Superfish Keeps Digging Deeper And Deeper Hole: Still Refuses To Acknowledge Seriousness Of What Its Software Did
from the first-rule-of-holes dept
I pointed out earlier that it was fairly astounding that Superfish was remaining mostly quiet on the whole controversy over its software. If you've been under a rock: earlier this week, the security community pointed out how Superfish's software (installed by default on certain Lenovo laptops) created a massive security vulnerability. Superfish itself is adware, but that's the least of the problems. The software doesn't track your behavior like other adware; instead it tries to insert other buying options when you're viewing images of certain products. It tries to find the same or similar products that you can buy for less and tell you about them. I could see how that might be interesting for some people on some shopping sites if they chose to use the software. But, as a default bloatware install on Lenovo laptops, there was no choice. Furthermore, it apparently was trying to do this on every website. And that's where the real problem came in.

Because many websites these days are encrypted via HTTPS (to better protect privacy), Superfish teamed up with a sneaky company named Komodia to install a really nasty and poorly implemented "trick." It installed its own self-signed root certificate into the laptop's trusted root store, and its local proxy would then mint a fake certificate, signed by that root, for ANY and EVERY HTTPS site you visited, so the browser accepted the proxy's certificate without a warning. And, of course, it used the same root private key on every install, and that key, shipped inside the software, was easily extracted (the password protecting it: komodia). That means anyone holding the key can mint a certificate for any site that every affected laptop will trust: anyone who had this installed was basically open to a massive and hugely dangerous man-in-the-middle attack on any HTTPS connection, not just by Superfish but by anyone else on the same network. That's HUGE.
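To make that mechanism concrete, here is an added example (not code from Superfish, Komodia or Lenovo) that replays it with nothing but the openssl command line in a temporary directory: one self-signed root whose private key is protected by nothing but the hard-coded password reported above, the recovery of that key by "anyone", a forged certificate for an arbitrary hostname, and a check of whether a client that trusts that root would accept it. The root's name, the hostnames (bank.example, shop.example) and the file layout are made up for the demo; the password komodia is the one reported in the story. It also shows, as the post goes on to note, that removing the software's files changes nothing as long as the root certificate stays in the trust store.

```shell
#!/bin/sh
# Added example (not Superfish, Komodia or Lenovo code). Replays the trust-store
# trick described above with nothing but the openssl CLI, in a temp directory.
# Root name, hostnames and file names are made up; "komodia" is the password
# reported in the post.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# 1. The interceptor ships ONE self-signed root, with its private key, on every
#    machine; the key is "protected" by a password baked into the software.
make_interceptor_root() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1 -subj "/CN=Example Interceptor Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl pkey -in "$WORK/root.key" -aes256 -passout pass:komodia \
        -out "$WORK/root.key.enc"
    rm -f "$WORK/root.key"            # only the password-wrapped copy ships
}

# 2. Anyone who learns the shared password recovers the same key from any
#    affected machine (the post: the key was "easily cracked").
recover_root_key() {
    openssl pkey -in "$WORK/root.key.enc" -passin pass:komodia \
        -out "$WORK/stolen.key"
}

# 3. Mint a certificate for any hostname with a given root key. This is what the
#    proxy does for every HTTPS site, and what an attacker can now do as well.
forge_cert() {  # forge_cert HOST KEYFILE -> prints path of the forged cert
    host=$1; key=$2
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -sha256 -days 1 -in "$WORK/$host.csr" \
        -CA "$WORK/root.crt" -CAkey "$key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
    echo "$WORK/$host.crt"
}

# 4. What a client on the affected machine effectively does: build the chain
#    against its trust store (here: the interceptor root) and check the hostname.
trusted_for_host() {  # trusted_for_host CERT HOST -> exit 0 if it would be accepted
    openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# 5. "Disabling the software" removes its files but leaves the root in the trust
#    store, so everything minted with the stolen key keeps working.
disable_software() {
    rm -f "$WORK/root.key.enc"
}

# Control: a certificate from an unrelated key is still rejected. The trust store
# entry, not the interception itself, is what makes the forgery work.
self_signed_cert() {  # self_signed_cert HOST -> prints path of an untrusted cert
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1 -subj "/CN=$1" -keyout "$WORK/other-$1.key" \
        -out "$WORK/other-$1.crt" 2>/dev/null
    echo "$WORK/other-$1.crt"
}

if [ "${1:-}" = "demo" ]; then
    make_interceptor_root
    recover_root_key
    disable_software
    forged=$(forge_cert bank.example "$WORK/stolen.key")
    if trusted_for_host "$forged" bank.example; then
        echo "forged bank.example cert, software already 'disabled': ACCEPTED"
    fi
    other=$(self_signed_cert bank.example)
    if ! trusted_for_host "$other" bank.example; then
        echo "cert from an unrelated key: rejected"
    fi
fi
```

Run it as `sh interceptor_demo.sh demo` (the file name is mine). The control case is the part worth dwelling on: the exact same forgery from a key that is not in the trust store fails, which is why the fix on an affected laptop is to remove the root certificate from the trusted root store, not merely to uninstall or "disable" the adware.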
And Superfish still won't cop to it. Its website has nothing about this whole thing. Its Facebook page has nothing. Its Twitter feed only has that post from yesterday saying that Lenovo would soon be putting out a statement clarifying things -- but Lenovo's statement (which has changed over time) admits that there were problems and the company is working hard to remove all the damage that Superfish has done. And Superfish still doesn't get it. Its latest press statement shows that the company is in total denial about what kind of mess it helped create. It is still defending the whole "adware" thing, rather than the security hole. And, its only comment on the security hole is "some other company did that."
Superfish Statement from CEO

There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish's software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed.

This is not the time for your marketing speak. This is the time you apologize for putting many, many, many people at serious risk. Stop with the PR-sanitized "enhance their shopping experience."
Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn't identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. The software was disabled on the server side (i.e., Superfish's search engine) in January 2015.

This statement is almost entirely pure bullshit. No one has complained about Superfish storing personal data, but it absolutely does present a security risk. A massive one. An incredibly humongous, cannot-be-overstated security risk. And Superfish says it "does not present a security risk"? Bullshit. And then to say "a vulnerability was introduced unintentionally by a 3rd party." That's passing the buck. Yes, it's Komodia (which Superfish doesn't name) that appears to have done this, but it's Superfish who decided to use Komodia's braindead stupid method of breaking HTTPS. Yes, you tested it, but your tests suck if they didn't spot this kind of security mess: one root private key shared by every install is exactly the sort of thing a security review exists to catch.
Finally, disabling the software on the server side isn't even the main part of the issue, since the dangerous root certificate (and the private key that goes with it) still remained in the trust store of every affected laptop after that. And, yes, actions are now being taken to fix that, but no thanks to Superfish and its refusal to admit what happened.
Superfish takes great pride in the quality of its software, the transparency of its business practices, and its strong relationship with the Superfish user community. Superfish's visual search technology enables millions of people to explore and learn about the world in an engaging and highly intuitive manner. A positive user experience has been the cornerstone of Superfish's success.

Again, bullshit. If you took great pride in the quality of your software, you'd stop this marketing-speak and admit that you seriously screwed up and put many people at risk. Anyone with a modicum of understanding of how HTTPS and certificate systems work would recognize quickly what a dangerous situation this was, but neither Superfish nor Lenovo did. At least Lenovo now seems to be trying to make things right, while Superfish remains in total denial, hoping that a combination of mostly silence and bullshit "statements from the CEO" written by marketing are the way to solve this mess.
This is not how you solve a mess-up of this size. You need to own it. You need to come clean and admit that you messed up, how you messed up, why you messed up and what you're going to do to make sure it never, ever happens again. Superfish didn't do that, and at this point it's probably too late to try to turn that around.
Filed Under: superfish, vulnerability
Companies: komodia, lenovo, superfish
Reader Comments
Fuck you, Superfish.
But if history is any guide, the one thing we can count on is that Superfish will change its name. Disgraced organizations always do.
Hm... looks like the powers to be in Beijing...
and we thought technologically clueless lawmakers were the only bad thing we had to worry about
This goes beyond calling out that their tests suck. Maybe their tests do not. How many laptop provisioners have a line item in their test suite "does not expose user to massive MitM"? Probably none (arguments can be made that they should....)
This is purely and simply "technology and security cluelessness" in spades.
Because any halfway decent laptop provisioner should know the end result of what they are purchasing from their subcontractors. Even hearing a high-level, 30,000-foot description of the process ("we inject ads into shopping sites for you by decrypting web sites and re-encrypting it so the user doesn't notice") would have had any halfway competent neuron exposed to the security disasters in recent years lighting up like a distress flare. This conversation absolutely should have happened between Superfish and Komodia, or Lenovo and Superfish.
Being this ignorant of technology and security, for lawmakers and provisioners alike, is flat out unacceptable.
If Superfish doesn't think it's a big deal...
Re: If Superfish doesn't think it's a big deal...
You need to think big and ask that to deposit their check for all their revenue!
Ease up!
Not just HTTPS/SSL
VPNs
some SOAP web services
SSH logins
S/MIME e-mail
Secure FTP
PGP
etc.
CLASS ACTION!
Re:
http://www.pcworld.com/article/2887392/lenovo-hit-with-lawsuit-over-superfish-snafu.html
I think I figured it out
StupidFish, on the other hand, has a lawyer that charges by the hour, and has told them to just deny and spin, deny and spin, all the while mentally spending the hoards of cash they will make when the first breach can be tied back to this fine product!
In that light, the continued denials make more sense!
I'm really glad of two decisions I made since I retired
Never heard of Linux,or mac photography?
This particular instance, Superfish, is really just yet another example of the shenanigans you get throughout the Windows ecosystem.
The idea itself may be sound, but typically it is corporate interests that foist insecure or badly implemented software on unsuspecting users, where even technically proficient users are generally caught out, because the software is closed source/proprietary, and no one can easily inspect it, and no one but the proprietor can do anything about it, until it's too late, and mostly the proprietor won't do anything because the functionality that everyone hates is the feature they most want.
And unlike where there was a huge outcry at Canonical, for instance with their Dash search, and Canonical was very transparent about the whole process, mostly nothing gets done, because corporate interests supersede user interests, and transparency is considered a bug, not a feature.
Re: Never heard of Linux,or mac photography?
KDE's "semantic desktop" has several serious security issues, it's true. That's why I have it disabled and recommend disabling it to everyone else as well.
Re: Re: I'm really glad of two decisions I made since I retired
No, that's a terrible thing.
I posted a link earlier to an interview the Superfish CEO gave where he says they are a company of geniuses (14% have PhDs) and they don't sugarcoat anything. If something sucks, they say so.
Well Adi Pinhas, your software sucks, your handling of this situation sucks, and now your brand has negative equity. It does look like neat technology, but if building it into adware / malware is where they are at, the company must be in pretty bad shape.
Komodia is one guy...
Re: Re: Komodia is one guy...
"It seems like the "security" industry (not just software but the TSA, etc.) is based mostly on snake oil and theater."
That's because the security industry (this is true whether it's physical or digital security) has a long history of overstating their claims. However, if you ignore their hyperbole and deception, security companies do actually offer some real help in keeping yourself secure.
This is in contrast to the TSA, which I don't think actually offers real help toward that end.
Follow the money
https://www.crunchbase.com/organization/superfish/investors
US-Cert added an Alert for Superfish
The Alert fingers Komodia Redirector's SDK (Komodia is offline from a DDoS attack right now), as well as other vendors' products:
http://www.kb.cert.org/vuls/id/529496
".. the root CA certificates have been found to use trivially obtainable, publicly disclosed, hard-coded private keys.."
Care to try to back up your claim that it's safe, Mr. Pinhas?
The bullshit sounds an awful lot like the sort of thing that drops out of NSA.PR.BS spokes-person's mouth shortly after each Snowden Expose.
Perhaps the Superfish software is not faulty at all, but was designed to do exactly what it does - on purpose.
Fishfood for thought.
Cash is all corporate clowns listen to.
Topping Lenovo in extreme badness
Both Superfish and Komodia have pretty shady histories. Komodia is to blame for creating incompetently implemented malware, Superfish is to blame for creating malware that includes Komodia's incompetent engine, and Lenovo is to blame for using Superfish's software.
There's plenty of blame to go around here, Superfish. You aren't doing yourself any favors by pretending that you don't deserve a very large portion of it.