
Lenovo Superfish Komodia — Greed, Stupidity and Idiocy

By now you should have heard about the Lenovo hardware that shipped with Superfish installed, an ad-injecting adware that uses an SSL hijacker SDK made by Komodia. If not, then duck it.

I'd classify that as a Maximum Credible Accident (MCA) which was only possible due to greed, stupidity and idiocy.

  • Greed – Lenovo was greedy enough to deploy Superfish on its hardware, probably just for a few bucks more revenue per machine.
  • Stupidity – Superfish was stupid enough to use the Komodia SSL hijacker just to be able to inject ads into HTTPS connections. Hopefully without knowing what they were doing, otherwise it would have been doubly stupid. And of course they are greedy as well, because all ad sellers are.
  • Idiocy – Komodia was idiotic enough to implement an SSL hijacker SDK that embeds a root CA certificate in every piece of software using it, and, as the crowning idiocy, chose "komodia" as the password for all the private keys, making the CA's private key available to anyone and their grandpa.

Extracting the certificate was fairly easy, see here for Superfish and here for other software developed with the SDK. The hit list is led by parental control software.

Now, as if that wasn't enough, according to Forbes the loser who founded Komodia was once a programmer in Israel's IDF Intelligence Corps. Really? I'm not impressed.

Or wait, here's room for conspiracy theories! Let Superfish be a venture capital startup financed by Israelis, which maybe is not that far-fetched. What if the whole concept just serves the idea of spreading an SSL hijacker in order to intercept HTTPS connections and mount man-in-the-middle attacks? Sounds like a good plan? Yeah, well done, goal achieved, it couldn't be better ;-)

Lenovo has shut down the servers that enable Superfish to function and provides a removal tool and instructions for the software and certificates. The list of affected models is quite extensive:

Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch 
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

Hopefully this incident will teach Lenovo a lesson to not fiddle around with the customer too much..
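A defender's check for the trust-store side of this mess, added here as an example (not from the post and not Lenovo's removal tool): it lists every certificate in the Windows trusted root stores whose subject or issuer names Superfish or Komodia, so a machine can be triaged before the removal instructions are applied. The store paths and certificate properties are standard PowerShell certificate-provider ones; the name pattern is the one assumption, since no thumbprint is given here.

```powershell
# Added example, not the post's or Lenovo's code. Find trusted root CAs that
# belong to the Superfish / Komodia SSL-interception SDK by name. The names
# come from the post; no thumbprint is hard-coded, so verify hits by hand.
$pattern = 'Superfish|Komodia'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{n = 'Store'; e = { $store }},
                      Subject, Thumbprint, NotAfter, HasPrivateKey
}

if ($hits) {
    Write-Warning 'Trusted root CA from an SSL-interception SDK found:'
    $hits | Format-Table -AutoSize
    # Removal is left commented out on purpose: review the hits first, or run
    # Lenovo's removal tool, which also uninstalls the Superfish software.
    # $hits | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
}
else {
    'No Superfish/Komodia root certificate in the trusted root stores.'
}
```

Removing the certificate alone is not enough: the post's point is that the software using the SDK re-installs it, so the software has to go too.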

Hello NSA?! I use Tor and Tails and crypto stuff!

I am an extremist!

Own goal (Eigen-Tor)

XKeyscore source code: Tor users are flagged as extremists by the NSA and put under surveillance

Then again, I'd better not use it at all, since just doing so already makes me fair game. Own goal: the dangers of everyday Tor use

William Binney today at the hearing of the NSA inquiry committee: the total surveillance of society is the greatest threat to democracy since the American Civil War.

Oops, I just went and linked to netzpolitik.org, now I'm a double extremist.

Actually a triple extremist, since I've been encrypting my mail for years (whenever anyone plays along) with GnuPG.

So that it is clear once and for all what I think of you NSA assholes & co.: And you, NSA, don't need to store and analyze anything further here.

Yours sincerely,
The Tororist


LOL, Coingen

For only 0.05 BTC you can have an altcoin generated: tweak a few parameters, add an icon, pay 0.10 BTC to have the Coingen branding removed from the start page, and another 0.05 BTC extra to have the source code included.

Think you can market an altcoin better than Dogecoin, Catcoin, or even Litecoin? Want to create your own coin and get in on this gravy train? Follow this simple form to get started with your very own altcoin!
No, I won't include a link, I'm pretty sure you'll dig it out if you need to, dig as in mining, diggin' it, digga?

Geez, how lame is that?

https://cryptoparty.org/ serves an invalid certificate because it has expired.
Expired since 2013-09-14.

Update 2014-01-03T22:01+0100
Ok ok, as a comment mentioned,
https://cryptoparty.org/ is now located at https://cryptoparty.in/
Nevertheless..

If Tweets Don't Flow ...

... consider relocating to Iceland -- at least in Twitter world.

Twitter's new country-based censorship feature takes your profile's country setting into account, so if you see "Tweet withheld" or "@Username withheld" in place of an affected tweet or account, you might want to change that setting to something more liberal. I think Iceland is quite a good bet..

I ain't a twit tweeting on Twitter; I make my dents on identi.ca instead.


Belarus 317-3 -- The End of the Internet as they know it

Belarus 317-3 -- a law that will change the life of the Belarusian people. It will be forbidden to use ISPs and sites not registered in Belarus for email, banking, commerce, business, shopping, whatever, you name it. Only on sites and servers in Belarus. Only on machines and by means registered with the government. Only with data retention for one year, even in private households. Only through filters to be set up by ISPs, with filter criteria defined by the government. Total control.

http://www.techdirt.com/articles/20120103/07193917260/no-belarus-is-not-cut-off-internet-new-restrictions-are-still-pretty-bad.shtml
http://www.heise.de/newsticker/meldung/Weissrussland-reglementiert-Internetnutzung-1403099.html

Update: The cbronline article is very inaccurate in that it claims accessing foreign sites would be illegal, which is not the case. Doing business on and through foreign sites will be illegal.