Homeland Security Urges Lenovo Customers To Remove Superfish
HughPickens.com (3830033) writes "Reuters reports that the US Department of Homeland Security has advised Lenovo customers to remove "Superfish" software from their computers. According to an alert released through its National Cyber Awareness System the software makes users vulnerable to SSL spoofing and could allow a remote attacker to read encrypted web browser traffic, spoof websites and perform other attacks on Lenovo PCs with the software installed. Lenovo initially said it stopped shipping the software because of complaints about features, not a security vulnerability. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement to Reuters early on Thursday. On Friday, Lenovo spokesman Brion Tingler said the company's initial findings were flawed and that it was now advising customers to remove the software and providing instructions for uninstalling "Superfish". "We should have known about this sooner," Tingler said in an email. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on.""
"Lenovo began installing Superfish VisualDiscovery software on some of its computers as early as 2010". And Homeland Security, with all their skillful teams, their heavy means, could not figure out that dirty adware before 2015?
Slashdot, fix the reply notifications... You won't get away with it...
They've been doing nothing but putting spin on this since it blew up in their face. Claiming they installed it to enhance the user's experience instead of because they were paid to. Claiming there's no security risk. Claiming they stopped it because of complaints of the "features", rather than because their customers believed it to be intrusive and dangerous. Claiming it can be simply and completely removed with a standard uninstall, which does not remove the custom certificate and vulnerability. Retracting statements and making apologies while dodging the actual issue.
I don't expect many will accept this as a suitable definition of "head on".
If you care about the security of your computers, networks and data, I think you only have one choice: OpenBSD.
OpenBSD is the only operating system project that has shown it consistently puts forth the emphasis on security, as well as the extremely high level of care needed.
Not everybody's needs are equal, of course. Not everybody cares about the security of their computers, networks, or data. So they don't have to use OpenBSD.
But anyone who does give even the slightest damn about security really only has one choice, and that choice is OpenBSD.
If you consider security to be important, but then you don't use OpenBSD for whatever reason, any negative repercussions are solely your fault.
So just do the right thing if security matters to you: use OpenBSD!
http://windows.microsoft.com/e...
And get rid of all of the other crapware that Lenovo put on your PC in one fell swoop. No doubt it will take more effort to do it this way but it will also be more complete. (I have no idea if this works outside the US.)
For further information I would check the ideapad section at notebookreview.com where you can find reinstallation help (including the thread I just started.)
Superfish has been added to the malware database of Windows Defender (the integrated virus protection of Windows). A lot of Windows machines are already ringing alarm bells.