It’s funny how obsessed we are with qualifications these days. Kids go to school and are immediately thrust into a relentless machine of tests, league tables, and exams. They are ruthlessly judged on grades, yet both the knowledge and the qualifications those grades represent so often boil down to relatively useless pieces of paper. It doesn’t even end for the poor youngsters when they leave school, for we are now in an age in which more of them than ever before are expected to go on to university. They emerge three years later carrying a student debt and a freshly-printed degree certificate, only to find that all this education hasn’t really taught them the stuff they need to do whatever job they land.
A gold standard of education is revealed as an expensive piece of paper with a networking opportunity if you are lucky. You need it to get the job, but in most cases the job overestimates the requirement for it. When a prospective employer ignores twenty years of industry experience to ask you what class of degree you got twenty years ago you begin to see the farcical nature of the situation.
In our hackspaces, we see plenty of people engaged in this educational treadmill. From high schoolers desperately seeking to learn something other than simply how to regurgitate the textbook, through university students seeking an environment closer to an industrial lab or workshop, to perhaps most interestingly those young people who have eschewed university and gone straight from school into their own startups.
You want to put your credit card number into a web site, so you know to look for a secure (HTTPS) web site. But what does that padlock really prove? And now that so many electronic projects have web servers (ok, I’ll say it… the Internet of Things), do you need to secure your web server?
There was a time when getting a certificate (at least one that browsers would actually trust) cost a pretty penny. However, a new initiative backed by some major players (like Cisco, Google, Mozilla, and many others) wants to give you a free SSL/TLS certificate. One reason they can afford to do this is that they have automated the verification process (proving that you control the domain name, rather than proving who you are), so the cost of issuing a certificate is very low.
If you’ve ever purchased a new computer then you are probably familiar with the barrage of bloatware that comes pre-installed. Usually there are system tools, antivirus software trials, and a whole bunch of other things that most of us never wanted in the first place. Well now we can add Superfish spyware to the list.
You may wonder what makes this case so special. A lot of PCs come with pre-installed software that collects usage statistics for the manufacturer. Superfish is a far more extreme case. The software installs its own self-signed root CA certificate into the system trust store. Then it intercepts every HTTPS session the user opens and presents a certificate it generated itself, signed by that root. If you visit your online banking portal, for example, you won’t actually get the certificate from your bank. Instead, you’ll receive a certificate signed by Superfish, and your PC will trust it without complaint, padlock and all, because the root certificate is already installed. This is a man in the middle attack performed by software that Lenovo installed at the factory. Superfish uses this position to read and modify your encrypted connections, including collecting data and injecting ads.
As if that wasn’t bad enough, the root certificate itself is signed with the deprecated SHA-1 algorithm and uses a 1024-bit RSA key, both of which are considered too weak for a CA today. Worse, it turned out not to matter: [Rob Graham], CEO of Errata Security, has already recovered the private key, which is the same on every affected machine because it ships inside the Superfish software. With the private key public, anyone who can get between a Superfish-infected PC and the Internet (on the same Wi-Fi, say) can mint a certificate for any HTTPS site, and that PC will trust it. The user sees a valid padlock and has no idea they are on a fake phishing site.
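To make the two points above concrete (what the padlock actually proves, and why a rogue root plus a leaked key breaks it), here is an added example in Go using only the standard library. It is not Lenovo’s, Superfish’s, or Hackaday’s code. It builds a 1024-bit self-signed root standing in for the Superfish root, forges a certificate for the constructed hostname `bank.example`, and checks it against a trust store that contains the rogue root (the infected PC) and one that does not (a clean PC). It also audits the root for the weaknesses named in the text: a short RSA key and a SHA-1 signature. The CA name, hostname and function names are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one weakness spotted in a certificate.
type Finding string

// newSelfSignedCA builds a self-signed root with an RSA key of the given size.
// It stands in for the Superfish root that ended up in the system trust store;
// the organisation name is a constructed placeholder.
func newSelfSignedCA(org string, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueLeaf mints a server certificate for host signed by the CA. This is what
// interception software does on the fly for every HTTPS site the user visits.
func issueLeaf(ca *x509.Certificate, caKey *rsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedFor reports whether leaf chains to a root in pool for host, which is
// the check a browser makes before it shows the padlock.
func trustedFor(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// auditCert flags the two weaknesses called out in the Superfish root:
// an RSA modulus shorter than 2048 bits and a SHA-1 signature.
func auditCert(c *x509.Certificate) []Finding {
	var out []Finding
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		out = append(out, Finding(fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen())))
	}
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		out = append(out, Finding("signature uses SHA-1"))
	}
	return out
}

// demo forges a certificate for a constructed bank hostname with a 1024-bit
// rogue root and checks it against an "infected" trust store (rogue root
// present) and a "clean" one (absent). It returns both verdicts and the
// audit findings for the rogue root.
func demo() (infected, clean bool, findings []Finding, err error) {
	rogueRoot, rogueKey, err := newSelfSignedCA("Superfish-style rogue CA", 1024)
	if err != nil {
		return false, false, nil, err
	}
	const host = "bank.example"
	forged, err := issueLeaf(rogueRoot, rogueKey, host)
	if err != nil {
		return false, false, nil, err
	}
	infectedStore := x509.NewCertPool()
	infectedStore.AddCert(rogueRoot)
	cleanStore := x509.NewCertPool() // a real clean PC uses the OS store, which also lacks the rogue root
	return trustedFor(forged, infectedStore, host), trustedFor(forged, cleanStore, host), auditCert(rogueRoot), nil
}

func main() {
	infected, clean, findings, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged bank.example cert trusted with rogue root installed: %v\n", infected)
	fmt.Printf("forged bank.example cert trusted on a clean machine:        %v\n", clean)
	fmt.Printf("audit of rogue root: %v\n", findings)
}
```

The forged certificate validates only because the rogue root sits in the trust store; nothing about the TLS handshake itself changes. That is also why the padlock answers a narrow question: it proves the site presented a certificate that chains to something your machine trusts, and the value of that proof depends entirely on what is in the trust store. Anyone holding the leaked Superfish key can play the role of `issueLeaf` here for any hostname.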
Since this discovery was made, Lenovo has released a statement saying that Superfish was installed on some systems that shipped between September and December of 2014. They claim that the server-side interactions have been disabled since January, which stops Superfish from injecting anything, and that they have no plans to pre-load Superfish on any new systems. Note that switching off the servers does not remove the root certificate from affected machines: until it is deleted from the trust store, such a PC still trusts anything signed with the leaked key.