RE hardware compromise:

I've been reading this in various reporting services. This is one link, there are others if you do a websearch:

http://www.foxnews.com/tech/2015/02/...nto-cyber-spy/

I make no claims that this is fact, but who know for sure?

I'll definitely do a web search. I've found stories are very hit or miss with Fox News, and sometimes they really miss, taking things out of context, using hyperbole, etc. On the other hand, there aren't that many news sources that are very trustworthy anyway. Too many of them sensationalize since the name of the game nowadays is clickbait. I trust the BBC more than most of them, but even they have their biases.

In any event, on a FB forum some people are claiming that this Superfish that comes preinstalled can allow a hacker to spy on even a Linux system. That doesn't seem possible since it's designed to run under Windows. If you've formatted your hard drive, wiped Windows, and installed your favorite Linux distro, how the hell is this Superfish supposed to still be running? Some people on FB have been claiming that it still runs anyway, but that doesn't seem possible unless it's somehow hardwired into the laptop's very architecture. That doesn't seem possible since there are instructions on the Internet on how to remove it. Methinks I've encountered some people who don't know diddly squat about Linux.

Note: It is indeed possible to get malware on a Linux system if you're dumb enough to install a trojan, typing in your root password, but it seems to me that this Superfish thing is toast as soon as the hard drive is wiped. Am I wrong?

RE Superfish, the reports I'm reading are related only to Windows and saying the some of the removal instructions will miss the cookie-like files it created, resulting in it continuing to act. Again, only under Windows. If they have dual boot, then that may be problem. I'm strictly Linux, so not a problem here.

Wiping the entire drive would seem to be a fix, if somewhat overkill. Reports say the some backups can be safely restored after a drive wipe, but I have no experience to back that.

The one I'm really worried about is the hard drive SW installed in the factory, see my previous link for info on this.

Superfish is adware that has malware characteristics. It installs a self-signed root certificate into the Windows certificate store and the Firefox (for Windows) certificate store. When a browser makes a connection to a TLS/SSL server, the Superfish service generates, on the fly, a certificate that spoofs the actual destination. It presents this certificate to the browser, and the browser thinks it has connected to the server. Then the Superfish service connects to the real destination and fetches pages. The service receives TLS/SSL content from the server, decrypts it, inserts advertisements, and then sends the modified content to the browser.

This is pure man-in-the-middle attack against TLS. It has a number of very bad characteristics:

• It hides any warnings you might normally receive if the true server's certificate was revoked or expired
• The same private key is used on every machine containing Superfish; thus, it's possible for an attacker to spoof any site s/he wishes and those with affected Lenovo laptops would never know
• The certificate was protected with a simple word -- "komodia" -- that a researcher was able to crack in 10 seconds
• The Superfish service has full visibility into everything happening in the browser, in clear text

Superfish was present on certain factory-shipped consumer (not business) Lenovo laptops only, built between September 2014 and February 2015. Server-side interactions were disabled in January; no ad insertion is happening now. You can remove Superfish without rebuilding your PC. Lenovo laptops running Linux are not affected. Windows VMs you built yourself are not affected. Anyone claiming that Superfish can allow an attacker to penetrate these is wrong.

All manufacturers are guilty of filling their PCs with bloatware -- it's the only way they make money. Lenovo usually isn't the worst, but in this case they really fscked up. Of course, someone from Superfish is trying to pass the buck to an unnamed third party.

---

More information on hard drive firmware hacking by the Equation Group:

http://arstechnica.com/information-t...sive-backdoor/
http://arstechnica.com/security/2015...found-at-last/

Just to add to the mess, there are other software using the same/similar certificate approach. These are used by some very big companies. From the article:

..."One is parental control software from Komodia called "Keep My Family Secure," a second is parental control software marketed by an outfit called Qustodio, and the third is a known as Kurupira Webfilter."...

The article may be found on Ars Technica:

http://arstechnica.com/security/2015...mber-of-users/

Again, this appears to be limited (now) to the Windows platform. But I think (opinion) this could compromise everyone if data is shared across windows based servers. It never stops.

Minor correction: All big name manufacturers. See system76.com, and others.

Sharing across servers isn't enough. When I wrote "Superfish service" earlier, "service" is in the context of Windows here. A Windows service is some code that runs on the machine at boot or when invoked and stays running. Services have to be installed (typically via an .MSI file) before they can be invoked. Connecting a PC to a file share on which Superfish got installed will not spread Superfish to the PC.

Good point.

Lenovo is made in China. LOTS of hardware/firmware is made in China. CPUs/GPUs and firmware contain code (microcode, but code).

Ken Thompson, the co-developer of C, wrote a response to an ACM award in their August, 1984 issue of "Communications of the ACM". The first part of his response leads up to this paragraph:
While Thompson explains how to create a bugged binary of the C compiler it is also possible to do the same with other code, including those mentioned above. For example, the US government had Texas Instruments insert code bound for Iraq into their printers so that they could be shut down/controlled (remotely). During the 1992 invasion of Iraq their printers were shut down and printed orders/commands could not be delivered.

Disclaimer -- all of this TI stuff is from my memory, such as it is, and may be entirely part of Internet legends.

What is NOT legend is the attempt by Cisco to introduce spyware in my Cisco E2500 wifi firmware. Had they not gotten greedy and tried to force me to register for a Cisco cloud account I wouldn't have been inspired to google the clumzy attempt and learn about the real nature of the firmware upgrade. My response was to replace the firmware with DD-WRT. However, I am accepting on faith that DD-WRT wasn't compiled with an infected C compiler and contains malware which is not present in the source that was compiled.

Of related interest: http://lwn.net/SubscriberLink/633273/c9289d60f24feba9/

> Minor correction: All big name manufacturers. See system76.com, and others.

ronw, you are in the US, as am I. I believe that system76 et al are more expensive not only because of their lower volumes, but also because, thanks to bloatware, trialware, nagware, and worse, the Windows Tax is actually negative.
That is, Dell, Lenovo, and HP may actually pay less for Windows (net of marketing dollars from Microsoft) than they receive in these incentives.

Indeed.

I only have one data point, my own laptop from System76. Comparably spec'd machines from Dell and Lenovo were roughly $100 cheaper; so less than 10% in 'savings'. That was an easy decision: send my money to a nice bunch of people in Colorado, or help MegaCorp meet its quarterly projections for Wall St.