Failures

by Mike Masnick

Filed Under: superfish, vulnerability
Companies: komodia, lenovo, superfish

Superfish Keeps Digging Deeper And Deeper Hole: Still Refuses To Acknowledge Seriousness Of What Its Software Did

from the first-rule-of-holes dept

I pointed out earlier that it was fairly astounding that Superfish was basically remaining mostly quiet on the whole controversy over its software. If you've been under a rock, earlier this week, the security community pointed out how Superfish's software (installed by default on certain Lenovo laptops) created a massive security vulnerability. Superfish itself is adware, but that's the least of the problems. The software doesn't track your behavior like other adware, but instead tries to insert other buying options when you're viewing images of certain products. It tries to find the same or similar products that you can buy for less and tell you about them. I could see how that might be interesting for some people on some shopping sites if they chose to use the software. But, by being a default bloatware install on Lenovo laptops, there was no choice. Furthermore, it apparently was trying to do this on every website. And that's where the real problem came in.

Because many websites these days are encrypted via HTTPS (to better protect privacy), Superfish teamed up with a sneaky company named Komodia to install a really nasty and poorly implemented "trick." It installed its own self-signed root certificate and would then effectively offer up fake security certificates for ANY and EVERY HTTPS connection. And, of course, it used the same private key on every install, and that key was easily cracked (password: komodia), meaning that anyone who had this installed was basically open to a massive and hugely dangerous man-in-the-middle attack on any HTTPS connection. That's HUGE.

And Superfish still won't cop to it. Its website has nothing about this whole thing. Its Facebook page has nothing. Its Twitter feed only has that post from yesterday saying that Lenovo would soon be putting out a statement clarifying things -- but Lenovo's statement (which has changed over time) admits that there were problems and the company is working hard to remove all the damage that Superfish has done. And Superfish still doesn't get it. Its latest press statement shows that the company is in total denial about what kind of mess it helped create. It is still defending the whole "adware" thing, rather than the security hole. And, its only comment on the security hole is "some other company did that."
Superfish Statement from CEO

There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish's software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed.

This is not the time for your marketing speak. This is the time you apologize for putting many, many, many people at serious risk. Stop with the PR-sanitized "enhance their shopping experience."

Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn't identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. The software was disabled on the server side (i.e., Superfish's search engine) in January 2015.

This statement is almost entirely pure bullshit. No one has complained about Superfish storing personal data, but it absolutely does present a security risk. A massive one. An incredibly humongous, cannot-be-overstated security risk. And Superfish says it "does not present a security risk"? Bullshit. And then to say "a vulnerability was introduced unintentionally by a 3rd party." That's passing the buck. Yes, it's Komodia (which Superfish doesn't name) who appears to have done this, but it's Superfish who decided to use Komodia's braindead stupid method of breaking HTTPS. Yes, you tested it, but your tests suck if you didn't spot this kind of security mess.

Finally, disabling the software on the server side doesn't even address the main part of the issue, since the dangerous root certificate remained in place after that. And, yes, actions are now being taken to fix that, but no thanks to Superfish and its refusal to admit what happened.

Superfish takes great pride in the quality of its software, the transparency of its business practices, and its strong relationship with the Superfish user community. Superfish's visual search technology enables millions of people to explore and learn about the world in an engaging and highly intuitive manner. A positive user experience has been the cornerstone of Superfish's success.

Again, bullshit. If you took great pride in the quality of your software, you'd stop this marketing-speak and admit that you seriously screwed up and put many people at risk. Anyone with a modicum of understanding of how HTTPS and certificate systems work would recognize quickly what a dangerous situation this was, but neither Superfish nor Lenovo did. At least Lenovo now seems to be trying to make things right, while Superfish remains in total denial, hoping that a combination of mostly silence and bullshit "statements from the CEO" written by marketing are the way to solve this mess.

This is not how you solve a mess-up of this size. You need to own it. You need to come clean and admit that you messed up, how you messed up, why you messed up and what you're going to do to make sure it never, ever happens again. Superfish didn't do that, and at this point it's probably too late to try to turn that around.
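To make the mechanism above concrete, here is an added Go example (not code from the article, Superfish, Komodia or Lenovo) that models it with a freshly generated root key standing in for the one key that shipped on every laptop: a store that trusts that root accepts a certificate issued for any hostname, the same certificate is rejected once the root is removed (which is why disabling the software alone did not close the hole), and a store audit flags any trusted root whose private key is publicly known. The root name and hostnames are constructed for the example; the real Komodia key is not used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent, signed with the issuer's key, and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return cert
}

// MakeRoot builds a self-signed root CA; its key stands in for the one key shipped on every install (constructed, not Komodia's).
func MakeRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// ForgeFor is what anyone holding that shared key can do for any hostname: issue a cert every machine trusting the root accepts.
func ForgeFor(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	return sign(tmpl, root, &leafKey.PublicKey, rootKey)
}

// TrustedFor reports whether a client using this root store would accept leaf for host.
func TrustedFor(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// RootsWithKnownKey is the store audit the advisory implies: flag trusted roots whose private key is publicly known.
func RootsWithKnownKey(roots []*x509.Certificate, known []*ecdsa.PrivateKey) []string {
	var hits []string
	for _, r := range roots {
		for _, k := range known {
			if k.PublicKey.Equal(r.PublicKey) {
				hits = append(hits, r.Subject.CommonName)
			}
		}
	}
	return hits
}
```

Removing the root from the pool is the only step in this model that makes the forged certificate fail verification; nothing about the interceptor software itself matters to the client once the root is trusted.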

Reader Comments



  • S. T. Stone (profile), 20 Feb 2015 @ 4:10pm

    Statement from the General Public

    Fuck you, Superfish.


  • Anonymous Coward, 20 Feb 2015 @ 4:26pm

    I won't be holding my breath waiting for an apology from an adware company like Superfish.

    But if history is any guide, the one thing we can count on is that Superfish will change its name. Disgraced organizations always do.


  • Matthew A. Sawtell, 20 Feb 2015 @ 4:29pm

    Hm... looks like the powers to be in Beijing...

    ... need to get a better bunch of managers at Lenovo and elsewhere if they expect a better level of penetration than folks in Washington, London, and Moscow have.


  • beltorak (profile), 20 Feb 2015 @ 4:35pm

    and we thought technologically clueless lawmakers were the only bad thing we had to worry about

    Yes, it's Komodia (which Superfish doesn't name) who appears to have done this, but it's Superfish who decided to use Komodia's braindead stupid method of breaking HTTPS. Yes, you tested it, but your tests suck if you didn't spot this kind of security mess.

    This goes beyond calling out that their tests suck. Maybe their tests do not. How many laptop provisioners have a line item in their test suite "does not expose user to massive MitM"? Probably none (arguments can be made that they should....)

    This is purely and simply "technology and security cluelessness" in spades.

    Because any halfway decent laptop provisioner should know the end result of what they are purchasing from their subcontractors. Even hearing a high-level, 30,000-foot description of the process ("we inject ads into shopping sites for you by decrypting web sites and reencrypting it so the user doesn't notice") would have had any halfway competent neuron exposed to the security disasters in recent years lighting up like a distress flare. This conversation absolutely should have happened between Superfish and Komodia, or Lenovo and Superfish.

    Being this ignorant of technology and security, for lawmakers and provisioners alike, is flat out unacceptable.


  • Alan, 20 Feb 2015 @ 4:36pm

    If Superfish doesn't think it's a big deal...

    If Superfish doesn't feel that a man-in-the-middle is a big deal, I suggest they send me a check for all their profits on a quarterly basis. I'll make sure to promptly deposit the proceeds into their bank account for them.


    • Anonymous Coward, 20 Feb 2015 @ 5:02pm

      Re: If Superfish doesn't think it's a big deal...

      Only profits?

      You need to think big and ask them to deposit a check for all their revenue!


  • Anonymous Hero, 20 Feb 2015 @ 4:38pm

    Ease up!

    Man... before, my life was a scattered mess. I had all ads, scripts, trackers, banking sites, email—you name it—managed by all sorts of entities. With SuperFish, everything just goes through the same place. It really gave my online life a focus.


  • PRMan, 20 Feb 2015 @ 4:42pm

    Not just HTTPS/SSL

    This affects ANY service which uses certificates:

    VPNs
    some SOAP web services
    SSH logins
    S/MIME e-mail
    Secure FTP
    PGP
    etc.


  • DeComposer (profile), 20 Feb 2015 @ 5:09pm

    Can we show harm?

    CLASS ACTION!


  • MO'B (profile), 20 Feb 2015 @ 5:58pm

    I think I figured it out

    Lenovo has in-house lawyers who don't need extra work, so when they caught wind of this BS, they told Lenovo to StFU and make this go away ASAP!
    StupidFish, on the other hand, has a lawyer that charges by the hour, and has told them to just deny and spin, deny and spin, all the while mentally spending the hoards of cash they will make when the first breach can be tied back to this fine product!
    In that light, the continued denials make more sense!


  • tracyanne (profile), 20 Feb 2015 @ 6:07pm

    I'm really glad of two decisions I made since I retired

    Never use Windows again ever, and always source computers from where I have control over what goes into them, even when the OS is pre-installed.


    • jim, 21 Feb 2015 @ 6:27am

      Re: I'm really glad of two decisions I made since I retired

      What makes you think this only affects DOS/Windows? Never heard of Linux, or Mac photography? One of the great things is offline storage, and photo interpretation done by a third party online; that's where I believe I've seen the ads for Superfish before, even on my Mint machine. Don't have a Mac yet, but I would believe that feature would be available to them also. But it does sound like a neat feature, built-in MITM attacks; I wonder if ad aware is on board with the companies or the consumers?


      • tracyanne (profile), 21 Feb 2015 @ 7:53pm

        Never heard of Linux, or Mac photography?

        The "patented Technology" sounds very similar to the way KDE's Semantic desktop is implemented, as it pertains to photo recognition in Digikam.

        This particular instance, Superfish, is really just yet another example of the shenanigans you get throughout the Windows ecosystem.

        The idea itself may be sound, but typically it is corporate interests that foist insecure or badly implemented software on unsuspecting users, where even technically proficient users are generally caught out, because the software is closed source/proprietary, and no one can easily inspect it, and no one but the proprietor can do anything about it, until it's too late, and mostly the proprietor won't do anything because the functionality that everyone hates is the feature they most want.

        And unlike where there was a huge outcry at Canonical, for instance with their Dash search, and Canonical was very transparent about the whole process, mostly nothing gets done, because corporate interests supersede user interests, and transparency is considered a bug, not a feature.


        • John Fenderson (profile), 23 Feb 2015 @ 9:50am

          Re: Never heard of Linux, or Mac photography?

          "The "patented Technology" sounds very similar to the way KDE's Semantic desktop is implemented, as it pertains to photo recognition in Digikam."

          KDE's "semantic desktop" has several serious security issues, it's true. That's why I have it disabled and recommend disabling it to everyone else as well.


      • John Fenderson (profile), 23 Feb 2015 @ 9:48am

        Re: Re: I'm really glad of two decisions I made since I retired

        "One of the great things is offline storage, and photo interpretation done by third party online"

        No, that's a terrible thing.


  • Anonymous Coward, 20 Feb 2015 @ 8:52pm

    Superfish is all about transparency? So what was the nature of the deal they made with Lenovo? How much did they pay Lenovo? Where were they making money?

    I posted a link earlier to an interview the Superfish CEO gave where he says they are a company of geniuses (14% have PhDs) and they don't sugarcoat anything. If something sucks, they say so.

    Well Adi Pinhas, your software sucks, your handling of this situation sucks, and now your brand has negative equity. It does look like neat technology, but if building it into adware / malware is where they are at, the company must be in pretty bad shape.


  • lythic (profile), 20 Feb 2015 @ 9:21pm

    Komodia is one guy...

    Komodia isn't a company, it's one random guy with a few years of a psychology degree. Who the hell would use security software from someone with no actual knowledge or experience with encryption and security protocols?


    • That Anonymous Coward (profile), 20 Feb 2015 @ 11:36pm

      Re: Komodia is one guy...

      Someone able to use his psychology background to dazzle a bunch of idiot investors & business types. See, 'cause in those positions people with degrees are forced out and replaced with figureheads who answer to the shareholders above all others. It makes money, it must be good.


    • Anonymous Coward, 22 Feb 2015 @ 9:25am

      Re: Komodia is one guy...

      Who the hell would use security software from someone with no actual knowledge or experience with encryption and security protocols?

      Uh... everyone? It seems like the "security" industry (not just software but the TSA, etc.) is based mostly on snake oil and theater.


      • John Fenderson (profile), 23 Feb 2015 @ 9:54am

        Re: Re: Komodia is one guy...

        Komodia is not a security company. It's the exact opposite: they make spyware.

        "It seems like the "security" industry (not just software but the TSA, etc.) is based mostly on snake oil and theater."

        That's because the security industry (this is true whether it's physical or digital security) has a long history of overstating their claims. However, if you ignore their hyperbole and deception, security companies do actually offer some real help in keeping yourself secure.

        This is in contrast to the TSA, which I don't think actually offers real help toward that end.


  • Anonymous Coward, 20 Feb 2015 @ 11:47pm

    A Chinese company admits a mistake and an American company denies it? The world has changed.


  • Peter (profile), 21 Feb 2015 @ 12:10am

    Follow the money

    This marvel of technology could never have been built without generous support from the following sponsors:

    https://www.crunchbase.com/organization/superfish/investors


  • Paul Renault (profile), 21 Feb 2015 @ 4:49am

    US-Cert added an Alert for Superfish

    https://www.us-cert.gov/ncas/current-activity/2015/02/20/Lenovo-Computers-Vulnerable-HTTPS-Spoofing

    The Alert fingers Komodia Redirector's SDK (Komodia is offline from a DDoS attack right now), as well as other vendors' products:
    http://www.kb.cert.org/vuls/id/529496
    ".. the root CA certificates have been found to use trivially obtainable, publicly disclosed, hard-coded private keys.."

    Care to try to back up your claim that it's safe, Mr. Pinhas?


  • GEMont (profile), 21 Feb 2015 @ 2:23pm

    Damn, it sounds like SuperFish might just be another NSA affiliate shop.

    The bullshit sounds an awful lot like the sort of thing that drops out of NSA.PR.BS spokes-person's mouth shortly after each Snowden Expose.

    Perhaps the Superfish software is not faulty at all, but was designed to do exactly what it does - on purpose.

    Fishfood for thought.

    ---


  • Reality bites, 22 Feb 2015 @ 7:03am

    Cash is all corporate clowns listen to.

    When it hits the big corporate parasite at the top, then heads roll; until then it's business as usual.


  • John Fenderson (profile), 23 Feb 2015 @ 9:45am

    Topping Lenovo in extreme badness

    Superfish's transparent effort to put the blame on one of their suppliers (while claiming that their software doesn't present a security risk) is even worse than Lenovo's incredibly awful responses to the fiasco.

    Both Superfish and Komodia have pretty shady histories. Komodia is to blame for creating incompetently implemented malware, Superfish is to blame for creating malware that includes Komodia's incompetent engine, and Lenovo is to blame for using Superfish's software.

    There's plenty of blame to go around here, Superfish. You aren't doing yourself any favors by pretending that you don't deserve a very large portion of it.


