A Bit Late, But Lenovo CTO Admits The Company Screwed Up
from the finally dept
We've had a bunch of posts today (and yesterday) about the "Superfish" debacle, with a few of them focusing on Lenovo failing to recognize what a problem it was -- first denying any serious security problem, and then calling it "theoretical." It appears that Lenovo has now realized it totally screwed up and is finally saying so. Speaking to Re/code, CTO Peter Hortensius has changed his tune from the "theoretical" problem he discussed earlier:

“We messed up,” CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a “man-in-the-middle,” or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one.

He later admits that the company "deserves" to take a beating for missing that. The company has also promised to publicly announce a plan for how it will make sure this sort of thing doesn't happen again.
[....]
The company has an engineering review that made sure the tool itself didn’t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.
“We should have known going in that that was the case,” Hortensius said. “We just flat-out missed it on this one, and did not appreciate the problem it was going to create.”
While we called the company out for its initial terrible reaction, at least the company now seems to recognize the problems it caused and is owning up to them. It should have happened faster, but at least it's happening. Hopefully, the company is better off for it.
Of course, the same can't be said for Superfish, which insisted yesterday that Lenovo would show that there was no security risk at all, and still seems to be standing by that ridiculously wrong statement.
Filed Under: adware, malware, peter hortensius, superfish, vulnerability
Companies: komodia, lenovo, superfish
Reader Comments
This is a non-apology apology, though. There is no excuse for anybody to interfere with encrypted traffic between you and a host under any circumstances, least of all an OEM.
The CTO is genuflecting to ensure profits aren't going to be down too much this quarter. The only thing which ensures Lenovo and other competitors learn a good lesson from this is heavy losses or bankruptcy, which is what they deserve.
To still fall for the soothing words of professionally lying corporate executives in this day and age is folly.
Meanwhile, in the United States, tech companies continue to claim to protect privacy on the one hand while collaborating with the NSA to destroy it on the other.
Words from corporate executives have no meaning. You're listening to a robot.
Assume much?
Re:
Lenovo was and is no doubt fully aware of the Sony rootkit debacle: they simply gambled that it wouldn't happen to them. And they probably calculated that even if it did, the profits they made by selling out the security and privacy of their users would outweigh the negative press.
The next Sony/Lenovo will do the same thing, unless Lenovo is sufficiently punished. And by "sufficiently punished", I mean that they must be driven into bankruptcy. We need a massive online campaign that makes it clear that Lenovo supports spyware that enables pedophiles, rapists, phishers, spammers and stalkers: we need to drag them through the mud until anyone hearing their name thinks of the most foul, sleazy, awful people on the planet.
Everybody screws up sometimes
Re: Everybody screws up sometimes
Re: Re: Everybody screws up sometimes
Re: Re: Re: Everybody screws up sometimes
That would be laughable if it were not already known what they actually do.
Re: Re: Re: Re: Everybody screws up sometimes
Re: Re: Re: Re: Re: Everybody screws up sometimes
Re: Re: Re: Re: Re: Everybody screws up sometimes
NSA: Mr CEO, nice to meet you. Your kids still going to Lat Mai high school? I think I ran into your wife at the Gak Lai supermarket the other day. And the landscaping at your home on Momo Drive, magnificent, just magnificent.
True terrorism at its finest.
Re: Re: Re: Re: Re: Re: Everybody screws up sometimes
Hey, it's just as plausible :)
Re: Everybody screws up sometimes
Re: Everybody screws up sometimes
Not me. After the first few rounds of deception, it's hard to respect them for coming clean only once they realized that nobody was buying their BS.
Before anyone can say "that's a stupid question!", let's not forget that back in the 1980s, after Pharmaceutical giants such as Bayer learned that their human-blood-derived products were spreading AIDS, they immediately took steps to revamp the products to make them safer -- but only to products sold in Western countries. Rather than destroy their existing stock of tainted merchandise, these companies simply changed its destination and shipped it to 3rd-world countries instead (one of which was China, home of Lenovo).
And of course the tobacco industry has been famous for agreeing to change its evil ways in one country, only to shift its target to other countries where it's hoped that resistance will be weaker.
So let's not completely discount the idea that Lenovo is only making a strategic *partial* retreat and not a capitulation.
I still see what the CTO does as media appeasement/damage control. While the Re/code interview is a lot more real, it still seems to be a case of designing the message to the listener...
Not even that. I think they knew all along. They didn't think they would get caught.
"Why would Lenovo, a company that people have been screaming about as they're a Chinese company and thus could be 'spying for China', collaborate with the NSA?"
Lots of cash ?
This seems to have an amazing effect on people and corporations when the amount is high enough.
With no cooperation from any CAs, this dinky little company easily created a complete inception-style spyware apparatus that went undetected for quite some time.
good thing the nsa/gchq can't do such a thing...
wait, what?
how many trusted root CAs do you have installed on your computer? ...or a better question is how many root CAs did your browser maker decide you should trust- it's not like you consciously chose to trust those entities.. most probably don't even know they exist. worse still- how did those entities even become 'trusted'... it's far more arbitrary than you might imagine.
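One way to actually answer the question of how many roots a Windows machine trusts, and to spot a root that should not be there. This is an added example, not code from the article or from any commenter; it assumes Windows PowerShell 5.1 or later, and it treats a root whose subject mentions "Superfish", or any root that carries a private key on the local machine, as worth a closer look (the article gives no certificate name or thumbprint, so the match is a constructed heuristic).

```powershell
# Added example (not from the article or its comments). Assumptions: Windows PowerShell 5.1+,
# and that a trusted root named after Superfish, or one with a local private key, is an
# indicator worth reviewing; a public CA's root never needs its private key on an end-user PC.
function Get-TrustedRootReport {
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    $report = foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                HasPrivateKey = $_.HasPrivateKey
                # Interception software must be able to sign certificates for any site, so a root
                # that local code can sign with is the thing to look for, whatever it is called.
                Suspicious    = ($_.Subject -match 'Superfish') -or $_.HasPrivateKey
            }
        }
    }
    return $report
}

$report = Get-TrustedRootReport
"Trusted roots installed (machine + user stores): $(@($report).Count)"
$report |
    Where-Object { $_.Suspicious } |
    Format-Table Store, Subject, Thumbprint, NotBefore, HasPrivateKey -AutoSize
```

Run it in an elevated session to see the machine store in full; a flagged entry can be exported with Export-Certificate for analysis before anyone decides to remove it.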
Re:
I think, like bankers and ISO certifiers, they are focusing more on procedures and insurance than results. The CAs all follow "best practices" without much regard for whether those practices are actually good or sufficient (as opposed to the same mediocre practices as everyone else). For example, they send an *unencrypted* email to the domain owner, even though CAs exist because we expect unencrypted traffic to be observable and modifiable by adversaries. (It's the "best" practice just because nobody else is doing anything better--except with EV certs, where the CAs say they'll do the job they were supposed to do in the first place.)
The few CAs that are known to have been compromised or otherwise taken advantage of (e.g. MD5 collisions helped by predictable serial numbers) had some pretty egregious problems, stuff that serious penetration testers should have found, but they all had the requisite certifications and insurance before it happened. Most of them still do.
Re: Re:
Spot on. This is one of those "terms of the art", and I have to admit that I never realized that people might not know what it means.
Actions speak louder than words
If you really regret Superfish (and not just the fact that it was discovered), I have a simple way you can demonstrate your integrity:
As soon as possible, begin offering all of your Windows computers–every single one–with a “clean install” option that includes nothing but Windows, Windows updates and WHQL-certified drivers. Not so much as a custom desktop background image added.
If you have software other than WHQL-certified drivers that you believe enhances the operation of the machine, make it a downloadable install, and keep it granular (e.g., don’t bundle uncertified drivers we need with apps we don’t).
Let us see how much more you have to charge without subsidies from bloatware and adware vendors and make the decision for ourselves which is the better value.
I think you’d win back a lot of respect... and maybe force some other OEMs to play catch-up.
Did they simply miss the implications of snooping-based advertising? Especially one that can insert their own advertisements? That doesn't seem credible.
Superphish
greedy people we got and the lust to get adverts and recons into everyone's computer is stunningly vicious
I ran across this in a blog post today
oldschoolh4ck3r
Welcome to the brave new world, where industries and governments collude to dissolve privacy and establish a digital battlefield. Deep-pocketed agencies can fund corporations towards their agendas of tainting technology in their favor, all the while pointing the finger at software 'bugs'. We're in a lot of trouble.
OpenSource and FSF software is the "Last Best Hope" for privacy and security
IMHO
Is it really worth it to get a Bad Reputation for this garbage? I know Windows like Android has issues with making any money on razor-thin profits and they do this crap to try and make a little money. How much do you really get to have this crap installed on a PC? $20? Here's an idea, bump the price of the PC up $20 and remove ALL of that crap.
Why not be known for Not throwing CRAP on your PC's!!!
Worse than Superfish?
https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html