Smart Tech and Dumb Tech, or Supply Chain for the people

Computer World has an interesting article on Superfish, an “adware” program that shipped with certain versions of Lenovo laptops. As the article points out:

But it gets worse. It turns out Superfish relied on a third-party component for the HTTPS interception functionality: an SDK (software development kit) called the SSL Decoder/Digestor made by an Israeli company called Komodia.

The “smart tech” side: the article points to a very interesting and well-written description by Robert Graham at Errata Security of how he extracted the private key of the root certificate this product installs. That write-up is a must-read.

The “dumb tech” side: everything else about this situation. Superfish installs its own self-signed root certificate into the Windows trusted root certificate store, and its interception proxy then generates and signs a fresh certificate for every HTTPS site the browser visits, so the browser shows no warning while the traffic is being decrypted. It is beyond me how anyone with even the barest knowledge of network security thought this was a good idea. It completely subverts the trust model on which X.509 certificates, and thus TLS, are based: the browser's trust now rests on a root whose private key lives on the laptop instead of in a CA's protected signing environment, and because the same root and key were shipped on every affected machine, anyone who extracts that key (as Graham did) can impersonate any HTTPS site to all of them.

This also speaks very poorly of Lenovo’s judgement. I do understand that they cannot fully vet every library used by every piece of software they pre-install. I also understand that pre-loading software is one of the tools vendors use to keep their prices down (thank you Microsoft); no one should have any illusion that this software is there for the customer’s benefit. But I sincerely hope that Lenovo pays a severe market penalty for this incident; if we want any change to vendor crapware, this is how it’s going to have to happen.

For the consumer though, the lesson is clear: no matter whether or not you think it might be useful, delete every single piece of software shipped on a new computer that you didn’t ask for. Bear in mind that uninstalling an application does not necessarily remove a root certificate it added; open the Trusted Root Certification Authorities store (certmgr.msc, or Cert:\LocalMachine\Root and Cert:\CurrentUser\Root in PowerShell) and remove any root you did not put there yourself. Companies have their own computer images for a reason, and now you know why. It’s sad that individuals need to be concerned with supply chain management.

