads get blocked via extensions, router ACLs, blacklists via SpywareBlaster, and hosts files; click-to-play is used for everything else; and I run my browser in a sandbox, and that in a VM, so no matter how compromised the VM gets... that junk stays in the virtual machine and won't affect the VM where I am doing work.

  2. Mossad connection by Anonymous Coward · · Score: 4, Interesting

    CartCrunch Israel LTD
    WiredTools LTD
    Say Media Group LTD
    Over the Rainbow Tech
    System Alerts
    ArcadeGiant
    Objectify Media Inc
    Catalytix Web Services
    OptimizerMonitor

    Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored. That would also help explain why Homeland Security put out urgent guidance to remove the crapware and even Microsoft added detection directly to their anti-malware tools. NSA doesn't like being upstaged on its own turf.

    1. Re:Mossad connection by Anonymous Coward · · Score: 1, Funny

      But Israel is an ally.

    2. Re:Mossad connection by Anonymous Coward · · Score: 1, Insightful

      Israel is an "ally" only to the extent we allow them to be in order to serve our own interests. Mossad isn't a friend so much as the (irresponsible and unhinged) enemy of an enemy.

    3. Re:Mossad connection by wiredlogic · · Score: 4, Insightful

      They're a paper ally because they provide a convenient way to funnel our "aid" money into domestic arms production. A state that is always at war always needs bullets and we're only too happy to buy them on the American taxpayer's behalf, "gratis". This helps float the MIC when we're in between wars. Holocaust guilt prevents any criticism from gaining public traction.

      --
      I am becoming gerund, destroyer of verbs.
    4. Re:Mossad connection by ChunderDownunder · · Score: 0

      Ziva David is still hot though, right?

    5. Re:Mossad connection by msauve · · Score: 2, Interesting
      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:Mossad connection by Anonymous Coward · · Score: 0

      ICQ was the original mossad spyware and they've been at it ever since.

      I wonder. How many American tax dollars did Israel funnel to China (Lenovo) to get this stuff installed on PCs?

    7. Re:Mossad connection by Anonymous Coward · · Score: 0

      > Holocaust guilt prevents any criticism from gaining public traction.

      To be fair, there are plenty of militant Islamists in Palestine not so different from ISIS who'd happily repeat the Holocaust.

      I don't like some of the heavy-handed things Israel has done but the people they're up against aren't exactly nice....

    8. Re:Mossad connection by Anonymous Coward · · Score: 0

      There are plenty of militant anti-Semites in just about every country who would happily repeat The Holocaust. Your statement is meaningless. Need I remind you that Hitler had no particular faith?

    9. Re:Mossad connection by Anonymous Coward · · Score: 0

      Ha, what a joke. Superfish is a mistake - kiddie part-timer work. Look up "Turbine". Look up the NSA's fast response to the Sony hack. They intercepted the SK's program, grabbed their data, used the SK program as a dropper for the NSA program.
      The NSA program can flash permanently any HDD. FOREVER!! Only physical destruction of the drive can remove it.
      The NSA will use this kiddie stuff but mostly it's too lowly to even care about.

    10. Re:Mossad connection by Severus+Snape · · Score: 3, Insightful

      Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored. That would also help explain why Homeland Security put out urgent guidance to remove the crapware and even Microsoft added detection directly to their anti-malware tools. NSA doesn't like being upstaged on its own turf.

      I love a good conspiracy as much as the next one but calm yourself. No idea why you got the + mod points. Jumping to random conclusions based on conjecture is silly. That said, I'm sure MOSSAD likes to get up to all kinds of evil shit. Just like their Five Eyes, Russian, and Chinese colleagues do. Homeland Security and Microsoft reacted to Superfish because the information was in the public domain. In the same way we are reacting to it by discussing it right now.

    11. Re:Mossad connection by Blaskowicz · · Score: 1

      The relationship "is an enemy of an enemy" is so far-reaching that Israel is an enemy of an enemy of Iran, Iran is an enemy of an enemy of the US and the US is an enemy of an enemy of Israel. So, Iran and the US should ally to destroy Israel, or the US and Israel should ally to destroy Iran, or Iran and Israel should ally to destroy the US. Or have everyone kill each other, but it isn't easy to ensure total destruction of everyone in this scenario. More satisfying solutions are "do nothing" (no one dies), or everyone nukes itself (no cheating).

    12. Re:Mossad connection by cavreader · · Score: 2

      They are an ally because they have developed several weapons technologies that the US military uses. They are US allies because the US intelligence community comes in a distant second place when it comes to collecting data in that part of the world and need Israel to provide the information they are incapable of collecting on their own. They are US allies because it is the only thing keeping Israel from selling their weapons technology on the open market. China has already shown interest in the Israeli missile and drone technologies. And countries do not have friends they have interests and the Israeli and US interests are pretty well aligned most of the time.

    13. Re:Mossad connection by Anonymous Coward · · Score: 0

      "Holocaust guilt"

      Yeah. Can we not do that anymore, I had no part in it.

    14. Re:Mossad connection by Anonymous Coward · · Score: 0

      This Komodia/Superfish crap is likely Mossad sponsored

      Sure, because China and the United States were never involved in electronic espionage in any form.

      http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

    15. Re:Mossad connection by Demonoid-Penguin · · Score: 2

      Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored.

      Yep. Definitely Mossad. Coz who else would use Komodia as the certificate password. Not enough proof? The guy who runs Komodia used to be a programmer for Mossad. (till they gave him the boot for being a moron)

      In other news, spyware modules in an attack against a movie studio prove it was North Korea - obviously pissed about an intelligent blockbuster satire that threatened to provoke a rebellion. Don't listen to those communists like Krebs who peddle the SAAS malware lie.
      Still not convinced it's all a simple plot even an idiot with the attention span of a goldfish on amphetamines in a shopping centre sees right through? Those North Koreans (commie bastards) used the same IP addresses to launch their attack (don't listen to the commie lies about how they are commonly used anonymous proxies).

      Komodia is a woody word! And so is Disney! AND Komodia == comode == toilet. And we all know what Walt used glass tables for!
      Seven Dwarfs == Seven Secret Agencies! Those damn shape-shifting lizard people are pissing with us!

      P.S. Do not believe those commie "false flag" lies either... (compilation time stamps can't be faked).

      As the guy living in the local bus shelter told me, "It's all connected." And he would know.

    16. Re:Mossad connection by Anonymous Coward · · Score: 0

      It's well documented that Hitler was Catholic; Hitler had a very particular faith.

    17. Re:Mossad connection by Anonymous Coward · · Score: 0

      Only on Slashdot does dog whistle antisemitism get considered "Insightful"!

    18. Re: Mossad connection by Anonymous Coward · · Score: 0

      FYI: the Israelis already have a CA in your browser. StartCom.
      And unlike the other CAs, this one is not motivated by profit, but it gives away certificates for free to anyone who asks.

    19. Re:Mossad connection by PlusFiveTroll · · Score: 2

      Gentlemen, you can't fight in here! This is the War Room!

    20. Re: Mossad connection by Anonymous Coward · · Score: 0

      They didn't have to funnel monies there. Several years ago, right after China bought the IBM computer group, there was a high-level delegation group visit to Israel from China; no one security-wise knew what it was about. Remember China is one country that likes to know what is going on, and not have to pay for it. Maybe?

    21. Re: Mossad connection by jjo · · Score: 1

      Not only on Slashdot, more's the pity.

    22. Re:Mossad connection by jafac · · Score: 1

      oooh. someone "gets it". Finally.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  3. If the software is this bad by fustakrakich · · Score: 4, Interesting

    I would contend there are problems in the hardware also. This one runs deep. Everything on the market needs further inspection. More so now with all the governments demanding backdoors.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:If the software is this bad by jones_supa · · Score: 4, Informative

      It's becoming too complicated to verify everything. Last week it was revealed how NSA has a spyware kit for firmwares of all HDD brands. It's getting pretty crazy.

    2. Re:If the software is this bad by fustakrakich · · Score: 1

      Sounds like computer cleanup is a great business opportunity.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:If the software is this bad by Anonymous Coward · · Score: 3, Insightful

      Sure, but in the bigger picture, the lion's share of all these security problems lies firmly in Windows' lap. It's almost impossible to imagine an app with this Komodia garbage getting signed by Apple, or inserted into a Linux/BSD repo.

      We're not even talking about PEBKAC here, it's an extraordinarily serious issue that affects the entire Windows ecosphere because it's prepackaged. Every box that ships with Windows comes from a vendor who only cares about making a few extra cents per unit.

      Notice I didn't necessarily say Microsoft was to blame, just that using Windows is like playing Russian roulette with your financial and social well-being. "It's getting pretty crazy" because just by booting up a Windows system means 5 of the 6 chambers have a bullet.

    4. Re: If the software is this bad by Anonymous Coward · · Score: 0

      Goto fail.

    5. Re: If the software is this bad by Anonymous Coward · · Score: 0

      Yes, but an end user on other platforms like OS X can install downloaded software just like Windows. App Store apps are vetted and sandboxed, but that really limits what they can do, so will not become the default anytime soon.

  4. NSA much? by Anonymous Coward · · Score: 0

    I smell the hand of a three-letter agency? Or perhaps this is too gauche a manoeuvre and they'd be more subtle than this?

  5. Legality by BitZtream · · Score: 5, Interesting

    I'm fairly certain just installing this software is illegal.

    It's not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

    It violates the same laws that were used to put Kevin Mitnick in jail (and let's be clear, he deserved it), unauthorized access to a computer system and unauthorized access to data flowing across a network.

    Hang 'em high, I say. Bring Lenovo's leaders out to the chopping block, as well as the leadership of the companies who made any other software that works like this. It's a scam from the very beginning; there's no 'well, maybe it's not bad' or 'maybe it was an accident' to it. This is outright bullshit behavior by companies trying to sell a product to someone and then turn that someone into the product for someone else. The entire legal system AND THE PUBLIC need to come down on this like a ton of bricks and make it clear that it's unacceptable and will not be tolerated. And by not tolerated I mean 'you will be jailed, not fined'.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:Legality by Dunbal · · Score: 2

      The law does not and should not shield you from breaking the law.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Legality by Anonymous Coward · · Score: 0

      C does not protect you from buffer overflow. Should it? Or would that be an infringement on my freedoms?

    3. Re:Legality by Anonymous Coward · · Score: 0

      Should it?

      No, you should git gud, scrub, and stop writing shit code.

    4. Re:Legality by oodaloop · · Score: 2

      Hang'em high, I say. Bring Lenovo's leaders out to the chopping block, as well as the leadership of the companies who made any other software that works like this

      Yeah! And while we're at it, I'd like a pony. A white one.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    5. Re:Legality by DarkOx · · Score: 2

      Yes, it would infringe on your freedoms. It's the MMU's job to enforce the law, not Big Brother compilers.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:Legality by Anonymous Coward · · Score: 2, Funny

      git: 'gud' is not a git command. See 'git --help'.

    7. Re: Legality by jd2112 · · Score: 4, Funny

      Careful. That pony could be a Trojan Horse. Albeit a small one.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    8. Re:Legality by gnasher719 · · Score: 3

      Its not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

      Says who?

      What is confusing you is that the sale isn't completed until you accept the EULA. It may be true that you can't read the EULA when you hand over the money, but in that case you can take the computer or software home, read the EULA, decide that you don't want to accept it, take the computer back to the store and get your money back.

      That said, a computer which allows a third party to read for example a credit card number that I enter into my browser, is not "fit for purpose", and on these grounds you should be able to return it to the seller and get your money back if you live in the EU or some other places.

    9. Re:Legality by Anonymous Coward · · Score: 0

      My recollection of the law is that the inability to read the EULA simply means that any returns policy is unenforceable and the vendor needs to accept a return.

      I've never seen a court decision that magically invalidates the EULA which is presented on first start-up or in paper form in the box.

    10. Re:Legality by Anonymous Coward · · Score: 0

      Lenovo says Superfish is a TRUSTe certified third-party software vendor.

      What Does the TRUSTe Seal Mean?
      The TRUSTe seal is a signal that this website adheres to privacy best practices and values your online privacy.

      What good is TRUSTe certification? How much would it cost a malware lab to acquire TRUSTe certification?

    11. Re:Legality by thegarbz · · Score: 1

      Its not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

      Do you have a citation for that? I'm pretty sure the courts have ruled nothing of the sort. Now I've heard the ruling that someone can't refuse a refund in full for a product where the EULA could not be read before the purchase, but I have never heard of a EULA being invalidated unless there was no way to signify acceptance. What I mean by that is "By turning this product on you agree to our EULA" is invalid, but turning the product on, being presented with the EULA and then being given the option to accept is perfectly fine.

    12. Re:Legality by Anonymous Coward · · Score: 0

      Its not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

      Says who?

      What is confusing you is that the sale isn't completed until you accept the EULA. It may be true that you can't read the EULA when you hand over the money, but in that case you can take the computer or software home, read the EULA, decide that you don't want to accept it, take the computer back to the store and get your money back.

      Very true. Although you might have to download the EULA to read it, just in case breaking the seal on the cardboard box constitutes EULA acceptance.

      That said, a computer which allows a third party to read for example a credit card number that I enter into my browser, is not "fit for purpose", and on these grounds you should be able to return it to the seller and get your money back if you live in the EU or some other places.

      That depends on what you agreed to as far as the OS and who defines "fit for purpose". If the browser is capable of encryption and it makes a successful connection to your banking system, then it likely meets the legal definition. Otherwise, one could argue all damn day as to what "purpose" a browser has these days, or more importantly, what it is legally forced to provide.

    13. Re:Legality by Anonymous Coward · · Score: 0

      So if I get my 12-year-old nephew to set up my computer because I'm "bad with computers" and he is "good with computers" and he clicks through the EULA, am I legally bound? I didn't accept it and my nephew is too young to be bound by a contract, so what happens?

    14. Re:Legality by Anonymous Coward · · Score: 0

      Exactly. It's a hardware issue. Our machines are junk.

    15. Re:Legality by NotFamous · · Score: 1

      Hang'em high, I say.

      Sorry, they are too big to fail.

      --
      Some settling may occur during posting.
    16. Re:Legality by Anonymous Coward · · Score: 0

      What is confusing you is that the sale isn't completed until you accept the EULA. It may be true that you can't read the EULA when you hand over the money, but in that case you can take the computer or software home, read the EULA, decide that you don't want to accept it, take the computer back to the store and get your money back.

      Isn't it clever how lawyers disguise unethical practice of law?

      The legal profession is in a position of ethical conflict of interest with respect to the nature, scope, and form of contract law. Allowing a sale to be reclassified as a contracting event is a really clever way to broaden the scope of contract law, and make the legal system as a whole more complex, harder to understand, perhaps even contradictory.

      The more complex the law, the more far reaching the law, the greater the demand for the services of legal professionals. It's not a conspiracy, but simply a lot of unethical people. Not much different from the slave owners in the South, when you think about it.

      The use of software could be governed by a pretty simple law, instead of an ugly and complex mix of law, precedent, and contract, but where's the fun in that?

      The real question is: why are you dumb enough to fall for this? Why are Americans dumb enough to allow their lawyers to create a Land of the Lawsuit? Why are they dumb enough to let their lawyers create all kinds of abusive provisions in contract law, in property law, in copyright law, in patent law?

      We won't say anything about the 2700 pages of law text making up the federal tax code (let alone the 70k pages of history, rulings, policies, and commentary that underlie it).

      Dumber than rocks.

  6. Build your own by Anonymous Coward · · Score: 1

    Which is why you should always build your own system.

    Woz was right.

  7. Block off programmatic access to cert trust. by mysidia · · Score: 3, Interesting

    The browsers/OSes should harden by eliminating the ability for 3rd party software to automatically install a certificate or CA as trusted into the system database. They should also remove any functionality that allows a 'globally' wildcarded certificate to be deployed to the browser.

    Basically, when the computer's hostname is assigned, or during user profile creation, the trusted certificate store should be reinitialized with only stock certificates approved by the OS maker or browser vendor.

    A machine-specific keypair should be generated and used to stamp all the certificates with a local trust signature.

    Any access to the machine keypair / stamp should be available only through an interactive approval process.

    Sysprep'ing an image or changing the product key should invalidate the local trust mark and require manual re-approval of all certs not in the browser vendor's official trust list.

    1. Re:Block off programmatic access to cert trust. by BitZtream · · Score: 4, Insightful

      And if your machine can automatically do all those things ... so can third party software because in order for you to do everything you want to do, there has to be a pragmatic way to do so, and if the OS can do it, so can any other software that has admin rights.

      Either way, you don't want to put that sort of power into the vendor's hands, since it means they effectively have created the Apple App Store, and if that's what you really want, just buy a Mac and stop using Windows (your first mistake).

      The only way to prevent this sort of thing is by not installing software that does it.

      But let's ignore all the problems with what you're suggesting and assume it works ... Lenovo would have just approved the certs before they shipped the machine. Or the machine would prompt the user, who would blindly do so on boot, just like all the other things users blindly do.

      If you want to prevent this from happening, put the people who do this AND the people who make the decisions to do this, IN JAIL.

      Both the developers who write the code to do it and the management who tells them to do so. Assign some personal responsibility for this shit and watch how it suddenly changes. The problem in America is that anyone in a company can basically do whatever they want and hide behind 'the company' who then gets some minor fine (Relatively) and the guy who did it doesn't care one bit.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:Block off programmatic access to cert trust. by Anonymous Coward · · Score: 0

      Block off access to everything, full stop. There shouldn't be any ability to tamper with the OS so fundamentally and so easily. Silent misconfigurations like this can be devastating and there's really no way to tell beyond the installation of an application. Applications similarly aren't obligated to tell you what they're up to so we're all just taking chances trusting people we don't know. Those people increasingly are looking like scumbags. It used to be that we could trust the vendor, now it seems that's not the case either. The next stop is we won't be able to trust the OS manufacturer, then we won't be able to trust the hardware vendor, etc... How far down the chain of trust do we need to go before we realize none of these organizations can be trusted?

    3. Re:Block off programmatic access to cert trust. by Shados · · Score: 1

      Woo, and now a company can't have its own internal CA deployed automatically. And how would software with its own certificate store (i.e. Firefox doesn't use the system store) be able to harden itself so much? It's just a piece of software like any other.

      And it's probably not a "globally wildcarded certificate" that's deployed to the browser, it's just a CA. And if a CA is trusted, it can sign arbitrary certificates. You want to be able to do this automatically at least in a corporate environment, and manually for development tools.

    4. Re:Block off programmatic access to cert trust. by Anonymous Coward · · Score: 0

      Sysprep'ing an image or changing the product key should invalidate the local trust mark and require manual re-approval of all certs not in the browser vendor's official trust list.

      You just broke the mass-imaging process at every fortune-500 company.

    5. Re:Block off programmatic access to cert trust. by mysidia · · Score: 1

      You want to be able to do this automatically at least in corporate environment, and manually for development tools.

      We buy certs for corporate resources. It's not necessary to have an internal CA, and from a security standpoint it's probably not very safe, since the CA is more likely to be compromised than a public CA which has more carefully implemented and audited controls.

      Woo, and now a company can't have its own internal CA deployed automatically.

      Why not? Just make it so that upon joining a volume-licensed copy of Windows to a domain, a domain certificate trust mark is optionally enabled, and certificates can be installed by group policy, but only to computers that are a member of the AD domain whose administrator digitally signed the policy, and only with the Enterprise or Server edition of Windows installed on the workstation.

    6. Re:Block off programmatic access to cert trust. by mysidia · · Score: 1

      and if the OS can do it, so can any other software that has admin rights.

      What would cause you to think that?

      Administrator is a user privilege level inside the operating system. Nothing says that an admin level user can necessarily do everything. You can even make an operating system that has no such thing as admin rights, if you want.

      You can certainly lock down certain capabilities so they are available to the OS but not to 3rd party software.

      One thing they could require you to do would be to visit a Microsoft website and go through a process that requires the end user to answer a captcha, login to an account, and supply a copy of the certificate, to receive a validation mark, before a local trust mark can be added, then the marked certificate can be downloaded and imported, before proceeding with a GUI-driven process.

      Without the computer-specific Microsoft validation mark on the certificate, the 'Import' API calls will simply refuse to import the certificate to the trust database.

      And when the cert is verified, the trust authorization validation chain's signature can be verified as well.
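
As an added illustration of the "local trust mark" design proposed in the parent post and refined in this reply (this is an example written for this page, not code from any commenter, Microsoft, or any OS vendor), the toy below models a trust store where stock roots import freely, any other root needs a mark bound to a machine-specific key that is only reachable through an interactive-approval path, and re-imaging rotates the key so previously marked roots drop out of trust until re-approved. Certificates are opaque byte strings (constructed), the "machine keypair" is simplified to an HMAC key, and the approval prompt is a callback; all of those are assumptions of the example, as is the name `MarkedTrustStore`.

```python
"""Toy model of a machine-bound 'local trust mark' for a certificate store.

Added example for this thread; not code from the post, Microsoft, or any
vendor.  Certificates are opaque bytes (constructed), not real X.509, the
machine keypair is modelled as a symmetric HMAC key, and interactive
approval is a callback.  All names below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a certificate's DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()


class MarkedTrustStore:
    """Trust store that accepts non-stock roots only with a machine-bound mark."""

    def __init__(self, stock_roots: List[bytes]) -> None:
        # Generated when the hostname is assigned / the profile is created.
        # Caveat raised in the thread: if admin-level code can read this key,
        # it can compute marks itself; the design only holds when the key is
        # reachable solely through the approval path (not modelled here).
        self._machine_key = secrets.token_bytes(32)
        self._stock = {fingerprint(c) for c in stock_roots}
        # fingerprint -> (cert bytes, mark); stock roots carry no mark.
        self._trusted: Dict[str, Tuple[bytes, Optional[bytes]]] = {
            fingerprint(c): (c, None) for c in stock_roots
        }

    def _mark_for(self, fp: str, key: bytes) -> bytes:
        return hmac.new(key, fp.encode(), hashlib.sha256).digest()

    def request_mark(self, cert_der: bytes,
                     approve: Callable[[str], bool]) -> Optional[bytes]:
        """Interactive path: the only route to the machine key.

        `approve` stands in for a GUI prompt; it receives the fingerprint and
        returns True on user consent.  Returns None when the user declines.
        """
        fp = fingerprint(cert_der)
        if not approve(fp):
            return None
        return self._mark_for(fp, self._machine_key)

    def import_cert(self, cert_der: bytes, mark: Optional[bytes] = None) -> bool:
        """Programmatic import API.  Stock roots always import; anything else
        needs a mark that verifies under the current machine key."""
        fp = fingerprint(cert_der)
        if fp in self._stock:
            self._trusted[fp] = (cert_der, None)
            return True
        if mark is None or not hmac.compare_digest(mark, self._mark_for(fp, self._machine_key)):
            return False
        self._trusted[fp] = (cert_der, mark)
        return True

    def reimage(self) -> None:
        """Sysprep / product-key change: rotate the machine key."""
        self._machine_key = secrets.token_bytes(32)

    def audit(self) -> List[str]:
        """Fingerprints of non-stock roots whose mark no longer verifies."""
        stale = []
        for fp, (_cert, mark) in self._trusted.items():
            if fp in self._stock:
                continue
            if mark is None or not hmac.compare_digest(mark, self._mark_for(fp, self._machine_key)):
                stale.append(fp)
        return stale

    def is_trusted(self, cert_der: bytes) -> bool:
        fp = fingerprint(cert_der)
        return fp in self._trusted and (fp in self._stock or fp not in self.audit())


def demo() -> dict:
    """Walk through silent install, forged mark, approved import and re-image."""
    stock = [b"CONSTRUCTED-STOCK-ROOT-1", b"CONSTRUCTED-STOCK-ROOT-2"]
    third_party = b"CONSTRUCTED-THIRD-PARTY-ROOT"  # stands in for a bundled interception CA
    store = MarkedTrustStore(stock)
    result = {}
    # 1. Silent programmatic install with no mark: refused.
    result["silent_import"] = store.import_cert(third_party)
    # 2. A mark computed under a guessed key: refused (not the machine key).
    forged = hmac.new(b"guess", fingerprint(third_party).encode(), hashlib.sha256).digest()
    result["forged_import"] = store.import_cert(third_party, forged)
    # 3. User explicitly approves: mark issued, import succeeds.
    mark = store.request_mark(third_party, approve=lambda fp: True)
    result["approved_import"] = store.import_cert(third_party, mark)
    result["stale_before_reimage"] = store.audit()
    # 4. Re-imaging rotates the key; the third-party root now needs re-approval.
    store.reimage()
    result["stale_after_reimage"] = store.audit()
    result["trusted_after_reimage"] = store.is_trusted(third_party)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The useful property to notice is the one BitZtream objects to: every check above reduces to "who can read `_machine_key`". In this toy it is a Python attribute, so any code in the same process can forge a mark; for the design to mean anything the key has to sit behind something admin-level code cannot read, which is exactly the part the proposal leaves open.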

    7. Re:Block off programmatic access to cert trust. by swb · · Score: 1

      We buy certs for corporate resources.

      Purchased certs are too expensive to buy for every possible thing you might want to encrypt without a certificate error. There's all manner of internally facing services that don't need public certificate verification and a perfectly useful method of distributing trust for those certificates.

      I would grant you, though, that there should be some kind of security setting that makes adding a root CA much more difficult for non-domain members. But don't make it impossible, that could set an ugly precedent for taking away the ability to require only third party trust.

    8. Re:Block off programmatic access to cert trust. by nyet · · Score: 1

      That is a feature, not a bug. The whole point to Windows GP is to allow your boss to push bogus root CAs into your work machines' store (without you knowing it, let alone preventing it) so the corp proxy can MITM sniff all of your https traffic at will. Remove that ability, and expect your local PHB to whine incessantly.

      Never mind that the idiots running the IT dept have no clue how bad it is to deploy a CA that can automatically sign forged certs arbitrarily. And most employees are clueless enough to never bother checking their trust root CA list.

      Unrestricted MS group policy push means all of TLS/SSL is a complete sham.

      Hopefully this Superfish fiasco will bring this to light. However, I am not optimistic, given the quality of reporting on it so far, and the fact that employers do not want their employees to know exactly how much the corporate proxy has compromised the entirety of internet security.

      I know the response is "well just trust your IT dept, they won't let their bogus root CA priv key fall into the wrong hands; corporate proxies are for your own good".

      Right.

    9. Re:Block off programmatic access to cert trust. by nyet · · Score: 1

      There shouldn't be any ability to tamper with the OS so fundamentally and so easily.

      Guess what? If you use a Windows machine at work, your boss can already install whatever bogus root CAs he wants into your machine without you knowing it, via GP. And he'll claim he has to, because w/o it, the corporate proxy can't MITM you.

    10. Re:Block off programmatic access to cert trust. by Anonymous Coward · · Score: 0

      The only way to do this is to take control away from the user to do so. That causes collateral damage.

    11. Re:Block off programmatic access to cert trust. by Anonymous Coward · · Score: 0

      You're buying certs from entities that are likely compromised by the NSA and other agencies. Generating your own certs is safer in this case.

    12. Re: Block off programmatic access to cert trust. by Anonymous Coward · · Score: 0

      Now all of your internal services can't be resolvable out in public DNS... One would hope... So what are you paying a CA to verify exactly? Do you have an obvious trademark in your internal names that you're betting on all CAs respecting?

      Are you sure a CA wouldn't issue a cert to anybody else for those internal names?

    13. Re:Block off programmatic access to cert trust. by spire3661 · · Score: 1

      UGH. Don't use your work computer for personal stuff. TLS/SSL is a sham to you because you have the unreasonable expectation that the machine is yours to do with as you please. Here's a clue: it's not. Don't do YOUR computing on someone else's computer...

      --
      Good-bye
    14. Re:Block off programmatic access to cert trust. by mysidia · · Score: 1

      Unrestricted MS group policy push means all of TLS/SSL is a complete sham.

      Correct me if I am wrong.... but group policy is downloaded over CIFS via SYSVOL, and there is no encryption or digital signing of the file being downloaded, so a MITM could insert an altered group policy of the attacker's choice, including bogus certificates to be installed... of the attacker's choice.

  8. Re:ShitFucker: A program we should all have! by Anonymous Coward · · Score: 0

    yeah binary analysis on the fly should be included in current antimalware programs, not just file hashes. it should be automatic and do the work without you busting a nut trying to examine shit yourself.

    for *nix this should include a 'suck and spit' program which tears apart the newly downloaded binaries and checks them for shit before installing them.

  9. install your own OS image! by Anonymous Coward · · Score: 0

    I thought we all learned 20+ years ago that OS images from manufacturers could not be trusted. Doesn't everyone install their own OS image upon buying a new system any more? If not, well fine, but this is what you are going to get.

    Now that HW is being increasingly compromised we of course have yet another problem to contend with, but that doesn't mean installing your own OS has become a bad idea. It's still absolutely necessary, and anyone not doing it is begging for problems.

  10. Boycotts for Israeli-made software by Anonymous Coward · · Score: 0

    Many places are giving up on American software due to potential spying. Will Israeli software companies see a similar backlash?

  11. Superfish is present in Flash Video Downloader by Anonymous Coward · · Score: 1

    The last time I checked a version of Superfish was installed in the Flash Video Downloader for Android available from the official Mozilla Addons download website.

    In the FVD source I have locally, the files of interest are superfish_titles.txt and superfish.js which are both in the modules/ directory.

    I can't remember if the same source kit is used for desktop Firefox.

    1. Re:Superfish is present in Flash Video Downloader by operator_error · · Score: 4, Informative

      You may be right, I don't know. I just want to point out an open-source JavaScript library is called superfish, and I'm pretty sure this library is something else entirely, and benign. http://users.tpg.com.au/j_birc...

    2. Re:Superfish is present in Flash Video Downloader by jorgevillalobos · · Score: 2

      The version of Superfish included in Firefox add-ons (at least the ones on addons.mozilla.org) doesn't do any cert store manipulation. All it does is inject scripts into shopping sites to show offer ads.

    3. Re:Superfish is present in Flash Video Downloader by ColdWetDog · · Score: 2

      This is the top of the superfish.js listing. Not that I understand Javascript very well (where are the line numbers?) but it seems fairly innocuous...

      /*
       * Superfish v1.4.8 - jQuery menu widget
       * Copyright (c) 2008 Joel Birch
       *
       * Dual licensed under the MIT and GPL licenses:
       * http://www.opensource.org/lice...
       * http://www.gnu.org/licenses/gp...
       *
       * CHANGELOG: http://users.tpg.com.au/j_birc...
       */
      ;(function($){
              $.fn.superfish = function(op){

                      var sf = $.fn.superfish,
                              c = sf.c,
                              $arrow = $([' '].join('')),
                              over = function(){
                                      var $$ = $(this), menu = getMenu($$);
                                      clearTimeout(menu.sfTimer);
                                      $$.showSuperfishUl().siblings().hideSuperfishUl();
                              }, .....

      --
      Faster! Faster! Faster would be better!
  12. Microsoft's fault by countach · · Score: 3, Insightful

    Microsoft needs to grow a pair and lay down the law to any company that wants to be an OEM for their products. Apple wouldn't let the carriers pull this stunt on their phones.

    1. Re:Microsoft's fault by Shados · · Score: 1

      Because somehow Apple doesn't get hit with anti-trust suits over it because anyone with the power to hit them is using an iphone and wouldn't want their convenience to take a hit.

      The rest of the world however, has to at least give the law some lip service.

    2. Re:Microsoft's fault by nyet · · Score: 1

      Allowing unrestricted remote access to your machine's trusted root CA list via GP is a feature of windows.

      Why would they remove it? It is for the "enterprise".

    3. Re:Microsoft's fault by Solandri · · Score: 2

      Microsoft needs to grow a pair and lay down the law to any company that wants to be an OEM for their products. Apple wouldn't let the carriers pull this stunt on their phones.

      I think Apple prohibiting carriers from doing this sort of stuff is more about keeping competitors under their thumb, not about protecting users. They're not above pulling this crap themselves at their users' expense. They surreptitiously slurped up users' location and wifi SSID data to build their own wifi map (the following year, they dumped the company they'd been paying to lease such a map). You know, the same thing Google got in trouble for because they went to the trouble to try to do it the right way, and had their own employees drive around doing the data gathering (not their Android users), then found out later they'd recorded a lot more than SSID.

    4. Re:Microsoft's fault by spire3661 · · Score: 1

      Such is the price MS pays for being a convicted abusive monopolist... Apple doesn't get hit because they don't have an actual monopoly on anything so they can't abuse it.

      --
      Good-bye
    5. Re:Microsoft's fault by Anonymous Coward · · Score: 0

      Microsoft got in anti-trust trouble for doing exactly this.

      Well, really, they were strong-arming PC makers into not bundling Netscape or products that competed with Microsoft products/services and they got in trouble for that.

      They were, though, also trying to establish a clean and consistent computing environment. Prior to 95 (in the 3.1x days) it was really common for PC vendors to ship with a shell replacement, or a program that sat on top of 3.1 and offered an alternate UI. Microsoft saw this as a bad thing since it was really confusing to end-users. (Said shells were often really awful and buggy too.)

      Fast forward to today, and we can't trust anyone. Least of all PC vendors that dump outright malware onto the systems they sell that make them objectively worse. "Walled Garden" setups that Apple, Google, and Microsoft are selling on their phones and tablets are wildly popular, largely in part because they offer a curated, safe, easy, appliance-like computing experience.

      Sure, you have your PC; in comparison, your phone/tablet: never gets a virus, never crashes, always starts up quickly, and offers a simple touch interface that's always consistent.

  13. SONY BMG ROOTKIT revisited by Anonymous Coward · · Score: 0

    "Most people don't even know what a rootkit is, so why should they care about it?" - Thomas Hesse, President, Global digital business, Sony BMG

    http://www.f-secure.com/weblog...

    http://www.f-secure.com/weblog...

  14. You mean "Code you own"? by l2718 · · Score: 2

    This is a software issue, not a hardware issue. Unless you propose to personally code the entire operating system and every application program, that is not practical.

    That said, replacing the preinstalled OS with a free one is my first step when buying a new computer. Most recently I managed to buy a PC without an OS at all, but that's rare.

  15. Manufactures have to be held responsible. by Anonymous Coward · · Score: 0

    Preinstalled vulnerabilities have to be deemed illegal, and compensated for. Software bugs happen, but installing software for money that is exploited with no use to the user (or an ending trial antivirus) should be illegal. I am talking about preinstalled software for the purposes of money. Yes, the cost of the system is offset by the adware. The rapid decline of the PC market makes it seem easier for companies to install adware to circumvent the cost. Support for money or giving a better product has gone the way of the unicorn. This should be illegal. A lot of individuals do not know what an acceptable application is vs. a preinstalled one, and this is how I make my money fixing Windows PCs.

    Might kill my business, but this has got worse over the years.

  16. Time to switch to chromebook by Anonymous Coward · · Score: 0

    I am getting tired of all the Malware on windows. As soon as the Chromebook Pixel 2 gets released (assuming it has more RAM and 64GB+ of SSD storage as well as a 16x9 AR).
    I am not sure why I have been holding off this long since about 1 year ago I stopped using most Microsoft tools in favor of Google Apps for Business (collaboration features of Google Docs/Drive are just better and Gmail + Calendar are significantly better IMHO).
    Either way, after looking at my use pattern over the past year and the type of work I do, I cannot imagine why I need to stay with a Windows laptop with the increased malware/exposure risk.


    1. Re: Time to switch to chromebook by Anonymous Coward · · Score: 1

      Yeah, definitely put 100% of your data in Google's cloud. It'll be safe there... /s

  17. Last year... by Anonymous Coward · · Score: 0

    ... I realized my non-blessed Firefox suddenly was unable to reach Google(SSL). Merely searching sounded an alert about Google not being who I thought it was, but in IE and Chrome everything worked like a charm.

    What I thought at the time was that "they" (yes, "they" at our central IT dept.) were probably checking what we searched. We're fairly conscious about law-mandated secrecy and the network is not mine, after all. My decision to use Google(SSL) also was based on work needs; in the end, I quit having privacy because I thought they had the obligation to ensure good use of the network.

    Now I wonder whether they knew what is happening at all...

  18. Dude, we want a UNICORN pony! by billstewart · · Score: 2

    Not just any boring vanilla pony - we want a unicorn pony and rainbows and the whole bit!

    Lenovo probably will fire somebody, for embarrassing them, but it won't change the number of vendors of crapware out there. Lenovo's certainly not going to take the kind of financial hit that Gemalto did when the public found that the GCHQ had pwned all the SIM cards they sold. Maybe one or two adware companies will lose a non-trivial percentage, but there's a market for sleazy advertising and there's a market for having software companies pay to Add Valuable Features to your hardware.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Dude, we want a UNICORN pony! by mlts · · Score: 1

      In my experience, the average person buying a system with crapware on it doesn't care about it, provided it doesn't slow their machine down. It is just like the people who spill their lives onto social networks. They don't care who reads it, so likely wouldn't care to be tracked by "marketing browser experience enhancement" software.

      The real takeaway from this is for people to pack their own parachute -- image off the drive's original software (just in case), wipe the drive [1], then install the OS from clean media, and from there, install applications. Of course, it doesn't hurt to make a zero-level image after the machine is installed, updated, drivers loaded, and activated, so a complete "bare metal" reinstall is just reloading that image.

      [1]: Boot a Linux CD, dd if=/dev/zero of=/dev/hdx if the drive is a HDD, blkdiscard -v /dev/hdx if the drive is a SSD.

  19. Re:Mossad connection is a red herring by billstewart · · Score: 1

    Israel doesn't have a lot of revenue sources or natural resources, so high-tech products like software are important to them, even more so than growing oranges on Palestinian land. And everybody has to serve in the army, except a few specially exempted groups, so just about everybody with a college education has been in the Army before they got that high-tech job, and a lot of them did computer jobs in the Army as well as marching around with Uzis, because every army these days needs computer technology. That doesn't mean that every high-tech company in Israel, or even every sleazy adware company in Israel, is a front for Mossad.

    Homeland Security has two highly obvious reasons to put out urgent guidance to remove crapware - there's a Congressional partisan squabble that's caught their budget in the crossfire, so they want to get positive press mention rather than the negative mention they'd get if they didn't do that, and the NSA's just gotten caught bugging every computer in the world so Homeland Security needs to talk about anybody else they can being dangerous and scary.

    Besides, if it really was Mossad, they'd have done a much better job.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  20. Only 1 categorized as a malicious trojan??? by davidwr · · Score: 1

    of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider.

    Why aren't they all categorized as malicious trojans by all major antivirus providers?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Only 1 categorized as a malicious trojan??? by Anonymous Coward · · Score: 0

      of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider.

      Why aren't they all categorized as malicious trojans by all major antivirus providers?

      Palm grease.

  21. Not "any" HDD Re:Mossad connection by davidwr · · Score: 1

    The NSA program can flash permanently any HDD. FOREVER!!

    There are some older drives out there that aren't flashable, at least not over the normal computer/drive connection (look for "service" connections on late-1990s/early-2000s drives).

    In light of these revelations, expect vendors to sell (at a premium of course) drives which can't be "flashed" without setting a physical switch/jumper.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Not "any" HDD Re:Mossad connection by PlusFiveTroll · · Score: 1

      >drives which can't be "flashed" without setting a physical switch/jumper.

      Protects existing kit from updates, but we have heard of supposed intercept programs by the NSA where they capture your hardware in shipping and replace it.

  22. And now COMODO by Anonymous Coward · · Score: 0

    https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html

  23. Viber by Anonymous Coward · · Score: 0

    You should go dig into Talmon Marcus, Viber's chief; that's a dodgy money trail out of Cyprus, but when you dig into the people they seem to be in the US.

    His previous company did a lot of very similar apps. MP3 encoders with malware, video recorders... with malware. All bundled open source, given free, but with spyware added.

    I think you'll find the NSA is the biggest customer, and hence the funder for a lot of these apps. It just happens that people who worked for the spy agencies know who to sell to, so they leave and make spyware knowing it's a profitable market with hidden buyers.

  24. Barak Weichselbaum = IDF's Intelligence Core by Anonymous Coward · · Score: 0

    Komodia's own 'About page' listed its head as former Israeli Defence force Intelligence Core. (It's taken down now but you can get a cache of it from DuckDuck).

    "Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF's Intelligence Core."

    Note he's a programmer from the *Intelligence* core, not a foot soldier: a hacker/spy.

    This is the same as Viber's head (Viber = messaging app believed to be Mossad spyware), who was a CIO in the IDF; he pretends he is a Chief Information Officer, but the CIO designation in the IDF is a Chief *INFORMATION* Officer. He also was a hacker/spy, not a foot soldier.

    The customer is likely the NSA, General Alexander paid for a lot of noise to fill his database with.

  25. pick a nit by Spazmania · · Score: 1

    [bypasses] secure sockets layer protections by modifying the network stack of computers that run its underlying code. Specifically, Komodia installs a self-signed root CA certificate

    Picking a nit:

    1. Installing a new CA certificate does not modify the network stack. Adding and removing CA certificates is an ordinary operation.

    2. All root certificates are self-signed. If your certificate is signed by something else, it's not a root certificate.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  26. Browser warning? by jordan314 · · Score: 1

    Couldn't browsers detect and warn you if you're using a self-signed root CA certificate?

    1. Re:Browser warning? by Anonymous Coward · · Score: 0

      Browsers do that (yes, I realize your question might be ironic/sarcastic).

      Corporate browsers are usually "extended" to include self-signed / in-house-made certificates as one of those listed as acceptable, thus you never end up receiving a notice about the odd certificate.

      The only way to know it is by using an external, unaltered browser, which is frowned upon (and forbidden) because it was not evaluated by the house's "security experts". :-/
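      Several posters above (nyet's "most employees never bother checking their trust root CA list", and the browser-warning question here) point at the same practical check: a root that has been pushed into the store, whether by Superfish or by group policy, is by definition a self-signed root just like every legitimate one, so the useful question is not "is it self-signed?" but "was it in my store before?". The script below is an added example, not code from the Ars or Facebook write-ups and not from any of the vendors named in this thread. It records the SHA-1 thumbprints of the ROOT store (the value Windows shows as "Thumbprint") into a baseline file and later reports any thumbprint that has appeared or disappeared. It assumes Python 3 on Windows, because `ssl.enum_certificates()` only exists there; the optional `cryptography` package is used, if installed, to print the subject of a new root. The file name `roots.txt` and the `rootcheck` name are my own choices.

```python
"""Baseline-and-diff check for the Windows trusted root store (added example)."""
import hashlib
import ssl
import sys
from pathlib import Path


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, upper-case hex: the same string that the
    Windows certificate dialog shows as 'Thumbprint'."""
    return hashlib.sha1(der).hexdigest().upper()


def enumerate_root_store() -> dict:
    """Return {thumbprint: der} for the ROOT system store.

    ssl.enum_certificates() is a stdlib call that exists only on Windows; each
    entry is (cert_bytes, encoding_type, trust)."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates() exists only on Windows")
    roots = {}
    for der, encoding, _trust in ssl.enum_certificates("ROOT"):
        if encoding == "x509_asn":  # skip PKCS#7 blobs
            roots[thumbprint(der)] = der
    return roots


def diff_roots(current, baseline):
    """Compare thumbprints: returns (added, removed) as sorted lists.

    `current` is {thumbprint: der} (or any iterable of thumbprints),
    `baseline` is an iterable of thumbprints recorded earlier."""
    cur, base = set(current), set(baseline)
    return sorted(cur - base), sorted(base - cur)


def describe(der: bytes) -> str:
    """Best-effort subject name; falls back to a hint if 'cryptography' is absent."""
    try:
        from cryptography import x509
    except ImportError:
        return "(install the 'cryptography' package to print the subject)"
    return x509.load_der_x509_certificate(der).subject.rfc4514_string()


def save_baseline(path: str, roots) -> None:
    """One thumbprint per line, sorted, so the file diffs cleanly in VCS."""
    Path(path).write_text("\n".join(sorted(roots)) + "\n")


def load_baseline(path: str) -> set:
    return {ln.strip() for ln in Path(path).read_text().splitlines() if ln.strip()}


def main(argv):
    usage = "usage: rootcheck.py baseline|check roots.txt"
    if len(argv) != 3 or argv[1] not in ("baseline", "check"):
        print(usage, file=sys.stderr)
        return 2
    roots = enumerate_root_store()
    if argv[1] == "baseline":
        save_baseline(argv[2], roots)
        print(f"recorded {len(roots)} roots in {argv[2]}")
        return 0
    added, removed = diff_roots(roots, load_baseline(argv[2]))
    for tp in added:
        print(f"NEW root    {tp}  {describe(roots[tp])}")
    for tp in removed:
        print(f"GONE root   {tp}")
    # Non-zero exit when the store drifted, so the check can run from a scheduled task.
    return 1 if (added or removed) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

      Run `python rootcheck.py baseline roots.txt` on a freshly installed machine (or a machine you have just cleaned), keep the file somewhere the machine cannot rewrite it, and schedule `python rootcheck.py check roots.txt`; a non-zero exit plus a "NEW root" line is exactly the signal this thread says nobody looks for. Note that a corporate GPO-pushed root shows up the same way as Superfish did, which is the point several posters were making.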

  27. Re:Mossad connection is a red herring by DrXym · · Score: 2

    Besides, if it really was Mossad, they'd have done a much better job.

    If it was really Mossad they'd be installing the code onto PCs used by their enemies for intelligence gathering. They wouldn't be installing it onto new PCs so they could popup ads for penis enlargement pills.

  28. Aaaarrrggghhh!!! No Mod points by CaptainOfSpray · · Score: 1

    So many damn funny/insightful posts in this thread, and my points expired at midnight....

    --
    "Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
  29. Komodia = Mossad SSL intercept by Anonymous Coward · · Score: 0

    There are two parts to this: firstly the Komodia software, this is an SSL intercept run by an ex-Israeli intelligence officer. In other words, software written by an Israeli spook for the purpose of tapping SSLs.

    (See the cache of Komodia's own about page: "Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF's Intelligence Core.").

    The second part is all the software that uses it for nefarious purposes, and in the process spreads this software with the backdoor present in it. That has all manner of things about it: some are games, some are crapware, some are other things. That's just the vehicles to install this tap. One of the media front companies, e.g. "Say Media Group" from Tel Aviv, pays those game sellers to install this spyware with their software, installing this tap along the way.

    1. Re:Komodia = Mossad SSL intercept by DrXym · · Score: 1

      Stop being so silly. If Mossad was involved with this software then they wouldn't scream it from an about page. There wouldn't be an about page. There wouldn't be a product at all. If they wanted to infect PCs they would do so in a targeted way and they wouldn't shout about it.

      It is more likely that this guy left their services and applied some of the tricks he learned to a commercial purpose - writing a library that allows various spyware / adware libraries to hijack clicks and traffic and inject their own affiliate ids / ads / search results into the response.

      No one says it's a good or honourable thing but the primary motivation appears to be money and nothing else. It's still a security threat. It's still utterly reprehensible. But it seems to be the guy enriching his own pocket.

    2. Re:Komodia = Mossad SSL intercept by Anonymous Coward · · Score: 0

      'Scream'? They don't.

      The software uses a library; that library comes from a company that provides intercept software to security agencies; that company in turn touts the Mossad links of its people as evidence of its spook-friendly nature.

      They've also TAKEN DOWN THE PAGE; you read about it in the cache. So it's only people who follow the malware to the library and to the company and to the about page and then make the link to the bunch of similar Israeli companies that push this malware.

      No, there are a number of these ex-Mossad spooks, and they all do this surveillance/malware, which is far too much of a coincidence. Ex *Intelligence* officers too. The standard refutation is that "army service is compulsory so it's not a problem that they are all ex-IDF". Except they're not ex-IDF, they're ex-programmers of spyware/hacks for the Intelligence branch of the IDF. This is no different.

    3. Re:Komodia = Mossad SSL intercept by DrXym · · Score: 1

      It's quite different. Anyone doing work for Mossad wouldn't announce it in any way, shape or form, whether they took the page down later or not. If they took the page down it might be because they are the centre of a shitstorm at the moment. You can't rationalize around this because no rationalization makes any sense. Spy agencies would not and do not do this.

  30. Re:Mossad connection is a red herring by Simon+Brooke · · Score: 1

    Not actually true. Ultra-orthodox Jews do not (yet) have to serve in the army.

    <sarcasm>After all, the ultra-orthodox never provoke any trouble with the Palestinians, so why should they contribute to defence?</sarcasm>

    --
    I'm old enough to remember when discussions on Slashdot were well informed.