

The Superfish Funder List - wglb
http://qntra.net/2015/02/the-superfish-funder-list/

======
Fede_V
One of the most effective ways we can shut down companies that make this kind
of crapware is public shaming.

Publicly naming companies and executives associated with this horrendous
breach of privacy and security should hopefully serve as a deterrent for VCs
who are considering making a quick buck by funding companies that are fucking
over non-tech literate consumers.

~~~
keslag
Publicly shaming Comcast doesn't seem to be working, at all. I think it's good
in theory, but doesn't work so well in practice.

~~~
TheCraiggers
You and the parent are both right. The problem with Comcast is that many
people (I being one of them) have no choice in the matter. It doesn't matter
how much I despise my ISP, for they are literally the only game in town. My
vocation dictates I have high-speed internet, thus I'm forced to work with
Comcast.

Shaming Lenovo or its partners can make a difference because people _do_ have
a choice here. There are many laptop vendors out there. And if "Vintage
Investment Partners" becomes well enough known as something the public finds
distasteful, it could conceivably cause other companies to shun them as well.

You know, at least until they change their name. Still, I'd argue that if
people cared enough, this approach would work in non-monopolistic cases.

~~~
at-fates-hands
>>> for they are literally the only game in town

I live in the Midwest and thought the same thing. After some research, I found
several smaller companies who offer high speed internet, including the local
telecom company.

I guess it boils down to if you're willing to pay more or pay the same and get
slightly slower speeds without having to deal with Comcast and their horrible
customer service.

------
murbard2
Why is Superfish getting all of the heat, while Komodia gets comparatively
very little?

A product that injects ads in your web traffic is crapware, but the scandal
here isn't that superfish was crapware, the scandal is the security hole it
introduced, which compromised Lenovo users. Yes, we all hate crapware, but
there's a big difference between bothering people with sneaky, unwanted, ads,
and opening the doors for malicious parties to intercept their online banking
credentials.

However, SSL-intercepting software does not need to expose such a security
flaw. It was only Komodia's moronic implementation which did so. If instead of
using a fixed private CA key, they had generated one on the fly when the
software was run for the first time, users wouldn't have been exposed.

Regarding the VCs, I would give them the benefit of the doubt as well. What
were they pitched? SuperFish was about shopping using image recognition. For
all I know, they raised money on a pitch about offering a search service, and
then ended up pivoting. I don't know for sure if that's the case, but it's
possible, and the VCs should get a chance to tell their side of the story
before being dragged in the mud.

~~~
ffumarola
It's not just that Komodia used the same root cert. It goes a bit deeper than
that:
[https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/](https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/)

~~~
patcheudor
Also covered on HN first:

[https://news.ycombinator.com/item?id=9078536](https://news.ycombinator.com/item?id=9078536)

------
guenther1977
See Superfish advisors, who are professors from MIT, Yale...
[http://www.home.superfish.com/#!board-members/c1whv](http://www.home.superfish.com/#!board-members/c1whv)

Professor Tomaso Poggio, PH.D – MIT
Prof Lior Wolf – MIT/Tel Aviv
Professor Yosi Keller – Yale/Bar-Ilan
Olga Russakovsky, PH.D – Stanford (Fei-Fei)
Ron Bekkerman, PH.D - University of Massachusetts

~~~
anon012012
They're all in computer vision, machine learning, etc. I doubt they helped
with more than the visual search engine.

~~~
nailer
I doubt the investors really knew about the MITM attacks with the universal
private key either. I think Superfish and Komodia did something bad, but the
buck should stop with them.

~~~
glesica
Why? It was probably pressure from the investors that drove them to do it. You
can't say to someone "get this done no matter the cost" and then expect to be
held blameless when they do something shady.

It's kind of like a mob boss who says to his lieutenant, "Boy, it sure would
be helpful to us if that grocery store burned down". How else were they
supposed to monetize their tech? They did exactly what everyone else does and
found a way to use it for advertising.

------
1ris
What about criminal prosecution? In plenty of jurisdictions this is illegal.
Wiretapping, unauthorised access, unauthorised decryption, "hacking", breach of
privacy (maybe even copyright infringement; they edited other people's content
without their permission) or something like that is usually prosecuted harshly
if it's done by an individual. I hope a company does not get away with it.

~~~
rpedroso
I hope that there will be legal ramifications to discourage this kind of
behavior, but ultimately, the vendor that packaged Superfish with the
computers is a Chinese company who will probably claim that this kind of thing
is permitted by their EULA.

~~~
seanmcdirmid
What does it matter that Lenovo is Chinese and Superfish Israeli?

~~~
rpedroso
Although Superfish was founded in Israel, they're headquartered in Palo Alto
now.

The nationality of Lenovo is relevant insofar as it affects the applicability
of US law. IANAL so I can't say how relevant that fact is, but I suspect it
complicates litigation.

~~~
seanmcdirmid
As long as Lenovo makes money in the USA, they are easily subject to
litigation there.

------
Pxtl
So what the hell do we buy now? HP's quality has hit rock bottom and is
starting to dig, Lenovo is doing their best to destroy the Thinkpad brand,
Asus is incapable of making a device without at least one fatal flaw... is
Apple the only one making laptops that aren't garbage anymore?

------
finnn
>CoinBase, a similar anti-privacy company

Really? How is looking at public blockchain data at all similar to installing
malware?

~~~
scintill76
Some Bitcoiners don't like Coinbase's know-your-customer measures for
anti-money-laundering. Reddit's /r/bitcoin has had reports of people being
surprised about what documentation they have to provide, or having their
accounts shut down because they withdrew their bitcoins to an address Coinbase
determined was connected to something shady, or put a joking reference to drugs
in their transaction memo field.

~~~
fragsworth
But that's entirely because they have to comply with federal law, not because
they're "anti-privacy".

------
comboy
Apart from discouraging future VCs, legit question - do you think those listed
ones had any idea about how exactly it works? I mean, you need to be careful
what you support, so I think that list is great anyway, just wondering what it
usually looks like.

~~~
hnnewguy
It's their obligation as owners to know what their portfolio companies are up
to. When the big investors who supply capital to these funds ask questions,
"We don't know what they are up to" is not a reasonable answer.

------
ronreiter
As an Israeli, all I can say is that I am ashamed.

~~~
rabbyte
As a human, you needn't be culpable for offenses perpetrated by others
regardless of their relation to you. If you belong to principles and help the
people to foster them, your only shame will be from your own failures; a shame
you can actually do something about. I'm a proud American but it doesn't mean
what people think it means.

~~~
Tepix
Shouldn't it work both ways then? If you're not culpable for offenses, why are
you proud of achievements that you have nothing to do with?

~~~
madaxe_again
Jingoism.

~~~
rayiner
Hardly.

Countries inculcate values, educate people on the public dime, support R&D,
etc. People should be proud when those policies bear fruit. E.g. Sergey Brin's
family emigrated to the U.S. when he was six, because of Soviet discrimination
against Jews. E.g. they were graded harder on university entrance exams, or
given tougher exams altogether. He went to public high school and college, and
went to graduate school at Stanford on a National Science Foundation
fellowship. And Stanford, as an institution, heavily benefits from public
spending on research.

So why shouldn't Americans take a little credit for Brin's success?

~~~
murbard2
Because they overwhelmingly had nothing to do with it.

~~~
tptacek
You intuitively know that's probably false.

You would have no trouble sketching a ranked list of countries more and less
likely to produce Google. You would be shocked to see Google emerge from
Burma. You would be surprised to see the world's powerhouse search engine
emerge from Greece, Spain, or Italy. Even among the top-tier countries, if you
had to put money on it, you'd need an extremely good payoff to bet on anyone
but the US.

If the US has "overwhelmingly nothing to do" with the success of Google, you
have to believe Brin could have moved to Greece, or even Burma, and
successfully built that company. Most of us probably don't even believe he
could have succeeded in Germany, or the Netherlands.

Even if you stipulate away all the extrinsic network-effects stuff --- i.e.,
stipulate he'd have gotten funded despite parking his company in Greece ---
you would not place the same bet for his hypothetical attempt to build Google
in Greece.

~~~
murbard2
You're completely missing the point. The message I'm responding to says:

"So why shouldn't Americans take a little credit for Brin's success?"

I'm not saying that living in America had nothing to do with it, it obviously
did. I'm saying that the overwhelming majority of Americans had nothing to do
with it, ergo being proud to be American is, in general, about as warranted as
being proud that your favorite team won a tournament.

If you're a founding father, fought in the revolutionary war, influenced
legislation in historically significant ways, or did something of the sort,
you may have a claim to be "proud"; otherwise, you're a spectator, just like
most people.

~~~
tptacek
I'm not sure I can get my head around a debt owed to America the country that
is not implicitly therefore owed to the American people. Teachers taught at
schools that produced the professionals that built Google. Engineers designed
the roads that workers built. I could just go on and on listing this stuff.
Google benefited from an infrastructure built by all Americans.

I think there's an element of the narrative fallacy implicated in the idea
that the historical figures have a cause to be proud of American achievements,
but ordinary people don't. Ordinary people are instrumental in everything
achieved by those historical figures. The contributions of historical figures
are immediately available to our consideration, because our stories revolve
around them. Availability is usually a pernicious bias rather than a helpful
signal.

_later: it's also worth considering whether the fallacy might be in our
concept of "pride", and who "deserves" "pride". There are practical reasons to
attribute American successes to America; it reinforces them, motivates us to
continue doing what works. There are fewer practical reasons to accord
accolades to historical figures._

~~~
murbard2
This is severely misguided. If you're Tim Berners-Lee, then yes, Google's
success could be a source of pride, because you enabled the success of this
company by inventing the web. If you were one of Larry Page's professors, then
maybe you can take some pride in the accomplishments of your student. If
you're Sergey Brin's mom, you can be proud of how successful the son you
raised has become. But that pride has nothing to do with being "British",
"American" or "Russian". It has to do with your personal contribution to
Google's success.

At the end of the day, either you've had a measurable contribution to
something of value, and you can be proud of that, or you didn't, and you don't
get to be proud just because people who have a similar passport to yours have.

~~~
tptacek
You insist on using the word "pride", which Rayiner didn't. If you'd like,
I'll stipulate that ordinary Americans shouldn't feel "proud" of Google, so
that we can move back to the actual discussion of whether Americans should
"take a little credit for" Google.

~~~
murbard2
The discussion was started by Tepix, who referred to pride. And no, merely
being American does not give you credit for Google. For most people, it's very
hard to know if they've made the environment better or worse for Google.

------
shrektoo
It may be immature but this Adi Pinhas guy sounds like he's a bit of a dick:
[http://www.home.superfish.com/#!about-us/c1eqi](http://www.home.superfish.com/#!about-us/c1eqi)

~~~
psykovsky
Sounds? Where? All I see on that page is a photo of him and a LinkedIn link.

~~~
cheepin
I think it's a pun on his surname

------
madaxe_again
Surely Mossad are somewhere in there too? I can't imagine an intelligence
agency _not_ having an interest in this.

~~~
mobiplayer
It is a clumsy implementation at best and not ideal for any covert operation,
why would a serious intelligence agency have any interest in this?

~~~
madaxe_again
Free and easy intercepts with a straightforward "it wasn't us!".

~~~
mobiplayer
Haha fair enough! I guess blaming private companies and investors is a good
way to move attention from yourself.

------
devy
2015 Silicon Valley Startup Hall of Shames award goes to .... Superfish!

------
tek-cyb-org
Even though I'm Palestinian and these guys are Israeli, should we really be
blaming Superfish? This company makes software, seems like a bunch of hackers
to me. Lenovo is the real culprit here.

~~~
matthewmacleod
Yes, we should be blaming them. The product serves a bad purpose, and doesn't
even have the redeeming quality of being well-implemented.

~~~
rpedroso
Not to mention how reluctant they were to even admit the security issues
presented by Superfish installations. They (and Lenovo) repeatedly denied that
the injection of a trusted root certificate posed a security threat.

Spin your mistakes however you want in a press release, but don't lie about
security vulnerabilities that put users at risk.

------
deitcher
Eh. Investors invest in lots of companies, some of which make pretty bad
mistakes. I think Superfish should be forced to wither on the vine because of
this - and especially because it pawned off responsibility by saying, "hey, it
was those guys, not us!" as should Lenovo ("it is just theoretical!"), but I
doubt the investors explicitly backed something with the intent to break
security. Few do.

~~~
mobiplayer
Few do, I can probably agree with that. But it's not like investors throw
money out of the window without knowing where it ends up. They either knew
about it and didn't care about it or they just didn't care about it in any
case, because following due diligence would've raised some red lights.

~~~
ptaipale
Most likely someone showed them some PowerPoint slides, and the hapless
investors just did not understand that there could be serious privacy and
security implications.

That doesn't mean they aren't responsible and shouldn't burn their fingers;
investors actually _should_ look into these things when they decide where to
invest.

~~~
deitcher
Depends who the investors are. I know some really first-class ones... then
again, I know some dumb ones...

------
hoodoof
Draper Fisher Jurvetson = SuperFish? Classy.

Ultimately it's worth remembering this is Windows... Microsoft has to be
responsible for the crapware installed when people buy a Windows computer. The
reasonable conclusion is that if you buy Windows you risk stuff like this
because Windows resellers install crapware on top of clean Windows builds.

~~~
yitchelle
Not so sure that you can pile all the responsibility onto Microsoft for this
debacle. If your favorite Linux distro were to include some adware crap on it,
should Linus take the blame?

Ultimately, Lenovo should take the full blame for this.

edit: grammar

~~~
serf
False analogy, for a few reasons.

Linus is the maintainer of the Linux _kernel_. Linux is a product of the work
of many people.

Linux is free, and can be redistributed without securing licensing or rights
to do so.

Microsoft Windows is a proprietary product, which many people are only exposed
to from the initial install on their bought hardware. The company who supplies
the hardware, along with the company that supplies the software engage in
contractual deals to allow this to happen.

Microsoft's image benefits when it is known that they do due diligence in
checking out the suppliers who they allow to represent their product through
licensing.

How are you okay with companies who create malware for corporations for pay?
They deserve no responsibility themselves for simply existing with nefarious
motivations? Microsoft requires licensing their product to use it, and goes an
extra step by providing evaluation of the products which use their licensed
software, and are vocally against the addition of crapware; but they take no
blame when they allow their product to be continually licensed by a vendor
that does harm to the image?

To answer your question: The distribution that is responsible for spreading
the adware should be held responsible, as should the developers of that
adware. That's likely why Mint became so popular (numbers wise) after all the
Ubuntu fiascos in semi-recent history.

I don't think it's as simple as a one-party fault. Sorry.

