Man in the Middle Attacks & Superfish - Computerphile

After this video I can't help but imagine each of the computerfile guys are kept seated in a different corner of that room and the camera just swivels around when he needs to make a new video

You know something's bad when you hear Tom Scott say "never ever"

2:21 - "And they can only be unlocked by that server, because maths."
10/10 best explanation of public and private key crypto. XD

There was so much potential at 4:46 to fix the drawing by attaching a circle to the end of the factory and making it look like a giant key.

even if superfish had been secure its still a super sketchy thing that lenovo was shipping their computers with adware

This seems so easy when Tom Scott explains it. Everything seems easy when Tom Scott explains it.
Tom Scott, would you mind becomming a teacher at my school?

So good to see Tom Scott on Computerphile again.

*sees intro*
*NOTICES I'M ON A LENOVO LAPTOP*

That golden moment of pure sadness and dissappointment of Tom at 6:35

"lenovo promised not to do it again" *the fact that they did it in the first place is mind-boggling*

"Extremely illegal, so DON'T do that!"
You'd think that the people doing that honestly don't care about that.

2:46 he meant "Here's my Public Key". I'd advise that you add an annotation just so no one gets confused.

The private key is not shared with the certificate authority either. Simply because they don't need it.
Regarding the possibility that NSA have keys to do MITM attacks: it's basically the same problem Turing faced when he broke Enigma. If they can do that, they can use it only as a very last resort and only when the message is extremely important because as soon as someone will find out which authority they use (and when you use it, it's only a matter of time), everyone will dump the authority and they would need to start from scratch again.

I just looked up some other famous hacks of the year and I found out that just about _a month_ after this video was uploaded, it was revealed that Dell _basically did the same damn thing_! It was the _exact_ same principle and even after the Superfish debacle, Dell _still_ didn't react and kept quiet until the vulnerability was made public.

Ahh, so that's why the red _"Insecure connection"_ screen pops up when I'm running a local server and I goto a domain which points to localhost.

8:58 - Anyone else go up and click the green padlock in the URL at this point in the video?

Just a heads up, the NSA is cracking encryption based on 1024 bit primes, at a rate of roughly 1 per year including RSA and subsequent iterations. sooo we should have switched to 2048 bit by now, but at this point 4096 should be being prepped.

Unfortunately, this is one of the misplaced trust aspects of networking which is carried forward into IPv6. Router advertisements carry no validation; anything attached to the network can claim to be a router and set a prefix for the network. It's the same sad story for NDP. Yes, there is SEND, but it's an addon afterthought which is by no means mandatory to implement.
wow...not just echo, but ringing echo as well. There has to be a happy medium between this and dragging everyone into a studio.

4:26: I'm quite sure you mean to say public key. Do not ever send your private key to your CA people :-).

the computerphile thumbnails look like those old goosebump book covers that were around ages ago

Computerphile videos involving Mr. Scott are by far my favorite. Theyre all great, but I really enjoy how he talks about things.

Internet Factory would make a great album name.

1:58 - Why is Robert Miles just randomly sitting in the room with them? XD Just to have a listen?

Tom's face when he asks 'how do I draw a certificate authority?'

Tom Scott's videos on Computerphile are my favorite videos!

Great work, you guys go into more depth than the average tutorials and the information is strong.

"All servers look like computers of 99s"
-Tom Scott

Great video, not only the step by step explanation but really appreciate how "little" emphasis you showed to the particular incident. This a HUGE issue overall and applies far more than just Superfish installed on a single machine, not just because xyz company wants to see what you are doing. But because someone ELSE can use it for FAR more malicious purposes.

I love seeing +Tom Scott on this channel but every time I do he reminds how much of my internet life is built on ignoring the security holes everywhere in it.

This was such a great thorough explanation and build-up. I would probably send this video to people just to teach them about SSL.

4:25 No, Mr. Scott, the reason it's called a PRIVATE key is that it's private; you don't send it anywhere but your own server. The CA only needs your public key to apply its signature.

Wooo! Tom Scott!

This is a good case for Microsoft demanding that OEM manufacturers providing untouched installation media for Windows and clean installations without any 3rd party software for new OEM machines. Having worked for Microsoft Support I can tell you that most problems people have with Windows, especially when new versions are launched (Vista is a good example), are caused by OEMs that don't know what they are doing. Pre-installing lots of craplets, incompatible drivers, bungling up the installation of language packs or straight up changing/removing parts of Windows.
I'm not sure if that is still the case but the only major OEM manufacturer that provided clean Windows installation media was Dell. All the others only had "recovery discs" which contained all the crap pre-installed software.

Please Tom Scott on more often, He's amazing at explaining concepts and is just generally entertaining.

Tom! You do NOT send the private key over for signing by the CA, only the public key.

It'd be great if you'd make a video on the rootkit they installed on all of their laptops too: Lenovo Service Engine (LSE). Apparently, even if you wiped the harddrive and installed Windows from a disk they didn't provide, it'd still install their crapware, because it's hidden in the BIOS. I've heard it was even updating itself over an unsecured connection, so anyone could man-in-the-middle it to install their own rootkit without users knowing.

(3:45) This video was published on October 2015.
Last time I checked, you still have to pay for this security.

I love Tom Scott and his massive simplifications. Keep on doing what you're doing Tom!

I love that the advert that was shown before this video started, at least for me, was for Lenovo.

Bloatware like superfish is the reason that whenever I get a new laptop the first thing I do is format the disk and install windows directly from Microsoft. Most stuff business pre-load on your computer is totally useless, but at least once it has been legitimately dangerous.

Wwhhhhhhhhhhat?! They did _what_?!
I knew preinstalled OSes were unusable but that's playing in a totally different league there.

We had fun in Rwanda a couple of years back. The tax department forced everyone who runs a business to install electronic billing machine (EBM) software onto their computer in order to issue electronic receipts for every sale, no matter what size business you had. Many foreigners sensibly bought second laptops to install it, because they didnt' trust installing government software onto their personal computers. I kind of assumed that I was probably already monitored, and didn't have the money for a new laptop just for taxes, so I installed it on my personal laptop which was already pretty old. In fact, it was so old that it promptly crashed about a month later. It was illegal to remove the software from your computer without government permission, but it was late on a Friday night. My options were to go without a computer all weekend until the offices opened on Monday and I could tell them what happened, or go ahead and reinstall Windows. I opted for the latter and sent an e-mail explainig what I was doing and why. I was promptly issued with a $200 fine! I kicked up a storm on Twitter, shouting about how unethical it was to be forced to install government software in the first place, and they backed down, but wow was I angry about it. They've since relented and now offer people the ability to create EBMs online, but it did very little for the country's image or trust among business owners. I don't think there's any method on earth that can protect you when the government says you have to install their software by law. 😏

Love the videos with Tom,just hopes he does more stuff similar to this in his channel.

First part : This is so sketchy even the NSA would probably only ever use it scarcely
Second part : An advertising company and manufacturer used this on loads of computers to try to make some extra cash

"Yeah, this is the bit of software that was installed on rpetty much every consumer Lenovo laptop." Yeah, so I was gripped by fear for a minute, there, because I had definitely been using a ThinkPad for over a year when this video came out. Luckily, I looked up Superfish, and apparently Lenovo began to bundle Superfish adware with their computers in September of 2014, which was a few months after I got mine.
Thinking back, I'm pretty sure that I still ended up dealing with Superfish at some point, but it wasn't because Lenovo put it there, it was because I was eighteen and consequently a huge dumbass.

And this is why you NEVER EVER EVER EVER EVER EVER, use the factory image for ANYTHING!
And Certificate authorities need to be above governments not tied down to one country , a bit like that building in France where the keep the kilo.

Tom Scott on Computerphile, what a day to be alive!

*listens to the start*
*looks at computer*
well crap...

Got my Master's in CS 5 years ago, but I wish that back then I had some lectures that were explained this well, as for most of your video's Tom. You are such a clear speaker, (as goes for the speakers in most computerphile video's).
I mean, even though I know about most topics; refreshing my knowledge via these video's doesn't hurt a bit, it feels great!
Keep'em coming.

you really know how to simplify complex subjects, why I love computer/numberphile.

You should consider doing a segment on the thrust of the paper "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice".

Tom Scott is an amazing teacher , perhaps the best teacher in computerphile

Yes! Finally another Tom Scott Computerphile episode!

I would think that both of the two vulnerabilities (the CA and device) could potentially be resolved by a sort of an 'odd man out' protocol that would periodically ask all of your CAs for a list of the CAs that they trust, and if only very few or none of them trust a CA you have, that CA is removed.

amazing video that touches upon one of the biggest security concerns with Internet usage

This channel is a godsend for anyone studying for Security +

Tom needs to be on this channel more often. Get right on that, Computerphile.

It's always good when its Tom :)

computerphile needs more tom scott

+Art of the Problem has a great series on the language of coins and public key encryption.

Great explanation to a complex topic. Thanks.

quick clarification: superfish was the company that made the adware, the program was called visualdiscovery.

Thank you for making these videos

Which each episode of computerphile I watch I get more and more paranoid about my online safety, eh I won't change anything though.

I love Tom's videos. :D

Great video as always computerphile/scott!

Exactly what I was looking for, thank you. :)

Good thing I bought a Lenovo in 2012. It shouldn't have anything on it, and I haven't noticed anything wrong.

Really informative stuff! Thanks!

It's cool looking back at this video and seeing him comment on a free certificate authority being in the works and today... We have that with Let's Encrypt!

That sound the marker makes on that sheet of paper gets my hairs on end !!!! Darn !!!

Also the way superfish was written you never got the red warning, even if a website had a wrong certificate. The superfish in the middle always inserted its "valid" certificate.

There should be zero debate over whether the NSA should or not.

Lovely explained. Way to go Tom Scott

i would have never thought of doing this, but i actually have to defend the fax machine: i work in a small company where we mill and turn metal parts, and we work with a lot of small companies that install handrails ond so on. for us its a lot easier to just get the technical drawing per fax, than having them send it per email, downloading it and then printing it, especially since we are ol three people, so we only occasionally can check our mails, and then only have a little ut of time. but i9f we get the drawing per fax, we once in a while take a look into the office, see the new fax and take it to our workstaton to programm the maschine

8:01 hahah their headquarter was in my home town - i bike past their former building every day still, it always looked fishy lol

9:37 - RIP Tom Scott, died of NSA...

Lenovo promised to not do it again... but they did. :(

i don't work in the tech field and never will, but i still love to learn about this stuff!

Funilly enough Superfish is also the name of a javascript library we use at my current work as well as the chippy down the road.

Tom is an excellent story teller. probably the best in the planet .. :D

You should have mentioned HSTS and key pinning as mechanisms for making HTTPS more secure. :)

I dropped my Lenovo by accident a couple years ago, which broke the hard drive and rendered that version of Windows unrecoverable. It's so strange, but I guess that was a really good thing; I switched out the hard drive and just installed linux, since I didn't know about the OEM key under the battery and didn't feel like torrenting, and haven't gone back since.

You know whats also rather strange ? Google not noticing a massive amount of multi-user traffic coming from a single attacker ip ... usually there is fair usage policy where this kind of activity (an entire DNS provider had to fall as well I presume) from a single/small amount of ip address should definitely raise a flag

This man talking to the points, Thanks a lot man .

That pen scratching on paper gave me goose bumps

Tom Scott, how is it that I've been watching you on TH-cam for over a decade and you didn't look a day over 20 when I first saw you. You still look the same 10 years later. It's uncanny mate, the way you hold your age. How ' you do it?

One thing to keep in mind, the 'Trusted' Certifying authorities are subject to the will of the domain in which they reside. What happens if an official of the regime comes to them and put a bag of cash and a gun on the table and tells them to choose? The man in the middle gets an official stamp of approval.

"Hello I would like to talk securely" - "Hey ok, here's my private key!"
😏🤪

padlock should be in opened position when you drew it if we use that analogy:))

Tom can you do a video about set the routing table correct in networksetup?
Thanks in advance.

I heard it was a wifi adapter that was placed in the Root CA system/network, which isn't supposed to be connected to any other networks, like internet, at all..

I've noticed some ISPs add adverts to traffic also, is that different than the Lenovo superfish malware nightmare? How secure are firewall caches?

You’re awesome! Thanks for the information

6:13 well at least he's using the best search engine.

The factory is absolutely hilarious. :D greate vid :D Oh and thats why you _!ALLWAYS!_ either buy your computer without OS preinstalled or run a clean install as soon as you get your hands on it. Of course dumping the disk to some other storage, to restore the factory default in case you have to send it in for any reason

Question.
Tom said over there that the attacker, after reading the encrypted transmission/key, could change it to his own to do MITM attacks. Why would they though? Is it not easier and safer for them to keep it the same?

For downloading a browser, you can also check the hashsum of the downloaded file and compare it to what it should be - although of course you again only push the problem one step further because you must get the information what it should be over a secure connection.

Tom Scott we love you!

I can't get over Superfish not even having the foresight to generate a new private/public keypair for each installation. They just hardcoded the same private key in every single installation. I can't believe nobody working on Superfish at the time saw this coming.