Lenovo CTO Claims Concerns Over Superfish Are Simply 'Theoretical'
from the find-a-new-cto dept
Lenovo keeps making things worse. First it preinstalled crappy Superfish malware/adware on a bunch of its computers. That was bad enough. But the real problem was the clever little "hack" Superfish used to get around the fact that the adware couldn't inject into HTTPS pages: it installed its own self-signed root certificate into the system trust store, so that it could sit in the middle of every HTTPS connection, decrypt it, and hand the browser a page re-signed with a certificate the browser would accept. That is a man-in-the-middle attack on everything you do over HTTPS, built in at the factory. And to make it even worse, every machine got the exact same root certificate and private key, protected by an easily cracked password. Whoever extracts that one key can forge a certificate for any site, and every affected machine will trust it. That is a massive and easily exploited vulnerability sitting on tons of machines out there. Lenovo's first response was to insist there was no evidence of any security concerns. It later, quietly, deleted that statement, but still seems unwilling to admit what an incredibly dangerous situation it has created.

In fact, the company is still in denial mode. Lenovo's CTO, Peter Hortensius, was interviewed by the WSJ, and he insisted that any threats were "theoretical."
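To make concrete why a shared root key is not a "theoretical" concern, here is a small added example, written for this page and not code from Lenovo, Superfish or Komodia, that models the situation with Go's standard library: a stand-in public CA, a stand-in vendor root of the kind described above, and a certificate for a hostname forged with the vendor key. The CA names, the hostname `bank.example`, the ECDSA P-256 keys and the one-day validity are all choices made for the demo and are not claims about the real Superfish certificate; the only assumption is that an attacker holds the vendor root's private key, which is exactly what "same certificate on every machine, easily cracked password" hands them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh key for tmpl and has parent sign it; nil parent means self-signed (a root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key type is a demo choice
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// rootTemplate describes a CA certificate. The same shape serves the genuine public CA
// and the vendor root; nothing in the certificate itself says which one deserves trust.
func rootTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// leafTemplate describes a TLS server certificate for host.
func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// accepts does what a TLS client does: chain leaf to one of roots, check hostname, validity and key usage.
func accepts(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Run builds a genuine public CA, a vendor root and two leaves for host, then reports whether
// (1) an affected client trusting both roots accepts the forged leaf, (2) a clean client trusting
// only the public CA accepts the forged leaf, and (3) the clean client accepts the genuine leaf.
func Run(host string) (forgedOnAffected, forgedOnClean, genuineOnClean bool, err error) {
	publicCA, publicKey, err := issue(rootTemplate("Example Public CA (constructed)"), nil, nil)
	if err != nil {
		return
	}
	// Stand-in for the preinstalled vendor root; in the incident its private key was the same on every laptop.
	vendorRoot, vendorKey, err := issue(rootTemplate("Vendor Adware Root (constructed)"), nil, nil)
	if err != nil {
		return
	}
	genuine, _, err := issue(leafTemplate(host), publicCA, publicKey)
	if err != nil {
		return
	}
	// Whoever extracted vendorKey from one laptop can mint this for any host.
	forged, _, err := issue(leafTemplate(host), vendorRoot, vendorKey)
	if err != nil {
		return
	}
	forgedOnAffected = accepts(forged, host, publicCA, vendorRoot)
	forgedOnClean = accepts(forged, host, publicCA)
	genuineOnClean = accepts(genuine, host, publicCA)
	return
}

func main() {
	a, c, g, err := Run("bank.example")
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged cert: affected laptop=%v clean machine=%v; genuine cert: clean machine=%v\n", a, c, g)
}
```

Run it with `go run` and it reports that a client whose trust store contains the vendor root accepts the forged certificate for `bank.example`, while a clean client rejects it and still accepts the genuine one. The real-world check is the same shape: inspect the Root store on an affected machine (certmgr.msc, or `Get-ChildItem Cert:\LocalMachine\Root` in PowerShell) for the Superfish certificate. Removing that certificate withdraws the trust, but the software that installed it has to go too, and any browser that keeps its own certificate store needs to be checked separately.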
WSJ: There seems to be a disparity between what security researchers are saying about the potential dangers of this Superfish software, and what the company has said about this app not presenting a security risk.

Hortensius: We're not trying to get into an argument with the security guys. They're dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.

Fire your CTO, Lenovo. Fire your marketing people. Fire your security team. This is a disaster. In our first post, we compared it to the Sony rootkit fiasco from a decade ago, while noting that the security risk here is much, much greater. And, so far, Lenovo appears to be playing straight from the Sony rootkit response playbook. If you don't recall, after security folks pointed out what a security disaster the rootkit was, Sony's response was to dismiss the concerns as... theoretical:

"Most people, I think, don't even know what a rootkit is, so why should they care about it?"

In both cases, these technologies opened up giant, massive vulnerabilities on people's computers. In both cases, they were easily exploitable (in the Lenovo case, far more easily, and in a far more nefarious way). And, in both cases, senior execs from the company tried to handwave it away because they don't know whether anyone has abused the problem. This ignores that (1) it's quite possible people have been abusing these vulnerabilities for months and it just isn't public yet, and (2) more importantly, it doesn't fucking matter, because the vulnerability is still there: the same private key sits on every affected machine, the way to extract it is now widely known, and anyone positioned on the same network as one of those laptops can impersonate any HTTPS site to it. "We have no insight that anything nefarious has occurred" is not a security finding; a man-in-the-middle attack of this kind leaves the victim with no warning to report.
Handwaving this off as a "theoretical" concern is not just missing the point -- it suggests a fundamental lack of understanding of rather basic security practice: a vulnerability is real the moment it is exploitable, not the moment someone produces a victim. As I mentioned earlier, I've been a very loyal Thinkpad buyer for years (though, thankfully, the machine I bought a couple of months ago wasn't one infected this way). Every time I've dabbled with other laptops I've regretted it. But Lenovo's response to this is very quickly convincing me that the company should never get any more money from me. It's not just the initial screwup in preinstalling such a security mess, but the completely ridiculous response to it, which suggests a company that still doesn't recognize what it has done.
Filed Under: certificate, danger, peter hortensius, security, self-signing, superfish
Companies: komodia, lenovo, superfish
Reader Comments
If everybody voted with their wallets and caused a lot of financial damage to the companies that act like this (see Sony, EA etc) they'd be at least more transparent and swift in their responses, or even avoid stupidity altogether. But instead people simply keep buying out of ignorance or masochism...
One red flag to remember: if you do not detect or know of any fraud, there is probably fraud occurring.
This is like letting a murderer off because his bullet missed the victim.
Meanwhile, in the Middle Ages...
-King Peter Hortensius the First (and last)
At a minimum
That would be called the second step in the long road to trying to regain anything like trust. But the head-rolling needs to go beyond that. Every single executive who was aware of this and didn't object to it needs to be fired for gross incompetence. Seriously, this isn't something that you need to be an engineer to spot.
The first step would be for them to actually come out and say what they did wrong (so we know they get it), and to stop with the incredible claim that they were doing it because they thought everyone would love it. They haven't even done that much yet.
In other news
Most people, I think, don't even know what Salmonella is, so why should they care about it?
What does this say about Lenovo Security beyond this product?
Nothing personal, Lenovo, I just don't fuck around with products when the manufacturer doesn't due bare diligence in protecting their own shit.
Sounds like one of those cutesy names those jerks at the alphabet-soup agencies like to call their systems
http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/
No wonder they were averse to doing something about it. Every time it comes to state spyware there's always a lie about why it isn't this or that to prevent doing something about it till their nose is rubbed in it.
Ever.
I certainly hope this denial was worth it.
Harrison Wells: How theoretical are you, Mr. Allen?
-- The Flash, pilot.
Re: Re:
- Tombstone (1993)
Re: In other news
On an unrelated note, I've been hearing lots of great things about Aquagenic Urticaria, and I can't wait to get me a whole big mess of it.
Re:
Their defence seems tailored to reducing the stock hit, by exploiting less knowledgeable investors. That is not uncommon for chumps beating drums in WSJ.
Alternatively, even if some higher ups have now been briefed by competent personnel, they might still want to go this way. Try to deflect as much damage by sowing some doubt into the non-technical people. Those that don't understand what the whole thing is about. Let them hear conflicting information that makes them want to stop reading whilst we root out the cause. It's not a clever strategy either, but denial is a very natural reaction.
With these recurring situations I'd prefer to take a psychologist's perspective to try and understand it rather than getting upset every time. That's not to say that you have to stay quiet, but it does help keep your sanity I believe.
Re:
I doubt that anyone is surprised. That response does amplify the outrage and condemnation of the company, though, as it should.
"With these recurring situations I'd prefer to take a psychologist's perspective to try and understand it rather than getting upset every time."
I think most people here understand it just fine! However, understanding a thing doesn't mean that it won't upset you. Particularly when the upset is 100% justified.
Old marketing maxim
Re: Old marketing maxim
"It takes months to find a customer, but only seconds to lose one."
Some variations of this suggest it's years instead of months. You start to wonder if the guys in marketing are aware of this.
Re: Re:
Where does my dad bank now? You guessed it.
They tried to STEAL HIS HOUSE! And he still does business with them.
Re: Re:
And then in 2002...
● Microsoft did something particularly annoying, so I blew this up by publishing it.
● Microsoft claimed that it was impossible to exploit.
● So I also published the tool that exploits it.
If not, Lenovo needs to get sued for selling infected computers.
Re:
Sounds like one of those cutesy names those jerks at the alphabet-soup agencies like to call their systems
Almost, but not quite. You see, the alphabets name theirs in all-caps.