A Bit Late, But Lenovo CTO Admits The Company Screwed Up

from the finally dept

We've had a bunch of posts today (and yesterday) about the "Superfish" debacle, with a few of them focusing on Lenovo failing to recognize what a problem it was -- first denying any serious security problem, and then calling it "theoretical." It appears that Lenovo has now realized it totally screwed up and is finally saying so. Speaking to Re/code, CTO Peter Hortensius has changed his tune from the "theoretical" problem he discussed earlier:

“We messed up,” CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a “man-in-the-middle,” or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one.

[....]

The company has an engineering review that made sure the tool itself didn’t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

“We should have known going in that that was the case,” Hortensius said. “We just flat-out missed it on this one, and did not appreciate the problem it was going to create.”

He later admits that the company "deserves" to take a beating for missing that. The company has also promised to publicly announce a plan for how it will make sure this sort of thing doesn't happen again.

While we called the company out for its initial terrible reaction, at least the company now seems to recognize the problems it caused and is owning up to it. It should have happened faster, but at least it's happening. Hopefully, the company is better off for it.

Of course, the same can't be said for Superfish, who insisted yesterday that Lenovo would show that there was no security risk at all, and still seems to be standing by that ridiculously wrong statement.

Filed Under: adware, malware, peter hortensius, superfish, vulnerability
Companies: komodia, lenovo, superfish

Lenovo CTO Claims Concerns Over Superfish Are Simply 'Theoretical'

from the find-a-new-cto dept

Lenovo keeps making things worse. First it installed crappy Superfish malware/adware on a bunch of its computers. That was bad enough. But the real problem was that in a clever little "hack" to get around the fact that the adware wouldn't work on HTTPS enabled pages, Superfish installed its own self-signed root certificate to basically create a massively dangerous man-in-the-middle attack to snoop on what you were doing on those HTTPS pages. Oh, and to make it even worse, the company made sure that everyone who had this Superfish self-signed root certificate had the exact same certificate with an easily cracked password, so that a massive and easily exploited vulnerability is in place in tons of machines out there. And Lenovo's first response was to insist there was no evidence of any security concerns. It later, quietly, deleted that statement, but still seems to be unwilling to admit what an incredibly dangerous situation it has created.

In fact, the company is still in denial mode. Lenovo's CTO, Peter Hortensius, was interviewed by the WSJ, and he insisted that any threats were "theoretical."

WSJ: There seems to be a disparity between what security researchers are saying about the potential dangers of this Superfish software, and what the company has said about this app not presenting a security risk.

Hortensius: We’re not trying to get into an argument with the security guys. They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.

Fire your CTO, Lenovo. Fire your marketing people. Fire your security team. This is a disaster. In our first post, we compared it to the Sony rootkit fiasco from a decade ago, while noting the security risk here is much, much greater. And, so far, Lenovo appears to be playing straight from the Sony rootkit response playbook. If you don't recall, after security folks pointed out what a security disaster the rootkit was, Sony's response was to dismiss the concerns as... theoretical:

"Most people, I think, don't even know what a rootkit is, so why should they care about it?"

In both cases, these technologies opened up giant, massive vulnerabilities on people's computers. In both cases, they were easily exploitable (in the Lenovo case, much, much, much more easily exploitable in a much, much, much more nefarious way). And, in both cases, senior execs from the company tried to handwave it away because they don't know if anyone abused these problems. This ignores that (1) it's quite possible people have been abusing these vulnerabilities for months and it's just not public yet, and (2) more importantly, it doesn't fucking matter because the vulnerability is still there and easily exploitable by lots and lots of people now because it's widely known.

Handwaving this off as a "theoretical" concern is not just missing the point -- it suggests a fundamental lack of understanding about rather basic security practices. As I mentioned earlier, I've been a very loyal Thinkpad buyer for years (though, thankfully, the machine I bought a couple months ago wasn't one infected this way). Every time I've dabbled with other laptops I've regretted it. But Lenovo's response to this is very quickly convincing me that the company should never get any more money from me. It's not just the initial screwup in preinstalling such a security mess, but the completely ridiculous response to it that suggests a company that still doesn't recognize what it has done.

Filed Under: certificate, danger, peter hortensius, security, self-signing, superfish
Companies: komodia, lenovo, superfish