A Bit Late, But Lenovo CTO Admits The Company Screwed Up

from the finally dept

We've had a bunch of posts today (and yesterday) about the "Superfish" debacle, with a few of them focusing on Lenovo failing to recognize what a problem it was -- first denying any serious security problem, and then calling it "theoretical." It appears that Lenovo has now realized it totally screwed up and is finally saying so. Speaking to Re/code, CTO Peter Hortensius has changed his tune from the "theoretical" problem he discussed earlier:
“We messed up,” CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a “man-in-the-middle,” or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one.

[....]

The company has an engineering review that made sure the tool itself didn’t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

“We should have known going in that that was the case,” Hortensius said. “We just flat-out missed it on this one, and did not appreciate the problem it was going to create.”
He later admits that the company "deserves" to take a beating for missing that. The company has also promised to publicly announce a plan for how it will make sure this sort of thing doesn't happen again.

While we called the company out for its initial terrible reaction, at least the company now seems to recognize the problems it caused and is owning up to it. It should have happened faster, but at least it's happening. Hopefully, the company is better off for it.

Of course, the same can't be said for Superfish, which insisted yesterday that Lenovo would show there was no security risk at all, and which still seems to be standing by that ridiculously wrong statement.


Filed Under: adware, malware, peter hortensius, superfish, vulnerability
Companies: komodia, lenovo, superfish


Reader Comments



  • Anonymous Coward, 20 Feb 2015 @ 6:49pm

    The company has an engineering review that made sure the tool itself didn’t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

    This is a non-apology apology, though. There is no excuse for anybody to interfere with encrypted traffic between you and a host under any circumstances, least of all an OEM.

    The CTO is genuflecting to ensure profits aren't going to be down too much this quarter. The only thing which ensures Lenovo and other competitors learn a good lesson from this is heavy losses or bankruptcy, which is what they deserve.

    To still fall for the soothing words of professionally lying corporate executives in this day and age is folly.

    Meanwhile, in the United States, tech companies continue to claim to protect privacy on the one hand while collaborating with the NSA to destroy it on the other.

    Words from corporate executives have no meaning. You're listening to a robot.


    • Pegr, 20 Feb 2015 @ 7:26pm

      Assume much?

      Why would you think this isn't another example of collaboration? Go research the principles of the vendor. They are all from the intel community.


    • Anonymous Coward, 22 Feb 2015 @ 4:41am

      Re:

      You're exactly right. This isn't an apology or an admission. It's corporate bullshit from one of Lenovo's professional liars. It's worthless crap that means NOTHING.

      Lenovo was and is no doubt fully aware of the Sony rootkit debacle: they simply gambled that it wouldn't happen to them. And they probably calculated that even if it did, the profits they made by selling out the security and privacy of their users would outweigh the negative press.

      The next Sony/Lenovo will do the same thing, unless Lenovo is sufficiently punished. And by "sufficiently punished", I mean that they must be driven into bankruptcy. We need a massive online campaign that makes it clear that Lenovo supports spyware that enables pedophiles, rapists, phishers, spammers and stalkers: we need to drag them through the mud until anyone hearing their name thinks of the most foul, sleazy, awful people on the planet.


  • Spaceman Spiff (profile), 20 Feb 2015 @ 7:09pm

    Everybody screws up sometimes

    But it takes a "man" (or woman) of character to admit it when they do. I don't like what Lenovo did, but I have gained a lot of respect for them in that their CTO is willing to fall on his sword over this. And even more respect for him.


    • Pegr, 20 Feb 2015 @ 7:27pm

      Re: Everybody screws up sometimes

      They were victimized, actually.


      • orbitalinsertion (profile), 20 Feb 2015 @ 7:36pm

        Re: Re: Everybody screws up sometimes

        That's laughable, at best. Even a properly secure version of this software would be garbage, and not something any vendor should bundle in a pre-installed OS in the first place. And if they had done any testing at all, they would have seen what a gaping security hole it creates.


        • Pegr, 20 Feb 2015 @ 8:00pm

          Re: Re: Re: Everybody screws up sometimes

          No, what I mean is that someone inside Lenovo made a dirty deal with a defense contractor for inserting privacy-destroying software on their laptops in order to sell the data to the NSA.

          That would be laughable if it were not already known what they actually do.


          • Kaemaril (profile), 21 Feb 2015 @ 3:40am

            Re: Re: Re: Re: Everybody screws up sometimes

            Why would Lenovo, a company that people have been screaming about as they're a Chinese company and thus could be 'spying for China', collaborate with the NSA?


            • Pegr, 21 Feb 2015 @ 8:39am

              Re: Re: Re: Re: Re: Everybody screws up sometimes

              Money.


            • Bamboo Harvester (profile), 21 Feb 2015 @ 9:13am

              Re: Re: Re: Re: Re: Everybody screws up sometimes

              "Why would Lenovo, a company that people have been screaming about as they're a Chinese company and thus could be 'spying for China', collaborate with the NSA?"

              NSA: Mr CEO, nice to meet you. Your kids still going to Lat Mai high school? I think I ran into your wife at the Gak Lai supermarket the other day. And the landscaping at your home on Momo Drive, magnificent, just magnificent.

              True terrorism at its finest.


              • Kaemaril (profile), 21 Feb 2015 @ 10:51am

                Re: Re: Re: Re: Re: Re: Everybody screws up sometimes

                Mr CEO : Why, Mr. NSA. It's really nice to meet you too. This guy to my right? Oh, you haven't met. Now, I'm not saying he's with Chinese Intelligence and I'm not saying he's not. But he's awfully knowledgeable about your children, practically a trivia buff on the subject.

                Hey, it's just as plausible :)


    • Anonymous Coward, 21 Feb 2015 @ 9:29am

      Re: Everybody screws up sometimes

      They didn't admit anything until they got caught in a web of their own lies and had no choice but to backpedal to save face. They deserve no credit for this. They were forced into it.


    • John Fenderson (profile), 23 Feb 2015 @ 7:52am

      Re: Everybody screws up sometimes

      "I have gained a lot of respect for them in that their CTO is willing to fall on his sword over this"

      Not me. After the first few rounds of deception, it's hard to respect them for coming clean only once they realized that nobody was buying their BS.


  • Anonymous Coward, 21 Feb 2015 @ 12:56am

    It will be interesting to see if Lenovo's promise to drop Superfish covers all computers -- or only computers sold in Western countries?

    Before anyone can say "that's a stupid question!", let's not forget that back in the 1980s, after pharmaceutical giants such as Bayer learned that their human-blood-derived products were spreading AIDS, they immediately took steps to revamp the products to make them safer -- but only for products sold in Western countries. Rather than destroy their existing stock of tainted merchandise, these companies simply changed its destination and shipped it to 3rd-world countries instead (one of which was China, home of Lenovo).

    And of course the tobacco industry has been famous for agreeing to change its evil ways in one country, only to shift its target to other countries where it's hoped that resistance will be weaker.

    So let's not completely discount the idea that Lenovo is only making a strategic *partial* retreat and not a capitulation.


  • Anonymous Coward, 21 Feb 2015 @ 1:00am

    ...trying to figure out why comments are going to "moderation" right now.


  • Anonymous Coward, 21 Feb 2015 @ 2:15am

    The last denial from him was in the WSJ, which typically has an audience more likely to be less technically understanding and easier to calm with lies. Re/code typically has a technology angle, attracting people who can spot the lies and get angered by them.

    I still see what the CTO does as media appeasement/damage control. While the Re/code interview is a lot more real, it still seems to be a case of designing the message to the listener...


  • Dreddsnik, 21 Feb 2015 @ 5:39am

    "No, what I mean is that someone inside Lenovo made a dirty deal with a defense contractor for inserting privacy"

    Not even that. I think they knew all along. They didn't think they would get caught.

    "Why would Lenovo, a company that people have been screaming about as they're a Chinese company and thus could be 'spying for China', collaborate with the NSA?"

    Lots of cash ?
    This seems to have an amazing effect on people and corporations when the amount is high enough.


  • Anonymous Coward, 21 Feb 2015 @ 6:43am

    this komodia stuff is the tip of the iceberg with regards to how screwed up https and ca/cert based security is. I hope you guys will keep digging- lots of stories and knowledge that deserve attention and understanding here.

    With no cooperation from any CAs, this dinky little company easily created a complete inception-style spyware apparatus that went undetected for quite some time.

    good thing the nsa/gchq can't do such a thing...
    wait, what?

    how many trusted root CAs do you have installed on your computer? ...or a better question is how many root CAs did your browser maker decide you should trust- it's not like you consciously chose to trust those entities.. most probably don't even know they exist. worse still- how did those entities even become 'trusted'... it's far more arbitrary than you might imagine.

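The question in the comment above (how many root CAs does your machine actually trust, and did you choose any of them?) has a concrete defender-side answer on Windows, which is where the Superfish certificate was installed. The script below is an added example, not code from Lenovo, Superfish, Komodia or Techdirt: it counts the certificates in the machine-wide and per-user trusted root stores and lists the ones that carry generic warning signs (a root whose private key is present on this very machine, which is the precondition for locally minting certificates for any site; an RSA key shorter than 2048 bits; or a subject matching a name you supply). It assumes Windows PowerShell 5.1 or later (for `RSACertificateExtensions`), and `$SuspectPattern` is a placeholder you replace with whatever subject substring you want to look for.

```powershell
# Added example: inventory the Windows trusted root stores and flag unusual entries.
# Defender-side check only; it reads the stores and changes nothing.
param(
    # Placeholder: substitute a subject substring to search for (e.g. a vendor name).
    [string]$SuspectPattern = 'REPLACE-WITH-SUBJECT-SUBSTRING'
)

# Both stores are consulted by Windows when it decides whether a TLS chain is trusted,
# so a rogue root in either one affects every application that uses the system store.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

foreach ($store in $stores) {
    $roots = @(Get-ChildItem -Path $store)
    Write-Host ("{0}: {1} trusted root certificates" -f $store, $roots.Count)

    foreach ($cert in $roots) {
        $flags = @()

        # A root CA's private key has no business being on an end-user machine; if it is,
        # anything on the box can sign a certificate for any host name and be trusted.
        if ($cert.HasPrivateKey) { $flags += 'private key present on this machine' }

        # Short RSA keys are a second, generic sign of a root that should not be trusted.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt 2048) { $flags += "RSA key only $($rsa.KeySize) bits" }

        # Operator-supplied name match (the pattern above is a placeholder).
        if ($cert.Subject -like "*$SuspectPattern*") { $flags += 'subject matches pattern' }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Flags      = ($flags -join '; ')
            }
        }
    }
}
```

Running it with no arguments prints the two counts and a table of flagged roots; an empty table only means none of these three generic indicators fired, so the count itself is still worth comparing against what you expect from the OS vendor's root program. Removing a root you did not choose to trust is a separate, deliberate step (for example with `Remove-Item` on the specific `Cert:` path), and is best done only after confirming the thumbprint against a trustworthy source.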

    • Anonymous Coward, 22 Feb 2015 @ 9:22am

      Re:

      how many trusted root CAs do you have installed on your computer? ...or a better question is how many root CAs did your browser maker decide you should trust- it's not like you consciously chose to trust those entities..
      You might be misunderstanding the word "trusted"... "a trusted system is one whose failure may break a specified security policy." It's not a compliment, and notably doesn't mean trustworthy.

      worse still- how did those entities even become 'trusted'... it's far more arbitrary than you might imagine.
      I think, like bankers and ISO certifiers, they are focusing more on procedures and insurance than results. The CAs all follow "best practices" without much regard for whether those practices are actually good or sufficient (as opposed to the same mediocre practices as everyone else). For example, they send an *unencrypted* email to the domain owner, even though CAs exist because we expect unencrypted traffic to be observable and modifiable by adversaries. (It's the "best" practice just because nobody else is doing anything better--except with EV certs, where the CAs say they'll do the job they were supposed to do in the first place.)

      The few CAs that are known to have been compromised or otherwise taken advantage of (e.g. MD5 collisions helped by predictable serial numbers) had some pretty egregious problems, stuff that serious penetration testers should have found, but they all had the requisite certifications and insurance before it happened. Most of them still do.


      • John Fenderson (profile), 23 Feb 2015 @ 7:54am

        Re: Re:

        "You might be misunderstanding the word "trusted"... "a trusted system is one whose failure may break a specified security policy." It's not a compliment, and notably doesn't mean trustworthy."

        Spot on. This is one of those "terms of the art", and I have to admit that I never realized that people might not know what it means.


  • miatajim (profile), 21 Feb 2015 @ 7:38am

    Sorry Lenovo, you should have learned from Sony in 2005. Never again will you see any of my personal or any corporate (friends, family) I have any control over.


  • Coises (profile), 21 Feb 2015 @ 5:01pm

    Actions speak louder than words

    Dear Lenovo,

    If you really regret Superfish (and not just the fact that it was discovered), I have a simple way you can demonstrate your integrity:

    As soon as possible, begin offering all of your Windows computers–every single one–with a “clean install” option that includes nothing but Windows, Windows updates and WHQL-certified drivers. Not so much as a custom desktop background image added.

    If you have software other than WHQL-certified drivers that you believe enhances the operation of the machine, make it a downloadable install, and keep it granular (e.g., don’t bundle uncertified drivers we need with apps we don’t).

    Let us see how much more you have to charge without subsidies from bloatware and adware vendors and make the decision for ourselves which is the better value.

    I think you’d win back a lot of respect... and maybe force some other OEMs to play catch-up.


  • DB (profile), 21 Feb 2015 @ 10:48pm

    The statement is exactly the one you would see if control of the situation was moved from marketing ("we are certain there is no risk") to legal ("we didn't know anything").

    Did they simply miss the implications of snooping-based advertising? Especially one that can insert their own advertisements? That doesn't seem credible.


  • jaket kulit pria, 22 Feb 2015 @ 2:56am

    posting nice

    many blog posts do not like this provide a useful article for visitors thanks admin
    jaket kulit pria


  • Mike Acker (profile), 22 Feb 2015 @ 9:13am

    Superphish

    Torvalds notes (p.95) of "Just for Fun" "If money was to get involved things would get murky. If you don't let money enter the picture you won't have greedy people".

    greedy people we got and the lust to get adverts and recons into everyone's computer is stunningly vicious

    I ran across this in a blog post today

    oldschoolh4ck3r
    Welcome to the brave new world, where industries and governments collude to dissolve privacy and establish a digital battlefield. Deep-pocketed agencies can fund corporations towards their agendas of tainting technology in their favor, all the while pointing the finger at software 'bugs'. We're in a lot of trouble.

    OpenSource and FSF software is the "Last Best Hope" for privacy and security

    IMHO


  • JBDragon (profile), 23 Feb 2015 @ 9:30am

    This is why NONE of this 3rd party CRAP should ever be pre-installed on a new computer. It should be Windows ONLY, free of all other crap!!!

    Is it really worth it to get a Bad Reputation for this garbage? I know Windows like Android has issues with making any money on razor-thin profits and they do this crap to try and make a little money. How much do you really get to have this crap installed on a PC? $20? Here's an idea, bump the price of the PC up $20 and remove ALL of that crap.

    Why not be known for Not throwing CRAP on your PC's!!!


  • msmolly (profile), 23 Feb 2015 @ 11:05am

    Worse than Superfish?


