Komodia SSL certificates are in many products (marcrogers.org)
138 points by jgrahamc on Feb 19, 2015 | hide | past | favorite | 65 comments


Um, this is missing even a link to an explanation of what the issue actually is, seems to just assume the reader knows. I do not and googling isn't working out. Am I being dense?


Someone extracted the certificate from Superfish and found that the key was protected with a password. The password turned out to be "komodia", which is a company that makes an SSL redirector. This has led to people looking at Komodia certificates.

more information here http://blog.erratasec.com/2015/02/extracting-superfish-certi...


tl;dr

Komodia is a company that makes an SSL hijacking product, as described on their site:

   Our advanced SSL hijacker SDK is a brand new technology that allows you to
   access data that was encrypted using SSL and perform on the fly SSL
   decryption. The hijacker uses Komodia’s Redirector platform to allow you
   easy access to the data and the ability to modify, redirect, block, and
   record the data without triggering the target browser’s certification
   warning. [1]
A necessary feature of such a product appears to be the inclusion of the private SSL key in any product using their hijacking tech and the installation of Komodia as a valid certificate in the OS certificate store. Therefore, anyone who wants can buy a product using Komodia, extract the private SSL key, and MITM at will any computer infected with any product using Komodia software.

Any website protected by SSL where that SSL authority isn't pinned by chrome (do other browsers have such tech?) is now trivially vulnerable to SSL hijacking by, eg, anyone in the same coffee shop or local network. And, of course, between that user and their destination site.

The current kerfuffle is due to the fact that Lenovo was caught pre-installing Superfish, an adware/spyware product -- for the users' benefit! -- that, in turn, installed the Komodia SSL hijacking toolkit and broke SSL on any such infected computer.

The race is now on for every goddamn script kiddie in the entire world to the bank accounts of any suckers that trusted Lenovo. Go up to Seattle where windows laptops are more common, roll into a coffee shop, and I bet you can earn yourself some bank account logins.

ps -- this is a reason people buy macs. You get a vanilla OS install; that's currently only really available for Windows afaik from the Microsoft store.

[1] http://www.komodia.com/


I've barely touched a Windows machine in many years, so I'm a bit out of touch. How difficult is it to do a clean, vanilla install on one of these computers these days? I imagine that's the first thing you'd want to do after pulling it out of the box.


It's trivial to do even for a complete non-techie (just click next, next, ok, type something, next, next, done) and has been for a long time. The problem is that if you bought a computer with Windows that has bundled crapware, you won't get the vanilla Windows - the installation/recovery medium will have the same crapware bundled. You need to get your hands on a clean Windows, which usually means buying it (or pirating it, as was common in the past - yet another case where what you pirate is better for you than what you buy).


The last few times I've tried to install Windows on things, it was actually surprisingly horrible. The problem is, the generic install media has basically no drivers on it, so you have to go fetch it all manually, from all the respective manufacturers' web sites. It is, of course, fairly hard to download your network driver without a network driver, so you'd better have another computer and some USB storage around. Also, many of the drivers come only in the form of installer bundles that are themselves hundreds of megabytes and full of crapware.

In comparison, installing Ubuntu is a breeze, almost all the drivers you need are included with the install media and installed automatically, etc. Unless you have brand new, just-released hardware, it "just works", and even with brand new hardware there tend to be guides on the internet that are still easier than getting drivers installed on Windows.

Actual thing that happened: My mom said she needed to reformat an old laptop but didn't have the Windows media and wondered what to do. On a lark I suggested installing Ubuntu. A few weeks later, having not heard anything, I asked what happened to the laptop. She said she installed Ubuntu and it worked great. Never asked me a single question.


I've been amazed for years at how inferior the process of setting up a new Windows machine is to Linux, especially after hearing for years about how Linux supposedly was difficult compared to windows.

Not just the drivers, but pretty much everything I need for a new Linux system is available through apt. For windows, one must go to a dozen websites, download packages, and click next 10 times in each idiosyncratic install "wizard".

I had a similar experience with my mother, as well – I was constantly having to intervene with tech-support before I installed Ubuntu on her machine.


> I've been amazed for years at how inferior the process of setting up a new Windows machine is to Linux, especially after hearing for years about how Linux supposedly was difficult compared to windows.

That's because it is. Windows: do nothing, it's already installed. Linux: you have to install.

People compare what they have to do to get Windows on a new machine, which almost always (unless it's an Apple) already has it installed, with what they have to do to get Linux on a new machine, which almost always requires it to be installed. Even the simplest installer will be more difficult than "nothing".

If computers didn't come with any preinstalled operating system, the general opinion would be different.

(That said, most of the "Linux is difficult to install" sentiment is probably either based on outdated information from the time when you had to manually configure everything, or someone who had difficulties because of unsupported or poorly supported hardware.)


Sure, I agree with that. People who believed Linux was difficult to install rarely tried the same process with a Windows CD. Back in the day, I had plenty of mysterious, unsolvable issues like reboot loops trying to install Windows 2000 and 98.

I'm more thinking about setting up a new system. Whether it's Windows or Linux, I need to obtain things like an FTP program, a photo editor, a torrent manager, firefox, and so forth. It's a lot easier on Debian than Windows because you can get all of those in 5 minutes from the command line.


I just did this on my new Zenbook and it was an extremely easy install.

Though I was installing from an MSDN install DVD which isn't something everybody would have on hand.


I wonder how long ago were you trying that. Since Windows 7 all drivers download themselves via Windows Update. So as long as you're not using a bootleg CD key for your Windows, it should install as smoothly as Ubuntu, only with more stuff working OOTB.


I would have to agree with the ease of loading vanilla Windows. I've done it quite easily with both an Alienware 14 (2013) and a Sony Vaio that is 4 years old. I downloaded the proper copy of Windows from the MS site, which was Win 7 Ultimate 64bit for the Sony, and made a disk or USB stick. Then it was a few prompts and that was it. Instead of letting Windows Update load the drivers, I found my specific build on the Sony site with the correct drivers for all the bits and pieces. I did not install any of the free software, or Sony-specific software, which was easy to discern on the downloads page. Same for the Alienware. BTW, I have installed, used and programmed on OSX, Minix, FreeBSD, Ubuntu, Backbox, and others. I find the Windows/Linux/BSD/OS X comments on usage to be about preference rather than actual steps involved.

EDIT: I had the OEM Product Key on the Sony and AW, and they both registered fine without a problem, no need for pirated versions or any taxes.


The experience I'm referring to is with a legitimate copy of Windows 7.

1) Windows Update can't help you install your network driver. :)

2) My experience is that only some drivers were available through Windows Update, while others were not.


Microsoft actually lets you download install media for Windows 7 and Windows 8 these days. You just need the license key. I haven't tried that for OEM, though.

http://www.microsoft.com/en-us/download/windows-usb-dvd-down...


Some people are saying that Lenovo's UEFI only allows a re-install from the Lenovo-provided Windows disks, otherwise it will show the Windows piracy warnings after a few weeks. However, I suspect that falls in the category of First World problems atm.


That .. seems highly unlikely?

How should the UEFI cause the piracy warning to be displayed? Much more likely: Those people got their 'other' installation medium from ~somewhere~ and the activation failed.

Booh for Lenovo's actions and a crappy recovery medium, but I highly doubt that _this_ is actually more than FUD.


For someone who has no experience and cannot count on some knowledgeable help, it's not trivial but they usually end up using the computer with the preloaded crapware without really noticing anything.

For most of us Hacker News readers, it's nothing out of the ordinary. It can be a little bumpy once in a while (UEFI sometimes) and it's usually faster to simply take 30 minutes to uninstall the crapware.

Personally I start by imaging the hard drive, then I wipe it and install whatever is required at the time, usually a GNU/Linux flavor or Windows 7.


For people reading this, probably not hard, merely annoying. Though note that you may have to pay for the install media; the recovery disk / partition is infected with the same adware/spyware that came preinstalled.

For most people, it's not going to happen without help.


Don't you actually need to buy a new license? I don't think you can activate any 3rd party installer (say downloads via microsoft.com, making a USB key) with the OEM serial? Not sure though, the only Windows license I'm currently using isn't OEM, it's a full 8.1 Pro license.

This does sound like a good argument for wiping the OEM Windows 7 Pro partition on my laptop, and installing a Windows 10 trial or something (I currently just run Debian GNU/Linux on it -- but it's technically dual-boot).


Dell is about the only manufacturer that will let you get generic install DVDs. They use a bios based licensing system these days so you don't even have to deal with those issues so much.

http://en.wikipedia.org/wiki/System_Locked_Pre-installation


Don't know why you are downvoted. Before I switched to Mac (now I know what a good choice I made!), I found that installing fresh Windows without piracy is incredibly hard. The so-called OEM embedded serial key works only sometimes; other times, the fresh Windows will ask me to buy and activate it. Utterly confusing even for a techie like me.

So I installed a pirated Windows.


Dealing with the Windows tax crap is hardly news; buying new overpriced hardware to benefit from a golden prison is neither an acceptable solution for someone facing the issue nor what a techie would do.

The easy option is to phone Microsoft support and explain the problem; you most probably will be given a new valid key. Other options for techies include using an OEM install medium or installing a free software OS.

Nowadays there's no licence key to type anymore, it's included in the hardware sold with windows 8 (which is worse).


Click on any of the number of links on the front page concerning "Lenovo" or "Superfish".


In case you're wondering, the keys/certs are different for each product.

https://gist.github.com/Wack0/17c56b77a90073be81d3


I'm sure it isn't that hard for somebody to get their hands on the private keys for those products and I bet they used the same password.

Edit: LOL, ok so the keys are right there on that link. Nice!


I find it funny that "komodia" is Greek for "comedy".


The founder of Komodia talks about how their products work (2010): https://www.youtube.com/watch?v=hCuTRzFY9CQ


I bet it's going to be linked to NSA, GCHQ and IDF in tomorrow's news paper.


Well, if you want to go down that path just visit the Komodia about page: http://www.komodia.com/about/

Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF’s Intelligence Core.

But you don't need to worry about provenance to see that technically this is a scary thing to do.


Conscription makes the military service irrelevant.


When you join the military, either through conscription or of your own free will, their first job is to train you psychologically so that your beliefs are aligned with theirs.

It usually works.


Yup, and it is a temporary effect - that is why there is a graduated rank structure. As the mental conditioning (to put it charitably) wears off, you are further removed from danger and positions where immediate obedience to orders is necessary.


> Conscription makes the military service irrelevant.

Conscription in the IDF’s Intelligence Core doesn't


lol, first of all - it is corps, not core. Second, these are the same people that monitor cctv feeds of border fences - it isn't some elite unit of super hackers.


> lol, first of all - it is corps, not core

You laughed out loud? That's good. You should tell Barak that, I just pasted his own statement:

--- http://www.komodia.com/about/

Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF’s Intelligence Core.

---


that page now is 404


"Site is offline due to DDOS with the recent media attention."

Phhh, more likely an attempt at controlling knowledge of the "Intelligence Core"!


[flagged]


Perhaps he usually referred to the Corps by its Hebrew name rather than an English translation.


Nah, it was a copy writer. I don't know much Arabic, but I know the correct translation for a lot of military words, including corps. I know that because it was once important to me, but 10 years later I can tell you that the Marine Corps has as much influence on my decisions now as the Girl Scouts of America :) That was the original point of this thread - addressing the silly idea that this spyware is somehow related to the IDF...


Do you have a dog in this fight you're picking, or some inside knowledge you're not letting on about, maybe? You seem pretty sure of yourself, and deeply invested in the innocence of somebody you presumably don't know. Or am I making a mistaken presumption that you don't know Barak?


> Do you have a dog in this fight you're picking...

No more than you. The neurolinguistic programming is a nice touch: by disagreeing and providing a counter argument in a voluntary exchange of ideas, I have picked a fight and therefore become an aggressor!

> ...some inside knowledge you're not letting on about, maybe?

Probably the years spent in the military.

> You seem pretty sure of yourself, and deeply invested in the innocence of somebody you presumably don't know.

I am sure of myself, I have an easily defensible position founded on solid reasoning. What innocence are you talking about?

> Or am I making a mistaken presumption that you don't know Barak?

I do not know him or anybody that works for Komodia or Lenovo. Terms and conditions apply, this message may cause rectal hemorrhaging.


You're the aggressor because of how many times and how aggressively you've replied in this thread, not because I've neurolinguistically programmed you by analyzing which direction you dart your eyes or resort to rectal metaphors.

So what branch of which country's military do you get your mental conditioning from?


I agree. Many countries have mandatory military service. Hence the last line of my comment: it's not relevant to the technical problem here.


I would love to hear you explain your reasoning on this.


It seems to me that the burden of explanation should be on those that are pointing to this guy's military record as some sort of potential link to Israeli spy masters... but it isn't that complicated. If the majority of Israeli citizens are forced to render service to the military for a period of time, then using the flawed logic, all actions by Israeli citizens are attributable to the military. That is ridiculous. Some would agree to a point, but then shriek "IDF’s Intelligence Core". That is also ridiculous, as it is not some sort of elite group of infosec pros - it is a very broad group of people flying desks.

If this guy had been in a part of the US military (all volunteer, which shows disposition) that frequently gets loaned out to the CIA or NSA (Force recon, Delta, Seals, etc) then the concern would be reasonable, but that isn't the case here.


I don't think I can follow your reasoning. It sounds like you're saying the service record actually is relevant but only in some cases and it's not clear when that is except when it's obviously ridiculous. Did you mean to say his service might not be relevant?


Hmm, I don't know how I could be any more clear - any further distillation would be repetitious. Consider the situation with an eye to formal logic:

Catholicism doesn't allow for condoms. Most Irish are Catholic. Therefore most Irish don't use condoms.

The logic isn't sound. The conclusion might be true (I know nothing about Irish birth control), but the statement can't be logically proven given the preceding input.

The military spies. Most citizens are required to be in the military. Therefore most citizens are spies.

Again, the logic doesn't follow and is obviously flawed.


Right but that's not the logic being presented which is why I'm confused. Nobody said that because he has a service record it must be relevant. I may be just misunderstanding, thanks for taking the time to try and explain.


The fact that they're "flying desks" instead of airplanes does not make them any less menacing to everyone's privacy and security that they're invading.


I'd mistakenly assumed that phrase had filtered into popular culture. Flying a desk is a euphemism for performing tasks of little importance, administrative busy work, pushing paper... while seated behind a desk.


I know what you meant, you're just not understanding what I mean. Powerpoint Ranger is another term for someone in the military flying a desk.

As we all know thanks to Edward Snowden, there are many Powerpoint Rangers in the military invading privacy, operating lethal drones, and killing people from their flying desks.

My point is that you don't have to be in an elite group of infosec pros to menace people's privacy and security.

You claimed that "these are the same people that monitor cctv feeds of border fences - it isn't some elite unit of super hackers.", so even if you don't consider those tasks of much importance, and even if they're not some elite unit of super hacker, that doesn't cancel out the fact that they're menacing to everyone's privacy and security that they're invading.


Honestly, this adds nothing new to the discussion. "Everywhere" with no data to back it up.


Here are some that have been found so far:

Komodia’s “Keep My Family Secure” parental control software.

Qustodio’s parental control software

Kurupira Webfilter


I believe this is click bait. Seems that way to me anyway.


However distasteful Lenovo's business decision to bundle adware on their consumer laptops may be, the finger of blame should now rightly point to the third-party software provider, Komodia.

Lenovo did not vet the software properly before bundling it and heads should roll, but I do not think they are deliberately evil or malicious.

If Lenovo are to be condemned, then the entire open-source community must also condemn itself for allowing OpenSSL and Bash to have remained vulnerable for so long. Just like Lenovo, our eyes were wide shut, and it took a shock to open them.


No. You are saying that anyone who creates software with a security bug in it should be condemned. Komodia built their software with a very serious security hole, intentionally, to sell a product with HTTPS sniffing abilities.

Just because Lenovo didn't build the software, doesn't mean they are not guilty of overlooking a serious security vulnerability by including software which provides no benefit to its customers. It's an insult to customers.

The bugs you find in OpenSSL and Bash are not insults; they are mistakes made by people who don't get money out of their work (and who don't go out of their way to sell / track information). Security is hard to build correctly, easy to break.


MITMing your own SSL connections can be done safely, and for good reasons (Charles proxy being a good example of both). These guys are doing it unsafely, and for bad reasons. However, those two parts are unrelated! This stuff could easily have been safe had they known what they were doing, or prioritized that. I don't think it's fair to say that the security hole itself is intentional. Certainly if they hadn't built the product in the first place the hole wouldn't exist, but building the product doesn't imply the hole had to be there.

The fundamental problem is that software like this greatly increases your attack surface, and thus should only be used with careful consideration if the benefits are worthwhile. Instead, Lenovo put its users at risk without informing them or providing them with any benefit.
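An added example, not code from the thread, from Komodia, or from Charles: a Go program using only the standard library's crypto/x509 that models the two designs this comment contrasts and the tl;dr above. It builds constructed demo roots (the names "Example Public CA", "Shipped Interception Root", "Local Proxy Root A/B" and the host bank.example are all made up here) and shows that a certificate minted with a root key that ships in every install passes the OS trust-store check (so the browser shows no warning) but fails an SPKI pin check, and that a root generated per machine, as a Charles-style proxy does, is trusted only on the machine that generated it. Functions return their results so they can be asserted on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a fresh P-256 key and signs tmpl with parentKey; a nil parent self-signs (a root).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newRoot is a constructed demo root, not any vendor's real certificate or key.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueLeaf signs a server certificate for host; whoever holds the root key can do this for any name.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leaf, _ := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return leaf
}

// chainTrusted is the browser's check against the OS store: a valid path from some root in the pool.
func chainTrusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the pinning client's extra check: SHA-256 of the SubjectPublicKeyInfo.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// sharedRootScenario: the product installs an interception root and ships its key,
// so anyone holding a copy can mint bank.example. Returns (chain valid, pin matches).
func sharedRootScenario() (bool, bool) {
	publicCA, publicKey := newRoot("Example Public CA")
	pin := spkiPin(issueLeaf(publicCA, publicKey, "bank.example")) // recorded on a clean machine
	shipped, shippedKey := newRoot("Shipped Interception Root")    // same key in every install
	interposed := issueLeaf(shipped, shippedKey, "bank.example")
	roots := x509.NewCertPool()
	roots.AddCert(publicCA)
	roots.AddCert(shipped) // the installer added it to the OS store
	return chainTrusted(interposed, roots, "bank.example"), spkiPin(interposed) == pin
}

// perInstallScenario: each machine generates its own root and the key never leaves.
// Returns (trusted on the issuing machine, trusted on another machine).
func perInstallScenario() (bool, bool) {
	rootA, keyA := newRoot("Local Proxy Root A")
	rootB, _ := newRoot("Local Proxy Root B")
	leaf := issueLeaf(rootA, keyA, "bank.example")
	poolA, poolB := x509.NewCertPool(), x509.NewCertPool()
	poolA.AddCert(rootA)
	poolB.AddCert(rootB)
	return chainTrusted(leaf, poolA, "bank.example"), chainTrusted(leaf, poolB, "bank.example")
}

func main() {
	fmt.Println(sharedRootScenario()) // true false: store accepts it, pin rejects it
	fmt.Println(perInstallScenario()) // true false: only the issuing machine trusts it
}
```

The pin here is taken over the leaf's public key for brevity; real deployments usually pin an intermediate or a backup key as well so that routine certificate rotation does not break the client, but the property demonstrated is the same: a pin is a check the interposer cannot satisfy without the real site's key, whereas the OS store check is satisfied by any root the installer managed to add.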


Yes, another use-case is if you are running Privoxy on your local computer; would be great if you could MITM all local SSL connections instead of having to manually whitelist specific sites.


Here's how to decrypt ssl sessions in Wireshark

https://jimshaver.net/2015/02/11/decrypting-tls-browser-traf...

Before that I used Burpsuite, but that uses its own self signed cert too.

http://portswigger.net/burp/

Privoxy doesn't do SSL or did I miss something?


"Point to the supplier" is a standard tactic, but also wrong.

They did put their customers up to harm, for no other reason than trying to squeeze another buck out of them. They provide no additional benefit to the customer.

OpenSSL and Bash are free services providing benefit to their users.


Openssl and bash serve useful purposes and don't try to sneakily alter the user experience without being upfront about it. Pretty big difference, there.


One counterpoint, if a minor one, is that Lenovo still maintains that this posed no security concern.


Lenovo is to blame for deliberately bundling adware with their hardware.

Komodia is to blame for making the software they make and the way they do it.

Open-source is irrelevant to this matter, but if anything the tech community is to blame for telling the world that the lock in the browser and https means the connection is secure.


Lenovo customers pay $$, man. Lenovo is either incompetent or evil. You pick.


> Lenovo is either incompetent or evil. you pick.

(S)he picked incompetent:

> Lenovo did not vet the software properly before bundling it and heads should roll, but I do not think they are deliberately evil or malicious.



