Slashdot Mirror
Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers
An anonymous reader writes It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time. The adware, named Superfish, is reportedly installed on a number of Lenovo's consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user's permission.
Another anonymous reader points to this Techspot article, noting that that it doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick.
Also at ZDnet.
There are some really harsh laws concerning hacking and cracking. If Lenovo knew or caused this breach perhaps they could be prosecuted and actually jailed for this behavior.
Not allegedly at all. My new Y50 (3 weeks old) came with Superfish pre-installed, phoney root certificates and all. Luckily I've encountered Superfish before when they were trying to insinuate themselves into every extension they could on the Chrome Web Store so it was easy to spot and obliterate.
And behold, a command prompt and he who sat upon it, his name was shutdown and -h 3:11 followed with him
bankofamerica.com courtesy of Superfish:
https://i.imgur.com/Ky0Bwih.jpg
Not sure about the source of the screenshot, independent confirmation would be good.
Serious Question - So these Lenovo computers most likely come with UEFI. I recently tried wiping a new UEFI Lenovo PC and re installing using a WIN 7 CD, and the key was retrieved using a tool to read the OS. When It came time to "activate" the fresh WIN 7 OS, that key would not be accepted. Lenovo support said they couldn't provide another key, and that only the recovery CD would work. Are there any known workarounds for this?
http://forums.lenovo.com/t5/Le...
"Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
Lenovo stopped preloading the software in January.
We will not preload this software in the future."
However, later in the post they state that the root CA will remain intact. The private key has already been extracted and cracked, so this leaves Lenovo users still open to a very easy MITM attack.
Which is fine for you and me and everyone else reading /. but no so much for the majority of people buying an off-the-shelf Laptop from Lenovo.
Seriously, how dumbed down does a Linux installer need to get in order for the average moron to wipe and re-install their YouTube/Netflix binge box?
We've already turned the right-clicking, mouse-wielding user into a drooling baby that just points at the large colorful tiles on the touchscreen to make it "go".
I'm really starting to wonder if the Year of the Linux Desktop is directly tied to reducing the average consumer IQ level to that of a goat. Better start working on the voice recognition interfaces now, since our future appears to be an idiot yelling at a server to make it reboot.
That was because of Microsoft? I hate, hate, hate that practice, but I assumed that it was just because the computer manufacturers wanted to save a dime.