Superfish Keeps Digging Deeper And Deeper Hole: Still Refuses To Acknowledge Seriousness Of What Its Software Did
from the first-rule-of-holes dept
I pointed out earlier that it was fairly astounding that Superfish was basically remaining mostly quiet on the whole controversy over its software. If you’ve been under a rock, earlier this week, the security community pointed out how Superfish’s software (installed by default on certain Lenovo laptops) created a massive security vulnerability. Superfish itself is adware, but that’s the least of the problems. The software doesn’t track your behavior like other adware, but instead tries to insert other buying options when you’re viewing images of certain products. It tries to find the same or similar products that you can buy for less and tell you about them. I could see how that might be interesting for some people on some shopping sites if they chose to use the software. But, by being a default bloatware install on Lenovo laptops, there was no choice. Furthermore, it apparently was trying to do this on every website. And that’s where the real problem came in.
Because many websites these days are encrypted via HTTPS (to better protect privacy), Superfish teamed up with a sneaky company named Komodia, to install a really nasty and poorly implemented “trick.” It installed its own, self-signed root certificate, and would then effectively offer up fake security certificates for ANY and EVERY HTTPS connection. And, of course, it used the same key on every install, and that key was easily cracked (password: komodia), meaning that anyone who had this installed, was basically open to a massive and hugely dangerous man-in-the-middle attack on any HTTPS connection. That’s HUGE.
And Superfish still won’t cop to it. Its website has nothing about this whole thing. Its Facebook page has nothing. Its Twitter feed only has that post from yesterday saying that Lenovo would soon be putting out a statement clarifying things — but Lenovo’s statement (which has changed over time) admits that there were problems and the company is working hard to remove all the damage that Superfish has done. And Superfish still doesn’t get it. Its latest press statement shows that the company is in total denial about what kind of mess it helped create. It is still defending the whole “adware” thing, rather than the security hole. And, its only comment on the security hole is “some other company did that.”
Superfish Statement from CEO
There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish’s software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed.
This is not the time for your marketing speak. This is the time you apologize for putting many, many, many people at serious risk. Stop with the PR-sanitized “enhance their shopping experience.”
Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. The software was disabled on the server side (i.e., Superfish’s search engine) in January 2015.
This statement is almost entirely pure bullshit. No one has complained about Superfish storing personal data, but it absolutely does present a security risk. A massive one. A incredibly humungous, cannot be overstated, sized-security risk. And Superfish says it “does not present a security risk”? Bullshit. And then to say “a vulnerability was introduced unintentionally by a 3rd party.” That’s passing the buck. Yes, it’s Komodia (which Superfish doesn’t name) who appears to have done this, but it’s Superfish who decided to use Komodia’s braindead stupid method of breaking HTTPS. Yes, you tested it, but your tests suck if you didn’t spot this kind of security mess.
Finally, disabling the software isn’t even the main part of the issue, since the dangerous root certificate still remained after that. And, yes, actions are now being taken to fix that, but no thanks to Supefish and its refusal to admit what happened.
Superfish takes great pride in the quality of its software, the transparency of its business practices, and its strong relationship with the Superfish user community. Superfish’s visual search technology enables millions of people to explore and learn about the world in an engaging and highly intuitive manner. A positive user experience has been the cornerstone of Superfish’s success.
Again, bullshit. If you took great pride in the quality of your software, you’d stop this marketing-speak and admit that you seriously screwed up and put many people at risk. Anyone with a modicum of understanding of how HTTPS and certificate systems work would recognize quickly what a dangerous situation this was, but neither Superfish nor Lenovo did. At least Lenovo now seems to be trying to make things right, while Superfish remains in total denial, hoping that a combination of mostly silence and bullshit “statements from the CEO” written by marketing are the way to solve this mess.
This is not how you solve a mess up of this size. You need to own it. You need to come clean and admit that you messed up, how you messed up, why you messed up and what you’re going to do to make sure it never, ever happens again. Superfish didn’t do that, and at this point it’s probably too late to try to turn that around.
Filed Under: superfish, vulnerability
Companies: komodia, lenovo, superfish
Comments on “Superfish Keeps Digging Deeper And Deeper Hole: Still Refuses To Acknowledge Seriousness Of What Its Software Did”
Statement from the General Public
Fuck you, Superfish.
Re: Re:
And the horse you rode in on.
Re: Re:
Perhaps they can change it to SuperPhish.
I won’t be holding my breath waiting for an apology from an adware company like Superfish.
But if history is any guide, the one thing we can count on is that Superfish will change its name. Disgraced organizations always do.
Re: Re:
I replied to the wrong comment. 🙂
Re: Re:
“…Superfish will change its name…” ding ding ding
Hm... looks like the powers to be in Beijing...
… need to get a better bunch of managers at Lenovo and elsewhere if they expect a better level of penetration that folks in Washington, London, and Moscow have.
and we thought technologically clueless lawmakers were the only bad thing we had to worry about
This goes beyond calling out that their tests suck. Maybe their tests do not. How many laptop provisioners have a line item in their test suite “does not expose user to massive MitM”? Probably none (arguments can be made that they should….)
This is purely and simply “technology and security cluelessness” in spades.
Because any halfway decent laptop provisioner should know the end result of what they are purchasing from their subcontractors. Even hearing a high level, 30,000 feet description of the process (“we inject ads into shopping sites for you by decrypting web sites and reencrypting it so the user doesn’t notice”) would have had any halfway competent neuron exposed to the security disasters in recent years lighting up like a distress flair. This conversation absolutely should have happened between superfish and komodia, or lenovo and superfish.
Being this ignorant of technology and security, for lawmakers and provisioners alike, is flat out unacceptable.
If Superfish doesn't think it's a big deal...
If Superfish doesn’t feel that a man-in-the-middle is a big deal, I suggest they send me a check for all their profits on a quarterly basis. I’ll make sure to promptly deposit the proceeds into their bank account for them.
Re: If Superfish doesn't think it's a big deal...
Only profits?
You need to think big and ask that to deposit their check for all their revenue!
Ease up!
Man… before, my life was a scattered mess. I had all ads, scripts, trackers, banking sites, email—you name it—managed by all sorts of entities. With SuperFish, everything just goes through the same place. It really gave my online life a focus.
Not just HTTPS/SSL
This affects ANY service which uses certificates:
VPNs
some SOAP web services
SSH logins
S/MIME e-mail
Secure FTP
PGP
etc.
Re: Not just HTTPS/SSL
they should just rebrand themselves as “Root-in-a-Box”
Re: Not just HTTPS/SSL
SSH and PGP have their own separate key hierarchies.
Can we show harm?
CLASS ACTION!
Re: Re:
We deliver:
http://www.pcworld.com/article/2887392/lenovo-hit-with-lawsuit-over-superfish-snafu.html
I think I figured it out
Lenovo has in-house lawyers who don’t need extra work, so when they caught wind of this BS, they told Lenovo to StFU and make this go away ASAP!
StupidFish, on the other hand, has a lawyer that charges by the hour, and has told them to just deny and spin, deny and spin, all the while mentally spending the hoards of cash they will make when the first breach can be tied back to this fine product!
In that light, the continued denials make more sense!
I'm really glad of two decisions I made since I retired
Never use Windows again ever, and always source computers from where I have control over what goes into them, even when the OS is pre installed.
Re: I'm really glad of two decisions I made since I retired
What makes you think this only affects dos/windows? Never heard of Linux,or mac photography? One of the great things is offline storage, and photo interpretation done by third party online, that’s where I believe I’ve seen the ads for super fish before, even on my mint machine. Don’t have a Mac yet, but I would believe that feature would be available to them also. By does sound like a neat feature, built in mitm attacks, I wonder if ad aware is on board with the companies or the consumers?
Re: Re: Never heard of Linux,or mac photography?
The “patented Technology” sounds very similar to the way KDE’s Semantic desktop is implemented, as it pertains to photo recognition in Digikam.
This particular instance, Superfish, is really just yet another example of the shenanigans you get through out the Windows ecosystem.
The idea itself may be sound, but typically it is corporate interests that foist insecure or badly implemented software on unsuspecting users, where even technically proficient users are generally caught out, because the software is closed source/proprietary, and no can easily inspect it, and no one but the proprietor can do anything about it, until it’s too late, and mostly the proprietor won’t do anything because the functionality that everyone hates is the feature they most want.
And unlike where there was a huge out cry at Canonical, for instance with their Dash search, and Canonical was very transparent about the whole process, mostly nothing gets done, because Corporate interests supersede user interests, and transparency is considered a bug, not a feature.
Re: Re: Re: Never heard of Linux,or mac photography?
“The “patented Technology” sounds very similar to the way KDE’s Semantic desktop is implemented, as it pertains to photo recognition in Digikam.”
KDE’s “semantic desktop” has several serious security issues, it’s true. That’s why I have it disabled and recommend disabling it to everyone else as well.
Re: Re: I'm really glad of two decisions I made since I retired
“One of the great things is offline storage, and photo interpretation done by third party online”
No, that’s a terrible thing.
Superfish is all about transparency? So what was the nature of the deal they made with Lenovo? How much did they pay Lenovo? Where where they making money?
I posted a link earlier to an interview the Superfish CEO gave where he says they are a company of geniuses (14% have PhDs) and they don’t sugarcoat anything. If something sucks, they say so.
Well Adi Pinhas, your software sucks, your handling of this situation sucks, and now your brand has negative equity. It does look like neat technology, but if building it into adware / malware is where they are at, the company must be in pretty bad shape.
Komodia is one guy...
Komodia isn’t a company, it’s one random guy with a few years of a psychology degree. Who the hell would use security software from someone with no actual knowledge or experience with encryption and security protocols?
Re: Komodia is one guy...
Someone able to use his psychology background to dazzle a bunch of idiot investors & business types. See cause in those positions people with degrees are forced out and replaced with figureheads who answer to the shareholders above all others. It makes money, it must be good.
Re: Komodia is one guy...
Uh… everyone? It seems like the “security” industry (not just software but the TSA, etc.) is based mostly on snake oil and theater.
Re: Re: Komodia is one guy...
Komodia is not a security company. It’s the exact opposite: they make spyware.
“It seems like the “security” industry (not just software but the TSA, etc.) is based mostly on snake oil and theater.”
That’s because the security industry (this is true whether it’s physical or digital security) has a long history of overstating their claims. However, if you ignore their hyperbole and deception, security companies do actually offer some real help in keeping yourself secure.
This is in contrast to the TSA, which I don’t think actually offers real help toward that end.
a chinese company admit mistake and an american company deny it? the world has change.
Follow the money
This marvel of technology could never have been built without generous support from the following sponsors:
https://www.crunchbase.com/organization/superfish/investors
Re: Follow the money
Three of these VCs are Israeli. Could there be a Mossad connection???????? Let’s ask Tom Draper!
US-Cert added an Alert for Superfish
https://www.us-cert.gov/ncas/current-activity/2015/02/20/Lenovo-Computers-Vulnerable-HTTPS-Spoofing
The Alert fingers Komodia Redirector’s SDK (Komodia is offline from a DDOS attack right now), as well as other vendors’ products:
http://www.kb.cert.org/vuls/id/529496
“.. the root CA certificates have been found to use trivially obtainable, publicly disclosed, hard-coded private keys..”
Care to try to back up your claim that it’s safe, Mr. Pinhas?
Damn, it sounds like SuperFish might just be another NSA affiliate shop.
The bullshit sounds an awful lot like the sort of thing that drops out of NSA.PR.BS spokes-person’s mouth shortly after each Snowden Expose.
Perhaps the Superfish software is not faulty at all, but was designed to do exactly what it does – on purpose.
Fishfood for thought.
—
Cash is all corporate clowns listen too.
When it hits the big corporate parasite at the top, then heads role, until then its business as usual.
Topping Lenovo in extreme badness
Superfish’s transparent effort to put the blame on one of their suppliers (while claiming that their software doesn’t present a security risk) is even worse than Lenovo’s incredibly awful responses to the fiasco.
Both Superfish and Komodia have pretty shady histories. Komodia is to blame for creating incompetently implemented malware, Superfish is to blame for creating malware that includes Komodia’s incompetent engine, and Lenovo is to blame for using Superfish’s software.
There’s plenty of blame to go around here, Superfish. You aren’t doing yourself any favors by pretending that you don’t deserve a very large portion of it.