Slashdot Mirror


Homeland Security Urges Lenovo Customers To Remove Superfish

HughPickens.com (3830033) writes "Reuters reports that the US Department of Homeland Security has advised Lenovo customers to remove "Superfish" software from their computers. According to an alert released through its National Cyber Awareness System the software makes users vulnerable to SSL spoofing and could allow a remote attacker to read encrypted web browser traffic, spoof websites and perform other attacks on Lenovo PCs with the software installed. Lenovo initially said it stopped shipping the software because of complaints about features, not a security vulnerability. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement to Reuters early on Thursday. On Friday, Lenovo spokesman Brion Tingler said the company's initial findings were flawed and that it was now advising customers to remove the software and providing instructions for uninstalling "Superfish". "We should have known about this sooner," Tingler said in an email. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on.""

134 comments

  1. Homeland Security wakes up by hcs_$reboot · · Score: 4, Informative

    "Lenovo began installing Superfish VisualDiscovery software on some of its computers as early as 2010". And Homeland Security, with all their skillful teams, their heavy means, could not figure out that dirty adware before 2015?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Homeland Security wakes up by Anonymous Coward · · Score: 5, Informative

      It isn't enough to bitch about Lenovo. You also have to take to task the investors who have been keeping Superfish the California startup afloat since 2007.

    2. Re:Homeland Security wakes up by Anonymous Coward · · Score: 0

      Not their job.

    3. Re:Homeland Security wakes up by hcs_$reboot · · Score: 1

      Not their job.

      So why do they Urges Lenovo Customers To Remove Superfish now?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:Homeland Security wakes up by Anonymous Coward · · Score: 0

      "The relationship with Superfish is not financially significant; our goal was to enhance the experience for users," the company said in a statement.

      In other words, Lenovo sold out its customers for pennies on the dollar.

    5. Re:Homeland Security wakes up by thegarbz · · Score: 1

      "Lenovo began installing Superfish VisualDiscovery software on some of its computers as early as 2010". And Homeland Security, with all their skillful teams, their heavy means, could not figure out that dirty adware before 2015?

      You assume that homeland security do something useful. The reality is they sit around and wait for some major crisis in the mainstream media. Then they jump up and issue statements, press-releases, and suggestions in a futile attempt to appear relevant and useful.

    6. Re:Homeland Security wakes up by dbIII · · Score: 1

      The NSA has probably been using it as a backdoor. Oh wait, they are the guys with the Star Trek set designer building their operations room? Maybe not then, maybe just focusing on rewarding ex-employees with very lucrative outsourcing gigs.

    7. Re:Homeland Security wakes up by dbIII · · Score: 1

      You assume that homeland security do something useful

      They run FEMA - heck of a job!
      They also send people around to toy shops to check for copyright violations on Rubik's cubes.
      They also ... I've got nothing.

    8. Re:Homeland Security wakes up by Anonymous Coward · · Score: 0

      They also put you on the no fly list without telling you why and good luck getting off it. That list has political abuse, too: Senator Ted Kennedy wound up on it in 2004 (during the GW Bush era) and it took HIM forever to get it fixed; I'm sure that was just a mistake, right? Funny how it wasn't Orrin Hatch that got on the list by mistake...

    9. Re:Homeland Security wakes up by Anonymous Coward · · Score: 0

      and Freedom is Slavery. Got it.

  2. Homeland Security the good guy? by Anonymous Coward · · Score: 0

    No, more like they want to be the only ones able to control your PC and don't appreciate the competition.

  3. DHS Internal Memo (Classified) by Redmancometh · · Score: 1

    Hey! We found a chance to get positive PR! Such a rare occurrence...contact the spin department!

    1. Re:DHS Internal Memo (Classified) by MrL0G1C · · Score: 1, Offtopic

      Exactly, I'm not sure why this story is gracing the front page, I think the initial story and Lenovo removing it story cover it. Also an MS update removes it anyway.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    2. Re:DHS Internal Memo (Classified) by thechemic · · Score: 1

      This needs to be modded up to fucking hilarious!!!!

      --
      Let's make like a bird... and get the flock outta here.
  4. I'd suggest to recommend uninstalling windows too by NotInHere · · Score: 2, Insightful

    as most viruses and trojans today are written for windows.

  5. CA with private key by Anonymous Coward · · Score: 0

    If you can't tell that installing a CA and the private key for it creates a barn door sized security vulnerability, you have no business selling computers with preinstalled software.

  6. Head on? by Anonymous Coward · · Score: 5, Informative

    They've been doing nothing but putting spin on this since it blew up in their face. Claiming they installed it to enhance the user's experience instead of because they were paid to. Claiming there's no security risk. Claiming they stopped it because of complaints of the "features", rather than because their customers believed it to be intrusive and dangerous. Claiming it can be simply and completely removed with a standard uninstall, which does not remove the custom certificate and vulnerability. Retracting statements and making apologies while dodging the actual issue.
    I don't expect many will accept this as a suitable definition of "head on".
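    A defender-side check for the point above, that a standard uninstall leaves the custom certificate in place: an added example, not code from the original post or from Lenovo's removal tool. It lists every certificate in the Windows root stores whose subject or issuer matches a name pattern and can remove the matches after a dry run; the "*Superfish*" pattern is an assumption and should be adjusted to the CA name actually found on the machine.

```powershell
# Added example, not from the thread or from Lenovo's tool.
# Lists (and optionally removes) CA certificates in the Windows root stores
# whose subject or issuer matches a name pattern. Assumption: the leftover
# CA's subject contains "Superfish"; change -NamePattern if it does not.
function Find-SuspectRootCA {
    param(
        [string]$NamePattern = "*Superfish*",   # assumption, see above
        [switch]$Remove,                        # actually delete the matches
        [switch]$DryRun                         # with -Remove: only show what would be deleted
    )
    # Both the machine-wide and the per-user trusted root stores are checked,
    # since a certificate in either one is trusted by the browsers using Windows' store.
    $stores = "Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root",
              "Cert:\LocalMachine\AuthRoot", "Cert:\CurrentUser\AuthRoot"
    foreach ($store in $stores) {
        $hits = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $NamePattern -or $_.Issuer -like $NamePattern }
        foreach ($cert in $hits) {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                # A self-signed certificate sitting in a Root store is a trusted CA:
                # that is the condition the thread is worried about.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
            if ($Remove) {
                # Removing from the LocalMachine stores needs an elevated shell.
                Remove-Item -Path (Join-Path $store $cert.Thumbprint) -WhatIf:$DryRun
            }
        }
    }
}

# Report only; add -Remove -DryRun to preview the deletion, -Remove to delete.
Find-SuspectRootCA | Format-Table -AutoSize
```

Firefox keeps its own certificate store, so this check covers only certificates trusted through Windows.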

    1. Re:Head on? by Mr+D+from+63 · · Score: 3, Insightful

      The best PR move Lenovo could make right now would be to file a lawsuit against Superfish for damages caused.

    2. Re:Head on? by rmdingler · · Score: 1

      They've been doing nothing but putting spin on this since it blew up in their face.

      Spin. Present day corporatese for lies and deception.

      My, how those ugly accusations have been made to sound pretty.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    3. Re:Head on? by Anonymous Coward · · Score: 1

      Yes, they were disingenuous about the intent. The claim that there was no security risk was due to incompetence rather than trying to lie, and to be fair, no one had highlighted the TLS proxy facet until recently and that statement came a significant time ago. I think this is more incompetent bungling than willful maliciousness. For the past that's of no significant comfort, but it does suggest they could learn from their mistakes.

      Besides, Lenovo isn't the only delivery vector here. There's a crap ton of stuff using Komodia and it *all* does this bullshit. Lenovo was the first prominent media party, and Superfish is also not so great, but the real crux of the issue traces back to Komodia.

    4. Re:Head on? by thegarbz · · Score: 1

      I don't expect many will accept this as a suitable definition of "head on".

      In less than a day it has gone from scandal to basically resolved. Let me reword that sentence for emphasis: The company has responded to the issue within a day of complaints. Honestly how many companies have done this? How long was the Sony rootkit an issue before they released an uninstall? 2 years! How long do we wait for major security vulnerabilities to be resolved from the world's largest software vendors? Often months, sometimes that long even after public disclosure.

      PR drones are idiots, if they weren't they would be doing something technical and not be in PR. They are quick to say things that are not necessarily lies but rather just an example of pure ignorance until the problem is resolved. They don't talk to engineers and they apply their limited knowledge at explaining a solution.

      It's not a perfect response but the speed at which this problem is being resolved is definitely fitting of the definition: Head-On.

    5. Re:Head on? by Khyber · · Score: 1

      "In less than a day it has gone from scandal to basically resolved."

      What? Not even close! What about the damage this shit does to OTHER PROGRAMS I INSTALL that Lenovo has no business touching? Their fix DOESN'T FIX THAT.

      And you call the issue resolved? How easy to appease are you?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:Head on? by thegarbz · · Score: 1

      Care to cite examples of ongoing sustained damage that isn't resolved by removing the offending program and the associated SSL certificate?

    7. Re:Head on? by thechemic · · Score: 1

      In less than a day it has gone from scandal to basically resolved

      LMFAO!!! Not even close. It's only been less than a day SINCE YOU HEARD ABOUT IT. They've been in the media for installing Superfish for the last 5 years. It just finally hit mainstream media, and they resolved it in less than a day since it blew up in their faces.

      --
      Let's make like a bird... and get the flock outta here.
    8. Re:Head on? by DingerX · · Score: 1

      And only a month after the first public posting of the vulnerability, in their own forums.

      Some guy accurately describes the vulnerability, complete with screenshots showing a Superfish-signed online banking page, and posts it to the public Lenovo Security-Malware support forum, and they take no public action for 29 days; yet around the same time, they stopped installing the software on new machines. Only when it's a scandal do they first make statements that are designed "to defuse the situation", which, in this case means trying to convince their owners that their dangerously compromised and possibly already-exploited machines are safe, and then (perhaps when someone points out that such statements are only going to increase the price tag from the inevitable class-action suit) do they start behaving properly.

      So, no, that's not a speedy response. As a company selling a product, they are ultimately responsible for everything that product contains. They have a duty of care to make sure that the goods they are supplied do not place their customers at risk. If one of their trusted partners wants to load a Root CA onto their machine, it better have a good security case for it. "Used by major commerce sites", for example, is a good reason; "allows us to break SSL" is a bad one. Ignorance is not an excuse. If Lenovo is not loading up their machines with all the crap they put on it and auditing their installed certificates, they are not doing their duty to the customer.

      If Lenovo tells people their machines are secure, when it has known for a month at least that they weren't, it is making things worse for itself. Saying they don't read their own public support forums, or that the information didn't get to the right person doesn't amount to an excuse so much as an admission of guilt. Claiming that PR flaks are there to give these kinds of messages slanders the job of spokespeople: specific people are assigned precise messages to communicate to the people exactly to avoid statements that would open them up to litigation.

      Right now, we don't know of any security compromises that occurred via Superfish. We may never hear of them, but that doesn't mean that they never occurred.

      Right now, Lenovo seems to have their best PR approach underway: release the uninstallation tool, contact every anti-virus provider on the planet, contact everyone who registered a product with them, and then shut up and start saving pennies for the settlement.

    9. Re:Head on? by Khyber · · Score: 1

      Uh, yea. Trust of ANY program on your computer. Damage is done and continuing to be dealt.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    10. Re:Head on? by Anonymous Coward · · Score: 0

      No excuse. They had a long time to review, check, pen test and otherwise beat on this code to ensure it had no major security bugs. Clearly, they did not. It's not just corporate incompetence, it's the standard corporate "cheaper not to do it, customer as collateral damage" mode. This time they got caught. I hope they get FUCKED as a warning to others.

  7. Re:I'd suggest to recommend uninstalling windows t by hcs_$reboot · · Score: 4, Insightful

    To be fair, 90% OSes in the world are Windows. What do you think would happen if 90% OSes were Linux (besides my complete satisfaction)?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  8. Re:I'd suggest to recommend uninstalling windows t by Anonymous Coward · · Score: 0

    Throwing the baby out with the bathwater has never been an acceptable solution. Troll elsewhere.

  9. Well if by Anonymous Coward · · Score: 0

    If Homeland Security urges it, we surely must comply as good citizens.

  10. Other computer manufactures by ClaraBow · · Score: 3, Interesting

    Does anyone know if other computer manufacturers have used Superfish software? Software installers? Just curious if other manufacturers also bought the sales pitch from the Superfish sales team.

    1. Re:Other computer manufactures by hcs_$reboot · · Score: 1

      According to the wiki only "some" Lenovo are affected. But according to the same page, that fat fish has ~100m users monthly. So it is likely other products are affected...

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Other computer manufactures by FlynnMP3 · · Score: 0

      At least that wikipage has decent references on it. Some portions of wikipedia are no better than getting dating advice from bathroom stall scribblings.

    3. Re:Other computer manufactures by hcs_$reboot · · Score: 1

      At least that wikipage has decent references on it. Some portions of wikipedia are no better than getting dating advice from bathroom stall scribblings.

      [ citation needed ]

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re: Other computer manufactures by Anonymous Coward · · Score: 0

      Loooooololoool funny response

    5. Re:Other computer manufactures by Anonymous Coward · · Score: 0

      Superfish isn't just preinstalled on Lenovo PCs -- it is also bundled with, or installed by, other adware installers/potentially unwanted programs.

      For example, a friend was recently infected by Superfish when he downloaded a fake copy of the Firefox installer. (Was the #1 search result for Firefox on Yahoo through a Yahoo ad purchase).

    6. Re:Other computer manufactures by nyet · · Score: 1

      Superfish is just the tip of the iceberg.

      Corrupting a Windows machine's CA store is very common in "enterprise" environments where your employer wishes to proxy all outgoing SSL/TLS connections.

      The fact that most people are completely unaware of this is disturbing, but unsurprising.

    7. Re:Other computer manufactures by Anonymous Coward · · Score: 0

      Unpopular opinion maybe, but I don't give a shit about this. My corporate desktop is the property of my employer. There's no fucking way I'd ever rely on https from a machine I didn't own.

      This isn't an opinion shared by some of my coworkers, some of which are quite happy to perform online banking on a corporate machine. After trying to educate, I gave up. Some people don't get it, and can't get it. For them, the best thing to happen is android e-banking apps - therefore it all happens on their hardware, and if they get owned it's their fault.

    8. Re:Other computer manufactures by Neil+Boekend · · Score: 1

      My employer is allowed to monitor all I do on their hardware. It is their hardware on their network in the time they pay me for.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  11. Re:I'd suggest to recommend uninstalling windows t by acoustix · · Score: 1

    as most viruses and trojans today are written for windows.

    Are you suggesting that Lenovo couldn't have done this if Linux was preinstalled?

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
  12. More details needed by BlueTrin · · Score: 4, Funny

    The agency could educate the population more. As it stands, this advice is superfishal.

    --
    Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
  13. Unless you want a permanent war footing by eye_blinked · · Score: 1

    This is a consumer protection function. For goodness sake. Give it to the commerce dept.

  14. I've got a Lenovo laptop by Anonymous Coward · · Score: 2, Interesting

    It's a G series consumer model.
    It doesn't have "Superfish", never has had. I followed the manual removal procedure and didn't find any references to it.

    Of course, this is probably only a feature of US Lenovo laptops, Lenovo Europe has probably got an equivalent fishing/manipulation system called something else and are keeping quiet about it. "We don't install Superfish! OhhhNooooooo!!!!!".

    1. Re:I've got a Lenovo laptop by Anonymous Coward · · Score: 0

      Lenovo Europe has probably got an equivalent fishing/manipulation system called something else and are keeping quiet about it.

      No, those of us in European countries tend to have strong consumer protection laws, especially when it comes to data privacy. Selling a computer with this crap on it would be absolutely illegal in Germany and presumably the rest of the EU. As I understand it, America has no such laws to protect the people's rights, that's a shame.

  15. What does this mean by Anonymous Coward · · Score: 0

    Lenovo is a Chinese company. Is this situation our good friend China doing the same things that the NSA and others do for the US? A large amount of computer equipment is made in China so can we trust this stuff? Uninstalling Windows, maybe. Reinstalling Windows clean, yes.

  16. Re:I'd suggest to recommend uninstalling windows t by Anonymous Coward · · Score: 0

    I'd suggest to recommend uninstalling windows too as most viruses and trojans today are written for windows.

    And then what? Install the perpetually buggy OS called Linux? Yeah, that will work out just fine.

  17. Superfish has offices in Palo Alto, California and by Anonymous Coward · · Score: 2, Interesting

    Petah Tiqva, Israel.

  18. Heh by Shoten · · Score: 1

    I think it's interesting that Lenovo posts not just the "Automatic Removal Tool," but also the source code to the tool. What I want to know is this: has anyone compiled it, and managed to get their compile options/environment such that they came up with a binary that matches the downloadable tool?

    --
    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Heh by angryargus · · Score: 2

      On Windows using MSFT's compilers you'll never get the same binary twice. There's timestamps and GUIDs (the latter for uniquely associating a pdb with an executable file). Different file paths to the source tree can also cause differences. Sometimes it's straightforward to pick out & ignore the GUID, timestamp, and checksum bytes that changed, but often not.

  19. Re:Superfish has offices in Palo Alto, California by fph+il+quozientatore · · Score: 1

    Interesting (in a scaring way). I wish I had mod points.

    --
    My first program:

    Hell Segmentation fault

  20. DHS: Please remove superfish by Anonymous Coward · · Score: 0

    As it interferes with our software that pretty much does the same thing.

  21. HS has a mailing list? by Anonymous Coward · · Score: 0

    Yeah, like anyone would sign up for that. Might as well put a neon sign on your house "Please track my every move, for I am a self-identified sheep."

  22. Re:I'd suggest to recommend uninstalling windows t by Richard_at_work · · Score: 1

    What about all those nefarious apps in the Android app store? Do you recommend not using Android either?

  23. Re:I'd suggest to recommend uninstalling windows t by NotInHere · · Score: 1

    Linux would certainly raise the entry level for malware writers, which would make malware writing a less promising market.

  24. Re:I'd suggest to recommend uninstalling windows t by hcs_$reboot · · Score: 1

    +1, that's what I thought.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  25. Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 0, Informative

    If you care about the security of your computers, networks and data, I think you only have one choice: OpenBSD.

    OpenBSD is the only operating system project that has shown it consistently puts forth the emphasis on security, as well as the extremely high level of care needed.

    Not everybody's needs are equal, of course. Not everybody cares about the security of their computers, networks, or data. So they don't have to use OpenBSD.

    But anyone who does give even the slightest damn about security really only has one choice, and that choice is OpenBSD.

    If you consider security to be important, but then you don't use OpenBSD for whatever reason, any negative repercussions are solely your fault.

    So just do the right thing if security matters to you: use OpenBSD!

    1. Re:Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 1

      I use OpenBSD and I like it, but it isn't a magic incantation that keeps Bad Guys away. Poor configuration and third party apps can lead to holes. Now OpenBSD is better than most at controlling some kinds of damage here, but OpenBSD is great at obeying the user, even to a fault. There is an alternative for people who need some more exotic software/hardware support in building their own Linux from toothpicks with Gentoo and hardening, but this takes still more knowledge from the person assembling it. That being said OpenBSD makes a wonderful desktop operating system.

    2. Re: Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 0

      What makes you think openbsd hasn't been corrupted by some third party? Just because of the size of the target? Even squirrels get shot for food, and that's a small target. You are betting on security thru obscurity, not a safe bet.

    3. Re:Just use OpenBSD, for crying out loud! by hcs_$reboot · · Score: 1

      use OpenBSD!

      Actually installing any Linux fragrance would completely wipe out this stinky big fish crap.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 0

      Most people have difficulty installing a damn browser much less an entirely new operating system without shiny knobs to click on install. Most people just don't have the patience or the interest in reading to learn exactly how their computer works. This is a shame, especially as so much of modern life is behind a screen and a keyboard.

    5. Re: Just use OpenBSD, for crying out loud! by dnaumov · · Score: 1

      You're so funny :)

      You would lose 99% of the computer-using population at the "download an installation image from the website and burn it to a CD or make a bootable USB stick". That is before you had to tell them to change the device boot order in BIOS. Which is before they would run into an installer where you can't click on anything and that might as well speak Hebrew to them. Which is before they realized half their hardware isn't recognized. Which is before they realize Flash doesn't work. Etc, etc etc...

    6. Re: Just use OpenBSD, for crying out loud! by Ol+Olsoc · · Score: 0

      What makes you think openbsd hasn't been corrupted by some third party? Just because of the size of the target? Even squirrels get shot for food, and that's a small target. You are betting on security thru obscurity, not a safe bet.

      Silly goose - haven't you heard? FreeBSD is the cure to all problems. To the point where you can say you have a bunion on your foot, yup, FreeBSD will fix that for ya. It's like a modern washday miracle!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:Just use OpenBSD, for crying out loud! by thieh · · Score: 1

      Actually use a different OS for each of your computers. Stuff that can infect your box regardless of which OS you are on pretty much means you are screwed either way. Like investing, diversifying would be a better strategy as the scope of the damage is more limited than in homogeneous systems/networks.

    8. Re: Just use OpenBSD, for crying out loud! by genner · · Score: 1

      What makes you think openbsd hasn't been corrupted by some third party? Just because of the size of the target? Even squirrels get shot for food, and that's a small target. You are betting on security thru obscurity, not a safe bet.

      Silly goose - haven't you heard? FreeBSD is the cure to all problems. To the point where you can say you have a bunion on your foot, yup, FreeBSD will fix that for ya. It's like a modern washday miracle!

      Well you see FreeBSD does everything you need, so there's no need to stand up ever again. So the bunion on your foot won't matter.

    9. Re:Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 0

      Too bad that usability trumps security for pretty much every home system, which knocks OBSD pretty far down the list.

    10. Re:Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 1

      I used to run gentoo hardened on an old computer as a router/gateway. Was quite nice. When you only have essentially the base system, the compile times for updates are not very long at all, and gentoo stable is quite stable, so you only update it once a month or so.

    11. Re:Just use OpenBSD, for crying out loud! by chihowa · · Score: 1

      I've thought about that approach a bit. Diversifying limits the scope of any infection, but it also increases the chance of any individual infection. With a network of heterogeneous systems, you need to also ensure that the network is set up to keep the systems isolated (which is even more important in a homogeneous environment anyway, so no big deal).

      The best approach would be to use whatever OS is best capable of handling a specific task. But if you're not very familiar with each of the OSs deployed on your network, you're better off avoiding it and using something that you can keep updated and hardened.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    12. Re: Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 0

      Right.. And you don't know how to transplant your heart, which is a shame blah blah blah go fuck yourself.

  26. Lenovo by Anonymous Coward · · Score: 0

    Lenovo's behaviour here is disgraceful.

    This is why we need computer hardware that is free and open all the way down to the hardware. At the very least, NO-ONE should buy a Lenovo from now on.

    It's that simple. Lenovo has to be hammered into the ground for this. If you don't think so, then you either work for them or you don't understand the full implications and just how bad this is.

    1. Re:Lenovo by twistedcubic · · Score: 1

      Why not try to rehabilitate them? The Free Software Foundation agrees with your statement "we need computer hardware that is free and open all the way down to the hardware", but instead of sacking them they suggest telling them to "respect user freedom" etc. When I read the changelog from official Thinkpad BIOS updates which include the word "Linux", I'm more encouraged than discouraged about the company.

    2. Re:Lenovo by Anonymous Coward · · Score: 0

      >Why not try to rehabilitate them?

      Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha

      You must be stupid, naive, shilling for Lenovo, or on drugs.

      Rehabilitate a corporation? Rehabilitate a CHINESE corporation?

      Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha

  27. Consumers need to walk by BoRegardless · · Score: 1

    or Run away from companies that literally attempt to cause consumers security problems and consumers should never come back. That's the only way companies are going to learn to be buyer/customer oriented.

  28. Re:I'd suggest to recommend uninstalling windows t by Kjella · · Score: 3, Interesting

    Linux would certainly raise the entry level for malware writers, which would make malware writing a less promising market.

    Today's Linux, maybe. The Linux that's been rewritten so 90%+ of the population will use it... doubtful. You'd probably have to make sudo escalation as easy as UAC escalation and once you run as administrator/root it's pretty much game over no matter what system you're on.

    --
    Live today, because you never know what tomorrow brings
  29. Another possibility.. by byrdfl3w · · Score: 1

    Homeland Security wants you to remove this from your system because something in it is messing with the NSA's ability to easily peer into said system? Just a thought.

    1. Re:Another possibility.. by Lehk228 · · Score: 1

      no they want you to run the update^H^H^H^H^H^Hremoval tool so you can be updated to superfish 2015 which is PRISM-compliant.

      --
      Snowden and Manning are heroes.
  30. List of good\bad CA certificates? by Anonymous Coward · · Score: 0

    Is there a list of good\bad CA certificates?

    Captcha - insures

    1. Re:List of good\bad CA certificates? by Anonymous Coward · · Score: 0

      Sure mate, you can download it off the web somewhere. Via https if you're really paranoid.

  31. Mission creep by bradley13 · · Score: 1

    Why, thank you! I had no idea you cared!

    Homeland security is now an expert on computer security? Will they do as wonderful a job here as they've done at airports? Will Americans soon have to flash their national IDs at the computers before being allowed on the Internet?

    What the devil is Homeland Security doing issuing such a statement? Mission creep to the nth degree...

    --
    Enjoy life! This is not a dress rehearsal.
  32. Remove Superfish! DL our convenient uninstaller! by CanEHdian · · Score: 3, Interesting

    Hello!

    We, your neighbourly friends over at DHS got your back and we've provided a convenient uninstaller for that nasty piece of Chinese spyware a/k/a Superfish. Please indicate if you are a US Citizen/Resident* then click download, run and just click Yes to run as an Administrator. Kthxbye!

    * US Citizens/Residents will be provided by a similar download from our technology partners at gchq-dl.gov.uk.

    --
    When the copyright term is "forever minus a day", live every day like it's the last.
  33. Superfish and other malware by Anonymous Coward · · Score: 0

    This is why when I set up a new PC for a customer, I run a virus sweep and a malware sweep. They put so much other junk on there, I don't trust them to not put crap like this on there too.

  34. A better way to uninstall Superfish by Walter+White · · Score: 5, Informative

    http://windows.microsoft.com/e...

    And get rid of all of the other crapware that Lenovo put on your PC in one fell swoop. No doubt it will take more effort to do it this way but it will also be more complete. (I have no idea if this works outside the US.)

    For further information I would check the ideapad section at notebookreview.com where you can find reinstallation help (including the thread I just started.)

    1. Re:A better way to uninstall Superfish by hcs_$reboot · · Score: 2

      This page seems to work fine for most users.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:A better way to uninstall Superfish by Anonymous Coward · · Score: 0

      work fine for most users.

      Hahahhahahahaha! Good one.

    3. Re:A better way to uninstall Superfish by hcs_$reboot · · Score: 1

      Lenovo has an "advisory" here.

      Superfish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing. However, user feedback was not positive, and we responded quickly and decisively

      What nerve!

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  35. Re:I'd suggest to recommend uninstalling windows t by Ol+Olsoc · · Score: 2

    To be fair, 90% OSes in the world are Windows. What do you think would happen if 90% OSes were Linux (besides my complete satisfaction)?

    I can't say for sure - but I doubt people would be touting the security of Windows.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  36. Windows Defender takes care of it already by jones_supa · · Score: 3, Informative

    Superfish has been added to malware database of Windows Defender (the integrated virus protection of Windows). A lot of Windows machines are already ringing alarm bells.

    1. Re:Windows Defender takes care of it already by dbIII · · Score: 1

      But does it actually remove it or just ring the alarm bells? I haven't been very impressed with Windows Defender but maybe it has improved.

    2. Re:Windows Defender takes care of it already by radarskiy · · Score: 1

      Let me just download this Windows Defender update so it can clear off the program that does MITM attacks... oh, wait...

    3. Re:Windows Defender takes care of it already by jones_supa · · Score: 1

      Defender quarantines the software and asks what to do. It knows how to fully remove Superfish too and that is the default recommended action.

    4. Re:Windows Defender takes care of it already by dbIII · · Score: 1

      Including the certs?

    5. Re:Windows Defender takes care of it already by jones_supa · · Score: 1

      Yes.

    6. Re:Windows Defender takes care of it already by nyet · · Score: 1

      Why doesn't windows defender alert you when your employer pushes their proxy's CA into your work machine's trusted CA list via group policy push?

    7. Re:Windows Defender takes care of it already by jones_supa · · Score: 1

      Good question. Why doesn't Defender in general monitor the OS certificate pool more rigorously?

    8. Re:Windows Defender takes care of it already by dbIII · · Score: 1

      Good stuff.
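
The question in this thread about why nothing watches the OS certificate pool has a simple defender-side answer: keep a baseline of the trusted root stores and diff against it. The script below is an added example, not code from the thread, from Lenovo or from Microsoft. It assumes a baseline file path of `C:\secops\root-baseline.json` (a placeholder) and a first run with `-WriteBaseline` on a machine you trust; later runs report any root that has appeared since, which is exactly the kind of change an adware install such as Superfish makes.

```powershell
# Added example: baseline-and-diff audit of the Windows trusted root stores.
# Assumptions (not from the thread): baseline path below is a placeholder,
# and the first run is done with -WriteBaseline on a known-clean machine.
param(
    [string]$BaselinePath = "C:\secops\root-baseline.json",
    [switch]$WriteBaseline
)

# Collect every trusted root from both the machine-wide and the per-user store;
# an adware installer running as the logged-in user can write to either.
$roots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter.ToString('s')
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

if ($WriteBaseline) {
    $roots | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    "Baseline written: $($roots.Count) roots"
    return
}

# Load the baseline and index it by store + thumbprint.
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($b in $baseline) { $known["$($b.Store)|$($b.Thumbprint)"] = $true }

# Report every root that is not in the baseline. A new root whose private key
# is also held locally gets a stronger flag: a local TLS-interception proxy
# has to sign with the root it installed, so that combination is the one
# that turns a trust-store change into a man-in-the-middle capability.
foreach ($r in $roots) {
    $key = "$($r.Store)|$($r.Thumbprint)"
    if (-not $known.ContainsKey($key)) {
        $flag = if ($r.HasPrivateKey) { 'NEW ROOT WITH LOCAL PRIVATE KEY' } else { 'NEW ROOT' }
        "[{0}] {1} {2} (issuer {3}, store {4})" -f $flag, $r.Thumbprint, $r.Subject, $r.Issuer, $r.Store
    }
}
```

Run it once with `-WriteBaseline` after a clean install, then schedule the plain form and ship its output to whatever collects your logs; Windows also refreshes Microsoft-distributed roots on its own, so expect some benign additions and update the baseline when you have confirmed them.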

  37. Re:I'd suggest to recommend uninstalling windows t by hcs_$reboot · · Score: 1

    Are you suggesting that Lenovo couldn't have done this if Linux was preinstalled?

    Lenovo wouldn't have dared to do it.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  38. Re:I'd suggest to recommend uninstalling windows t by ColdWetDog · · Score: 1

    Wut? I know Linus is a bit of a hard case, but I kinda doubt that Lenovo shivers in their corporate boots every time they hear his name mentioned.

    --
    Faster! Faster! Faster would be better!
  39. Wait... if Homeland Security says it's bad.. by Anonymous Coward · · Score: 0

    Now I'm all confused. Should we remove this crap or is it actually beneficial to us?
    They wouldn't want us to get rid of it if it was horrific and privacy-devastating.

  40. Re:Remove Superfish! DL our convenient uninstaller by OzPeter · · Score: 0

    that nasty piece of Chinese spyware a/k/a Superfish.

    If anything, the technology behind Superfish is Israeli

    --
    I am Slashdot. Are you Slashdot as well?
  41. Re:I'd suggest to recommend uninstalling windows t by hcs_$reboot · · Score: 1

    Maybe not. But such crapware would have been detected much faster on Linux.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  42. Re: I'd suggest to recommend uninstalling windows by Billly+Gates · · Score: 0

    Easy. Shit ware, Trojaned app stores, and fake certificates would come pre-installed on them with Linux too.

    Folks, put your Linux advocacy aside, as Linux has Trojans too. They simply aren't targeted, as Linux users are smarter and can delete them. Not because modern Windows is somehow less secure.

    Hasn't been true since XP SP 1 died. Windows today is as secure if not more than linux design wise. It has ACL lists, low rights sandboxing options and so on.

  43. "thoroughly" by Anonymous Coward · · Score: 0

    We have thoroughly investigated this technology..... the company's initial findings were flawed

    I don't think thoroughly means what he thinks it means.

  44. Re:I'd suggest to recommend uninstalling windows t by present_arms · · Score: 2

    Number one reason not to use Ubuntu and anything that uses SUDO in a way that it uses the same password as your username password, it's fucking stupid, kill sudo and use SU with a proper root password that's different to your user password. Ubuntu should be shamed for using sudo in such a stupid fashion.

    --
    http://chimpbox.us
  45. Re:I'd suggest to recommend uninstalling windows t by Anonymous Coward · · Score: 0

    SystemD gives you complete satisfaction?

    [Groans internally]

  46. Re:I'd suggest to recommend uninstalling windows t by hcs_$reboot · · Score: 1

    systemd's relative importance has been discussed here on this very site. It's deemed overrated.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  47. Re:I'd suggest to recommend uninstalling windows t by Anonymous Coward · · Score: 0

    We would be complaining about systemd?

  48. SMH by Anonymous Coward · · Score: 0

    "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,"

    Everyone involved in the investigation needs fired because they fucking suck at their job.

  49. Superfish also installed in FVD Firefox addon. by Anonymous Coward · · Score: 1

    The last time I checked Superfish was installed in the Flash Video Downloader available from the official Mozilla Addons download website.

    In the FVD source I have locally, the files of interest are superfish_titles.txt and superfish.js which are both in the modules/ directory.

    1. Re:Superfish also installed in FVD Firefox addon. by Anonymous Coward · · Score: 0

      That's the FVD Android addon BTW.

      I can't remember if it shares the same codebase with FVD desktop or not.

  50. DHS red alert! by vm146j2 · · Score: 1

    Because, just like with robbery, the government hates competition.

    --
    "Lost time is not found again."
  51. Re:I'd suggest to recommend uninstalling windows t by chihowa · · Score: 1

    For the typical Windows/Mac/Ubuntu user who would install malware, the only time they ever type an OS-related password on their system is to perform superuser tasks. Most people don't use passwords on their personal computers and have automatic login set up. The fact that the sudo password is the same as their account password is irrelevant because they only ever use it to perform superuser tasks anyway.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  52. Not after systemd by Anonymous Coward · · Score: 0

    Not after systemd

  53. Re:I'd suggest to recommend uninstalling windows t by blueg3 · · Score: 3, Insightful

    That may be true.

    It's not applicable in this case, because this is OEM-installed adware. Everything it does can be implemented just fine on a Linux system. The solution is really the same for this sort of thing regardless of whether you're talking Windows or Linux -- don't use the OEM-provided pile of crapware that comes with the machine; install a brand-new copy of just the OS.

  54. Re:Systemd? by Anonymous Coward · · Score: 0

    > Linux would certainly raise the entry level for malware writers

    You mean the Linux with Systemd or the one without?

    Ah, systemd: the gateway that would control everything. Wait until it turns up to have a special hidden hook for doing MITM attacks.

  55. I smell a class action by MillionthMonkey · · Score: 1

    Someone needs to sue these dicks- if I had to repair my computer for national security reasons because of someone's incompetent malfeasance, I would want to get paid for the time wasted. If you're a lawyer specializing in class action suits, this warning from the DHS is like a Superfish on a platter!

  56. Re:I'd suggest to recommend uninstalling windows t by NotInHere · · Score: 1

    true.

  57. Re:Remove Superfish! DL our convenient uninstaller by Anonymous Coward · · Score: 0

    You were modded down (gee I wonder why) but Komodia is Israeli for sure. I'd be thoroughly surprised if Mossad wasn't somehow involved. No wonder DHS has issued guidance and Microsoft has incorporated Superfish into their own malware detection products, all within 24 hours of the story breaking.

    NSA may pass a lot of unfiltered intel to Israel, but it doesn't like to be upstaged on its own turf.

    Registry Registrant ID:
    Registrant Name: Barak Weichselbaum
    Registrant Organization: Komodia
    Registrant Street: 101 East Town St Suite 540
    Registrant City: Pardesia
    Registrant State/Province: Pardesia
    Registrant Postal Code: 42815
    Registrant Country: IL
    Registrant Phone: +00.6142772739
    Registrant Phone Ext:
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email: barak@komodia.com
    Registry Admin ID:
    Admin Name: Barak Weichselbaum
    Admin Organization: Komodia
    Admin Street: 101 East Town St Suite 540
    Admin City: Pardesia
    Admin State/Province: Pardesia
    Admin Postal Code: 42815
    Admin Country: IL
    Admin Phone: +00.6142772739
    Admin Phone Ext:
    Admin Fax:
    Admin Fax Ext:
    Admin Email: barak@komodia.com

  58. Linux or other OS by Anonymous Coward · · Score: 0

    I just love watching threads like this.
    Haven't used Windows for 10 years now, and I finally understand the true meaning of schadenfreude.

  59. Re:Remove Superfish! DL our convenient uninstaller by Anonymous Coward · · Score: 0

    Israeli? The company is in California. Let me guess...anti-Semite who is afraid?

  60. Re:I'd suggest to recommend uninstalling windows t by Anonymous Coward · · Score: 0

    I guess it's not obvious to most users that you could set up an admin account for maintenance and installing stuff, while using a personal account for lolcats and 420noscope bazing. It doesn't take that much technical knowledge, you know.

  61. Re:I'd suggest to recommend uninstalling windows t by rtb61 · · Score: 1

    That 90% OSes is of course, one great big fat lie. Let's try and count mobile devices in that, as they greatly outnumber desktops, and that doesn't include servers either. So yeah, Windows, they are well below 50% and falling fast with regard to OS installations. When it comes to Lenovo and Superfish and their intent was to 'supplement the shopping experience', seriously piss off you public relations shit heads, that makes them a dead product manufacturer for at least a decade, simply not to be trusted, redirecting searches, hidden and hard to remove, simply totally and grossly unacceptable, anybody who buys any of the products even from a bargain bin is foolish.

    --
    Chaos - everything, everywhere, everywhen
  62. Hypocrisy unlimited by terrywirth5 · · Score: 1

    DHS wants a few thousand Lenovo PC owners to do this while their cronies are hacking and spying on everybody worldwide whether they own a PC, smartphone or not. Look over there! A Chinaman named Lenovo and you should be very afraid! Sick. Of. It.

  63. "...if 90% OSes were Linux..." by tlambert · · Score: 1

    To be fair, 90% OSes in the world are Windows. What do you think would happen if 90% OSes were Linux (besides my complete satisfaction)?

    Then the year of the Linux desktop would be 3 years away instead of 5 years away.

  64. Too late. by tlambert · · Score: 1

    Too late.

    If it's already been exploited to install other malware, removing the loader for that malware isn't going to get rid of the malware that came in while the door was being held open by Superfish.

  65. Mission creep is what they ARE by dbIII · · Score: 1

    That Uber department is a whole lot of other stuff mashed together and then expanding.
    Enforcing copyright on Rubik's cubes - that's them. Disaster recovery - that's them.

  66. Re:Remove Superfish! DL our convenient uninstaller by dbIII · · Score: 1

    It's Californian spyware.

  67. Dirty little spammer goes corporate by dbIII · · Score: 1

    I met a spammer once when I was out of work and thought I'd take anything. He had a similar attitude to the above quote and said he was just informing people of the options available for porn and penis enlargement. Turns out I wasn't quite ready to take anything, but maybe mostly because it didn't look like I could trust him to pay me either.

  68. Re:I'd suggest to recommend uninstalling windows t by Anonymous Coward · · Score: 0

    90% are not Windows.

    Apple has around 13% of the desktop market share, Linux has around 2-3%.

    And when it comes to mobiles/tablets, Microsoft doesn't basically exist at all.

  69. Re:I'd suggest to recommend uninstalling windows t by rdnetto · · Score: 1

    Not even today's Linux. How many distros actually have AppArmor/SELinux enabled?

    --
    Most human behaviour can be explained in terms of identity.
  70. Re:I'd suggest to recommend uninstalling windows t by lager_monste · · Score: 1

    Yeah right,
    I remind you of the rant Linus Torvalds had with SUSE where his daughter needed to know the root password to install printers.

    I think a not so super level is required for limited system change rights.

  71. Re:Remove Superfish! DL our convenient uninstaller by Infiniti2000 · · Score: 1

    No, the company has offices in both Palo Alto and in Israel. The CEO and co-founder was born in Israel. The company itself was founded in Israel.

  72. Re:I'd suggest to recommend uninstalling windows t by Anonymous Coward · · Score: 0

    > You'd probably have to make sudo escalation as easy as UAC escalation

    Naw, we just have to wait until the holes in systemd (either intentional or inadvertent/as yet unfound by testing or use) get exploited and then all hell will break loose.

    Ducks, reaches for popcorn.