Superfish (aka Reason #4,927 to like Linux)

dXTC
Level 4
Posts: 201
Joined: Fri Dec 26, 2014 3:19 pm
Location: Closer to the Derby than I care to admit

Superfish (aka Reason #4,927 to like Linux)

Post by dXTC » Fri Feb 20, 2015 9:35 am

Have you ever wondered if all that bloatware that is pre-loaded on most MS Windows-based products could really do damage?

Click here and watch as an IT security nightmare comes true. -> Article on The Verge: http://www.theverge.com/2015/2/19/80675 ... ta-hackers

TL;DR version: On many Lenovo PCs sold between September and December 2014 (including the highly-touted Yoga Pro) is a "partner program" called Superfish, which "looks at" pictures of objects and tries to send ads to you for similar products. In order to get around HTTPS sites (where most online vendors keep their product photos), it establishes an unrestricted root certificate for itself, with a specific passphrase. Unfortunately, that passphrase has now been compromised, and hackers can now use Man-In-The-Middle attacks against users, who think that the .EXE that's been sent to them has been digitally verified by Microsoft.

On top of that, Superfish gets around HTTPS as mentioned above, leaving a gaping hole in SSL.

And Lenovo had the gall to say that it doesn't see any substantial security risk.

Oops.
dXTC
-----
IT oldie, Linux newbie, and all-around goofy fellow.
Mint Cinnamon on Dell XPS 210, Optiplex 760, Inspiron N4110 and Latitude E4200;
Mint Xfce on Lenovo Ideapad S10.
Some OS X and WinXP too; I'm multi-platform like that.

xenopeek
Level 24
Posts: 24059
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Superfish (aka Reason #4,927 to like Linux)

Post by xenopeek » Fri Feb 20, 2015 10:26 am

This is some crazy scary stuff. Whenever you request a secure connection to a website (like your bank), this program intercepts that request, fakes the certificate, and acts as a proxy between your browser and the website. As I understand it, this program effectively wiretaps all your secure traffic :shock: And worse, the password for the fake root certificate has been cracked, meaning that malicious websites or programs that would use a certificate signed by that fake root certificate would be automatically marked as trusted on these computers! What a mess :(

Now this isn't immediately a reason to like Linux and not also like Windows; it's just that when a company pulls a stunt like this, installing a bloatware program to effectively rendering HTTPS useless, you recall why you prefer installing the OS on your own so there's no bloatware :wink:

tdockery97
Level 14
Posts: 5064
Joined: Sun Jan 10, 2010 8:54 am
Location: Salem, Oregon

Re: Superfish (aka Reason #4,927 to like Linux)

Post by tdockery97 » Fri Feb 20, 2015 10:58 am

xenopeek wrote:Now this isn't immediately a reason to like Linux and not also like Windows; it's just that when a company pulls a stunt like this, installing a bloatware program to effectively rendering HTTPS useless, you recall why you prefer installing the OS on your own so there's no bloatware :wink:
I agree. When buying a new desktop or laptop system in this day and age, it can be worth paying an extra $100 for a retail copy of Windows. You get a nice clean install without the scary adware/malware that manufacturers include.
Mint 19.2 Cinnamon

dXTC
Level 4
Posts: 201
Joined: Fri Dec 26, 2014 3:19 pm
Location: Closer to the Derby than I care to admit

Re: Superfish (aka Reason #4,927 to like Linux)

Post by dXTC » Fri Feb 20, 2015 11:25 am

tdockery97 wrote:
xenopeek wrote:Now this isn't immediately a reason to like Linux and not also like Windows; it's just that when a company pulls a stunt like this, installing a bloatware program to effectively rendering HTTPS useless, you recall why you prefer installing the OS on your own so there's no bloatware :wink:
I agree. When buying a new desktop or laptop system in this day and age, it can be worth paying an extra $100 for a retail copy of Windows. You get a nice clean install without the scary adware/malware that manufacturers include.
Allow me to clarify my position. I don't necessarily hate Windows. I still kinda like it, in fact. However, bloatware is rampant in the Windows community-- has been since before the turn of the century-- and I'm surprised that situations like this Superfish fiasco aren't more common. With Linux, I know what gets loaded onto my machines-- and I have the license to change what I don't like.

Microsoft has noticed the bloatware phenomenon, and is trying to capitalize on it with their Signature Edition PCs: items built by other manufacturers that have been reimaged with a clean Windows installation, with no trialware or other junk software added. Good luck with that, MS.

killer de bug
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: Superfish (aka Reason #4,927 to like Linux)

Post by killer de bug » Fri Feb 20, 2015 2:14 pm

tdockery97 wrote: I agree. When buying a new desktop or laptop system in this day and age, it can be worth paying an extra $100 for a retail copy of Windows. You get a nice clean install without the scary adware/malware that manufacturers include.
Or install Linux Mint for free and be safe.
As you are not using your Windows license, but you paid for it with your new laptop, ask for a refund. Here in Europe it works well.

And finally give $50 or $100 to the Linux Mint team :)
If it ain't broke, fix it until it is.

MartyMint
Level 5
Posts: 953
Joined: Thu Dec 27, 2012 10:50 pm

Re: Superfish (aka Reason #4,927 to like Linux)

Post by MartyMint » Fri Feb 20, 2015 6:18 pm

My last 3 laptops have only had Windows on them for the few hours it takes to set up, then image the drive, then do a complete wipe (including recovery partitions)...

...then install my preferred distro (Ubuntu Studio, Mint MATE, PCLinuxOS MATE...etc...)

I keep the image of the complete Windows install on removable, long-term storage, for re-sale or handing down the laptop to anyone that has a preference for Microsoft's offering.

xenopeek
Level 24
Posts: 24059
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Superfish (aka Reason #4,927 to like Linux)

Post by xenopeek » Sat Feb 21, 2015 4:41 am

Superfish doubles down, says HTTPS-busting adware poses no security risk

A fun read that :| With the update that you don't even need to extract the root certificate's password or sign your faked certificates with it, because Superfish will automatically sign websites' invalid certificates with its root certificate!

What does that mean? So you make a website, run a phishing scam to trick people into visiting it, you have an invalid certificate on the website so normally browsers would say "hey this is fishy! don't trust this website!", but because Superfish signs the invalid certificate with its own root certificate browsers say "okay, this indeed is <insert website you don't want credentials to fall in hands of criminals of>"... No security risk?

Edit: okay, so this goes beyond Lenovo: Lenovo wasn't the only one using SSL certs that unlock every SSL site on the Internet. The technology to wiretap secure traffic for Superfish, built by Komodia, is used in many other programs: Will the madness never end? Komodia SSL certificates are EVERYWHERE.

As explained in those articles, there is a "valid" reason to wiretap secure traffic, for example to allow virus scanners to listen in. The difference being, virus scanners would generate a certificate per user, which is a lot better than the Komodia certificate that is the same for all users worldwide.

excollier
Level 4
Posts: 460
Joined: Mon Oct 01, 2012 3:31 pm
Location: Donegal, Ireland

Re: Superfish (aka Reason #4,927 to like Linux)

Post by excollier » Sat Feb 21, 2015 5:48 am

Sounds Superfishy to me...
Registered Linux user #557695
Mint 17.3 XFCE & Debian 9.1 XFCE dual boot (desktop), Raspbian Jessie (Raspberry Pi)
Windows 10 VM (I know) so I can work from home.

Pierre
Level 18
Posts: 8902
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Superfish (aka Reason #4,927 to like Linux)

Post by Pierre » Sat Feb 21, 2015 9:35 am

don't normally defend the M$, but in this case:
Some new PCs come pre-installed with programs, toolbars, utilities and screensavers that you might not want and may never use. This can slow down your computer and junk up your Start screen or desktop. When you buy a new PC at Microsoft Store, we ensure there's no third-party junkware or trialware installed.
it's called "Signature Edition" :
http://www.microsoftstore.com/store?Sit ... D=33363200

as usual - it's only available in North America.
:twisted:
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

lexon
Level 6
Posts: 1085
Joined: Sat Jan 31, 2009 10:53 pm
Location: MA USA

Re: Superfish (aka Reason #4,927 to like Linux)

Post by lexon » Tue Feb 24, 2015 5:36 pm

Don't know much about this but have been reading the news articles. This Superfish is supposed to be firmware. Where is it installed?
I have older HP and Acer laptops with Mint 16/17 only. No Windows so not an issue for me. Just curious.
I might need a new laptop in the future.
I learned years ago, Failure is not an option. It comes bundled with Windows.

L
Lindows, Linspire, Freespire, Ubuntu, Mint 15 Cinnamon, Mint 16 XFCE, Mint 17 Cinnamon 64 bit. Mint 19 64 bit Cinnamon.

dXTC
Level 4
Posts: 201
Joined: Fri Dec 26, 2014 3:19 pm
Location: Closer to the Derby than I care to admit

Re: Superfish (aka Reason #4,927 to like Linux)

Post by dXTC » Tue Feb 24, 2015 6:05 pm

lexon wrote:Don't know much about this but have been reading the news articles. This Superfish is supposed to be firmware. Where is it installed?
I have older HP and Acer laptops with Mint 16/17 only. No Windows so not an issue for me. Just curious.
I might need a new laptop in the future.
I learned years ago, Failure is not an option. It comes bundled with Windows.

L
There are two components to Superfish; neither is in firmware. The first is an adware application that Lenovo preinstalled on many of their laptops. That's right, Lenovo knowingly did this. It shows up as an installed app and can be removed. It's annoying, sure, but relatively low harm.

However, even before it is presented to the user, Superfish establishes an unscoped (read: universal) root certificate in order to get at pictures that hide in URLs that use HTTPS or SSL (such as online shopping sites). This second component is more dangerous. Uninstalling the adware doesn't automatically remove the root certificate, giving the average user a false sense of security. Since the root certificate's password has by now been compromised, hackers can use that root certificate to fool users into installing whatever they want, all the while making their malware look digitally verified by Microsoft.

There is a way to remove the root certificate, allowing regular use; Lenovo, after getting oh so much flak from the IT security sector, finally published the procedure for removing it. However, Superfish still exists in the "recovery" partition of the Lenovo laptop's hard drive; if the user tries to perform a "factory reset", Superfish will simply be reloaded as it was at the factory, complete with compromised root certificate.

The "Signature Editions", as mentioned by Pierre as well as myself earlier in this thread, have had their hard drives wiped by Microsoft (which kills Superfish) and replaced with a "pure" Windows install. If I'm ever forced to have a Windows machine, I might have to go the Signature route. But then again, I have another choice. :D
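A defender's check in the spirit of dXTC's explanation above, added here and not taken from any post in this thread: it lists the root certificates in the Windows trust stores and flags the Superfish/Komodia pattern, a trusted root whose private key sits on the end-user machine (which is what an HTTPS-intercepting proxy needs, and what a public root never has). The 'Superfish' and 'Komodia' subject strings are assumed search terms, not values quoted in the thread.

```powershell
# Added example (not from the thread). Lists trusted root CAs in the Windows
# certificate stores and reports two things:
#   1. a subject matching an assumed suspect-name list
#   2. a ROOT certificate whose private key is present on this machine, the
#      pattern an interception proxy leaves behind. Legitimate exceptions exist
#      (enterprise CA hosts, local dev tools, some AV products), so review before
#      removing anything. Report-only unless -Remove is given.
param(
    [string[]] $SuspectSubjects = @('Superfish', 'Komodia'),  # assumed search terms
    [switch]   $Remove
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        $nameHit = $SuspectSubjects | Where-Object { $cert.Subject -like "*$_*" }
        $keyHit  = $cert.HasPrivateKey   # root + local private key = MITM-capable
        if ($nameHit -or $keyHit) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = if ($nameHit) { 'suspect subject' } else { 'root with private key' }
            }
        }
    }
}

if (-not $findings) {
    Write-Host 'No suspect root certificates found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # LocalMachine stores need an elevated shell; -Confirm prompts per cert.
        Remove-Item -Path (Join-Path $f.Store $f.Thumbprint) -Confirm
    }
}
```

As dXTC notes, uninstalling the adware does not remove the root and a factory reset from the recovery partition brings both back, so remove the software first and re-run this check after any reset.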

lexon
Level 6
Posts: 1085
Joined: Sat Jan 31, 2009 10:53 pm
Location: MA USA

Re: Superfish (aka Reason #4,927 to like Linux)

Post by lexon » Tue Feb 24, 2015 7:33 pm

Very interesting. Thanks. I did read somewhere about maybe firmware.
My only concern in the future will be possibly the software Windows is supposed to put in PCs to prevent using another operating system. Have not read about that issue in some time. I guess it was supposed to happen when Windows 8 came out.

L
Lindows, Linspire, Freespire, Ubuntu, Mint 15 Cinnamon, Mint 16 XFCE, Mint 17 Cinnamon 64 bit. Mint 19 64 bit Cinnamon.

Pierre
Level 18
Posts: 8902
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Superfish (aka Reason #4,927 to like Linux)

Post by Pierre » Tue Feb 24, 2015 10:58 pm

Ad-blocking software is 'worse than Superfish' :
http://www.bbc.com/news/technology-31586610
:evil:

peterldg
Level 2
Posts: 63
Joined: Sat Aug 10, 2013 11:30 am

Re: Superfish (aka Reason #4,927 to like Linux)

Post by peterldg » Sun Mar 08, 2015 12:11 pm

killer de bug wrote: As you are not using your windows license but since you paid it with your new laptop, ask for a refund. Here in Europe it works well.

And finally give 50 or 100 $ to the Linux Mint team :)
Wait, so Europe makes MS provide a refund if you say you aren't going to use their OS? Does the refund also apply to Apple? How do you apply for the refund?

I'm enjoying my Windows 10 tech preview.

killer de bug
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: Superfish (aka Reason #4,927 to like Linux)

Post by killer de bug » Sun Mar 08, 2015 12:44 pm

For Apple I don't know.

For each country the procedure is probably different. I used the Asus French website to get the refund.

Read this: http://www.zdnet.com/article/the-window ... -in-italy/
http://www.theopensourcerer.com/2009/07 ... amazon-uk/

Fuzzy Penquin
Level 3
Posts: 175
Joined: Wed Feb 27, 2013 4:25 pm

Re: Superfish (aka Reason #4,927 to like Linux)

Post by Fuzzy Penquin » Thu Mar 12, 2015 12:29 pm

Ugh, I am one of the affected Superfish Lenovo users. I needed a Windows laptop for work, and I ended up buying a Lenovo because of previous excellent experiences with IBM ThinkPads. A month later I found out about Superfish. I was NOT pleased. That stupid thing is very deeply embedded into the OS. Although it has now been removed by me, I still don't trust that laptop to be secure. Did I get all of Superfish out? Are there other Superfish-like malwares embedded into the OS? I will be reinstalling Windows from an ISO downloaded directly from Microsoft as soon as I have the time to deal with a full install and OS configuration. I wish this laptop had been available at MS's Signature Store so that I would not have had to go through this. The laptop itself is a great piece of hardware, and its physical properties and specs fit what I needed out of a laptop.

I am still so mad at Lenovo.... :evil: I sent them a nasty feedback message over this. First time I've ever felt the need or desire to do so to any company. I usually just say "well that sucks" and chalk it up to a lesson learned or something, when something isn't 100% peachy about a product. But this, this was way beyond just a simple malfunction or poor quality control. This was actually BAD. And so they got a nasty-gram from me. I'm sure they don't really care, but if enough people scream, and refuse to buy their computers in the future, maybe they will learn something from this. Maybe. I hope. Ugh....
Intel i7-3770k 3.5GHz, 16GB 1600MHz RAM, 2x 1TB HDD, MSI Z77A-G45 Thunderbolt motherboard, Nvidia GTX1080, Mint 19.1 64-bit w/Cinnamon.

I am a n00b! Please assume zero knowledge on my part. Sorry for any dumb questions, I am still learning.
