Superfish: Lenovo ditches adware, but that doesn't fix SSL megavuln – researcher

Lenovo is attempting to defuse controversy over its pre-installed Superfish crapware – which appears to have run man-in-the-middle attacks against consumers in order to sling ads – by saying it has discontinued use of the visual-recognition technology on new laptops and promising to review outstanding concerns. Superfish …


  1. Britt
    Facepalm

    @Halverflake

    So, making the laptops vulnerable and undesirable is a valid way to move the negative margins into the positive? That is, of course, until it all goes boom and the backlash hits.

    That has to be up there with other historic pathetic excuse-making.

    And now for the tin foil hat moment:

    Is it the ads that are making them the money that takes the margins into the black, or is it the back-pocket NSA (or disliked agency/country of choice) funding to gimp the machines' security that lines the pockets?

    Still, bad form. I've never trusted pre-installed bloatware (and thusly removed it) and now I'm vindicated more than ever.

    Probably a fair number of commenters here feeling the same.

    1. Will Godfrey Silver badge
      Unhappy

      Re: @Halverflake

      Indeed so, but unfortunately Joe Public probably has no understanding of what the problem is... even if (s)he's been made aware of it.

      1. Doctor Evil

        Re: @Halverflake

        Joe Public is buying tablets these days. Laptops are still being bought by a more knowledgeable crowd with long memories for misdeeds like this.

        No Lenovo for me.

    2. Notas Badoff

      Re: @Halverflake

      Halverflake's statement didn't advocate foisting adware on users, but reiterated a reason 'why' it happens. So +1 for your being suspicious but -1 for reading comprehension.

      And, you know, it is getting ridiculous the way everyone reflexively adds '!\!SA!!' to every discussion of malfeasance. Hey, remember Hanlon's Razor? Or like, you know, crop circles, aliens, poisoned wells, etc. etc. etc.

      1. Britt

        Re: @Halverflake

        Fair Comment. I can see that he played devils advocate but, to me at least, came across as smarmy.

        And +1 for you on the everything has NSA in it, hence why I caved and did my tin foil hat moment. It seemed fashionable.

      2. Bob Dole (tm)

        Re: @Halverflake

        >>Hey, remember Hanlon's Razor? Or like, you know, crop circles, aliens, poisoned wells, etc. etc. etc.

        All NSA.

        What's your point again?

      3. BillG
        Holmes

        Re: @Halverflake

        This validates all the paranoia some people felt when IBM sold ThinkPad to a company in communist China.

      4. P. Lee
        Facepalm

        Re: @Halverflake

        The application is called "SuperFish" and nobody thought, "Hold on a minute, this might be a problem"?

        With this level of incompetence, who needs the NSA with their HDD firmware mad skillz?

        I'm afraid MS has some share in the blame. Not providing clean OS images is precisely to allow this sort of revenue stream and it targets those least able to fix the problem.

        But don't worry Nadella, I'm sure consumers will still want a Windows tablet and phone!

        Hello, I'm a Mac and I'm not delivered with software that snoops on your bank account. etc.

        1. mrjohn

          Re: @Halverflake

          You sure about that?

          http://www.theguardian.com/us-news/2015/feb/19/nsa-gchq-sim-card-billions-cellphones-hacking

        2. Dan Paul

          Re: @Halverflake @P.Lee

          Lenovo produced the hard drive image, not Microsoft.

          Lenovo is fully responsible for including the bloatware, not Microsoft.

          Microsoft makes operating systems and office software for many laptop/PC manufacturers, not just Lenovo.

          Is "SuperPhish" present on those units too? Not that anyone has heard.

          1. regadpellagru

            Re: @Halverflake @P.Lee

            "Lenovo produced the hard drive image, not Microsoft.

            Lenovo is fully responsible for including the bloatware, not Microsoft.

            Microsoft makes operating systems and office software for many laptop/PC manufacturers, not just Lenovo.

            Is "SuperPhish" present on those units too? Not that anyone has heard."

            The problem here is that MS has let OEMs, like muppets-Lenovo and many others, package its OS as they will, including the possibility of adding any full-scale spy/mal/bloatware if it brings revenue. And this is gonna hurt them, even if they've only been naive.

            MS really needs to regain control of Windows from the OEMs and provide certified (whatever that means) install media that can bring a secure baseline to any HW. It is absolutely pointless to have invested in things like Secure Boot and then let OEMs act as Lenovo has.

            MS is not the culprit here, but they've let things go titsup.

            1. Anonymous Coward
              Anonymous Coward

              Re: @Halverflake @P.Lee

              They can't. The OEMs can dictate terms because, otherwise, they won't buy. What can Microsoft do when the OEMs basically make it "Deal or No Deal"?

        3. David Bell 6

          Re: @Halverflake

          "I'm afraid MS has some share in the blame. Not providing clean OS images is precisely to allow this sort of revenue stream and it targets those least able to fix the problem."

          Erm... http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media

    3. roadrunner

      Re: @Halverflake

      If you issue a false certificate to intercept secure communications, don't you open yourself up to criminal charges?

      Or does the law only apply to nerdy 17 year olds?

      1. regadpellagru

        Re: @Halverflake

        "If you issue a false certificate to intercept secure communications, don't you open yourself up to criminal charges?"

        Who cares, when

        1- it happens to a Chinese vendor (law? What's that?)

        2- you have 0 judges or lawyers on earth who can understand this SSL stuff

        3- you can easily spin it to the "useful app that gives nice ads to the user"

        1. Solmyr ibn Wali Barad

          Re: @Halverflake

          "2- you have 0 judge or lawyer on earth who can understand this SSL stuff"

          Heck, even a good half of the IT crowd doesn't. Myself included. Maybe there's enough understanding to cope with the daily tasks, but not enough to make truly important policy decisions, or to serve as an expert in legal proceedings.

          Which may be a serious problem in the legal matters. If someone's machine is hijacked for a criminal activity, then a false impression of security may become a deciding factor in a verdict. Encrypted drive? Check. Password-protected? Check. SSL? Check. That's a proof beyond reasonable doubt, m'lud. Nobody but the defendant could have gained access to this machine. Throw in an "expert" or two, and it's pretty much a done deal.

          If that previous part sounds like hyperbole - not necessarily so. Germany has a precedent on this. If any cybercrimes are performed from a "secure" WEP-protected WiFi network, then the owner is liable. Not to mention that possession of any "hack-tools" is an offence by itself, and a solid proof of guilt.

          Honest mistakes undoubtedly happen. But there shall be no mercy for vendors that are knowingly exposing their customers.

          1. Tom 13

            Re: or to serve as an expert in legal proceedings.

            In the US, if you could serve as an expert on the subject, you will be excluded from the jury pool.

            1. Solmyr ibn Wali Barad

              Re: or to serve as an expert in legal proceedings.

              Probably so. Jury trial is supposed to be a 'common sense' test, so the selection process should filter out anyone who's not so common. And remove people with a clear bias or prejudice. How's that working in practice, I wouldn't know, haven't seen it close up. Probably less than perfectly, as the jury foreman in Apple vs Samsung so aptly demonstrated. He got away with playing an "expert" during a jury session.

              Yes, some experts can be outright scary. Highly educated (which is kind of a requirement), highly decorated, and able to talk utter bollocks with confidence.

    4. nigel 15

      Re: @Halverflake

      @Halverflake can go **** himself.

      He's providing mitigation if not fully excusing it. Together with being incredibly patronising to those of us that are surprised by this.

      Margins are thin in many industries. Oil prices are suppressed at the moment, margins are thin. I'd still be surprised if next time I go to fill up the car with petrol I got a 50/50 mixture of that and bath water. Presumably @Halverflake does expect this, or else he doesn't understand the economics of the oil industry.

      what an arse.

  2. Terje

    It does seem like the recommendation I have made lately to friends and family asking my advice on new computers, to format and do a clean install, does carry some additional merit apart from getting rid of crud that refuses to uninstall properly.

    1. elDog

      @Terje - and how are they supposed to do a clean install?

      Consumer laptops don't get any media any more to rebuild the user partition.

      There may be a vendor-supplied partition that contains the means to rebuild the original user partition, but why would I trust it?

      Why would I trust some DVDs that were distributed by Lenovo (or any other vendor) since they can have the same malware.

      Why would I trust a download from a web site linked to the vendor? Or to M$, or <younameit>?

      In the end, it doesn't make any difference. The <conspiracy_agencies> has already modified your BIOS and your HDD firmware to do their bidding. I can imagine that these lower-level techniques are now promulgating outside of our <trusted_agencies>.

      If anything, all these new stories about rootkits, zero-days, firmware diddling - all they do is open up channels for spying and PROVE that we are being spied upon - by whom? Probably by Many Eyes (Five + Israeli + Russian + ...)

      1. danR2

        Re: @Terje - and how are they supposed to do a clean install?

        Because, although the lesser of two evils is still evil, it is still lesser. Why should someone buy cut-rate Prozac from alibaba?

  3. Comedy of Errors

    Removing it

    Lots of articles say the only way to be sure you have got rid of everything is to reinstall Windows and avoid using the Windows image supplied with the machine.

    The problem is that won't work. The version of Windows on it is the cut-price "Windows 8.1 with Bing", for which Microsoft has never issued a public ISO. Standard version of Windows will not work.

    So without buying a whole new version of Windows we are left just trying to fix the obvious stuff and hope we didn't miss anything.

    1. Anonymous Coward
      Anonymous Coward

      Re: Removing it

      Does anybody know a free program that will identify and/or kill any instance of Superfish? I think I caught it due to a browser extension. It injected ad sidebars into certain web pages and I can't tell if it's gone.

      1. This post has been deleted by its author

      2. Richard Taylor 2
        Pirate

        Re: Removing it

        Not too difficult to remove (and yes, I found it on my son's otherwise excellent Lenovo laptop). You might try http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html - it appears to have been written by someone who has thought about it.

      3. Tom 13

        Re: Does anybody know a free program

        I've generally had good luck with Malwarebytes Anti-Malware.

        Just this week I had to clean up a Lenovo consumer laptop that was malware infested and used it. I think the source was Tovi (Trovi?) Toolbar*, but I hadn't seen the news about SuperFish at the time. So I don't know if the bad cert was on it. Unfortunately I already returned it to the owner so I can't check the cert list. I did notify the user when I saw the Reg article about the problematic cert.

        *Nasty little bugger. Kept popping up ads no matter which installed browser I used. Couldn't get to the Malwarebytes site. Downloaded on a different computer, copied to USB, infected PC wouldn't read the drive. Finally burned it to a CD and installed it that way. The scan found 400+ instances of questionable stuff. Deleted it all. System was returned fully patched, Malwarebytes installed, Secunia PSI installed to make sure her other software is updated. And I suggested she stop by at least once a quarter to make sure the patches have been installed. She uses her cell for internet connectivity while I have broadband.

      4. Panum

        Re: Removing it

        I had to take my business laptop to a security expert. He told me it was a rather difficult task to remove all the convoluted crap Lenovo thoughtfully installed on my machine. (He likes this kind of stuff)

        I am fortunate he is a friend and it didn't cost me much. There was re-spawning code hidden in innocuous looking sections of the root directory.

        I will NEVER buy a Lenovo again.

    2. Stoneshop
      Linux

      Re: Removing it

      Standard version of Windows will not work.

      Because it usually lacks specific drivers for the network and video cards used in the machine; I've seen that with just about any Windows version I've had to deal with. Which is solvable without having to buy another version: just add the network driver from a USB stick, tell Windows to update itself and some eleventeen billion reboots later you're left with just a few question marks in the device mangler, the drivers for which you have to scrounge from elsewhere. And anyway, you have a COA already, no need to buy a new install kit.

      Or install Linux. I've had way less hassle there, if at all, over the past ten years or so compared to Windows.

  4. Alan J. Wylie

    SSL Certificate now public

    Robert Graham has gone further and decrypted the private key for the certificate, which is installed as trusted on who-knows-how-many systems.

    http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html

    1. Destroy All Monsters Silver badge

      Re: SSL Certificate now public

      IT IS THE SAME ONE IN ALL CASES??

      1. Daniel B.
        Mushroom

        Re: SSL Certificate now public

        IT IS THE SAME ONE IN ALL CASES??

        It seems to indeed be the case. The password protecting the PKCS8 Private Key package is the name of another product that does MITM stuff "to protect your children", the Private Key is part of the actual .exe and is extracted from the program's memory, it's in PEM format, so I'm pretty sure it is the same one for everyone.

        Hell, you don't even need to extract the key, there's a screenshot showing modulus, publicExponent, privateExponent, prime1 and prime2 out there. The horse has bolted. Someone will get burned.

        Bad Lenovo! Bad Boy!

      2. david 12 Silver badge

        Re: IT IS THE SAME ONE IN ALL CASES??

        Yes, I thought the article was particularly unclear about that. Perhaps instead of writing

        >Obtaining a private key from one Lenovo laptop would

        ...the author could have written...

        "Obtaining the private key from any Lenovo laptop would "

        1. Daniel B.
          Boffin

          Re: IT IS THE SAME ONE IN ALL CASES??

          It's actually an ongoing thing. Like an STD, it's the gift that keeps on giving.

          The news broke early today about the SuperFish thing; then someone ripped up the malware and found that the fake CA was embedded within the installed program; then came the discovery that the password was easily guessable (and related to another product that does a similar thing); then confirmation that all SuperFish installs use the same public/private key combination.

          Someone at Lenovo is definitely having a very bad day.
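An added example, not code from the thread or from the researcher's write-up linked above: Alan J. Wylie's and Daniel B.'s comments describe the certificate and its password-protected private key being found as PEM text inside the program itself. PEM is plain ASCII, so the first step of that kind of analysis is simply carving `-----BEGIN ...-----` blocks out of a binary and checking what each one is. The Python below does that over a constructed blob (placeholder bytes standing in for a certificate and an encrypted key; nothing in it is from Superfish), tells encrypted keys from clear ones, and prints the SHA-1 fingerprint certmgr.msc would show for a certificate.

```python
import base64
import binascii
import hashlib
import re

# A PEM block is plain ASCII, so it survives unchanged inside a binary
# (an installer, an .exe, a process memory dump).  This regex pulls every
# well-formed block out of arbitrary bytes, including the optional
# "Proc-Type:/DEK-Info:" header lines that old-style encrypted keys carry.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    rb"(?P<headers>(?:[A-Za-z-]+:[^\r\n]*\r?\n)*(?:\r?\n)?)"
    rb"(?P<body>(?:[A-Za-z0-9+/=]+\r?\n)+)"
    rb"-----END (?P=label)-----"
)


def carve_pem_blocks(blob):
    """Return a list of dicts {label, encrypted, der} for each PEM block in blob.

    Blocks whose body is not valid base64 are skipped: the markers alone are
    cheap to fake, the decoded DER is what you actually want to examine.
    """
    found = []
    for m in PEM_RE.finditer(blob):
        label = m.group("label").decode("ascii")
        headers = m.group("headers")
        body = re.sub(rb"\s+", b"", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue
        found.append({
            "label": label,
            # PKCS#8 says it in the label; PKCS#1 / "traditional" keys say it
            # in a Proc-Type header instead.
            "encrypted": "ENCRYPTED" in label or b"ENCRYPTED" in headers,
            "der": der,
        })
    return found


def sha1_fingerprint(der):
    """Fingerprint as certmgr.msc and OpenSSL display it: SHA-1 over the DER."""
    return hashlib.sha1(der).hexdigest().upper()


def build_sample_blob():
    """Constructed stand-in for a binary that embeds a root cert and its key.

    None of these bytes are from Superfish: the 'certificate' and the
    'ciphertext' are placeholders chosen only so the carving runs offline.
    """
    cert_der = bytes.fromhex("3006020101020102")   # placeholder DER SEQUENCE
    key_blob = bytes(range(32))                    # placeholder ciphertext
    return (
        b"MZ\x90\x00" + b"\x00" * 12               # PE-style junk
        + b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert_der)
        + b"-----END CERTIFICATE-----\n"
        + b"\xff" * 8
        # A decoy whose body is not valid base64: must be skipped.
        + b"-----BEGIN CERTIFICATE-----\nabc\n-----END CERTIFICATE-----\n"
        + b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(key_blob)
        + b"-----END ENCRYPTED PRIVATE KEY-----\n"
        + b"\x00" * 4
        + b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        + b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
        + base64.encodebytes(key_blob) + b"-----END RSA PRIVATE KEY-----\n"
    )


if __name__ == "__main__":
    for block in carve_pem_blocks(build_sample_blob()):
        print(block["label"],
              "encrypted" if block["encrypted"] else "clear",
              len(block["der"]), "bytes",
              sha1_fingerprint(block["der"]))
```

Against a real target, call `carve_pem_blocks(open(path, "rb").read())` on the installer or on a process dump. A block labelled ENCRYPTED PRIVATE KEY, or carrying a `Proc-Type: 4,ENCRYPTED` header, is the one that still needs a password; a CERTIFICATE block's fingerprint is what you compare against the entries in your own root store.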

  5. jason 7

    They can charge more for the laptops. After all a lot of my customers are happy to pay me £50 to remove the crapware and set the laptop up like a Mac would come out of the box.

    Improves the user experience no end.

  6. thomas k.

    Superfish comes with Lenovo consumer products only

    Because, of course, we wouldn't jeopardize our lucrative SMB and Enterprise business by pulling this shit on them.

    1. Christian Berger

      Re: Superfish comes with Lenovo consumer products only

      And even if it was on their business products, 99% of those get re-installed with Linux anyhow before they see a day of productive use.

    2. Solmyr ibn Wali Barad

      Re: Superfish comes with Lenovo consumer products only

      True that. Business laptops are a different kettle of fish (pardon the pun). It's the consumer that gets shafted at every turn. But therein lies the danger - if such behaviour remains unchallenged, then it's just a matter of time before some bright spark tries similar tricks in the business segment.

    3. Jamie Jones Silver badge

      Re: Superfish comes with Lenovo consumer products only

      "Because, of course, we wouldn't jeopardize our lucrative SMB and Enterprise business by pulling this shit on them."

      Oh, I get it now.

      I originally read "Superfish comes with Lenovo consumer products only" to mean that only Lenovo used their software.

  7. This post has been deleted by its author

  8. Anonymous Coward
    Anonymous Coward

    Having worked at a UK OEM developing preloads, I (and others) campaigned within the company to keep things as vanilla as possible. Our users loved our installs, no adware, no trials.

    We went bust.

    The majority had spoken, they wanted the cheapest junk around, and now they have it. It speaks wonders for the concept of Democracy... those who may know better get to sit and watch the bulk destroy everything. I would chime in something about flies buying iPads and this site ending up being redesigned but that would be a total cheap shot.

    1. Destroy All Monsters Silver badge
      Windows

      Sadly, it has come to the point where no shot is too cheap and no hyperbole is left unrealized anymore.

      "Ah, Mr Creosote. Can I offer you a large, wide-screen image in the middle of your preferred website, sir?"

      1. Anonymous Coward
        Anonymous Coward

        No. Fuck off; I'm full.

        1. Charles 9
          Devil

          Well, screw back. You're getting it whether you like it or not, even if we have to clamp your head to the chair.

  9. Destroy All Monsters Silver badge
    Windows

    Well....

    > Prospecting for a new laptop

    > Dell has only no-longer-composable "take it or leave it and better lube up" crud on display

    > Visit Lenovo's website instead

    > Need to tell NoScript to "enable temporarily" websites I have never heard of

    > Ghostery pops a vein growing a World Trade Center in the corner

    > Nope.jpg

    Still have no new laptop. Am I a failure?

    1. Solmyr ibn Wali Barad

      Re: Well....

      "Still have no new laptop. Am I a failure?"

      Maybe. But you are certainly not alone - my trusty T40 says hello. It has survived quite a lot of newer doodads, so it remains to be seen who has the last laugh on this.

  10. danR2

    Simpler: Don't buy Chinese computers/mobes. Stick with Chinese furniture, etc.

    I make it easi(er) on myself. I don't buy Chinese computer/mobe products. The government there whines about how messed up the place is with rampant, non-state hacking, and if the Red Army or the politburo isn't quietly mandating backdoors in firmware, they will get them in anyway (why should the NSA have all the fun?), and in this case Lenovo is showing pretty clear evidence of security ignorance in getting non-domestic crapware—Israeli in this instance—on your machine in the first place, and dishonesty in lying about how long ago it was getting installed.

    This doesn't guarantee security on a Mac, or even on a Blackphone. It gets me a bit closer.

  11. Proud Father

    "discover products visually"

    Don't you just love PR twonks?

    Reality check : it displays adverts so we can get some money

  12. GregC

    MS removal instructions don't work

    I've got one of the affected laptops - first thing I did with it was remove all the crud, of course, however this article got me double-checking, and while Superfish itself is nowhere to be seen, sure enough the root cert was there.

    The MS instructions don't work on 8.1, at least not on my machine - the Remove option is greyed out. I had to go into certmgr.msc to delete it.

    Needless to say, it will be the last Lenovo machine I ever buy...

    1. Roland6 Silver badge

      Re: MS removal instructions don't work

      > I had to go into certmgr.msc to delete it.

      Yes, and yet another example of the p*ss poor UI work MS have done on both Win7 and Win8!

      Use the 'search' box that the Win8 fans go on and on about and enter the word 'certificate', and guess what, certmgr.msc is nowhere to be seen...
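GregC's and Roland6's comments above make the practical point: uninstalling Superfish leaves the root certificate in the Windows store, and the store is awkward to reach from the UI. The script below is an added example (not the thread's, Lenovo's or Microsoft's code) that audits the system stores Python can enumerate for a root by SHA-1 thumbprint and prints the certutil command that deletes it. The thumbprint constant is the value published for the Superfish root in the public advisories at the time and is an assumption here; compare it against an advisory you trust before deleting anything. The matching itself is a pure function over DER bytes, so it runs anywhere; only the enumeration step needs Windows.

```python
import hashlib
import ssl
import sys

# SHA-1 thumbprint of the "Superfish, Inc." root as given in the public
# advisories at the time.  Taken on trust here (assumption): check it against
# an advisory you trust before deleting anything on a real machine.
SUPERFISH_SHA1 = "C864484869D41D2B0D32319C5A62F9315AAF2CBD"


def sha1_fingerprint(der):
    """Thumbprint exactly as certmgr.msc shows it: SHA-1 over the DER bytes."""
    return hashlib.sha1(der).hexdigest().upper()


def normalise(fp):
    """Accept 'C8:64:...', 'c864...' or 'c8 64 ...' and return bare upper hex."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def find_roots(certs, wanted_fingerprints):
    """certs: iterable of DER-encoded certificates (bytes).

    Returns the fingerprints from wanted_fingerprints that are present in
    certs, in the order found.  Pure function, so it can be exercised with
    constructed input on any platform.
    """
    wanted = {normalise(fp) for fp in wanted_fingerprints}
    return [fp for fp in map(sha1_fingerprint, certs) if fp in wanted]


def windows_store_certs(store_name):
    """DER certs from the named Windows system store ('ROOT', 'CA' or 'MY').

    ssl.enum_certificates is implemented on Windows only.  It yields
    (der_bytes, encoding, trust) tuples; only the x509_asn entries are
    certificates (the rest are PKCS#7 blobs).
    """
    return [der for der, enc, _trust in ssl.enum_certificates(store_name)
            if enc == "x509_asn"]


def audit(fingerprints=(SUPERFISH_SHA1,)):
    """Report every matching root and print the removal command for it."""
    if sys.platform != "win32":
        print("certificate store audit only runs on Windows")
        return []
    hits = []
    for store in ("ROOT", "CA"):
        for fp in find_roots(windows_store_certs(store), fingerprints):
            hits.append((store, fp))
            # certutil accepts the SHA-1 thumbprint as the certificate id.
            target = "Root" if store == "ROOT" else "CA"
            print(f"{store}: found {fp}; remove with: certutil -delstore {target} {fp}")
    if not hits:
        print("no matching certificates in ROOT or CA")
    return hits


if __name__ == "__main__":
    audit()
```

Run it from an elevated prompt so that the printed certutil command can delete from the machine-wide Root store. The equivalent PowerShell check is `Get-ChildItem Cert:\ -Recurse | Where-Object Thumbprint -eq C864484869D41D2B0D32319C5A62F9315AAF2CBD`. Firefox keeps its own certificate store, so a clean Windows store does not mean Firefox is clean; check its certificate manager separately.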
