Slashdot Mirror
Lenovo To Wipe Superfish Off PCs
An anonymous reader send news from the Wall Street Journal, where Lenovo CTO Peter Hortensius said in an interview that the company will roll out a software update to remove the Superfish adware from its laptops. "As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it." When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."
... good.
It little behooves the best of us to comment on the rest of us.
Translation: our laptops are for consumers to buy crap online, and not for any kind of serious work.
Good to know!
Finding God in a Dog
It seems like they ought to be offering to send out fresh system restore images to customers, either via download or by DVD-for-a-small-shipping-fee. A tool which promises to remove the offending infection seems inadequate.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Don't forget Acer.
Hardware keylog me once, shame on me...
Someone needs to be fired for this. Someone very high up the corporate ladder. Someone who thinks SuperFish improves the shopping ecperience. Someone who needs to be blackballed from the industry and die penniless huddled in a cardboard box drinking sterno.
If that doesn't happen, SuperFish and problems like it will continue to happen.
Be fair. Sony and Comcast have both blamed their customers and dallied around in court for quite a while before doing anything, or avoided doing anything in some cases. Lenovo reacted within a day. Lenovo may have taken a fall, but there are circles to Hell, and they aren't in the same class as Sony and Comcast.
Dammit, George W. Bush really has screwed my memory of that saying. =(
The intent of loading this tool was to help enhance our users’ shopping experience.
Shut up. It injects advertising into search engine results, and also has the capability to intercept and hijack SSL/TLS connections to websites, thanks to the installation of a self-signing certificate authority on affected machines. You are not enhancing my shopping experience in any way, but you are doing a great job ruining my computer experience. This is nothing more than classic OEM crapware at its best.
Got a link on that?
I tried googling and all I found is various keyloggers for sale.
My company already removed them for our approved vendor list now. I wonder how many other companies have done exactly the same thing because of this little mistake.
The intent of loading this tool was to help enhance our users’ shopping experience.
The belief that the "shopping experience" of their users needed "enhancing" speaks loudly as to exactly how little Lenovo understands.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
Good point. I give them a plus for at least properly listening to feedback.
Hmm..... Who would have thought a Chinese company would install software that is capable of spying on laptops? Wonder how the world's secrets keep getting stolen? If you buy a Lenovo and expect anything different, you deserve what you get. This is not the first time, nor will it be the last time. They just got caught this time.
...When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful...
It is a rare occasion when a C-level exec admits that his company has not got a clue about what its customers want.
.
Since the marketing team are usually the ones responsible for knowing customer needs, will we be seeing a change in Lenovo's executive suite soon, say a new chief marketing officer?
we will provide a tool that removes all traces of the app from people’s laptops;
So how I do trust that:
1. This tool will do as it says
2. You won't repeat the process in the future?
The trust with Lenovo has been broken and I can't see what they can ever do in order to restore it.
I am Slashdot. Are you Slashdot as well?
Same here
we will provide a tool that removes all traces of the app from peopleâ(TM)s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, weâ(TM)ll issue a press release with information on how to get it.
Pathetic
I will guarantee you that this particular 'update' will only take care of the core OS infection. If you have FF, Opera, or Thunderbird, do not expect this to work. You're stuck fixing those programs and their cert stores on your own.
I wouldn't trust Lenovo, anyways. They can't keep a story straight.
First they say 'Between October and December' and then just a few lines later contradict themselves by saying they stopped in January.
Then they further contradict their words by releasing a security advisory stating they stopped in February.
We know this software has been on Lenovo laptops since June, at the least. So the Oct-Dec statement is a lie. Three straight lies in a row.
Simply put, you cannot trust this company any longer. Their 'fix' is a lie, their statements are lies, and they're trying to save face to avoid the Federal hand of pain bearing down upon them.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Instead of the eclectic quality stuff that would let you get some serious work done, they'd already turned the thinkpad line into boring mass-market hunt-and-peck-optimised dvd ogling boxes. In that sense, I'd written them off years ago.
Now they need a massive bag of egg on their face to realise that even as largest laptop-and-desktop-peecee brand they really can't afford to lose custom over sheer towering arrogance, so in that sense their reaction is a good sign. It would have still been far better to not breach their users' trust in the first place. The "but the program was never a danger for you, honest" line, for example, is still condescending PR. "Yes we had our preloaded programs do a MITM on you but no harm was done, really." Oh, really? That's not how it works, friend.
So I'll agree that it's not quite the same but at the same time they're not that far apart, either.
http://www.pcworld.com/article...
Samsung also got caught this month injecting ads into TV viewing. They only got caught because they screwed up the algorithm and injected ads into people's personal ad-free videos. And then samsung's genius engineers biffed again by sending the TV microphone pickups back to samsung (which is okay--that's what siri, alexa, cortana, and google do) but doing so unencrypted.
Obviously parasitic ad injection is the the single most lucrative way to earn money on the internet. Your doing it just like google does for nearly all its revenue, selling ads and harvesting click-thru data, but your doing it without the associated cost of attracting customers with a product. No wonder Lenovo wanted this action.
Some drink at the fountain of knowledge. Others just gargle.
Maybe I can get a Lenovo laptop at deep discount and put Mint/KDE on it.
Finding God in a Dog
They were right in thinking that a piece of software that injects crap into and modifies web pages served via https can be considered useful by anyone.
They just got the wrong "anyone."
It little behooves the best of us to comment on the rest of us.
Maybe the Feds were right when they said they'd never buy Chinese PC hardware. I was just looking at how attractive and powerful their current laptops are. This all makes me FAR less inclined to ever buy one.
Between Ubuntu and Lenovo who needs the NSA? Anyone can just pay these asshats for all your data.
Some news reports say that the removal tool is only partial. It removes the evil Certs from some browsers but not all. In particular not Firefox. However, it could be that there is yet another fix in the pipeline and that this is what the story is referring to.
Some drink at the fountain of knowledge. Others just gargle.
Our reputation is everything and our products are ultimately how we have our reputation.
Well, they'll miss it then! Their reputation is now that they are a sleazebag company willing to compromise their customers security so they can make a few bucks injecting unwanted advertising, then lying about the security risk when they got caught.
That's a company I will never do business with again.
As soon as the programmer is finished...
Oh boy, another case of testing in production.
That's ATT's new model. In Kansas you can get a $70, gigabit connection from ATT but if you want to opt out of the customer abuse plan they charge you $30/mo extra. No I'm not making that up, but they don't call it the customer abuse plan, but that's what it is. The $30 is so they don't track you and monetize you with the scrutiny that only an ISP can do (see Verizon's tracking cookies).
Lenovo should just say the truth: the laptop was $200 cheaper than it would have been because of SuperFish. If you want to opt out of da'Fish then you gotta pay. Nobody gets hurt okay.
http://it.slashdot.org/comment...
Some drink at the fountain of knowledge. Others just gargle.
So, they only have one at Lenovo? Explains a few things.
February 20, 2015 Dear Andrew, As you may have heard, select Lenovo consumer notebooks shipped after September 2014 included Superfish Visual Discovery software as a shopping aid to customers. Superfish is a TrustE certified third-party software vendor, with offices in Palo Alto, CA. User feedback on the software was not positive and we received some reports of security concerns. Please note that Lenovo has NOT loaded this software on any ThinkPad notebooks, nor any desktops, tablets, workstations, servers or smartphones. The only impacted models are the following consumer notebook series: Z-series, Y-Series, U-Series, G-Series, S-Series, Flex-Series, Yoga, Miix and E-Series. If you use any of these Lenovo consumer models in your enterprise, please refer to the Customer Support information below. While this software does not impact the models typically used by businesses, we wanted to let you know that we take user feedback seriously at Lenovo. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. We make every effort to provide a great user experience for our customers. We recognize that the Superfish software has caused concern. Lenovo has taken steps to address that concern. â Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the software is no longer active. â Lenovo has stopped preloading the software and will not preload this software again in the future. â Lenovo has provided instructions for uninstalling this software and will soon provide a software removal patch. For more information on this, or for instructions on Superfish software removal, please visit http://support.lenovo.com/us/e.... We appreciate your confidence in Lenovo. Unsubscribe | Privacy Policy Lenovo reserves the right to alter product offerings or specifications at any time without notice. Models pictured are for illustrative purposes only. Lenovo is not responsible for typographic or photographic errors. Information advertised has no contractual effect. You are subscribed as andrew.coleman@dpw.com. To ensure delivery of Lenovo email offers to your inbox, please add lenovo@update.lenovo.com to your address book. Lenovo and the Lenovo logo are trademarks of Lenovo. All other trademarks are the property of their respective owners. Lenovo 1009 Think Place Morrisville, NC 27560 © 2015 Lenovo. All rights reserved.
excitingthingstodo.blogspot.com
But what about next time?
What about other vendors?
The quest to further "monetize" customers that have already paid for a product is one that more and more companies are doing. I understand the business reasons behind it, but what about the consumer's rights? Do we have any let? Superfish is an especially egregious example if this problem. It is, in essence, a back door installed into millions of consumer devices. The penalties on a company should be so severe that they couldn't just make it disappear in one quarter, but not so severe that it forces the company in bankruptcy. In other words it needs to be painful enough that other companies will think long and hard about possibly doing something similar, but stopping short of putting the head of the villain on a stick outside the castle walls.
Sadly, I think the extent of the punishment will be a little bad press for a few days, then they'll continue on as if nothing had happened.
Bring back the old-style Thinkpad keyboards and all will be forgiven.
Sure, they reacted quickly but it should never have happened in the first place. The damage to the Lenovo brand is permanent. There are plenty of folks who won't by a Sony product of any kind, for similar reasons.
I might agree with you if their initial response hadn't been lying (they claimed that they thoroughly tested and there was no security risk) and designed to avoid taking real responsibility (we did this for you!)
No other rational choice.
Dear Lenovo CEO Peter Hortensius.
My shopping experience needs NO enhancements, and especially NO enhancements in form of additional injected ads. I haven't even started talking about you installing appaling security holes and other crapware on MY new computer.
Your apology has made the situation even worse. I would have appreciated if you said something like "margins on PCs are very thin so we have to take any opportunity to offset the price of Windows licence by installing questionable things on our computers".
Not that I would buy Lenovo notebook even without this scandal. You do not let users to make backup media with a "factory restore" image. If a disk dies, or if somebody wants to install an SSD to his notebook later on, he has to seek Lenovo technician to get the image with OS.
The only way to redeem a little bit of respect would be if you started bundling vanilla OS installation media and media with drivers. Like it was done long time ago.
Yours truly
*very* pissed off potential customer.
My shopping experience is just fine without active MITM attacks.
The ironic thing is that Lenovo has had a good reputation. They inherited the Thinkpad name, and it used to be that it was the go to brand for laptops before Apple jumped in that market. Plus, business-line Thinkpads are pretty secure, be it a decent TPM implementation, fingerprint scanner, and other items.
I just hope they learn their lesson, and this doesn't pop up again, as their products are quite usable.
When are customers ever happy about having their shopping experience "enhanced" especially by adware? I would suggest wiping those computers clean and putting a third party OS install on them as Lenovo has pretty much shown how it views it's customers.
There is no "to be fair". This is how these companies and politicians get away with everything. Well that company came forward and admitted they were raping us so they are better then the ones that don't admit it.
The answer to that is NO. There will be no raping.
You rape you lose. Go to jail, loose your business, etc.
Otherwise they just keep raping and just apologize as soon as they are caught. There is no penalty in the "to be fair" model.
If we want them to change they need to know, if they are caught they are out of business, out of office, in jail, hung by the neck.
love the taste, hate the texture
he says: "The feedback from users was that it wasnâ(TM)t useful"
what the users REALLY said was more like: "you compromised our security, you installed spyware and didn't tell us about it or provide the option to opt-out, your uninstaller did not fully uninstall it and we now have to wipe and fully reinstall, costing us all lots of time and money, since a gaping security hole was opened up and god knows what came thru that hole before we knew abou it."
ceo-speak really is an amazing language to learn. its all about lies and deceipt, but it sure is a 'skill' one has to learn to be a top ceo these days.
--
"It is now safe to switch off your computer."
"The feedback from users was that it wasn’t useful, and that’s why we turned it off."
There's a tiny difference between "nah, this isn't helpful" and "this creates massive security holes and radically impairs my ability to safely use the computer."
No, this is not enough. Where is the fucking accountability? The person who proposed this needs to be named, and fired, and any bonuses paid for this need to be taken back.
You are only sorry you got caught with your hands in the cookie jar.
This type of shitty nonsense have been going on for years, and I'm surprised that both Microsoft *AND* Windows users just tolerate it.
*WHY?*
Which level of Hell is Sony in for not knowing that a company they bought 6 months had distributed the rootkit (prior to Sony buying them)?
Isn't that the case with pretty much every consumer-level laptop on the market today?
The HP business laptops do not ship with crapware.
Wherethehell is IKANREAD when we need him?!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I don't want you fucking around with my 'shopping experiences'. Please, please do not sell my eyeballs to advertisers and claim (even with a wink and a nod) that you are somehow doing *ME* a favor.
Lenovo is going to come off my recommendation list. That list is getting shorter and shorter everyday.
Have gnu, will travel.
Now that we've been caught....
The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation
This really starts to make sense in the sense that Lenovo has 2 sets of products and 2 sets of users. Regular people are users of their computer products, and advertisers are users of their malware products to advertize to those computer users.
You can't please everyone.
Sorry, I got nothin. You?
At this point I would be satisfied with having the option to pay a little more to *not* get all the extra bloatware on my computer. Surely there is some amount of money that the manufacturers like Lenovo get for putting that shit on their computers. What difference does it make to them if they get this money through bloatware vendors or the customer?
In the past I would probably gladly reinstall windows myself and save the $10 (or whatever it is), except that now they don't make that easy either, because often their windows reinstall discs have the same bloatware on them. You can't just install some random windows ISO and use your own product key. Even if the ISO is legitimate, it may not be a version that accepts your product key.
Just let me pay the price, or at least see what that price is.
Lenovo is about to be wiped from the marketplace as a purchase to never make again.
there are circles to Hell, and they aren't in the same class as Sony and Comcast.
Is this where Google+ got their Circles idea from? I wonder if Satan had filed a trademark on Circles in the US?
Our reputation is everything and our products are ultimately how we have our reputation.
This is like Putin saying "Equal rights for gay people are everything". Either you are lying, or you are extremely incompetent.
It's really easy to have a reputation of not putting bloat/spy/ad/malware on your computers. You actually don't have to do *anything* to achieve this reputation. It requires effort to ruin it. Just like it requires effort to harass gay people.
"When asked whether his company vets the software they pre-install on their machines, [Lenovo CTO Peter Hortensius] said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."
Far too little and far, far too late!
If Superfish was merely not "useful", some people would carp about it and most would just ignore it. It is far more dangerous than that because it deliberately behaves in a way that undermines the integrity of the trust system on which internet is based and so jeopardizes the security of the user. To claim that this was done in order to "enhance" the user's experience is cynical beyond belief. I'm certain Hortensius is right when he says that the software was vetted at Lenovo. I'm also quite sure that it performed precisely the way it was intended to. But who on earth thought that was a good idea?
There has to be a price to pay for this major failure of judgement and I can only hope that it is both hefty and that it impacts those at Lenovo who were ultimately responsible for it, Hortensius among them.
licet differant, aequabitur
I don't want to use the tool because I don't want to degrade my enhanced shopping experience. It's just so premium now.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
Great to source, not so great to recieve. Unless you are really into that kind of thing.
You fucking suckhole, at least have the balls to own up to your mistakes. You assholes not only put a shitty MITM attack in the OS, you fucking used the same goddam key so that anyone else could MITM us too?! And not a single person with half a clue ever stood up in that design meeting and asked what a monumental fuck-up that was? Right. Trying to make the "user experience" better by inserting your ads into my TLS-based google searches or my secure bank session? It "wasn't useful"?! Just stop. Stop that nonsense and own your mistakes like a real actual person.
I've been buying and recommending Thinkpads since the late 90's. I'm using one now in fact (thankfully re-imaged, no thanks to the twatwaffles at Lenovo). I'm never going to do either of those things again. I might have if they had said, "You got us, our bad, we're sorry and it won't happen again". But not anymore. Not with the wishy-washy corporate-speak bullshit.
Do not fuck with people's stuff for ad revenue. And if you do and get caught, at least fucking own up to it.
And so now I'm wondering what my next laptop will be. Because it sure as shit isn't going to be a Lenovo...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
My money is on New and Improved SuperUltraFish
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Obviously the "intent" with this tool was not some sort of alutruistic impulse to "improve our customers' shopping experiences"; the "intent" was to collect some tiny payment per PC in exchange for their users giving up some of their piracy.
I'm willing to believe they didn't realize the security implications of this junk, but they might as well admit they play the Crapware game all the consumer PC makers do because it makes them money.
I welcome the day that the FTC actually holds them accountable, and fines the crap out of them. But that will not happen because the last ten or so years China has become the god of exports. They export everything including the fake crap, and the crap that contains enough toxins to ruin kids the rest of their lives. China must be proud of themselves. They would have to be how else can you explain their junk coming over to the USA in record numbers, and the US citizens buying it right and left without even looking at the label, or asking the right questions? Like for instance why is China's goods so much cheaper than anyone else's? How can China get away with shipping goods to the US full of toxins and not suffer any consequences? There is enough stupidity, greed, and ignorance to go around. To tell you the truth I don't know who's bumper to kick anymore. Set up your provisions and line up ...this will take a long time.
Ever since Windows 7 pc's have been loaded with crapware and "enhancing experience" so hard it slows new pc's to a crawl. Almost every OEM has customer feedback background service that does not turn off after answering the user does not want to participate. For all customers I wipe pc's and install it with an MSDN downloaded installation before it is first booted. This has included lenovo machines in the last years. Glad to see I was right to do so. I have access to MSDN If you do not and download elswhere, please compare hashes of downloaded and Original iso files, you do not want to replace your OEM crapware by other malware. pro tip, your windows 8(.1) windows key is stored in the bios and not on a sticker. this can be recovered with "rw-everything", microsoft has official dummy keys you can use while installing (but will not work to activate)
Assuming you want Windows (and not Apple or Linux or BSD or any of a bunch of other suggestions people will make)
From previous statements it sounds like buying the much more expensive "business model" will get this. You may have to do a bulk purchase of dozens of them.
Another suggestion was to buy a system at a Microsoft store. They do have an interest in making Windows not suck.
"As soon as the programmer is finished"
You're a company the size of Lenovo and you've got one dude working on it? Does he get to do QA and deployment too?
//TODO: Insert catchy phrase
It's a wake up call - now can we get rid of those fucking stupid "SSL accelerators" that do the exact same man in the middle attack and are prone to the same problem if somebody who wants your banking details has or gets hold of the details of the cert.
If it's for "business reasons" that a workplace sniffs all the traffic that's supposed to be encrypted then they should consider what a hit Lenovo's business is going to take over this, and how their business would cope if the lawyers from a couple of major banks go after them for interfering with transactions when a hack happens. They'll want blood, and if the perpetrator can't be tracked down they'll happily take the blood of whoever put the stupid "SSL accelerator" box in and the company they work for.
It's fucking insane to listen in to other people's supposedly secret communications unless you are immune to the legal system. That's without even getting into moral implications.
Why not software? When you buy a computer, smart phone, cable or fiber box, or other internet connected gadget, you have no idea what you are getting. The vendor can put in anything they want, as Samsung demonstrated by shipping a smart TV sets that can send out audio and video without any indication to the user.
If consumers were informed what kind of crap was being shipped with their gear, it would go a long way towards cubing this kind of intrusive behavior. Nobody wants a device filled up with junk when they get it, but it's hard, even for Slashdot types, to find out what's in the box before it shows up. A list of add on software that you could see before you buy would make all the difference.
Why is Snark Required?
null