Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lenovo To Wipe Superfish Off PCs

Posted by Soulskill on from the cleaning-up-a-mess dept.

An anonymous reader send news from the Wall Street Journal, where Lenovo CTO Peter Hortensius said in an interview that the company will roll out a software update to remove the Superfish adware from its laptops. "As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it." When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."

28 of 266 comments (clear)

  1. The lesson here by MAXOMENOS · · Score: 5, Insightful

    The feedback from users was that it wasn’t useful, and that’s why we turned it off.

    Translation: our laptops are for consumers to buy crap online, and not for any kind of serious work.

    Good to know!

    --
    Finding God in a Dog
    1. Re:The lesson here by Anonymous Coward · · Score: 5, Informative

      From a partner email regarding the SuperFish software:

      "Please note that Lenovo has NOT loaded this software on any ThinkPad notebooks, nor any desktops, tablets, workstations, servers or smartphones. The only impacted models are the following consumer notebook series: Z-series, Y-Series, U-Series, G-Series, S-Series, Flex-Series, Yoga, Miix and E-Series."

    2. Re:The lesson here by penix1 · · Score: 4, Insightful

      Obviously they care about people like me, because they're taking steps to fix the situation rather than ignoring it.

      Well, since the crapware came pre-installed, to really show they care they AREN'T providing you with a new system image with it removed. Instead, you are left to remove it yet again if you ever have to reset to factory....Yay Lenovo!

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    3. Re:The lesson here by mea_culpa · · Score: 4, Interesting

      There is a lot of truth to that statement.
      It was the cheaper consumer models that were affected. Retail profit margins are so thin that manufacturers and retailers make up for it with preloaded crapware.

      Lenovo's business products were not affected by this as these aren't usually preloaded with crap.
      The same goes for other manufactures too. Dell and HP both offer cheap crapware infested models, along with pricier crap free business models.

      You do get what you pay for.

    4. Re:The lesson here by MightyMartian · · Score: 4, Insightful

      They're taking steps to fix the situation, after having been busted putting spyware on them. That doesn't exactly make them sound honorable.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:The lesson here by geekmux · · Score: 4, Insightful

      I have a lenovo laptop, it does serious work just fine. Obviously they care about people like me, because they're taking steps to fix the situation rather than ignoring it.

      "Our reputation is everything"

      They care about saving face because they were caught which can directly impact sales. It doesn't mean they're going to uninstall the other crapware you're not bitching about right now. When that goes viral, they might remove it then, but make no mistake as to their overall intent of ensuring as many revenue streams as possible.

    6. Re:The lesson here by Jawnn · · Score: 4, Insightful

      There is a lot of truth to that statement. It was the cheaper consumer models that were affected. Retail profit margins are so thin that manufacturers and retailers make up for it with preloaded crapware.

      Lenovo's business products were not affected by this as these aren't usually preloaded with crap.

      So you say, and I am inclined to believe it is so. Nevertheless, Lenovo has demonstrated, in clear and undeniable terms, that profit outweighs the needs of their customers, including the need to have a secure and trustworthy computing platform. The have violated that trust.
      "And for that reason, I'm out."

    7. Re:The lesson here by Jawnn · · Score: 4, Insightful

      They're taking steps to fix the situation, after having been busted putting spyware on them. That doesn't exactly make them sound honorable.

      Worse than just spyware, far worse. They installed a trivially easy-to-exploit vulnerability which affects the security of every web app their customers might ever use.

    8. Re:The lesson here by quetwo · · Score: 4, Insightful

      Except on most of those Signature Edition PCs, they still include a trial of Office 365 :) The HP's on the site have pre-loaded software that help you buy ink. So, it's halfway true...

      It's just other people's trialware or junkware they don't include.

    9. Re:The lesson here by TsuruchiBrian · · Score: 4, Insightful

      Every company's primary goal is maximizing profit. The only difference is between strategy. Some companies try to maximize profits by cutting their own costs by being efficient and making a superior product that customers actually want. Some companies try to maximize profits by bribing politicians to pass laws hindering their competitors. Some companies try to maximize profits by tricking people (e.g. tricking them into buying products that are not as good as advertized).

      If the trust that you had violated was your trust that a corporation valued profit over you, then it's time to stop being a consumer and to start farming in your back yard.

      Asking a corporation to value it's customers more than profit is like asking you to value a corporation more than your children. Neither party should be under the false pretense of the other having unconditional loyalty. This is a mutually beneficial business arrangement that is ended the second either side realizes it is no longer beneficial to them.

      What I am getting at is that the problem is not that they placed profit above you. Every corporation (even the good ones) do that. The problem is that they tricked you. "Good" companies don't trick people, not because the don't value profit above all else, but because unlike Lenovo, they actually do care about their reputation (as a means to profit).

  2. Seems like they should send out DVDs by drinkypoo · · Score: 4, Insightful

    It seems like they ought to be offering to send out fresh system restore images to customers, either via download or by DVD-for-a-small-shipping-fee. A tool which promises to remove the offending infection seems inadequate.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Accountability by Anonymous Coward · · Score: 5, Interesting

    Someone needs to be fired for this. Someone very high up the corporate ladder. Someone who thinks SuperFish improves the shopping ecperience. Someone who needs to be blackballed from the industry and die penniless huddled in a cardboard box drinking sterno.

    If that doesn't happen, SuperFish and problems like it will continue to happen.

  4. Re:Sony Comcast Level Reputation by Aristos+Mazer · · Score: 5, Insightful

    Be fair. Sony and Comcast have both blamed their customers and dallied around in court for quite a while before doing anything, or avoided doing anything in some cases. Lenovo reacted within a day. Lenovo may have taken a fall, but there are circles to Hell, and they aren't in the same class as Sony and Comcast.

  5. That's a stretch by jones_supa · · Score: 5, Insightful

    The intent of loading this tool was to help enhance our users’ shopping experience.

    Shut up. It injects advertising into search engine results, and also has the capability to intercept and hijack SSL/TLS connections to websites, thanks to the installation of a self-signing certificate authority on affected machines. You are not enhancing my shopping experience in any way, but you are doing a great job ruining my computer experience. This is nothing more than classic OEM crapware at its best.

    1. Re:That's a stretch by DarkOx · · Score: 4, Insightful

      The first followup question should be; did / do you have Superfish installed on YOUR computer? I would be really interested to hear how much he valued this 'enhanced shopping experience'.

      The simple fact is they willfully shipped spyware. Beyond that they willfully shipped spyware with the potential to compromise one of the most fundamental security mechanisms Internet users rely on, SSL/TSL by inserting itself into the authentication chain. Beyond that the Superfish spyware did compromise SSL/TLS because the private key it uses to generate proxy certificates was poorly protected.

      So on the first count we might excuse them, everybody does it although its still slimy. On the second count they should have know they were crossing a line and entering deep scumbag territory. On the third count well, again I guess everybody does it.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  6. Root Cause by zieroh · · Score: 5, Insightful

    The intent of loading this tool was to help enhance our users’ shopping experience.

    The belief that the "shopping experience" of their users needed "enhancing" speaks loudly as to exactly how little Lenovo understands.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
    1. Re:Root Cause by kat_skan · · Score: 5, Informative

      The belief that the "shopping experience" of their users needed "enhancing" speaks loudly as to exactly how little Lenovo understands.

      They don't believe that. They believe their customers are stupid enough to believe it.

  7. Trust has been broken by OzPeter · · Score: 4, Insightful

    we will provide a tool that removes all traces of the app from people’s laptops;

    So how I do trust that:

    1. This tool will do as it says
    2. You won't repeat the process in the future?

    The trust with Lenovo has been broken and I can't see what they can ever do in order to restore it.

    --
    I am Slashdot. Are you Slashdot as well?
  8. Useless by Khyber · · Score: 5, Informative

    I will guarantee you that this particular 'update' will only take care of the core OS infection. If you have FF, Opera, or Thunderbird, do not expect this to work. You're stuck fixing those programs and their cert stores on your own.

    I wouldn't trust Lenovo, anyways. They can't keep a story straight.

    First they say 'Between October and December' and then just a few lines later contradict themselves by saying they stopped in January.

    Then they further contradict their words by releasing a security advisory stating they stopped in February.

    We know this software has been on Lenovo laptops since June, at the least. So the Oct-Dec statement is a lie. Three straight lies in a row.

    Simply put, you cannot trust this company any longer. Their 'fix' is a lie, their statements are lies, and they're trying to save face to avoid the Federal hand of pain bearing down upon them.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  9. Don't forget samsung by goombah99 · · Score: 5, Informative

    http://www.pcworld.com/article...

    Samsung also got caught this month injecting ads into TV viewing. They only got caught because they screwed up the algorithm and injected ads into people's personal ad-free videos. And then samsung's genius engineers biffed again by sending the TV microphone pickups back to samsung (which is okay--that's what siri, alexa, cortana, and google do) but doing so unencrypted.

    Obviously parasitic ad injection is the the single most lucrative way to earn money on the internet. Your doing it just like google does for nearly all its revenue, selling ads and harvesting click-thru data, but your doing it without the associated cost of attracting customers with a product. No wonder Lenovo wanted this action.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Don't forget samsung by mlts · · Score: 4, Interesting

      Ad injection is quite lucrative. This is what entire companies like Phorm which intercepts in-flight connections and inserts ads.

      As for ad injection like this, I've seen a number of consumer level PCs route traffic through a local proxy, installing Web browser add-ons to keep the browser switched to the proxy and to inject their own SSL key. The fix was removal, and even then, there were processes that had to be stopped via autoruns, as well as blocked from phoning home via the Windows Firewall (so there wasn't a chance they could do damage even if restarted.)

      The exception to this seems to be HP, which might have sample programs on it (Norton, for example), but no crapware that loads in Web browser add-ons. It actually was a shock seeing a new HP consumer laptop actually in a usable state out of the box, without having to go swinging at what starts up with the autoruns pickaxe.

      The problem is that companies face zero negative consequences for adding intrusive software like this onto a machine. Joe Sixpack won't know or care that his search engine gets redirected through some no-name third party site so his google search page has flash ads. With the private key out, he won't realize that his banking stuff is compromised until his bank account gets drained.

      The fix? As a consumer, either bring your own OS and completely wipe and reinstall the box, or buy a business-line version. Lenovo would not dare to try installing anything like this on the Thinkpad line, just like Dell's Latitude line, and HP's EliteBook line. Of course, there is always Apple, which seems expensive, but if one compares like for like, a MacBook Pro actually has a price advantage to a comparable business line HP or Dell with the same features and chipset.

  10. On the bright side by MAXOMENOS · · Score: 4, Funny

    Maybe I can get a Lenovo laptop at deep discount and put Mint/KDE on it.

    --
    Finding God in a Dog
  11. Reputation by JohnFen · · Score: 4, Informative

    Our reputation is everything and our products are ultimately how we have our reputation.

    Well, they'll miss it then! Their reputation is now that they are a sleazebag company willing to compromise their customers security so they can make a few bucks injecting unwanted advertising, then lying about the security risk when they got caught.

    That's a company I will never do business with again.

  12. Re:Only a partial removal? by DarkOx · · Score: 4, Insightful

    Well Mozilla products are defective in this area IMHO. They should system certificate stores by default rather than their own. On Windows they should the windows store, on OSX they should keychain and on linux/bsd they should use /etc/ssl

    Shipping their own is confusing for end users and forces them to manage multiple trust locations. I can totally see some people wanting to use a different keystore for their web browser than other software uses and having an option would be nice, but it should NOT be the default let alone the only offered behavior. I write this as a long time Seamonkey user, but this would be my biggest complaint.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  13. Re:Banned from our approved vendors list by JohnFen · · Score: 4, Insightful

    It doesn't matter. That they were willing to do this on low-cost consumer machines indicates a lack of judgement that reflects on all aspects of their company.

  14. Re:Banned from our approved vendors list by MickyTheIdiot · · Score: 4, Insightful

    Just fine in bigass-corporate-company land, but the world is bigger than that. A huge amount of US economic activity is in small business, and how many of those have competent IT? This will be a possible opening of a lot of companies for a long time.

  15. Re:Banned from our approved vendors list by mrchaotica · · Score: 4, Insightful

    It also wouldn't affect the corporate world because business-grade PCs were never infected with it in the first place.

    However, the real issue -- the one that makes competent companies completely justified in shit-listing Lenovo -- is the argument that if a company is capable of exercising such poor judgement now, then who knows what other poor judgement they might show in the future. Maybe the next "oops" will be a hardware keylogger in Thinkpads or a compromised WiFi firmware or something.

    Lenovo may have backpedaled this time, but the malware only happened to begin with because somebody at Lenovo thought it was a good idea. That, by itself, poses an unacceptable risk to any sane customer.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  16. Re:Got found out ... by Anonymous Coward · · Score: 5, Informative

    In other news, Superfish has now been added to the Windows Defender malware database.