Good afternoon,
Thought Qihoo's mysterious activities, written up in this piece by Tech in
Asia, might be of interest to those on this list. It looks like the team there
is continuing the investigation -- apparently there's a weird cookie file that
gets sent to a Qihoo server every time a user opens IE. Anyone interested in
helping or learning more should email:
editors(at)techinasia(dot).com
Cheers,
Melissa
Melissa Chan | Correspondent | Al Jazeera English || John S. Knight
Journalism Fellow | Stanford University
email | mcha...@stanford.edu | twitter | @melissakchan | mobile |
909.618.5287
Link: http://www.techinasia.com/massive-expose-blasts-qihoo-360-cancer-internet/
Expose Blasts Qihoo 360 as ‘Cancer of the Internet’; Qihoo Denies Everything
China’s Qihoo 360 has a lot of enemies. I’m not just talking about Baidu,
either; lots of net users dislike the company for its dirty tactics, and China’s
State Administration for Industry and Commerce (SAIC) has stated publicly that
the company has engaged in behaviors most people would call fraudulent. But a
recent exposé conducted by an independent investigator and printed in the
National Business Daily, supposedly the result of months of investigation,
suggests that Qihoo is doing an awful lot more than most of its users are even
aware of.
The National Business Daily (hereafter: NBD) report presents a laundry list of
accusations about Qihoo software, backing many of them up with annotated
screenshots demonstrating what’s going on behind the scenes. Among the many
allegations: that Qihoo’s 360 Safe Browser contains a massive security flaw
that tampers with users’ Windows DLL files, that it can expose users’ passwords,
that it tells users sketchy online payment sites are safe, and that it makes
network connections the user isn’t aware of even when it’s just loading a blank
page. The report also contains more familiar charges like Qihoo products
masquerading as official Microsoft patches, forcibly deleting competitor
products as “unsafe”, etc.
Qihoo 360 has categorically denied all of the allegations contained in the
report in a post on its official BBS forums. From Qihoo’s official translation
of its response, provided to Tech in Asia by a Qihoo representative:
The article appears to be an “aggregation” of most of the past false
allegations and claims made by our competitors and our foes. It takes those
claims from sources such as an “anonymous individual”, a person who lost a
lawsuit against us, and a former malware/virus creator, without any basic fact
checking. It also completely ignores all the clarification and statements Qihoo
360 has made regarding these false claims, and even ignore [sic] high-profile
court rulings in the past, in order to portrait [sic] a totally biased story
against Qihoo 360. We are not surprised that someone hates us so much that it
[sic] keeps record of all those [sic] garbage and is willing to recycle it in
the public domain over and over again. It is not difficult to conclude that
there has to be huge economic interest of our foes behind such [an] outrageous
attack. We take it very seriously!
In its statement, Qihoo also says that it has filed a complaint against NBD
with GAPP (a government organ that regulates the press) and that it plans to
sue NBD in court, and will additionally sue “anyone who intentionally spreads
such rumor for defamation.”
When asked to respond directly to specific allegations contained in the report,
a representative from Qihoo refused, saying that previously published
statements should serve as a sufficient response to any questions the report
raises. Later, however, the company did publish a number of clarifications that
directly address some of the report’s specific allegations.
It is clear that Qihoo’s management considers this report and other “attacks”
to be related to its competitors. In a public statement yesterday, Qihoo CEO
Zhou Hongyi told reporters that the report and others like it were related to
Qihoo’s decision to enter the search engine field. Zhou said that the NBD
report was an attempt to “smear” Qihoo. “I think that the essence of this is
that 360 decided to take on the big players in China,” he said, “as long as we
keep doing search, these kind of smear attacks will continue.”
Qihoo representatives declined to produce any evidence backing up the
implication that its competitors are somehow behind the NBD report. A Qihoo
representative did link me to this article, which suggests that several of the
sources in the NBD report are being paid by Tencent to publish attacks about
Qihoo. However, the article contains no evidence to support these claims, and
its author is an anonymous Tianya user identified only as shengsheng72011.
After an extended exchange of emails with Tech in Asia, a Qihoo representative
implied that Qihoo does have evidence its competitors are behind the NBD piece,
but declined to share any, writing: “Sorry mister, the evidences are for the
court proceedings.”
Although it obviously doesn’t contain any evidence of a connection to Qihoo
competitors, the NBD report does admit that the independent investigator making
these claims is biased: he told the NBD he is openly opposed to Qihoo 360,
which he considers a “cancer” that should be “cut out” from the internet. His
fundamental beef with the company comes from what he interprets to be its
frequent violation of the principle of least privilege. Least privilege is a
widely accepted security design principle: any given program (or user) should
be granted only the access it actually needs in order to function, and nothing
more. Qihoo, the investigator says, breaks this principle frequently.
(You can think about “least privilege” sort of like a repairman: if he shows
up to your house and you aren’t home to let him in, he’ll generally just come
back later instead of breaking in on his own. Software that ignores the
principle of least privilege is more like a repairman who just walks into your
house and starts making repairs whether you’re home and aware of his visit or
not. The investigator who spoke with the NBD put it even more bluntly: Qihoo is
like a residential manager who, when he gets reports of a dog barking, just
breaks into the house and shoots the dog. In other words, the investigator is
saying Qihoo’s software does way too much in the background without making it
clear what is happening and asking the user’s permission.)
Of course, the principle of least privilege is not a law, and even if Qihoo’s
software is violating it, there isn’t necessarily anything illegal about that.
It does, however, raise privacy and security concerns for some users: a
component that holds more access than its job requires can read, change or
transmit more than the user expects, and any bug in it can do correspondingly
more damage. Qihoo representatives refused to respond to a direct query about
whether or not the company’s software violates the principle of least privilege.
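The principle of least privilege described above, as an added example that is not part of the original article and has nothing to do with Qihoo's actual code: a hypothetical background "update checker" is handed only the capabilities it needs (read-only access to its own config directory and egress to one update host), and every other access is refused before the operating-system call is made. The directory layout, host names and component name are assumptions made for this illustration.

```python
"""Least privilege as explicit, narrowly scoped capabilities.

A component receives only the file subtree and the network destinations it
needs; anything else is refused up front.  The paths, host names and the
UpdateChecker component are assumptions made for this example, not anything
taken from the NBD report or from any real product.
"""
import os
import tempfile
from dataclasses import dataclass, field


class PrivilegeViolation(PermissionError):
    """Raised when a component asks for access it was never granted."""


@dataclass(frozen=True)
class FileCapability:
    """Access confined to one directory subtree, read-only unless stated."""
    root: str
    writable: bool = False

    def resolve(self, path: str) -> str:
        # realpath() follows symlinks and collapses '..', so a path that looks
        # as if it lives under root but actually escapes it is caught here.
        real_root = os.path.realpath(self.root)
        real = os.path.realpath(os.path.join(real_root, path))
        if real != real_root and not real.startswith(real_root + os.sep):
            raise PrivilegeViolation(f"{path!r} is outside {self.root!r}")
        return real

    def read_text(self, path: str) -> str:
        with open(self.resolve(path), "r", encoding="utf-8") as fh:
            return fh.read()

    def write_text(self, path: str, data: str) -> None:
        if not self.writable:
            raise PrivilegeViolation(f"write to {path!r} not granted")
        with open(self.resolve(path), "w", encoding="utf-8") as fh:
            fh.write(data)


@dataclass(frozen=True)
class NetworkCapability:
    """Egress limited to an explicit allow-list of (host, port) pairs."""
    allowed: frozenset = field(default_factory=frozenset)

    def check(self, host: str, port: int) -> tuple:
        if (host.lower(), port) not in self.allowed:
            raise PrivilegeViolation(f"egress to {host}:{port} not granted")
        return host, port


class UpdateChecker:
    """Hypothetical background component.  It gets exactly the capabilities
    it needs and has no ambient access to the rest of the system."""

    def __init__(self, config: FileCapability, net: NetworkCapability):
        self.config = config
        self.net = net

    def current_version(self) -> str:
        return self.config.read_text("version.txt").strip()

    def update_endpoint(self) -> tuple:
        # Only the allow-listed host passes; the component cannot quietly
        # phone home somewhere else.
        return self.net.check("updates.example.test", 443)


def demo() -> dict:
    """Build a scratch tree, wire up a checker, and record what is allowed."""
    base = tempfile.mkdtemp(prefix="leastpriv_")
    cfg_dir = os.path.join(base, "updater")
    os.mkdir(cfg_dir)
    with open(os.path.join(cfg_dir, "version.txt"), "w") as fh:
        fh.write("1.2.3\n")
    # Constructed stand-in for data the component has no business touching.
    with open(os.path.join(base, "cookies.txt"), "w") as fh:
        fh.write("session=secret\n")

    checker = UpdateChecker(
        FileCapability(cfg_dir),  # read-only, confined to its own directory
        NetworkCapability(frozenset({("updates.example.test", 443)})),
    )
    results = {"version": checker.current_version(),
               "endpoint": checker.update_endpoint()}
    attempts = {
        "read_cookies": lambda: checker.config.read_text("../cookies.txt"),
        "write_config": lambda: checker.config.write_text("version.txt", "9"),
        "other_host": lambda: checker.net.check("telemetry.example.test", 443),
    }
    for label, action in attempts.items():
        try:
            action()
            results[label] = "allowed"
        except PrivilegeViolation:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the checker never sees the whole filesystem or the whole network: the caller decides what it may touch, and an attempt to read outside its directory, write its own config, or contact a second host fails closed. Widening any of those grants is a deliberate, visible change rather than something the component can do for itself.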
As with most things relating to Qihoo these days, the NBD report has spiraled
into a pretty ugly he-said she-said mess. We’re a bit tired of that story here
at Tech in Asia, so in the coming weeks, we’ll be conducting our own
investigation into Qihoo’s applications to try to assess what, if anything,
they are doing wrong.
If you have expertise in web security and would like to assist in our
investigation, please get in touch with us: editors(at)techinasia(dot)com.
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at compa...@stanford.edu or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech