Lenovo To Wipe Superfish Off PCs
An anonymous reader sends news from the Wall Street Journal, where Lenovo CTO Peter Hortensius said in an interview that the company will roll out a software update to remove the Superfish adware from its laptops. "As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it." When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."
Translation: our laptops are for consumers to buy crap online, and not for any kind of serious work.
Good to know!
Finding God in a Dog
It seems like they ought to be offering to send out fresh system restore images to customers, either via download or by DVD-for-a-small-shipping-fee. A tool which promises to remove the offending infection seems inadequate.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Don't forget Acer.
Hardware keylog me once, shame on me...
Someone needs to be fired for this. Someone very high up the corporate ladder. Someone who thinks SuperFish improves the shopping experience. Someone who needs to be blackballed from the industry and die penniless huddled in a cardboard box drinking sterno.
If that doesn't happen, SuperFish and problems like it will continue to happen.
Be fair. Sony and Comcast have both blamed their customers and dallied around in court for quite a while before doing anything, or avoided doing anything in some cases. Lenovo reacted within a day. Lenovo may have taken a fall, but there are circles to Hell, and they aren't in the same class as Sony and Comcast.
Dammit, George W. Bush really has screwed my memory of that saying. =(
The intent of loading this tool was to help enhance our users’ shopping experience.
Shut up. It injects advertising into search engine results, and also has the capability to intercept and hijack SSL/TLS connections to websites, thanks to the installation of a self-signing certificate authority on affected machines. You are not enhancing my shopping experience in any way, but you are doing a great job ruining my computer experience. This is nothing more than classic OEM crapware at its best.
The intent of loading this tool was to help enhance our users’ shopping experience.
The belief that the "shopping experience" of their users needed "enhancing" speaks loudly as to exactly how little Lenovo understands.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
Hmm..... Who would have thought a Chinese company would install software that is capable of spying on laptops? Wonder how the world's secrets keep getting stolen? If you buy a Lenovo and expect anything different, you deserve what you get. This is not the first time, nor will it be the last time. They just got caught this time.
...When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful...
It is a rare occasion when a C-level exec admits that his company has not got a clue about what its customers want.
Since the marketing team are usually the ones responsible for knowing customer needs, will we be seeing a change in Lenovo's executive suite soon, say a new chief marketing officer?
we will provide a tool that removes all traces of the app from people’s laptops;
So how do I trust that:
1. This tool will do as it says
2. You won't repeat the process in the future?
The trust with Lenovo has been broken and I can't see what they can ever do in order to restore it.
I am Slashdot. Are you Slashdot as well?
I will guarantee you that this particular 'update' will only take care of the core OS infection. If you have FF, Opera, or Thunderbird, do not expect this to work. You're stuck fixing those programs and their cert stores on your own.
I wouldn't trust Lenovo, anyways. They can't keep a story straight.
First they say 'Between October and December' and then just a few lines later contradict themselves by saying they stopped in January.
Then they further contradict their words by releasing a security advisory stating they stopped in February.
We know this software has been on Lenovo laptops since June, at the least. So the Oct-Dec statement is a lie. Three straight lies in a row.
Simply put, you cannot trust this company any longer. Their 'fix' is a lie, their statements are lies, and they're trying to save face to avoid the Federal hand of pain bearing down upon them.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
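An added example (not from the thread and not Lenovo's removal tool) that follows up on the point above about the OS fix leaving other certificate stores alone: it audits the Windows root and intermediate stores for a CA whose name mentions "Superfish" and then lists the Mozilla per-profile NSS databases that a Windows-store cleanup would not touch. The profile paths and the subject-name match are assumptions; no certificate thumbprint is assumed, since none is given on the page.

```powershell
# Added example, not part of the original thread or Lenovo's tool.
# Assumes Windows PowerShell with the Cert: drive (Windows 7 and later).
$pattern = 'Superfish'   # match on subject/issuer name; no fingerprint is assumed

# 1. Windows stores: check both the machine-wide and the per-user
#    Trusted Root and Intermediate CA stores.
$storePaths = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
              'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
$hits = foreach ($path in $storePaths) {
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                SelfSigned = ($_.Subject -eq $_.Issuer)   # a root CA signs itself
                NotAfter   = $_.NotAfter
            }
        }
}
if ($hits) {
    Write-Host "Windows certificate store entries matching '$pattern':"
    $hits | Format-Table -AutoSize
    # After reviewing each $hit, it can be removed from its store
    # (LocalMachine stores need an elevated prompt):
    #   Get-ChildItem $hit.Store | Where-Object Thumbprint -eq $hit.Thumbprint | Remove-Item
} else {
    Write-Host "No '$pattern' certificates found in the Windows stores."
}

# 2. Mozilla products keep their own NSS trust store per profile (cert8.db in
#    2015-era builds, cert9.db in later ones). A Windows-store cleanup does not
#    touch these files, so list them for separate inspection in the application.
$profileRoots = @(
    (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'),   # assumed default location
    (Join-Path $env:APPDATA 'Thunderbird\Profiles')        # assumed default location
)
foreach ($root in $profileRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include 'cert8.db', 'cert9.db' -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Host "NSS trust store to audit separately: $($_.FullName)" }
    }
}
```

The listed NSS databases are inspected and cleaned through the application's own certificate manager; the script only locates them.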
http://www.pcworld.com/article...
Samsung also got caught this month injecting ads into TV viewing. They only got caught because they screwed up the algorithm and injected ads into people's personal ad-free videos. And then samsung's genius engineers biffed again by sending the TV microphone pickups back to samsung (which is okay--that's what siri, alexa, cortana, and google do) but doing so unencrypted.
Obviously parasitic ad injection is the single most lucrative way to earn money on the internet. You're doing it just like Google does for nearly all its revenue, selling ads and harvesting click-thru data, but you're doing it without the associated cost of attracting customers with a product. No wonder Lenovo wanted this action.
Some drink at the fountain of knowledge. Others just gargle.
Any competent company should have their own OS image put onto new laptops. This should not affect the corporate world.
Maybe I can get a Lenovo laptop at deep discount and put Mint/KDE on it.
Finding God in a Dog
Our reputation is everything and our products are ultimately how we have our reputation.
Well, they'll miss it then! Their reputation is now that they are a sleazebag company willing to compromise their customers security so they can make a few bucks injecting unwanted advertising, then lying about the security risk when they got caught.
That's a company I will never do business with again.
As soon as the programmer is finished...
Oh boy, another case of testing in production.
So, they only have one at Lenovo? Explains a few things.
February 20, 2015

Dear Andrew,

As you may have heard, select Lenovo consumer notebooks shipped after September 2014 included Superfish Visual Discovery software as a shopping aid to customers. Superfish is a TrustE certified third-party software vendor, with offices in Palo Alto, CA. User feedback on the software was not positive and we received some reports of security concerns.

Please note that Lenovo has NOT loaded this software on any ThinkPad notebooks, nor any desktops, tablets, workstations, servers or smartphones. The only impacted models are the following consumer notebook series: Z-series, Y-Series, U-Series, G-Series, S-Series, Flex-Series, Yoga, Miix and E-Series. If you use any of these Lenovo consumer models in your enterprise, please refer to the Customer Support information below.

While this software does not impact the models typically used by businesses, we wanted to let you know that we take user feedback seriously at Lenovo. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. We make every effort to provide a great user experience for our customers.

We recognize that the Superfish software has caused concern. Lenovo has taken steps to address that concern.

- Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the software is no longer active.
- Lenovo has stopped preloading the software and will not preload this software again in the future.
- Lenovo has provided instructions for uninstalling this software and will soon provide a software removal patch.

For more information on this, or for instructions on Superfish software removal, please visit http://support.lenovo.com/us/e....

We appreciate your confidence in Lenovo.
excitingthingstodo.blogspot.com
But what about next time?
What about other vendors?
The quest to further "monetize" customers that have already paid for a product is one that more and more companies are pursuing. I understand the business reasons behind it, but what about the consumer's rights? Do we have any left? Superfish is an especially egregious example of this problem. It is, in essence, a back door installed into millions of consumer devices. The penalties on a company should be so severe that they couldn't just make it disappear in one quarter, but not so severe that it forces the company into bankruptcy. In other words it needs to be painful enough that other companies will think long and hard about possibly doing something similar, but stopping short of putting the head of the villain on a stick outside the castle walls.
Sadly, I think the extent of the punishment will be a little bad press for a few days, then they'll continue on as if nothing had happened.
Well Mozilla products are defective in this area IMHO. They should use system certificate stores by default rather than their own. On Windows they should use the Windows store, on OSX they should use Keychain and on linux/bsd they should use /etc/ssl.
Shipping their own is confusing for end users and forces them to manage multiple trust locations. I can totally see some people wanting to use a different keystore for their web browser than other software uses and having an option would be nice, but it should NOT be the default let alone the only offered behavior. I write this as a long time Seamonkey user, but this would be my biggest complaint.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Sure, they reacted quickly but it should never have happened in the first place. The damage to the Lenovo brand is permanent. There are plenty of folks who won't buy a Sony product of any kind, for similar reasons.
"Well Mozilla products are defective in this area IMHO. They should use system certificate stores by default rather than their own."
Nope. Having your own cert store protects you if the primary OS cert store gets fucked.
My god it is like the lessons of granular security have just been totally forgotten, these days.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I might agree with you if their initial response hadn't been lying (they claimed that they thoroughly tested and there was no security risk) and designed to avoid taking real responsibility (we did this for you!)
It doesn't matter. That they were willing to do this on low-cost consumer machines indicates a lack of judgement that reflects on all aspects of their company.
No other rational choice.
Dear Lenovo CEO Peter Hortensius.
My shopping experience needs NO enhancements, and especially NO enhancements in the form of additional injected ads. I haven't even started talking about you installing appalling security holes and other crapware on MY new computer.
Your apology has made the situation even worse. I would have appreciated if you said something like "margins on PCs are very thin so we have to take any opportunity to offset the price of Windows licence by installing questionable things on our computers".
Not that I would buy a Lenovo notebook even without this scandal. You do not let users make backup media with a "factory restore" image. If a disk dies, or if somebody wants to install an SSD in his notebook later on, he has to seek out a Lenovo technician to get the image with the OS.
The only way to redeem a little bit of respect would be if you started bundling vanilla OS installation media and media with drivers. Like it was done a long time ago.
Yours truly
*very* pissed off potential customer.
Just fine in bigass-corporate-company land, but the world is bigger than that. A huge amount of US economic activity is in small business, and how many of those have competent IT? This will be a possible opening of a lot of companies for a long time.
They'd already turned the ThinkPad line into boring mass-market hunt-and-peck-optimised DVD ogling boxes. In that sense, I'd written them off years ago.
Really? I have used both IBM and Lenovo ThinkPads and while the Lenovo ones aren't quite as great as what IBM made, they are still vastly superior to any consumer laptop on the market today. You might be thinking of the IdeaPad line, which looks like a ThinkPad to a small degree but isn't nearly the same thing. The ThinkPads are still solid - and someone else pointed out they don't have Superfish on them, either.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
My shopping experience is just fine without active MITM attacks.
The ironic thing is that Lenovo has had a good reputation. They inherited the Thinkpad name, and it used to be that it was the go to brand for laptops before Apple jumped in that market. Plus, business-line Thinkpads are pretty secure, be it a decent TPM implementation, fingerprint scanner, and other items.
I just hope they learn their lesson, and this doesn't pop up again, as their products are quite usable.
It also wouldn't affect the corporate world because business-grade PCs were never infected with it in the first place.
However, the real issue -- the one that makes competent companies completely justified in shit-listing Lenovo -- is the argument that if a company is capable of exercising such poor judgement now, then who knows what other poor judgement they might show in the future. Maybe the next "oops" will be a hardware keylogger in Thinkpads or a compromised WiFi firmware or something.
Lenovo may have backpedaled this time, but the malware only happened to begin with because somebody at Lenovo thought it was a good idea. That, by itself, poses an unacceptable risk to any sane customer.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
"I got news for you if your primary OS cert store gets fucked you are fucked."
Given the history of the NSA and Microsoft, you're better off assuming the OS cert store is fucked in the first place, sir.
There's a good reason to have security on every program with its own rules.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
No, this is not enough. Where is the fucking accountability? The person who proposed this needs to be named, and fired, and any bonuses paid for this need to be taken back.
You are only sorry you got caught with your hands in the cookie jar.
This type of shitty nonsense has been going on for years, and I'm surprised that both Microsoft *AND* Windows users just tolerate it.
*WHY?*
The discussion is far from moot. Security also involves mitigation. By assuming your OS is fucked in the first place, you get programs that should in theory provide more security by using their own stuff instead of the OS, thus mitigating (or outright eliminating in some cases) the specific threat to the point of rendering it useless. Thus, even if the OS isn't actually compromised, you've still greatly managed to increase your security over the baseline.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Isn't that the case with pretty much every consumer-level laptop on the market today?
The HP business laptops do not ship with crapware.
Where the hell is IKANREAD when we need him?!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I don't want you fucking around with my 'shopping experiences'. Please, please do not sell my eyeballs to advertisers and claim (even with a wink and a nod) that you are somehow doing *ME* a favor.
In other news, Superfish has now been added to the Windows Defender malware database.
Sorry, I got nothin. You?
"When asked whether his company vets the software they pre-install on their machines, [Lenovo CTO Peter Hortensius] said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."
Far too little and far, far too late!
If Superfish was merely not "useful", some people would carp about it and most would just ignore it. It is far more dangerous than that because it deliberately behaves in a way that undermines the integrity of the trust system on which the internet is based and so jeopardizes the security of the user. To claim that this was done in order to "enhance" the user's experience is cynical beyond belief. I'm certain Hortensius is right when he says that the software was vetted at Lenovo. I'm also quite sure that it performed precisely the way it was intended to. But who on earth thought that was a good idea?
There has to be a price to pay for this major failure of judgement and I can only hope that it is both hefty and that it impacts those at Lenovo who were ultimately responsible for it, Hortensius among them.
licet differant, aequabitur
You fucking suckhole, at least have the balls to own up to your mistakes. You assholes not only put a shitty MITM attack in the OS, you fucking used the same goddam key so that anyone else could MITM us too?! And not a single person with half a clue ever stood up in that design meeting and asked what a monumental fuck-up that was? Right. Trying to make the "user experience" better by inserting your ads into my TLS-based google searches or my secure bank session? It "wasn't useful"?! Just stop. Stop that nonsense and own your mistakes like a real actual person.
I've been buying and recommending Thinkpads since the late 90's. I'm using one now in fact (thankfully re-imaged, no thanks to the twatwaffles at Lenovo). I'm never going to do either of those things again. I might have if they had said, "You got us, our bad, we're sorry and it won't happen again". But not anymore. Not with the wishy-washy corporate-speak bullshit.
Do not fuck with people's stuff for ad revenue. And if you do and get caught, at least fucking own up to it.
And so now I'm wondering what my next laptop will be. Because it sure as shit isn't going to be a Lenovo...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Obviously the "intent" with this tool was not some sort of altruistic impulse to "improve our customers' shopping experiences"; the "intent" was to collect some tiny payment per PC in exchange for their users giving up some of their privacy.
I'm willing to believe they didn't realize the security implications of this junk, but they might as well admit they play the Crapware game all the consumer PC makers do because it makes them money.
Got found out ...
Yup! One of the clues that Lenovo already knew this was bad software is that it is designed to hijack people's data to inject ads, breaks security, and can't be uninstalled (hence the company is currently working on an uninstaller).
In unrelated news, a murderer that got caught said that the bullet was intended to enhance circulation, but he received negative feedback from his customers, and is working on instructions on how to remove all traces of the bullet (except, of course, for all the damage it already caused).
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways