Companies should never try to intercept their users' encrypted traffic

[Permalink]

2 Likes

…will inevitably put users’ privacy and security at risk.

Well what’s more important - that? Or my year-end bonus?

5 Likes

This is jaw-dropping on every level. “Ohai, in the interests of doing a deal that slightly plumps up our bottom line, we’ve subverted the normal working of your computer to insert annoying ads you don’t want to see on sites where they wouldn’t normally appear, in the process inadvertently exposing you to all manner of insidious attacks. And then we have the gall to pretend that this is something that our customers want.”

It’s rather as if a car manufacturer decided to recalibrate the speedometer to make it read 30mph when you are actually doing 50mph, then claimed they’d done it so that you’d be pleasantly surprised when you arrived at your destination much sooner than you expected. Who wouldn’t want that?

9 Likes

the web 1.0 dotcom i worked for in 2000 raised $10 million from VC to do almost exactly this - within a few weeks of starting there (in a non-technical capacity), i asked one of the engineers how they were going to protect secure traffic - “huh? oh, hmmm” - hilarity and a frantic search for a new business model ensued

15 years later, and with all the vast knowledge gained about dealing with private information and we get the exact same failure? - it boggles the mind

4 Likes

And just like false deeds being sold for bridges, I’m sure it’s going to keep happening over and over again.

For another thing, we’ve also learnt that Lenovo are untrustworthy shitbags and we should never buy any of their products again.

3 Likes

You’re assuming that it was about bottom line, and not about introducing a state-sponsored backdoor that looked like it was about the bottom line.

They are a Chinese company, after all.

1 Like

Ah hrrm, I think my only issue with this, is the “uhhh, come on this was so the Chinese government” sort of peev, but it is amusing: of course, much more respectable businesses have been doing this for years.

For instance, with Skype, where they don’t give end to end encryption, and anyone who has done any government business at all, just naturally assumed that was for the government and it could be spied on. Yahoo Messenger used to be that way. Glad they changed. Many private porn exchanges GCHQ slurped up later. Tons and tons of user porn. My opinion: do you really want to see me naked? While Skype was - shock - found to be working for the US Government, Yahoo Messenger, perhaps, was just a bad victim of meany GCHQ agents.

More respectable… frankly, they did do it better. My friends and I didn’t care if the US (or their lackey GCHQ) slurped up our data. It worked, and worked pretty well. But, this? Was crap.

Though, which is worse: China, who makes little pretensions to being for liberty or human rights… doing this sort of thing? Or the US and UK doing it? From that angle, yeah, these guys are working for the wrong side. They would be much more happy in North Korea or China, where they could be themselves without lip service to things like “democracy” and “liberty” which they don’t believe in.

“Intel pervs” should maybe become a term.

1 Like

The bigger difference is that China doesn’t want your user porn.

They want your company’s lunch money.

Superfish could also be pure incompetence. The scuttlebutt around the office (mine is right above a new Lenovo office) is that there’s plenty of that to go around as well.

1 Like

At $DAYJOB, we get asked for similar services all the time - not the “violate everybody’s privacy and endanger everybody’s security just so we can serve ads” version, but the “make sure everything anybody downloads from their browsers gets checked by the antivirus” version. There are a number of commercial products that perform services like that (mostly hardware with lots of encryption chips or at least multiplication accelerators), from the usual security appliance companies. I don’t know if other parts of my company do that (probably), but my organization hasn’t found any that can do even a half-baked job of it without burning far more CPU than most of our potential customers are willing to pay for.

One big difference between the security-appliance version and the privacy-invader version is that Lenovo’s used one set of keys for everybody; the more secure versions typically use one set per customer, so the customer’s only in danger if THEIR password gets out, and most of the market seems to be financial-sector companies who have to log everything for regulatory reasons anyway, so it’s not tapping the machines employees are doing most of their personal browsing on.

2 Likes

So sad that Apple products are the best way to avoid preinstalled malware.

2 Likes

These things are good, in a way. They are relatively(!) harmless, while being high-profile. They attract our attention, and, more important, attention of antimalware providers and various technicians. There are now online checks for browsers; go to a page, get told results.

I see it as a sort of crude, unsophisticated, weakened-strain vaccine that has mild side effects in comparison with getting the full-brunt of a real infection.

2 Likes

Never been happier to be a mac user. “You’re Not the Customer. You’re the Product.” - Tim Cook

Yep, it could be.

It could be… :smile:

Only China is known to rely a lot on plausibly deniable attacks, where the “plausible deniability” comes from the actual attack tool being something found in criminal circles and is openly available for download.

I saw that once, for instance, in a sophisticated attack against a “free tibet” organization.

There has also been a lot of this very sort of mass surveillance onshore, in China. It is routine for Chinese handsets, for instance, to be compromised, and this has made international news here and there. It is also routine for Chinese PCs and even other electronic devices to be compromised in similar manner.

Another method they rely on is simply leaving a number of security vulnerabilities in their products. That is one of the more assured means of “plausible deniability”. It was an accident. Only counterintelligence has to grit their teeth when people buy into that, because they can’t talk about catching those vulnerabilities being used.

China isn’t stupid, though, and you can pretty well expect that they very well might have much more sophisticated capabilities hidden in there. When you have the source code, you can have all the security vulnerabilities. And when you actually control the coding of the source code, you can inject very clever ones.

As for onshore (US) Chinese businesses… the real reason people call the CIA “the company” in fictional parlance is from the method of using cover companies, where the employees can use the term “the company” as code in everyday, dual meaning conversations. This might mean full ownership, but often simply indicates a false division created. Far easier to have a fake division of IBM in… France… then to create your own full fledged company.

So, yeah, I wouldn’t buy Lenovo… just a suggestion. US Businesses getting hacked does create a side business of controlling what China sees. But, I wouldn’t want to make my company into a honeypot.

1 Like

China has a habit of doing this onshore, where they can tamp down on negative publicity, and have some reliance of continued infection. Lenovo probably isn’t going to be purchased by any company or individual that is wary of the possibility of being hacked by China.

But there is a sort who will, and that sort is the type of person that might be a friendly, or otherwise be a very easy target. So it probably was not such a stupid decision to make. There can be a trade off: if you implant secret surveillance and get caught, the target becomes suspicious. But if the target is “easy” then finding something trivial caught can actually set them even more at ease. It gives a kind of dulling “cry wolf” about it to the target.

They could rightly bet, as well, not many “state sponsored” cries about this will go out, not in this environment. And it isn’t, in any of the press.

Not true, actually. Did everyone forget that time that a bunch of iPods shipped with malware on them, infected from the factory in China?

Best way to avoid malware is to run Linux.

I still give it 50/50 between incompetence and espionage. I promised not to repeat some of the stuff I was told by newly assimilated Lenovo folks, but literally, it sounds to me like the company is filled both with people (likely) tied to the Chinese government, and as well, people with no grasp of information security.

“When you have the source code, you can have all the security
vulnerabilities. And when you actually control the coding of the source
code, you can inject very clever ones.”

Superfish is from a third party company based in Israel; Lenovo doesn’t own the source.

Only China is known to rely a lot on plausibly deniable attacks

Once in a while, yeah. Ever checked your server logs, though? Last time I did, it still looked like ~80% of attacks were coming from IP addresses directly registered to Chinese government or educational institutions.

1 Like

Some Mac Apps Now Come with Bundled Crapware, So Hone Your BS Detector

1 Like

On my machines it is a wild hodgepodge that looks like scattered all over the world. My guess is botnets.

What kind of threats are you getting? SSH password guesses? SMTP password guesses from spambots? Bash vulnerability CGI exploits? Others? What do you consider the worst, worse than just the unceasing sound of heavy rain on a poorly supported soundboard-like tin roof that is sometimes found leaking?

I’d go even 80/20. (How much of the 80 is known to the 20 and used without the awareness of the 80s is an open question.)

The 20s can just wait until the 80s get what seems to them to be a “good idea” and then silently rejoice. Same results, more plausible deniability.

Doesn’t excuse you from the needed vigilance; in many cases there are ancient, never updated linux devices lurking on the networks in printers and accesspoints and other embedded devices, dozing their holey dreams and waiting to become a relay station for the Mosquito injection framework or something else in the hands of a capable attacker.

…the alternative is automatic updates, which happen in the most inconvenient time, and run a risk of things suddenly stopping working and sending you into a mad chase just when you needed the device the most.

And then there are the embedded controllers, too dumb for an actual full-blown OS but still too smart for their own good. And with the cost of SoCs that falls faster than a politico’s reputation, even the full-blown OS chips are finding their ways into such seemingly dumb applications as IoT lights, because the cost of the chip will be smaller than the cost of developing for a weaker, less generic chip.

The risk of the state sponsored attacks is fairly low for a not-a-prime-target. The risk of a botnet raid is worse. If the latter uses the same holes as the former, there will be more incidents; the admins, made aware of the hole by either a security bulletin or a ISP call about their machine saturating the uplink with DDoS packets (and having to madly scramble to the console even before their morning coffee - hint, if it lasted over the whole weekend it will wait another half-hour easily - only to find they made a mildly fatal mistake a month before when patching a hole, ouch), will then go patching it. It is quite like patching holes in fences because of foxes or coyotes or other low-ish level nuisance (crying “coyote” is maybe the equivalent) and in the same time closing the real wolves’ access routes, often before they get to walk around.

Depends on the threat model. If your prime adversaries include the Chinese, it may be a good idea. Or if you play really high stakes. Otherwise you may get away with running whatever hardware you get hands on, and just process-explorer all that runs on it and get rid of processes that aren’t important. Conserves memory and CPU, as a bonus (or as a primary goal).

I’d even believe that in most cases it is. Cockup before conspiracy. Depends on if you prefer living in a world of many high-end adversaries or in a world of just a few of them and the rest being a bumbling-idiots filler.

The end result is the same, anyway.

Which incidents are you thinking about? There were quite many, and a “chinese handsets compromised” gives me the affair of British and US spooks hacking into the largest SIM card manufacturer’s computers and getting hands on the Ki keys. With Huawei only tangentially mentioned.

It’s not just the Chinese. It’s bloody everybody.

[insert a picture of a thousand-yard-stare of a battle-weary burnt-out shell of a sysadmin aware of too much]

1 Like

Yep, and everything I am saying is wild speculation. I just work in app security, and that at a very low key everyday commercial company. Have seen some stuff in my career, is all, as it sounds like you have.

Second party from another country. Win-win. If that company is unaware of being used in this way, win-win-win.

I was thinking other components of the Lenovo system. Firmware, hardware, OS, etc.

As I noted to another poster, while getting detected against a hard target is a big no-no, getting detected by an already easy target can help build the “cry wolf” meter up, lulling them. Anyone buying Lenovo is an soft target. Pumping up that lull is a dependable tactic. Really can be scary. They will end up explaining away everything for the attacker.

Yes, I do check the logs sometimes, in my current role. Though, for us, at my company, Russia/Ukraine tends to be more of the threat and on the logs. Kind of a financial company, which their organized crime likes to target more then China does. (Have seen China hack US financial companies, though. Surprised me, at the time. 100% track back to their government, too. )

Have seen China targeting straight from their shore, and hear the stats from other companies… they definitely like to do a lot of hacking from their shore. I would laugh at it, if I hadn’t also heard from peers how they get into DoD facilities, run agents as coders at a major infrastructure corporations, and worm their way into very well protected defense contractor facilities… besides the overall reports from consultancies finding a general, ‘across the board’, supermassive cyberdump of American IP and other intangible assets.

Kind of concerned, as a number of plausible predictions out there indicate China is facing a potentially very hard road economically as the 3d printing industry ramps up over the next ten and twenty years.

1 Like