Lenovo In Denial: Insists There's No Security Problem With Superfish -- Which Is Very, Very Wrong.

from the so-long-and-thanks-for-all-the-superfish dept

Late last night, people started buzzing on Twitter about the fact that Lenovo, makers of the famous Thinkpad laptops, had been installing a really nasty form of adware on those machines called Superfish. Many news stories started popping up about this, again, focusing on the adware. But putting adware on a computer, while ethically questionable and a general pain in the ass, is not the real problem here. The problem is that the adware in question, Superfish, has an astoundingly stupid way of working that effectively allows for a very easy man in the middle attack on any computer with the software installed, making it a massive security hole that is insanely dangerous.

Lenovo's response? Basically to shrug its shoulders and say it doesn't understand why anyone's that upset. This is because whoever wrote Lenovo's statement on this is completely clueless about computer security.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

Bullshit. That's really the only response that should be said to that line. Lenovo focuses on the reasons why many people normally hate adware: that it tracks what you're doing and sends info back to third parties. That's not what Superfish does, so Lenovo doesn't see what the big deal is. Superfish, which was just recently ranked 64th by Forbes in its list of "Most Promising American Companies," tries to watch what you're surfing, and when you see certain images, the service injects other offerings for similar (or the same) products. In theory, if one chose to use such a product, you could see why it could be useful. But automatically putting it on computers is a different thing altogether.

The real problem is in how Superfish deals with HTTPS-protected sites. Since, in theory, it shouldn't be able to see the images on those sites, it appears that Superfish came up with what it must have believed was a clever workaround: it installs its own self-signed root certificate and uses it to vouch for every HTTPS page you visit, so your browser treats each one as perfectly legitimate. For many years, we've pointed out why the HTTPS system with certificate authorities is open to a giant man in the middle attack via any certificate authority willing to grant a fake certificate -- and here we basically have Lenovo enabling this questionable company to go hogwild with this exact kind of MITM attack. Basically, EVERY SINGLE HTTPS SITE that you visit was a victim of this kind of MITM attack -- solely for the purpose of interjecting Superfish ads. In fact, some have suggested it could apply to VPNs as well. Basically this is a massively dangerous security hole with wide-ranging implications. And Lenovo says they don't see why.

And, even beyond that, it's implemented incredibly stupidly -- in a way that is ridiculously dangerous. That's because it appears that the private key used for the Superfish certificate is the same on basically every install of this software. And it didn't take very long at all for security folks, such as Robert Graham, to crack the password protecting that key, meaning that it's now incredibly easy to get access to information someone thinks is encrypted. As Graham notes, the password is "komodia" which just so happens to also be the name of a company that "redirects" HTTPS traffic (for spying on kids and such).

This is a massive and ridiculous security threat, and Lenovo is completely brushing it off as nothing big. As many have noted, people have been complaining about the adware components of the software for months now, and Lenovo announced that it was stopping installs, because some people didn't like the way the software created popups and such -- but with no mention of the massive security problems. And, even now, the company doesn't seem willing to admit to them.

Furthermore, the company doesn't even seem willing to say what machines it installed them on, or provide people with instructions on how to protect themselves (simply uninstalling Superfish won't do it). This is a huge mess. I've personally been a very loyal Lenovo Thinkpad customer for years, having bought many, many laptops. In fact, just a couple months ago -- right in the middle of the period of when Superfish was being preloaded -- I bought a new Thinkpad laptop, though it appears that mine is not one that includes Superfish. Still, Lenovo created a huge and dangerous mess, and they don't seem to recognize it at all. This kind of fuck up is much worse than the whole Sony rootkit thing from a decade or so ago, and as with Sony then, Lenovo doesn't seem to have the slightest clue of just how badly it has put people at risk.

It doesn't take much to kill off tremendous goodwill and trust, and Lenovo may have just done so with its pitiful reaction here. It's one thing for Lenovo to have made the stupid decision to install this kind of adware/bloatware. It's a second thing to not realize the security implications of it. However, it's another thing entirely, once it's been pointed out to Lenovo, to then deny that this is a security risk. Lenovo screwed up big time here, and mostly in the way it's responded to the mess it created.
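To make the mechanism described above concrete, here is an added Go example. It is not code from the original post, from Lenovo, Superfish or Robert Graham, and it uses freshly generated keys rather than the real Superfish key. It builds a constructed self-signed root carrying the subject name the comments below report for the Superfish certificate ("Superfish, Inc."), uses that root's private key to issue a certificate for a made-up host (`bank.example`), and shows the two outcomes that matter: a trust store holding the injected root accepts the certificate, while a store that only holds a legitimate root ("Example Legit Root CA", also constructed) rejects it. It also includes `FlagRoots`, a small scanner that reads a PEM export of a trust store and flags CA certificates whose subject matches a denylist, the scripted counterpart to looking for a Superfish entry in the trusted-root store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// BadIssuer is the subject the comments report for the Superfish root ("issued to
// Superfish, Inc. by Superfish, Inc."). All keys here are fresh: a constructed stand-in.
const BadIssuer = "Superfish, Inc."

// newTemplate describes a CA (isCA) or a server certificate for name.
func newTemplate(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.Subject.Organization = []string{name}
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl with a fresh key, signed by parentKey (self-signed when parent is
// nil). Anyone holding a CA's key can do this for any host: that is the whole danger.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// FlagRoots parses a PEM bundle (a trust-store export) and returns the common names of
// CA certificates whose CN or Organization contains a denylist entry.
func FlagRoots(bundle []byte, deny []string) []string {
	var hits []string
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if b.Type != "CERTIFICATE" || err != nil || !c.IsCA {
			continue
		}
		// Joined by hand: Subject.String() would escape the comma in "Superfish, Inc.".
		name := c.Subject.CommonName + " " + strings.Join(c.Subject.Organization, " ")
		for _, d := range deny {
			if strings.Contains(name, d) {
				hits = append(hits, c.Subject.CommonName)
				break
			}
		}
	}
	return hits
}

// RunScenario builds the bad root and a legitimate one, issues a leaf for host from the
// bad root, and reports: accepted with the bad root trusted, accepted by a clean store,
// and what FlagRoots finds in a PEM export of the bad store.
func RunScenario(host string) (withBad, clean bool, flagged []string, err error) {
	bad, badKey, err1 := sign(newTemplate(BadIssuer, 1, true), nil, nil)
	good, _, err2 := sign(newTemplate("Example Legit Root CA", 2, true), nil, nil) // constructed
	leaf, _, err3 := sign(newTemplate(host, 3, false), bad, badKey)
	if err = errors.Join(err1, err2, err3); err != nil {
		return
	}
	export := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: good.Raw}) // CA bundle
	export = append(export, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: bad.Raw})...)
	infected, pristine := x509.NewCertPool(), x509.NewCertPool()
	infected.AppendCertsFromPEM(export) // what a laptop with the extra root trusts
	pristine.AddCert(good)              // a machine that never had it
	_, errBad := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: infected})
	_, errClean := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pristine})
	return errBad == nil, errClean == nil, FlagRoots(export, []string{"Superfish"}), nil
}

func main() {
	withBad, clean, flagged, err := RunScenario("bank.example") // constructed host name
	fmt.Println(withBad, clean, flagged, err)                    // true false [Superfish, Inc.] <nil>
}
```

Run it with `go run`; it prints `true false [Superfish, Inc.] <nil>`. For a real check, export a machine's trusted roots as a PEM bundle and hand it to `FlagRoots`. Removing a flagged root from the store is only one half of the clean-up: the post notes that simply uninstalling Superfish does not remove the certificate, and comment 34 below notes the converse, that removing only the certificate leaves the interception service running.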

Filed Under: adware, certificate authority, concerns, https, man in the middle, privacy, security, superfish, tls
Companies: komodia, lenovo, superfish


Reader Comments

  1. John Fenderson (profile), 19 Feb 2015 @ 10:28am

    It did for me

    It doesn't take much to kill off tremendous goodwill and trust, and Lenovo may have just done so with its pitiful reaction here.


    Including Superfish and the bogus certificate was a terrible thing to do in the first place, but what convinced me to never buy another Lenovo machine in the future was this exact response by them. It indicates either an insane level of incompetence or a deliberate effort to deceive everyone. Either way, that's enough to put them on my "never do business with" list.

  2. WhoKnows, 19 Feb 2015 @ 10:30am

    Lenovo - Motorola

    Are Lenovo (and now Motorola) tablets and smartphones free of this crap?

  3. Anonymous Coward, 19 Feb 2015 @ 10:31am

    I hope that Techdirt does not let this story die. Lenovo needs to have its feet held to the fire.

  4. Anonymous Coward, 19 Feb 2015 @ 10:32am

    Links to other coverage of Superfish

    EFF: Lenovo is breaking HTTPS security on its recent laptops (by way of Linux Weekly News)

    Superfish key (thanks to EFF for the link).

    Test site to check if a system accepts the Superfish super-CA (also thanks to EFF/LWN for the link).

  5. Anonymous Coward, 19 Feb 2015 @ 10:33am

    Maybe their security staff (think plants working for others) told them it was a harmless thing to do. Never ascribe to incompetence what may be a deliberate act. Gone to buy more tin foil.

  6. Derrick Johnson, 19 Feb 2015 @ 10:34am

    Never Lenovo or Thinkpad

    Honestly, I've never been a fan of Lenovo or Thinkpad and this just reconfirms my decisions in the first place. This is absolutely ridiculous for any company to not realize exactly what they are doing to a customer's computer. They are either ignorant, incompetent or just liars. Either way, stay away.

  7. Mason Wheeler (profile), 19 Feb 2015 @ 10:35am

    So when the government warns us that Chinese hardware manufacturers are selling stuff that will make us vulnerable to being spied on, we shouldn't listen. But when Ars Technica and Robert Graham pass along such a warning, then it's finally time to listen? ;)

  8. PRMan, 19 Feb 2015 @ 10:39am

    Re: It did for me

    I'll start them off with a 1-year ban. If I need a laptop this year, it definitely won't be a Lenovo.

  9. Anonymous Coward, 19 Feb 2015 @ 10:42am

    Hmm. I think you named the software wrong. Shouldn't it be Superphish?

  10. Anonymous Coward, 19 Feb 2015 @ 10:43am

    Settle down, Chinese government just wanted to map out a few networks, that's all. It was either add it or watch 3 generations of your family go to "work farms".

  11. Anonymous Coward, 19 Feb 2015 @ 10:44am

    Re:

    The problem is more likely that the security people answer to the marketing department. When a tech company puts its financial and legal staff in charge of its engineers, it's time to say goodbye.

  12. Anonymous Coward, 19 Feb 2015 @ 10:45am

    Re: Re: It did for me

    Only a one-year ban? I've not bought a single Sony product of any kind since the Rootkit Scandal a decade ago.

  13. Josh in CharlotteNC (profile), 19 Feb 2015 @ 10:48am

    Re:

    When Ars and Robert Graham provide the documented evidence and the government doesn't... yes.

  14. Josh in CharlotteNC (profile), 19 Feb 2015 @ 10:50am

    Re:

    I think it more likely that their security staff are actually plants. The potted kind that need daily watering.

  15. Anonymous Coward, 19 Feb 2015 @ 10:58am

    Still shocked by the password. Not even a 123 or -123... nothing. How can you ship a product that uses a lowercase only pass for something the consumer isn't supposed to touch?

  16. David, 19 Feb 2015 @ 10:58am

    So, every Lenovo laptop is easily attacked using MITM attacks using the Superfish CA? Which is now widely available? And Sony doesn't see a problem? Am I really reading this right?

  17. Anonymous Coward, 19 Feb 2015 @ 10:59am

    Re:

    Did the government specifically warn us about this vulnerability? No. How about the 14 year pwn of HDDs? No. Recent and ongoing revelations teach us that the government is far more interested in hacking our systems than it is in warning us. The government is the last place I expect honest, realtime information to come from.

  18. Gumnos (profile), 19 Feb 2015 @ 11:00am

    Lenovo preloaded software

    Not too concerned, having installed Linux/BSD on my Lenovo laptops. The hardware used to be good, but one had a keyboard die within the first year, and the other has flaky USB & camera issues. Sigh. Not doing Lenovo again for multiple reasons. Please don't make me go back to Dell.

  19. Anonymous Coward, 19 Feb 2015 @ 11:03am

    Re:

    One word: credibility

    When the gov says it then you never know if they just try to blame someone else for something they implanted in the first place. If tech sites post something then well... they aren't spying themselves so it is possibly true and I believe them.

    btw. Techsite owners: if the NSA visits you the next days and tries to make you post stuff because people believe you more than them... you're welcome!

  20. Anonymous Coward, 19 Feb 2015 @ 11:06am

    Re:

    "And LENOVO doesn't see a problem? Am I really reading this right?"
    FTFY and now yes you do.

  21. Anonymous Coward, 19 Feb 2015 @ 11:08am

    Re:

    "So, every Lenovo laptop is easily attacked using MITM attacks using the Superfish CA? "

    I believe only some models, not all.

  22. rusho, 19 Feb 2015 @ 11:12am

    Culture

    It probably has to do with the culture they are living in in that country.

  23. Geno0wl (profile), 19 Feb 2015 @ 11:12am

    Why do people think this is a big deal.

    Wait, people's first step in any pre-built machine ISN'T to instantly wipe and build the install themselves to get rid of all the BS on the image?
    I mean that is what I have been doing for years.

  24. Anonymous Coward, 19 Feb 2015 @ 11:18am

    Re: Why do people think this is a big deal.

    You're the 1%. You might have avoided this yourself, but think of all the non-technical (or even technical-but-with-little-free-time) people around you. Your family. Your friends. The employees of businesses you frequent.

    Even if you can smugly say you aren't directly affected, this is a concerning vulnerability.

    (I mean, I'm a smug Linux user, all my machines run Linux, but a Windows-specific vulnerability like this one still concerns me.)

  25. Rich Kulawiec, 19 Feb 2015 @ 11:18am

    Isn't it time to cue the prosecutors?

    I mean, if they're not too busy harassing journalists and activists and bullying hackers and researchers, maybe, just this once, they could find the time to go after a corporation that deliberately broke the security of tens of thousands of people (and quite possibly many more: that figure is based on the EFF's report about what their SSL observatory has seen).

    This is a systematic, malicious, intentional large-scale attack, with serious adverse consequences for those affected...unlike, let's say, mass downloading of academic journal articles. So where are those who like to wield the CFAA like a club? When can we expect to see Lenovo executives being dragged out of their offices? How about the indictments, where are those? And can we expect aggressive prosecution with the threat of long prison sentences?

  26. The Baker, 19 Feb 2015 @ 11:21am

    Re: It did for me

    Me too.
    I was just about to pull the trigger on a X1 Carbon.
    Not now .... OK, back to days of researching the next alternative.

  27. Anonymous Coward, 19 Feb 2015 @ 11:22am

    Re:

    If I am not mistaken the government warning was general for all Chinese products without providing evidence (except indicating routers). Those kinds of non-specific warnings are overbroad and bordering on nationalistic state propaganda since it will hurt innocent companies from the country!

    The more specific warning seems to be relatively well investigated and documented from fall 2014 to now.

    The problem for Lenovo is their insistence that the program people have documented as a potential backdoor should not be seen as any "security concern". For people who know a bit about computers that is scary ignorance or malicious intent, since history has taught us that a potential vulnerability has to be assumed a potential future exploit if you have any respect for your customers.

  28. Rich, 19 Feb 2015 @ 11:22am

    Re: Re: Re: It did for me

    Me neither.

  29. Jon Renaut (profile), 19 Feb 2015 @ 11:26am

    Hooray Websense for a change

    I tried to check out Superfish's home page to see if they'd made a statement and Websense blocked it as "Potentially Unwanted Software".

  30. Anonymous Coward, 19 Feb 2015 @ 11:26am

    Re: Why do people think this is a big deal.

    Main problem is most of these were Christmas season laptops. When your mom buys her partner a laptop for Christmas, when a parent buys their child a laptop for school, how many of those random customers will think "I need to image this laptop before I use it?"

    How many of the thousands (millions?) of non-technical end users only see a new computer to do research/email/school/etc. and just care that it "just works?"

    Those are the people who will be served websites that "require an update" and download a file "signed" by Microsoft.

    So what if YOU nuke and pave once a month and wipe every new machine. Does your mom do that? Your siblings? Even your coworkers who should know better?

  31. Ven, 19 Feb 2015 @ 11:27am

    Re:

    With a name like that it almost feels like they were trying to tell us they were up to no good and daring some one to call them on it.

    It reminds me of the Reacher Gilt character from the Discworld novel "Going Postal", who had the appearance of a pirate as he used business deals to steal as much money as he could.

  32. Mike Masnick (profile), 19 Feb 2015 @ 11:30am

    Re: Re:

    I believe only some models, not all.


    Yes, only a subset of "consumer" models. My T-series isn't effected, since that's a "business" model, apparently.

  33. Anonymous Coward, 19 Feb 2015 @ 11:33am

    Re: Isn't it time to cue the prosecutors?

    Did you forget the golden rule?
    Those with the gold make the rules

    Lenovo has too much money to be punished over this.

  34. Joel Coehoorn, 19 Feb 2015 @ 11:39am

    Some Credit

    You have to give them some credit: they stopped adding this stuff in January, well before the story broke.

    That said, there's still a lot of product out on store shelves that will take the better part of a year to clear out. Lenovo ought to recall this merchandise and re-image the machines. They could even resell them as refurbished (I for one would look forward to a glut of near-perfect refurbished laptops hitting the market).

    There's also the issue of what to do for customers who already purchased these machines. There is, at this point, no evidence of active abuse for this vulnerability. A simple patch that merely removes the entry from the trusted certificates store would be adequate to protect consumers. However, that would leave many of them feeling that their machines are broken (their browser would show every https site they visit as fake), and so completely removing the service will be necessary. This is a harder patch, but just making the patch available and notifying customers would be adequate. At least, it's the bare minimum.

    Unfortunately, Lenovo has not yet taken either of these steps. Instead, they published a response that demonstrates a complete lack of understanding of the issue.

  35. Ven, 19 Feb 2015 @ 11:41am

    Re: Re: Why do people think this is a big deal.

    This isn't a Windows-specific vulnerability.

    While it would be a more difficult task, this could be done on Linux if you buy a pre-built computer with a distro already installed. It just needs to come with a repository URL pointing to the manufacturer and, for example, have openssl-superfish and gnutls-superfish patched libraries installed instead of the upstream libraries.

    There is an inherent trust relationship when using a pre-imaged machine, and Lenovo has violated that trust.

  36. Joel Coehoorn, 19 Feb 2015 @ 11:42am

    Re: Re: Re:

    FWIW, it's not that they don't want to "sell" this stuff to business customers. It's that the scammy software distributors don't want to pay for it on the business lines, because so many business customers replace the stock image with their own.

  37. Anonymous Coward, 19 Feb 2015 @ 11:56am

    They have stated which hardware has Superfish
    http://news.lenovo.com/article_display.cfm?article_id=1929

  38. Anonymous Coward, 19 Feb 2015 @ 11:58am

    Re: Re: Why do people think this is a big deal.

    Because pre-built computers started coming with so much factory-installed crapware on them, the easiest way to avoid all that was to partition the drive and install a clean bootleg copy of Windows, which you basically paid for anyway (as the installed OEM copy which you won't be getting a refund on if you prefer to use Linux)

    That's assuming that it's still easy to install and run non-authorized Windows OS's (though probably not as easy as the time when half the computers in the world were using the same "FCKGW-" XP key).

  39. Rich Kulawiec, 19 Feb 2015 @ 12:03pm

    Re: Some Credit

    "There is, at this point, no evidence of active abuse for this vulnerability."

    Which means nothing.

    Think about it for a minute: what, exactly, would that evidence look like? And how would one make a definitive connection from it to Superfish?

    That circumstance isn't an accident. It's called "plausible deniability" and it will enable Lenovo, during the inevitable class-action lawsuit, to claim that observed symptoms X and Y and Z were not caused or enabled by Superfish, but by some other security issue on the affected systems.

  40. BentFranklin (profile), 19 Feb 2015 @ 12:04pm

    Can we hit Superfish with CFAA violations?

  41. Anonymous Coward, 19 Feb 2015 @ 12:05pm

    Re: Isn't it time to cue the prosecutors?

    The government probably doesn't want to admit they've known about this and been using it all along.

  42. Anonymous Coward, 19 Feb 2015 @ 12:43pm

    Mint my own certs

    So...if I can get my black hat hands on that cert, I can mint my own valid certificates? Cool!

  43. Anonymous Coward, 19 Feb 2015 @ 12:55pm

    Re: Re: Re:

    "affected", not effected, and I hope you mean because you wiped the included image. Yes, this is a security problem, but running the included software is a security problem in and of itself (even the firmware, these days, but the difficulty of replacing it gives you an excuse not to do it; there's no good reason not to blow away the vendor OS image though).

  44. jackn, 19 Feb 2015 @ 1:02pm

    Re: Re: Some Credit

    "There is, at this point, no evidence of active abuse for this vulnerability."

    Yes, there is. They impersonated 1000's of websites. That is called abuse.

  45. Steve, 19 Feb 2015 @ 1:06pm

    Consumer line only?

    We pretty much use Lenovo products exclus­ively in my company, but since we load a custom image on them I don't know if any of ours originally shipped with this software. I do know though that their consumer models tend to come with lots of 'free software' that isn't included (or wanted) on their business models.

    From the descriptions I've read, this sounds like the kind of product that I might expect to find installed on Lenovo's consumer line products. Does anyone know if this was occurring in "Think" branded products, or only in "idea" branded products?

  46. Anonymous Coward, 19 Feb 2015 @ 1:09pm

    Re: Mint my own certs

    Yes, you can mint your own certificates, but the only people who will see them as valid certificates will be those who have Superfish's root certificate as a Trusted Root certificate.

    So, basically, yes, it'll work, but your certificates will only be recognized by those who have chosen to install Superfish, and those who have the affected Lenovo laptops.

  47. Anonymous Coward, 19 Feb 2015 @ 1:09pm

    No credit

    A simple patch that merely removes the entry from the trusted certificates store would be adequate to protect consumers. However, that would leave many of them feeling that their machines are broken (their browser would show every https site they visit as fake), and so completely removing the service will be necessary. This is a harder patch, but just making the patch available and notifying customers would be adequate.
    I would classify such a patch as a necessary, but insufficient, step. As I understand it, there is currently no mechanism to ensure that users discover the existence of the flaw, that they understand the severity of the flaw, or that they understand the need to install the fix proposed here. The extensive news coverage will probably help the first problem. Lenovo's deceptive pseudo-disclosure will hurt with the second problem.

    Although not exactly appropriate, a product recall notice occurs to me as one way to notify consumers. Not everyone is guaranteed to read that either, but at least users who worry about physical defects in their purchases will be periodically reading recall announcements. It will help that some vendors have shipped laptops that later were recalled as fire hazards, so monitoring recall notices on one's laptop has practical value.

  48. Anonymous Coward, 19 Feb 2015 @ 1:12pm

    They are about to have a realllllly shitty day tomorrow morning:

    http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html

  49. Anonymous Coward, 19 Feb 2015 @ 1:16pm

    Tinfoil hat time

    So... How long has the NSA known about this adware and been using it as cover for their own access to the machine? Have Lenovo deploy it widely enough to disguise any targeting metrics, use the superfish update mechanism as their C&C mode, and unless someone actually catches an example where they've tailored the superfish system, nobody is the wiser.

    Add tailored access (QUANTUMINSERT) and even superfish need not know that their attackware has been compromised.

  50. John Fenderson (profile), 19 Feb 2015 @ 1:26pm

    Re:

    Ars Technica and Robert Graham presented actual evidence. The government never has.

  51. Anonymous Coward, 19 Feb 2015 @ 3:35pm

    Re: Consumer line only?

    -Run certmgr.msc
    -Go to Trusted Root Certificate Authorities\Certificates
    -Look for a certificate issued to Superfish, Inc. by Superfish, Inc.

    Alternatively, use Superfish CA test

  52. John Fenderson (profile), 19 Feb 2015 @ 3:46pm

    Re: Consumer line only?

    According to Lenovo:


    Superfish may have appeared on these models:
    G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
    U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
    Y Series: Y430P, Y40-70, Y50-70
    Z Series: Z40-75, Z50-75, Z40-70, Z50-70
    S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
    Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
    MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
    YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
    E Series: E10-30


    That "may have" bugs me, since it implies that the list is not complete.

  53. Mr Big Content, 19 Feb 2015 @ 4:09pm

    What Is This "Bad Guys Can Use It Too" Bullshit?

    If we banned everything just because bad guys can take advantage of it too, we'd never have guns.

  54. That Anonymous Coward (profile), 19 Feb 2015 @ 4:51pm

    Re:

    why? It's not like they downloaded from Pacer or JStor.

  55. That Anonymous Coward (profile), 19 Feb 2015 @ 4:53pm

    So they start the day with a press release saying it was no big deal, it was just to benefit consumers....
    Now it is a severe security warning on their website.

  56. Cynyr (profile), 19 Feb 2015 @ 6:14pm

    Re: Re: Re: Why do people think this is a big deal.

    Just grab a legit ISO from here http://www.mydigitallife.info/official-windows-7-sp1-iso-from-digital-river/ use your favorite software to get your windows key, and then roll your own ISO with the new key, and any drivers you might need using these instructions: http://dellwindowsreinstallationguide.com/download-microsoft-windows-and-office/download-microsoft-windows/download-windows-8-1-retail-and-oem-iso/download-windows-8-1-iso/creating-a-bootable-iso-with-an-ei-cfg-and-pid-txt-file/

    As long as you have a valid key, and know which product it is for it's very simple. Just test it in vbox before doing it on real hardware.

  57. Eldakka (profile), 19 Feb 2015 @ 7:28pm

    Re: Re:

    How about the 14 year pwn of HDDs?

    To what are you referring? Sounds interesting...

  58. Anonymous Coward, 19 Feb 2015 @ 7:48pm

    Mike, Mike, Mike....
    Why do you so hate capitalism? Lenovo was just trying to maximize profits, as any good capitalist should. Sure, they may have made a mistake, but their heart was in the right place.

  59. That One Guy (profile), 19 Feb 2015 @ 7:49pm

    Re: Isn't it time to cue the prosecutors?

    The government doesn't go after targets that might fight back, so I'm sure they'll ignore this one in favor of going after some 'malicious hacker' who'll be an easy win for them.

  60. Anonymous Coward, 20 Feb 2015 @ 12:47am

    My mother's laptop got infected with Superfish a while ago. I ended up having to wipe the laptop, and it had still infected her Microsoft profile's Internet Explorer settings, meaning it came back after she signed back into her fresh install, so I scrubbed that profile clean of it and reformatted again immediately, just to be sure.

    I'm certainly never going to buy a Lenovo computer ever again now that I've seen this story. I've got a Lenovo Android device, which has been fine up until now but honestly I don't think I want it any more, given the power manufacturers have over what gets installed remotely onto "their" hardware...

    I'm absolutely disgusted.

  61. bugmenot (profile), 20 Feb 2015 @ 2:09am

    At no point was Superfish installed on *any* Thinkpad laptops. This affects *only* the low end consumer Ideapad division. Lenovo has stated this also. See this article: http://thenextweb.com/insider/2015/02/19/lenovo-posts-superfish-removal-instructions-fails-acknowledge-severity-problem/

    Article above should be amended to correct this. What they've done is indefensible, but get the facts right.


  62. Anonymous Coward, 20 Feb 2015 @ 5:41am

    Re: Re: Re:

    Go to "The Intercept" for the full story.


  63. John Fenderson (profile), 20 Feb 2015 @ 8:07am

    Re: What Is This "Bad Guys Can Use It Too" Bullshit?

    Or anything at all.


  64. Ven, 20 Feb 2015 @ 8:43am

    Re: Tinfoil hat time

    Who's to say that Superfish isn't an NSA or CIA front?

    /tinfoilhat


  65. John Fenderson (profile), 20 Feb 2015 @ 10:15am

    Re: Re: Tinfoil hat time

    Superfish founder & CEO, Adi Pinhas, has a long history in the field of surveillance technology. He is also pretty famous for the fact that every project he has been involved with has been malware and spyware. He's been a fairly reviled figure for over ten years.

    So, while speculation about Superfish being an intel front isn't ridiculous, it's also not necessary. I don't think that the company would do anything differently at all if they are or are not, and the intel agencies would derive just as much of a benefit either way.


  66. RandallX, 20 Feb 2015 @ 11:13am

    Hang 'em High!

    This kind of crap will continue and get even worse. The bad guys know that NO ONE is doing anything about it. All they have to do is say, "Sorry" and all is forgiven. Bullshit! We need to start seeing CEOs going to prison. This is a violation on an epic scale and the consequences should fit the crime. Not only should the CEO of Lenovo go to prison, but so should the people that made the software in the first place. If we start throwing these despicable people in prison others might start to think that this kind of tactic isn't all that great of an idea after all. But if we let it go, then every other prick in the world will be lining up to screw the public as well. As a citizen of this country, I demand that we see these bastards in prison! And you should too!


  67. GEMont (profile), 22 Feb 2015 @ 4:13pm

    Re: Hang 'em High!

    We are very sorry, but the re-think version of the US Constitution - made possible by the wonderful 9/11 Crisis (tm) - states plainly that nobody among the 1% can be held responsible for their crimes against the 99%, as this is simply business and thus perfectly legal.

    If you want justice, you have to join the 1% of the US population, by whatever means - fair or foul - or suffer the consequences of the laws, according to the new Corporate Constitution of the United States of America.

    ---


  68. Anonymous Coward, 23 Nov 2015 @ 2:29pm

    Might wanna re-check those Lenovo machines, as recent updates have pushed out MORE hidden self-signed root certificates.

    Lenovo (internally) decided to wait a few months for 'the stupids [quote]' to focus on something else and then re-introduced superfish but now with chameleon name-randomizing capability.

    Of course it's 100% coincidental that 'someone' within 12 hours of the update going live started siphoning data to Chinese government-owned servers....

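A check a practitioner would want after reading the comment above, added here as an example that is not part of the original post, the thread, or any Lenovo or Superfish code: a PowerShell snippet that walks the Windows Root certificate stores and flags roots that deserve a closer look. The "Superfish" subject match (assumption: the shipped root used "Superfish, Inc." as its subject) and the empty baseline list that you fill with thumbprints from a known-clean machine are assumptions of this example, not facts taken from the page.

```powershell
# Added example, not code from the original post or from Lenovo/Superfish.
# Lists root CA certificates in the current-user and local-machine Root stores
# and flags the ones to look at first after an incident like Superfish:
#   - a root whose private key is present on this box (an on-host MITM proxy
#     needs that key to mint leaf certificates on the fly)
#   - a root whose subject mentions Superfish (assumption: the shipped root
#     used "Superfish, Inc." as its subject name)
#   - a root not in a baseline of thumbprints taken from a known-clean machine
#     (assumption: you fill $Baseline in; leave it empty to skip that check)

$Baseline = @()   # e.g. (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint captured on a clean install
$Stores   = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | ForEach-Object {
        $Why = @()
        if ($_.HasPrivateKey)              { $Why += 'private key present' }
        if ($_.Subject -match 'Superfish') { $Why += 'Superfish subject' }
        if ($Baseline.Count -gt 0 -and $Baseline -notcontains $_.Thumbprint) {
            $Why += 'not in baseline'
        }
        if ($Why.Count -gt 0) {
            [pscustomobject]@{
                Store      = $Store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                Why        = ($Why -join ', ')
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    'No suspicious root certificates found.'
}
```

Two caveats. The private-key check only catches a root whose key was imported into the Windows store; Superfish carried its signing key inside its own proxy binary rather than in the store, so the name and baseline checks are what actually catch that case, and a baseline from a clean machine of the same Windows build is the only check that finds a root under an arbitrary name. Once you have a thumbprint you want gone, `Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"` from an elevated prompt removes it; uninstalling the adware alone is not enough, because the root certificate stays trusted until it is deleted from the store.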

  69. shortkeys, 20 Sep 2018 @ 3:24am

    Nice

    Good post

