Snowdon is a dummy

 
 
BillRM
 
  1  
Reply Sat 21 Feb, 2015 12:36 pm
Everyone can play the massive spy game following the example of NSA.

Quote:


http://www.theregister.co.uk/2015/02/20/superfish_is_malware_us_government/

+Updates The US government's Computer Emergency Readiness Team (US-CERT) has said the Superfish ad-injecting malware installed by Lenovo on its new laptops is a "critical" threat to security.

Chinese PC peddler Lenovo bundled the software nasty to make a fast buck from its cheap, low-margin hardware: the application hijacks web browsers to inject ads into pages, even HTTPS encrypted websites, using an egregious root CA certificate.

"Lenovo consumer personal computers employing the pre-installed Superfish Visual Discovery software contain a critical vulnerability through a compromised root CA certificate," US-CERT said on Friday, urging people to remove the adware.

"Exploitation of this vulnerability could allow a remote attacker to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system."

In a detailed rundown – including instructions on how to remove the badware – the Homeland Security team said select Lenovo Windows laptops built since September 2014* harbor Superfish VisualDiscovery. Lenope stopped bundling the software in January 2015.

The malware installs its own root CA certificate so it can silently intercept and decrypt HTTPS connections, allowing it to tamper with pages – namely, injecting ads to stuff to buy online.

For example, if you visit bankofamerica.com on an affected laptop, your web browser is hijacked to connect through Superfish's software, but the user is none the wiser. The Superfish root CA certificate convinces the browser that everything is OK.

The private key for this certificate is hardcoded into VisualDiscovery's executable, and easily extractable. This means anyone can use it to create spoof websites that will be trusted by vulnerable laptops, allowing miscreants to pull off man-in-the-middle attacks and steal login passwords.

In other words, your connection to, say, gmail.com on a Lenovo laptop may look legit with a little padlock in the top corner of the window, but in reality the website could be malicious and masquerading as the real site so it can learn your login details.

The CERT advisory says Superfish uses Komodia's Redirector with SSL Digestor to intercept web connections. It points out that the same code is also used in free parental control software dubbed KeepMyFamilySecure (the irony), and it is not exclusive to Lenovo products. Other apps and products are bundling the adware.

Superfish, founded in 2006, is a small company based in Palo Alto, California, and has reportedly received about $20m in funding since 2009. Journalist Thomas Fox-Brewster has more on the background of Superfish and Komodia, here.

Microsoft agrees that this whole mess is bad news for users. On Friday the Redmond giant told El Reg its antivirus software Windows Defender now "detects and removes the Superfish software from Lenovo devices."

And sources familiar with the matter told us Microsoft's tool not only removes the Superfish software, but also the rather cheeky root certificate.

'Despite the false and misleading statements...'
Superfish insists computer users have nothing to worry about, and contradicts the US government's assertion that this is a major problem.

"Despite the false and misleading statements made by some media commentators and bloggers, the Superfish code does not present a security risk," its CEO Adi Pinhas told El Reg in a statement, adding that the company doesn't store or share personal data.

"Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn't identified before some laptops shipped," he explained.

"Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. We learned about the potential threat yesterday and since then we have been working with Lenovo and Microsoft to create an industry patch to resolve the threat."

There's no word from Lenovo on the US government's Superfish alert. On Thursday the PC maker's CTO Peter Hortensius said his firm isn't "trying to get into an argument with the security guys," and insisted the code was safe to use. ®

Updated at 1407 Pacific Time (2207 UTC)
It's claimed the Komodia proxy server used by the Superfish adware is worse than previously thought: any man-in-the-middle attacker can create a spoof HTTPS website that is trusted by laptops with the Superfish root CA certificate installed, without having to use the extracted private key. Self-signed SSL certificates are converted into valid ones, we're told.

"All the users out there with Komodia-powered Parental Control software or adware [can] have their banking connections easily intercepted. Well, good job," says CloudFlare security bod Filippo Valsorda.

"It's catastrophic. It's the only way all this mess could have been even worse."

Updated at 1515 Pacific Time (2315 UTC)
* US-CERT initially said Lenovo was bundling Superfish's software since 2010, although has since corrected that to September 2014 after Lenovo complained. In a statement to El Reg, the computer giant said:

The 2010 date is not accurate. Lenovo has stated it preloaded this particular piece of software from Superfish starting in September 2014. Superfish has been around for years and its products have been available for download from sources other than Lenovo.

Tips and corrections
0 Replies
 
BillRM
 
  1  
Reply Sat 21 Feb, 2015 12:39 pm
@revelette2,
Quote:
I have been curious in how Snowden is still leaking stories. Are these stories part of the same information dump which Snowden gave to Greenwald?


Snowden is not dumping anything, as he had turned over all these files to third-party reporters and those reporters are still releasing files.
revelette2
 
  1  
Reply Sun 22 Feb, 2015 03:50 pm
@BillRM,
Which is why I asked. I was wondering about the timeline of the event posted by Walter. I was also wondering how or if he was still releasing his stolen information or if it was part of the information he already turned over to Greenwald and whoever. It was the words "new documents" which caught my eye.
Walter Hinteler
 
  2  
Reply Sun 22 Feb, 2015 04:09 pm
@revelette2,
I suppose that "new documents" just means "newly released documents". (By Greenwald or whoever.)
(Though it had been reported already by Spiegel a couple of months ago - but without publishing the actual documents.)
0 Replies
 
revelette2
 
  2  
Reply Wed 25 Feb, 2015 07:13 am
Quote:
Constitution Check: Will the government’s global wiretap program ever be subject to challenge?

Lyle Denniston, the National Constitution Center’s constitutional literacy adviser, explains why the Supreme Court turned away a challenge on Monday to government spying under the Foreign Intelligence Surveillance Act.

THE STATEMENT AT ISSUE:

“Disclosures over the past two years have called into question whether judicial oversight of national security surveillance is adequate to prevent abuse and preserve the constitutional balance between liberty and security….

Through this case, this court has the opportunity to provide guidance concerning the role that federal judges should play in ensuring that the government’s surveillance practices are consistent with the Constitution.”

– Excerpt from a legal document filed in the Supreme Court in the case of Daoud v. United States. On Monday, the Supreme Court refused to hear that case, after the federal government chose not to file a reply to it. It was one of the first cases in which a person accused of crime has been told by the government that he was a target of a secret intelligence monitoring and that some of the evidence would be used against him at his trial.

WE CHECKED THE CONSTITUTION, AND…

Nearly four decades ago, in 1978, there was a constitutional coincidence – two events, occurring fairly close together, that would seem entirely unconnected, but over time would become intertwined. The courts, however, have yet to figure out a way to make the two work in tandem to serve both the cause of national security and the cause of personal liberty.

In June of that year, the Supreme Court, in a routine criminal case, Franks v. Delaware, ruled that an individual accused of crime would have the right under the Fourth Amendment to challenge the legality of a police search of his belongings, if the individual could first make a fairly convincing argument that the search was not legal. A judge would look at the basis for the police search, the arguments police had made in getting a warrant, and then decide if the accused individual could go ahead with a challenge to the legality of the police action.

In October of that year, President Jimmy Carter signed into law the Foreign Intelligence Surveillance Act, setting up a court system in which the government could seek permission to carry out electronic eavesdropping aimed at the threatening actions of a “foreign power” or its agents. “The bill I am signing today,” the President said, “sacrifices neither the security nor our civil liberties.” The measure, he added, strikes “that difficult balance.”

One of the features of that new law was a mandate by Congress that, if government electronic intelligence-gathering uncovered evidence that would be used to prosecute an individual for a crime, that person would be told about it, and have the opportunity to challenge it. As that law has operated over the years since, it has become clear that only those facing criminal charges are likely to be told that they were monitored; anyone else whose conversations had been overheard has not been told about it, so they had no way to contend that the monitoring was illegal or unconstitutional.

Through the 37 years since then, one thing has become clear: no one has ever had the opportunity to challenge in court whether government spying under the 1978 law was actually done illegally or in violation of the Constitution. There are two reasons for that. First, no one who simply suspects they were overheard by an intelligence-gathering wiretap has been able to prove that they were, so they could not show they had been harmed and thus had no legal claim. Or so the Supreme Court said two years ago, in the case of Clapper v. Amnesty International.

Second, no one who has been told that they were overheard (because they were charged with a crime based partly on evidence from such a wiretap) has ever been given actual access to the secret papers that gave the government authority to do the wiretapping, so they had no basis to claim it was begun or carried out illegally. The government has been able routinely to block demands for such access, claiming national security reasons.

But that circumstance appeared to have changed about a year ago. A federal trial judge in Chicago, Sharon Johnson Coleman, actually ordered the federal government to share with a defense attorney who had a Top Secret clearance some of the background papers on secret intelligence surveillance.

The judge did that in the case of a 19-year-old from Hillside, Ill., Adel Daoud, who had been charged with planning to bomb a bar in the Loop section of downtown Chicago, as a terrorist act. An FBI undercover agent who learned of Daoud’s online conversations about bomb-making and “jihad” worked out the plot with him, and provided him with a fake bomb that, of course, would not detonate.

The government had notified Daoud’s lawyers that some evidence from a secret wiretap would be used at his trial. Judge Coleman rejected the government’s argument that it would endanger national security if the background papers regarding that surveillance were shared with a defense lawyer, even one with sufficient clearance to see such papers. The judge relied upon the Supreme Court’s decision in the Franks v. Delaware case, and her own authority under the 1978 intelligence surveillance law to weigh demands for access.

These developments appeared to be a near-perfect alignment of facts and legal developments to set up a clear-cut court test of the legality of the massive foreign-intelligence surveillance program that has been revealed through the disclosures of former security analyst Edward Snowden.

However, Judge Coleman’s order of disclosure was overturned by the U.S. Court of Appeals for the Seventh Circuit, finding that the trial judge had not followed the required procedures for ordering such a disclosure. Daoud’s lawyers decided to press the issue in the Supreme Court, filing a case there last December asking the court to apply the Franks v. Delaware precedent, and sort out who should get access to the background papers of spying, in a case like Daoud’s.

As matters would turn out, however, the federal government’s lawyers chose to waive their right to respond to the Daoud case. The Supreme Court had the option of calling for a government response, but it did not do so. The case came up before the Justices, then, as only a one-sided matter, and that kind of case does not get reviewed. The Daoud case was denied on Monday without an explanation and without any indication that any Justice had voted to hear it.

So, again, as in other cases that had failed to draw the Justices into an analysis of the balance of security and privacy in the global wiretapping context, challengers had to await another case with not much reason to anticipate a different outcome.


source
Olivier5
 
  2  
Reply Sat 28 Feb, 2015 04:50 am
@revelette2,
That's dereliction of duty, if you ask me. Otherwise known as cowardice.
revelette2
 
  2  
Reply Sat 28 Feb, 2015 07:00 am
@Olivier5,
Our Supreme Court is set up in such a way where they have the choice of what they decide to take up. I think sooner or later a case concerning the issue of the government's surveillance system will come before the court they will decide to hear.
Frank Apisa
 
  1  
Reply Sat 28 Feb, 2015 07:56 am
@revelette2,
revelette2 wrote:

Our Supreme Court is set up in such a way where they have the choice of what they decide to take up. I think sooner or later a case concerning the issue of the government's surveillance system will come before the court they will decide to hear.


Actually, often by refusing to hear a case...they have decided it. Whatever the lower court has ruled...stands.
Walter Hinteler
 
  2  
Reply Sat 28 Feb, 2015 08:10 am
@Frank Apisa,
That is the same procedure as with our Federal Constitutional Court. (This court only deals with Constitution-related cases, but has the power to overrule decisions of all other federal courts despite not being a regular court of appeals in the German court system.)

The courts of last resort - Federal Court of Justice, Federal Social Court, Federal Labour Court, Federal Finance Court, and Federal Administrative Court - are at the top of the hierarchy of courts. [The so-called Gemeinsamer Senat der Obersten Gerichtshöfe ("Joint Senate of the Supreme Courts") is not a supreme court in itself, but an ad-hoc body that is convened only when one supreme court intends to diverge from another supreme court's legal opinion.]
0 Replies
 
Olivier5
 
  1  
Reply Sat 28 Feb, 2015 10:21 am
@revelette2,
I think they will stay away from it for as long as they possibly can, and probably forever. Anybody wants to bet?
revelette2
 
  1  
Reply Sat 28 Feb, 2015 10:47 am
@Olivier5,
It's certainly possible. I only hope they stay away from the ACA, forever. I would rather they take up the surveillance issue any day of the week.
0 Replies
 
RABEL222
 
  2  
Reply Sat 28 Feb, 2015 07:03 pm
@Olivier5,
Depends whether or not the conservatives stay in control of the court.
Olivier5
 
  1  
Reply Sun 1 Mar, 2015 02:11 am
@RABEL222,
How so? The whole system is now conservative, including the dems.
cicerone imposter
 
  1  
Reply Sun 1 Mar, 2015 01:03 pm
@engineer,
The government is not allowed to search without a warrant on any individual, but what proof do you have they have intercepted private communication without one?
0 Replies
 
RABEL222
 
  2  
Reply Sun 1 Mar, 2015 09:49 pm
@Olivier5,
Evidently that's how a majority of voters want it, even democrats. And don't ask me why a majority of democrats want the rich to **** them blind because I sure as hell can't.
cicerone imposter
 
  2  
Reply Mon 2 Mar, 2015 12:06 am
@RABEL222,
That's one of the mysteries of our times; I doubt it'll ever be solved by any of us munchkins. Politics in the US has proven anything is possible. Attempting to rationalize anything political will land you in the pokey or looney house.
0 Replies
 
Walter Hinteler
 
  2  
Reply Tue 3 Mar, 2015 01:41 pm
Quote:
(Reuters) - A Russian lawyer for Edward Snowden said on Tuesday the fugitive former U.S. spy agency contractor who leaked details of the government's mass surveillance programs was working with American and German lawyers to return home.

Anatoly Kucherena, who has links to the Kremlin, was speaking at a news conference to present a book he has written about his client. Moscow granted Snowden asylum in 2013, straining already tense ties with Washington.

"I won't keep it secret that he... wants to return back home. And we are doing everything possible now to solve this issue. There is a group of U.S. lawyers, there is also a group of German lawyers and I'm dealing with it on the Russian side."

The United States wants Snowden to stand trial for leaking extensive secrets of electronic surveillance programs by the National Security Agency (NSA). Russia has repeatedly refused to extradite him.

Snowden has said in the past he would like to return home if he was assured he would be given a fair trial.
Source
Frank Apisa
 
  2  
Reply Tue 3 Mar, 2015 01:51 pm
@Walter Hinteler,
Quote:
Snowden has said in the past he would like to return home if he was assured he would be given a fair trial.


I'm all for giving him a fair trial.
izzythepush
 
  2  
Reply Tue 3 Mar, 2015 01:54 pm
@Frank Apisa,
Frank Apisa wrote:

I'm all for giving him a fair trial.


You're the only one who seems to think a fair trial is a possibility.
0 Replies
 
BillRM
 
  1  
Reply Tue 3 Mar, 2015 08:20 pm
Strongly suggest getting ahold of a copy of Citizenfour, a documentary on Snowden covering how and why he released his information, including video of his first meetings with the reporters in a Hong Kong hotel room.
0 Replies
 
 
