Technology for Traveling
-
@Dashrender said:
You couldn't install the USB NIC into Windows 8.1?
I assume that replacing the hardware would have allowed us to potentially bypass it. But having a fully compromised system is never a good idea. It's like having a thief in a room and just saying "be sure not to use that room." Better to clean house rather than avoiding the room.
-
@scottalanmiller said:
@Dashrender said:
You couldn't install the USB NIC into Windows 8.1?
I assume that replacing the hardware would have allowed us to potentially bypass it. But having a fully compromised system is never a good idea. It's like having a thief in a room and just saying "be sure not to use that room." Better to clean house rather than avoiding the room.
But you could simply not install the Lenovo driver either. Wouldn't that solve your problem?
Are you still stuck using a USB wireless NIC?
-
Lenovo made the sole driver for the hardware.
-
@scottalanmiller said:
Lenovo made the sole driver for the hardware.
Yes, just don't install it... i.e. leave the hardware unused. Therefore you have no thief to worry about - assuming you're stuck using a USB wireless card anyway... I'm assuming that's what you are doing in Windows 10.
-
@Dashrender said:
@scottalanmiller said:
Lenovo made the sole driver for the hardware.
Yes, just don't install it... i.e. leave the hardware unused. Therefore you have no thief to worry about - assuming you're stuck using a USB wireless card anyway... I'm assuming that's what you are doing in Windows 10.
- We couldn't know that the hardware was flaky until we had the software working.
- Not leaving known malware on the system. No way, even today, to know how much malware Lenovo had installed or was attempting to get on there. Or how deep it goes. No way to be confident that that driver does not touch other things.
If this was any end user and they knew that they had been rooted, our answer every time is that they need to reinstall clean. This is no different, not a special case. Leaving a rootkit and software from a known malicious entity on there would be completely unacceptable.
-
You're confusing the issue again.
I'm assuming you are starting with a clean/fresh install of WINDOWS 8.1 with no Lenovo Crap on it! So, you wipe it.. and because you aren't going to install the Lenovo drivers, you have no network access.
So you install a USB wireless card and the associated drivers, again on your clean install Windows 8.1 machine.
What's wrong with this setup?
-
@Dashrender said:
You're confusing the issue again.
I'm assuming you are starting with a clean/fresh install of WINDOWS 8.1 with no Lenovo Crap on it! So, you wipe it.. and because you aren't going to install the Lenovo drivers, you have no network access.
So you install a USB wireless card and the associated drivers, again on your clean install Windows 8.1 machine.
What's wrong with this setup?
If we knew all of the facts at the time that would be a slightly less good version of what happened. We are in the same boat but updated to Windows 10 now.
I have no idea where you are going with this. The troubleshooting was done, the issue identified. Later another issue was identified. Why go back to Windows 8.1? I see no logic there. We don't want old Windows just to have it be old.
-
Because I'm trying to understand - are the driver and the Superfish thing really one and the same?
I thought I heard that other vendors like Asus or Acer also included Superfish, but in digging around for a min or two I can't seem to find anything to corroborate that.
So I guess in the end what my point is - is finding out the Superfish only affected Lenovo and from what Scott is saying, it required both the shim'ed driver package and the software package on the machine, making these two components part of the same issue.
I had a complete misunderstanding of the problem before.
-
@Dashrender said:
Because I'm trying to understand - are the driver and the Superfish thing really one and the same?
No reason to suspect otherwise. Why would the question get asked? Superfish worked by being a shim. The network driver had a shim. Unless you suspect that they did the same thing twice on the same boxes and no one noticed that there were TWO shims.
-
@Dashrender said:
I thought I heard that other vendors like Asus or Acer also included Superfish, but in digging around for a min or two I can't seem to find anything to corroborate that.
Definitely not. It would be really big news if anyone else was ever caught doing something like this. It is a really big deal that Lenovo stands alone as the most evil computer vendor there has ever been. This isn't (yet) an industry issue. This is all about Lenovo.
-
@Dashrender said:
So I guess in the end what my point is - is finding out the Superfish only affected Lenovo and from what Scott is saying, it required both the shim'ed driver package and the software package on the machine, making these two components part of the same issue.
The driver IS the software package on the machine. And the machine would not be online without it. The only thing required was the network driver and you were shimmed. The belief is that that shim was Superfish, not a second shim. There is no reason, other than the fact that it is Lenovo, to suspect more than one shim.
-
@scottalanmiller said:
@Dashrender said:
Because I'm trying to understand - are the driver and the Superfish thing really one and the same?
No reason to suspect otherwise. Why would the question get asked? Superfish worked by being a shim. The network driver had a shim. Unless you suspect that they did the same thing twice on the same boxes and no one noticed that there were TWO shims.
Yes I assumed they were separate, and you had two shims.
-
@scottalanmiller said:
@Dashrender said:
So I guess in the end what my point is - is finding out the Superfish only affected Lenovo and from what Scott is saying, it required both the shim'ed driver package and the software package on the machine, making these two components part of the same issue.
The driver IS the software package on the machine. And the machine would not be online without it. The only thing required was the network driver and you were shimmed. The belief is that that shim was Superfish, not a second shim. There is no reason, other than the fact that it is Lenovo, to suspect more than one shim.
Then explain how the SSL cert got there? Are you saying the SSL cert was inserted into Windows through the WNIC driver?
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Because I'm trying to understand - are the driver and the Superfish thing really one and the same?
No reason to suspect otherwise. Why would the question get asked? Superfish worked by being a shim. The network driver had a shim. Unless you suspect that they did the same thing twice on the same boxes and no one noticed that there were TWO shims.
Yes I assumed they were separate, and you had two shims.
Possible, I suppose. But we never had any reason to believe so.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
So I guess in the end what my point is - is finding out the Superfish only affected Lenovo and from what Scott is saying, it required both the shim'ed driver package and the software package on the machine, making these two components part of the same issue.
The driver IS the software package on the machine. And the machine would not be online without it. The only thing required was the network driver and you were shimmed. The belief is that that shim was Superfish, not a second shim. There is no reason, other than the fact that it is Lenovo, to suspect more than one shim.
Then explain how the SSL cert got there? Are you saying the SSL cert was inserted into Windows through the WNIC driver?
SSL cert is a different issue. Related, but you are shimmed and vulnerable without it.
-
The whole reason we found out about Superfish is because of the Self-Signed Cert in the Root Cert store.
-
@scottalanmiller While I agree that you're vulnerable without the Cert, please help me understand how we are vulnerable?
-
@Dashrender said:
The whole reason we found out about Superfish is because of the Self-Signed Cert in the Root Cert store.
When I first heard about it, it was because of the network shim. We reported the shim months ahead of the root cert being mentioned. But to do what it does Superfish has to actually hijack your connection. It's the shim that is the really nasty part.
-
@Dashrender said:
@scottalanmiller While I agree that you're vulnerable without the Cert, please help me understand how we are vulnerable?
Because they control your network. They can inject anything that they want, read anything that they want. A shim means you are rooted. They own you.
-
I think this makes the situation even worse than I believed it was before.
It's one thing if Lenovo takes a piece of software from a 3rd party and just installs it.. that software then goes and installs a shim to the network to allow them to do whatever they want....
it's a whole different thing when the vendor, Lenovo, actually modifies their own driver to install the shim as low as possible to prevent its lack of use - it's one of those situations where "they couldn't have helped but to know how bad this was."