
Ain't that a kick in the head
So you're saying that, since 2010, a significant portion of the consumer market has been essentially wiretapped by a foreign-owned company? That's a little bit on the distressing side.
The US government's Computer Emergency Readiness Team (US-CERT) has said the Superfish ad-injecting malware installed by Lenovo on its new laptops is a "critical" threat to security. Chinese PC peddler Lenovo bundled the software nasty to make a fast buck from its cheap, low-margin hardware: the application hijacks web …
In terms of 'get off my lawn' probably not. But that is not the main problem.
This technique is another example of businesses deciding unilaterally to 'enhance the user experience' in ways that are calculated to be profitable to the business and exploitative of the user.
"Well... NSA won't serve you ads. IGMC...."
I wouldn't be surprised if the NSA hasn't tried to set up its own ad broker in order to spy on you while serving you ads. Setting up companies is an old trick in the book of secret services.
So it is actually likely that Superfish is in fact owned/controlled by the Mossad.
Chutzpah is a Yiddish word that means barefaced cheek (a classic example is the man who murdered his parents and then threw himself at the mercy of the court because he was an orphan). You cannot wear a chutzpah.
I suspect you may have meant the skull cap known as the kippah in Hebrew or yarmulke in Yiddish.
Lenovo will take all the heat (most of it rightfully) especially being a Chinese company but honestly those Superfish folks are the ones that belong in jail. I believe they are an American company so we can go after them. They are like the American version of Phorm (but far worse) and will try and get their malware installed (java update perhaps?) some other way now if left unchecked.
Wow too late. Can't make this stuff up.
"But Superfish, founded and led by former Intel employee and ex-surveillance boffin Adi Pinhas, has been criticised by users the world over since its inception in 2006. In one Apple Mac forum started in 2012 and continuing into the following year was full of complaints about a technology called Window Shopper, built by Superfish. It appears to have found its way onto people’s machines by being bundled with other software, in one case alongside an Oracle Java download, in another via an “Awesome Screenshot” extension. "
http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/
These Superfish guys many of which are from Israel are exactly the type of amoral people supposedly the British intelligence services were supposed to be more like. Based on the news the last few days it's safe to say they are.
http://www.theregister.co.uk/2015/01/26/idf_unit_820_gchq_tech_incubator_analysis/
So, the CTO of Lenovo doesn't want to argue with the security guys, merely to contradict everything they are saying about the safety of the software Lenovo forced on their customers. You know, if they had said (to paraphrase) "It seemed like a good idea at the time, we realize it really wasn't now, sorry about that", it may have minimized the repercussions. All this "Well, it's not that bad is it?" type waffling is making damn sure I never buy a Lenovo.
(Note, I take it as a bad sign when a company starts referring to customers as "consumers". "Consumer" is a macroeconomic term to differentiate between the general public that buys and "consumes" resources, goods and services, from those who provide and produce resources, goods and services. For example the term "consumer price index". I have no idea why companies, starting 10 or 15 years ago, thought it was remotely a good idea to start referring to their customers as "consumers". But I think it shows a general contempt for their customers, and indicates the company no longer views their customers as customers but as an aggregate lump that is bound by the laws of economics to buy ("consume") their products. They then act all surprised when it turns out the customers can turn away and buy someone else's products.)
A really exasperating point is that it will downgrade connections to SSL V2 and SSL V3 connections on request to your MITM bogus server in addition to converting its cert to a trusted certificate. What have we been wasting our time for over the last 10 years by trying to improve security? It's the Sony rootkit all over again, easily appropriated and usable by anyone out there with bad intent.
And that twin headed hydra Konovo/Lomodia gives us the same assurances Sony did back in the day that nothing's wrong. We've heard it all before, denial, spin, eventual capitulation. Time for some class action lawsuits by some Fortune 500 companies who will soon get hit by a quick spearfish attack enabled by using Komodia's severely broken software.
"As someone a bit dumb but interested, would this be possible if HTTP2 was being used?"
Yes it would still be possible. HTTP/2 only changes the wire format of the HTTP layer messages and makes TLSv1.2 the minimal version. The SSL/TLS encryption protocol is where the attack is happening. They can use all the trusted CA trickery to intercept connections of any type (email, ssh, even VPN, ... whatever uses SSL/TLS). The downgrade to SSLv2/v3 on the server connection would not be possible in HTTP/2, but that is not a necessary part of the hijack anyway.
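An added example, not part of the comment above or of the original thread: because the interception happens at the TLS layer, a client-side check looks at which root anchors each connection, regardless of whether HTTP/2 (`h2`) was negotiated. The record format, host names, issuer names and fingerprints below are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: one record per TLS connection as logged on the client.
# Hosts, issuer names and root fingerprints are made up for illustration.
OBSERVATIONS = [
    {"host": "bank.example", "alpn": "h2",
     "issuer": "Constructed Local Filter CA", "root_fp": "fp-local-01"},
    {"host": "mail.example", "alpn": "http/1.1",
     "issuer": "Constructed Local Filter CA", "root_fp": "fp-local-01"},
    {"host": "shop.example", "alpn": "h2",
     "issuer": "Constructed Local Filter CA", "root_fp": "fp-local-01"},
    {"host": "news.example", "alpn": "h2",
     "issuer": "Constructed Public CA", "root_fp": "fp-public-01"},
    {"host": "intranet.example", "alpn": "http/1.1",
     "issuer": "Constructed Corp CA", "root_fp": "fp-corp-01"},
]

# Assumption: fingerprints of the roots you expect on a clean install.
BASELINE_ROOTS = {"fp-public-01"}


def find_interception_roots(observations, baseline, min_hosts=3):
    """Flag roots outside the baseline that anchor certificates for at
    least `min_hosts` distinct hosts, the pattern a local TLS proxy leaves."""
    by_root = defaultdict(lambda: {"issuer": None, "hosts": set(), "alpn": set()})
    for rec in observations:
        if rec["root_fp"] in baseline:
            continue  # chain ends at an expected root
        entry = by_root[rec["root_fp"]]
        entry["issuer"] = rec["issuer"]
        entry["hosts"].add(rec["host"])
        entry["alpn"].add(rec["alpn"])  # kept to show h2 is not exempt
    return {
        fp: {"issuer": e["issuer"], "hosts": sorted(e["hosts"]),
             "alpn": sorted(e["alpn"])}
        for fp, e in by_root.items()
        if len(e["hosts"]) >= min_hosts
    }


if __name__ == "__main__":
    for fp, report in find_interception_roots(OBSERVATIONS, BASELINE_ROOTS).items():
        print(fp, report)
```

A root that appears for only one host (the constructed intranet CA here) stays below the threshold; lowering `min_hosts` trades fewer misses for more noise.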
I'm sure the webcam at the top of my laptop screen has started glowing red a la HAL 9000. Ah, it's just all the crapware this thing came with vying with each other to spy on me, insert ads etc.
Well it would do if I hadn't nuked the disc with dd and extreme prejudice, and peeled off and binned the Windows sticker at receipt time.
Now I just need to replace the BIOS, hard disc firmware and audit a few 100GB of source code and I can downgrade my tin foil suit to just a hat.
"You can't do that Jon errr Dave"
For good measure you should also kill any form of internal speakers and microphone and for Pete's sake, do something about the EM radiation your keyboard and screen emits all around.
And, erm, that's about all you can do before black helicopters will come after you when law enforcement will notice you have something you're trying to hide.
Anyway one of your upvotes is from me.
as secure boot is there to make sure you won't be able to run a different install image than the one mandated by your hardware vendor. After all when secure boot will turn out not to help against bootsector malware (as it'll simply add its key to the firmware before infection) Microsoft will mandate stricter control on the keys.
Or malware will just hide in the huge mess we call EFI.
>As if I needed another reason to nuke the entire preinstallation of any and all computers I buy
I think the point is that these systems have OEM Windows with no installation media, specifically to allow this bundling mess to exist. Isn't MS great? It is so good of them to help clean it up.
So yes, if you want to buy another Windows license to replace the one you've just paid for which came with the PC, you can. Or put anything-but-Windows on it.
Sounds like "baddie Pinch Ass" but with some letters left out...as in:
The perpetrator of the sexual assault on the underground, who was caught pinching women's asses (whereupon the animals involved started braying loudly and got distressed), was arrested and ordered to change his name to one which would reflect the offence he had committed.
Being unmasked, he decided to change his career and become a fishing expert. He was arrested for covertly bundling malware on people's computers, which is not an offence per se, while failing to publicise the full name that had been forced upon him by the court (a serious offence for which he was ordered to change his name again to reflect his new offence. Any suggestions are welcome).
Nice that the government's Computer Emergency Readiness Team (US-CERT) had jumped in and is giving consumers a heads up including instructions. So how many users actually have heard about this? Or even know about US-CERT? Things are quiet in the mainstream press, though if they pick it up, I'm sure I'll get a few friends calling who are "worried".
Superfish, founded in 2006, is a small company based in Palo Alto, California
Of course, the folks at Superfish will likely just get a wrist slap for this while individual white hat hackers often get jail time
On the other hand, they still have the death penalty for corporations, even for quite small infringements. One can reasonably hope that pretty soon, once the class actions get started, the first quote above will have to be modified to read
... was a small company based in Palo Alto, California
The other intrusive thought I keep having, is did any part of the Cthulhuesque entity that is the US government have anything to do with this, and if so, why?
I bought my son a Lenovo laptop about 9 months ago. It took me at least two hours to clean up all the adware/spyware/malware it came with. I blamed Curry's (amazingly it was the cheapest place) for it. It now appears that it was all Lenovo's fault.
Fortunately, I am paranoid so I inspected all the software and certs I could find to see what it was and removed everything I wasn't familiar with (which was pretty much all the 3rd party software) but some of it was very difficult to remove and would probably have been beyond the ability of the average user.
I am not impressed.
Apologies, this is a crosspost from one of the other threads but it seemed worth it
The ironic thing in all this is that the same Komodia software is being used both as scamware / hijack software, and as website protection software. How's that for amazing marketing???
We now know that the following scamware uses it
CartCrunch Israel LTD
WiredTools LTD
Say Media Group LTD
Over the Rainbow Tech
System Alerts
ArcadeGiant
Objectify Media Inc
Catalytix Web Services
OptimizerMonitor
While the following supposed security filters use it
Atom Security, Inc
Infoweise
KeepMyFamilySecure
Komodia
Kurupira
Lavasoft
Lenovo
Qustodio
Superfish
Websecure Ltd
I've also picked up hints from elsewhere that a number of toolbar programs also use it
Until we have a definitive list of just who else licenced the Komodia software we have to assume that ANY web-filtering security software is suspect unless otherwise proven
Forbes might want to answer to how SuperFish made it to #64 on their most promising companies (http://www.forbes.com/companies/superfish/).
It's as if they'd rated a company called "SuperHigh" whose business model involved salesmen on corners near high schools without determining that the little packets those salesmen were weren't exactly suitable for minors.
He said it wasn't working as nicely as his Macbook and so hadn't used it much since he bought it.
Well no sh*t! Machine was struggling to do anything in less than 3-4 minutes.
Just uninstalled twenty four pieces of bloatware off of it and ran a full adware scan etc. etc.
Now it's running nice and smoothly...as it should have done in the first place.
Thanks Advent! Well done!
It's just so idiotic. Imagine Ford selling you a new Mondeo and then just as you leave the forecourt they weld a 500KG anchor to the rear axle.