Lenovo CTO Claims Concerns Over Superfish Are Simply 'Theoretical'
from the find-a-new-cto dept
Lenovo keeps making things worse. First it installed crappy Superfish malware/adware on a bunch of its computers. That was bad enough. But the real problem was that, in a clever little “hack” to get around the fact that the adware wouldn’t work on HTTPS-enabled pages, Superfish installed its own self-signed root certificate, which amounts to a massively dangerous man-in-the-middle attack that lets it snoop on what you were doing on those HTTPS pages. And to make it even worse, every machine that received this Superfish self-signed root certificate got the exact same certificate, protected by an easily cracked password, so a massive and easily exploited vulnerability is now in place on tons of machines out there. Lenovo’s first response was to insist there was no evidence of any security concerns. It later, quietly, deleted that statement, but still seems unwilling to admit what an incredibly dangerous situation it has created.
In fact, the company is still in denial mode. Lenovo’s CTO, Peter Hortensius, was interviewed by the WSJ, and he insisted that any threats were “theoretical.”
WSJ: There seems to be a disparity between what security researchers are saying about the potential dangers of this Superfish software, and what the company has said about this app not presenting a security risk.
Hortensius: We’re not trying to get into an argument with the security guys. They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.
Fire your CTO, Lenovo. Fire your marketing people. Fire your security team. This is a disaster. In our first post, we compared it to the Sony rootkit fiasco from a decade ago, while noting the security risk here is much, much greater. And, so far, Lenovo appears to be playing straight from the Sony rootkit response playbook. If you don’t recall, after security folks pointed out what a security disaster the rootkit was, Sony’s response was to dismiss the concerns as… theoretical:
“Most people, I think, don’t even know what a rootkit is, so why should they care about it?”
In both cases, these technologies opened up giant, massive vulnerabilities on people’s computers. In both cases, they were easily exploitable (in the Lenovo case, much, much, much more easily exploitable in a much, much, much more nefarious way). And, in both cases, senior execs from the company tried to handwave it away because they don’t know if anyone abused these problems. This ignores that (1) it’s quite possible people have been abusing these vulnerabilities for months and it’s just not public yet, and (2) more importantly, it doesn’t fucking matter because the vulnerability is still there and easily exploitable by lots and lots of people now because it’s widely known.
Handwaving this off as a “theoretical” concern is not just missing the point — it suggests a fundamental lack of understanding about rather basic security practices. As I mentioned earlier, I’ve been a very loyal Thinkpad buyer for years (though, thankfully, the machine I bought a couple months ago wasn’t one infected this way). Every time I’ve dabbled with other laptops I’ve regretted it. But Lenovo’s response to this is very quickly convincing me that the company should never get any more money from me. It’s not just the initial screwup in preinstalling such a security mess, but the completely ridiculous response to it that suggests a company that still doesn’t recognize what it has done.
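The practical counter to “theoretical” is to look at the trust store of an affected machine and see whether a locally installed root CA is there. The following PowerShell script is an added example for that check; it is not code from Techdirt, Lenovo or Superfish. It walks the machine and user Root stores, flags any root whose subject matches a name pattern (the default pattern uses the name “Superfish” only because that is the product discussed above; the exact subject string of the real certificate is an assumption you should confirm on your own machine), and separately flags any root whose private key is present on the local machine, because a root CA with its private key on the endpoint is exactly what lets a local interceptor mint certificates for any HTTPS site that machine visits.

```powershell
# Added example (not Lenovo's, Superfish's or Techdirt's code): inventory the
# Windows trusted-root stores for a locally installed interception CA.
# Assumption: the subject-name pattern is a placeholder; adjust it to the
# subject string you actually see in the store.
param(
    [string]$Pattern = '*Superfish*',   # subject pattern to flag (assumed)
    [switch]$Remove                     # delete name matches; needs an elevated shell
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        # Enhanced Key Usage tells you what the root is allowed to vouch for.
        # An empty list means "all purposes", which includes code signing.
        $eku = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        if ($eku -eq '') { $eku = '(none listed: all purposes)' }
        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            # A root CA whose private key lives on this very machine is the
            # hallmark of a local TLS interceptor.
            HasPrivateKey = $cert.HasPrivateKey
            EKU           = $eku
            NameMatch     = ($cert.Subject -like $Pattern)
        }
    }
}

# Report anything matching the pattern, plus any root with a local private key.
$suspect = $findings | Where-Object { $_.NameMatch -or $_.HasPrivateKey }
$suspect | Format-Table Store, Subject, Thumbprint, HasPrivateKey, EKU -AutoSize

if ($Remove) {
    # Only remove explicit name matches; review HasPrivateKey hits by hand,
    # since a legitimate internal CA on its own server would also trip that flag.
    foreach ($s in ($suspect | Where-Object NameMatch)) {
        Remove-Item -Path "$($s.Store)\$($s.Thumbprint)" -Verbose
    }
}
```

Run it first without `-Remove` to see what it finds; a root that is both self-signed and has its private key on the endpoint deserves scrutiny whatever its name. Removing the root certificate closes the trust hole but does not uninstall the software that put it there, so treat the removal as one step, not the whole cleanup.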
Comments on “Lenovo CTO Claims Concerns Over Superfish Are Simply 'Theoretical'”
But Lenovo’s response to this is very quickly convincing me that the company should never get any more money from me.
If everybody voted with their wallets and caused a lot of financial damage to the companies that act like this (see Sony, EA etc) they’d be at least more transparent and swift in their responses, or even avoid stupidity altogether. But instead people simply keep buying out of ignorance or masochism…
Re: Re:
The problem is that they are all so bad, consumers have to just buy into the lesser evil.
Re: Re: Re:
Citibank bought my parents’ mortgage with 5 months left on it and then tried to hide so they would default on it after 30 years of perfect payments.
Where does my dad bank now? You guessed it.
They tried to STEAL HIS HOUSE! And he still does business with them.
Re: Re: Re: Re:
Is that because Citi owns the bank, or bought the bank and runs it, or the competition is that poor for customers? It’s amazing how many mom-and-pop banks there are, with Citi on the board.
Hortensius: We’re not trying to get into an argument with the security guys. They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.
One red flag to remember: if you do not detect or know of any fraud, there is probably fraud occurring.
This is like letting a murderer off because his bullet missed the victim.
Re: Re:
It’s more like letting the murderer off because the victim’s body was never found…
Re: Re: Re:
yes, that is better.
Re: Re: Re:
“Well, can’t have a murder without a witness.”
– Tombstone (1993)
Re: Re:
I’m sure that with Lenovo having done something this bad that they will get a punishment just as horrible as Sony received for its rootkit scandal.
Re: Re: Re:
So they’re going to get hacked 24 times in the next 4 years? Awesome. Can’t wait to see it.
Re: Re:
You’re not being spied on if you don’t know you’re being spied on.
Meanwhile, in the Middle Ages...
“Yes, there’s a big honking hole in my castle wall, but no enemy troops have stormed in through it so any concerns about it are all theoretical.”
-King Peter Hortensius the First (and last)
Re: Meanwhile, in the Middle Ages...
you mean “… but as far as we know, no enemy troops have come through it …”
At a minimum
That would be called the second step in the long road to trying to regain anything like trust. But the head-rolling needs to go beyond that. Every single executive who was aware of this and didn’t object to it needs to be fired for gross incompetence. Seriously, this isn’t something that you need to be an engineer to spot.
The first step would be for them to actually come out and say what they did wrong (so we know they get it), and to stop with the incredible claim that they were doing it because they thought everyone would love it. They haven’t even done that much yet.
Re: Old marketing maxim
Re: Re: Old marketing maxim
Oops, I meant to type this:
“It takes months to find a customer, but only seconds to lose one.”
Some variations of this suggest it’s years instead of months. You start to wonder if the guys in marketing are aware of this.
In other news
Beef industry spokesman: We’re not trying to get into an argument with the health guys. They’re dealing with theoretical concerns. We have no insight that anything serious has occurred. But we agree that Salmonella was not something we want to have in our beef, and we realized we needed to do more.
Most people, I think, don’t even know what Salmonella is, so why should they care about it?
Re: In other news
It’s funny that such a standard PR dodge also happens to be the entire raison d’etre for marketing: people don’t know what this is, and it’s our job to make them want to spend money on it anyway.
On an unrelated note, I’ve been hearing lots of great things about Aquagenic Urticaria, and I can’t wait to get me a whole big mess of it.
Every active exploit was at one point simply theoretical. Since this is such a juicy vector, I can’t imagine it will be long before it’s part of the standard toolkit. If it isn’t already.
Re: Re:
If someone from the Ministry of Truth paid to have Superfish installed, then it probably already is in their standard toolkit of exploits.
Re: Re: Re:
There is already a root certificate in our certificate stores listed as belonging to the US government. I’m sure there are others in there we don’t know about.
Re: Re:
And the authors of the affected software used to love pointing this out. To quote Moxie Marlinspike (IIRC, and from memory), “Microsoft claimed it wasn’t exploitable, so I released a tool that exploits it”. MS has gotten better about acknowledging bugs without attached exploits; Lenovo are falling back on a strategy about 10 years out of date.
Re: Re: Re:
Quoted from these slides, page 18 (re: sslsniff; the Defcon 17/2009 talk video is available too):
And then in 2002…
● Microsoft did something particularly annoying, so I blew this up by publishing it.
● Microsoft claimed that it was impossible to exploit.
● So I also published the tool that exploits it.
What does this say about Lenovo Security beyond this product?
If this is the response that a serious security concern gets, I have zero to nil confidence that an actual breach of Lenovo would be met with anything but a shrug by the company. Therefore, I have no confidence in their security, their processes, and therefore their products.
Nothing personal, Lenovo, I just don’t fuck around with products when the manufacturer doesn’t do bare diligence in protecting their own shit.
Superfish
Sounds like one of those cutesy names those jerks at the alphabet-soup agencies like to call their systems
Re: Re:
Superfish
Sounds like one of those cutesy names those jerks at the alphabet-soup agencies like to call their systems
Almost, but not quite. You see, the alphabets name theirs in all-caps.
They packaged that certificate up and made it valid for code signing so it can be used to install a root kit that Windows will not object to.
Yeap, simply theoretical.
http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/
No wonder they were averse to doing something about it. Every time it comes to state spyware there’s always a lie about why it isn’t this or that, to prevent doing something about it till their nose is rubbed in it.
I have one of the affected computers and I had already uninstalled the crap that did this and disabled a bunch of background crap they have that looks like it is made for remote administration.
I hope this kills off bundleware. Nobody deserves to get hit with this kind of garbage.
ALL threats are theoretical; otherwise, they’re called attacks.
Re: Re:
Exactly. And just because you don’t know a murderer doesn’t prove they don’t exist.
Their defence seems tailored at reducing the stock hit, by exploiting less knowledgeable investors. That is not uncommon for chumps beating drums in WSJ.
Re: Re:
Just as theoretical as the theory of gravity. The first exploit should arrive by Monday.
Lenovo just ensured I will never buy a product from them.
Ever.
I certainly hope this denial was worth it.
Barry Allen: [After he’s already gained superpowers] Dark energy, antimatter, X-elements… those are all theoretical!
Harrison Wells: How theoretical are you, Mr. Allen?
— The Flash, pilot.
Theoretical, practical, it’s just semantics.
This kind of response is to be expected. It shouldn’t surprise you anymore. The same kind of incompetence that led to this being included leads to the denials being published. How fast do you expect things to move inside the company?
Alternatively, even if some higher ups have now been briefed by competent personnel, they might still want to go this way. Try to deflect as much damage by sowing some doubt into the non-technical people. Those that don’t understand what the whole thing is about. Let them hear conflicting information that makes them want to stop reading whilst we root out the cause. It’s not a clever strategy either, but denial is a very natural reaction.
With these recurring situations I’d prefer to take a psychologist’s perspective to try and understand it rather than getting upset every time. That’s not to say that you have to stay quiet, but it does help keep your sanity I believe.
Re: Re:
“This kind of response is to be expected. It shouldn’t surprise you anymore.”
I doubt that anyone is surprised. That response does amplify the outrage and condemnation of the company, though, as it should.
“With these recurring situations I’d prefer to take a psychologist’s perspective to try and understand it rather than getting upset every time.”
I think most people here understand it just fine! However, understanding a thing doesn’t mean that it won’t upset you. Particularly when the upset is 100% justified.
Has anyone looked at the terms and conditions that come with these Lenovo laptops? Do they disclose that Lenovo intentionally infected them with malware before they left the factory?
If not, Lenovo needs to get sued for selling infected computers.