Thanks for sharing Melissa. Around 27% of Internet users in China use the Qihoo "Safe Browser". After the man-in-the-middle attack on GitHub in China just over a month ago, we made some tests accessing websites with invalid SSL certificates in different browsers. The Qihoo browser shows a green check suggesting that the website is safe ( https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle). I also noticed how, when installing the browser, Qihoo attempts to add a range of other software. And, even without browsing, it starts sending data to lots of different IP addresses. Investigating what is sent to where is on our list of things to do.
Martin Johnson Founder of GreatFire.org | FreeWeibo.com | Unblock.cn.com PGP key <https://en.greatfire.org/contact> On Wed, Mar 6, 2013 at 5:50 AM, Melissa Chan <mcha...@stanford.edu> wrote: > Good afternoon, > > Thought Qihoo's mysterious activities, written up in this piece by Tech in > Asia, might be of interest to those on this list. It looks like the team > there is continuing the investigation -- apparently there's a weird cookie > file that gets sent to a Qihoo server every time a user opens IE. Anyone > interested in helping or learning more should email: > > editors(at)techinasia(dot).com > > Cheers, > > Melissa > > > Melissa Chan | Correspondent | Al Jazeera English || John S. Knight > Journalism Fellow | Stanford University > email | mcha...@stanford.edu | twitter | @melissakchan | mobile > | 909.618.5287 > > > Link: > http://www.techinasia.com/massive-expose-blasts-qihoo-360-cancer-internet/ > > > Expose Blasts Qihoo 360 as ‘Cancer of the Internet’; Qihoo Denies > Everything<http://www.techinasia.com/massive-expose-blasts-qihoo-360-cancer-internet/> > > China’s Qihoo 360 <http://techinasia.com/tag/qihoo-360> has a lot of > enemies. I’m not just talking about Baidu<http://techinasia.com/tag/baidu>, > either; lots of net users dislike the company for its dirty > tactics<http://www.techinasia.com/360-safe-browser-malware/> and > China’s State Administration for Industry and Commerce (SAIC) has printed > publicly<http://www.saic.gov.cn/ywdt/gsyw/dfdt/xxb/201301/t20130130_133021.html> > that > the company has engaged in behaviors most people would call > fraudulent<http://www.techinasia.com/qihoo-committing-fraud-google-making-huge-mistake/>. > But a recent expose conducted by an independent investigator and printed > in the *National Business > Daily*<http://www.nbd.com.cn/features/273?preview=true>– > supposedly the result of months of investigation — suggests that Qihoo is > doing an awful lot more than most of its users are even aware of. > > The *National Business Daily* (hereafter: *NBD*) report presents a > laundry list of accusations about Qihoo software, backing many of them up > with illustrated screenshots demonstrating what’s going on behind the > scenes. Among the many allegations: that Qihoo’s 360 Safe Browser contains > a massive security flaw that messes with users Windows DLL files, that it > can expose users’ passwords, that it tells users sketchy online payment > sites are safe, and that it is making connections the user isn’t aware of > even when it’s just loading a blank page. The report also contains more > familiar charges like Qihoo products masquerading as official Microsoft > patches, forcibly deleting competitor products as “unsafe”, etc. > > Qihoo 360 has categorically denied all of the allegations contained in the > report in a post on its official BBS > forums<http://bbs.360safe.com/thread-602169-1-1.html>. > From Qihoo’s official translation of its response, provided to *Tech in > Asia*by a Qihoo representative: > > The article appears to be an “aggregation” of most of the past false > allegations and claims made by our competitors and our foes. It takes those > claims from sources such as an “anonymous individual”, a person who lost a > lawsuit against us, and a former malware/virus creator, without any basic > fact checking. It also completely ignores all the clarification and > statements Qihoo 360 has made regarding these false claims, and even ignore > [sic] high-profile court rulings in the past, in order to portrait [sic] a > totally biased story against Qihoo 360. We are not surprised that someone > hates us so much that it [sic] keeps record of all those [sic] garbage and > is willing to recycle it in the public domain over and over again. It is > not difficult to conclude that there has to be huge economic interest of > our foes behind such [an] outrageous attack. We take it very seriously! > > In its statement, Qihoo also says that it has filed a complaint against * > NBD* with GAPP (a government organ that regulates the press) and that it > plans to sue *NBD* in court, and will additionally sue “anyone who > intentionally spreads such rumor for defamation.” > > When asked to respond directly to specific allegations contained in the > report, a representative from Qihoo refused, saying that previously > published statements should serve as a sufficient response to any questions > the report raises. Later, however, the company did publish a number of > clarifications <http://tech.sina.com.cn/i/2013-02-28/20578099689.shtml> that > directly address some of the report’s specific allegations. > > It is clear that Qihoo’s management considers this report and other > “attacks” to be related to its competitors. In a public statement > yesterday <http://tech.sina.com.cn/i/2013-02-28/20578099689.shtml>, Qihoo > CEO Zhou Hongyi <http://techinasia.com/tag/zhou-hongyi> told reporters > that the report and others like it were related to Qihoo’s decision to enter > the search engine field<http://www.techinasia.com/qihoo-360-search-engine/>. > Zhou said that the *NBD* report was an attempt to “smear” Qihoo. “I think > that the essence of this is that 360 decided to take on the big players in > China,” he said, “as long as we keep doing search, these kind of smear > attacks will continue.” > > Qihoo representatives declined to produce any evidence backing up the > implication that its competitors are somehow behind the *NBD* report. A > Qihoo representative did link me to this > article<http://bbs.tianya.cn/post-itinfo-215810-1.shtml>, > which suggests that several of the sources in the *NBD* report are being > paid by Tencent <http://techinasia.com/tag/tencent>to publish attacks > about Qihoo. However, the article contains no evidence to support these > claims, and its author is an anonymous Tianya user identified only as > shengsheng72011 <http://www.tianya.cn/57321557>. > > After an extended exchange of emails with *Tech in Asia*, a Qihoo > representative implied that Qihoo does have evidence its competitors are > behind the *NBD* piece, but declined to share any, writing: “Sorry > mister, the evidences are for the court proceedings.” > > Although it obviously doesn’t contain any evidence of a connection to > Qihoo competitors, the*NBD* report *does* admit that the independent > investigator making these claims is biased — he told the *NBD* he is > openly opposed to Qihoo 360, which he considers a “cancer” that should be > “cut out” from the internet. His fundamental beef with the company comes > from what he interprets to be its frequent violation of the principle of > least privilege<http://en.wikipedia.org/wiki/Principle_of_least_privilege>. > Least privilege is a widely accepted computer programming concept that says > that any given program should only be automatically given access to what it > *needs* to access to function. Qihoo, the investigator says, breaks this > principle frequently. > > (You can think about “least privilege” sort of like a repair man: if he > shows up to your house and you aren’t home to let him in, he’ll generally > just come back later instead of breaking in on his own. Software that > ignores the principle of least privilege is more like a repair man who just > walks into your house and starts making repairs whether you’re home and > aware of his visit or not. The investigator who spoke with the *NBD* put > it even more bluntly: Qihoo is like a residential manager who, when he gets > reports of a dog barking, just breaks into the house and shoots the dog. In > other words, the investigator is saying Qihoo’s software does way too much > in the background without making it clear what is happening and asking the > users’ permission.) > > Of course, the principle of least privilege is not a law, and even if > Qihoo’s software is violating it, there isn’t necessarily anything illegal > about that. It does, however, raise privacy concerns for some users. Qihoo > representatives refused to respond to a direct query about whether or not > the company’s software violates the principle of least privilege. > > As with most things relating to Qihoo these days, the *NBD* report has > spiraled into a pretty ugly he-said she-said mess. We’re a bit tired of > that story here at *Tech in Asia*, so in the coming weeks, we’ll be > conducting our own investigation into Qihoo’s applications to try to assess > what, if anything, they are doing wrong. > > If you have expertise in web security and would like to assist in our > investigation, please get it touch with us: editors(at)techinasia(dot)com. > > -- > Too many emails? Unsubscribe, change to digest, or change password by > emailing moderator at compa...@stanford.edu or changing your settings at > https://mailman.stanford.edu/mailman/listinfo/liberationtech >
-- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
