[liberationtech] Qihoo 360 in China.

[Melissa Chan]

Good afternoon,

Thought Qihoo's mysterious activities, written up in this piece by Tech in Asia, might be of interest to those on this list.  It looks like the team there is continuing the investigation -- apparently there's a weird cookie file that gets sent to a Qihoo server every time a user opens IE.  Anyone interested in helping or learning more should email:

editors(at)techinasia(dot).com

Cheers,

Melissa


Melissa Chan  |  Correspondent  |  Al Jazeera English  ||  John S. Knight Journalism Fellow  |  Stanford University
email  |  mchan02 at stanford.edu  |  twitter  |  @melissakchan  |  mobile  |  909.618.5287


Link: http://www.techinasia.com/massive-expose-blasts-qihoo-360-cancer-internet/


Expose Blasts Qihoo 360 as ‘Cancer of the Internet’; Qihoo Denies Everything


China’s Qihoo 360 has a lot of enemies. I’m not just talking about Baidu, either; lots of net users dislike the company for its dirty tactics and China’s State Administration for Industry and Commerce (SAIC) has printed publicly that the company has engaged in behaviors most people would call fraudulent. But a recent expose conducted by an independent investigator and printed in the National Business Daily– supposedly the result of months of investigation — suggests that Qihoo is doing an awful lot more than most of its users are even aware of.

The National Business Daily (hereafter: NBD) report presents a laundry list of accusations about Qihoo software, backing many of them up with illustrated screenshots demonstrating what’s going on behind the scenes. Among the many allegations: that Qihoo’s 360 Safe Browser contains a massive security flaw that messes with users Windows DLL files, that it can expose users’ passwords, that it tells users sketchy online payment sites are safe, and that it is making connections the user isn’t aware of even when it’s just loading a blank page. The report also contains more familiar charges like Qihoo products masquerading as official Microsoft patches, forcibly deleting competitor products as “unsafe”, etc.

Qihoo 360 has categorically denied all of the allegations contained in the report in a post on its official BBS forums. From Qihoo’s official translation of its response, provided to Tech in Asiaby a Qihoo representative:

The article appears to be an “aggregation” of most of the past false allegations and claims made by our competitors and our foes. It takes those claims from sources such as an “anonymous individual”, a person who lost a lawsuit against us, and a former malware/virus creator, without any basic fact checking. It also completely ignores all the clarification and statements Qihoo 360 has made regarding these false claims, and even ignore [sic] high-profile court rulings in the past, in order to portrait [sic] a totally biased story against Qihoo 360. We are not surprised that someone hates us so much that it [sic] keeps record of all those [sic] garbage and is willing to recycle it in the public domain over and over again. It is not difficult to conclude that there has to be huge economic interest of our foes behind such [an] outrageous attack. We take it very seriously!

In its statement, Qihoo also says that it has filed a complaint against NBD with GAPP (a government organ that regulates the press) and that it plans to sue NBD in court, and will additionally sue “anyone who intentionally spreads such rumor for defamation.”

When asked to respond directly to specific allegations contained in the report, a representative from Qihoo refused, saying that previously published statements should serve as a sufficient response to any questions the report raises. Later, however, the company did publish a number of clarifications that directly address some of the report’s specific allegations.

It is clear that Qihoo’s management considers this report and other “attacks” to be related to its competitors. In a public statement yesterday, Qihoo CEO Zhou Hongyi told reporters that the report and others like it were related to Qihoo’s decision to enter the search engine field. Zhou said that the NBD report was an attempt to “smear” Qihoo. “I think that the essence of this is that 360 decided to take on the big players in China,” he said, “as long as we keep doing search, these kind of smear attacks will continue.”

Qihoo representatives declined to produce any evidence backing up the implication that its competitors are somehow behind the NBD report. A Qihoo representative did link me to this article, which suggests that several of the sources in the NBD report are being paid by Tencentto publish attacks about Qihoo. However, the article contains no evidence to support these claims, and its author is an anonymous Tianya user identified only as shengsheng72011.

After an extended exchange of emails with Tech in Asia, a Qihoo representative implied that Qihoo does have evidence its competitors are behind the NBD piece, but declined to share any, writing: “Sorry mister, the evidences are for the court proceedings.”

Although it obviously doesn’t contain any evidence of a connection to Qihoo competitors, theNBD report does admit that the independent investigator making these claims is biased — he told the NBD he is openly opposed to Qihoo 360, which he considers a “cancer” that should be “cut out” from the internet. His fundamental beef with the company comes from what he interprets to be its frequent violation of the principle of least privilege. Least privilege is a widely accepted computer programming concept that says that any given program should only be automatically given access to what it needs to access to function. Qihoo, the investigator says, breaks this principle frequently.

(You can think about “least privilege” sort of like a repair man: if he shows up to your house and you aren’t home to let him in, he’ll generally just come back later instead of breaking in on his own. Software that ignores the principle of least privilege is more like a repair man who just walks into your house and starts making repairs whether you’re home and aware of his visit or not. The investigator who spoke with the NBD put it even more bluntly: Qihoo is like a residential manager who, when he gets reports of a dog barking, just breaks into the house and shoots the dog. In other words, the investigator is saying Qihoo’s software does way too much in the background without making it clear what is happening and asking the users’ permission.)

Of course, the principle of least privilege is not a law, and even if Qihoo’s software is violating it, there isn’t necessarily anything illegal about that. It does, however, raise privacy concerns for some users. Qihoo representatives refused to respond to a direct query about whether or not the company’s software violates the principle of least privilege.

As with most things relating to Qihoo these days, the NBD report has spiraled into a pretty ugly he-said she-said mess. We’re a bit tired of that story here at Tech in Asia, so in the coming weeks, we’ll be conducting our own investigation into Qihoo’s applications to try to assess what, if anything, they are doing wrong.

If you have expertise in web security and would like to assist in our investigation, please get it touch with us: editors(at)techinasia(dot)com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130305/c48c77ba/attachment.html>