Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Portables

Lenovo To Wipe Superfish Off PCs 266

An anonymous reader send news from the Wall Street Journal, where Lenovo CTO Peter Hortensius said in an interview that the company will roll out a software update to remove the Superfish adware from its laptops. "As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it." When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."
This discussion has been archived. No new comments can be posted.

Lenovo To Wipe Superfish Off PCs

Comments Filter:
  • The lesson here (Score:5, Insightful)

    by MAXOMENOS ( 9802 ) <mike@mikesmithforor e g o n . c om> on Friday February 20, 2015 @10:59AM (#49094619) Homepage

    The feedback from users was that it wasn’t useful, and that’s why we turned it off.

    Translation: our laptops are for consumers to buy crap online, and not for any kind of serious work.

    Good to know!

    • Re:The lesson here (Score:5, Informative)

      by Anonymous Coward on Friday February 20, 2015 @11:31AM (#49094891)

      From a partner email regarding the SuperFish software:

      "Please note that Lenovo has NOT loaded this software on any ThinkPad notebooks, nor any desktops, tablets, workstations, servers or smartphones. The only impacted models are the following consumer notebook series: Z-series, Y-Series, U-Series, G-Series, S-Series, Flex-Series, Yoga, Miix and E-Series."

    • Re:The lesson here (Score:5, Interesting)

      by mea_culpa ( 145339 ) on Friday February 20, 2015 @11:35AM (#49094935)

      There is a lot of truth to that statement.
      It was the cheaper consumer models that were affected. Retail profit margins are so thin that manufacturers and retailers make up for it with preloaded crapware.

      Lenovo's business products were not affected by this as these aren't usually preloaded with crap.
      The same goes for other manufactures too. Dell and HP both offer cheap crapware infested models, along with pricier crap free business models.

      You do get what you pay for.

      • Re:The lesson here (Score:4, Insightful)

        by The-Ixian ( 168184 ) on Friday February 20, 2015 @12:21PM (#49095283)

        It was the cheaper consumer models that were affected. Retail profit margins are so thin that manufacturers and retailers make up for it with preloaded crapware.

        This may have been true at one time, but I don't think it is the case any longer. I think that the ubiquity of cheap components and the falling price of Windows for OEMs, the profit margins have been steadily increasing over the years.
         
        I think it is just that OEMs have become dependent on the revenue stream they get from app developers who want their software included in the base image.

        • Re:The lesson here (Score:4, Insightful)

          by cdrudge ( 68377 ) on Friday February 20, 2015 @12:56PM (#49095485) Homepage

          I think it is just that OEMs have become dependent on the revenue stream...

          They aren't dependent on it, they just don't want to leave a revenue stream untapped.

        • Re:The lesson here (Score:4, Informative)

          by Solandri ( 704621 ) on Friday February 20, 2015 @04:07PM (#49096943)

          This may have been true at one time, but I don't think it is the case any longer. I think that the ubiquity of cheap components and the falling price of Windows for OEMs, the profit margins have been steadily increasing over the years.

          You haven't been buying laptops for very long, have you? I've bought:

          A Thinkpad 700 (monochrome, not color) in 1994 for about $2100.
          A Thinkpad 701c in 1996 for about $2800 (original retail in 1995 was about $3800)
          A Thinkpad 560E in 1999 (2 years after release) on sale for about $2600 (nearly $4000 in 1997)
          A Toshiba Portege 3440CT in 2001 on a killer sale for $1750 (was $2500 when new)
          A Thinkpad T40 in 2004 for $1800
          A Sony S360 in 2006 for $600 in a killer sale (original retail approx 2x).
          A Sony Z122 - their top of the line model - in 2010 for $800 in a killer sale (original retail approx 2x).

          The ubiquity of cheap components has been translating into much cheaper laptops over time. If you look at the profit margins of these companies, they've been pretty stable at 5%-10%. Apple is the only one who's figured out a way to sell cheap components at a huge markup.

      • Re:The lesson here (Score:5, Insightful)

        by Jawnn ( 445279 ) on Friday February 20, 2015 @12:42PM (#49095419)

        There is a lot of truth to that statement. It was the cheaper consumer models that were affected. Retail profit margins are so thin that manufacturers and retailers make up for it with preloaded crapware.

        Lenovo's business products were not affected by this as these aren't usually preloaded with crap.

        So you say, and I am inclined to believe it is so. Nevertheless, Lenovo has demonstrated, in clear and undeniable terms, that profit outweighs the needs of their customers, including the need to have a secure and trustworthy computing platform. The have violated that trust.
        "And for that reason, I'm out."

        • Re:The lesson here (Score:5, Insightful)

          by TsuruchiBrian ( 2731979 ) on Friday February 20, 2015 @01:27PM (#49095683)

          Every company's primary goal is maximizing profit. The only difference is between strategy. Some companies try to maximize profits by cutting their own costs by being efficient and making a superior product that customers actually want. Some companies try to maximize profits by bribing politicians to pass laws hindering their competitors. Some companies try to maximize profits by tricking people (e.g. tricking them into buying products that are not as good as advertized).

          If the trust that you had violated was your trust that a corporation valued profit over you, then it's time to stop being a consumer and to start farming in your back yard.

          Asking a corporation to value it's customers more than profit is like asking you to value a corporation more than your children. Neither party should be under the false pretense of the other having unconditional loyalty. This is a mutually beneficial business arrangement that is ended the second either side realizes it is no longer beneficial to them.

          What I am getting at is that the problem is not that they placed profit above you. Every corporation (even the good ones) do that. The problem is that they tricked you. "Good" companies don't trick people, not because the don't value profit above all else, but because unlike Lenovo, they actually do care about their reputation (as a means to profit).

    • No other rational choice.

    • ...our laptops are for consumers to buy crap online, and not for any kind of serious work....

      Considering that Lenovo has a consumer line of laptops and a business line of laptops (the ThinkPad brand), there may be a shred of truth in what you say.

    • Translation: our laptops are for consumers to buy crap online, and not for any kind of serious work.

      Isn't that the case with pretty much every consumer-level laptop on the market today? This was a particularly bad case of pre-installed crapware, but I can't think of a laptop sold at any American retailer today that isn't guilty of the same.

      If you want to do real work, skip windows and put an OS on your laptop that is useful for real work.

      • Re:The lesson here (Score:4, Interesting)

        by CastrTroy ( 595695 ) on Friday February 20, 2015 @12:22PM (#49095293)
        If you buy a laptop/computer from the Microsoft Store [microsoftstore.com], I think they all feature Signature Edition, which they state includes the following

        Signature Edition PCs are tuned for fast performance from the second you turn them on. They include free anti-virus software that never expires and have no junkware or trialware, ensuring that your new PC is always clean, fast, and protected.

        It seems that MS realizes there is a problem with junkware included with their OS. They can't force manufacturers to not install junkware on the computers they sell, but it looks like MS is trying to do something to alleviate the problem. It actually looks like the machines sold on the Microsoft Store are actually quite competitively priced.

      • by Pieroxy ( 222434 )

        My wife's MacBook Air came with no crapware preinstalled. My Ubuntu Dell XPS 13 neither.

        I have no idea what you're talking about.

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday February 20, 2015 @11:00AM (#49094629) Homepage Journal

    It seems like they ought to be offering to send out fresh system restore images to customers, either via download or by DVD-for-a-small-shipping-fee. A tool which promises to remove the offending infection seems inadequate.

  • Accountability (Score:5, Interesting)

    by Anonymous Coward on Friday February 20, 2015 @11:06AM (#49094663)

    Someone needs to be fired for this. Someone very high up the corporate ladder. Someone who thinks SuperFish improves the shopping ecperience. Someone who needs to be blackballed from the industry and die penniless huddled in a cardboard box drinking sterno.

    If that doesn't happen, SuperFish and problems like it will continue to happen.

  • That's a stretch (Score:5, Insightful)

    by jones_supa ( 887896 ) on Friday February 20, 2015 @11:09AM (#49094701)

    The intent of loading this tool was to help enhance our users’ shopping experience.

    Shut up. It injects advertising into search engine results, and also has the capability to intercept and hijack SSL/TLS connections to websites, thanks to the installation of a self-signing certificate authority on affected machines. You are not enhancing my shopping experience in any way, but you are doing a great job ruining my computer experience. This is nothing more than classic OEM crapware at its best.

    • by DarkOx ( 621550 ) on Friday February 20, 2015 @11:37AM (#49094941) Journal

      The first followup question should be; did / do you have Superfish installed on YOUR computer? I would be really interested to hear how much he valued this 'enhanced shopping experience'.

      The simple fact is they willfully shipped spyware. Beyond that they willfully shipped spyware with the potential to compromise one of the most fundamental security mechanisms Internet users rely on, SSL/TSL by inserting itself into the authentication chain. Beyond that the Superfish spyware did compromise SSL/TLS because the private key it uses to generate proxy certificates was poorly protected.

      So on the first count we might excuse them, everybody does it although its still slimy. On the second count they should have know they were crossing a line and entering deep scumbag territory. On the third count well, again I guess everybody does it.

    • "The intent of loading this tool was to help enhance our users’ shopping experience."
      Also dollars. The intent was dollars.
    • by by (1706743) ( 1706744 ) on Friday February 20, 2015 @01:56PM (#49095901)

      ...on affected machines.

      People always misuse that word. I think you mean, "infected" ;)

  • Root Cause (Score:5, Insightful)

    by zieroh ( 307208 ) on Friday February 20, 2015 @11:12AM (#49094723)

    The intent of loading this tool was to help enhance our users’ shopping experience.

    The belief that the "shopping experience" of their users needed "enhancing" speaks loudly as to exactly how little Lenovo understands.

    • Yes.

      The assholes have to appreciate that sticking to their core competency is more profitable, in the long run, than fucking with their gear in order to increase CEO salaries.

    • Re:Root Cause (Score:5, Informative)

      by kat_skan ( 5219 ) on Friday February 20, 2015 @11:33AM (#49094909)

      The belief that the "shopping experience" of their users needed "enhancing" speaks loudly as to exactly how little Lenovo understands.

      They don't believe that. They believe their customers are stupid enough to believe it.

  • by Desidivo ( 814311 ) on Friday February 20, 2015 @11:15AM (#49094743)
    Hmm..... Who would have thought a Chinese company would install software that is capable of spying on laptops? Wonder how the world's secrets keep getting stolen? If you buy a Lenovo and expect anything different, you deserve what you get. This is not the first time, nor will it be the last time. They just got caught this time.
  • by QuietLagoon ( 813062 ) on Friday February 20, 2015 @11:15AM (#49094747)

    ...When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful...

    It is a rare occasion when a C-level exec admits that his company has not got a clue about what its customers want.

    .
    Since the marketing team are usually the ones responsible for knowing customer needs, will we be seeing a change in Lenovo's executive suite soon, say a new chief marketing officer?

  • by OzPeter ( 195038 ) on Friday February 20, 2015 @11:17AM (#49094771)

    we will provide a tool that removes all traces of the app from people’s laptops;

    So how I do trust that:

    1. This tool will do as it says
    2. You won't repeat the process in the future?

    The trust with Lenovo has been broken and I can't see what they can ever do in order to restore it.

  • we will provide a tool that removes all traces of the app from peopleâ(TM)s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, weâ(TM)ll issue a press release with information on how to get it.

    Pathetic

  • Useless (Score:5, Informative)

    by Khyber ( 864651 ) <techkitsune@gmail.com> on Friday February 20, 2015 @11:19AM (#49094793) Homepage Journal

    I will guarantee you that this particular 'update' will only take care of the core OS infection. If you have FF, Opera, or Thunderbird, do not expect this to work. You're stuck fixing those programs and their cert stores on your own.

    I wouldn't trust Lenovo, anyways. They can't keep a story straight.

    First they say 'Between October and December' and then just a few lines later contradict themselves by saying they stopped in January. [imgur.com]

    Then they further contradict their words by releasing a security advisory stating they stopped in February. [imgur.com]

    We know this software has been on Lenovo laptops since June, at the least. So the Oct-Dec statement is a lie. Three straight lies in a row.

    Simply put, you cannot trust this company any longer. Their 'fix' is a lie, their statements are lies, and they're trying to save face to avoid the Federal hand of pain bearing down upon them.

    • Is there some reason you DID trust Lenovo at some point?
      • I have a t420s - business grade laptop that I bought for personal use. its what everyone else had at my previous job, they were reliable, they were well built (they really are, even to the level of having a plastic spill-protector layer over the motherboard, inside the case. nice touch.)

        the business grade laptops didn't have this spyware installed and they would probably not risk their business customers.

        consumers: they are fuckable. we can screw them and we don't care. no one respects 'consumers' anymo

    • We know this software has been on Lenovo laptops since June, at the least. So the Oct-Dec statement is a lie. Three straight lies in a row.

      Corporations don't lie. The spokesman was simply "mistaken" in those previous statements.

      Simply put, you cannot trust this company any longer.

      Is there one you can trust? I just prefer to trust none of them, buy the hardware that meets my needs, and nuke it from orbit when it comes in with the OS of my choice with 100% less crapware.

  • by MAXOMENOS ( 9802 ) <mike@mikesmithforor e g o n . c om> on Friday February 20, 2015 @11:27AM (#49094861) Homepage
    Maybe I can get a Lenovo laptop at deep discount and put Mint/KDE on it.
  • Reputation (Score:5, Informative)

    by JohnFen ( 1641097 ) on Friday February 20, 2015 @11:34AM (#49094915)

    Our reputation is everything and our products are ultimately how we have our reputation.

    Well, they'll miss it then! Their reputation is now that they are a sleazebag company willing to compromise their customers security so they can make a few bucks injecting unwanted advertising, then lying about the security risk when they got caught.

    That's a company I will never do business with again.

    • Err... Their reputation wasn't based off of THEIR products.... It was based off of the Thinkpad line that IBM sold them several years ago. People trusted the IBM Thinkpads, and Lenovo acquired that trust when they bought the Thinkpads. It was just a matter of time until they ruined the Thinkpad reputation.
    • by rwv ( 1636355 )
      I'm surprised that anybody believed Lenovo had a good reputation dating back to when they took over the IBM Thinkpad brand of laptops (in 2005) since IBM didn't want it anymore. Prior to that, I haven't heard of Lenovo. After that, I knew of Lenovo as a Chinese company. 'Nuf said.
  • by magarity ( 164372 ) on Friday February 20, 2015 @11:34AM (#49094919)

    As soon as the programmer is finished...

    Oh boy, another case of testing in production.

  • by Rob Bos ( 3399 ) on Friday February 20, 2015 @11:41AM (#49094981) Homepage

    So, they only have one at Lenovo? Explains a few things.

  • by gurps_npc ( 621217 ) on Friday February 20, 2015 @11:43AM (#49094991) Homepage
    February 20, 2015 Dear Andrew, As you may have heard, select Lenovo consumer notebooks shipped after September 2014 included Superfish Visual Discovery software as a shopping aid to customers. Superfish is a TrustE certified third-party software vendor, with offices in Palo Alto, CA. User feedback on the software was not positive and we received some reports of security concerns. Please note that Lenovo has NOT loaded this software on any ThinkPad notebooks, nor any desktops, tablets, workstations, servers or smartphones. The only impacted models are the following consumer notebook series: Z-series, Y-Series, U-Series, G-Series, S-Series, Flex-Series, Yoga, Miix and E-Series. If you use any of these Lenovo consumer models in your enterprise, please refer to the Customer Support information below. While this software does not impact the models typically used by businesses, we wanted to let you know that we take user feedback seriously at Lenovo. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. We make every effort to provide a great user experience for our customers. We recognize that the Superfish software has caused concern. Lenovo has taken steps to address that concern. â Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the software is no longer active. â Lenovo has stopped preloading the software and will not preload this software again in the future. â Lenovo has provided instructions for uninstalling this software and will soon provide a software removal patch. For more information on this, or for instructions on Superfish software removal, please visit http://support.lenovo.com/us/e... [lenovo.com]. We appreciate your confidence in Lenovo. Unsubscribe | Privacy Policy Lenovo reserves the right to alter product offerings or specifications at any time without notice. Models pictured are for illustrative purposes only. Lenovo is not responsible for typographic or photographic errors. Information advertised has no contractual effect. You are subscribed as andrew.coleman@dpw.com. To ensure delivery of Lenovo email offers to your inbox, please add lenovo@update.lenovo.com to your address book. Lenovo and the Lenovo logo are trademarks of Lenovo. All other trademarks are the property of their respective owners. Lenovo 1009 Think Place Morrisville, NC 27560 © 2015 Lenovo. All rights reserved.
  • by JimMcc ( 31079 ) on Friday February 20, 2015 @11:44AM (#49095007) Homepage

    But what about next time?

    What about other vendors?

    The quest to further "monetize" customers that have already paid for a product is one that more and more companies are doing. I understand the business reasons behind it, but what about the consumer's rights? Do we have any let? Superfish is an especially egregious example if this problem. It is, in essence, a back door installed into millions of consumer devices. The penalties on a company should be so severe that they couldn't just make it disappear in one quarter, but not so severe that it forces the company in bankruptcy. In other words it needs to be painful enough that other companies will think long and hard about possibly doing something similar, but stopping short of putting the head of the villain on a stick outside the castle walls.

    Sadly, I think the extent of the punishment will be a little bad press for a few days, then they'll continue on as if nothing had happened.

  • Bring back the old-style Thinkpad keyboards and all will be forgiven.
  • Sure, they reacted quickly but it should never have happened in the first place. The damage to the Lenovo brand is permanent. There are plenty of folks who won't by a Sony product of any kind, for similar reasons.
  • by stasike ( 1063564 ) on Friday February 20, 2015 @11:58AM (#49095137)

    Dear Lenovo CEO Peter Hortensius.

    My shopping experience needs NO enhancements, and especially NO enhancements in form of additional injected ads. I haven't even started talking about you installing appaling security holes and other crapware on MY new computer.

    Your apology has made the situation even worse. I would have appreciated if you said something like "margins on PCs are very thin so we have to take any opportunity to offset the price of Windows licence by installing questionable things on our computers".

    Not that I would buy Lenovo notebook even without this scandal. You do not let users to make backup media with a "factory restore" image. If a disk dies, or if somebody wants to install an SSD to his notebook later on, he has to seek Lenovo technician to get the image with OS.
    The only way to redeem a little bit of respect would be if you started bundling vanilla OS installation media and media with drivers. Like it was done long time ago.

    Yours truly
    *very* pissed off potential customer.

    • by GNious ( 953874 )

      Yours truly
      *very* pissed off potential customer.

      So thats one "pissed off potential customer", with ca 2 billion remaining potential customers who will never hear about, let alone care about this incident, and thus remain non-pissed-off.

  • When are customers ever happy about having their shopping experience "enhanced" especially by adware? I would suggest wiping those computers clean and putting a third party OS install on them as Lenovo has pretty much shown how it views it's customers.
  • he says: "The feedback from users was that it wasnâ(TM)t useful"

    what the users REALLY said was more like: "you compromised our security, you installed spyware and didn't tell us about it or provide the option to opt-out, your uninstaller did not fully uninstall it and we now have to wipe and fully reinstall, costing us all lots of time and money, since a gaping security hole was opened up and god knows what came thru that hole before we knew abou it."

    ceo-speak really is an amazing language to learn. i

  • by the_B0fh ( 208483 ) on Friday February 20, 2015 @12:27PM (#49095323) Homepage

    No, this is not enough. Where is the fucking accountability? The person who proposed this needs to be named, and fired, and any bonuses paid for this need to be taken back.

    You are only sorry you got caught with your hands in the cookie jar.

    This type of shitty nonsense have been going on for years, and I'm surprised that both Microsoft *AND* Windows users just tolerate it.

    *WHY?*

  • by rogoshen1 ( 2922505 ) on Friday February 20, 2015 @12:42PM (#49095417)

    I don't want you fucking around with my 'shopping experiences'. Please, please do not sell my eyeballs to advertisers and claim (even with a wink and a nod) that you are somehow doing *ME* a favor.

  • by ThatsDrDangerToYou ( 3480047 ) on Friday February 20, 2015 @01:03PM (#49095531)
    Sorry, I got nothin. You?
  • by Rudisaurus ( 675580 ) on Friday February 20, 2015 @02:02PM (#49095945)

    "When asked whether his company vets the software they pre-install on their machines, [Lenovo CTO Peter Hortensius] said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."

    Far too little and far, far too late!

    If Superfish was merely not "useful", some people would carp about it and most would just ignore it. It is far more dangerous than that because it deliberately behaves in a way that undermines the integrity of the trust system on which internet is based and so jeopardizes the security of the user. To claim that this was done in order to "enhance" the user's experience is cynical beyond belief. I'm certain Hortensius is right when he says that the software was vetted at Lenovo. I'm also quite sure that it performed precisely the way it was intended to. But who on earth thought that was a good idea?

    There has to be a price to pay for this major failure of judgement and I can only hope that it is both hefty and that it impacts those at Lenovo who were ultimately responsible for it, Hortensius among them.

  • by Wee ( 17189 ) on Friday February 20, 2015 @02:16PM (#49096049)
    You fucking suckhole, at least have the balls to own up to your mistakes. You assholes not only put a shitty MITM attack in the OS, you fucking used the same goddam key so that anyone else could MITM us too?! And not a single person with half a clue ever stood up in that design meeting and asked what a monumental fuck-up that was? Right. Trying to make the "user experience" better by inserting your ads into my TLS-based google searches or my secure bank session? It "wasn't useful"?! Just stop. Stop that nonsense and own your mistakes like a real actual person.

    I've been buying and recommending Thinkpads since the late 90's. I'm using one now in fact (thankfully re-imaged, no thanks to the twatwaffles at Lenovo). I'm never going to do either of those things again. I might have if they had said, "You got us, our bad, we're sorry and it won't happen again". But not anymore. Not with the wishy-washy corporate-speak bullshit.

    Do not fuck with people's stuff for ad revenue. And if you do and get caught, at least fucking own up to it.

    And so now I'm wondering what my next laptop will be. Because it sure as shit isn't going to be a Lenovo...

    -B
  • by sirwired ( 27582 ) on Friday February 20, 2015 @02:49PM (#49096305)

    Obviously the "intent" with this tool was not some sort of alutruistic impulse to "improve our customers' shopping experiences"; the "intent" was to collect some tiny payment per PC in exchange for their users giving up some of their piracy.

    I'm willing to believe they didn't realize the security implications of this junk, but they might as well admit they play the Crapware game all the consumer PC makers do because it makes them money.

"I've finally learned what `upward compatible' means. It means we get to keep all our old mistakes." -- Dennie van Tassel

Working...