Slashdot Mirror


Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers

An anonymous reader writes: It looks like Lenovo has been installing adware from the company Superfish onto new consumer computers that activates when they are taken out of the box for the first time. The adware, named Superfish, is reportedly installed on a number of Lenovo's consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user's permission. Another anonymous reader points to this Techspot article, noting that it doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, indicates it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick. Also at ZDnet.

248 comments

  1. All the more reason... by AltGrendel · · Score: 5, Insightful

    ...to wipe the box and install some other OS.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:All the more reason... by thieh · · Score: 0, Offtopic

      Time to ditch the dark side (windows).

    2. Re:All the more reason... by Anonymous Coward · · Score: 0

      Installed Linux Mint on my Lenovo Yoga 2 late last year. Works well. No sleazy bloatware.

    3. Re:All the more reason... by NotInHere · · Score: 1

      s/other //

      FTFY

    4. Re:All the more reason... by Anonymous Coward · · Score: 0

      Which is fine for you and me and everyone else reading /., but not so much for the majority of people buying an off-the-shelf laptop from Lenovo.

    5. Re:All the more reason... by cdrudge · · Score: 5, Insightful

      Why ditch Windows when it's allegedly Lenovo that did the dirty work. If Lenovo shipped a laptop with Linux installed on it with a similar piece of malware, would you be saying ditch Linux too?

    6. Re:All the more reason... by number6x · · Score: 1

      I second the recommendation for Linux Mint on the Yoga 2. I never booted the copy of Windows that came with it. Set the bios and used a flash drive to install Linux Mint 17 to the SSD and had a great laptop with no malware, shareware or crapware.

      And best of all, no Windows 8!

    7. Re:All the more reason... by Thor+Ablestar · · Score: 1, Insightful

      Yes. Any new computer is to be completely wiped and reinstalled from scratch. And, if possible, with reflashing of BIOS and every firmware imaginable.

    8. Re:All the more reason... by Anonymous Coward · · Score: 2, Interesting

      Serious question: these Lenovo computers most likely come with UEFI. I recently tried wiping a new UEFI Lenovo PC and reinstalling using a Win 7 CD, and the key was retrieved using a tool to read the OS. When it came time to "activate" the fresh Win 7 OS, that key would not be accepted. Lenovo support said they couldn't provide another key, and that only the recovery CD would work. Are there any known workarounds for this?

    9. Re:All the more reason... by Anonymous Coward · · Score: 1, Insightful

      Because it's Microsoft that originally pushed the "no OS disc provided, your software is all on the hard drive" model that allows this kind of crap to happen.

    10. Re: All the more reason... by Anonymous Coward · · Score: 0

      You need the OEM activation certificates that match the secret in the UEFI.

    11. Re:All the more reason... by Anonymous Coward · · Score: 5, Insightful

      Don't forget to reflash EVERY blob of NAND or ROM inside that box, especially the hard drive firmware. And make sure that the present firmware actually does the flash command you believe you're asking of it, rather than lying about success. I hope you didn't download that new firmware (when's the last time your HDD vendor did that?) on a Lenovo, that's riddled with unsound root certificates.

      Are you sure that some magical combination of ASM.JS opcodes, as they are being decoded by your CPU, don't trigger a carefully crafted pagetable bug? Is your RAM hammer proof? That's a nice WIFI card you have hooked up to the PCIe bus, what does it really do with malformed data? What about your phone's baseband, and the teeny remotely operated JVM inside your SIM card?

    12. Re: All the more reason... by Anonymous Coward · · Score: 0

      Call MS.

    13. Re:All the more reason... by jeff4747 · · Score: 1

      Yes, using the BIOS to flash the BIOS will definitely remove any malware.

      Oh wait.....

    14. Re:All the more reason... by Thor+Ablestar · · Score: 1

      I have a similar problem with an HP book that had no drivers at all except a recovery Win7 CD. My attempt to reinstall Win8.1 from scratch failed due to the absence of drivers. Moreover, there ARE good drivers for it, but Win8.1 insists on replacing them with fresh but incompatible drivers. As a result, I gave the book to my Windows-only friend and switched to Lenovo. I don't use Windows, but at least the Windows drivers for Lenovo are downloadable from their site.

    15. Re:All the more reason... by geogob · · Score: 1

      Yes, and use only self-written OS and self-written programs.

    16. Re:All the more reason... by geogob · · Score: 4, Funny

      Just pull the plug and battery during the process. You'll get definitely rid of the malware.

    17. Re:All the more reason... by LordWabbit2 · · Score: 1

      I ALWAYS format a new laptop, don't need or want their stooped recovery partition, waste of space. Can understand how the other 90% of people on the planet love it, but for me it's a waste of space.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    18. Re:All the more reason... by gmack · · Score: 4, Informative

      I strongly suggest avoiding Lenovo completely. They already fail to boot if there is an unrecognized wifi card (I had to hack the BIOS), and for their latest move towards evilness they refuse to charge both third-party batteries and batteries the system detects as too old.

    19. Re:All the more reason... by Thor+Ablestar · · Score: 3, Informative

      At least when one of our Russian programmers found a hidden Chinese (?) hypervisor in new Intel boards, he found that reflashing actually cures the problem. https://xakep.ru/2011/12/26/58... (in Russian). And also, Russians have a proggie that detects it.

      Also, the HDD bug can either run before a system - and it will be quite interesting to look how it will break GELI - or become resident. If it uses VM to become resident - it will be detected. If not - a system (I don't speak about Windows) will overwrite it.

    20. Re:All the more reason... by Anonymous Coward · · Score: 0

      ...to wipe the box and install some other OS.

      I agree. But I don't think that OS X will run on that.

    21. Re:All the more reason... by jeff4747 · · Score: 0

      Because persistent storage technology doesn't exist.

    22. Re:All the more reason... by Anonymous Coward · · Score: 0

      Time to ditch the dark side (windows).

      I agree. MacBooks don't come with any of that crapware.

      CAPTCHA: Joyfully

    23. Re:All the more reason... by geekmux · · Score: 4, Interesting

      Which is fine for you and me and everyone else reading /. but no so much for the majority of people buying an off-the-shelf Laptop from Lenovo.

      Seriously, how dumbed down does a Linux installer need to get in order for the average moron to wipe and re-install their YouTube/Netflix binge box?

      We've already turned the right-clicking, mouse-wielding user into a drooling baby that just points at the large colorful tiles on the touchscreen to make it "go".

      I'm really starting to wonder if the Year of the Linux Desktop is directly tied to reducing the average consumer IQ level to that of a goat. Better start working on the voice recognition interfaces now, since our future appears to be an idiot yelling at a server to make it reboot.

    24. Re:All the more reason... by Anonymous Coward · · Score: 0

      That's not ditching in the sense that was being talked about.

    25. Re:All the more reason... by Anonymous Coward · · Score: 0

      Those that aren't clueless themselves.

      Ignoring problems that only target one audience just means it is going to grow and continue to take more with it. When it comes your turn, who do you expect to speak up for you?

    26. Re:All the more reason... by Kierthos · · Score: 1

      To be completely safe from any unwanted software on the laptop, strike the laptop repeatedly with a 10-pound sledgehammer.

      Once the laptop has been reduced to a pile of plastic and metal shards, it is now safe to use. (Provided you wear safety gloves when handling the shards.)

      --
      Mr. Hu is not a ninja.
    27. Re:All the more reason... by Streetlight · · Score: 2

      I'm not sure crapware is now the problem. Crapware can generally be removed and for the unwashed masses one can get a Windows machine without crapware using Microsoft's Signature program.

      The problem is hidden malware in firmware in devices like hard drives. No computer manufacturer can be immune to that if they buy parts that are infected when intercepted during shipping between the manufacturer and the computer assembler or end user by some three letter agency. The same for the finished computer. And what about malware hidden so deeply into computer parts where the firmware can't be rewritten? If Intel's or AMD's parts are corrupted in this way during manufacture, swapping out the part will never solve the problem.

      --
      In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    28. Re:All the more reason... by mlts · · Score: 1

      Even wiping the box may not work. For example in the case of LoJack for Laptops, there is BIOS support that can get a machine to reload the utility even if the main BIOS is reflashed and all media (hard disks, SSD, etc.) are erased. In the case of this product, it can be a good thing, but this same technology that can protect a laptop can be used to reinstall spyware.

    29. Re:All the more reason... by deadweight · · Score: 1

      Mint is EASIER to install AND use than Windblows 8. My wife learned Mint in about 30 seconds - "Look, just like Windows 7 except the laptop now recovers from hard shut downs without you doing anything"

    30. Re:All the more reason... by Anonymous Coward · · Score: 0

      Um, what? Methinks you don't understand how technology works.

    31. Re:All the more reason... by JohnFen · · Score: 3, Interesting

      That was because of Microsoft? I hate, hate, hate that practice, but I assumed that it was just because the computer manufacturers wanted to save a dime.

    32. Re:All the more reason... by JohnFen · · Score: 1

      I was going to say something like this. Linux has been as easy (or easier, with some distros) to install as Windows for years now.

    33. Re:All the more reason... by Anonymous Coward · · Score: 0

      Refusing to charge third-party batteries and batteries that are "too old" is not necessarily evil. Have you ever seen any of those videos on YouTube of the battery fires ("convert your laptop into a flaming grill") and explosions that can happen when you mistreat a Li-ion battery?

      "Look Ma, I saved $40 by buying this no-name battery; then lost $2,000 when my laptop burned itself up because the battery and laptop charging circuits weren't quite compatible; then lost $200,000 when the flaming laptop started a fire that burnt my home down! But I saved $40!"

    34. Re:All the more reason... by Holi · · Score: 1

      Citation please. I can find no mention that it was Microsoft who pushed this practice.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    35. Re:All the more reason... by Anonymous Coward · · Score: 0

      The malware will remain in the storage, but by cutting the power during reflashing, you stand a very good chance of bricking the machine, which will place the malware into dormancy.

    36. Re:All the more reason... by praxis · · Score: 2

      We are all clueless about some things. I, for one, care about clueless computer users because I can help them. I hope to foster a helpful culture so that others can enlighten me about things *I* am clueless about. Or, in other words, technologists should elevate technology for everyone.

    37. Re:All the more reason... by zlives · · Score: 4, Funny

      as it turns out, not one of my devices or any blob inside is hammer proof.
      i hope this pigeon makes it to /. to answer your curiosity.

    38. Re:All the more reason... by sexconker · · Score: 1

      Whoosh.

    39. Re:All the more reason... by Cro+Magnon · · Score: 1

      Last time I tried to install Linux, admittedly more than a few years ago by now, it was very much YMMV. Sometimes it WAS easier than Windows, but other times it was a royal PITA. With the same distro.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    40. Re:All the more reason... by mlts · · Score: 2

      I'm the same way. The recovery partition is just a chunk from the HDD, so malware can easily seize control of that. Plus, I prefer server operating systems (paid for, of course.) Some laptop makers like Dell can ship a business-line model with a server OS, and since it comes from the OEM, there is a good chance the OS can just activate from the BIOS certificates. I have yet to see a machine shipping with a server OS have any crapware on it, other than maybe some administration tools.

      I wish laptop makers could do what Tandy did in the early 80s... put an OS instance in ROM. Have a read-only SSD section set aside that would boot up Windows PE or even an image of whatever Windows edition came with the machine, with drivers merged in as well (easy to do with Vista and newer's WIM functionality.) This way, the box can be completely reinstalled and barring a flash of BIOS or other firmware, there can be high confidence a malware infection is eradicated.

    41. Re:All the more reason... by mlts · · Score: 1

      Even on Macs, I prefer to zero out the HDD and install completely cleanly, as a matter of course [1]. In fact, on any hardware, be it POWER7, SPARC, x86, and others, zeroing out the storage and installing clean is a good idea. This not just ensures that one has a clean OS, but anything that was stashed previously is gone. No cruft, no oddball transient stuff that might have accidentally wound up on the HDD during QA or testing (assuming the box was tested), just a working OS (hopefully.)

      [1]: It isn't hard to download the install image of the latest OS X, write it to a USB flash drive, then use a Linux drive to boot, TRIM the entire SSD, boot from the OS X drive, and install from scratch.

    42. Re:All the more reason... by kheldan · · Score: 1

      Or, just wipe it and install the same OS, but from a generic source.

      Of course I have yet to see a piece of software that I couldn't in some way uninstall or totally disable, even if it meant manually hacking it out of the registry and deleting its files.

      I've never bought a new, pre-built computer before; can you get them without any OS installed?

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    43. Re:All the more reason... by muindaur · · Score: 1

      Those of us that get their personal info stolen when some clueless user clicks a phishing e-mail that lets a trojan into a healthcare provider.

    44. Re:All the more reason... by deadweight · · Score: 1

      Bought a new laptop for my son for Christmas. Thanks to a flaw in Windows 8 drivers, the wifi would go offline. Burned a Mint CD and installed it. Could not have been easier - click click click. He wanted Windows 7 for school and that was a nightmare X 100. Toshiba had NO 7 drivers since this was sold with 8, so it was about two days of Google-Fu, trial and error, and scavenger hunts to find drivers that worked. You really should try Mint - I cannot imagine how anything could be easier.

    45. Re:All the more reason... by Anonymous Coward · · Score: 0

      Time to ditch the dark side (windows).

      For a site supposedly for "nerds" some of the comments here are fucking retarded. You actually think because a program that you don't like was installed on an OS that you then need to ditch the OS itself?

    46. Re: All the more reason... by Anonymous Coward · · Score: 0

      You could just repartition the drive.

    47. Re: All the more reason... by Anonymous Coward · · Score: 0

      You'd have to be really old to remember when people said that.
      You are an idiot.

    48. Re: All the more reason... by Anonymous Coward · · Score: 0

      Same with brakes on your car. My god, think of your kids in that car. Car makers should make it mandatory that all brake work be done at a licensed dealer. We can't have people putting random parts on their car.

    49. Re:All the more reason... by Khyber · · Score: 1

      "Yes, using the BIOS to flash the BIOS will definately remove any malware.

      Oh wait....."

      While you jest, this is how we used to fix broken BIOS - swap with a known good one that has had its contents dumped, boot the machine, remove BIOS, insert bricked BIOS chip, re-flash with the known good image ripped from the boot BIOS.

      In fact, that's how many systems operate today, as they come with a secondary backup BIOS.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    50. Re: All the more reason... by Anonymous Coward · · Score: 0

      time to try off the Windows 8.1 sucks wagon... that ship has sailed... don't follow, lead

    51. Re:All the more reason... by Billly+Gates · · Score: 1

      If Ubuntu won the marketshare wars this same unit would come with fake certificates, false Ubuntu app stores, and other crapware too.

      Yes we here would know better and fix this but the average Joe would not.

      Jail time and a massive fine by the FTC. If this came from China, new fines and trade laws were violated too, as this is a financial backdoor planted and considered an act of espionage by the Chinese. Lovely, and I hope someone in the White House has a pair of balls to go after Lenovo for this. It also shows the marketers are now going too far. What's next?

    52. Re:All the more reason... by Billly+Gates · · Score: 1

      They do this on purpose to cut down on support costs.

      This is stupid as it actually increases due to angry users calling India to get their start menu back

    53. Re: All the more reason... by BlueTrin · · Score: 2

      To get rid of the malware just unplug the computer and replug it after counting to 30, that should teach the malware.

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
    54. Re: All the more reason... by Anonymous Coward · · Score: 0

      I like your advice bud, you're one in a million.

    55. Re: All the more reason... by BlueTrin · · Score: 1

      Indeed his advice of ditching the OS is based on a superfishal analysis.

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
    56. Re: All the more reason... by Anonymous Coward · · Score: 1

      You are very lucky, finding hammer proof pigeons is surprisingly hard.

    57. Re:All the more reason... by jeff4747 · · Score: 1

      The problem is the "swap" step. You are either relying on the infected system to actually do the swap, or you need to attach the chip to a separate system to install a known good image.

      The latter option is not easily available to most people.

    58. Re:All the more reason... by david_thornley · · Score: 1

      Microsoft will sell you a Signature Edition computer that comes with no crapware from other vendors (I leave the question of whether Windows counts as an exercise to the reader).

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    59. Re:All the more reason... by david_thornley · · Score: 1

      Can't you do the same thing by making the recovery discs suggested? They'll still have the crapware, but so will the Tandy ROMs.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    60. Re:All the more reason... by Khyber · · Score: 1

      Wrong. You can live hot-swap. This is a trick that has been around for ages for single-BIOS machines. You boot up with a known good BIOS, after the system has loaded up, while it's still live, you pull the good BIOS chip, insert the bricked one, run your firmware update. Did you even read the entirety of my original statement where this was specified?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    61. Re:All the more reason... by mlts · · Score: 1

      I personally use a disk image utility to clone the drives before the machine ever boots for the first time, but almost all non-IT people end up losing the recovery disks, or just not making them in the first place. This is why having an OS image in ROM (or technically read-only SSD) would be useful.

      The ideal would be both install media, as well as a recovery instance. This way, one could boot the machine, mount the volumes, and save off documents to external media in preparation for a complete format and reinstall. A recovery instance would also be useful for fixing boot issues, or even dealing with malware (although it is best to reinstall if malware is present.)

    62. Re:All the more reason... by JohnFen · · Score: 1

      Yes, but that has nothing to do with why computers don't come with a DVD of Windows anymore. I'd always raged at the OEMs for that, but apparently I should have been raging at Microsoft.

      Also, the "signature edition" stuff is just insulting. I'm not about to buy an OS twice just to get what I should have had in the first place.

    63. Re:All the more reason... by Anonymous Coward · · Score: 0

      No, ditch Windows. If I'm buying a computer and have to pay the MS tax, I want it to come with a fully functioning Windows OS sans crapware. In the old days, it was possible: despite whatever came installed from the factory, I was given a clean (and generic) Windows install disc along with separate driver disks (if needed). Now, you get Windows-on-the-machine only, complete with whatever malware it comes with. If you're really lucky, you get a recovery CD or recovery partition, but malware is included on those as well.

      So in your example with Linux, I don't have to ditch Linux, because I have the generic recovery disc for free (implicitly, because I can d/l any of a number of distros that wouldn't include the malware)

    64. Re:All the more reason... by Anonymous Coward · · Score: 0

      hard to take somebody seriously when they use the term "proggie."

    65. Re:All the more reason... by Anonymous Coward · · Score: 0

      It is YOU who evidently doesn't know why doing the suggested thing is a bad idea. Who is it again, who doesn't understand how technology works?

    66. Re:All the more reason... by Anonymous Coward · · Score: 0

      It's hard to take someone seriously when they cannot properly spell, maintain grammatical syntax, or even be bothered to use a fucking capital letter. L2Grammarz n00b.

    67. Re:All the more reason... by jeff4747 · · Score: 1

      You boot up with a known good BIOS, after the system has loaded up, while it's still live, you pull the good BIOS chip, insert the bricked one, run your firmware update

      And since the malware is already running, it writes itself into the new chip.

  2. Does it inject by invictusvoyd · · Score: 4, Funny

    Ad's even after you go through the gentoo stage 3 , compile your custom kernel and build your userspace from source ?

    1. Re: Does it inject by Anonymous Coward · · Score: 0

      I'm pretty sure it wouldn't survive a dd if=/dev/zero of=/dev/sda

    2. Re:Does it inject by hcs_$reboot · · Score: 1

      If it comes from the disk firmware, even Gentoo can't get rid of it!

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:Does it inject by Anonymous Coward · · Score: 1

      Not as often as you inject superfluous apostrophes.

    4. Re:Does it inject by Anonymous Coward · · Score: 0

      No, but it also isn't a basement-dwelling virgin like yourself.

    5. Re:Does it inject by Anonymous Coward · · Score: 1

      You need to start from stage 1.

    6. Re:Does it inject by Anonymous Coward · · Score: 0

      If that's the case, I see a class action coming on the horizon.

    7. Re:Does it inject by Thor+Ablestar · · Score: 1

      Disk firmware version is not a standalone program. It's a Windows (and maybe Mac) parasite, as is all the Equation Group stuff. You cannot catch it without using Windows. If it does not find a host to infect it has exactly 3 ways: 1) Self-destruct, and the problem is solved, 2) Pretend to be nonexistent, and the problem is at least nonexistent while you use Gentoo, 3) Crash and be sent to Kaspersky.

    8. Re:Does it inject by Just+Some+Guy · · Score: 1, Troll

      No, because it would presume you are broke and have more time than money.

      --
      Dewey, what part of this looks like authorities should be involved?
    9. Re:Does it inject by Anonymous Coward · · Score: 0

      No. But in theory they could.

      Malware that resides in your NIC's firmware has proof of concept. Layer 3 snooping and packet injection would be trivial. It would be easiest on a wireless NIC since those devices usually consist of a fairly powerful ARM or MIPS core connected to DSPs and the associated high frequency analog voodoo required to make wireless networking work. They're really embedded systems that run a closed, encrypted binary blob of software you don't have access to.

      Then again, why bother fiddling with your network communications when your bad-actor device is likely connected directly to PCI express.. And has full access to your system anyway.

    10. Re:Does it inject by suutar · · Score: 1

      true... but if it were the NIC bios, it could perhaps be OS-neutral, just pretending "yeah, the other end had this in the html that came in, honest". At least for non-https.

    11. Re: Does it inject by Anonymous Coward · · Score: 0

      A lawsuit against who? US Federal agencies in a US federal court? Let me know how that works out for you.

    12. Re:Does it inject by Joey+Vegetables · · Score: 1

      Heck no. By then, the Internet as we know it will no longer exist, Lenovo will have been out of business for decades, and the IPv22 networks that connect the nanobrains that governments will embed inside our mitochondria, at birth, will no longer understand how to process or route IPv[46] packets.

    13. Re: Does it inject by mlts · · Score: 1

      If it isn't firmware level, a blkdiscard /dev/sda on a SSD should purge anything for good, and definitely not recoverable by any known means.

    14. Re: Does it inject by Anonymous Coward · · Score: 0

      You are either trolling, or your English comprehension isn't any better than a 5th grader.

  3. If you have to be paranoid by Anonymous Coward · · Score: 2, Funny

    Do that with OpenBSD.

  4. Hardly allegedly by OzPeter · · Score: 5, Informative

    From the ZDnet link

    The issue has remained latent since Mark Hopkins, a Lenovo social media program manager, confirmed in January that the company was installing the Superfish Visual Discovery software on some of its products in order to serve ads.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Hardly allegedly by TheBogBrushZone · · Score: 5, Interesting

      Not allegedly at all. My new Y50 (3 weeks old) came with Superfish pre-installed, phoney root certificates and all. Luckily I've encountered Superfish before when they were trying to insinuate themselves into every extension they could on the Chrome Web Store so it was easy to spot and obliterate.

      --
      And behold, a command prompt and he who sat upon it, his name was shutdown and -h 3:11 followed with him
    2. Re:Hardly allegedly by Anonymous Coward · · Score: 2, Informative
    3. Re:Hardly allegedly by Dutch+Gun · · Score: 2

      And here's the kicker:

      Hopkins defended the adware, saying that it “helps users find and discover products visually” and “instantly analyzes images on the web and presents identical and similar product offers that may have lower prices.”

      I mean, damn... How stupid do they think people are, that they can actually present this adware as a positive thing for consumers?

      Even though Hopkins says the company has stopped installing the software on computers, it appears that’s only “temporary” until the company behind the software makes some tweaks to stop pop-ups.

      Aaand... they're just going to tweak it so it's less noticeable. Nice. This software creates a potential man-in-the-middle attack by installing its own signed certificate on your system so it can show embedded ads even if you have a secure connection. Nasty, nasty stuff from a privacy concern. This could easily become malware if not for the "good graces" of whatever code it's running or site that's intercepting your connection.

      I hate to say this, but I really think we're going to need some new comprehensive privacy and advertising laws. I'm usually one to let the market shake itself out first and see what happens, but we've ended up here, with companies showing absolutely no restraint on how far they're willing to go to extract your personal data for marketing purposes.

      Until we get such laws, I will never again purchase computer hardware from a large vendor like this (at least, Lenovo is forever out). For the last few years, I've been using a local boutique shop that specializes in custom computer builds. One of their nicest "features" is that they don't install any extra crapware on your system - only the bare minimum OS and tools, which is almost unheard of today. I'm willing to pay a bit more for that service, since they don't get subsidized by horrible stuff like this adware.

      --
      Irony: Agile development has too much intertia to be abandoned now.
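The two comments above (TheBogBrushZone's "phoney root certificates" and Dutch Gun's description of a certificate installed so ads can be injected into HTTPS pages) describe the check a Windows user of one of these laptops would actually want to run. The script below is an added example, not code from the article or from any commenter, and not Lenovo's or Superfish's own. It does two things: lists trusted roots in the Windows Root stores that Microsoft did not distribute (anything added locally stands out), and opens a TLS connection to a site to report which root the presented chain ends in, which under a local interception proxy is the injected CA rather than the site's public CA. Assumptions: the injected CA's subject contains the string "Superfish" (only the product name comes from the page; the exact subject is an assumption), the machine can reach the host given to Get-TlsChainRoot, and PowerShell 5 or later is used.

```powershell
# Added example: audit a Windows machine for a Superfish-style interception root.
# Not code from the page. Assumes the injected CA's subject contains "Superfish"
# and that the host passed to Get-TlsChainRoot is reachable. Run elevated.

# Thumbprints of the third-party roots Microsoft distributes through its root
# program (populated by the automatic root update). A certificate present in the
# Root store but absent here was added by something on this machine, or is one of
# Microsoft's own CAs, which also show up and need a glance.
$script:MsDistributedRoots = Get-ChildItem Cert:\LocalMachine\AuthRoot |
    Select-Object -ExpandProperty Thumbprint

function Get-LocallyAddedRoots {
    # Check 1: trusted roots that Microsoft did not ship.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store |
            Where-Object { $script:MsDistributedRoots -notcontains $_.Thumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # An interception CA needs its private key on the box. This is
                    # set when the key sits in the store; the key may live in a file
                    # of the interceptor's own instead, so $false is not a clean bill.
                    HasPrivateKey = $_.HasPrivateKey
                    Suspicious    = [bool]($_.Subject -match 'Superfish')   # assumed marker
                }
            }
    }
}

function Get-TlsChainRoot {
    # Check 2: connect to a real site and report which root the presented chain
    # ends in. Behind a local MITM the leaf is re-signed, so its issuer is the
    # injected CA, not the site's public CA.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect the chain, not fail on it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            # Build returns $false when Windows does not trust the chain; the elements
            # it could assemble are still populated, so the top one is reported either way.
            $trusted = $chain.Build($leaf)
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            [pscustomobject]@{
                Host              = $HostName
                LeafSubject       = $leaf.Subject
                LeafIssuer        = $leaf.Issuer
                TrustedByWindows  = $trusted
                ChainTop          = $top.Subject
                ChainTopThumbprint = $top.Thumbprint
                TopMsDistributed  = ($script:MsDistributedRoots -contains $top.Thumbprint)
                Suspicious        = [bool]($top.Subject -match 'Superfish')
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

# Usage: review the locally added roots, then see who really signs a site's cert
# as seen from this machine. Replace example.com with any HTTPS site.
Get-LocallyAddedRoots | Format-Table -AutoSize
Get-TlsChainRoot -HostName 'example.com' | Format-List
```

Two caveats for reading the output. The AuthRoot store only contains what the automatic root update has fetched so far, so on a machine that has never updated it the "locally added" list is longer than it should be; cross-check the survivors against a known-good machine or Microsoft's published root list. And a chain whose top certificate is trusted by Windows but is neither Microsoft-distributed nor one of Microsoft's own CAs is exactly the Superfish pattern: the interceptor put the root in the store itself, so a plain browser check shows a green padlock.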
    4. Re:Hardly allegedly by mlts · · Score: 1

      For desktops, I end up doing similar, and building my own (for my personal use.) However, for laptops, it is good to go with a brand's business line (not consumer junk, but business tiers that actually will offer decent CS). Similar if one needs desktops for a company (since for accounting and auditing, it is good to have machines that have similar hardware or one easily trackable model ID.)

      Of course, for personal laptops, there is always Apple. Even if one installs Windows on it (easy to do as it is a UEFI machine), the hardware is quite solid, and for individuals, Apple CS is quite good. Businesses and the enterprise, it is a different story.

      tl;dr, there isn't really one fix for this, but in general, avoiding consumer-line stuff like the clap is the best thing one can do, either by building one's own machine, buying the business/enterprise tier, or going Apple.

  5. Glad I Cancelled My Lenovo Order by Jason+Levine · · Score: 1

    When I needed a new laptop, I heard good things about Lenovo and they had a good deal so I ordered one. It initially said it would ship in 2 weeks. One week later, that ship date turned into 8 weeks. When I called asking why, I was told "we need some parts" (they wouldn't specify what parts). They also said that it *could* ship earlier but they couldn't guarantee when it would ship. When I tried to cancel, I was told I couldn't but that I could submit a form requesting cancellation which, if approved, might go through before my laptop shipped but might not. In the end, I managed to cancel the order and get all my money back. I ordered from another vendor (Toshiba) and got my laptop in two weeks.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    1. Re:Glad I Cancelled My Lenovo Order by TheGratefulNet · · Score: 2

      you didn't order a business-grade laptop, did you?

      I have one and mostly love it. the pci-e blacklist SUCKS (tried installing a new wireless card and it refused. not on the 'ok' list. had to install a hacked bios to allow any pcie card to be installed. HP is the same stupid way, too). and to be honest, with the hacked bios (I didn't hack it) I'm now at risk since I have no good idea what that 3rd party did to create the unblack blacklist, so to speak.

      but if you don't need to hack the bios (buy all your stuff at point of purchase to be safe) then the business grade models do NOT install crapware nearly as much and they all use the same chipsets since business needs each machine to be identical. consumer versions are the chip-o-the-month club and it sounds like that's what you were ordering. uhm, don't buy consumer grade lappies from lenovo. why bother? get what they are good at, the serious lappies. the t or w grade lappies.

      --
      "It is now safe to switch off your computer."
    2. Re:Glad I Cancelled My Lenovo Order by Anonymous Coward · · Score: 0

      We use Lenovo at work and historically I had bought from them for home too. Last time I tried I found that they don't want to sell to consumers anyway. We all know that delivery services (such as UPS, Fed-Ex, etc.) deliver while you are at work. So I wanted to ship the computer to my work address. They refused since the address on my credit card was my home address. They wanted me to talk to my bank and add my work address as a secondary address. But my bank has no business knowing my work address and I shouldn't have to maintain that work address with my bank as I change jobs, so I had to cancel the order since they wouldn't ship it to me at work. Bunch of buffoons there; like a shipment of a "must sign for" package is ever going to get to me at my house...

    3. Re:Glad I Cancelled My Lenovo Order by mrchaotica · · Score: 1

      I ordered a Thinkpad X60 from back when they were still IBM and got the same kind of fluctuating ship date BS (although I didn't respond by cancelling my order)... I guess nothing's changed.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    4. Re:Glad I Cancelled My Lenovo Order by hey! · · Score: 1, Offtopic

      I've had bad luck with Toshiba laptops in terms of durability and Linux support. In particular the ACPI DSD tables on Toshibas that I've had detect non-Windows operating systems and *deliberately* disable certain hardware like sound. It's fixable, but a PITA, adding extra steps every time you do a kernel upgrade.

      For years IBM then Lenovo was my choice for build quality, but I guess from here on out I'm sticking with Apple. I'm very pleased with the hardware.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    5. Re:Glad I Cancelled My Lenovo Order by Anonymous Coward · · Score: 0

      Newegg did that to me once. It took three weeks before they shipped it to the address I wanted.

    6. Re:Glad I Cancelled My Lenovo Order by The+Rizz · · Score: 3, Informative

      You can always have them officially ship it to your home address, but put a "hold for pickup at UPS/FedEx location" instruction on it. Then you just grab it before/after work, or over lunch hour.

    7. Re:Glad I Cancelled My Lenovo Order by nitehawk214 · · Score: 1

      The "only ship to billing address" is not some conspiracy to keep you from ordering things. It is there to keep other people from stealing your credit card number and ordering a bunch of stuff.

      If you are paranoid about your bank knowing the address of your work... well, perhaps you should not be using credit cards on the internet, since they will know about that laptop you just bought.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    8. Re:Glad I Cancelled My Lenovo Order by Anonymous Coward · · Score: 0

      Amazon lets you ship to a non-billing address. Why should Lenovo be so special that they won't?

    9. Re:Glad I Cancelled My Lenovo Order by painandgreed · · Score: 1

      You can always have them officially ship it to your home address, but put a "hold for pickup at UPS/FedEx location" instruction on it. Then you just grab it before/after work, or over lunch hour.

      More like grab it after taking half a day off work IME. Drive across town to the airport. Find their warehouse. Figure out which door goes to the office you're supposed to pick the package up at. Then stand in line for an hour before even talking to a person. Then wait for them to see if they can actually find your package.

  6. Revenge by JimSadler · · Score: 5, Interesting

    There are some really harsh laws concerning hacking and cracking. If Lenovo knew or caused this breach perhaps they could be prosecuted and actually jailed for this behavior.

    1. Re: Revenge by Anonymous Coward · · Score: 0

      Agreed. The engineer that made this change needs to be locked up for a good 20 years. Make an example out of him!

    2. Re:Revenge by kelarius · · Score: 5, Insightful

      It's more likely that Lenovo installed this software because they were paid to do so (either directly or through kickbacks to Mike Hopkins or whatever VP) and they simply didn't vet the software to make sure that it wasn't malicious. So while some people in the organization may be guilty of negligence they would never get convicted on anything close to CFAA levels.

      --
      Personally I'd rather have my idiots at home glued to the TV than out doing idiotic things
    3. Re:Revenge by Anonymous Coward · · Score: 0

      hahaha, just like Sony when they installed root kits ....

    4. Re:Revenge by Anonymous Coward · · Score: 3, Insightful

      You seem to believe that laws apply equally to corporations and people. You must not be American.

    5. Re: Revenge by Anonymous Coward · · Score: 0

      You mean bed and boarding at NSA?

    6. Re:Revenge by Anonymous Coward · · Score: 0

      but, but.... corporations are people!

    7. Re:Revenge by Jawnn · · Score: 1

      There are some really harsh laws concerning hacking and cracking. If Lenovo knew or caused this breach perhaps they could be prosecuted and actually jailed for this behavior.

      Oh please. Laws are for little people. You know, the ones who aren't corporations. No one is going to jail for "just doing what it takes to 'compete' in a free market". What did you think we meant when we had our Spokesman In Chief tell you that "government is the problem"?

    8. Re:Revenge by Khyber · · Score: 1

      "they would never get convicted on anything close to CFAA levels."

      The amount of 'negligence' this amounts to (hijacking EVERY type of traffic, including VPN) leaves them no room. They should've discovered this in a basic software audit. It took some random joe like 8-12 hours to crack this and make a program to sniff the traffic of EVERY computer with this stuff installed, and log the traffic.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  7. worse a fake root certificate! by Billly+Gates · · Score: 4, Insightful

    What were Lenovo thinking? People pay bills online you know. Easily can steal lots of information

    As much as we bashed RMS here for being a lunatic he has a point with trusting a for profit entity making closed source software.

    1. Re:worse a fake root certificate! by Dr.+Evil · · Score: 3, Interesting

      bankofamerica.com courtesy of Superfish:

      https://i.imgur.com/Ky0Bwih.jpg

      Not sure about the source of the screenshot, independent confirmation would be good.

    2. Re:worse a fake root certificate! by QuasiSteve · · Score: 5, Insightful

      Wouldn't really need one - SuperFish works in such a way that it inserts itself for any site. What would it do otherwise, keep a blacklist of all the possible banking/investment/whatever sites in the world that it should ignore?

      So yes, bankofamerica.com courtesy of SuperFish, but also facebook courtesy of SuperFish and YouTube courtesy of SuperFish and Mom & Pop's corner store courtesy of SuperFish.

      It's a nasty piece of software in that its intent is to serve up ads (and/or collect information, of course), but this sort of thing is also readily available on the market for parents who want to keep tabs on little johnny's browsing habits or bosses who want to keep tabs on their employees. Unless johnny/employee / their browser checks the certificate and notices it's probably not what it's supposed to be despite being perfectly valid, bob's your uncle.

    3. Re:worse a fake root certificate! by Dr.+Evil · · Score: 2

      It didn't occur to me that it actually included the private key for its own root certificate in the local proxy...

      Unbelievably stupid design.

    4. Re: worse a fake root certificate! by Billly+Gates · · Score: 1

      Is there a way for sites to detect and block this?

    5. Re: worse a fake root certificate! by Anonymous Coward · · Score: 0

      https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/How_to_check_the_secruity_state_of_an_XMLHTTPRequest_over_SSL

      That would be a good start. Problem is, if the connection is MiTM'd, the malware can just pull the javascript out of the request.

    6. Re:worse a fake root certificate! by nullchar · · Score: 1

      How could it MITM with only the public key? It needs to sign each destination HTTPS site with the private key.

      Each install could generate a unique key pair and install a new root cert.

    7. Re: worse a fake root certificate! by sexconker · · Score: 2

      Is there a way for sites to detect and block this?

      No. The host is compromised.

      Even if the bank mailed you a copy of their real cert, the compromised host could just update the malware to fetch the real cert and display that when the user tries to view the cert's details.

      Even if the bank handed you a copy of a UNIQUE cert they use for ONLY for you, IN PERSON, and you handed them your own UNIQUE client cert, the compromised host could just watch all the legit shit happen when you log in the first time, then fuck you in the ass with that legit information.

      Even "2-factor" authentication with a RSA clock won't help - these codes are good for a window of time (to allow people time to enter them and to allow for latency, clock skew, etc.). A compromised host can just use the same valid code rapidly within that window. Some systems require you to enter two distinct codes for a transaction, but this doesn't solve anything either as a compromised host can just trick the user into thinking they're moving $100 into their account when the real transaction is moving $10000 into the attackers account.

      True one-time use keys don't fix this either.
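The question above, whether a site can detect the interception, has one partial server-side signal the thread does not mention: the TLS ClientHello reaching the site is sent by the proxy's TLS stack, not the browser's, so its cipher-suite and extension ordering differ from what that browser would send. The following is an added example, not code from the thread, from Superfish or from any browser: it builds two constructed ClientHello records (a browser-like one and a proxy-like one, both with illustrative rather than captured cipher and extension lists, and a made-up hostname bank.example) and computes a JA3-style fingerprint for each using only the Python standard library.

```python
"""Server-side fingerprint of the TLS ClientHello a site actually receives.

Added example, not code from the Slashdot thread, Superfish or any browser.
A local interception proxy terminates the browser's TLS session and opens its
own to the site, so the ClientHello the site sees carries the proxy stack's
cipher-suite and extension ordering, which is exactly what JA3 hashes. Both
ClientHellos below are constructed for this example; their cipher and
extension lists are illustrative, not captures of a real browser or proxy.
"""
import hashlib
import struct

# GREASE values (RFC 8701) change per connection, so JA3 leaves them out.
GREASE = {(0x10 * i + 0x0A) * 0x101 for i in range(16)}

SNI, SUPPORTED_GROUPS, EC_POINT_FORMATS = 0, 10, 11   # extension type codes
TLS12 = 0x0303


def sni_ext(hostname):
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    return SNI, struct.pack("!H", len(entry)) + entry


def groups_ext(groups):
    data = b"".join(struct.pack("!H", g) for g in groups)
    return SUPPORTED_GROUPS, struct.pack("!H", len(data)) + data


def point_formats_ext(formats):
    return EC_POINT_FORMATS, bytes([len(formats)]) + bytes(formats)


def build_client_hello(version, ciphers, extensions):
    """Encode a TLS record carrying a ClientHello.
    `extensions` is an ordered list of (type, body) pairs."""
    body = struct.pack("!H", version) + bytes(32)             # version, client_random (zeros here)
    body += b"\x00"                                           # empty legacy_session_id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                       # compression_methods: null only
    ext = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3(record):
    """Parse a ClientHello record and return (ja3_string, ja3_md5)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                                   # skip handshake header
    (version,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2 + 32                                             # version, client_random
    pos += 1 + hs[pos]                                        # session id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                                        # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(hs):
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext_body = hs[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == SUPPORTED_GROUPS:
                (n,) = struct.unpack("!H", ext_body[:2])
                groups = [struct.unpack("!H", ext_body[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == EC_POINT_FORMATS:
                formats = list(ext_body[1:1 + ext_body[0]])

    def field(values, strip_grease=True):
        return "-".join(str(v) for v in values if not (strip_grease and v in GREASE))

    s = ",".join([str(version), field(ciphers), field(ext_types),
                  field(groups), field(formats, False)])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed: a modern browser lists TLS 1.3 suites first and sprinkles GREASE.
BROWSER_HELLO = build_client_hello(
    TLS12,
    [0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    [(0x2A2A, b""), sni_ext("bank.example"), groups_ext([0x2A2A, 29, 23, 24]), point_formats_ext([0])])

# Constructed: an older proxy TLS stack, no TLS 1.3 suites, no GREASE.
PROXY_HELLO = build_client_hello(
    TLS12,
    [0xC02F, 0xC030, 0x009C, 0x002F],
    [sni_ext("bank.example"), groups_ext([23, 24]), point_formats_ext([0])])


if __name__ == "__main__":
    for label, hello in (("browser", BROWSER_HELLO), ("proxy", PROXY_HELLO)):
        s, digest = ja3(hello)
        print(f"{label:8s} {digest}  {s}")
```

Run it and the two fingerprints differ even though both connections claim the same hostname. A server that fingerprints the ClientHello it receives and compares it with what the advertised User-Agent normally sends can flag the mismatch. It is a heuristic only: a proxy that copies the browser's ClientHello byte for byte is invisible to it, and a corporate TLS inspection gateway produces the same mismatch, so sexconker's point that a compromised host cannot be reliably detected from the server side still holds.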

  8. That's it by Anonymous Coward · · Score: 0

    My current Lenovo (bit long in the tooth) will be the last one. And no -- wiping clean to install Linux/*BSD/whatever doesn't cut it -- DO YOU HEAR ME, Lenovo?

    I just don't want to be treated like this in the first place. Lenovo's now in my no-buy list, right up there with Sony and Microsoft.

    Time to look up some System76, ZaReason, whatever (heck, even purism). I'm willing to pay premium to be treated as a customer and not as a stupid gullet.

    DO YOU HEAR ME, Lenovo?

  9. SuperFish Private Key cracked by brennz · · Score: 5, Informative

    See http://blog.erratasec.com/2015...

    Now all these boxes can be owned by anyone with the key!

    1. Re:SuperFish Private Key cracked by NatasRevol · · Score: 2

      If only someone could identify Lenovo employees using Lenovo computers...

      --
      There are two types of people in the world: Those who crave closure
  10. One strike by sjbe · · Score: 2

    I'll just buy from elsewhere if I need a Windows machine. I have a one strike and you are out policy on this kind of nonsense. I used to buy their machines back when IBM was still making them but they seem to have lost their way.

    1. Re:One strike by drunk_punk · · Score: 1

      Gotta say... If you NEED a windows machine... my windows VirtualBox VM runs better/faster than most windows laptops.

    2. Re: One strike by Billly+Gates · · Score: 1

      Build your own. Works best for Windows machines and Linux as well

    3. Re: One strike by sjbe · · Score: 1

      Build your own. Works best for Windows machines and Linux as well

      I'm not a hobbyist and don't have the time. Any Windows machine I buy will almost certainly be for work and I'm not about to waste a ton of time building a machine. If Lenovo wants to load their machines with spyware then there are plenty of other options out there.

    4. Re:One strike by sjbe · · Score: 1

      Gotta say... If you NEED a windows machine... my windows VirtualBox VM runs better/faster than most windows laptops.

      That cannot be true almost by definition. Running a virtual machine of any description carries overhead which you will not incur running directly on the hardware. I do run Windows machines in VMs and it works great but I'm not going to pretend it is faster than running it directly on the hardware.

    5. Re:One strike by koinu · · Score: 1

      It can be faster, and it is faster. At least my Windows XP that I need for some exotic old applications runs noticeably faster than from what I can remember on real hardware. Why can it be so? Because a virtual machine does not have that much hardware/devices like a real box. It can also optimize I/O of any kind with intelligent buffering of well-known access patterns (I don't know if it does it, but why else would vbox ask you what system you want to install in a given virtual machine?).

    6. Re:One strike by Khyber · · Score: 1

      VirtualBox fucking sucks, though. You can't part out a GPU between VMs like RemoteFX, Citrix, or VMWare can.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    7. Re:One strike by Anonymous Coward · · Score: 0

      How does it run Star Citizen?

      That's the biggest deal with Windows IMO- all the game devs compile for it.

    8. Re:One strike by Anonymous Coward · · Score: 1

      I know many people with Windows systems that, for whatever reason, gradually get slower and slower...

      I have an old Xp virtualbox image used for testing that has never been allowed to connect to them thar intarwebs. No upgrades, no service packs. After 8 years it's still very quick. It's been an interesting long term experiment. So from that perspective Windows can seem to run faster.

    9. Re:One strike by Anonymous Coward · · Score: 0

      VM technology is decent enough these days that running a Windows VM on a box with enough RAM, SLAT support, and a decent, 7200 RPM, SSD will result in pretty much the same performance as running the OS directly on the bare metal.

      What would be nice is some form of hypervisor like ESXi, except one which allows for use of a local console (and accelerated 3D graphics), as well as stuff like wireless support, USB media, and so on. The closest to this would be VMWare Workstation on Linux or OS X, where even though the hypervisor is a type 2, the base OS has very low overhead, so it is almost as good as a type 1.

      The advantage of this is that snapshots can be taken and rolled back, and one can keep multiple items, such as a VM just for banking, one for Web browsing, one for games, and so on, each completely separate from the others.

    10. Re:One strike by Anonymous Coward · · Score: 0

      I know many people with Windows systems that over time, for whatever reason, get slower and slower...

      I've had an old Xp virtualbox image used for testing that has never been allowed to connect to them thar intarwebs. No updates, no service packs. Eight years later it still runs very quickly. It's been an interesting long-term experiment. So from that perspective, a vbox version of Windows can seem quicker.

    11. Re: One strike by Mashiki · · Score: 1

      You don't have three hours to sit down and build your own? I'll bet you spend more time watching TV every day, or reading a book.

      --
      Om, nomnomnom...
    12. Re: One strike by Anonymous Coward · · Score: 0

      It takes you 3 hours? Slowpoke.
      It might be his first time and it could take him 3 hours just to make a parts list. Experience makes the difference here and he claims not to have it. So don't be a jerk.
      My advice, spend a weekend with a nerd and get some real advice.

    13. Re:One strike by Khyber · · Score: 1

      "a decent, 7200 RPM, SSD"

      One of those terms does not belong. I'll leave it as an exercise to you as to which one.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    14. Re: One strike by Khyber · · Score: 1

      Don't have the TIME?!?

      It takes like 15 minutes to build a system from base components if you're handy with a hex driver (for standoff installation) and a screwdriver for the rest of the system.

      It takes longer to cook a pot of rice.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    15. Re:One strike by Anonymous Coward · · Score: 0

      That cannot be true almost by definition. Running a virtual machine of any description carries overhead which you will not incur running directly on the hardware.

      Well, it depends.

      If we are talking apples and oranges:

              single CPU / single core 1.3 ghz system emulating a pentium @ 100 mhz

      versus

            physical machine w/ a single pentium @ 100 mhz

      there is no surprise the virtual machine should be faster.

      However, even with apples and apples, software can do much that hardware cannot. It can cache things and rewrite/reorder instructions/etc. for speed. Hardware can do this too, but software will "by definition" as you put it,
      be more flexible.

      Yes, there is going to be overhead for a virtual machine. But that still doesn't mean other hacks and trickery means the
      net result is a speed gain that goes beyond the overhead.

      Also, some CPUs have special modes just for virtualization and other things...so "overhead" is more minimal on this hardware.

      There are no hard rules either way...it depends on lots of things.

      Same reason java code can be faster than native code -- the java VM can make optimizations at run-time based on profiling information (i.e. what code actually executes and what paths it takes) that a "compile once" language may not be able to do.

      You see this even with "compile once" languages that let you "hint" which branch is more likely to be taken -- gcc allows this for C I believe.

      There is no rule that a virtual machine is slower or faster. It just depends.

    16. Re: One strike by Mashiki · · Score: 1

      No he claims he doesn't have the time, not experience. Perhaps you should try reading. It helps.

      --
      Om, nomnomnom...
    17. Re: One strike by bingoUV · · Score: 1

      Since laptops are (also) involved, you need machining of the body around your small form factor motherboard. Most experienced machinists wouldn't be able to do a good job in 15 minutes. And the tool list is much longer than a hex driver.

      With just a hex driver, the "machining" can easily take a month.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    18. Re: One strike by Khyber · · Score: 1

      Who needs the case? Also, nobody in this thread mentioned laptops specifically.

      Also, we've got 3-D printing. Just print a shell. Plenty of stuff out there already made up for several nearly-standard laptop logic boards.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    19. Re: One strike by bingoUV · · Score: 1

      TFS mentions laptops. They have been selling more than desktops for a while.

      With 3-D printing, equipment list is now longer than just a screwdriver.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    20. Re: One strike by Khyber · · Score: 1

      Nah, still only need those two pieces of equipment I listed. What's changed is the access list. Odds are there's a makerspace with a half-decent 3D printer available. Just take your design over there and print it out.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    21. Re: One strike by bingoUV · · Score: 1

      Then it's not "build your own" anymore.

      Even if it were, driving to rent your 3-D printer could easily take longer than it takes to cook your rice, and designing the 3-D model over the bought small motherboard keeping in mind extensibility, cooling, access ports is another task that surpasses rice cooking.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    22. Re:One strike by hucker75 · · Score: 1

      But EVERY big company puts shit on new computers and always has. This isn't news.

    23. Re: One strike by Anonymous Coward · · Score: 0

      I think you missed above where he said you could get downloadable shell schematics for a few models of a nearly-standard laptop motherboard. He's right but it only works for the 15"-17" ranges. The drive could indeed take longer, but the actual building itself should not take much longer than rice to cook. BTW a typical rice cooker has a typical time range from 25-45 minutes.

    24. Re: One strike by bingoUV · · Score: 1

      You don't need the shell of a nearly standard laptop - because buying the motherboard for it means you're dependent on that laptop's manufacturer for driver support. So any advantage of "build your own" is gone right there.

      You need a shell for a small form factor non laptop motherboard.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
  11. Lenovo Yoga 2 Pro by Dan+East · · Score: 1

    I just checked on my Lenovo Yoga 2 Pro I bought a few months ago, and it does not have Superfish as a trusted root certificate authority, as indicated in the screenshot in TFA.

    --
    Better known as 318230.
  12. Basic product development by fuzzyf · · Score: 1

    It is odd that PC manufacturers are willing to ruin their brands just to earn a few extra bucks.

    I have never owned a mac before, but after my last encounter with a high-end Vaio I’m seriously considering a macbook pro as my next laptop. Don’t get me wrong, it was a very nice laptop. Good battery, expansions and a carbon chassis.
    HP (and Compaq before that) business laptops were ok after a reinstall, but the Vaio was just a pain. Shared libraries needed to be installed in a certain order, or it would freak out and tell you that the battery was critical and just shut down. Also support for Windows 8 was just appalling.
    Anyway, it shouldn't be necessary to reinstall a brand new laptop. They really take the fun out of unboxing it.

    It looks like Microsoft cracked the code with their Surface Pro. Clean install and a continuing brand name. Lenovo (and others) could even do what Amazon does with Kindle. Charge more for a clean version.

    1. Re:Basic product development by BVis · · Score: 1

      It is odd that PC manufacturers are willing to ruin their brands just to earn a few extra bucks.

      Not really. Consider the following:

      Over-promoted walking haircut (with "Executive" in his/her title somewhere) hears something about this "Superfish thingy". They get it in their hard-wired little business-school brains that "duuh Superfish = money = good", he/she grills someone with actual knowledge about it and selectively listens to how they can make money with it, and how it can be installed on every laptop they ship. (They deliberately ignore the person with actual knowledge when they try to tell the pointy-haired little twit how it's 'illegal' and 'unethical' and 'bad faith' etc etc etc.) So, exec orders people who do actual work to incorporate Superfish into the builds, despite how bad an idea it is. The builds start shipping, Superfish starts paying out, revenues are up, everyone's happy (except for the people doing actual work who know it's bullshit.) Quarterly profits go up, exec gets bonus, builds third summer house. Sooner or later someone notices what they're doing (see TFA) and calls them on it. Exec realizes this is bad, they're going to get held accountable for something, and as we all know that's the worst thing that can ever happen to some over-promoted suit. Exec pulls eject handle, lands softly with a golden parachute. Everyone left gets to clean up the mess and attempt to rehabilitate the brand. But it's ok, the executive got a bonus.

      Lather, rinse, repeat. Nobody learned anything from the Sony rootkit thing, other than "Hey, we can make money doing this, and all we have to do is violate the trust of our customers! Fuck them, how did our money get in their pockets anyway?"

      --
      Never underestimate the power of stupid people in large groups.
    2. Re:Basic product development by Coren22 · · Score: 1

      Don’t get me wrong, it was a very nice laptop. Good battery, expansions and a carbon chassis.

      What do you mean by carbon chassis? Is it made out of carbon fiber? Diamond? Graphite?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    3. Re:Basic product development by fuzzyf · · Score: 1

      Carbon fiber.
      Would be cool with a diamond unibody, but it's a bit out of my pricerange. :)

    4. Re:Basic product development by fuzzyf · · Score: 1

      Yeah. You are right
      But I _wish_ it would be odd :)

    5. Re:Basic product development by BVis · · Score: 1

      Agreed. This attitude more than anything else, in my opinion, is the biggest challenge the current economic environment faces. How do you keep someone from sacrificing long-term growth and stability for short-term gains, when they have a financial incentive to build the latter? You don't. Not without a mandate from an outside authority.

      Yeah, yeah, gubmint bad, free market good, invisible hand, FREEEEEDOOOOOMMMM, etc.

      --
      Never underestimate the power of stupid people in large groups.
  13. Nothing new. by nospam007 · · Score: 4, Informative

    That's why you run decrapifier as the very first thing. http://www.pcdecrapifier.com/

    Only then do you run your ninite selection. https://ninite.com/

    1. Re:Nothing new. by TheGratefulNet · · Score: 1

      lenovo was caught and they are backpedaling. they SAY there is a removal script.

      does it do a complete job? somehow, I have my doubts and that it leaves some stuff behind (like almost all windows 'uninstallers').

      I really wish the US would punish companies (in a truly painful way, such as 10% or more of their GROSS income) when they act in bad faith, on purpose, like this.

      then again, if the US punished bad actors, it would have to constantly punish ITSELF.

      well, maybe that's needed too .....

      as we all know, if a bad actor behaves badly and there is no punishment, what reason does he have to change his bad ways?

      the fact that the US fellates all corporations, as a form of religion, is what allows them to continue the bad behavior. in fact, it encourages it by rewarding 'profit, above all else'.

      it really seems clear to me that we have chosen the wrong 'god' to worship. profit, above all else, WILL be our downfall. it has started already and many of us see it. but our words are not being heard ;(

      --
      "It is now safe to switch off your computer."
    2. Re:Nothing new. by DocSavage64109 · · Score: 1

      I wonder how much money they made by selling out and compromising the systems of so many of their customers. If I was to rob someone of just $10, I would face court and hundreds if not thousands in fines. This society truly is set up to only punish poor people and their types of crime.

    3. Re:Nothing new. by bmo · · Score: 2

      does it do a complete job? somehow, I have my doubts and that it leaves some stuff behind (like almost all windows 'uninstallers').

      It doesn't

      http://forums.lenovo.com/t5/Le...

      Uninstalling Superfish Visual Discovery

      Go to Control Panel > Uninstall a Program
      Select Visual Discovery > Uninstall
      Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well. The Superfish service will stop working as soon as it is uninstalled via above process, and following reboot.

      And then....

      This article will be updated with additional instructions on clean up of deactivated files and removal of certificate shortly.

      Uh huh. Sure.

      --
      BMO

    4. Re:Nothing new. by Anonymous Coward · · Score: 0

      they SAY there is a removal script.

      does it do a complete job? somehow, I have my doubts(

      I believe your fears have already been proven correct.

      http://www.csoonline.com/article/2886396/malware-cybercrime/lenovo-shipping-laptops-with-pre-installed-adware-that-kills-https.html?page=2

      It leaves the superfish certificate installed.

    5. Re:Nothing new. by Anonymous Coward · · Score: 0

      Fuck that. Who knows what 3rd party shitware has come riding with whatever shovelware a PC maker has put on in order to widen their razor thin margins.

      Wipe and pave is the only solution. (Preferably zero the first meg or so to wipe the MBR and partition table/GPT just in case. Or run a low level tool that zeros and 'refreshes' for max performance if it's an SSD)

      Believe it or not, go with win 8.1. Just install your favorite start menu replacement and enjoy a faster, more stable, more mature windows 7.

      Win7 is great and all but it's starting to show its age. It takes no less than 3 gigs of updates to get win7 current. (Which takes an hour and a half on a current quad core intel system with a fast SSD) - Twice that if you install any version of office.

    6. Re:Nothing new. by Dragonslicer · · Score: 2

      as we all know, if a bad actor behaves badly and there is no punishment, what reason does he have to change his bad ways?

      the fact that the US fellates all corporations, as a form of religion, is what allows them to continue the bad behavior. in fact, it encourages it by rewarding 'profit, above all else'.

      it really seems clear to me that we have chosen the wrong 'god' to worship. profit, above all else, WILL be our downfall. it has started already and many of us see it. but our words are not being heard ;(

      It started with a good idea: make it so that a person who makes a mistake running their business can't be sued into personal oblivion. If you remove that major risk factor, it will encourage (or more accurately, not heavily discourage) more people to start their own businesses. Eventually, though, corporations got big enough that they could use this merely to shield themselves from the consequences of any actions they take, so there's no risk at all to doing things that would likely destroy most small businesses.

      This is why we can't have nice things.

    7. Re:Nothing new. by Khyber · · Score: 1

      " they SAY there is a removal script.

      does it do a complete job?"

      Not. Even. Close.

      You might clean out the cert store for Windows, but that does nothing if you have FF/Thunderbird or Opera installed. They have their own cert stores and those get infected, too. Lenovo won't touch those programs.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    8. Re:Nothing new. by david_thornley · · Score: 1

      I'm not real bothered by the corporate liability barrier. If an executive trashes the stock price, there's usually at least some token punishment.

      What bothers me is corporations getting away with criminal actions. The Sony rootkit is a good example: if I had done that, I'd have served serious prison time. This is another one. The corp responsible usually manages to shield any employees from criminal charges (in some cases, they may throw a few peons to the wolves) and comes out profiting from its crimes. Crime doesn't pay for individuals, but corporations profit on it.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  14. chrome and scriptsafe blocked it for me by Anonymous Coward · · Score: 1

    scriptsafe on chrome kept asking about loading best-deals-products.com. I said blacklist, never saw anything. only after searching on the domain name did I find out about superfish and then delete it

  15. At Apple HQ... by fuzzyf · · Score: 1

    "You mean we can pay Lenovo to install crap on all their laptops?"
    "Yeah"
    "What the... that's just... well.. go for it!"

    1. Re:At Apple HQ... by DocSavage64109 · · Score: 1

      So this is all a brilliant scheme by apple to discredit their competitors? I wonder if they are also responsible for Samsung putting crappy apps on their phones and tablets?

    2. Re:At Apple HQ... by fuzzyf · · Score: 1

      No.
      Just a joke.

  16. Bastards by Anonymous Coward · · Score: 0

    Lenovo lost a lot of sales at my company because of the bloat & crapware they install.
    My last experience with a Lenovo laptop was one of the worst of my career. Never again.

  17. Lenovo website says they deactivated it... by fonos · · Score: 3, Interesting

    http://forums.lenovo.com/t5/Le...

    "Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
    Lenovo stopped preloading the software in January.
    We will not preload this software in the future."

    However, later in the post they state that the root CA will remain intact. The private key has already been extracted and cracked, so this leaves Lenovo users still open to a very easy MITM attack.

    1. Re:Lenovo website says they deactivated it... by JohnFen · · Score: 4, Insightful

      Yes, that response was insufficient on a number of points. But what struck me about their statement was this:

      The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.

      Why in the world do companies keep insisting that datamining and delivering ads "enhances the experience for users"? They can't possibly believe that. If they do, then they're hopelessly delusional. If they don't, then they're scumbag liars. Either way, it does nothing but make them look terrible.

    2. Re:Lenovo website says they deactivated it... by amicusNYCL · · Score: 1

      Why in the world do companies keep insisting that datamining and delivering ads "enhances the experience for users"?

      Because it's the only way they can possibly spin advertising as being somehow pro-consumer. There's really no other way.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Lenovo website says they deactivated it... by zlives · · Score: 1

      "enhances the experience for users"

      that's why super-fish is mandatory and installed on all their corporate PCs?

    4. Re:Lenovo website says they deactivated it... by hcs_$reboot · · Score: 1

      Superfish has completely disabled server side interactions

      That means they probably have no way to disable the client side. Poorly implemented crap.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re:Lenovo website says they deactivated it... by Anonymous Coward · · Score: 0

      You wouldn't want them to install ANOTHER bogus cert when they update you to Massiveaquaticvertebrates, would you?

      Of course they won't install THAT software in the future, the new version will be even more helpful for an immersive user experience!

    6. Re:Lenovo website says they deactivated it... by david_thornley · · Score: 1

      Showing the user relevant ads is a useful service. Amazon does that. They like to show me ads for books I might like, and they're often very tempting and I often wind up buying them. I benefit from that.

      Whether this is worth the privacy invasions and potential data links and security holes is another question entirely, and the answer is "no". However, as long as Lenovo talks about the benefits of the ad targeting and avoids hinting at possible downsides, they aren't really lying.

      It's similar to: Buy Joe's Thermite - the permanent solution to your computer security problems!

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    7. Re:Lenovo website says they deactivated it... by JohnFen · · Score: 1

      Showing the user relevant ads is a useful service.

      It can be, in the right context. Amazon showing me ads for other Amazon products I might like is acceptable -- I'm already shopping, after all. My computer injecting ads into random web sites is not acceptable, nor is it useful. It's malware. Showing ads in any context where I'm not actually shopping is never actually useful to me, but would be tolerable if there were no tracking going on.

      However, as long as Lenovo talks about the benefits of the ad targeting and avoids hinting at possible downsides, they aren't really lying.

      I honestly don't see any benefit to what Superfish does whatsoever. So, as I said, they might not be lying -- in which case they're delusional.

  18. Not the first time. by Deathlizard · · Score: 1

    I've run into this recently on a Lenovo tablet, but I don't think it was superfish (honestly I don't remember the name, but it was factory installed. ADWCleaner caught it.) although it looks like they purposely obfuscate the name to confuse people so they can't uninstall it.

    And this is Adware No. 2 for them. They had their own homebrewed Adware program called Message Center Plus. It was so bad that MSE Detected it.

    IBM knew how to make a laptop. Lenovo knows how to exploit a brand name. It's a good thing Google sold Motorola to them so they can exploit my phone now.

  19. Don't dismiss RMS by matbury · · Score: 4, Insightful

    Richard Stallman is spot on regarding free and open source software (FOSS). He warns us about how proprietary, closed source software can be abused and that our dependency on it is a danger to civil society. In case you didn't see it the first time round: https://www.youtube.com/watch?... Only an idiot would dismiss the concerns he raises.

    1. Re:Don't dismiss RMS by macs4all · · Score: 1

      Richard Stallman is spot on regarding free and open source software (FOSS). He warns us about how proprietary, closed source software can be abused and that our dependency on it is a danger to civil society. In case you didn't see it the first time round: https://www.youtube.com/watch?... Only an idiot would dismiss the concerns he raises.

      In theory, he is correct, and I certainly don't dismiss his CONCERNS; however, as a practical matter, it is an undeniably and obviously unreasonable assumption that more than about .01% (just a guess, and probably WAY too high of a number) of the total computer-buying (let alone "computer-USING") meatsacks on the planet could even recognize, let alone safely extract, even blatantly-added malware (let alone obfuscated malware) simply from staring at even uncommonly-well-documented Source Code (let alone Source with a comment block every 500 lines or so), even if given an infinite amount of time (which, of course 0.00% of us meatsacks actually have).

      So, for those reasons (and many others too numerous to mention), "only an idiot" would believe that F/OSS is, in any way, shape, or form, an actual panacea for the detection and elimination of malicious code-insertion by the 99.99% of the computer-buying (let alone computer-USING!) public.

      Amirite?

    2. Re:Don't dismiss RMS by david_thornley · · Score: 1

      You're overlooking that Joe User doesn't have to know C++ from Arabic. All it takes is a few people to find something wrong, which is easier with the source code, and publish a patch, and that may be effectively impossible with proprietary software.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    3. Re:Don't dismiss RMS by matbury · · Score: 1

      This is the usual argument against taking steps in more positive directions; "Because it is insufficient, it is pointless." It implies dichotomous, binary states of win or lose, good or evil, us or them. The real world is never so simple and such dichotomies are merely constructed arguments to frame and force decision making in a particular direction. If someone ever offers you an A or B choice, ask them why they've narrowly and manipulatively framed a complex situation in that way. We need FOSS, we need transparency of people in positions of influence and power, we need privacy for the rest of us, we need democratically organised and controlled regulation.

  20. Boycott Lenovo by Anonymous Coward · · Score: 0

    I have never owned a Lenovo product, and now I certainly never will.

    Remember not to buy Lenovo products or services ever again. It does not matter if you would not be affected because you install your operating system yourself. Any company doing things like this should go bankrupt.

  21. Total Idiocy by Khyber · · Score: 4, Informative

    "Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well."

    Which means we can crack that shit and pwn any computer that even had the software 'removed.'

    Oh, and then issuing certificates under the names of other corporations? I do believe that is identity theft, at the bare minimum.

    Lenovo should be hit in the courts hard over this.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Total Idiocy by Anonymous Coward · · Score: 0

      LOL why don't you American idiots sue the NSA and all the corps that work with them first? This is nothing compared to what they've been doing.

      Are you going to pretend to be stupid and look the other way?

    2. Re:Total Idiocy by ale2011 · · Score: 1

      And notice that the US-Cert alert (TA15-051A) is not for the spyware by itself, it is because the superfish is vulnerable...

      It's idiotic to have pre-installed certificates. It implies admitting total ignorance on what trust is and what it implies.

  22. Completely unacceptable by Anonymous Coward · · Score: 0

    This really is enough to end large business relationships. Think about US gov network nodes with stuff on them.

    I know these same outfits should be running custom endpoint images but still.

  23. Lenovo isn't worth it. by Anonymous Coward · · Score: 0

    I stopped bothering with Lenovo over a year ago when their machines began to ship without the ability to create a recovery disc. They were the only brand at our store which did this. Good to know they're still awful.

  24. Firefox immune to this shit by Khyber · · Score: 2

    Firefox maintains its own certificate database so this SSL MITM vulnerability won't affect FF users - only IE and Chrome.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Firefox immune to this shit by Khyber · · Score: 1

      Correction: There might be code to inject into FF and Opera - https://twitter.com/supersat/s...

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  25. Goodbye Lenovo by WorldWarPi · · Score: 1

    I've bought a dozen Thinkpads over the years. Lenovo has now lost my trust. Goodbye.

  26. Criminal by Anonymous Coward · · Score: 0

    They need to stop calling this stuff "adware" or "bloatware". This is just a pre-deployed malicious computer crack intended to illegally gather information on users and their systems. Getting users to buy this system is just a form of social engineering. Nobody would purchase these systems if they understood the consequences of this superfish software. I believe that this should cross the line into the criminal side of things. Someone should go to prison for this.

  27. Caught with their pants down. by Anonymous Coward · · Score: 0

    I like how when companies get caught with their pants down the PR tries to spin things.

    LOL "user feedback was not positive" really? You think? Who's going to give positive feedback to adware being included on something they purchased.

    "Visual Discovery / Superfish was previously included on some consumer notebook products shipped in a short window between October and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:"

    http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206

    1. Re:Caught with their pants down. by Khyber · · Score: 1

      Yup, lying sacks of shit. I caught them in their lie, too.

      They say they stopped this in December?

      Why does this say it stopped in January here in the official topic?

      Why does this updated "security advisory" state February as the actual stopping month?

      Lenovo is a lying sack of shit. We should start a change.org petition and tell the Gov't to bar Lenovo from all future USGov't contracts.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  28. Problem is the incentives by ErichTheRed · · Score: 1

    I'm a big ThinkPad fan, but I generally go download a fresh set of drivers and run my own OS install when I buy one.

    This just sounds like a PC manufacturer wanting to juice the margin a few dollars by installing some crapware. Most techies just wipe out the crapware, but the crapware vendors pay the manufacturer to put their crapware on the machine image. Unfortunately, it looks like they went one step further and installed crapware that was spyware also.

    I'm surprised they thought they could get away with it -- but maybe my line of reasoning was used -- "consumers don't know the difference, pros wipe out the crapware, what's the harm?" Companies need to be prepared for the fact that people are going to disassemble, reverse-engineer and poke and prod every little thing about their products, then release detailed accounts of it all over social media and the tech blogs. It sounds like someone hasn't realized that yet or was willing to take the risk.

  29. Another on the list by JohnFen · · Score: 1

    Well, I'll just add Lenovo onto my list of companies whose products I will never again purchase. That they could think this was an acceptable thing to do tells me that they cannot ever be trusted.

    1. Re:Another on the list by Anonymous Coward · · Score: 0

      Imagine how the world feels about buying ANY American products.

      I am sure Microsoft hid nothing in their software for the NSA. Wait, they did.

    2. Re:Another on the list by Khyber · · Score: 1

      Lenovo is a Chinese company, now. Where the fuck have you been, in a cave?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  30. Not identity theft by Anonymous Coward · · Score: 0

    The correct word is fraud. Fraud has been a criminal offense for a very long time.

  31. Jail them by Anonymous Coward · · Score: 0

    If they would start filing criminal charges against executives like this and locking them in prison for 30+ years, that would put a stop to that.

    They should have started with Bill Gates and arrested him for perjury.

    Then Carly Fiorina for Alexia spyware distributed with HP printer drivers.

    Then the Sony music exec who had the root kits placed on the music CDs.

    Marriott GM in Nashville for DOSing private networks.

    If the just-us department and US Attorneys would do their job instead of going after easy targets like Aaron Swartz, this wouldn't be a problem.

  32. What the fuck slashdot? by Anonymous Coward · · Score: 0

    News about some notebook ad middleware that can be disabled at setup (not unlike those toolbar bullshit installations) gets front page position.

    While NSA malware infiltrating all top hard drive brands in over 30 countries never gets to the front page, I watched this news get deleted 3 times from the firehose.

    Looks like the NSA/GCHQ psyop team are busy at work after one of the most effective malware got exposed.

    NSA malware found hidden in hard drives for nearly 20 years

    Russian security software vendor Kaspersky Lab, which this week released a report revealing that thousands of hard drives from 30 nations have been infected by U.S.-government sanctioned malware in existence for nearly 20 years, today said there's no way of knowing if your computer is infected and intelligence agencies are surveilling it.

    Once a hard drive or SSD gets infected with this malicious payload, it's impossible to scan its firmware. To put it simply: For most hard drives, there are functions to write into the hardware's firmware area, but there are no functions to read it back. "It means that we are practically blind, and cannot detect hard drives that have been infected by this malware," said Igor Soumenkov, principal security researcher at Kaspersky Lab. The drives in PCs and Macs that were infected by the malware represented more than a dozen major HDD and SSD makers. Kaspersky all but said it was the NSA that created and used the spyware.

    Reuters also cited a former NSA employee as having confirmed the latter. Two of the largest drive makers, Western Digital and Seagate, said prior to the report, they had no idea their drives had been targeted. A WD spokesman said the company has not participated in or supported the development or deployment of cyberespionage technology by government entities, adding that "Western Digital has not provided its source code to government agencies." Seagate said its self encrypting drives are supposed to thwart reverse engineering of its firmware. "This is an astonishing technical accomplishment and is testament to the group's abilities," Kaspersky's report stated.

    http://www.computerworld.com/article/2885069/theres-no-way-of-knowing-if-the-nsas-spyware-is-on-your-hard-drive.html

  33. I used to recommend IBM/Lenovo by phorm · · Score: 2

    But these days I tend to recommend Asus. Certainly they can cost a bit more than an HP/Acer, but they're fairly solid and have a decent warranty. My only real complaint is their preference for 1366x768 resolution laptop screens...

    1. Re:I used to recommend IBM/Lenovo by Anonymous Coward · · Score: 0

      ...I'm boycotting Asus since their web site is the worst thing I've tried to use =/ I don't want to try it ever again

    2. Re:I used to recommend IBM/Lenovo by dwywit · · Score: 1

      I've had a pretty good run with Toshibas over the last couple of years. Simple to setup, and when it reaches the desktop, delete the bloatware, install my suite of preferred anti-malware, browser, etc, and off to the customer it goes.

      Toshiba warranty service has deteriorated a bit (re-install the OS for an un-detected DVD drive....really?), but Asus tech support here in Oz is TERRIBLE. I had a 27" screen that had a fault out of the box. My supplier told me I had to deal direct with Asus, because Asus support have to approve all returns (which is technically illegal here - there's a mandatory 14-day no-arguments return law - if it's faulty and within 14 days of purchase, it MUST be replaced, no questions asked). They made me sign up to their "support group" before I could lodge a fault, then it took over two weeks to get the return approved. Never buying Asus products again.

      --
      They sentenced me to twenty years of boredom
    3. Re:I used to recommend IBM/Lenovo by Khyber · · Score: 1

      I've had several shit runs with Toshiba recently. Let's see...

      Newer Toshiba - 64-bit system - dual core, Intel 965, HARD LIMIT TWO GIGS OF RAM.
      Older Toshiba - 32-bit system - dual core, Overclockable Intel 945 (and it stomps the shit out of the 965 once brought to the original design spec clock speed of 400MHz vs 166 MHz and does so with almost ZERO increase in thermals) and can have a maximum of 4GB of RAM.

      That's pretty shitty as far as I'm concerned. Thoughtless hardware limitations, newer hardware that's WEAKER than a prior-gen model FOR MORE CASH, and their DC jacks fucking SUCK (I've just hard-soldered the power adapters to the board to fix that problem.)

      Their batteries are equally shit, more prone to heat degradation even moreso than HP, and HP is the king of hot fucking laptops.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    4. Re:I used to recommend IBM/Lenovo by Samhain138 · · Score: 1

      Worst thing? Try their customer support (or worse, RMA process).
      Sent in my Zenbook UX31A because the keyboard had non-functioning keys (up/down/esc?).
      Got it 6 months later (after a ton of phone calls and email correspondences).
      The keyboard worked alright, but the sound card was DOA and it was missing a couple of screws.
      The international warranty is a hoax as well...

    5. Re:I used to recommend IBM/Lenovo by gmack · · Score: 1

      Toshiba: large hole in the bottom where the air gets sucked in and then blown against a heat sink with tiny fins. Dust gets sucked in and blown against the heat sink where it gets stuck and when that dust layer gets thick enough, the only way to clean it is to rip the whole laptop apart. It's almost as if they designed the laptop to wear out after a year or two passes.

    6. Re:I used to recommend IBM/Lenovo by bingoUV · · Score: 1

      1366x768 is an epidemic that I see affecting every laptop manufacturer. Do you know of any laptop maker that is immune?

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    7. Re:I used to recommend IBM/Lenovo by phorm · · Score: 1

      Some of the mid-range and many upper-range Dell laptops do 1920x1080. It's more common on 17" screens so you do end up with a larger laptop as well. Some HP laptops also have 1080P displays, and 1600x900 used to be common on various models.

      I remember seeing a Dell laptop in the past that did 2200x1200 or something like that. I was very tempted to buy but unfortunately it was one of those affected by the flaky GPUs that tended to desolder themselves over time.

  34. WARNING by Anonymous Coward · · Score: 0

    Any such software or hardware that has such an effect is considered a military attack and will be subject to a response.

  35. Bad joke by mu51c10rd · · Score: 1

    So you could say the fish was caught?

    1. Re:Bad joke by Cro+Magnon · · Score: 1

      I'd say that it confirms that Lenovo is a fishy company.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  36. Nonsense. by ikhider · · Score: 1

    Really guys? This is on the Windows side. The Windows OS is one massive piece of malware. It is like you are crying over a cut when there is a massive gaping shotgun blast through the chest. Once you agree to the Windows terms of service, you are already compromised. They now have you signing in with your Microsoft ID account that tracks you anyway. However, once you install GNU/Linux or OpenBSD or any freedom respecting software like Trisquel or FreeSlack or Dragora, they cannot do anything to you. Lenovo makes nice laptops.

    --
    "SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
    1. Re:Nonsense. by Anonymous Coward · · Score: 0

      Ridiculous...you still aren't free from this if you installed open source. Your ISP has access to all your packets and can do a MITM attack as well.

    2. Re:Nonsense. by Khyber · · Score: 1

      "Really guys? This is on the Windows side"

      Nope, just tried using the injection code that the malware has for FireFox under Linux (Ubuntu) - it works and injects into FF's certificate store.

      Perhaps you should do some of the work yourself instead of spouting off nonsense.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:Nonsense. by ikhider · · Score: 1

      So what you are saying is that if you run OpenBSD, or any Libre GNU/Linux distro, Lenovo malware will break through whatever security precautions you take and own your machine? Documentation please.

      --
      "SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
    4. Re:Nonsense. by Khyber · · Score: 1

      You apparently don't know how to read.

      It injects into FF's store. Not the fucking OS.

      Re-read, comprehend, understand, then try your comment again.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:Nonsense. by ikhider · · Score: 1

      We're talking about Lenovo installing some malware crap on the Windows OS when you get your machine out of the box. I'm talking about wiping the OS or plugging in another fresh drive and installing a fresh, secure OS. Once you surf on the interwebs, you take your chances and use your precautions like anyone else. My point was that though some complain of Lenovo's practise of third party software crap, keep in mind that the Windows OS is not much better.

      --
      "SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
    6. Re:Nonsense. by Anonymous Coward · · Score: 0

      So what you are saying is that if you run OpenBSD, or any Libre GNU/Linux distro, Lenovo malware will break through whatever security precautions you take and own your machine? Documentation please.

      So what you are saying is that it is impossible to run FireFox on any OS you listed?
      I think it is you that needs to provide the documentation...

      But since you asked:
      https://developer.mozilla.org/...

      Tier-3 platforms have a maintainer or community which attempt to keep the platform working.

              Windows/x86-64 (msvc)
              Linux on various CPU architectures including ARM, PPC, 68k - maintained by various Linux distributions
              OpenSolaris/x86&SPARC - maintained by Simon.Jin and Ginn.Chen
              OS X/ppc (gcc) - maintained by Cameron Kaiser
              FreeBSD (gcc) - maintained by Jan Beich
              OpenBSD (gcc) - maintained by Landry Breuil
              Darwin/X11 - maintained by Jeremy Huddleston
              Windows/x86 and x86-64 (mingw gcc) - maintained by Jacek Caban - some features are disabled because they require MS COM or the w32api project doesn't expose the necessary Windows APIs

      Bold added by me to indicate support for each OS you specifically said was not supported.

      It should also be noted any OS with GCC should be able to compile FireFox (at least in theory), so even open source and free OSes you didn't list should also be capable of compiling and running FireFox (again, at least in theory).

      So yes, all of firefox, firefox, firefox, and firefox will run the Lenovo javascript certificate injection code and "own you".
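
    The posts above (Khyber's in threads 13, 24 and 36, and the quoted removal notice that leaves the root certificate in place) all come down to the same defensive point: cleaning the Windows certificate store is not enough, because Firefox keeps its own NSS trust database per profile. The following PowerShell audit is an added example written for this page; it is not code from the thread, from Lenovo's removal script, or from Superfish. It assumes a Windows host with PowerShell 3 or later, the default Firefox profile location under %APPDATA%, and that the suspicious root can be recognised by a subject-name substring (the `$Pattern` default of `*Superfish*` is an assumption, not a page-supplied identifier). It only reports; it removes nothing.

```powershell
# Added example (not from the Slashdot thread, Lenovo or Superfish):
# 1. walk every Windows certificate store and flag certificates whose
#    subject matches a suspicious pattern, noting whether each is a
#    self-signed trust anchor;
# 2. list the Firefox NSS certificate databases (cert8.db / cert9.db)
#    that a Windows-store-only cleanup never touches.
# Assumptions: Windows, PowerShell 3+, default Firefox profile path,
# and that $Pattern identifies the unwanted CA (adjust as needed).

param(
    [string]$Pattern = '*Superfish*'   # assumed subject substring to look for
)

function Find-SuspiciousRoot {
    param([string]$SubjectPattern)
    # Cert:\ exposes CurrentUser and LocalMachine as a drive; -Recurse
    # walks every logical store (Root, AuthRoot, CA, My, ...) under both.
    # Store container objects have no Subject, so they never match.
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $SubjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                # PSParentPath looks like "...Certificate::LocalMachine\Root"
                Store        = $_.PSParentPath -replace '^.*::', ''
                Subject      = $_.Subject
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
                # subject == issuer means a self-signed cert; in a Root
                # store that is a trust anchor the whole machine honours
                IsSelfSigned = ($_.Subject -eq $_.Issuer)
            }
        }
}

function Get-FirefoxCertDatabases {
    # Firefox keeps trust per profile in its own NSS database, independent
    # of the Windows store. cert8.db is the 2015-era format, cert9.db the
    # later SQLite format; either must be inspected with NSS certutil or
    # Firefox's own certificate manager, not with the Windows tools.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return @() }
    Get-ChildItem -Path $profiles -Directory |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Filter 'cert*.db' -File -ErrorAction SilentlyContinue
        } |
        Select-Object FullName, Length, LastWriteTime
}

$hits = @(Find-SuspiciousRoot -SubjectPattern $Pattern)
if ($hits.Count -eq 0) {
    Write-Output "No certificate matching '$Pattern' in any Windows store."
} else {
    Write-Output "Certificates matching '$Pattern' (review each before removing):"
    $hits | Format-Table -AutoSize
}

$dbs = @(Get-FirefoxCertDatabases)
if ($dbs.Count -gt 0) {
    Write-Output "Firefox certificate databases that need a separate check:"
    $dbs | Format-Table -AutoSize
}
```

    Run it from an elevated prompt so the LocalMachine hives are readable. A match with `IsSelfSigned` true under a `Root` store is the case the thread is worried about: any leaf certificate signed by that key will be accepted by IE and Chrome, which defer to the Windows store. An empty Windows result with a populated Firefox list is the gap Khyber describes, and the Firefox databases have to be reviewed on their own.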

  37. Information about the Responsible Parties by Khyber · · Score: 2

    http://i.imgur.com/kRO8OW5.png

    A nice cached screencap of their (conveniently) down website.

    See all these people, here? These are the people that need to be dragged into court.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  38. 2 big 2 jail by Anonymous Coward · · Score: 0

    Big laws are for small people.

  39. Secure Boot by Anonymous Coward · · Score: 0

    Don't worry, UEFI secure boot will fix all of this, and make us all safe.
    LOL
    Wait till you can not install any OS image other than the one that came with your machine. HAHA

  40. Did anyone bother to check this out? by WinstonWolfIT · · Score: 2

    From : http://news.lenovo.com/article...

    LENOVO STATEMENT ON SUPERFISH
    Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:

            Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
            Lenovo stopped preloading the software in January.
            We will not preload this software in the future.

    1. Re:Did anyone bother to check this out? by Khyber · · Score: 1

      Yeah, and it's a big lie as there are forum posts in JUNE talking about this exact software.

      Do you bother to do investigation before jumping to a conclusion?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    2. Re:Did anyone bother to check this out? by Anonymous Coward · · Score: 1

      Yes, and as you can read above, if you had taken the time, or if you had actually quoted the full statement, they left the fake certificate in place. Since the key of those certificates is known, it means all laptops on which this has been installed remain vulnerable to a MITM attack.

  41. slower in theory, faster in practice. w/cheating by raymorris · · Score: 1

    > That cannot be true almost by definition. Running a virtual machine of any description carries overhead which you will not incur running directly on the hardware.

    A computer scientist might say that's true. A stopwatch will say the virtual machine is faster - much faster. You can easily see it for yourself by checking how long it takes to reboot while installing Windows updates. You can also explain it "scientifically".

    You would agree, I'm sure, that a system with 8GB of RAM and a hard drive with 64MB of drive cache might be much faster than a machine with 8.01GB of RAM and 1MB of drive cache. Agreed?

    We've established that a machine with more RAM serving as storage cache might be faster than one with less, even if the one with small storage cache has more RAM overall.
    Therefore, a system with 6GB of RAM and 1GB of drive cache might be faster than either of the above 8GB machines. That's essentially what a machine running a VM is. From the perspective of the guest OS, the host hypervisor is firmware - firmware with a GB of cache RAM.

    Also the hypervisor or host OS may simply do a better job of using the hardware, it may have better drivers. If the hypervisor has a very fast driver for the storage, while Windows has a slower driver for that storage, it may be faster to let the hypervisor talk to the hardware. Windows uses the virtual storage driver which should be extremely fast because all it does is map, or perhaps copy, RAM.

    You can see a very clear case of a virtualized copy of Windows being much faster than one running on metal by just installing some Windows updates that require rebooting the OS. On metal, a full reboot may take over a minute to complete all of the "on startup" processes. Within a hypervisor, the same processes may complete in under 10 seconds because everything is read from host cache RAM rather than from spinning platters. From a computer science perspective you might say "that's cheating, the virtualized Windows didn't have to actually reboot the hardware". Well no, it didn't. And that made it much, much faster. It's much faster BECAUSE it didn't have to reboot the hardware, but the first three words of that sentence are "it's much faster".

  42. Computer Fraud and Abuse Act (CFAA) by LessThanObvious · · Score: 1

    How does interfering with user encryption this way not qualify as a violation of the Computer Fraud and Abuse Act (CFAA) ?

    1. Re:Computer Fraud and Abuse Act (CFAA) by Khyber · · Score: 1

      Considering it's bypassing BANK security stuff as well as anything else using SSL...

      Well, the execs won't see jail time - they're in fucking China.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  43. another classic crave, dweeb response by Anonymous Coward · · Score: 0

    Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick.

    not quite. Another reason not to buy said laptops

  44. Re:slower in theory, faster in practice. w/cheatin by log0n · · Score: 1

    Not to mention that a VM won't have crapware installed.

  45. It's everything down to the ThinkPad line by Khyber · · Score: 1

    https://forums.lenovo.com/t5/W...

    Registry entries are there even on laptops from 2011.

    So this has likely been in planning stages for years.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  46. Don't buy Lenovo by jerryjnormandin · · Score: 1

    If Superfish is installed the adware can be searching the hard drive for financial information, credit card, bank accounts, all at risk. I suggest not to purchase any Lenovo equipment. It's not what it used to be anyway. If you have to buy a Lenovo then I suggest you re-image it.

  47. Looks like not only Lenovo. by Khyber · · Score: 1

    Still doesn't absolve Lenovo of failing to do proper audit/review.

    http://marcrogers.org/2015/02/...

    And *NOW* Lenovo is trying to CYA more by issuing a 'security advisory' for the software:

    http://support.lenovo.com/us/e...

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  48. I just caught Lenovo in a lie by Khyber · · Score: 1

    http://imgur.com/H8459Z3,87zOr...

    Oh how quickly you changed your original statement from January to February.

    Good thing we can screencap and HTML-rip your entire site for the proof, Lenovo.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  49. This is why I use Ubuntu. by Drunkulus · · Score: 1

    The best spyware comes from Canonical and unlike Windows you can get it for FREE!

  50. Something else to note by Khyber · · Score: 1

    Since this thing tries to infect the Cert Store each browser utilizes, removing the stuff from the Windows Cert Store will not remove the stuff in Thunderbird, FF, or Opera. Those are still infected and vulnerable.

    Looks like a full DBAN zero-out format is the only way to go.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  51. Damn odd definition of running fast by Anonymous Coward · · Score: 0

    That hasn't said anything about it RUNNING faster. I would imagine a virtual REBOOT is faster.

    That is more like the opposite of RUNNING. I have a 4.7MHz system that probably REBOOTS faster than either (OS actually IS in firmware) but it doesn't RUN any faster than my calculator.

    1. Re:Damn odd definition of running fast by Khyber · · Score: 1

      It's been proven that in many cases emulating/virtualizing is much faster even in running software.

      But you probably are too young to remember when at one point in time WINE was giving games better Linux performance versus their native Windows version - upwards of a 10% increase in framerate.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    2. Re:Damn odd definition of running fast by david_thornley · · Score: 1

      WINE Is Not an Emulator, more like a framework. It's a way of natively running Windows software on Unix and Linux and similar OSes. Is anybody surprised that a good version of Linux could run 10% faster than Windows?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  52. "Lenovo Allegedly Installing "Superfish" Proxy..." by ikhider · · Score: 1

    Well, it just so happens that when you install a nice, secure OS instead of the spyware that comes with your Lenovo product, you do not have to worry about this issue. It will not inject nasty stuff. Isn't that nice? Try a nice GNU/Linux OS or one of the BSDs. Also, who uses Google these days anyway? So much nasty tracking going on! Also, if you insist on using Firefox, distros like Trisquel repackage it as "abrowser" and make it run more securely. Turn that frown upside down!

    --
    "SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
  53. Re:"Lenovo Allegedly Installing "Superfish" Proxy. by Khyber · · Score: 1

    "Well, it just so happens that when you install a nice, secure OS instead of the spyware that comes with your Lenovo product, you do not have to worry about this issue"

    Except this stuff can hit FF and Opera and Thunderbird, which don't use the OS's cert store. Which means FireFox on Linux and BSD can get fucked as well.

    And since this crapware is utilized as the base for many other programs, many of which have Linux ports, you can rest assured that there are quite likely infected Linux machines.

    Well, no surprise someone freely espousing OSS nonsense wouldn't have half a fucking clue what they're talking about.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
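The cert-store point raised in comments 50 and 53 (Firefox and Thunderbird keep their own NSS certificate database, so cleaning the Windows certificate store leaves them untouched) as an added example, not code from the original thread or any poster: a Python script that parses an NSS `certutil -L` listing, reports trusted SSL CAs that are not on a baseline, and locates the profile directories to run certutil against. The listing layout, profile paths, baseline and sample rows are assumptions constructed for the example.

```python
import re
from pathlib import Path
from typing import Iterable, List

# Constructed sample of an NSS `certutil -L -d sql:<profile-dir>` listing, the
# tool that dumps the certificate database Firefox and Thunderbird keep on
# their own, separate from the Windows certificate store. Layout assumed
# from NSS certutil: nickname, then SSL,S/MIME,JAR/XPI trust flags.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Superfish, Inc.                                              CT,C,C
DigiCert Global Root CA                                      CT,C,C
my-personal-cert                                             u,u,u
"""

# Constructed baseline: root CAs the reviewer expects to find in the profile.
EXPECTED_CAS = {"DigiCert Global Root CA"}

# One listing row: nickname, two or more spaces, then the three trust fields.
_ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<jar>[A-Za-z]*)\s*$")


def trusted_ssl_cas(listing: str) -> List[str]:
    """Nicknames whose SSL trust flags contain 'C' (trusted to issue server certs)."""
    cas = []
    for line in listing.splitlines():
        m = _ROW.match(line)
        if m and "C" in m.group("ssl"):
            cas.append(m.group("nick"))
    return cas


def unexpected_cas(listing: str, expected: Iterable[str] = EXPECTED_CAS) -> List[str]:
    """Trusted SSL CAs absent from the baseline; an injected root like Superfish surfaces here."""
    return [n for n in trusted_ssl_cas(listing) if n not in set(expected)]


def nss_profile_dirs(home: Path) -> List[Path]:
    """Directories under the usual Firefox/Thunderbird locations (assumed paths, Linux and
    Windows) that hold an NSS cert DB: cert8.db (legacy) or cert9.db (current)."""
    patterns = (".mozilla/firefox/*/cert*.db", ".thunderbird/*/cert*.db",
                "AppData/Roaming/Mozilla/Firefox/Profiles/*/cert*.db",
                "AppData/Roaming/Thunderbird/Profiles/*/cert*.db")
    return sorted({p.parent for pat in patterns for p in home.glob(pat)})


if __name__ == "__main__":
    print("unexpected trusted CAs in sample:", unexpected_cas(SAMPLE_LISTING))
    for d in nss_profile_dirs(Path.home()):
        print("check with: certutil -L -d sql:%s" % d)
```

Run certutil (from the NSS tools package) against each directory the script prints and feed its output to `unexpected_cas`; a CA that is trusted for SSL but not on your baseline is the one to remove with `certutil -D`.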
  54. ThinkPad alternative? by davidshewitt · · Score: 1

    I used to be a big fan of Lenovo's Thinkpads but the quality (and keyboard) has gone downhill in recent models. Preinstalling malware is the final deal-breaker (The TFS says it was to consumer-grade machines, but doing this is a serious breach of trust).

    Does anyone recommend a good enterprise-grade laptop? Something like the T400 but with a Haswell chip?

  55. Re:Misses the point by Billly+Gates · · Score: 1

    ...to wipe the box and install some other OS.

    Would anyone tolerate purchasing an alarm clock with a hidden cam on it?

    I think not! This is outright criminal. No, no, reinstalling an OS should never be a common practice on a new system. Yes, people use, need, and do not have the technical ability or need to run a non-Windows OS. Yes, this is going to butt-hurt many here, but give it up.

    Windows 7 is stable and works fine for non hacker use. People ... normal people ... do not run an OS. They run applications. This means Windows.

    If Linux won the marketshare wars they would have fake certificates, app stores, in Ubuntu too. This should be illegal ... actually it is illegal and hacking. People pay their bills on their systems these days as a normal practice and this is downright scary. Just because I image Windows 7 and install Unix VMs on my system does not mean the average user should at all.

    MS needs to change the EULA to prevent this since Windows 10 will be free for the consumer version of it.

  56. Re:Misses the point by bingoUV · · Score: 1

    If Linux won the marketshare wars they would have fake certificates, app stores, in Ubuntu too

    Yes, but fixing it will be simpler. Most Linux distribution installations are easier than windows installations. And getting the installer image is easier as it is most prominent in the distribution website rather than obscure as in the case of Microsoft's windows downloads.

    MS needs to change the EULA to prevent this since Windows 10 will be free for the consumer version of it.

    What has the end user got to do with it? Lenovo is the middle-man, so MS need to change the MMLA (middle man license agreement).

    --
    Bingo Dictionary - Pragmatist, n. A myopic idealist.
  57. booting is one EXAMPLE of kernel running hard by raymorris · · Score: 1

    Booting is one of the most resource-intensive things that most people do with their computers, so it's ONE EXAMPLE in which the speed difference is obvious. While booting, the kernel and init system hit the CPU quite a bit and the disk even more. Make no mistake, by the time you see the Windows logo, the kernel is running, running a sprint.

    Other examples of tasks that are faster on a virtualized system depend on your hardware, drivers, and configuration. Try it sometime. Assign about 75% of the RAM to the guest, less if you have more than 12GB of RAM.

  58. Make shipping real Windows DVDs mandatory by MoarSauce123 · · Score: 1

    Any PC or laptop with a preinstalled OS should only be allowed to be sold if an original OS DVD is included. Means the ones that Microsoft releases for Windows, not the already junked up 'recovery' DVDs from the manufacturer. That is the only way to properly wipe the entire system and start from scratch. Or just do not add all these often useless 3rd party apps. I know that the hardware vendors get paid to push this garbage, but is that worth these PR disasters?