I'm curious what legal stance Lenovo customers have here - their secure HTTPS connections are being MITMed intentionally - surely that's hacking, or some national security violation?
It actually depends whether or not the practice is directly or indirectly agreed to by the user in the Terms of Use, Privacy Policy or similar document. Now, it's likely that users do agree to it, but if the language in their policies wasn't broad enough to cover action like this, theoretically it would be a violation of the Computer Fraud and Abuse Act, as exceeding authorized use.
This won't hold for Germany though. There is a concept of surprising clause (überraschende Klausel) as well as the concept of an unethical clause (sittenwidrige Klausel). In this case I would assume that both would hold even if there is some clause in the EULA.
The BigCo argument holds in Germany unfortunately as well...
At least PunkBuster is spying for a relatively noble purpose: preventing cheating in online games. Cheating absolutely destroys the experience in multiplayer games and has killed many games.
This is spying with the sole purpose of spreading ads and making money.
So because a few people decide to cheat at a game they paid for, everyone who paid full price for the game is forced to install spyware which can and does modify files on your pc, take screenshots as you play the game, monitor your mouse inputs, keyboard, etc...?
I think that is fine, personally. Obviously others might not. You have to specifically agree to install/allow PunkBuster, and you can choose to play on servers that don't use PunkBuster. With Lenovo not only is there no opt-out, but you're not even aware of the adware and root CA installation.
The "spyware" only spies on modifications to the game client in any way and tries to detect non-human involvement, which of course includes inspecting the file system and RAM. In theory it could harvest irrelevant information from your hard drive or memory, but no reverse engineer has ever made such a claim to my knowledge.
Valve Anti-Cheat does very similar things, but is run by what many consider to be a trustworthy company, so not that many people take issue with it. If one trusts the company that distributes the spyware, it's not really a problem, in my opinion. If Valve were to ever violate that trust, it would severely harm their business.
I also strongly disagree with DRM, because it only harms other players while providing no benefits. In contrast, online cheaters can completely ruin the playing experience for online games, and have heavily contributed to the death of some games.
I also have no issue if people decide to cheat when in single-player mode. If you pay for the game you should be able to do whatever you want if you're not affecting others. It's only a problem when they're playing with other people over the Internet. PunkBuster and VAC only run when you're playing in online mode.
It's not fine because, as is the case with Superfish, this type of software leaves gaping security holes that blackhats can exploit no matter how noble the vendor is.
What security holes does PunkBuster introduce? Adware like Superfish and game client modification detection like PunkBuster are very different kinds of software. I do not support anything like Superfish.
It's not just because they are a big company though. The "community", the industry and the government all share blame for the lack of liability for software.
Edit: It's pretty bad form to downvote new accounts because you disagree. Imagine if I didn't know about hellbanning.
Ask yourself what open source licenses, corporate EULAs and the NSA's defense have in common. The best hope here is that Lenovo explicitly promised someone something they didn't keep.
You can bet that if the NSA manages to use this to hoover up some tasty HTTPS, this scandal will be lauded as a big boost to "national security" behind the scenes, and nobody will be punished. For all we know NSA had a hand in engineering this.
Of course, if some government data is stolen as a result, then the whole thing will be thrown under the bus and deemed a threat to "national security".
I hope anyone who uses terms like "national security" does it in full awareness of what Orwell meant by newspeak and doublethink.
Impersonating a CA is not transparent and risks losing that CA if anyone finds out it's forging certs. They probably can do that, but it's a risky nuclear option.
This is a transparent dragnet that can easily be blamed away, which has been shown to be much more preferable in the NSA's M.O.
The sad thing is we don't need to invoke the big bad NSA here. There is absolutely positively nothing about this that suggests it is anything other than bog-standard SSL incompetence.
And to be clear, I mean, absolutely nothing. This isn't a slightly unlikely thing that still leaves room to wonder about "plausible deniability"... this is a thing that happens all the damned time and the NSA need at most sit back and passively reap the benefits, along with hackers and criminals.
Somebody somewhere wanted to get in on the advertising gig because it looks like free money. Their first attempt didn't work on HTTPS sites. Some techie was ordered to fix it. Said techie read a few things on a few sites and typed in the magic commands to "make it work" and probably literally didn't even know that they'd just annihilated security for all their users... they literally just knew that this made their software "work", and for them, pretty much the first time they clicked on to an HTTPS page and saw their own ads, the story ended. Ship it.
To a first approximation, nobody using SSL in some manner understands SSL.
It does seem like this is more of an amateur hour screw-up. It isn't beyond the NSA to plant developers that can insert backdoors on their behalf or set up front companies to sell vulnerable libraries but one would hope that they have enough sense not to leave cleartext passwords in a binary. Of course that could be an intentional misdirection so one never really knows.
I really don't agree. Every government has an official CA, and last time one was caught (France with fake Google certs IIRC), nothing happened at all. Most CAs are too big to fall anyway.
The employers that I know of who do government work require that all computers/phones on which work is performed be from certain manufacturers, which are US companies; an issue like this is the exact thing they cite as the reason for not using foreign companies as providers of such hardware. So the chance of government data being stolen is minimal, and the chance of the US government caring much is unlikely. So I doubt this will wind up under that bus.
Isn't Superfish (or is it Phish?) a US/Israeli company?
Some of the code inserted is pretty strange, including functions to check for lenevo, bestbuy.com and isPayingCountry() with a list of country identifiers:
The code you linked is nothing out of the ordinary as far as adware in Chrome plug-ins etc. go. For an example, have a look at the source code[1] of "Awesome Screenshot"[2], which is used by ~1.4M users and also calls home to 7 different hosts[3]. This is just one of many, many Chrome plug-ins that is injecting ads, and Google encourages this[4]. It makes sense to limit injections to markets they can serve / are affiliates in.
I think what you meant to say is that the existing laws that make something like this illegal should be enforceable in a meaningful way against large manufacturers and retailers.