Lenovo and Superfish Are Giving Us Deja-vu

Ever since Edward Snowden’s revelations about the NSA’s extensive spying program, security has been in the spotlight. Over the past several weeks, the adware known as Superfish has been the hot topic.

Lenovo, the China-based OEM, has admitted to pre-loading Superfish adware on consumer PCs it shipped during the second half of 2014. Two new lawsuits were filed on February 23, 2015 against Lenovo and adware maker Superfish in the federal courts of California for putting consumers at risk of information theft and hacker spying.

One plaintiff, David Hunter of North Carolina, claims that both Lenovo and Superfish violated the U.S. Electronic Communications Privacy Act among other laws, and has asked the court to order the firms to hand back any revenue earned from selling consumers’ browsing data as well as the money earned from the adware’s advertising.

Another plaintiff, Jessica Bennett, stated that her laptop was damaged as a result of Superfish. She further accuses Lenovo and Superfish of making money at the expense of invading her privacy.

Security researcher Marc Rogers wrote that it’s “quite possibly the single worst thing I have seen a manufacturer do to its customer base…I cannot overstate how evil this is.” Superfish is far more than a nuisance: it is adware that deliberately breaks the trust model HTTPS depends on.

Superfish installed the same self-signed root CA certificate, with its matching private key bundled in the software, on every affected Lenovo machine, so that it could sit between the browser and every HTTPS site and re-sign each site’s certificate on the fly. Because that key was identical everywhere and was quickly extracted from the software, anyone able to get on-path, for example on the same Wi-Fi network, could mint a certificate for any site and the victim’s browser would accept it silently, exposing bank credentials, passwords and anything else typed into it.

For companies the exposure is worse: corporate logins, webmail and internal applications used from an affected laptop were just as open to interception as an employee’s personal banking.

Errata Security’s Robert Graham said, “I can intercept the encrypted communications of Superfish’s victims (people with Lenovo laptops) while hanging out near them at a café wifi hotspot.”

Our deja-vu comes from the Sony BMG DRM rootkit scandal of 2005, in which Sony’s copy-protection software silently installed a rootkit on users’ computers whenever certain audio CDs were played. The rootkit’s cloaking was soon abused by other malware to hide itself, so in its zeal to protect revenue Sony did nothing to stop piracy and compromised the security of millions of users.

Lenovo claims it installed Superfish to “enhance our user’s shopping experience.”

American Bar Association cautions against file sharing lawsuits

The American Bar Association is urging its 400,000-lawyer membership to be more prudent and show restraint when it comes to lodging online file sharing lawsuits.

In a detailed whitepaper advising the US Government on how to best tackle online piracy, the association writes [PDF]: “Finally, while it is technically possible for trademark and copyright owners to proceed with civil litigation against the consuming public who affirmatively seek out counterfeited products or pirated content or engage in illegal file sharing, campaigns like this have been expensive, do not yield significant financial returns, and can cause a public relations problem for the plaintiff in addressing its consuming public.”

The paper’s conclusion recommends instituting SOPA-like anti-piracy measures, including injunctions against companies that host servers carrying copyright-infringing material. In an interesting turnaround, the association says that lawsuits against individual file-sharers are ineffective and counterproductive as a whole.

The Intellectual Property Law division of the group noted as Exhibit A the litigation campaigns of the RIAA (Recording Industry Association of America) and MPAA (Motion Picture Association of America).

This 113-page memo has been largely overlooked in the press; TorrentFreak was the first site to report on it. The ABA says that filing lawsuits against individuals has proven ineffective in the past and is unlikely to curb piracy rates.

For instance, the Recording Industry of America (“RIAA”) initiated a campaign several years ago against consumers who engaged in illegal file sharing of copyrighted music. During that time, the RIAA initiated lawsuits against over 18,000 individual users, most of whom paid a few hundred dollars in settlements to avoid the potential for statutory damages of $150,000 per infringing use. More recently, the RIAA has abandoned its former policy of directly bringing cases against consumers in favor of expanding its focus on educating the consuming public about avoiding piracy. The Motion Picture Association of America (“MPAA”) followed in the RIAA’s footsteps with its own set of lawsuits directed against consumers who engaged in the illegal file sharing of copyrighted films and other video, though on a vastly smaller scale. It, too, later abandoned this approach.

With this said, the preferred course of action appears to be legislation that targets infringing websites such as the torrent tracker The Pirate Bay. Since it is hard to prosecute site owners outside the US, a more indirect approach is suggested: legislation aimed at cutting off funding and advertising, with banks and payment processors cooperating to halt the flow of money. The whitepaper also calls for legislation that would allow injunctions against the hosting companies whose servers store the websites. Interestingly, the association could not reach a consensus on doing the same for domain registrars and search engines.

Many of these suggestions were previously included in the oft-criticized SOPA and PIPA bills.