Technology for Traveling

Dashrender

@scottalanmiller said:

@Dashrender said:

So I guess in the end what my point is - is finding out the Superfish only affected Lenovo and from what Scott is saying, it required both the shim'ed driver package and the software package on the machine, making these two components part of the same issue.

The driver IS the software package on the machine. And the machine would not be online without it. The only thing required was the network driver and you were shimmed. The belief is that that shim was Superfish, not a second shim. There is no reason, other than the fact that it is Lenovo, to suspect more than one shim.

Then explain how the SSL cert got there? Are you saying the SSL cert was inserted into Windows through the WNIC driver?

scottalanmiller

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

Because I'm trying to understand - are the driver and the Superfish thing really one in the same?

No reason to suspect otherwise. Why would the question get asked? Superfish worked by being a shim. The network driver had a shim. Unless you suspect that they did the same thing twice on the same boxes and no one noticed that there were TWO shims.

Yes I assumed they were separate, and you had two shims.

Possible, I suppose. But we never had any reason to believe so.

scottalanmiller

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

So I guess in the end what my point is - is finding out the Superfish only affected Lenovo and from what Scott is saying, it required both the shim'ed driver package and the software package on the machine, making these two components part of the same issue.

The driver IS the software package on the machine. And the machine would not be online without it. The only thing required was the network driver and you were shimmed. The belief is that that shim was Superfish, not a second shim. There is no reason, other than the fact that it is Lenovo, to suspect more than one shim.

Then explain how the SSL cert got there? Are you saying the SSL cert was inserted into Windows through the WNIC driver?

SSL cert is a different issue. Related, but you are shimmed and vulnerable without it.

Dashrender

The whole reason we found out about Superfish is because of the Self-Signed Cert in the Root Cert store.

Dashrender

@scottalanmiller While I agree that you're vulnerable without the Cert, please help me understand how we are vulnerable?

scottalanmiller

@Dashrender said:

The whole reason we found out about Superfish is because of the Self-Signed Cert in the Root Cert store.

When I first heard about it, it was because of the network shim. We reported the shim months ahead of the root cert being mentioned. But to do what it does Superfish has to actually hijack your connection. It's the shim that is the really nasty part.

scottalanmiller

@Dashrender said:

@scottalanmiller While I agree that you're vulnerable without the Cert, please help me understand how we are vulnerable?

Because they control your network. They can inject anything that they want, read anything that they want. A shim means you are rooted. They own you.

Dashrender

I think this makes the situation even worse than I believed it was before.

It's one thing if Lenovo takes a piece of software from a 3rd party and just installs it.. that software then goes and installs a shim to the network to allow them to do whatever they want....

it's whole different when the vendor, Lenovo, actually modifies their own driver to install the shim as low as possible to prevent it's lack of use - it's one of those situations where "they couldn't have helped but to know how bad this was."

Dashrender

I agree that you reported what you thought was a likely a shim in the driver (though I don't think you had any specific coding proof at the time). Then a month or so later the Superfish story broke....

This disconnect is what lead me to believe they were unrelated.

scottalanmiller

@Dashrender said:

I agree that you reported what you thought was a likely a shim in the driver (though I don't think you had any specific coding proof at the time). Then a month or so later the Superfish story broke....

This disconnect is what lead me to believe they were unrelated.

Just took that long for people to believe the reports It was closer to five months.

scottalanmiller

@Dashrender said:

I think this makes the situation even worse than I believed it was before.

It's one thing if Lenovo takes a piece of software from a 3rd party and just installs it.. that software then goes and installs a shim to the network to allow them to do whatever they want....

it's whole different when the vendor, Lenovo, actually modifies their own driver to install the shim as low as possible to prevent it's lack of use - it's one of those situations where "they couldn't have helped but to know how bad this was."

Yes, it is really hard to overstate just how bad this was.