by jgwest 4129 days ago
I think it's interesting that this BADWARE install was found more or less accidentally... apparently by some tech dude noticing that his bank login presented a Silverfish-issued CA cert.

Shouldn't the possibility have been foreseen and addressed beforehand?

Perhaps by...

(1) Anti-virus / anti-malware makers. Does this software not notify the user when strange CA certs are put into a system's root certificate storage? I understand that certain businesses do this for traffic monitoring... so it might be legit... but still, no user notification?

(2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?

If this were done in, say, OS X (unrealistic, of course), it would be found out and the whole tech world would know about it in a jiffy. John Siracusa would be howling at the Internet moon within a couple of hours...


I don't know where you got the idea that this got discovered accidentally by this one tech dude. Actually quite a bunch of people have been complaining online about this for months, then for some reason it blew up when the matter got the attention of the tech and sec communities.

See those, for example: https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Persona... http://www.thestudentroom.co.uk/showthread.php?t=3013039 https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-...

(3) Google; Chrome has a rather sophisticated mechanism for detecting MITM attacks, in that it's distributed with pinned certs for several Google properties, and phones home with reports of errors it receives. This is how the DigiNotar leak[1] was discovered.

Perhaps because it was persistent and on the TCP stack level the phonehomes never succeeded? The retry logic should be robust enough to try to deliver the fraud list anyway, even if it will only accept that it has been delivered after a secured connection is restored.

[1] http://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulen...

Chrome does not warn if the non-official root certificate is custom installed on the local machine. It needs to do this because of the various corporate web filters and anti virus tools that MITM connections too.

Maybe this is a practice that needs to stop. Malware scanners can scan on the local machine after the browser has decrypted the communication and web filtering, I think, is nothing but a sign of mistrust against the users.

> Maybe this is a practice that needs to stop. Malware scanners can scan on the local machine after the browser has decrypted the communication and web filtering, I think, is nothing but a sign of mistrust against the users.

It's really kind of a giant security vulnerability. If an attacker can compromise the machine doing the MITM on all the encrypted connections then they get every password and credit card number for every user in your company for every website.

Sure, but once you allow local administrator access to your machine, the "guest" can modify your data and software however it wants, so you've already lost.

> web filtering, I think, is nothing but a sign of mistrust against the users.

What if it's the user who wants this filtering?

I run a local proxy that MITMs to filter out ads, tracking scripts, and other undesirable things. It works in all the browsers I use regularly, and any browsers that happen to be embedded in apps, because this way the stuff I want filtered out never even reaches the browser.

Can you please tell more about your setup? Why a handful of browser plugins were not enough in your case?

Filtering reverse proxies, e.g. Privoxy, have an advantage over browser plugins as they work on the network level instead of on the DOM. This means that it works as a universal adblock regardless of what OS or browser you are running. It's especially useful when you are on mobile Safari or Chrome as they don't support adblocks.

The only way Google "needs" to collude with corporate MITM tools is its desire to court user base from corporate IT depts (allowed de jure in many countries that have weak privacy legislation).

Usually Chrome is eager to show security-related notifications but for this there isn't even a yellow notification bar with "OK, got it" option.

I think this is another example of how Google clearly puts its own interests ahead of its users.

Google wants to further promote its closed Chrome ecosystem, and to do that it needs to gain corporate support for, among other things, its Chromebooks and ChromeOS platform.

And it's obviously more important to appease corporate IT than to protect users' security.

Built in Google-spying and now, support for corporate spying too? I wouldn't trust a Chromebook as far as I can throw it.

That's a very impressive case of double think.

Google codes Chrome in order to make it more useful for various kinds of customers, such as customers who have virus scanners.

And this becomes "Google putting its own interests ahead of its users"?

Back here in reality, that's called the customer is always right and is a fundamental tenet of business.

There are many legitimate reasons to MITM web traffic. We don't need to disallow the practice, we need to build a framework that contemplates this need and provides a robust, stable architecture for it which makes it easy to distinguish between good listeners and bad listeners.

Yes, "It needs to do this because of the various corporate web filters and anti virus tools that MITM connections too." <-- this has to go away, the sooner the better. Even corporations with a large interest in MITMing their employees (mostly banks, mil, gov) should realize that this is bad security practice and will lead to all sorts of other problems.

Banks... imagine the irony.

Perhaps Chrome's MITM detection should only ignore private certs (for web filtering) if configured so via Group Policy or similar mechanism?

> Chrome has a rather sophisticated mechanism for detecting MITM attacks

Which obviously didn't work here, as Chrome was one of the most affected targets.

Firefox on the other hand, was more or less absent altogether. I know which browser I will trust.

Superfish will infect Fx also, it's just that Lenovo didn't pre-install Fx and the installer only runs once.

If you install Superfish and then Chrome, you will be affected. If you install Superfish, then Firefox, you won't.

Thus Firefox is the more secure browser.

Superfish is not a man in the middle, by definition. It's running on your local computer. That's not the middle. That's the start. Consider that Superfish could have just done binary patching on the browser binaries instead of fiddling the local SSL configuration ... it's put there by the computer manufacturer so they can do anything they like.

It's called a "man in the middle" because it intercepts connections between the source and destination. The physical location is irrelevant.

That list is public; if you are in the business of writing these proxies anyway, fetching that list and using it as do-not-mitm exceptions is not a stretch. Which, unfortunately, defeats this nice side-effect of certificate pinning. People could have learned from the Diginotar mistake (being: mitm'ing ssl-pinned certs).

> (1) Anti-virus / anti-malware makers. Does this software not notify the user when strange CA certs are put into a system's root certificate storage? I understand that certain businesses do this for traffic monitoring... so it might be legit... but still, no user notification?

It was installed by the OEM. Doesn't really help if it only notifies the OEM.

> (2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?

The general solution to what you're talking about is to prohibit the OEMs from installing anything by default. The problem is the OEMs wouldn't like it and Microsoft has to keep the OEMs happy lest they get any bright ideas about offering their computers with Ubuntu for $50 less than Windows.

It's not just that the OEMs wouldn't like it. The US DoJ sued Microsoft (and tried to break it up) to prevent it from having any control over what they do. In fact, Microsoft doesn't know what OEMs are installing as "Windows" unless it goes out and buys one of their PCs.

Otherwise, some OEMs have tried installing versions of Linux, with negative financial results. A few are still trying. The real problems are selling and supporting them.

> Otherwise, some OEMs have tried installing versions of Linux, with negative financial results. A few are still trying. The real problems are selling and supporting them.

The problem seems to be that they're always trying to put them on budget machines, which is completely the wrong market. It's chasing the customers who pinch the last penny and you're never going to make any money from them regardless. Meanwhile those customers don't know what an "Ubuntu" is but pick it because it's cheaper, and then you get overrun with support calls when they want to install Turbo Tax.

The place where it makes much more sense is the corporate and professional markets where the customers actually know what they're buying. An IT department which is just going to nuke whatever the OEM installs in favor of their own volume licensed disk image would be happy to save the cost of a [redundant] Windows license for every machine. And professionals like programmers and scientists who actually use Linux would appreciate being able to buy workstation-class hardware with official driver support.

You are exactly right on both counts.

The main attempt to sell Linux to end users was the use of different versions on netbooks, which were mainly bought on price by relatively clueless users.

I talked to one supplier about the obvious cost-of-Linux-support problem at their launch. We won't do support, they said, it will be like an appliance: we'll just reset to factory condition.

You can imagine how that turned out...

>some OEMs have tried installing versions of Linux, with negative financial results.

Which isn't much of a surprise considering what I have observed so far (in trying to purchase a Linux PC). I can't recall ever having seen an OEM offer Linux for more than a sparse subset of their product line, usually mid-tier or low-tier machines.

>A few are still trying.

Which ones? The situation may have changed since I last paid any attention a few years ago.

>The real problems are selling and supporting them.

The MVP here is to merely accept returns for units that turned out to be particularly troublesome, which they usually do (i.e. the Samsung UEFI thing from 2013).

A non-Microsoft UEFI key thing might be nice as well, but that's another story.

Wal-Mart sold Linux machines at one time, and maybe still does. Dell does. A lot of small suppliers do (because they don't get such big OEM discounts on Windows and don't have high-volume automated production lines). But the real problem is that one "support incident" eats the profit from about five sales, or more.

If you think there's a market for Linux PCs, you can always set up a company to sell them. You wouldn't be the first to try, but you might be the first to succeed ;-)

>Dell does.

Dell used to. I just contacted Dell sales and according to "Hazel" they do not offer any non-Windows OS for consumer products nor will they sell a system sans-OS.

>But the real problem is that one "support incident" eats the profit from about five sales, or more.

Meh, there is a lot of room for argument here. I think the real problem, after MS' many anti-competitive shenanigans is that most people just think MS Windows is synonymous with "computer". Those who really want a Linux PC will just buy the hardware they want and install it themselves.

>If you think there's a market for Linux PCs, you can always set up a company to sell them. You wouldn't be the first to try, but you might be the first to succeed ;-)

Someone someday will probably succeed at that. I'm probably not that someone, and that day may not be today. I do think that there is a small market for it, and there could be a bigger one, maybe if/after Gaben has any success with SteamOS. OTOH, if we ever have a modular laptop standard with a commodity peripheral market then maybe not, as there would be less need (given that the only OEM PCs I have purchased in the last 10 years were laptops).

> Meh, there is a lot of room for argument here.

Not really. I got my info from senior managers at some of the (very large, Taiwanese) companies concerned.

> I think the real problem, after MS' many anti-competitive shenanigans is that most people just think MS Windows is synonymous with "computer".

Microsoft has never been accused or taken to court for any "anti-competitive shenanigans" re the success of Windows, only for ways it tried to exploit that success.

> Those who really want a Linux PC will just buy the hardware they want and install it themselves.

Yes, exactly. And they will install whichever of the 157 versions they prefer. These are among the reasons why it's hard to make a profit selling Linux PCs.

> Dell used to. I just contacted Dell sales and according to "Hazel" they do not offer any non-Windows OS for consumer products nor will they sell a system sans-OS.

They do, it's called "Project Sputnik". It's targeted at developers though, which is a market that clearly makes sense, as AnthonyMouse pointed out.

http://www.dell.com/learn/us/en/555/campaigns/xps-linux-lapt...

The XPS 13 review yesterday was interesting, but I think I need a beefier machine. Does anyone have experience with this Precision developer edition on Linux?

For a company specialized in Linux PCs, there is System76.

... or they could develop badware for Ubuntu.

I found it by myself several weeks before all this news came out.

I got my new Lenovo Y50, visited my own website with it and decided to see how my https cert looked. I got quite scared when I saw I was being MITMed but I googled it and there were already a ton of forum posts saying it's just stuff bundled with Lenovo. So I uninstalled it.

Note that uninstalling the program doesn't completely undo the damage; you also need to get rid of the trusted certificate that it uses to make all of its forged certs look legitimate to the browsers. (The private key for that cert has been widely distributed, and at this point, anyone can use it to make a cert for your bank that will look legitimate to your machine so long as the Superfish root cert remains in place.)

Complete instructions here: http://www.pcworld.com/article/2886278/how-to-remove-the-dan...
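As an added illustration of the point made in the comment above (that uninstalling the program leaves the trusted root behind), here is a PowerShell script that enumerates the Windows trusted-root stores for a CA whose name matches a pattern and optionally removes it. This is not code from the thread or from the linked article; the name fragment 'Superfish' is an assumption taken from the discussion, and the real certificate subject and thumbprint are not given on this page.

```powershell
# Added example: find (and optionally remove) a locally installed root CA
# from the Windows certificate stores. Run as Administrator for the
# LocalMachine store. The default pattern is an assumption from the thread.
param(
    [string]$Pattern = 'Superfish',   # assumed name fragment, not a verified subject
    [switch]$Remove                   # report only unless explicitly asked to remove
)

# A locally installed CA can land in either the per-machine or per-user root store.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -match $Pattern -or $_.Issuer -match $Pattern
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            # A root CA is self-signed; a non-self-signed hit is still worth a look.
            SelfSigned = ($_.Subject -eq $_.Issuer)
        }
    }
}

if (-not $found) {
    Write-Output "No trusted root matching '$Pattern' found in $($stores -join ', ')."
    return
}

# Show what would be trusted for any forged leaf certificate chained to it.
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($c in $found) {
        # The Certificate provider supports Remove-Item; the path is store + thumbprint.
        Remove-Item -Path "$($c.Store)\$($c.Thumbprint)" -Verbose
    }
}
```

Run it once without -Remove to confirm the match is the intended CA before deleting anything; browsers that keep their own trust store (Firefox, as discussed above) need to be checked separately.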