Slashdot Mirror


Homeland Security Urges Lenovo Customers To Remove Superfish

HughPickens.com (3830033) writes "Reuters reports that the US Department of Homeland Security has advised Lenovo customers to remove "Superfish" software from their computers. According to an alert released through its National Cyber Awareness System the software makes users vulnerable to SSL spoofing and could allow a remote attacker to read encrypted web browser traffic, spoof websites and perform other attacks on Lenovo PCs with the software installed. Lenovo initially said it stopped shipping the software because of complaints about features, not a security vulnerability. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement to Reuters early on Thursday. On Friday, Lenovo spokesman Brion Tingler said the company's initial findings were flawed and that it was now advising customers to remove the software and providing instructions for uninstalling "Superfish". "We should have known about this sooner," Tingler said in an email. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on.""

19 of 134 comments

  1. Homeland Security wakes up by hcs_$reboot · · Score: 4, Informative

    "Lenovo began installing Superfish VisualDiscovery software on some of its computers as early as 2010". And Homeland Security, with all their skillful teams, their heavy means, could not figure out that dirty adware before 2015?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Homeland Security wakes up by Anonymous Coward · · Score: 5, Informative

      It isn't enough to bitch about Lenovo. You also have to take to task the investors who have been keeping Superfish the California startup afloat since 2007.

  2. I'd suggest to recommend uninstalling windows too by NotInHere · · Score: 2, Insightful

    as most viruses and trojans today are written for windows.

  3. Head on? by Anonymous Coward · · Score: 5, Informative

    They've been doing nothing but putting spin on this since it blew up in their face. Claiming they installed it to enhance the user's experience instead of because they were paid to. Claiming there's no security risk. Claiming they stopped it because of complaints of the "features", rather than because their customers believed it to be intrusive and dangerous. Claiming it can be simply and completely removed with a standard uninstall, which does not remove the custom certificate and vulnerability. Retracting statements and making apologies while dodging the actual issue.
    I don't expect many will accept this as a suitable definition of "head on".

    1. Re:Head on? by Mr+D+from+63 · · Score: 3, Insightful

      The best PR move Lenovo could make right now would be to file a lawsuit against Superfish for damages caused.

  4. Re:I'd suggest to recommend uninstalling windows t by hcs_$reboot · · Score: 4, Insightful

    To be fair, 90% OSes in the world are Windows. What do you think would happen if 90% OSes were Linux (besides my complete satisfaction)?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  5. Other computer manufacturers by ClaraBow · · Score: 3, Interesting

    Does anyone know if other computer manufacturers have used Superfish software? Software installers? Just curious if other manufacturers also bought the sales pitch from the Superfish sales team.

  6. More details needed by BlueTrin · · Score: 4, Funny

    The agency could educate more the population. As it stands, this advice is superfishal.

    --
    Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
  7. I've got a Lenovo laptop by Anonymous Coward · · Score: 2, Interesting

    It's a G series consumer model.
    It doesn't have "Superfish", never has had. I followed the manual removal procedure and didn't find any references to it.

    Of course, this is probably only a feature of US Lenovo laptops, Lenovo Europe has probably got an equivalent fishing/manipulation system called something else and are keeping quiet about it. "We don't install Superfish! OhhhNooooooo!!!!!".

  8. Superfish has offices in Palo Alto, California and by Anonymous Coward · · Score: 2, Interesting

    Petah Tiqva, Israel.

  9. Re:I'd suggest to recommend uninstalling windows t by Kjella · · Score: 3, Interesting

    Linux would certainly raise the entry level for malware writers, which would make malware writing a less promising market.

    Today's Linux, maybe. The Linux that's been rewritten so 90%+ of the population will use it... doubtful. You'd probably have to make sudo escalation as easy as UAC escalation and once you run as administrator/root it's pretty much game over no matter what system you're on.

    --
    Live today, because you never know what tomorrow brings
  10. Remove Superfish! DL our convenient uninstaller! by CanEHdian · · Score: 3, Interesting

    Hello!

    We, your neighbourly friends over at DHS got your back and we've provided a convenient uninstaller for that nasty piece of Chinese spyware a/k/a Superfish. Please indicate if you are a US Citizen/Resident* then click download, run and just click Yes to run as an Administrator. Kthxbye!

    * US Citizens/Residents will be provided with a similar download from our technology partners at gchq-dl.gov.uk.

    --
    When the copyright term is "forever minus a day", live every day like it's the last.
  11. A better way to uninstall Superfish by Walter+White · · Score: 5, Informative

    http://windows.microsoft.com/e...

    And get rid of all of the other crapware that Lenovo put on your PC in one fell swoop. No doubt it will take more effort to do it this way but it will also be more complete. (I have no idea if this works outside the US.)

    For further information I would check the ideapad section at notebookreview.com where you can find reinstallation help (including the thread I just started.)

    1. Re:A better way to uninstall Superfish by hcs_$reboot · · Score: 2

      This page seems to work fine for most users.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  12. Re:I'd suggest to recommend uninstalling windows t by Ol+Olsoc · · Score: 2

    To be fair, 90% OSes in the world are Windows. What do you think would happen if 90% OSes were Linux (besides my complete satisfaction)?

    I can't say for sure - but I doubt people would be touting the security of Windows.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  13. Windows Defender takes care of it already by jones_supa · · Score: 3, Informative

    Superfish has been added to malware database of Windows Defender (the integrated virus protection of Windows). A lot of Windows machines are already ringing alarm bells.

  14. Re:Heh by angryargus · · Score: 2

    On Windows using MSFT's compilers you'll never get the same binary twice. There's timestamps and GUIDs (the latter for uniquely associating a pdb with an executable file). Different file paths to the source tree can also cause differences. Sometimes it's straightforward to pick out & ignore the GUID, timestamp, and checksum bytes that changed, but often not.

  15. Re:I'd suggest to recommend uninstalling windows t by present_arms · · Score: 2

    Number one reason not to use Ubuntu and anything that uses SUDO in a way that it uses the same password as your username password, it's fucking stupid, kill sudo and use SU with a proper root password that's different to your user password. Ubuntu should be shamed for using sudo in such a stupid fashion.

    --
    http://chimpbox.us
  16. Re:I'd suggest to recommend uninstalling windows t by blueg3 · · Score: 3, Insightful

    That may be true.

    It's not applicable in this case, because this is OEM-installed adware. Everything it does can be implemented just fine on a Linux system. The solution is really the same for this sort of thing regardless of whether you're talking Windows or Linux -- don't use the OEM-provided pile of crapware that comes with the machine; install a brand-new copy of just the OS.