Lenovo To Wipe Superfish Off PCs
An anonymous reader sends news from the Wall Street Journal, where Lenovo CTO Peter Hortensius said in an interview that the company will roll out a software update to remove the Superfish adware from its laptops. "As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it." When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."
Translation: our laptops are for consumers to buy crap online, and not for any kind of serious work.
Good to know!
It seems like they ought to be offering to send out fresh system restore images to customers, either via download or by DVD-for-a-small-shipping-fee. A tool which promises to remove the offending infection seems inadequate.
Be fair. Sony and Comcast have both blamed their customers and dallied around in court for quite a while before doing anything, or avoided doing anything in some cases. Lenovo reacted within a day. Lenovo may have taken a fall, but there are circles to Hell, and they aren't in the same class as Sony and Comcast.
The intent of loading this tool was to help enhance our users’ shopping experience.
Shut up. It injects advertising into search engine results, and also has the capability to intercept and hijack SSL/TLS connections to websites, thanks to the installation of a self-signing certificate authority on affected machines. You are not enhancing my shopping experience in any way, but you are doing a great job ruining my computer experience. This is nothing more than classic OEM crapware at its best.
The intent of loading this tool was to help enhance our users’ shopping experience.
The belief that the "shopping experience" of their users needed "enhancing" speaks loudly as to exactly how little Lenovo understands.
we will provide a tool that removes all traces of the app from people’s laptops;
So how do I trust that:
1. This tool will do as it says
2. You won't repeat the process in the future?
The trust with Lenovo has been broken and I can't see what they can ever do in order to restore it.
Any competent company should have their own OS image put onto new laptops. This should not affect the corporate world.
But what about next time?
What about other vendors?
The quest to further "monetize" customers that have already paid for a product is one that more and more companies are doing. I understand the business reasons behind it, but what about the consumer's rights? Do we have any left? Superfish is an especially egregious example of this problem. It is, in essence, a back door installed into millions of consumer devices. The penalties on a company should be so severe that they couldn't just make it disappear in one quarter, but not so severe that it forces the company into bankruptcy. In other words it needs to be painful enough that other companies will think long and hard about possibly doing something similar, but stopping short of putting the head of the villain on a stick outside the castle walls.
Sadly, I think the extent of the punishment will be a little bad press for a few days, then they'll continue on as if nothing had happened.
Well, Mozilla products are defective in this area IMHO. They should use system certificate stores by default rather than their own. On Windows they should use the Windows store, on OSX they should use Keychain, and on linux/bsd they should use /etc/ssl.
Shipping their own is confusing for end users and forces them to manage multiple trust locations. I can totally see some people wanting to use a different keystore for their web browser than other software uses and having an option would be nice, but it should NOT be the default let alone the only offered behavior. I write this as a long time Seamonkey user, but this would be my biggest complaint.
"Well, Mozilla products are defective in this area IMHO. They should use system certificate stores by default rather than their own."
Nope. Having your own cert store protects you if the primary OS cert store gets fucked.
My god it is like the lessons of granular security have just been totally forgotten, these days.
It doesn't matter. That they were willing to do this on low-cost consumer machines indicates a lack of judgement that reflects on all aspects of their company.
Just fine in bigass-corporate-company land, but the world is bigger than that. A huge amount of US economic activity is in small business, and how many of those have competent IT? This will be a possible opening of a lot of companies for a long time.
It also wouldn't affect the corporate world because business-grade PCs were never infected with it in the first place.
However, the real issue -- the one that makes competent companies completely justified in shit-listing Lenovo -- is the argument that if a company is capable of exercising such poor judgement now, then who knows what other poor judgement they might show in the future. Maybe the next "oops" will be a hardware keylogger in Thinkpads or a compromised WiFi firmware or something.
Lenovo may have backpedaled this time, but the malware only happened to begin with because somebody at Lenovo thought it was a good idea. That, by itself, poses an unacceptable risk to any sane customer.
The discussion is far from moot. Security also involves mitigation. By assuming your OS is fucked in the first place, you get programs that should in theory provide more security by using their own stuff instead of the OS, thus mitigating (or outright eliminating in some cases) the specific threat to the point of rendering it useless. Thus, even if the OS isn't actually compromised, you've still greatly managed to increase your security over the baseline.
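The two comments above (a private trust store protects you if the OS store gets compromised, and security includes mitigating the case where the OS is already compromised) can be shown concretely with Go's standard x509 package. The following is an added example, not code from Lenovo, Superfish, Mozilla or any commenter: it constructs a "legitimate" root and an "injected" root entirely in memory, forges a server certificate under the injected root the way an interception proxy would, and then verifies that forged certificate against two pools: an OS-style store that has had the extra root added, and an application-private store that only holds the vendor's root. The hostname and CA names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate in memory. Both the "legitimate"
// root and the injected root are constructed here for the example; nothing is
// read from or written to any real certificate store.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for host with the given CA, which is
// what an interception proxy does on the fly for every site the user visits.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trusted reports whether leaf chains to one of roots for host.
func trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Scenario models an OS store that has had an extra root added next to an
// application-private store holding only the root the vendor shipped. It
// returns whether a certificate forged under the injected root is accepted by
// the OS store and by the private store respectively.
func Scenario() (osAccepts, privateAccepts bool, err error) {
	const host = "shop.example.com" // constructed hostname
	legitRoot, _, err := newCA("Example Legitimate Root", 1)
	if err != nil {
		return false, false, err
	}
	injectedRoot, injectedKey, err := newCA("Constructed Injected Root", 2)
	if err != nil {
		return false, false, err
	}
	osStore := x509.NewCertPool() // the OS store after the injection
	osStore.AddCert(legitRoot)
	osStore.AddCert(injectedRoot)
	privateStore := x509.NewCertPool() // the application's own store, untouched
	privateStore.AddCert(legitRoot)
	forged, err := issueLeaf(host, injectedRoot, injectedKey, 3)
	if err != nil {
		return false, false, err
	}
	return trusted(forged, osStore, host), trusted(forged, privateStore, host), nil
}

func main() {
	osAccepts, privateAccepts, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged cert accepted via OS store: %v\n", osAccepts)           // true
	fmt.Printf("forged cert accepted via private store: %v\n", privateAccepts) // false
}
```

The same mechanism cuts both ways: a program with its own store is immune to a root injected into the OS store, but it also needs its own update path for revoking or replacing roots, which is the management burden the earlier comment objects to.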