Lenovo CTO Claims Concerns Over Superfish Are Simply 'Theoretical'

Failures

from the find-a-new-cto dept

Fri, Feb 20th 2015 10:32am — Mike Masnick

Lenovo keeps making things worse. First it installed crappy Superfish malware/adware on a bunch of its computers. That was bad enough. But the real problem was that in a clever little "hack" to get around the fact that the adware wouldn't work on HTTPS enabled pages, Superfish installed its own self-signed root certificate to basically create a massively dangerous man-in-the-middle attack to snoop on what you were doing on those HTTPS pages. Oh, and to make it even worse, the company made sure that everyone who had this Superfish self-signed root certificate had the exact same certificate with an easily cracked password, so that a massive and easily exploited vulnerability is in place in tons of machines out there. And Lenovo's first response was to insist there was no evidence of any security concerns. It later, quietly, deleted that statement, but still seems to be unwilling to admit what an incredibly dangerous situation it has created.

In fact, the company is still in denial mode. Lenovo's CTO, Peter Hortensius, was interviewed by the WSJ, and he insisted that any threats were "theoretical."

WSJ: There seems to be a disparity between what security researchers are saying about the potential dangers of this Superfish software, and what the company has said about this app not presenting a security risk.

Hortensius: We’re not trying to get into an argument with the security guys. They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.

Fire your CTO, Lenovo. Fire your marketing people. Fire your security team. This is a disaster. In our first post, we compared it to the Sony rootkit fiasco from a decade ago, while noting the security risk here is much, much greater. And, so far, Lenovo appears to be playing straight from the Sony rootkit response playbook. If you don't recall, after security folks pointed out what a security disaster the rootkit was, Sony's response was to dismiss the concerns as... theoretical:

"Most people, I think, don't even know what a rootkit is, so why should they care about it?"

In both cases, these technologies opened up giant, massive vulnerabilities on people's computers. In both cases, they were easily exploitable (in the Lenovo case, much, much, much more easily exploitable in a much, much, much more nefarious way). And, in both cases, senior execs from the company tried to handwave it away because they don't know if anyone abused these problems. This ignores that (1) it's quite possible people have been abusing these vulnerabilities for months and it's just not public yet, and (2) more importantly, it doesn't fucking matter because the vulnerability is still there and easily exploitable by lots and lots of people now because it's widely known.

Handwaving this off as a "theoretical" concern is not just missing the point -- it suggests a fundamental lack of understanding about rather basic security practices. As I mentioned earlier, I've been a very loyal Thinkpad buyer for years (though, thankfully, the machine I bought a couple months ago wasn't one infected this way). Every time I've dabbled with other laptops I've regretted it. But Lenovo's response to this is very quickly convincing me that the company should never get any more money from me. It's not just the initial screwup in preinstalling such a security mess, but the completely ridiculous response to it that suggests a company that still doesn't recognize what it has done.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: certificate, danger, peter hortensius, security, self-signing, superfish
Companies: komodia, lenovo, superfish

39 Comments

If you liked this post, you may also be interested in...

Reader Comments

The First Word

“

Lenovo just insured I will never buy a product from them.

Ever.

I certainly hope this denial was worth it.

—Violynne

”

Subscribe: RSS

View by: Time | Thread

Ninja (profile), 20 Feb 2015 @ 9:57am

But Lenovo's response to this is very quickly convincing me that the company should never get any more money from me.

If everybody voted with their wallets and caused a lot of financial damage to the companies that act like this (see Sony, EA etc) they'd be at least more transparent and swift in their responses, or even avoid stupidity altogether. But instead people simply keep buying out of ignorance or masochism...
[ link to this | view in chronology ]
- Anonymous Coward, 20 Feb 2015 @ 10:36am
  
  Re:
  The problem is that they are all so bad, consumers have to just buy into the lesser evil.
  [ link to this | view in chronology ]
  - PRMan, 20 Feb 2015 @ 2:22pm
    
    Re: Re:
    Citibank bought my parents' mortgage with 5 months left on it and then tried to hide so they would default on it after 30 years of perfect payments.
    
    Where does my dad bank now? You guessed it.
    
    They tried to STEAL HIS HOUSE! And he still does business with them.
    [ link to this | view in chronology ]
    - jim, 21 Feb 2015 @ 6:12am
      
      Re: Re: Re:
      Is that because citi owns the bank, or bought the bank and runs it, or the competition is that poor for customers? Its amazing how many mom and pop banks there are, with cities on the board.
      [ link to this | view in chronology ]
jackn, 20 Feb 2015 @ 10:38am

Hortensius: We’re not trying to get into an argument with the security guys. They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.

One red flag to remember, If you do not detect or know of any fraud, there is probably fraud occuring.

This is like letting a murderer off because his bullet missed the victom.
[ link to this | view in chronology ]
- Noah Callaway, 20 Feb 2015 @ 10:44am
  
  Re:
  It's more like letting the murderer off because the victim's body was never found...
  [ link to this | view in chronology ]
  - jackn, 20 Feb 2015 @ 10:52am
    
    Re: Re:
    yes, that is better.
    [ link to this | view in chronology ]
  - Ven, 20 Feb 2015 @ 1:03pm
    
    Re: Re:
    "Well, can't have a murder without a witness."
    - Tombstone (1993)
    [ link to this | view in chronology ]
- DannyB (profile), 20 Feb 2015 @ 11:10am
  
  Re:
  I'm sure that with Lenovo having done something this bad that they will get a punishment just as horrible as Sony received for its rootkit scandal.
  [ link to this | view in chronology ]
  - PRMan, 20 Feb 2015 @ 2:26pm
    
    Re: Re:
    So they're going to get hacked 24 times in the next 4 years? Awesome. Can't wait to see it.
    [ link to this | view in chronology ]
- Anonymous Coward, 20 Feb 2015 @ 12:45pm
  
  Re:
  You're not being spied on if you don't know you're being spied on.
  [ link to this | view in chronology ]
Just Another Anonymous Troll, 20 Feb 2015 @ 10:44am

Meanwhile, in the Middle Ages...
"Yes, there's a big honking hole in my castle wall, but no enemy troops have stormed in through it so any concerns about it are all theoretical."
-King Peter Hortensius the First (and last)
[ link to this | view in chronology ]
- Chris Brand, 20 Feb 2015 @ 11:56am
  
  Re: Meanwhile, in the Middle Ages...
  you mean "... but as far as we know, no enemy troops have come through it ..."
  [ link to this | view in chronology ]
John Fenderson (profile), 20 Feb 2015 @ 10:56am

At a minimum
Fire your CTO, Lenovo. Fire your marketing people. Fire your security team.

That would be called the second step in the long road to trying to regain anything like trust. But the head-rolling needs to go beyond that. Every single executive who was aware of this and didn't object to it needs to be fired for gross incompetence. Seriously, this isn't something that you need to be an engineer to spot.

The first step would be for them to actually come out and say what they did wrong (so we know they get it), and to stop with the incredible claim that they were doing it because they thought everyone would love it. They haven't even done that much yet.
[ link to this | view in chronology ]
- Anonymous Coward, 20 Feb 2015 @ 1:29pm
  
  Old marketing maxim
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Feb 2015 @ 1:33pm
    
    Re: Old marketing maxim
    Oops, I meant to type this:
    
    "It takes months to find a customer, but only seconds to lose one."
    
    Some variations of this suggests it's years instead of months. You start to wonder if the guys in marketing are aware of this.
    [ link to this | view in chronology ]
DannyB (profile), 20 Feb 2015 @ 11:07am

In other news
Hortensius: We’re not trying to get into an argument with the security guys. They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.
Beef industry spokesman: We’re not trying to get into an argument with the health guys. They’re dealing with theoretical concerns. We have no insight that anything serious has occurred. But we agree that Salmonella was not something we want to have in our beef, and we realized we needed to do more.

"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Most people, I think, don't even know what Salmonella is, so why should they care about it?
[ link to this | view in chronology ]
- Anonymous Coward, 20 Feb 2015 @ 1:13pm
  
  Re: In other news
  It's funny that such a standard PR dodge also happens to be the entire raison d'etre for marketing: people don't know what this is, and it's our job to make them want to spend money on it anyway.
  
  On an unrelated note, I've been hearing lots of great things about Aquagenic Urticaria, and I can't wait to get me a whole big mess of it.
  [ link to this | view in chronology ]
Jessie (profile), 20 Feb 2015 @ 11:08am

Every active exploit was at one point simply theoretical. Since this is such a juicy vector, I can't imagine it will be long before it's part of the standard toolkit. If it isn't already.
[ link to this | view in chronology ]
- DannyB (profile), 20 Feb 2015 @ 11:12am
  
  Re:
  If someone from the Ministry of Truth paid to have Superfish installed, then it probably already is in their standard toolkit of exploits.
  [ link to this | view in chronology ]
  - Jessie (profile), 20 Feb 2015 @ 11:24am
    
    Re: Re:
    There is already a root certificate in our certificate stores listed as belonging to the US government. I'm sure there are others in there we don't know about.
    [ link to this | view in chronology ]
- Anonymous Coward, 20 Feb 2015 @ 11:33am
  
  Re:
  Every active exploit was at one point simply theoretical.
  And the authors of the affected software used to love pointing this out. To quote Moxie Marlinspike (IIRC, and from memory), "Microsoft claimed it wasn't exploitable, so I released a tool that exploits it". MS has gotten better about acknowledging bugs without attached exploits; Lenovo are falling back on a strategy about 10 years out of date.
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Feb 2015 @ 7:58pm
    
    Re: Re:
    Quoted from these slides, page 18 (re: sslsniff; the Defcon 17/2009 talk video is available too):
    And then in 2002...
    ● Microsoft did something particularly annoying, so I blew this up by publishing it.
    ● Microsoft claimed that it was impossible to exploit.
    ● So I also published the tool that exploits it.
    [ link to this | view in chronology ]
Indy, 20 Feb 2015 @ 11:12am

What does this say about Lenovo Security beyond this product?
If this is the impact a serious security concern results, I have zero to nil confidence that an actual breach of Lenovo would be met with a shrug by the company. Therefore, I have no confidence in their security, their processes, and therefore their products.

Nothing personal, Lenovo, I just don't fuck around with products when the manufacturer doesn't due bare diligence in protecting their own shit.
[ link to this | view in chronology ]
Anonymous Coward, 20 Feb 2015 @ 11:28am

Superfish

Sounds like one of those cutesy names those jerks at the alphabet-soup agencies like to call their systems
[ link to this | view in chronology ]
- ryuugami, 21 Feb 2015 @ 12:38pm
  
  Re:
  Superfish
  
  Sounds like one of those cutesy names those jerks at the alphabet-soup agencies like to call their systems
  Almost, but not quite. You see, the alphabets name theirs in all-caps.
  [ link to this | view in chronology ]
toyotabedzrock (profile), 20 Feb 2015 @ 11:30am

They packaged that certificate up and made it valid for code signing so it can be used to install a root kit that Windows will not object to.
[ link to this | view in chronology ]
Anonymous Coward, 20 Feb 2015 @ 11:31am

Yeap, simply theoretical.

http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/

No wonder they were adverse to doing something about it. Every time it comes to state spyware there's always a lie about why it isn't this or that to prevent doing something about it till their nose is rubbed in it.
[ link to this | view in chronology ]
toyotabedzrock (profile), 20 Feb 2015 @ 11:33am

I have one of the affected computers and I had already uninstalled the crap that did this and disabled a bunch of background crap they have that looks like it is made for remote administration.
[ link to this | view in chronology ]
Anonymous Coward, 20 Feb 2015 @ 11:51am

I hope this kills off bundleware. Nobody deserves to get hit with this kind of garbage.
[ link to this | view in chronology ]
Anonymous Coward, 20 Feb 2015 @ 11:53am

ALL threats are theoretical; otherwise, they're called attacks.
[ link to this | view in chronology ]
- Anonymous Coward, 20 Feb 2015 @ 1:22pm
  
  Re:
  Exactly. And just because you don't know a murderer, doesn't proove they don't exist.
  
  Their defence seems tailored at reducing the stock hit, by exploiting less knowledgeable investors. That is not uncommon for chumps beating drums in WSJ.
  [ link to this | view in chronology ]
- Anonymous Coward, 20 Feb 2015 @ 6:53pm
  
  Re:
  Just as theoretical as the Theory of gravity. The first exploit should arrive by monday.
  [ link to this | view in chronology ]
Violynne (profile), 20 Feb 2015 @ 11:57am

Lenovo just insured I will never buy a product from them.

Ever.

I certainly hope this denial was worth it.
[ link to this | view in chronology ]
Mason Wheeler (profile), 20 Feb 2015 @ 11:58am

Barry Allen: [After he's already gained superpowers] Dark energy, antimatter, X-elements... those are all theoretical!
Harrison Wells: How theoretical are you, Mr. Allen?

-- The Flash, pilot.
[ link to this | view in chronology ]
Anonymous Coward, 20 Feb 2015 @ 12:09pm

Theoretical, practical, it's just semantics.
[ link to this | view in chronology ]
Anonymous Coward, 20 Feb 2015 @ 1:24pm

This kind of response is to be expected. It shouldn't surprise you anymore. The same kind of incompetence that led to this being included leads to the denials being published. How fast do you expect things to move inside the company?

Alternatively, even if some higher ups have now been briefed by competent personnel, they might still want to go this way. Try to deflect as much damage by sowing some doubt into the non-technical people. Those that don't understand what the whole thing is about. Let them hear conflicting information that makes them want to stop reading whilst we root out the cause. It's not a clever strategy either, but denial is a very natural reaction.

With these recurring situations I'd prefer to take a psychologist's perspective to try and understand it rather than getting upset every time. That's not to say that you have to stay quiet, but it does help keep your sanity I believe.
[ link to this | view in chronology ]
- John Fenderson (profile), 20 Feb 2015 @ 1:27pm
  
  Re:
  "This kind of response is to be expected. It shouldn't surprise you anymore."
  
  I doubt that anyone is surprised. That response does amplify the outrage and condemnation of the company, though, as it should.
  
  "With these recurring situations I'd prefer to take a psychologist's perspective to try and understand it rather than getting upset every time."
  
  I think most people here understand it just fine! However, understanding a thing doesn't mean that it won't upset you. Particularly when the upset is 100% justified.
  [ link to this | view in chronology ]
Rekrul, 21 Feb 2015 @ 12:17am

Has anyone looked at the terms and conditions that come with these Lenovo laptops? Do they disclose that Lenovo intentionally infected them with malware before they left the factory?

If not, Lenovo needs to get sued for selling infected computers.
[ link to this | view in chronology ]