Currently unfashionable inside Lenovo “consumer laptops”. Photo by sinosplice on Flickr.
A selection of 8 links for you. Makes a lovely salad when added to salad. I’m charlesarthur on Twitter. Observations and links welcome.
How Lenovo’s Superfish ‘malware’ works and what you can do to kill it » Forbes
Lenovo might have made one of the biggest mistakes in its history. By pre-installing software called ‘Superfish ’ to get ads on screens it’s peeved the entire privacy community, which has been aghast this morning on Twitter. There are serious security concerns about Lenovo’s move too as attackers could take Superfish and use it to ensnare some unwitting web users.
Here’s what you need to know about Superfish and what you can do to stop it chucking irksome ads on your browser and leaving you open to hackers.
This is probably the most comprehensive piece on the problems around this, though Lenovo suggests it has only installed it since September 2014. On Thursday night it issued instructions on how to remove it. And here’s a site you can use to check whether it’s affecting you. Read on for more of the implications.
AVAST 2015 Release Candidate 1 (10.0.2202) » Avast forums
Avast is a well-known antivirus program:
Features already introduced in previous AVAST 2015 betas:
• GrimeFighter Free
GrimeFighter will offer free cleaning of junk files and tuning of system settings. These tasks are performed by our Zilch and Torque minions. Other minion functions remain as paid-for features.
• HTTPS scanning
Now, we are able to detect and decrypt TLS/SSL protected traffic in our Web-content filtering component. We are using our own generated certificates that are added into the Root Certificate store in Windows and also into major browsers. This feature will protect you against viruses coming through HTTPs traffic as well as adding compatibility for SPDY+HTTPS/ HTTP 2.0 traffic. You can tune/disable this feature in the settings section.
That “https scanning” is exactly the thing that people are worried about with the Lenovo-installed Superfish. The reason why it’s used is because a lot of malware uses https: to connect to command-and-control servers. Superfish used it because connections to Google are https: and it wanted to insert its own adverts into the Google results stream.
Somehow, the Avast reason seems much preferable. (Link via Jon Honeyball.)
Extracting the SuperFish certificate » Errata Security
I extracted the certificate from the SuperFish adware and cracked the password (“komodia”) that encrypted it. I discuss how down below. The consequence is that I can intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot. Note: this is probably trafficking in illegal access devices under the proposed revisions to the CFAA, so get it now before they change the law.
I used simple reversing to find the certificate. As reported by others, program is packed and self-encrypted (like typical adware/malware). The proper way to reverse engineer this is to run the software in a debugger (or IDApro), setting break point right after it decrypts itself. The goal is to set the right break point before it actually infects your machine – reversers have been known to infect themselves this way.
This is one of the concerning things about Lenovo’s actions: vulnerabilities like this.
Lenovo CTO: we’re working to wipe Superfish app off PCs » WSJ Digits blog
Lenovo is working quickly to wipe all traces of an app it had pre-installed on some consumer laptops, responding to security researchers’ warnings that the app could give attackers a way to steal people’s encrypted Web data or online passwords.
In an interview Thursday, Lenovo’s chief technology officer, Peter Hortensius, acknowledged that “we didn’t do enough” due diligence before installing Superfish, but that the company doesn’t believe laptop owners were harmed by the app. He said the company realized it needs to do more to respond to consumers’ concerns.
Lenovo, the world’s biggest seller of PCs, is working to write software that will delete any data from the Superfish software off laptops on which it had been installed. Hortensius also said the company should have done more due diligence on the security of the Superfish shopping-search app, which was installed from September to December on Lenovo consumer laptops.
Choice quote from Hortensius: “we agree that this was not something that we want to have on the system”. So how did it get there?
Report: 2014 was a bad year for lyrics sites in Google » Search Engine Land
Only one lyrics site saw an increase in visibility from Google’s search results, that is azlyrics.com with a 24% lift.
We saw at the end of December 2013, Rap Genius was penalized for link schemes but then saw themselves back in the search results ten days later. Maybe that manual action had Google’s engineers take a deeper look at the lyrics niche.
One thing, you’d probably see a deeper impact on these lyrics sites in 2015. Google in late December 2014 began showing full lyrics in the search results, which can directly impact the traffic and visibility of these lyrics sites in the Google search results.
How Twitter CEO Dick Costolo keeps his focus » Inc.com
A typical week for Costolo involves 12 to 15 standing meetings, so he has a few rules for efficiency’s sake. First, no cancelling. Freeing up that time may be tempting, but it’s how small problems become big ones. “I’m the connective tissue between all these groups,” he says. “It’s important for me to have context for the issues and challenges everyone’s dealing with.”
Second, no sidebars, ever. Nothing irks Costolo more than someone approaching him in private and saying, “I didn’t want to bring this up in front of everyone, but…” That rewards politics over process, he says: “Everyone on my team knows that that’s not a valid way to start a conversation with me.”
Finally, no PowerPoint. Meetings are for communicating, not wasting time on pretty slides. Instead, Costolo asks managers to type briefings. “If that sounds straight out of the Jeff Bezos playbook, it’s because it is,” he says. “I totally agree with that.”
These seem really good ideas. And there are more; the article isn’t so much about what happens, but how Costolo functions.
What the tech world doesn’t understand about fashion » Racked
at the biggest fashion houses in Europe, there is a general disdain for the connected future that the tech world fetishizes.
“We don’t like [e-commerce]. I don’t care,” Miuccia Prada said in 2013. “We think that, for luxury, it’s not right. Personally, I’m not interested.” As Bloomberg details, this is the case for many luxury brands. Some fashion OGs, like Valentino, don’t even use computers. Anna Wintour famously carries a flip phone. “The problem with technology is it’s a bit cold. It’s a bit sharp,” said Carine Roitfeld, CR Fashion Book EIC and former French Vogue chief.
This aversion actually makes perfect sense. Fashion is, by its very nature, exclusive. It’s about creating an identity, a brand, that is so cool that people will spend thousands and thousands of dollars to acquire a tiny piece of it. If you make that identity widely available, you risk diluting it. This delicate balance is something that the oldest fashion stalwarts have spent a hundred or more years perfecting.
Terrific piece which neatly illustrates (with examples) the gulf between tech and fashion: quite a lot of it is in the language that attaches to things.
A computer can tell real Jackson Pollocks from fakes » Smithsonian
according to many connoisseurs, critics and fakers don’t give the painter enough credit. There are indeed complexities to Pollock’s drip art that show it to be the genuine article. And now there’s a computer program helping to make a science out of the deciphering.
The software uses “computational methods to characterize the low-level numerical differences between original Pollock drip paintings and drip paintings done by others attempting to mimic this signature style,” says Inderscience Publishers. You give it a scan of the possible Pollock, and the program goes to work extracting 4024 numerical image descriptors that the human eye would have trouble deciphering as accurately.
I guess we have to add “art authenticator” to the list of white-collar jobs that computers will wipe out in time.