Lenovo Statement on Superfish (lenovo.com)
337 points by mmastrac on Feb 19, 2015 | 304 comments



> We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

I try to be measured around here, as hard as I can. I can't formulate a polite way to respond to this claim.

Lenovo, you are full of shit, and maliciously so. There is no excuse, nor forgiveness, for what you've done here.


> We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

I work at a large Telco/ISP and I understand how this kind of thing happens (though I'm not excusing it).

First they come to the tech people and we explain exactly what's going on. Our managers translate it so they can understand it, and push it up with their name on it. Those Directors translate it so they can understand it and push it up with their name on it. The VPs dumb it down a bit, put their name on it and push it sideways to communications, where it goes all the way back "down" the organizational structure until someone actually makes the press release. By that time sometimes the release isn't even about the same original thing anymore.

Our company puts out press releases all the time and us tech people just shake our heads at how inaccurate and plain wrong they are.

EDIT: As Kurtz79 points out, I forgot the step where it gets translated through Legal/PR before it goes down to communications.


To be honest, it seems like something coming out of the PR/lawyer guys rather than actual engineers.

I mean, the statement is pretty clear and leaves little room for doubt; it would take a lot of simplification and misunderstanding to twist a proper technical analysis (provided it has been done, or even asked for) to this level.


> I mean, the statement is pretty clear and leaves little room for doubt

That's how you know it isn't from an engineer. We always leave a little room for doubt e.g.

"I'm 90% sure this will work!"


That's why engineers don't write PR statements.


It's also important to understand that in a case like this, upper management likely _wants_ the money from installing this on laptops (or their bosses do, or their boss's bosses do, and so on), so while they may act in good faith in translating the technical impacts of software like this to their management, they likely translate with a slight bias, unbeknownst to them.


It's pretty similar to what Comcast are doing by injecting ads into the web pages you visit.

Perhaps the real problem is that tech companies hire too many product/marketing managers, resulting in them having to cook up ridiculous money-making schemes in order to justify their own existence.


> Perhaps the real problem is that tech companies hire too many product/marketing managers, resulting in them having to cook up ridiculous money-making schemes in order to justify their own existence.

You have hit the proverbial nail very squarely on the head.


Here is how it should have been written:

> We have thoroughly investigated this technology and please don't sue us.


Reminds me of "The Plan": http://mygeologypage.ucdavis.edu/waterstraat/how_the_plan_be... and many other places around the net.


> Our company puts out press releases all the time and us tech people just shake our heads at how inaccurate and plain wrong they are.

And that doesn't make it right, honest, or excusable.


Speaking of Lenovo being full of shit, there's also this gem:

> The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.

Right. You loaded adware onto users' computers, not for financial gain, but to enhance the experience for them.


There's also the difference between what they say:

  "We will not preload *this* software in the future."
and what they don't say:

  "We will not preload *such* software in the future."
(Emphasis added)


The entirely fictitious:

[Superfish technology sends your data to a third party ad server. We then use this data to create behavioral profiles on you, we process this data, and we monitor it. Finally we record all this data in our backups for up to 10 years.]

is consistent with:

To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is.

edit: clarified.


Where is the first line from?

Pretty egregious misrepresentation from Lenovo if that's true.


I've been thinking about this. If I put my tinfoil hat on, I think they're telling the truth.

> The relationship with Superfish is not financially significant;

Again, with my tinfoil hat on, I believe this. I believe that either Israeli (check out Superfish's background and connections) or Chinese governmental groups have forced Lenovo into loading this awful malware onto its machines.

> our goal was to enhance the experience for users.

Not their goal in loading adware, but their goal in general. They are drawing a line (or semicolon) between what they wanted to do, and what the dark and mysterious forces behind Superfish forced them to do.

Again, tinfoil hat. This is all very conspiracy theory-ish.


I totally detest such language.


This was the greatest part of the whole document. Absolutely freaking hilarious.


Ads? No, this is extra, potentially relevant information! And at no extra cost!


Indeed. I have been buying IBM and then Lenovo Thinkpads for ages. I hate the thought that my next machine will be another brand.

Lenovo: One customer lost. More to be lost.


Why stop buying Thinkpads? Lenovo have acknowledged the issue and are now trying to resolve it. Everybody makes mistakes but how they fix those problems tells you a lot about the culture of the company.

Lenovo also made a terrible mistake in removing the physical click buttons, but is now reintroducing them across their entire laptop range for 2015. What I see is a company willing to listen and admit their mistakes.

Can the same be said of other vendors, such as Apple?


I'd argue that so far, that's exactly the point, their response makes it worse.

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns" is a laughable statement to have issued.

I can understand the legal reasons for not admitting to the security issues. But outright saying that they can't find anything to suggest they exist indicates a company I wouldn't want to do business with.

To expand on that, in this case I know enough about the subject matter to understand that it's ridiculous to suggest there aren't security concerns. But I can't guarantee this will be the case for other problems. So going forward I'd probably avoid being a customer of a company who I have positive proof is prepared to issue blatantly incorrect statements about security issues.


I also had to laugh when Jobs started talking about "antenna gate". Instead of saying "We made a mistake here" he started saying "other phones have similar problems", etc. So his response wasn't good, but people still buy Apple and Apple is currently the largest company by market cap...


An antenna doesn't pose a security hole. Bullshit about antennas in other phones is Apple's traditional humbleness deficit, bullshit about compromised SSL connections is a criminal lie.


> "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns" is a laughable statement to have issued.

Why oh why does "investigated this technology" even imply that somebody (technical) looked at it?

Lead: Hey vendor, is your product secure?

Vendor: Sure it is. It helps people find products they want.

Lead: Aye! That's cool. Deal!

Vendor: Aye! Let's hand it off to the mere mortals to implement the plan...

Customer (formerly known as lead): Nice doing business with you. I like that we have a relationship based on trust and honesty.


This is not a mistake. This is an outright attack on the user, and it is straight-up disingenuous to claim it otherwise.

Anybody can MitM any HTTPS connection coming from these laptops. Anybody! The private key is public knowledge! This is so transcendentally bad and so impossible to implement without understanding the consequences that somebody should go to jail for this.

It is not a "mistake."
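The defender's side of the comment above, as an added example that is not from the thread, from Lenovo or from Superfish: a PowerShell check that scans the Windows root and intermediate CA stores for a certificate naming Superfish, reports it, and optionally removes it. It assumes the certificate is recognisable by the string "Superfish" in its Subject or Issuer (the thread gives no thumbprint, so none is hard-coded) and that the software that installed it has already been uninstalled.

```powershell
# Added example (not code from the thread or from Lenovo): find and optionally
# remove a Superfish root certificate from the Windows certificate stores.
# Assumption: the certificate carries "Superfish" in its Subject or Issuer.
param(
    [switch]$Remove   # pass -Remove to delete what is found (needs an elevated prompt)
)

# Root and intermediate stores for the machine and the current user.
$storePaths = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\CA'
)

# Collect every matching certificate with the fields worth reporting.
$found = foreach ($path in $storePaths) {
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $path
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root with a private key present is a strong sign of a
                # local interception proxy rather than a normal public CA.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $found) {
    Write-Output 'No Superfish certificate found in the Windows root/CA stores.'
    return
}

$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Certificates are addressed by store path plus thumbprint in the Cert: drive.
        Remove-Item -Path "$($cert.Store)\$($cert.Thumbprint)" -Force
        Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
}
```

Run it without `-Remove` first to see what is present; removal from the LocalMachine stores requires an elevated PowerShell session.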


If I'm reading you correctly, you're making the argument that Lenovo, the company that was just discovered to have been intentionally shipping a massive security vulnerability on their laptops, is still thought of by you as listening to their users better than Apple, the company that would never in their wildest dreams even remotely consider the idea of putting something like Superfish on their computers, simply because Lenovo changed their minds and stopped shipping the security vulnerability?

"Oh, no, my husband's a good man. He even promised to stop beating me!"


Clearly Lenovo are stupid for bundling third-party ad-injection software, but who knows what Apple are doing behind closed doors? e.g. CarrierIQ in the baseband... etc.


Who knows what <insert person or company of choice> is doing behind closed doors? What am I doing behind closed doors? What are you doing behind closed doors?

While there is a chance someone may be doing something bad behind closed doors, that cannot be used as a reason for why they are worse than someone whose door we have opened and found doing something bad.


Just to be clear, this is Apple, the company famous for putting user experience ahead of everything else (and often criticized by developers for putting user experience ahead of developer experience). Apple, the company that routinely tops customer satisfaction surveys. Apple, the company that has gone on the record time and time again about how user-focused they are.

There are plenty of valid things to criticize Apple for, but accusing them of sneaking malware onto their devices is not one of them.


This Lenovo press release is evidence neither for nor against Apple's malfeasance. But I think we can all agree that if Apple does bundle malware, that malware's user experience will be thoughtful, smooth, and superbly curated. /s


As part of "fixing their mistake" Lenovo just outright lied about the security implications. So what does that tell you about them?


Their response is basically that this wasn't even a problem, but they'll still stop because people are making a big deal out of it for no reason and it's good to keep people happy, even when they're idiots.

This seems like a pretty good reason to drop them. When you catch somebody misbehaving, and their response is "fine, I'll stop, but it wasn't a problem" then you can't trust them at all.


> When you catch somebody misbehaving, and their response is "fine, I'll stop, but it wasn't a problem" then you can't trust them at all.

Indeed. This kind of response is one of the most disrespectful things you can do to another person. "Hey, what are you so upset about? Chill, it wasn't a big deal anyway!"


I'm kind of impressed that their PR guys are so incompetent. Their statement is so nakedly condescending, they might as well have straight-up said, "You guys are full of shit, but we'll stop just so you'll shut up about it."


If I was a lawyer, the basic requirement I'd have for a statement like this is to make it so it can't be construed as an admission of guilt, because that may later be used in court to extract damages.

You probably should blame legal, not PR.


I'm certain that the legal requirements can be met without outright lying (or admitting to unbelievably gross incompetence).

In fact, they seem to agree. I loaded the page just now, and "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns." is no longer present in their statement.

Their statement is still unbelievably condescending and awful (and none of that has any legal bearing that I can see) but they at least removed the part where they outright denied any security problem.


>What I see is a company willing to listen and admit their mistakes.

Apply this to a human who did something similar.

"I'm sorry I purposefully allowed my previous employer's systems to be infected by a virus in return for payment. I'm willing to admit it was a mistake and I've taken steps to correct it."

Would you honestly hire someone like that to be a sysadmin?


A buffer overflow is an honest security mistake. This was security sabotage.


That is not a mistake. That is a deliberate, well planned action done by management.

If they had asked someone with a clue before, that wouldn't have happened.


Stop calling stealing and lying "mistakes", you astroturfer.


Punish bad behaviour. It will scare other technology companies from doing this sort of thing again. If you switch to another company, you're rewarding the new company for not putting this spyware on their machines.


Bringing back the physical click buttons is a step in the right direction, but their recent drivers have ruined the middle mouse button for me. Can't use it both to scroll and middle click; you can either get scrolling or uninstall the driver and get middle click. There is a buggy piece of software called TPMiddle that lives on my X220 right now, but I'm jumping ship for my next laptop purchase.


> Why stop buying Thinkpads?

Panasonic makes much higher quality hardware than Lenovo (and Apple for that matter). Panasonic also doesn't preload bloatware onto Windows.

http://www.panasonic.com/business/toughbook/semi-rugged-lapt...


No trackpoint.


They have acknowledged that the issue exists, but not what it actually is.


I love my Lenovo X1 Carbon. It's a really nice machine. I do run linux so I know I'm not the average user, but they haven't lost my business despite this being an epic screw-up. I think they make good machines and I'll continue to buy from them in the future, but I'll be reformatting immediately just like I've always done with any PC I've ever bought from Dell, Gateway, Lenovo, etc, so I don't have to deal with the bloat they put on their machine images.


If they are willing to compromise you on a software level, what makes you think they aren't prepared to do so on the hardware level (presuming they aren't already)?


At some point you're going to have to trust the vendor and the supply chain... unless you're prepared to build your own computer by soldering home-made components onto a bread-board! ;-)


It makes more sense to trust someone who hasn't already been caught abusing your trust.


You can make the opposite argument: since they screwed up, they will be more careful in the future. This kind of heuristic reasoning is pretty weak.


"Screwing up" implies negligence, but not malicious intent. I think it's likely a bit of both.

They did "screw up", i.e., the financial side of the business thought it was ok to hurt the user experience in order to make more money, and the engineering side was too incompetent to realize the security risk. Why would this level of demonstrated incompetence lead you to believe that they will be better in the future?


The fact that they've gone from minor user-unfriendly features to major violations of trust doesn't speak well to their learning ability or consumer care, however.


In a company as big as Lenovo, I'd be kind of surprised if the person or persons who decide what bloatware to load onto the consumer image make any sort of hardware decisions.

There's also that this particular kind of compromise is basically inapplicable to hardware. What are they going to do, put a 3G radio in your laptop that broadcasts your "data" via the cell network to Belarus?


This provides some details:

http://thehackernews.com/2015/02/hard-drive-firmware-hacking...

So no, they'll get a rootkit process running on your machine and (for instance) upload everything on your hard drive through your web browser.

Another thing they've done is to upload hacked drivers to cause other hardware connected to the infected machine to physically destroy itself.


There's a big difference between Lenovo selling bloatware rights to an adware company and the NSA (or whoever) bugging some hard drives.

Is that spyware Windows-specific?


There's a huge difference between bloat and malicious advertising software that creates real security holes that are invisible to the average user.


What about the hardware level, which you cannot easily clean up without knowing the full details of, if they're willing to try another route?


Same here. I just ordered a Lenovo desktop 3 days ago for a family member. Seriously thinking about canceling the order now even though that machine should not be affected. I've been recommending Lenovo to lots of people, and I personally have a ThinkPad and a Yoga 2 Pro. I found the Superfish certificate on the Yoga this morning. This glib and dismissive statement is just adding insult to injury. As ambivalent as I am about lawsuits, I'm hoping Lenovo's management will get a class action right in its mendacious face.


I just can't let this statement pass.

You don't support lawsuits (all those pricks abusing the courts, extorting money from companies!)... right up until the hot second a company screws you, and then the courts are an appropriate recourse.

Maybe you could consider becoming a decent human being, learning some empathy, and realizing that perhaps other people have used the courts as recourse because they, too, were screwed by a company. Labeling lawsuits as an abuse of the court system or other laws is company defense 101.


Ok, I think you're assigning me to a camp in your head that I do not belong to. I'm not the corporation-loving, lawyer-hating, "tort-reforming" droid you're looking for. If you believe in the rule of law, which I do, then lawsuits are inevitable. There have been great lawsuits in history that have ensured freedom, ended injustice, and punished evil. But there have also been lawsuits used to bully, intimidate, and coerce. I assume you've heard of patent trolls? How about the SCO saga? How about the Scopes Monkey Trial? That's why I said I'm "ambivalent"[1] about them.

[1] http://dictionary.reference.com/browse/ambivalent


All of the above are a vast minority of lawsuits, and I read ambivalence as functionally equivalent to anti-tort. Again, you were ambivalent until your ox got gored.


You might have withheld your hostility if you had first double-checked the definition of "ambivalent".

It does not mean or imply "opposed" or "disdainful" or "disinterested", at all.


If you re-installed your OS and didn't use the factory image (which always includes other bloatware), then you were not affected. Or if you installed another OS (Linux, BSD, etc) then you were not affected.

I love my thinkpad... but I've always paved over the factory image the moment I got my new laptop. This is egregious beyond a doubt, but it does not affect me so I'm not worried about buying more of their laptops.


I love mine too, but this makes me pause. If they were willing to do something like this in software, what's to say they wouldn't do something that you couldn't just flash away? Like an 'enhanced user experience' BIOS or hardware component? You can't just reformat those.

The "it didn't affect me because I reformatted" argument is kind of a "First they came for the communists..." argument.


It doesn't matter if _I_ was affected or not. It matters that thousands of others _are_ affected and that I fucking care what my friends and family run.

Oh, and that I run a website over https matters too. I want all users to have the same expectation of what that means.


I've always been curious about how this works. If I buy a Win machine and want to keep Win (say to dual-boot), how do I do this? Buy a second OS disk? Torrent one and use my key?

I get it if I'm wiping out and putting on Linux or something, but that always seems like I'm wasting something I've already bought.


You don't have to "waste" the Windows license key you purchased... it allows you to do a fresh install and just use that key. You can use any Windows ISO or disk to do the fresh install. In fact I think somewhere you can download the Windows 7, 8, and 8.1 ISOs directly from Microsoft.


OK great, that was exactly what I was asking. The 'backup' files they ask me to make re-install the original state of the machine, and I assume that includes crapware. Thanks.


But what if you're a Windows user? Is the backup image on the drive adware-free?


No, a Windows user would have to buy a second copy of Windows from Microsoft and use that to install on the machine.

Using Lenovo's recovery images will reinstall the same bloat that it originally came with.


It's actually much easier than that: no secondary purchase is required with Windows 8.

https://www.thurrott.com/uncategorized/1146/clean-pc-walkthr...


Thanks! I have an X1 Carbon en route; will try this as soon as I open the box.


"No, a Windows user would have to buy a second copy of Windows from Microsoft"

Or procure a legit OEM install disk/image and reload using the key affixed to the bottom* of the laptop.

*Pre-8 days; now you get to "hope" the gUEFI recognizes the media and auto-populates the embedded key for you. When (not 'if', in my experience) it doesn't, then "buy more" is the only option outside of Linux.


This is totally correct; I just meant that using Lenovo's provided installation media would not resolve the issue.

You can definitely use an OEM disk of your exact version with your printed serial. I too have had to procure new keys for Win8 machines (did two last week that wouldn't recognize the keys on my machine).


Windows Vista and up did away with special OEM ISO/Disks. You can use your OEM license with any official ISO/Disk.

What you may have had an issue with was your OEM license being activated too many times; if that happens, the automatic online activation will not work. You must use the phone number to activate your license, and it will ask "how many computers is this license installed on"... of course you just give the answer "one" and it activates with no problem.


"Windows Vista and up did away with special OEM ISO/Disks. You can use your OEM license with any official ISO/Disk."

Are you referring to all flavors (Home Basic/Home Premium/Pro/Ultimate) from one disk? Installing retail/OEM from one disk has never been the case in my experience, though I have limited experience with 'retail' installs. I joined TechNet ~6 years back to obtain ISOs to reload various x32/x64/Vista/7 installs, but none of the machines' OEM keys I tried would work with the TN ISOs. If I'm not mistaken, they were specifically 'retail' ISOs.


> Are you referring to all flavors(Home Basic/Home Premium/Pro/Ultimate) from one disk? Installing retail/OEM from one disk has never been the case in my experience

No, Home/Pro/Ultimate are separate disks, but OEM/Retail are exactly the same thing. You have to phone in your activation, however, since OEM keys usually do not automatically activate over the internet.

Vista and up, there is no such thing as an OEM ISO image. XP had that and it was a great pain for support...

If you mean OEM in the sense of the pre-installed image on your recovery partition... that's not an "OEM" install in the same sense as the XP disks were... that's a customized image either made by something like nLite or installed on a generic factory laptop, pre-loaded with garbage, run through sysprep (to genericize it) and imaged to a file.

The recovery image/factory image does not use the license on the bottom of your laptop usually; it uses a factory volume license key that is pre-activated on the image. However, if you try to recover that key with some key extractor and use it to activate another installation from an official ISO, it will not work, i.e. that license will only activate at the factory. If you use the license from the bottom of your laptop, you need a genuine Microsoft ISO.

So long as you have a Windows 7 Pro license key on the bottom of your laptop, and use a Windows 7 Pro ISO, it will work, or Home and Home, etc...


To clarify, I was not speaking of recovery/restore, just clean installs of Windows sans vendor bloat... & h/w drivers.

And... you appear to be absolutely correct.

"Vista and up, there is no such thing as an OEM ISO image. XP had that and it was a great pain for support..."

I was not aware OEM & RETAIL installation media were merged, cannot locate any search results verifying this, but I cannot find any recent issues being discussed either. The site where I buy software still has the categories distinguished & separate, but I never considered that the media became one and the same w/ the only distinction being the key itself (and all rights afforded Retail over OEM). I had numerous problems installing 7 when it appeared on consumer devices before I did any machine builds w/ 7 (and made images of installation media that came with their licenses), hence my subscribing to TechNet (R.I.P.) before Digital River links became ubiquitous... and yeah, I have a dozen+ variants of XP due both to its OEM/RETAIL duality plus the never-ending sfc /scannow prompt: "please insert original installation media" if XP received any Service Packs since original installation.

I do now recall unlocking Vista & 7 disks to install any flavor now that you mention nLite... another contributor to my lapse. Plus, I did find official MS pages that support your last point on unique disks for each flavor... I thought it was just for Enterprise.

EDIT:

"You have to phone in your activation however, since OEM keys usually do not automatically activate over the internet."

After activation failure, you can opt to insert a different key & retype the same key a 2nd time for online activation. That always irked me, I thought it was a bug.


> Site where I buy software still has the categories distinguished & separate,

Typically the "OEM" purchase of the ISO disk comes in just a plain white envelope (with a COA sticker somewhere on it) and "no official Microsoft support", since it's intended for "systems builders" who Microsoft expects to have their own support for consumers. A lot of people who build their own rigs choose this option because the "OEM" package is usually $10-$30 cheaper. The "Retail" packaging just comes with the fancy case with color inserts, etc... and "official Microsoft support".

If you are building your own rig, you're probably unlikely to call Microsoft for anything. If you are some company's internal IT, you're unlikely to call Microsoft for anything.... Heck, if you are installing your own Windows installation, you're unlikely to call Microsoft for anything... So I just always buy the "OEM" packaging when I need a new license.

So the difference there is really just the packaging the ISO/Disk comes in and whether or not it has "official" support by Microsoft. Otherwise the ISO image on the disk is identical. :)


It might affect you. Your friends' and families' traffic on these machines is susceptible to a MITM. Rogue access points, etc. etc. are a problem these days.

So, that communication your girlfriend might send you over https is not private any longer.

Go figure.


> Lenovo: One customer lost. More to be lost.

Never purchased a Lenovo but I was bent on using one for my next machine. No longer. Their lies about it "not being a risk" have put the affected customers at immense risk.


Doesn't matter what machine you're using if your ISP e.g. Comcast is injecting ads into the web pages you visit!


Luckily this is not [yet] an issue where I live. I am an extremely deliberate consumer, though. I have evaluated competition and terminated contracts for far less than this.

Just because others are doing it, does not make it right.


Yes it does. No Lenovo for me.


It was only installed on consumer laptops so you probably wouldn't have it anyway....


Lenovo is a hardware vendor. I suspect most of the HN crowd reinstalls something on their machines. The non-HN crowd won't even know about all of this (see the public response to NSA spying on American citizens, almost zero).


All HN-crowd have friends, family and other folks who "don't know about that". And some of them bought those devices.

But what the fucking fuck have people not understood about this issue?

Someone might run open, free access points, sucking people in to connect and then they fucking MITM everything, including that money transfer from your relative to you. How about that? Yes, you might be affected by this huge fuck-up from Lenovo.


I think anyone exposed to the issue's details will understand it very easily. My point is that they won't (be exposed).

The HN crowd is such an insignificant percentage of the overall population that I don't see how word of mouth will have any impact.


Or simply wipe the HDD and reinstall OS.


_I_ might be able to do so (well, frankly I am) but the point is, others are not.


This actually never affected Thinkpads.


You'd think people would at least check to see if they were even affected; it clearly states "Lenovo never installed this software on any ThinkPad notebooks, nor any Lenovo desktops or smartphones." and no enterprise products or servers.

I'm giving Lenovo the benefit of the doubt here. Look at all the potentially malicious crap Dell, HP, Compaq, and others have installed on computers over the years.

Any experienced computer user should know and want to wipe the hard drive and reinstall as soon as you get the computer, preferably from trusted sources; I'm not sure of Microsoft's rules on customizing their reinstall disk. I wouldn't trust the reinstall partition either.

You have to also consider that the Chinese government might see all the news about NSA and US government hacking and intercepting hardware and they could require or secretly implement bugs into almost any Chinese made product, that's always been an unfortunate concern with Lenovo.

If Lenovo would push for more open standards of all computer components and have independent parties verify their internal processes, then that would go a long way to improving their credibility after this incident.


I imagine Lenovo wants to tell you the truth but has the CCP's tank barrels pointed at their back. Further evidence that buying from autocratic regimes comes at a risk. I wouldn't run Kaspersky either, especially after Wired exposed their connections to the FSB and Russian military.

http://www.wired.com/2012/07/ff_kaspersky/all/

If this was going on with a US OEM, people would assume the NSA. But with Lenovo (which the US government refuses to buy, btw) and Huawei and other non-vendors for the USG, HN'ers have regularly defended them and claimed the US was being paranoid or protectionist. How the hell do you think a fucking MITM gets onto a production image? This is financial suicide for Lenovo and they know it. This has all the telltale signs of government collusion. The CCP has a lot more to gain from stuff like this than Lenovo has to lose. How many people have been compromised from ship date until the day this gets uninstalled? Millions? For how many months? Years? That's a lot of SSL sniffing available to the CCP.


Can you ever imagine Apple pulling a stunt like this? No, because it’s astonishingly user hostile: Lenovo should be hanging their head in shame, not making out like it’s no big deal.


No company is immune to making ridiculous statements - Apple told people not to hold the iPhone 4 the 'wrong way', for example[1].

I can believe that management at Lenovo simply can't understand how serious this incident is - they're unlikely to have the technical knowledge needed to understand how severe the security problem is. I'm sure there are hundreds of Lenovo engineers tearing their hair out in frustration right now. Not that this excuses the management - they should be listening to their engineers.

[1] http://www.engadget.com/2010/06/24/apple-responds-over-iphon...


Apple telling users not to hold the phone the wrong way is different in kind and several leagues of degree from "we are enabling anyone, ever, to MitM your connection to any website."

I believe you are raising this point in good faith, but it verges on disingenuous to compare them.


Quite right - they're not on the same level. However, both are certainly 'user-hostile'.

The thrust of my argument was that most large companies are bad at communicating about technical problems because of the way the message gets filtered through management, PR, lawyers etc. It's probably fair to say that Apple hasn't ever done anything this bad - but it's also disingenuous to hold them up as an unfailing bastion of niceness and competence.


> Can you ever imagine Apple pulling a stunt like this? No

Why would you jump to that conclusion? Apple is just a company... and through the right view-port, even something like this can appear to be "consumer oriented" to management ("we're helping customers locate products and services easier").

Recently Canonical thought it was a great idea to bake-in Amazon ads into their search lens... so ads and product placement tagged with their affiliate link were baked into your OS.

No company is immune to doing stupid things, even Apple.


Apple is definitely not immune to stupid things. They've done a lot of stupid things.

Apple have also made tons of mistakes when it comes to security and privacy.

But I still have a hard time seeing Apple ever intentionally adding a feature that proxies all a user's encrypted connections to inspect the content and insert ads.

Tim Cook's recent speech at the Cybersecurity summit sounded pretty earnest to me https://www.youtube.com/watch?v=QI6DvV2muDE


Given that Apple has made a priority of elevating convenience above security, I'm not sure how seriously to take Cook on the subject of the importance of privacy and security.


Gen. Alexander's talk at Def Con 2012 sounded pretty earnest, too...


Actually, reading the NSA hard drive firmware hack a couple days ago rekindled my suspicions about all the MacBook Pro failures a few years back. Apple claimed the hardware was at fault & nothing short of sending off for a pricey, clean-room extraction would get the data back. Much to my clients' relief I recovered all the data from three MBP drives for a lot less than what the 'geniuses' quoted. *It was the HD controller at fault, I managed to get them to mount and read at an extremely slow rate, but in time all was recovered.


Apple told people for almost ten years (both on their website and in their retail stores) that "Macs cannot get viruses." They act like that wasn't a big deal.


The number one source of viruses on a Mac is anti-virus software, don't install it. No system is impervious, there are levels of risk. Apparently the highest possible risk is running a stock Lenovo.


I don't run AV software on my Mac because the threat and possible consequences are sufficiently limited.

But I've never heard about AV software itself being a vector. Where can I find out more?


I imagine that comment referred to fake antivirus software from webpage ads or something that users are tricked into installing. Something like ClamAV would be fine.


Many companies exist in a reality distortion bubble where they think that by phrasing a feature in a certain way, it becomes less customer hostile.

Case in point; Lenovo pitched this as a "way for our customers to find new products". This is not a problem most users have, which is why the starting point for customer-centric design should ALWAYS be user feedback. This can be collected any number of ways (focus groups, surveys, etc.) but if you ask leading questions, you're going to get the answers you wanted to hear.

I don't doubt that the people who put this product together thought that it was an enhancement to the user experience. The problem is that they didn't do the research prior to even developing the project. So the end result is a product that solves only one problem: how can Lenovo get in on some sweet advertising dollars?


The big difference is you don't mind when Apple does things like this. If you have "Hey, Siri" enabled then your phone's microphone is on all the time listening to everything you say. But I don't see a lot of people crying foul over that.


Well, there is a difference between "hey, we have this cool service you'd like but we need to process your voice data; maybe or maybe not we're doing something else with it" and "we're forcing ads down your throat and hey, now everyone can MITM you and rob your bank account clean".


"Hey siri" is only enabled when your phone is plugged in, and it processes that particular phrase on device, not across a network.


If I remember correctly their devices were sending back GPS coordinates to a server too?


The big difference is that "Hey, Siri" isn't a privacy threat at all, and that Apple doesn't generally allow people to snoop on all of my supposedly-secure traffic and then say "oh, there was no problem" when confronted with it.

About the closest they've come to that was the "goto fail" bug from a year ago or so, and that gave every appearance of being a mistake, and Apple didn't try to claim that it wasn't a problem (although they were, as usual, pretty quiet about the exact nature of the problem).


The difference being that only Apple (and the us gov) can listen in, not the entire world.


Huh? How so?


Plus, they have no reason to do so, because unlike Lenovo, they make a healthy profit on their hardware. (I believe IBM was in the same position with its ThinkPads back in the day.) In contrast, the bargain PC laptop makers have little or no profit margin on the hardware itself, so they're always looking for other ways to eke out a bit more money.

This is why I'm willing to pay a bit more for things I rely upon and care about. If you were a climber, would you try to save a buck by using an off-brand, bargain rope?


Lenovo isn't a "bargain PC laptop maker"... the ThinkPad series are some of the most highly regarded laptops in the industry...

And to that extent, just because you paid more for an aluminum case with exactly the same internal components doesn't somehow make it seriously better... MacBook Airs for example have notorious overheating issues that kill the laptop...


You kind of missed my point. Lenovo only put the spyware on their bargain laptops, not ThinkPads. ThinkPads and MacBooks may have unintended hardware bugs, but since they already make a profit, they're less likely to have intended crapware.


You mean like with spotlight in Yosemite?


I'm on record around here about being angry with Yosemite sending requests off-machine, and it's the first thing I turn off. Lenovo enables anyone, anywhere, to MitM your bank.

Difference in kind. Massive, massive difference in kind.


I imagine that whoever made the decision in Lenovo didn't understand that's what they were doing. They heard "(technical jargon)... replaces some adverts on webpages... Profit!" and signed off on it.

That's not an excuse for this, but it smells like incompetence rather than deliberate malice (at least on Lenovo's part - Superfish/Komodia may be another story).


I soundly reject the notion that everyone in Lenovo's chain of auditing and implementation just heard "technical jargon". No company is magically and universally nontechnical. And anyone who allowed this to pass and remains employed there is culpable.


Tell me about it! Apple is user hostile in much more subtle ways.


Didn't Apple do just that with Antennagate?


Apple does directly or indirectly hostile things to its users all the time.

Such as interoperability deficiencies, deleting competing apps from the store, etc.

Wake up.


I think we just found out where Baghdad Bob works nowadays.


No evidence of security concerns, you say, Lenovo!? Well then your entire C-suite will put their money where their mouth is by browsing with these "uncompromised" machines for the foreseeable future, right? Banking, signing in to their hospital's website, logging in to corporate sites...

Wait, your IT department just frantically rolled out clean disk images to the whole org? That's a funny coincidence...


It's quite possible that the muckety-mucks who signed off on this in the first place were unaware of the implications. But at this point, the technical details should be known even to the clueless pointy-hair types.

It's probable that their lawyers told them to make this claim to lessen their exposure to lawsuits. If they admitted any kind of problem they'd be in hot water, but now the burden is on anyone bringing a suit to prove them wrong.

The first thing we do, let's kill all the lawyers.


It seems they have removed this statement completely. Unless you meant here: http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-...


Well to be honest I've worked with OEM's before.

They are so big and bureaucratic, half the time they don't know who is working on what.

This behavior is still inexcusable.

Somebody should be fired for putting this garbage on computers to "enhance the user's experience."


Is there a proof of concept that exploits this ?



> Users are not tracked nor re-targeted

Have a look at code delivered by Superfish:

https://www.superfish.com/ws/sf_preloader.jsp

https://www.superfish.com/ws/sf_code.jsp

And grep for track and retarget. Just two snippets:

    var url = sfDomain + "trackSession.action?userid=" + similarproducts.b.qsObj.userid + "&sessionid=-10&action=ud_host_failed";

and:

    function isRetargetingEnabled(){
        if( similarproducts.b.enableRetargetingUnit && !isRetargetingBlackList()){
            return 1;
        } else{
            return 0;
        }
    }


Outstanding. It's like a ridiculous Law & Order episode where the defendant goes "I wasn't even in town that night."

"So what's your face doing on all of these security cameras at the scene of the crime?"

"... uh..."


So just to be clear, because I find this hard to believe, they are straight up, 100% lying? Or is this taking some hash generating code out of context or something?


It's hard to judge without digging into this spaghetti mess of files. But having the word retarget in your code seems like straight up lying to me.

Tracking is more ambiguous a word and I couldn't find where they define the userid. But however it is generated, it reads like it's unique. And in order to retarget users, you'd have to track which products they've viewed in the first place, that would imply storing browsing history (they deny storing user info as well) and uniquely identifying users across websites.

Given the coding style, I don't think the person(s) who wrote this code is/are doing anything clever other than what it seems.


Not to be too snarky, but I don't think I'd trust somebody who wrote that function to have code where one could "not find any evidence to substantiate security concerns."

Perhaps this is some sort of style thing specific to javascript, but wouldn't:

    function isRetargetingEnabled(){
        return (similarproducts.b.enableRetargetingUnit &&
                !isRetargetingBlackList());
    }

be the better way to write it? Sure, say what you want about micro-optimizations, but the function appears to be used in a boolean context, so shouldn't it just return the if condition? Things like this are why I have trouble trusting security claims.

EDIT: Fixed double-negative


I like your style better, but your function doesn't return 0 || 1 (yours returns true || false).

I also wouldn't read too much into it. It's unlikely that the same person wrote all the code involved, and many smart people I know write these kinds of functions, no matter how much I complain about it.


LOL


The absolute best part?

"Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well. The Superfish service will stop working as soon as it is uninstalled via above process, and following reboot."

Per Lenovo's removal instructions [1], the compromised root certificate will still be installed and trusted. This is completely laughable.

[1] http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-...


While this kind of foistware sucks, I'm also a bit dismayed by the seeming domain-specificity of people's privacy concerns.

Do a simple tracker on a desktop, and people freak out. But all you have to do is change the form factor and UI metaphor to mobile and people are absolutely fine with constant location tracking, ambient sound being uploaded to the cloud (SIRI, etc.), a camera and a microphone that can be activated by all kinds of apps while the device is in your pocket, and a constant 24/7 Internet connection. You could never even approach that level of invasiveness on a desktop or laptop.

A desktop/laptop is a computer. A smartphone is a computer. Why the different reaction?

I wonder if it's a generation gap thing. Older people tend to use mobile devices less than younger people. Are the younger generation this oblivious?

Same phenomenon holds by the way with regard to jailed devices. Way back when Microsoft tried to introduce something called "trusted computing," which was basically just code signing. Everyone flipped the hell out and they shelved it. But mobile devices can't run software that isn't tethered to their app stores, and everyone is totally fine with that. Different form factor, different universe?

It also seems related to brand. When you sign into Chrome with your Google ID, Google tracks everything you do. But that's Google, not some random little foistware company, so that's okay I guess. Same goes for Safari and iCloud, etc.


I would agree with you if this were only about adware. The problem is that the adware opens a massive security hole that is exploitable by everybody.

The Lenovo adware wants to hijack SSL connections. To do so, it installs its own CA, and the private key for that CA can be (and has been) extracted. This means that if you own such a laptop and access your bank's SSL website from a random coffee shop, anybody could MitM you, since they can use the publicly available "private" key of the rogue CA to impersonate your bank.

Smart phones enable turn-key surveillance-based dictatorships beyond anything we've ever seen in the west, but unlike this Lenovo thing, it is not an immediate threat. Hence people react differently to it.
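The mechanism in the comment above, and the earlier observation that Lenovo's uninstall steps leave the root certificate in place, can be seen in a few lines of Go. This is an added illustration, not code from the thread or from Superfish: it builds a constructed self-signed root that stands in for the leaked adware CA, issues a forged certificate for a made-up bank hostname, and checks whether a client accepts it with the root still trusted versus after it has been removed. The certificate names and the hostname are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeRogueCA creates a self-signed CA key pair and certificate. It stands in
// for an adware root whose private key is assumed to be public knowledge
// (constructed here, not the real Superfish certificate).
func makeRogueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Adware Root (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for host with the rogue CA. This is
// what the interception proxy does on the fly for every site, and what anyone
// holding the leaked key can do as well.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trusted reports whether a client whose root store is roots would accept
// leaf for host, i.e. whether the browser would show the padlock.
func trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Scenario returns (acceptedWithRogueRoot, acceptedAfterRootRemoved) for a
// forged certificate for host. The first value models the machine as shipped,
// or after an uninstall that leaves the root behind; the second models a
// machine from which the root certificate has actually been removed.
func Scenario(host string) (bool, bool, error) {
	ca, caKey, err := makeRogueCA()
	if err != nil {
		return false, false, err
	}
	leaf, err := issueLeaf(ca, caKey, host)
	if err != nil {
		return false, false, err
	}
	withRoot := x509.NewCertPool()
	withRoot.AddCert(ca)
	withoutRoot := x509.NewCertPool() // empty store: the rogue root is gone
	return trusted(leaf, withRoot, host), trusted(leaf, withoutRoot, host), nil
}

func main() {
	stillTrusted, afterRemoval, err := Scenario("bank.example")
	if err != nil {
		panic(err)
	}
	fmt.Printf("rogue root still trusted: forged cert accepted = %v\n", stillTrusted)
	fmt.Printf("rogue root removed:       forged cert accepted = %v\n", afterRemoval)
}
```

The second line is the one that matters for cleanup: only removing the root from the trust store, not uninstalling the proxy, makes the forged certificate fail.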


> ambient sound being uploaded to the cloud (SIRI, etc.)

To the best of my understanding, Siri doesn't do this. Siri listens, locally and on-device, for the hot phrase. (I know that the Moto X does that for 'Okay, Google Now'.)

Anyway, to the other points: I get something for providing information to Google. My location isn't terribly important to me and the benefits outweigh the risk. Ditto an online internet connection. My phones, iPhone and Android alike, both run whatever software I want--Cydia was the first thing I installed on my iPhone and Android accepts applications without qualm. (And I don't use applications that can turn the camera or microphone on without my knowledge.)

This is spying on my e-mail and my bank. It has literally no positive attributes. There's just such a massive difference to me that I get confused at your core claim.


This is not about surveillance or privacy.

This is a massive, well-established company deliberately introducing a gigantic security hole into all secure internet services, including the ones you use for online payments, banking, and governmental services. It's a security hole that can be exploited by anyone with moderate technical knowledge, and it was all done for the sake of showing you ads.


A desktop/laptop is a computer. A smartphone is a computer. Why the different reaction?

They're still two different classes. Smartphones (at least the mainstream Android, iOS and Windows platforms) aren't even self-hosting yet, so they're definitely in their infancy and unlikely to displace the microcomputers we have until said shift occurs, regardless of widespread commentary to the contrary.

By the way, "trusted computing" was backed by a ton of other companies besides Microsoft (I don't even think Microsoft were remotely the first), and it is most certainly not dead in the slightest.


A big part of this is convenience, I guess. People were flipping out about Microsoft's trusted computing because it was seen as a big company locking things down. Apple and Android managed to wrap it in a cool UX (and arguably good value proposition of curated content - which is still not as good as one would like given how much crap you can find on the app store) - and general population started using it before techies got around to shouting. It's too late now.

Another, maybe smaller part, is trust. I for one sign into Chrome with my Google ID and enable all location services, etc. on my Android phone because I still trust Google and the Don't Be Evil mantra. I haven't been convinced yet that they're a bad actor (OTOH I can't say that about Apple). I admit it's probably very subjective.


"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

Seriously?!


Not even a hint of an admission on the certificate issue, I'm not surprised. If they admit they knew about the root certificate or even acknowledge its existence after the discovery, they could open themselves up to legal liability if someone's bank account or identity is compromised.

This really sucks because I used to recommend Lenovo workstations and ThinkPad laptops to people; it really is good hardware at a decent price. I know this certificate/spyware issue was only on the consumer side, but it stains their entire reputation as far as I'm concerned. When my wife's Lenovo IdeaPad finally dies, we're not going to get another Lenovo like we planned.


They actually reference the root certificate in their removal instructions:

"Uninstalling Superfish Visual Discovery

    Go to Control Panel > Uninstall a Program

    Select Visual Discovery > Uninstall

Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well. The Superfish service will stop working as soon as it is uninstalled via above process, and following reboot."

http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-...


So they're basically telling you how to get rid of ads and call it solved, while still leaving you vulnerable to getting robbed by any script kiddie that gets his hands on the certificate key?


"This article will be updated with additional instructions on clean up of deactivated files and removal of certificate shortly."

This was just edited, here is the post before that: https://web.archive.org/web/20150219151726/http://forums.len...


I had the same reaction. If that's true, it's almost more worrying than if they admitted their complicity. What other gaping holes might someone that dumb about security have left open? More likely, it's just something they have to say for liability reasons. If they admit that it's a problem, every lawsuit against them gets much easier and is likely to yield higher damages. In a way, that same legal system often lauded as an alternative to regulation forces them to say something that's not true.


Anybody can MITM secure connections these computers make, right?


And present any HTTPS cert of their choosing to any compromised visitors, e.g. https://b4nk0famer1ca.com/


Hm... I'm pretty sure that if you can actually MITM their connection (i.e. you can intercept and modify the packages, e.g. by setting up a rogue Wi-Fi hotspot), you can also fake the DNS and/or IP addresses, so you shouldn't have a problem compromising visitors of https://bankofamerica.com.


You don't need to fake IPs or DNS requests - if you have MITMed their connection then all their traffic flows through your machine and you can present whatever content you desire on any domain.


The point being that you don't have to MITM their connection. The private key is in the wild, you can sign a cert and host it anywhere on the internet. Any visitors who have that and see that cert signed by that root cert will say "yep, fine, go ahead".

So then you spam the world with "Important message from Lenovo" and hope they click on https://len0v0.com and install your important update


Yes.


I expected that quote, but this one is even more off the rocker:

"The relationship with Superfish is not financially significant; our goal was to enhance the experience for users."

Right.


"We thought that performing an SSL MitM on our users to serve targeted ads would improve their experience. What a shocker when we found out we were wrong!"


Yeah. The "no security issues" line is possibly oblivious, but that one's just a straight-up lie.


First stage - denial.


> The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.

I would prefer for this to be a lie than for it to turn out for this statement to be true. Surely nobody at Lenovo honestly believed that ad injection improved user experience?


This would SEEM obvious because as techies we hate ads. But you can't extrapolate this to the general population.

There was one time when I visited my mother. We started her instant messaging program, and we were presented with special offers. I recognized it as such within half a second, so I almost automatically checked the 'Do not show this again' checkbox.

My mother alarmed me: "No, do not make it go away! I want to see the offers, they're useful!"

I was mindblown.

Another example: I have snail mail advertisements. But my girlfriend, who's living with me now, asked me to sign up for advertisements such as supermarket special offers. Another mindblown.


I am mindblown too. I thought that it was pretty obvious by now to everyone that ads do not show you the offer that is best for you; they show you the offer that's best for the company, which means you spending more money on something subpar. I find ads anything but useful.


So how exactly do you expect people to find out about your product if you don't advertise it? Even word of mouth requires a first sale, which generally requires... advertising.


There's advertising, and then there's advertising. Maybe a hundred years ago ads were about product discovery, they are not about that anymore. For most of the needs we have there are already products so you can just discover the product categories via well... interaction with other people. A new class of product often gets its spread organically, or at least via product-discovery-ads.

So for example, you didn't learn about the existence of cameras via ads - you probably saw your parents or friends shooting photos when you were a child. And you know that the ads of cameras you see on the web are offering subpar products, and you're better off searching for a camera that fulfills your needs yourself.

Another example, of a relatively new category - iBeacons. You probably read about them on the Internet, or maybe in a magazine like The Economist. Sure, maybe you read an infomercial, but what you've learned is that there is this new category of products, and that they can help you make phones more context-aware. But if you're thinking about what beacons to buy, you are again better off researching yourself and consciously ignoring anything that looks like an ad.


I don't totally disagree, but it's worth noting that when I read about iBeacons "on the internet," that was likely just a sophisticated ad, disguised as a review or blog article.

It's definitely better than the ads that ghostery blocked, but ads aren't going away and they were still important to the discovery process.


I agree. Sufficiently honest ad is indistinguishable from unbiased information, but sufficiently dishonest ad is indistinguishable from scam.


And what about if I'm a camera enthusiast who just likes to shoot photos, but doesn't have time to read all the photography news sites.

Is that Canon ad on HBR relevant to me? Are Canon cameras subpar?


Are Canon cameras subpar? Probably not. Is the one that is displayed in the ad an inferior choice for you? Most likely yes.


> supermarket special offers

Why would you not want to sign up to know about what discounts are available at your local grocery store, especially if you frequent it weekly?


Keyword there is "snail mail." You're saying you really want this stuff in your mailbox every week? I don't want any snail mail (of any kind), any week, but it's something I still have to live with.


In contrast, I've been refusing to opt in to my bank's online statements for a long time now, simply because I want to have important stuff (e.g. my money) printed black-on-white. Email can be easily faked.


Would it not be easy to print a fake?

I don't really understand why "can be easily faked" is how you're justifying this.


It is less likely that someone would send a falsified bank document through the mail, as mail fraud is a federal crime with harsher sentences than most online versions of spam/phishing.

Also records are kept for mail regarding where it was received by the post office (which likely has security cameras), when, who is on the return address and the recipient. There is physical evidence of who has touched a piece of mail such as fingerprints, hair, DNA etc.

This is part of why you don't get 50 letters from Nigerian princes each day.


That's right... I will need to check if there are any hard-to-fake signs on my bank statements (e.g. company stamps/special kind of paper/watermarks).


Some banks do have custom security envelopes with their company's name on the inside, although they'd also be easy to fake.


Yes, is it really that hard to take 5 seconds out of your day and check snail mail? I get that people don't like it, but let's be real, it's not that big of an inconvenience.


Well, if this is opt-in mail, it's all cool. Where I live I, along with all my neighbours, have something like half a kilogram of spam mail weekly, all of it (except maybe the first flyer from a newly-opened pizza place) goes straight to trash. Scale this up to a 1-million city or 30-million country and think of all this wasted paper, paint, electricity, fuel and labour.


They are obviously generating revenue, if they keep sending mail.


Now are they? I sometimes wonder about leaflets (and some form of Internet marketing) that maybe it doesn't really work, but it's so hard to tell that they just keep throwing money at it because everyone else does.


Our kind of audience has learned to be more effective with less distraction, likely because we have encountered information overload routinely before and therefore changed our behavior and preferences to prevent or lessen the problem.


The flip side is that there are genuine discounts for many products that save you money with no strings attached. It's just differential pricing: they want to sell their products for more money to people who want to spend more money. Or it's part of an affiliate advertising program and the way to ensure affiliate codes get entered by buyers is to offer them a discount.

I hate many ads too but I'll seek out discounts when I think they might exist.


Grocery shops have another trick up their sleeve - they lower prices on some products, but raise prices of complementary goods. So you can have a genuine discount on bread, and at the same time heavily overpriced cheese. They're betting on you not caring enough to split your shopping between multiple venues.

My mother recently told me how she's tired of keeping track of prices (or price/quality tradeoff) in 5+ different shops - she can save a lot of money and buy good quality products at the same time as long as she knows what to buy where. But she's doing bulk shopping. I probably wouldn't bother walking around the hood to get one item cheaper.


The real problem is the wasted time. You may save $20 bucks a week shopping around, but if it costs you 45 minutes and you make $40/hour after taxes, you are spending 45 minutes to save 30 minutes.


Indeed. Well, my mother doesn't make anywhere near that amount so it's worth the savings for her - the shops are just counting that people earning more won't bother shopping around.


I used to get a subscription to Computer Shopper back in the day. And it wasn't because of the articles in it either.


This makes me wonder if any of the people working at Superfish actually use their own products regularly, including this one, and like it. I wouldn't be surprised if they do.


If they make their money off of people legitimately interested, I wonder if there could be a way to convince the spammers that we're really not, so they can stop wasting their paper and bandwidth.


The difference is that I go to the supermarket every week and spend money, so coupons save me money on stuff that I'd be buying anyway.

In contrast, Internet advertising offers me pretty much nothing of interest.


Ironically, I've been looking at Lenovo laptops recently, and now Lenovo ads follow me around the web (when they're not blocked). So they are currently showing me something of interest, and it's a handy reminder of how easy tracking is.


Why would you live with a person like that?


> Surely nobody at Lenovo honestly believed that ad injection improved user experience?

I can see the marketing folks honestly believing this. See, the problem with people in marketing is that they come up with ideas that sound good in theory but neglect to consider the implications.

"Wouldn't it be great if I was presented with offers to buy things based on context clues in the web pages I'm browsing?"

"Wouldn't it be great if I didn't have to enter passwords all the time?"

After the marketing brainstorm session the engineers are asked "can this be done?" And the answer is usually "Yes, but..." This is the point at which the marketing droid zones out. "Make it so!"

So yes, I do believe someone in marketing thought this was a great idea. And if it worked perfectly without compromising security, it probably would be a good idea. But there's always compromises in technology, and the marketers either can't grasp or don't care about the consequences.


Let's make broad claims about how people in tech marketing must be idiots!

See the funny thing is that I've worked in the PC making business and the parts business (Newegg) and the way this software makes it into the preload is not because of marketing, it's a product or finance decision. Hardware is a low margin business so you get paid to add in some pre-installed software and structure some revenue sharing deals. Lenovo isn't lying when it said that it wasn't financially meaningful; in fact, that's probably why they stopped installing it (not because they did some survey of users, etc.).

I don't think any reasonably competent marketer would ever suggest installing some adware as a "feature" so that they could market it. The fact that people are only finding out about this Superfish now meant that Lenovo and Lenovo marketing didn't advertise its existence. Can someone show me some marketing material that says "Lenovo PCs, now with more Superfish to enhance your online shopping experience."?


> Let's make broad claims about how people in tech marketing must be idiots!

That's not really where I was going with it, just pointing out that sales and marketing start out with reasonable "what if I could..." scenarios and don't really care about the implementation.

> I don't think any reasonably competent marketer would ever suggest installing some adware as a "feature" so that they could market it.

You're right, because they don't think at the implementation level. What I think _did_ happen, if my experience is any indication, is that someone said "I think showing users suggested products would be a tremendous value add! Let the eggheads figure out how to do it." What you end up with is what needs to be done at a technical level in order to fulfill marketing's requirements. It ain't always pretty.


I don't know. My experience with the output of marketing and sales people is that they come up with ideas that sound good only to them, and not to anyone with even a milligram of conscience. I try to attribute it to a kind of job-related blindness rather than malice, but seriously - quite often those ideas boil down to "how can we scam those poor schmucks"? It's like no one ever asks themselves the question if the idea is actually good for the end user.

Good business is about providing value for proper compensation. If you're trying to trick your customer into paying more money for less value, you're just scamming them.


Well, at least in my experience they do come up with some ideas that are genuinely about making the user experience better (to increase retention/sales/etc. of course). Like the idea about doing away with or simplifying passwords somehow. It's an idea with good intentions and if it could work perfectly it would be _awesome_. But it doesn't work perfectly -- there are major drawbacks. The sales and marketing folks just don't understand that part of the equation.


I don't mind that kind of mistakes that much. Well, they don't understand the security implications, maybe they didn't listen to someone when they should have. Yes, sometimes it's a fuckup, but intentions were at least honest. As strongly as I hate scumbag marketers and sales, I strongly (and publicly) applaud those who have good intentions and are aiming for a win-win.

But here, in this particular case, you clearly have bad intentions with a side order of criminal negligence.


Marketing folk are both the biggest scammers and biggest suckers at the same time. Causality is not one of their strong points.


"Wouldn't it be great if I was presented with offers to buy things based on context clues in the web pages I'm browsing?"

Sounds a lot like Google ;-)


I feel like many marketing professionals have deluded themselves into either thinking this is true or redefining enough words in their vocabulary that it becomes true. eg, If these ads result in people buying something, then that "proves" they were "useful" and thereby provided a "good experience" to the user.


I hear it all too much! Serious BS!


Well, a lot of people use their computer to purchase things. How do people know what to purchase? Ads! Therefore more ads = more knowledge about what to purchase and results in a better user experience QED /s.


You know, I often feel as though I'm living in a cave, because there are many things out in the world that I'm unaware of, and I often wonder if it's because I use Adblock.

Take Uber, for example. It's apparently a popular ride-sharing service, which I've only heard of recently due to a bunch of articles about them getting into trouble with the law. So how did that service get to be so popular to begin with? How did people first hear of them? I'm guessing that there were lots of banner ads for them all over the web, which I've never seen.

Of course, my curiosity as to what goods and services I might be missing out on is not strong enough to cause me to turn off Adblock, because good lord, the web user experience is horrible without it.


Well, truth be told, most products and services out there are crap, and if something is actually good (or stupidly bad), you'll learn about it anyway. People like to talk about things that solve their problems well. Hell, in tech the Hacker News itself is a nice place for that; most of my "product discovery" happens here. Sure, maybe sometimes you will be late to the party, but you'll find out about good products eventually, and hell no, I'm not going to look at ads unless forced at gunpoint.


I've never seen an ad for Uber. I know about them because I keep up with startup news. They were in the news plenty before the legal issues.


...for users¹

¹ ...of our targeted advertising platform


Fucking PR speak. That needs to stop too.


Lenovo is going to lose more through how they handle this than through the fact that they did it in the first place.


I agree, both in the market for products, but also for engineers.

I'm sure that Lenovo has some really smart people that right now consider if they should dust off their CV and jump ship instead of working with morons.

This kind of stupidity can really destroy morale of technical teams within an organisation.


Sadly no. Businesses will still buy Thinkpads like candy.


I'm structurally distrustful of the hardware that I buy so I rip out the drives without ever even booting them and then install Linux on a drive bought through another source. I can still see some potential issues there (drive firmware compromised, bios tricks, chipsets with junk and management devices) but that's a basic precaution against getting something you didn't actually buy.


I think it rapidly turns into "How much effort are you willing to use to make yourself more secure?" There's diminishing returns as you increase your money and effort devoted. $50 and a couple hours will get you another hard drive and a Linux install. How much are you going to spend to guarantee that your BIOS and firmware aren't compromised?

There's a reason why security-conscious folks spend an enormous amount of money on the stuff that we buy for a couple hundred bucks. I'm sure that the NSA pays thousands for $100 hard drives.


There are some interesting corollaries that make this interesting from an InfoSec perspective.

Heart of the matter is that most consumers - whether personal or business users will have little to no visibility into this. And, even a smaller fraction will have the technical chops to remove this garbage unless there's a tool that's openly presented to them.

Since there are a ton of small businesses that purchase and consume laptops just as they come out of the box, I'm really interested in the industrial espionage potential with this.

Couple in all the PRISMish like revelations over the last year and a half, and I simply have trouble putting much faith in their, "oh, it's just to show better ads, sorry..." statement.


As a subcontractor for BIA and DOI, I can assure you that news has gone around and we will add all Lenovo products to the list of items not to purchase.


Yeah and businesses run their own Windows images. Whatever software is preloaded doesn't matter.


Big companies, yes. Small businesses, not so much.

There's certainly an unrealized support cost. But in my experience, it's pretty common to see several different manufacturers and OSs across a small business. When they need a new laptop, they're either picking up what's cheap at Best Buy or handing down machines when the boss gets a new one.


Unless their Windows image is based on the out-of-the-box OEM install.


I would imagine that any company imaging their hardware has their own custom image to coincide with their windows licensing agreement and not on whatever was on the first box.


Yeah, that doesn't happen.


They disabled it server-side? What about the CA certificate in all these Lenovo users' trust stores that blackhats can now use to MITM with wild abandon?


It enhances the user's experience when being MITM'd.

But yeah, the removal instructions mention that the certificate won't be removed, which is quite dangerous.

EDIT: And users removing the cert would be unable to load https pages, which is a tricky situation.


I was considering getting a Lenovo X1 Carbon to run linux on. I'd be installing a clean image, so no Superfish, but I still don't want to give money to Lenovo right now.

What alternative linux laptops are there? (aside from macs)


The Dell XPS 13 is superb, been running Linux on it since day one. Fantastic, solid little machine.


There's System76, which are basically pre-loaded Clevo laptops (which are sold under many different names). I have the Galago Ultrapro and am quite happy with it. Good battery life, fast, user-serviceable and a calibrated IPS screen. On release the keyboard was a little off, but the new one is pretty good.


Wow, a very impressive lineup. Their performance laptop even has the optional second GPU - never seen that in a laptop before.

If only they had a trackpoint style pointing device, that would be my perfect next laptop!


How's battery life? That was always my concern, it seemed to be quite pathetic in comparison to modern 6-12hr competitors.


It depends on what you're doing of course. Normal usage (playing music/Youtube, browsing Firefox, coding, opening up some PDFs) gives me about 6-8 hours I'd say; I get about 3 hours of (modded) Minecraft, which is quite the battery drain. This is on Gentoo (Awesome as WM) so the background drain is pretty low. It's good enough that I never really pay attention to it.

upower says the battery is designed to store up to 48Wh, with a maximum design capacity of 53Wh.


Is the battery controller programmable from Linux? E.g. can you set charging thresholds?

Is there any hardware in it that doesn't work in Linux?


I don't know about the battery controller, all of it works with Linux (System76 is a Linux retailer after all).


The Dell XPS is actually not bad if you're looking for an ultrabook type machine, also the HP EliteBook.


Dell sells laptops with Ubuntu, it's $100 cheaper. Most awesome is probably XPS 13" 2015, but it does not have official support yet.


Is there a version that's not touchscreen?


Why does lenovo thinkpad have to be the only line of laptops that has a trackpoint by default? How hard can it be to include it for other brands? This is a very important feature for some people and it limits their choice to thinkpads and (AFAIK) some HP laptops.


I've had track points on hp and dell laptops (I always disable them)


Also some Toshiba laptops....


At a guess, it's patented?


The patent is way expired.

I think it has more to do with the fact that a lot of people just don't like the Trackpoint or (more likely) won't give it a shot, so manufacturers aren't going to invest the time and money to put it on their laptops.

Personally I think the Trackpoint is the greatest thing ever, but I worked at IBM for a long time. Pretty much anyone who has had to use Thinkpads for an extended period of time ends up loving the Trackpoint. But regular people just don't want to give it a shot.


I recommend the Asus UX line. Don't get the super-high-end ones if you're going to put Linux on it, but you'll get excellent value for your money with $600.


The Dell Precision M3800 can come with ubuntu preloaded (which actually subtracts ~$100)

It's more comparable to a macbook pro than the air though.

Also this 20% off coupon works: MXPX2T1N9HGH12


Thank you for the coupon code. I just bought one :)


The Librem should be shipping in April if you can wait: https://www.crowdsupply.com/purism/librem-laptop


I have an hp elitebook, works great with ubuntu


We're using almost exclusively HP here: the EliteBooks always had/have crappy trackpad buttons (to the point of being bothersome). I've noticed this in their EliteBook line for 10 years, so they just don't care about it. The keyboard is so-so but acceptable, and the screen of the Folio/G1 ultrabook series is downright bad (strong blue color cast with large sample variability). You can get a matte filter and a replaceable battery in an ultrabook line, which is very good to have, but that stops here. Dell and Lenovo ship way better screens and keyboards for the same specs, which I would definitely recommend for a serious programmer.

The 840 G1 I'm trying now has some ACPI and ATA issues currently on any stock kernel (google for more details). HP is definitely not even trying to test its high-end laptop line on Linux.

I was quite ok with the Thinkpad line, but this move from Lenovo would now push me toward Dell.


I am running the dell xps 15, works beautifully. Though the refreshed xps 13 is likely worth a look as well.


There's a scene in the movie The Rum Diary where Sanderson says roughly that the way to sell the public on the idea of building a hotel on an untouched island is to start by trying to build 20 hotels. Public outrage will occur, people will write their politicians, and finally a compromise will be reached, in which you get to build only one hotel. But the trick is, that's what you wanted to do in the first place. In the end, this compromise wasn't good enough: the result is still horrible.

This is roughly what Lenovo is trying to pull off here.

> Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping.

This is the compromise being offered. They're claiming, "We didn't violate your privacy, we didn't violate your security, we just wanted to help you discover interesting products."

Superfish opens up all sorts of security holes and privacy concerns, but it's probably true that this wasn't Lenovo's intention (not yet, anyway). But to accept this as a compromise would be to give Lenovo the thing they want in the first place: to serve ads into our web searches. And that in itself is deplorable. It is not acceptable for companies to force their agendas on us.

Lenovo's only defense here is that they were doing something disgusting. We should not accept this compromise.


I'm seeing at least one report dating from September of last year on their forums:

https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-...


> We are getting off-topic here. If you have questions pertaining to the differences between adware, spyware, potentially unwanted applications, and viruses please post on the Security & Malware Forum. We'll be glad to clear up any misunderstanding.

Ugh. Patronising, misleading and evading the point all in one answer. This was a horrible thread to read.


Repeating this from the other thread: people should file complaints with their state consumer protection division. There are probably at least one or two attorneys general in the country who would love to make an example out of Lenovo ("big bad foreign company", etc.).

Here's the complaint form for Massachusetts: http://www.eform.ago.state.ma.us/ago_eforms/forms/piac_ecomp...

Some state AGs are active on Twitter too, which might get more direct visibility.


We have a Lenovo G710 at work that was purchased less than a month ago, and the amount of bloatware installed on that thing is quite amazing really; it's almost a type of art.

The Superfish cert is there, however the VisualDiscovery service that injects the ads was at some point disabled, as I could only find remnants of it in the form of INI files and registry keys.

A quick fun fact: there are two encrypted INI files located in the Windows folder:

A.) VisualDiscovery.INI

B.) VisualDiscoveryOff.INI

If that doesn't tell you everything you need to know about the guy that developed this shit then I don't know what will.


The problem with the statement is that Lenovo owners need to be aware of the news to find it.

I'm on Lenovo's mailing list and haven't seen a similar statement in my inbox with remedial instructions.

I was only half-lucky with Superfish. I bought my Y50 before Xmas and removed Superfish and all other non-essential software but didn't know about the certificate, which I deleted today.

Sadly, I don't think the typical non-technical Lenovo user is even going to find out about this or know how to fix it.


Return it.


Unfortunately the best response to this is extracting the private key for the cert it installs in the root and publishing it: http://blog.erratasec.com/2015/02/extracting-superfish-certi...


OK, thanks for this. I wasn't sure if the signing of stuff was being done locally by the proxy or remotely. i.e. whether the private key was on the machines. So yes, complete security clusterfuck.


Can't say I put a lot of trust in this statement

"It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted."

from someone who refers to ad-ware as "...to help customers potentially discover interesting products while shopping".

Barf.


Cut the Bullshit Lenovo! Stop Lying to Us!

> We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

A bald-faced lie!

> our goal was to enhance the experience for users

A bald-faced lie! Adding ads to a page cannot enhance user experience!

I'm on, I think, my 4th ThinkPad. A loyal customer.

Stop treating us like shit! This is completely unacceptable.

Issue a real apology and start firing people, or shut the fuck up.


Honestly, I wish there was a way to comment on their stupid statement. These bullsh*t companies need to realize that users don't want the stupid bloatware in the first place. I paid you a TON of money for this computer the least you can do is give it to me in its best condition.

You wouldn't buy a car that came painted with advertisements on the side!


They are perfectly aware of how people feel about bloatware. Dell at one point offered clean installs but you had to pay something like $30 extra. This probably provides some type of clue that they make about that much more per machine by including all the pre-installed crap.


> Dell at one point offered clean installs but you had to pay something like $30 extra

And I'd hazard a guess (with no evidence) that very few people paid that extra cost. We undervalue our own attention, assuming that we can easily ignore adverts, so ad-supported products are disproportionately successful (preinstalled bloatware is just a special kind of advertising).

Does anyone know how well Amazon Kindles with 'Special offers' are selling?


> The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.

I don't believe that for a second.


> "We will not preload this software in the future."

I know it is lucrative to preload but I really wish this practice would just die. In the long run, they are just hurting their business.


"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

One way to read this is they have not seen any evidence that people have actually been hacked in the wild. They may understand perfectly well that it is now trivial to do this but no one's actually reported yet that they had thousands of dollars stolen due to using online banking on a compromised Lenovo machine on public Wi-Fi.

Roll on the class action lawsuits.


I've been a ThinkPad customer for ages, and have recommended them to others many times. I'm fuming mad over this.

What's the best way to tell Lenovo they fucked up? I mean, I can vent over social media all day but will they even pay attention?


Stop buying their products. I was already considering moving away from Lenovo after the ruination of the -40 series. I was almost swayed back in by the -50s but this put the final nail in the coffin.


Lenovo is saying exactly what they need to say in order to prevent their statement from being admitted as evidence in a lawsuit or legal proceeding.

In other words, they just acknowledged it without admitting fault or liability.


If I base myself on that statement to decide that there's no need to remove the software, then get my bank account emptied, won't that backfire pretty hard on them?


I have a Lenovo laptop and had the superfish root cert installed. I also have a "Nuance" trusted root certificate installed. It's a SHA1RSA certificate issued by Nuance, expiring in January 2040 (serial 9e ef 9d f5 9a...), thumbprint (51 2d 19 4d 28 64...). It says it's usable for everything. Does anyone know about this one?


Nuance makes Dragon Naturally Speaking, which also comes preinstalled on some Lenovo laptops (including mine, but it was one of the first things I uninstalled). I'd imagine it has something to do with being able to voice control applications/websites/whatever-Dragon-does. If you don't use Dragon, you can probably safely delete it.


Even when they disabled server side operations, the malicious root certificate very likely remains on thousands of computers -- and thus a high security risk for all owners of those computers!

In essence, a root certificate with known private key is as dangerous as a worm that infected your computer. Maybe even more dangerous.


It's perplexing you still need to put a couple of days' work into setting up a computer. In the 90s it was all about getting all the peripherals to work. Now it's all about removing the bloatware, data leaks, and security holes.

On a PC I do a Linux install and go through some extra settings.

On Android I install CyanogenMod with an IPtables firewall. The number of apps that try to raid your address book on Android is mind-boggling. When you set Privacy guard to "ask" instead of "deny" you will have so many popups that the phone is bogged down for a couple of minutes after startup.


> We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

Apparently a wildcard SSL certificate valid for every domain on the internet installed in a certificate store isn't a security concern.

Apparently said SSL certificate having an extractable private key installed within a user certificate store isn't a security concern.

And apparently leaving said certificate behind in the certificate store even after uninstalling the crapware (according to a very reliable InfoSec Taylor Swift) isn't a security concern.

Wow? Wow.
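The comments above (the root certificate left in the trust store after uninstalling, the extractable private key, and the separate question about the unexplained Nuance root) all come down to one defender's check: which non-standard roots are present on the machine, and does the store also hold a private key for any of them. The following is an added example for readers of this thread, not code from Lenovo, Superfish, or anyone posting here. It assumes an elevated PowerShell session on the affected Windows machine; the watch-list of subject names is constructed from the names mentioned in the thread and should be extended as needed.

```powershell
# Added example (not from the thread): enumerate the trusted root stores and flag
# certificates whose subject matches names discussed above. Assumes elevated PowerShell.
$Patterns = @('Superfish', 'Nuance')                     # constructed watch-list
$Stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuspiciousRootCert {
    param([string[]]$Patterns, [string[]]$Stores)
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $hit  = $Patterns | Where-Object { $cert.Subject -match $_ }
            if ($hit) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    # A trust anchor whose private key lives on the same box lets anyone who
                    # extracts that key mint certificates this machine will accept for any site.
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
        }
    }
}

$findings = Find-SuspiciousRootCert -Patterns $Patterns -Stores $Stores
$findings | Format-Table -AutoSize

# Removal: review the findings first, then delete by thumbprint from the store it was found in.
# -WhatIf only previews the deletion; drop it once you have confirmed the entry is the bad root.
foreach ($f in ($findings | Where-Object { $_.Subject -match 'Superfish' })) {
    Remove-Item -Path (Join-Path $f.Store $f.Thumbprint) -WhatIf
}
```

Stop the injecting service before removing its root certificate, otherwise, as noted earlier in the thread, the still-running proxy keeps re-signing sites with a certificate the machine no longer trusts and HTTPS pages fail to load. `HasPrivateKey` reports only keys the Windows store itself holds; a key that shipped inside the application's own files (as the extraction write-ups linked above describe) will not show here, so an unexpected third-party root should be removed even when this column reads False.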


Microsoft seems to have a vice-like grip over OEMs regarding preloading Windows on every product they sell without exception. IMHO this is a terrible thing, but can't they do at least a little good and prevent OEMs from shipping anything other than a pristine image with no preloaded software?

Surely the endless bundled crapware from every OEM just gives Windows a bad reputation in the long term. The popularity of Chromebooks now is a testament to that.


They tried dictating what vendors could pre-load, and were taken to court by the US Justice Dept, along with a large number of state AGs.


Correct. So OEMs can load whatever crapware they like, and Microsoft doesn't even know what they're loading. The idea of a "vice like grip" is nonsense.

What Microsoft does instead is offer Signature editions that are crapware free....


No, they can't. The key crime in the antitrust trial was Microsoft preventing OEMs from installing additional software (Netscape).


Perhaps Microsoft could put out a security update to remove any Superfish certificates left. Still after the fact, but better than doing nothing (and leaving these suspicious certs around).


The Android ecosystem is suffering the same problem.


Exactly. If I were CEO of Microsoft now I'd terminate Lenovo's Windows OEM contract just for tarnishing the reputation of Windows.

That would probably put Lenovo out of business, actually. Might get other OEMs to take notice too :)


Windows is openly licensed. You just roll up to the website and sign up, then you can do what you like.

Under the US Government-imposed anti-trust rules, Microsoft wasn't even allowed to charge the top OEMs different prices. Otherwise it could have discriminated against the "bad" ones.


"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-...

"This article will be updated with additional instructions on clean up of deactivated files and removal of certificate shortly."

This was just edited in, here is the post before that: https://web.archive.org/web/20150219151726/http://forums.len...

So, Lenovo, why should we remove this certificate after all? Any security concerns perhaps?


I'm seriously considering not buying Lenovo laptops any more for the company I work with; I simply cannot go through the trouble of removing all of Lenovo's pre-loaded crap each time I replace or buy a new machine.

I used to recommend Lenovo as a good laptop for work, with great quality hardware for the price, but for a couple of years my view has been shifting towards "Lenovo isn't what it used to be, I think we should stop ordering from them..." I've had a lot of problems with defective hardware lately, even on Thinkpads...

This news just adds to the pile of deception I had with Lenovo lately.


The chief question I have is whether or not a Lenovo PC sold by the Microsoft Store as a Signature Edition (e.g., [1]) would contain this or anything similar. My suspicion is that it would not. If anyone is near a Microsoft Store, and can stop in to run the test, it would be interesting to see the results.

[1] http://www.microsoftstore.com/store/msusa/en_US/pdp/Lenovo-Y...


Well there you go. They investigated and found no security issues.

Can't get any better than that!

Seriously, there were so many different ways they could have gone with this and saved face, but they just decided to hunker down. Sad.


"our goal was to enhance the experience for users". I've never needed help finding or discovering products, and I can compare my own prices thank you very much.

The apology always seems to make it worse.


- Lenovo stopped preloading the software in January.

My X1C was ordered on Feb 4th, and shipped Feb 9.

I believe that my machine had this malware installed when I received it. On firefox, websites that would not normally have many ads, were filled with ads to the point where I couldn't use the sites.

I am unable to prove my claims, as I formatted the HD and installed Linux to get rid of all the obvious bloat-ware.

I really enjoy the laptop. But if I was less tech savvy and unable to format/install Linux I would probably have returned the machine (the ads were really, really intrusive).


It's clearly adware with a backdoor to spy on the user. In many countries creating and distributing that kind of adware is classified as a crime. What nonsense they are talking.


Why is a press release undated? You have to go back to the "News releases" page to see that it is dated today. The PDF version doesn't have the date, either.


>To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent.

We've heard this song and dance before. Excuse my skepticism, but I don't believe you and until we can see some source code, I won't believe you.


Lenovo was discounting 30-40% around Black Friday. For weeks! The simple truth is that crapware pays for cheap PCs, and the economics don't work otherwise.


> Users are given a choice whether or not to use the product.

What did this choice look like? Were users prompted to remove the cert if they didn't want it?


I like my ThinkPad, but between this and the fact that Dell is selling several Linux laptops, I think my next laptop will be a Dell.


"Superfish was included [...] to help customers potentially discover interesting products while shopping".

Wow how thoughtful and helpful of them.

I don't understand the point of bloatware. Are the manufacturers making a ton of money off of them or something? How much could bloatware writers possibly be offering to make it worth uglifying your brand?


Yes, "ton of money" meaning a few grand. I think manufacturers are selling their reputation for too cheap.

There of course is a point that each manufacturer would like to provide some added value through software that would set them apart from other vendors - because hardware competition is so fierce - but unfortunately their priorities for selecting the vendors they use are really bad. Much of the crap is just horrible, and I don't recall seeing anything really useful recently.


Yup. You know what real value-add looks like? The permanent +50GB of Dropbox I got when I bought my Galaxy S4. While I wasn't aware of it until I bought the phone and was just pleasantly surprised, it's the kind of thing that really could influence my choice of phone if I was on the edge of a choice.


I have a ThinkPad T61 that I bought refurbished a couple of years ago. One thing that I really like about it is that it came with a clean Windows 7 installation.

But now, there's no way in hell I'd buy a Lenovo. Trust is not easily regained once broken.


>Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping.

It's not adware, it's a feature!


Love the claim that their relationship with Superfish "isn't financially relevant" and that they were doing it for their users.


An example of how not to write a press release. So much shit talk.. such a shame.


Lenovo is just copying their betters at the NSA: Infect the machines of others and when caught, deny it. Sadly, this business model will probably work for them.


Now I'm being stalked by Komodia ads!


Class-action lawsuit anyone?


Lenovo is dead


Yeah this is fucking hilarious! Be sure to read the Extracting SuperFish Certificate article first for full effect though lol

