1. 43

  2. 13

    The SSL private key has been extracted and its password cracked.

    1. 1

      Reverse engineering with strings! Always the state of the art I aspire to. =)

      That’s really bad, though. If some guy with strings and OpenSSL can crack it, then black hats certainly have it and it’s safe to assume it’s being used in the wild.

      1. 5

        Considering the password was the name of the company that made the product, I’m guessing they weren’t trying very hard to be secretive. The password and the private key have to be on the local machine to operate, which means there’s no hiding the password anyway.

        Of course what would have made much more sense (if any sense can be made with such a stupid product) is for this malware to generate a random key on first run so each machine has its own keys. Though it’s sort of baffling how a team of developers with enough technical knowledge of SSL to write a MITM proxy would not understand the most fundamental security problem with doing such a thing, let alone distributing it with the same keys on every machine.

    2. 11
      1. 8

        Because it is going around: “just install Linux” may be the first nerdy response, but is flawed.

        1. Linux is not an option for many. Sorry.
        2. Those are the cheap machines - Linux is even less of an option to the buyer group that buys them.
        3. This is a trust issue - Linux might fix the particular technical issue, but not the trust issue with Lenovo.
        4. Lenovo is a hardware vendor. They have no qualms about breaking a basic security feature of your machine. They will also have no problems with doing that further down the stack - your HDD firmware, your other hardware modules, your EFI. Linux will not help there.

        Trust is hard to build and easily broken.

        1. 13

          Trust is hard to build and easily broken.

          Unless you’re Google, then it’s only an issue for about a month and we forget about it.

          1. 1

            That’s rather debatable. If you accept the premise that Google keeps collected data safe and doesn’t leak it, they have a good track record.

            Also, using services of low-trusted suppliers is still a valid option.

          2. 3

            Clearly you forgot the most fatal flaw… that you should be installing OpenBSD? ;)

          3. 8

            Wow. I guess we should just go ahead and stop deluding ourselves that there can be any kind of privacy on the internet.

            And seriously, to insert ads? ADS? It’s not even sexy anymore; I liked it better when I thought that I was being spied on by governments.

            1. 2

              I just followed Lenovo’s instructions [0] to uninstall SuperFish on a friend’s computer (Lenovo Yoga 2, Win 8.1). These instructions are NOT sufficient. After uninstalling SuperFish through the normal Windows uninstallation program, and the Root CA certs for IE and Firefox, suddenly none of the HTTPS sites worked! The browser complained (rightly) that the certificate is wrong because it is signed by SuperFish.

              I had to do some research to detect that there is still a service called VisualDiscovery, which is activated on startup. Looking in the properties I can see that it starts “C:\Program Files (x86)\Lenovo\VisualDiscovery\VisualDiscovery.exe”. I stopped it and now it works as it’s supposed to. But I still have to find a way to uninstall this stuff.

              I’m a Linux guy, but I find it crazy that after uninstalling VisualDiscovery/SuperFish there are still executables and a service remaining on the disk! This is crazy.

              [0] http://support.lenovo.com/us/en/product_security/superfish_uninstall
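An audit script for the leftovers the comment above describes, added here as an example and not part of the thread or of Lenovo’s instructions. It assumes the root CA’s subject contains “Superfish” (the thread only says the certificate is “signed by SuperFish”) and uses the service name and executable path exactly as the commenter reported them.

```powershell
# Added example: check a Windows machine for Superfish / VisualDiscovery residue.
# Assumption: the injected root CA has "Superfish" in its subject; the service
# name and exe path are the ones reported in the comment above.

$findings = @()

# 1. Root CA in the Windows stores (used by IE, Chrome, Edge). Firefox keeps its
#    own NSS store, which is why the commenter had to remove it there separately.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $certs = Get-ChildItem $store -ErrorAction SilentlyContinue |
             Where-Object { $_.Subject -match 'Superfish' }
    foreach ($c in $certs) {
        $findings += "Root CA still trusted in ${store}: $($c.Subject) [$($c.Thumbprint)]"
    }
}

# 2. The service that re-launches the interception proxy at boot.
$svc = Get-Service -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service VisualDiscovery present: status $($svc.Status), start type $($svc.StartType)"
}

# 3. The executable the service points at (path as given in the comment).
$exe = 'C:\Program Files (x86)\Lenovo\VisualDiscovery\VisualDiscovery.exe'
if (Test-Path -LiteralPath $exe) {
    $findings += "Executable still on disk: $exe"
}

if ($findings.Count -eq 0) {
    'No Superfish / VisualDiscovery artifacts found.'
} else {
    $findings
    # Order matters, as the comment shows: removing the certificate while the
    # service keeps intercepting TLS makes every HTTPS site fail validation.
    # Remediation (run as Administrator):
    #   Stop-Service VisualDiscovery -Force
    #   Set-Service VisualDiscovery -StartupType Disabled
    #   Get-ChildItem Cert:\LocalMachine\Root |
    #       Where-Object { $_.Subject -match 'Superfish' } | Remove-Item
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store and the service are readable; a clean result from this script still says nothing about Firefox’s separate certificate database.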