Lenovo To Wipe Superfish Off PCs
An anonymous reader sends news from the Wall Street Journal, where Lenovo CTO Peter Hortensius said in an interview that the company will roll out a software update to remove the Superfish adware from its laptops. "As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it." When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."
... good.
It little behooves the best of us to comment on the rest of us.
Translation: our laptops are for consumers to buy crap online, and not for any kind of serious work.
Good to know!
Finding God in a Dog
It seems like they ought to be offering to send out fresh system restore images to customers, either via download or by DVD-for-a-small-shipping-fee. A tool which promises to remove the offending infection seems inadequate.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Our reputation is everything and our products are ultimately how we have our reputation.
Your reputation is now at the Sony and Comcast level: Scum bag assholes who are out to fuck their customers every way they can.
Someone needs to be fired for this. Someone very high up the corporate ladder. Someone who thinks SuperFish improves the shopping experience. Someone who needs to be blackballed from the industry and die penniless huddled in a cardboard box drinking sterno.
If that doesn't happen, SuperFish and problems like it will continue to happen.
It was the name for some other malware. What else is on those machines?
The intent of loading this tool was to help enhance our users’ shopping experience.
Shut up. It injects advertising into search engine results, and also has the capability to intercept and hijack SSL/TLS connections to websites, thanks to the installation of a self-signing certificate authority on affected machines. You are not enhancing my shopping experience in any way, but you are doing a great job ruining my computer experience. This is nothing more than classic OEM crapware at its best.
My company already removed them for our approved vendor list now. I wonder how many other companies have done exactly the same thing because of this little mistake.
The intent of loading this tool was to help enhance our users’ shopping experience.
The belief that the "shopping experience" of their users needed "enhancing" speaks loudly as to exactly how little Lenovo understands.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
Hmm..... Who would have thought a Chinese company would install software that is capable of spying on laptops? Wonder how the world's secrets keep getting stolen? If you buy a Lenovo and expect anything different, you deserve what you get. This is not the first time, nor will it be the last time. They just got caught this time.
...When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful...
It is a rare occasion when a C-level exec admits that his company has not got a clue about what its customers want.
Since the marketing team are usually the ones responsible for knowing customer needs, will we be seeing a change in Lenovo's executive suite soon, say a new chief marketing officer?
I wonder what kind of thought process led to them thinking that a piece of software that injects crap into and modifies web pages served via https can be considered useful by anyone.
we will provide a tool that removes all traces of the app from people’s laptops;
So how do I trust that:
1. This tool will do as it says
2. You won't repeat the process in the future?
The trust with Lenovo has been broken and I can't see what they can ever do in order to restore it.
I am Slashdot. Are you Slashdot as well?
we will provide a tool that removes all traces of the app from people's laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we'll issue a press release with information on how to get it.
Pathetic
I will guarantee you that this particular 'update' will only take care of the core OS infection. If you have FF, Opera, or Thunderbird, do not expect this to work. You're stuck fixing those programs and their cert stores on your own.
I wouldn't trust Lenovo, anyways. They can't keep a story straight.
First they say 'Between October and December' and then just a few lines later contradict themselves by saying they stopped in January.
Then they further contradict their words by releasing a security advisory stating they stopped in February.
We know this software has been on Lenovo laptops since June, at the least. So the Oct-Dec statement is a lie. Three straight lies in a row.
Simply put, you cannot trust this company any longer. Their 'fix' is a lie, their statements are lies, and they're trying to save face to avoid the Federal hand of pain bearing down upon them.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Instead of the eclectic quality stuff that would let you get some serious work done, they'd already turned the ThinkPad line into boring mass-market hunt-and-peck-optimised dvd ogling boxes. In that sense, I'd written them off years ago.
Now they need a massive bag of egg on their face to realise that even as largest laptop-and-desktop-peecee brand they really can't afford to lose custom over sheer towering arrogance, so in that sense their reaction is a good sign. It would have still been far better to not breach their users' trust in the first place. The "but the program was never a danger for you, honest" line, for example, is still condescending PR. "Yes we had our preloaded programs do a MITM on you but no harm was done, really." Oh, really? That's not how it works, friend.
So I'll agree that it's not quite the same but at the same time they're not that far apart, either.
http://www.pcworld.com/article...
Samsung also got caught this month injecting ads into TV viewing. They only got caught because they screwed up the algorithm and injected ads into people's personal ad-free videos. And then Samsung's genius engineers biffed again by sending the TV microphone pickups back to Samsung (which is okay--that's what Siri, Alexa, Cortana, and Google do) but doing so unencrypted.
Obviously parasitic ad injection is the single most lucrative way to earn money on the internet. You're doing it just like Google does for nearly all its revenue, selling ads and harvesting click-thru data, but you're doing it without the associated cost of attracting customers with a product. No wonder Lenovo wanted this action.
Some drink at the fountain of knowledge. Others just gargle.
Maybe I can get a Lenovo laptop at deep discount and put Mint/KDE on it.
Finding God in a Dog
It is a rare occasion when a C-level exec admits that his company has not got a clue about what its customers want.
Actually, in today's business they do have a clue, but they ignore it, because it more about earning money for the stockholders than making life easier/happier for the customers. They try their best to throw things at users and hope it isn't noticed. They had to take this move because they got caught and know that if they do not do this, then they will have the stockholders lose money in the end.
If I was a Lenovo customer, I would never trust their fix to actually fix the issue. What Lenovo should do is pay for affected customers to take their computers to the technician of the customers choice and have it fixed. If they want to regain the customers trust, they should spare no expense. It appears that they are still putting money before their customers. It won't be long before people start thinking of them in the same way they think of Facebook. The advertisers are the customers, the consumer is the product in their view. Shame too. IBM computers were the best of the best until Lenovo got a hold of them.
I agree, whenever I buy a new computer, "Enhancing my Shopping Experience" is not usually on my short list of reasons to part with my money. As a matter of fact, I don't think that I've *ever* heard it being used as a reason to buy a new computer. I've been using computers since '87. My first one was a TI-99/4A.
Maybe the Feds were right when they said they'd never buy Chinese PC hardware. I was just looking at how attractive and powerful their current laptops are. This all makes me FAR less inclined to ever buy one.
Between Ubuntu and Lenovo who needs the NSA? Anyone can just pay these asshats for all your data.
Some news reports say that the removal tool is only partial. It removes the evil Certs from some browsers but not all. In particular not Firefox. However, it could be that there is yet another fix in the pipeline and that this is what the story is referring to.
Some drink at the fountain of knowledge. Others just gargle.
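The two posts above make the same practical point: a removal tool that cleans only the Windows certificate store leaves Firefox and Thunderbird untouched, because those keep their own NSS trust databases per profile. The following PowerShell is an added example, not Lenovo's removal tool and not code from any post in this thread. It assumes the standard Windows store paths and the default Mozilla profile locations under `%APPDATA%`; the subject pattern passed to `Find-SuspectCA` is a placeholder for whatever CA you are auditing, not the actual certificate name.

```powershell
# Added example (assumptions: standard Cert:\ store paths and default Mozilla
# profile folders; 'PLACEHOLDER-CA-NAME' stands in for the CA subject being audited).

function Find-SuspectCA {
    # Searches the root and intermediate stores for both the machine and the
    # current user, since an installer may have written to any of them.
    param([Parameter(Mandatory)][string]$SubjectPattern)

    $stores = @(
        'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
        'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
    )
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like "*$SubjectPattern*" } |
            ForEach-Object {
                # HasPrivateKey matters: a trusted CA whose private key sits on the
                # machine is what makes local TLS interception possible, and the
                # same key shipped to every machine lets anyone else do it too.
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

function Get-NssCertStores {
    # Firefox and Thunderbird ignore the Windows store; each profile carries its own
    # cert8.db (legacy) or cert9.db (current) that a Windows-only cleanup never sees.
    $profileRoots = @(
        "$env:APPDATA\Mozilla\Firefox\Profiles",
        "$env:APPDATA\Thunderbird\Profiles"
    )
    foreach ($root in $profileRoots) {
        Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
            ForEach-Object {
                Get-ChildItem -Path $_.FullName -Filter 'cert*.db' -ErrorAction SilentlyContinue
            } |
            Select-Object FullName, LastWriteTime
    }
}

# Usage: report any matching CA in the Windows stores, then list the NSS
# databases that still need to be checked separately.
Find-SuspectCA -SubjectPattern 'PLACEHOLDER-CA-NAME' | Format-Table -AutoSize
Get-NssCertStores | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the LocalMachine stores are readable. The NSS databases it lists can be inspected with Mozilla's own `certutil -L -d <profile dir>` (the NSS tool, not the Windows `certutil.exe` of the same name), or through the browser's certificate manager; an entry there survives any cleanup of the Windows store.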
Our reputation is everything and our products are ultimately how we have our reputation.
Well, they'll miss it then! Their reputation is now that they are a sleazebag company willing to compromise their customers security so they can make a few bucks injecting unwanted advertising, then lying about the security risk when they got caught.
That's a company I will never do business with again.
As soon as the programmer is finished...
Oh boy, another case of testing in production.
SURE they're removing it, not just installing Superfish 2.0: NSA Boogaloo.
That's ATT's new model. In Kansas you can get a $70, gigabit connection from ATT but if you want to opt out of the customer abuse plan they charge you $30/mo extra. No I'm not making that up, but they don't call it the customer abuse plan, but that's what it is. The $30 is so they don't track you and monetize you with the scrutiny that only an ISP can do (see Verizon's tracking cookies).
Lenovo should just say the truth: the laptop was $200 cheaper than it would have been because of SuperFish. If you want to opt out of da'Fish then you gotta pay. Nobody gets hurt okay.
http://it.slashdot.org/comment...
Some drink at the fountain of knowledge. Others just gargle.
So, they only have one at Lenovo? Explains a few things.
February 20, 2015

Dear Andrew,

As you may have heard, select Lenovo consumer notebooks shipped after September 2014 included Superfish Visual Discovery software as a shopping aid to customers. Superfish is a TrustE certified third-party software vendor, with offices in Palo Alto, CA. User feedback on the software was not positive and we received some reports of security concerns. Please note that Lenovo has NOT loaded this software on any ThinkPad notebooks, nor any desktops, tablets, workstations, servers or smartphones. The only impacted models are the following consumer notebook series: Z-series, Y-Series, U-Series, G-Series, S-Series, Flex-Series, Yoga, Miix and E-Series. If you use any of these Lenovo consumer models in your enterprise, please refer to the Customer Support information below.

While this software does not impact the models typically used by businesses, we wanted to let you know that we take user feedback seriously at Lenovo. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. We make every effort to provide a great user experience for our customers. We recognize that the Superfish software has caused concern. Lenovo has taken steps to address that concern.

• Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the software is no longer active.
• Lenovo has stopped preloading the software and will not preload this software again in the future.
• Lenovo has provided instructions for uninstalling this software and will soon provide a software removal patch.

For more information on this, or for instructions on Superfish software removal, please visit http://support.lenovo.com/us/e.... We appreciate your confidence in Lenovo.

Unsubscribe | Privacy Policy

Lenovo reserves the right to alter product offerings or specifications at any time without notice. Models pictured are for illustrative purposes only. Lenovo is not responsible for typographic or photographic errors. Information advertised has no contractual effect. You are subscribed as andrew.coleman@dpw.com. To ensure delivery of Lenovo email offers to your inbox, please add lenovo@update.lenovo.com to your address book. Lenovo and the Lenovo logo are trademarks of Lenovo. All other trademarks are the property of their respective owners. Lenovo 1009 Think Place Morrisville, NC 27560 © 2015 Lenovo. All rights reserved.
excitingthingstodo.blogspot.com
But what about next time?
What about other vendors?
The quest to further "monetize" customers that have already paid for a product is one that more and more companies are pursuing. I understand the business reasons behind it, but what about the consumer's rights? Do we have any left? Superfish is an especially egregious example of this problem. It is, in essence, a back door installed into millions of consumer devices. The penalties on a company should be so severe that they couldn't just make it disappear in one quarter, but not so severe that it forces the company into bankruptcy. In other words it needs to be painful enough that other companies will think long and hard about possibly doing something similar, but stopping short of putting the head of the villain on a stick outside the castle walls.
Sadly, I think the extent of the punishment will be a little bad press for a few days, then they'll continue on as if nothing had happened.
Bring back the old-style Thinkpad keyboards and all will be forgiven.
"As soon as the programmer is finished"
How much do you not want to be that guy right now........
Sure, they reacted quickly but it should never have happened in the first place. The damage to the Lenovo brand is permanent. There are plenty of folks who won't buy a Sony product of any kind, for similar reasons.
Personally I wouldn't trust the offender (Lenovo) to clean the computer. I would send it back and demand a full refund.
No other rational choice.
Dear Lenovo CEO Peter Hortensius.
My shopping experience needs NO enhancements, and especially NO enhancements in the form of additional injected ads. I haven't even started talking about you installing appalling security holes and other crapware on MY new computer.
Your apology has made the situation even worse. I would have appreciated if you said something like "margins on PCs are very thin so we have to take any opportunity to offset the price of Windows licence by installing questionable things on our computers".
Not that I would buy a Lenovo notebook even without this scandal. You do not let users make backup media with a "factory restore" image. If a disk dies, or if somebody wants to install an SSD in his notebook later on, he has to seek out a Lenovo technician to get the image with the OS.
The only way to redeem a little bit of respect would be if you started bundling vanilla OS installation media and media with drivers. Like it was done a long time ago.
Yours truly
*very* pissed off potential customer.
Not only is your disappearing audio ad making a comeback you broke the fucking comments. Fuck you, I'm just here for the comments.
When are customers ever happy about having their shopping experience "enhanced", especially by adware? I would suggest wiping those computers clean and putting a third party OS install on them, as Lenovo has pretty much shown how it views its customers.
He says: "The feedback from users was that it wasn't useful."
What the users REALLY said was more like: "You compromised our security, you installed spyware and didn't tell us about it or provide the option to opt out, your uninstaller did not fully uninstall it and we now have to wipe and fully reinstall, costing us all lots of time and money, since a gaping security hole was opened up and God knows what came thru that hole before we knew about it."
CEO-speak really is an amazing language to learn. It's all about lies and deceit, but it sure is a 'skill' one has to learn to be a top CEO these days.
--
"It is now safe to switch off your computer."
"The feedback from users was that it wasn’t useful, and that’s why we turned it off."
There's a tiny difference between "nah, this isn't helpful" and "this creates massive security holes and radically impairs my ability to safely use the computer."
Serious question: How do I purchase a windows laptop that does not come with preloaded advertising?
(Obviously, just having windows means it's automatically full of bloatware. "Wipe it and install Linux," you say.)
But take this question seriously for a moment: How do you purchase a windows laptop without preloaded crud?
No, this is not enough. Where is the fucking accountability? The person who proposed this needs to be named, and fired, and any bonuses paid for this need to be taken back.
You are only sorry you got caught with your hands in the cookie jar.
This type of shitty nonsense has been going on for years, and I'm surprised that both Microsoft *AND* Windows users just tolerate it.
*WHY?*
If your computer isn't trustworthy, you don't own the computer. Doesn't matter that they belatedly pulled the malware, it would be recycle time for anything from Lenovo.
Isn't that the case with pretty much every consumer-level laptop on the market today?
The HP business laptops do not ship with crapware.
Wherethehell is IKANREAD when we need him?!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I don't want you fucking around with my 'shopping experiences'. Please, please do not sell my eyeballs to advertisers and claim (even with a wink and a nod) that you are somehow doing *ME* a favor.
Lenovo is going to come off my recommendation list. That list is getting shorter and shorter everyday.
Microsoft has updated Windows Defender to root out the Superfish bug
http://www.theverge.com/2015/2/20/8077033/superfish-fix-microsoft-windows-defender
Have gnu, will travel.
Now that we've been caught....
The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation
This really starts to make sense in the sense that Lenovo has 2 sets of products and 2 sets of users. Regular people are users of their computer products, and advertisers are users of their malware products to advertize to those computer users.
You can't please everyone.
Sorry, I got nothin. You?
At this point I would be satisfied with having the option to pay a little more to *not* get all the extra bloatware on my computer. Surely there is some amount of money that the manufacturers like Lenovo get for putting that shit on their computers. What difference does it make to them if they get this money through bloatware vendors or the customer?
In the past I would probably gladly reinstall windows myself and save the $10 (or whatever it is), except that now they don't make that easy either, because often their windows reinstall discs have the same bloatware on them. You can't just install some random windows ISO and use your own product key. Even if the ISO is legitimate, it may not be a version that accepts your product key.
Just let me pay the price, or at least see what that price is.
Lenovo is about to be wiped from the marketplace as a purchase to never make again.
Anybody else buying this nonsense story?
Don't buy Lenovo until they get rid of this CEO and stop putting spyware on PCs.
Our reputation is everything and our products are ultimately how we have our reputation.
This is like Putin saying "Equal rights for gay people are everything". Either you are lying, or you are extremely incompetent.
It's really easy to have a reputation of not putting bloat/spy/ad/malware on your computers. You actually don't have to do *anything* to achieve this reputation. It requires effort to ruin it. Just like it requires effort to harass gay people.
It's time to end the purchasing of Chinese Technology products. Can't trust them.
Who knows what's installed on iPhones. I think it's time we do a deep dive into an iPhone. I'm sure we will find something.
"When asked whether his company vets the software they pre-install on their machines, [Lenovo CTO Peter Hortensius] said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."
Far too little and far, far too late!
If Superfish was merely not "useful", some people would carp about it and most would just ignore it. It is far more dangerous than that because it deliberately behaves in a way that undermines the integrity of the trust system on which the internet is based and so jeopardizes the security of the user. To claim that this was done in order to "enhance" the user's experience is cynical beyond belief. I'm certain Hortensius is right when he says that the software was vetted at Lenovo. I'm also quite sure that it performed precisely the way it was intended to. But who on earth thought that was a good idea?
There has to be a price to pay for this major failure of judgement and I can only hope that it is both hefty and that it impacts those at Lenovo who were ultimately responsible for it, Hortensius among them.
licet differant, aequabitur
I don't want to use the tool because I don't want to degrade my enhanced shopping experience. It's just so premium now.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
You know, Bunnie Huang was making a "laptop", but forewent the keyboard because, he claimed, everyone has their own taste anyway and they're easy to pick up. Well, not for me they aren't, but perhaps they are in Shenzhen.
So the obvious idea is for a (monied, with some free time) reader here to pick up the slack: Go to Shenzhen, cobble together a laptop to nerd specs, sell it. Could start with Bunnie Huang's board even, but something faster would be nice too.
Specs? Old-style thinkpad keyboard*, trackpoint and no touchpad, 4:3 matte screen with nicely high resolution**, at least one gigabit ethernet, room for wifi and mobile cards, couple usb and one extra, say firewire, ext. video probably still vga for presentations, vol up dn mute and one extra button***, and of course a fully open source BIOS. CPU doesn't need to be x86 nor x86_64; a nice low-power but fast MIPS or ARM or even PowerPC would do just as well. If you can do SPARC then suddenly you have a market with the military.
It's really quite curious that there now exist "made-to-order" laptop manufacturers except they all produce the same souped-up glossy widescreen dvd player with a shitty keyboard and a (multitouch!!1!) touchpad but nothing geared toward getting things done.
* With a few mods for me: Decent-sized ESC, put CTRL in lower left with FN next to it, no windows keys, arrow keys without those extra keys so I can find'em in the dark, that big-ish right shift can be a bit smaller to make room for a compose key, and a couple other tweaks I'd have to think about for a bit.
** Those pixelqi screens are cute but not available in 4:3? Well, maybe you can find a supplier of colour e-ink. Those do at least 12fps these days. That's fast enough for email, even writing code, and basically all office tasks.
*** Which I'll have invoke the passworded screensaver.
Great to source, not so great to receive. Unless you are really into that kind of thing.
You fucking suckhole, at least have the balls to own up to your mistakes. You assholes not only put a shitty MITM attack in the OS, you fucking used the same goddam key so that anyone else could MITM us too?! And not a single person with half a clue ever stood up in that design meeting and asked what a monumental fuck-up that was? Right. Trying to make the "user experience" better by inserting your ads into my TLS-based google searches or my secure bank session? It "wasn't useful"?! Just stop. Stop that nonsense and own your mistakes like a real actual person.
I've been buying and recommending Thinkpads since the late 90's. I'm using one now in fact (thankfully re-imaged, no thanks to the twatwaffles at Lenovo). I'm never going to do either of those things again. I might have if they had said, "You got us, our bad, we're sorry and it won't happen again". But not anymore. Not with the wishy-washy corporate-speak bullshit.
Do not fuck with people's stuff for ad revenue. And if you do and get caught, at least fucking own up to it.
And so now I'm wondering what my next laptop will be. Because it sure as shit isn't going to be a Lenovo...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
My money is on New and Improved SuperUltraFish
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
"As soon as the programmer is finished..."
Really? Only one 'programmer'? Wow. Obviously, they are not giving this much attention.
Obviously the "intent" with this tool was not some sort of altruistic impulse to "improve our customers' shopping experiences"; the "intent" was to collect some tiny payment per PC in exchange for their users giving up some of their privacy.
I'm willing to believe they didn't realize the security implications of this junk, but they might as well admit they play the Crapware game all the consumer PC makers do because it makes them money.
I welcome the day that the FTC actually holds them accountable, and fines the crap out of them. But that will not happen because in the last ten or so years China has become the god of exports. They export everything including the fake crap, and the crap that contains enough toxins to ruin kids for the rest of their lives. China must be proud of themselves. They would have to be; how else can you explain their junk coming over to the USA in record numbers, and US citizens buying it right and left without even looking at the label, or asking the right questions? Like for instance, why are China's goods so much cheaper than anyone else's? How can China get away with shipping goods to the US full of toxins and not suffer any consequences? There is enough stupidity, greed, and ignorance to go around. To tell you the truth I don't know whose bumper to kick anymore. Set up your provisions and line up ...this will take a long time.
Ever since Windows 7, PCs have been loaded with crapware and "enhancing experience" so hard it slows new PCs to a crawl. Almost every OEM has a customer feedback background service that does not turn off after the user answers that they do not want to participate. For all customers I wipe PCs and install them with an MSDN-downloaded installation before they are first booted. This has included Lenovo machines in the last years. Glad to see I was right to do so. I have access to MSDN; if you do not and download elsewhere, please compare hashes of the downloaded and original ISO files, as you do not want to replace your OEM crapware with other malware. Pro tip: your Windows 8(.1) key is stored in the BIOS and not on a sticker. It can be recovered with "rw-everything"; Microsoft has official dummy keys you can use while installing (but they will not work to activate).
Would a Superfish by any chance be a Crayfish?
"As soon as the programmer is finished"
You're a company the size of Lenovo and you've got one dude working on it? Does he get to do QA and deployment too?
//TODO: Insert catchy phrase
Are you sure he actually wrote 'app'-wiping software?
May I have another?
Okay, but is there anything we should worry about in the FIRMWARE of the devices?
It's a wake up call - now can we get rid of those fucking stupid "SSL accelerators" that do the exact same man in the middle attack and are prone to the same problem if somebody who wants your banking details has or gets hold of the details of the cert.
If it's for "business reasons" that a workplace sniffs all the traffic that's supposed to be encrypted then they should consider what a hit Lenovo's business is going to take over this, and how their business would cope if the lawyers from a couple of major banks go after them for interfering with transactions when a hack happens. They'll want blood, and if the perpetrator can't be tracked down they'll happily take the blood of whoever put the stupid "SSL accelerator" box in and the company they work for.
It's fucking insane to listen in to other people's supposedly secret communications unless you are immune to the legal system. That's without even getting into moral implications.
Once the Chinese buy an American company I never buy from them again. I'll bet the Red Army had more than "Adware" in there. ;>)
Why not software? When you buy a computer, smart phone, cable or fiber box, or other internet connected gadget, you have no idea what you are getting. The vendor can put in anything they want, as Samsung demonstrated by shipping smart TV sets that can send out audio and video without any indication to the user.
If consumers were informed what kind of crap was being shipped with their gear, it would go a long way towards curbing this kind of intrusive behavior. Nobody wants a device filled up with junk when they get it, but it's hard, even for Slashdot types, to find out what's in the box before it shows up. A list of add-on software that you could see before you buy would make all the difference.
Why is Snark Required?
Bundling malware with your computers is a great way to kill reputation. I would never buy a Lenovo device of any kind after this.
It is good to see there is still some resistance to adware and spyware on PCs at a time when it seems to be accepted as normal on smart phones.