Slashdot Mirror


Lenovo Still Shipping Laptops With Superfish

Ars Technica reports that weeks after Lenovo said it would stop selling computers with Superfish adware installed, it's still there for many purchasers of the company's laptops. From the article: Based on the experience of Ars readers Chai Trakulthai and Laura Buddine, Lenovo overstated both assurances. The pair recently examined a $550 Lenovo G510 notebook purchased by a neighbor, and their experience wasn't consistent with two of Lenovo's talking points. First, the PC was ordered in early February more than four weeks after Lenovo said it stopped bundling Superfish, and yet when the notebook arrived in late February it came pre-installed with the adware and the secure sockets layer certificate that poses such a threat.

"Lenovo may be saying they haven't installed Superfish since December, but the problem is that they are still shipping out systems with Superfish installed," Buddine said. "The Windows build had a date of December. They apparently aren't sorry enough to re-image the computers they have in stock to remove the problem and they're still shipping new computers with Superfish installed."
Supply chains are long, and hand-work is expensive, so this might not surprise anyone. Less forgivable, though, is this finding, of the software provided to purge machines of the adware: "Lenovo's software didn't begin to live up to its promise of removing all Superfish-related data. Based on its own self-generated report, the tool left behind the Superfish application itself. A scan using the Malwarebytes antivirus program found the Superfish remnants VisualDiscovery.exe, SuperfishCert.dll, and a VisualDiscovery registry setting."

32 of 127 comments

  1. Too late by Anonymous Coward · · Score: 5, Interesting

    My company bought 1200 Lenovo laptops last year, but now we'll never buy another Lenovo product again. I don't care if it was the consumer laptop, they are no longer a company that can be trusted.

    1. Re:Too late by sumdumass · · Score: 4, Insightful

      Unless his company dissolves or passes the burden of purchasing laptops onto employees in the future, there will be a need in 3-5 years to get new ones.

      However, 1200 laptops, with a company that large it should be using volume licensing and reimaging the computers with their own keyed software. This would negate anything the manufacturer does. Is there something with new laptops making this impractical?

    2. Re:Too late by Anonymous Coward · · Score: 4, Insightful

      I don't think they're worried about the OS level stuff, but more that if they'll load malware onto a consumer product intentionally they might consider loading other less savory things into firmware or something similar. There's worry about the slippery slope rather than the actual Superfish fiasco.

    3. Re:Too late by ssam · · Score: 3, Interesting

      If a company is incompetent enough to ship such insecure software, why would you trust that their firmware drivers were safe? If a company thinks it's good economic sense to ship adware, why would you trust them to use high quality components where they might save a few cents by cheaper low quality ones?

      I have bought ThinkPads in the past, because they are great hardware (I like the track point, wide set of ports even on the ultraportable x series, replaceable battery, easily swappable disks, IPS screens). But my 18 month old x230 has just developed a random shutdown fault, so my opinion of Lenovo is falling fast.

    4. Re:Too late by Aighearach · · Score: 3, Informative

      If they're buying consumer grade laptops for employees, they'll just buy whatever is cheap in 5 years, and the bean counter won't listen to the whining about which brands anybody wants. That's true even if the CTO was overheard in the cafeteria saying, "Gosh, we'll never buy from them again!"

    5. Re:Too late by thegarbz · · Score: 4, Insightful

      If a company is incompetent enough to ship such insecure software, why would you trust that their firmware drivers were safe? If a company thinks it's good economic sense to ship adware, why would you trust them to use high quality components where they might save a few cents by cheaper low quality ones?

      That's an easy answer. Companies are ignorant machines. A company isn't incompetent, certain parts of it are. While a small group of idiots thought it may be a good idea to do one thing, it is quite likely that the other group (responsible for firmware or hardware) had no idea that it was going on, have far better quality for their own segment, and the people may have even been against it had they known.

      I postulate that the people assembling the hardware or the firmware had no idea what malware was being installed on the final machine, and that one has nothing to do with the other.

    6. Re:Too late by sound+vision · · Score: 3, Interesting

      3 years ago I was involved in a contract to replace several thousand public school computers from Lenovo that had bad PSUs. The computers weren't just dying, they were actually catching fire.
      Lenovo has been coasting on brand reputation for quite some time now.

    7. Re:Too late by stooo · · Score: 2

      Alternative?
      Try the Fujitsu Lifebooks.

      --
      aaaaaaa
    8. Re:Too late by Anonymous Coward · · Score: 2, Interesting

      BIOS compatibility is a thing. My experience is mostly with Dell non-consumer hardware, but you can generally replace most parts with non-branded ones. When you can't it is typically something that is not coded to be compatible in the BIOS, not that it's BIOS locked not to be able to use it. For example, if you get a brand new wireless card and try to put it into a 3 year old laptop, the BIOS may not support that card because it's old, not because it's locked.

  2. Lenovo by Anonymous Coward · · Score: 4, Informative

    Lenovo were the only ones who were caught. And:

    Criticisms of Superfish software predated the "Lenovo incident" and were not limited to the Lenovo user community: as early as 2010, Apple, Mozilla Firefox, and Microsoft Windows users had expressed concerns in online support and discussion forums that Superfish software had been installed on their computers without their knowledge, by being bundled with other software.

    After that there is some finger pointing by the CEO of Superfish at another company.

    Anyway, when it comes to this shit and cheap computers that subsidize their prices with adware/malware/advertising/etc ..., I just clean all that shit off and then some other things - and it tickles me that the asshole companies like Superfish are getting screwed because they won't be getting any ad revenue from me or anyone else that I cleaned a machine for.

  3. Rush job? by DoofusOfDeath · · Score: 5, Informative

    Although I consider Lenovo fully responsible (and liable) for SuperPhish in the first place, I could easily see the removal tool's inefficacy stemming from it being a panicked rush job.

    1. Re: Rush job? by Kvathe · · Score: 4, Informative

      Agreed. The original Superfish bundling was a bad move, but this seems like more a case of Hanlon's Razor. It's hard to discount stupidity when talking about Lenovo.

    2. Re: Rush job? by SigmundFloyd · · Score: 3, Insightful

      I think Hanlon's razor (never attribute to malice what can be explained by stupidity) is way too optimistic about human nature.

      Lenovo has no ethics, pure and simple. As far as I'm concerned, they lost a prospective customer.

      --
      Knowledge is power; knowledge shared is power lost.
    3. Re: Rush job? by dreamchaser · · Score: 2

      Few if any corporations have ethics. They generally (not always) do what is legal, but not necessarily what is ethical, and almost never what is morally correct. They exist for one purpose and that is to make a profit.

    4. Re: Rush job? by Aighearach · · Score: 2

      My morally correct is not your morally correct. It is impossible for a company to do anything morally correct as a universal morality code would be an oxymoron.

      That is what Ethics is for, and why the main focus of complaints is generally ethics and not morality. Ethics is the overlapping parts people agreed on.

  4. Never trust them again by gman003 · · Score: 3, Insightful

    This was such a blatantly anti-customer move that I will never - NEVER - be a Lenovo customer again. They cannot be trusted, and probably can never be trusted again because any "change" could just be a whitewashing campaign, not a real change.

    This is simply more evidence that they deserve all the shit they're getting, and more.

    1. Re:Never trust them again by vadim_t · · Score: 4, Interesting

      That's a counterproductive way of doing things.

      Whenever making that kind of statement towards any sort of business you're telling them that there's no point to try to correct whatever upset you, as all resources spent to that end are going to be in vain anyway.

      The spyware gives them some money. If all people who hate it put Lenovo in their blacklist forever, then the most sensible business decision is keeping the spyware. The customers that hate it won't come back, and the ones that remain don't care, so nothing is gained by removing it after losing that part of the customer base.

    2. Re:Never trust them again by websitebroke · · Score: 4, Informative

      I think what the OP is getting at is that if enough people don't trust Lenovo, and Lenovo goes under as a result, it would be a great lesson to the other manufacturers that putting this sort of crapware on their machines doesn't pay in the long run. It's not an unreasonable point of view, but I think you're right, because I think the Superfish debacle won't be enough to drive Lenovo out of business. All we have left is the carrot of being a potential future customer since the stick of beating down Lenovo won't be effective.

    3. Re:Never trust them again by guygo · · Score: 2

      There is not a single unit of electronics equipment made in China that can be trusted not to spy on you for some pretext. Not one. If you buy Chinese-made electronic equipment, you can expect to be spied on. That's what they do.

    4. Re:Never trust them again by freeze128 · · Score: 2

      The customers that hate it won't come back, and the ones that remain don't care, so nothing is gained by removing it after losing that part of the customer base.

      Those aren't the only two options.

      This is an opportunity for the typical end-user to learn how to uninstall the malware and/or reinstall Windows from a clean version, thus making them better as a computer user.

    5. Re:Never trust them again by SigmundFloyd · · Score: 5, Interesting

      Whenever making that kind of statement towards any sort of business you're telling them that there's no point to try to correct whatever upset you, as all resources spent to that end are going to be in vain anyway.

      At the very least, heads should have rolled. And one of them had better be the CEO's. Better yet, the whole chain of command that made and approved the decision to install the malware.

      Since this hasn't happened, we can safely conclude that Lenovo is in bad faith and unwilling to do what is right.

      --
      Knowledge is power; knowledge shared is power lost.
  5. Lenovo is looking at this from a profit PoV by QuietLagoon · · Score: 5, Insightful

    Lenovo is not looking at this from a customer point of view. They are looking to minimize the damage to their profits caused by their arrogant ignorance.

    From that point of view, why should they reimage the drives of notebooks in inventory?

    1. Re:Lenovo is looking at this from a profit PoV by Zontar+The+Mindless · · Score: 2

      What I'm saying (bearing in mind of course that This Is Merely My Opinion and that I Am Not A Lawyer) is:

      Previous to this, Lenovo didn't promise not to sell machines with SuperFish installed on them. Now they have done so, and yet they're still shipping them with it.

      Said another way:

      To people who bought their machines previously, Lenovo could (and did) say, "Sorry, we screwed up, but we'll make it right," which could have had mitigating effects in the event of litigation. Now, they're out of any such excuses and thus MUCH more likely to get hammered in court.

      --
      Il n'y a pas de Planet B.
  6. Re:Not a big deal by laurencetux · · Score: 2

    Let me introduce you to the retail tactic called the Return Merchandise Authorization Center

    Lenovo can have a retailer deal with this in 2 ways

    1 RMAC all units with date codes prior to %clean date%

    2 Ship "update" disc sets that burn the restore partition and reload it with a clean version (then proceeding with a restore)

    bonus for L if the sets have some sort of "Due to a Quality Control Issue we have included a restore media set at no charge" notice on the packet

  7. Re:Is there really a Slashdot-ish user affected ? by plover · · Score: 4, Informative

    Your average home user doesn't reinstall anything, and for many reasons.

    Even if he or she wanted to, they won't have a viable consumer OS installation disk anymore. They get the "System Recovery Disk" with their new purchase, and it's likely filled with the same Lenovo image that was used to bundle the malware in the first place.

    --
    John
  8. Can't help but laugh by ilsaloving · · Score: 4, Interesting

    I'm seeing so many posts about how people "will never buy from Lenovo again because they can't be trusted" etc etc, and can't help but shrug cynically.

    I wonder how many of these same people buy Sony products despite not just one, but an entire string of blatantly anti-consumer decisions (of which the rootkit CDs were just one)

    Or Microsoft, which has a very long history of not just anti-consumer, but crushing the PC industry and subverting entire standards bodies. But in the last couple years they've thrown a few open source bones... yeah that totally makes up for the last 20+ years of damage they have caused.

    So yeah, I hope everyone gets to enjoy their collective outrage while it lasts, cause before you know it you'll find your comments will get modded troll by people who think you're just overreacting.

    1. Re:Can't help but laugh by ledow · · Score: 4, Interesting

      I agree with the sentiment of your post.

      However, for some of us, a principle stands out and isn't just empty words.

      I do not now, and have not ever, owned an Apple or Sony product. I disagree with the way they do business, I disagree with the attitude to the consumer, and I disagree with the way they sting the prices on their equipment. There's a number of companies on my blacklist that I have said I won't buy from again. And I haven't.

      Microsoft, for example, is a problem to avoid. If you work in IT, it's one company that you are very often required to support, no matter what your personal objections. However, even then, there are steps you can take. I endeavour to give Microsoft as little money as possible, and as much proportioned towards the products I agree with as possible. It's cost them many, many tens of thousands of pounds over the years.

      I can't completely cut them out, but their attitude costs them all the time. IE and Bing, however, are totally unnecessary in my environments yet encourage a "lazy endorsement" of their products if you just leave them in, so I ACTIVELY do everything I can to move users off them. I often go to a new workplace and my first policy is "We don't support IE, use a real browser" for example.

      Some people will bitch and moan and then go on to contradict themselves in the privacy of their own head. Some of us don't.

      My current site is entirely Lenovo hardware on the client end. Be sure that Superfish is going to cost them, hard, next time I'm doing some purchasing. Sure, I might end up buying at a much heavier discount than normal (the Superfish issue cannot and has not affected me because of the way I deploy machines on fresh images as a matter of course) rather than outright blacklisting, but that's reflective of the hassle caused to any place using their hardware for business use. Almost none.

      However, guess who people go to when they want purchasing advice? The IT guy. Guess which laptops they are going to be advised to avoid entirely or at the very least create a fuss when buying?

      Things like this aren't zero impact. And when Superfish is just a memory, it should still play a part in people's buying opinions. But do you honestly expect permanent blacklisting for ever and ever even after the problem is fixed?

    2. Re:Can't help but laugh by Solandri · · Score: 2

      The problem with these "never going to buy from [company] again" stances is that they might seem appropriate when you're young. But if you stick to your guns, by the time you're around 40 you realize there are very few companies left which you can still buy from without compromising your principles. Can't buy from Sony because of the rootkit scandal. Can't buy from Asus because they're sexist. Can't buy from Dell because of the bulging capacitors. Can't buy from HP because they overcharge for ink. Can't buy from Acer because of their crappy PC build quality in the 1990s. Can't buy from Apple because of product lock-in. Can't buy from Toshiba because they sold advanced milling technology to the Soviet Navy. (You may laugh at that one, but it's not really much different than anyone in their teens today - the Sony rootkit scandal happened long before they even started to use computers extensively.)

      Rather than an absolute "never buy from evil companies" philosophy, perhaps a "buy from the less evil companies" philosophy might be more reasonable. I try to apply the golden rule. Do I occasionally make bad decisions? Hell yes. Do I want others to give me a second chance after I've tried to reform? Hell yes. So when other people at these companies make terrible decisions, I kinda feel obliged to give them a second chance if I'm sufficiently satisfied that they've tried to reform. You can only earn a spot on my perma-ban list if you've shown you are incorrigible and not interested in reforming (e.g. RIAA).

  9. The solution is simple by kheldan · · Score: 4, Insightful

    Wipe the drive and do a clean install of Windows. You'll probably also be getting rid of a whole bunch of other bloatware in the process anyway, so win-win.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  10. This makes me wonder.. by Sable+Drakon · · Score: 2

    Neither the source article nor the Slashdot reposting bother to say WHERE the system was purchased from. A bit of negligence if you ask me, since it's a very important point of contention for the validity of the article. If the machine was purchased through a third-party vendor (i.e. TigerDirect, Newegg, Amazon, Best Buy), then yes, it shouldn't be a surprise that Superfish is still a part of these machines. However, if this system was bought directly through Lenovo, then there really is a problem here and Lenovo needs to fix it as soon as possible.

    --
    The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
  11. Re:Not a big deal by Smask · · Score: 2

    If you intend to run Linux on your Lenovo laptop, make sure everything works without massaging drivers because YOU NEED TO ROOT THE BIOS to get the computer to accept a non sanctioned (i.e. bought from some other store than Lenovo) network card. My G50-45 was delivered with a Realtek card that works like crap and I haven't got the Bluetooth part to work yet. I do have an Intel 7260 to replace the network card with IF THE FUCKING COMPUTER WOULD BOOT WITH IT.

  12. Re:General Consumer vs. Business Models by HiThere · · Score: 3, Insightful

    It's not even so much morality as self interest. If they'll do this to some of their customers, they'll do it to others, so you don't want to be one of those others. And if software is too easily removed they're quite capable of doing it in firmware.

    Doing business only with reputable companies falls within the area of "enlightened self-interest" rather than altruism.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.