Lenovo To Wipe Superfish Off PCs
An anonymous reader sends news from the Wall Street Journal, where Lenovo CTO Peter Hortensius said in an interview that the company will roll out a software update to remove the Superfish adware from its laptops. "As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it." When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."
Got found out ... (Score:2)
... good.
Re: Got found out ... (Score:2)
Yeah, where's the proactive removal of other sketchy software that their CPO's team found during the regular audit?
It's almost like they're only doing this 'cause they've been caught stealin' [youtu.be] user data with SuperPhish.
The lesson here (Score:5, Insightful)
Translation: our laptops are for consumers to buy crap online, and not for any kind of serious work.
Good to know!
Re:The lesson here (Score:5, Informative)
From a partner email regarding the SuperFish software:
"Please note that Lenovo has NOT loaded this software on any ThinkPad notebooks, nor any desktops, tablets, workstations, servers or smartphones. The only impacted models are the following consumer notebook series: Z-series, Y-Series, U-Series, G-Series, S-Series, Flex-Series, Yoga, Miix and E-Series."
Re:The lesson here (Score:4, Funny)
"Please keep buying ThinkPads! Please!"
Re:The lesson here (Score:5, Interesting)
There is a lot of truth to that statement.
It was the cheaper consumer models that were affected. Retail profit margins are so thin that manufacturers and retailers make up for it with preloaded crapware.
Lenovo's business products were not affected by this as these aren't usually preloaded with crap.
The same goes for other manufacturers too. Dell and HP both offer cheap crapware-infested models, along with pricier crap-free business models.
You do get what you pay for.
Re:The lesson here (Score:4, Insightful)
It was the cheaper consumer models that were affected. Retail profit margins are so thin that manufacturers and retailers make up for it with preloaded crapware.
This may have been true at one time, but I don't think it is the case any longer. I think that with the ubiquity of cheap components and the falling price of Windows for OEMs, profit margins have been steadily increasing over the years.
I think it is just that OEMs have become dependent on the revenue stream they get from app developers who want their software included in the base image.
Re:The lesson here (Score:4, Insightful)
They aren't dependent on it, they just don't want to leave a revenue stream untapped.
Re:The lesson here (Score:4, Informative)
You haven't been buying laptops for very long, have you? I've bought:
A Thinkpad 700 (monochrome, not color) in 1994 for about $2100.
A Thinkpad 701c in 1996 for about $2800 (original retail in 1995 was about $3800)
A Thinkpad 560E in 1999 (2 years after release) on sale for about $2600 (nearly $4000 in 1997)
A Toshiba Portege 3440CT in 2001 on a killer sale for $1750 (was $2500 when new)
A Thinkpad T40 in 2004 for $1800
A Sony S360 in 2006 for $600 in a killer sale (original retail approx 2x).
A Sony Z122 - their top of the line model - in 2010 for $800 in a killer sale (original retail approx 2x).
The ubiquity of cheap components has been translating into much cheaper laptops over time. If you look at the profit margins of these companies, they've been pretty stable at 5%-10%. Apple is the only one who's figured out a way to sell cheap components at a huge markup.
Re:The lesson here (Score:5, Insightful)
There is a lot of truth to that statement. It was the cheaper consumer models that were affected. Retail profit margins are so thin that manufacturers and retailers make up for it with preloaded crapware.
Lenovo's business products were not affected by this as these aren't usually preloaded with crap.
So you say, and I am inclined to believe it is so. Nevertheless, Lenovo has demonstrated, in clear and undeniable terms, that profit outweighs the needs of their customers, including the need to have a secure and trustworthy computing platform. They have violated that trust.
"And for that reason, I'm out."
Re:The lesson here (Score:5, Insightful)
Every company's primary goal is maximizing profit. The only difference is in strategy. Some companies try to maximize profits by cutting their own costs by being efficient and making a superior product that customers actually want. Some companies try to maximize profits by bribing politicians to pass laws hindering their competitors. Some companies try to maximize profits by tricking people (e.g. tricking them into buying products that are not as good as advertised).
If the trust that you had violated was your trust that a corporation valued profit over you, then it's time to stop being a consumer and to start farming in your back yard.
Asking a corporation to value its customers more than profit is like asking you to value a corporation more than your children. Neither party should be under the false pretense of the other having unconditional loyalty. This is a mutually beneficial business arrangement that is ended the second either side realizes it is no longer beneficial to them.
What I am getting at is that the problem is not that they placed profit above you. Every corporation (even the good ones) does that. The problem is that they tricked you. "Good" companies don't trick people, not because they don't value profit above all else, but because unlike Lenovo, they actually do care about their reputation (as a means to profit).
Re:The lesson here (Score:4, Insightful)
Most computers these days don't come with a restore disc, let alone a disc drive.
Nowadays they have a compressed restore image on the drive that occupies between four and twenty GB as a restore option, which likely comes with the crapware ready to spring into action(!).
Re:The lesson here (Score:4, Informative)
Nobody does that any more.
In addition the ability of a consumer to install from that disc is about equal to their ability to install Linux. It is not going to happen.
Re:The lesson here = Wipe & Reinstall (Score:3)
No other rational choice.
Re: (Score:2)
...our laptops are for consumers to buy crap online, and not for any kind of serious work....
Considering that Lenovo has a consumer line of laptops and a business line of laptops (the ThinkPad brand), there may be a shred of truth in what you say.
Re: (Score:2)
Translation: our laptops are for consumers to buy crap online, and not for any kind of serious work.
Isn't that the case with pretty much every consumer-level laptop on the market today? This was a particularly bad case of pre-installed crapware, but I can't think of a laptop sold at any American retailer today that isn't guilty of the same.
If you want to do real work, skip windows and put an OS on your laptop that is useful for real work.
Re:The lesson here (Score:4, Interesting)
It seems that MS realizes there is a problem with junkware included with their OS. They can't force manufacturers to not install junkware on the computers they sell, but it looks like MS is trying to do something to alleviate the problem. It also looks like the machines sold on the Microsoft Store are actually quite competitively priced.
Re:The lesson here (Score:5, Insightful)
Except on most of those Signature Edition PCs, they still include a trial of Office 365 :) The HPs on the site have pre-loaded software that helps you buy ink. So, it's halfway true...
It's just other people's trialware or junkware they don't include.
Re: (Score:3)
My wife's MacBook Air came with no crapware preinstalled. My Ubuntu Dell XPS 13 neither.
I have no idea what you're talking about.
readamading compreheminsionation failuration /gwb (Score:3)
Isn't that the case with pretty much every consumer-level laptop on the market today?
The HP business laptops do not ship with crapware.
Wherethehell is IKANREAD when we need him?!
Re: (Score:3)
Not to troll, but you're right. The hardware costs a lot, but they're built like tanks for the most part. Yeah, it's OSX... whatever. Put what you want on it (but that takes the discussion off the topic...)
Anyrate, the biggest bennie is the complete and utter lack of shitware - no "trial" apps you cannot remove, no adware, no bullshit. I didn't have to blow away the HDD and install a fresh OS when I got it, and as a result, there was no scrambling or sorting through the driver mess (especially those "driver
Re: (Score:3)
If I were to use Apple products, I'd have to either use OSX, which I loathe, or replace the OS, which means that there is no point, since I can replace the OS on x86 machines too.
As bad as all that shovelware is -- and it is bad -- this Superfish thing is far worse. It is active spyware that opens your machine up to be easily hacked by anybody.
Re:The lesson here (Score:5, Insightful)
Well, since the crapware came pre-installed, to really show they care they AREN'T providing you with a new system image with it removed. Instead, you are left to remove it yet again if you ever have to reset to factory.... Yay Lenovo!
Re:The lesson here (Score:5, Insightful)
They're taking steps to fix the situation, after having been busted putting spyware on them. That doesn't exactly make them sound honorable.
Re:The lesson here (Score:5, Insightful)
They're taking steps to fix the situation, after having been busted putting spyware on them. That doesn't exactly make them sound honorable.
Worse than just spyware, far worse. They installed a trivially easy-to-exploit vulnerability which affects the security of every web app their customers might ever use.
Re: (Score:3)
Did someone say spyware? I heard revenue stream. I'm just glad companies are working so hard to enhance my shopping experience. Adware that purposefully circumvents data encryption shouldn't be seen as a criminal violation of the CFAA, clearly they are just enhancing it.
Re:The lesson here (Score:5, Insightful)
I have a lenovo laptop, it does serious work just fine. Obviously they care about people like me, because they're taking steps to fix the situation rather than ignoring it.
"Our reputation is everything"
They care about saving face because they were caught which can directly impact sales. It doesn't mean they're going to uninstall the other crapware you're not bitching about right now. When that goes viral, they might remove it then, but make no mistake as to their overall intent of ensuring as many revenue streams as possible.
Re: (Score:3)
So, if a neighbor is caught sleeping with your spouse, and promises to stop, it is now OK?
I'd rather have neighbors and spouses that don't do that.
Re: (Score:3, Insightful)
Why prevent your spouse from having fun? Share the love!
Seems like they should send out DVDs (Score:5, Insightful)
It seems like they ought to be offering to send out fresh system restore images to customers, either via download or by DVD-for-a-small-shipping-fee. A tool which promises to remove the offending infection seems inadequate.
Accountability (Score:5, Interesting)
Someone needs to be fired for this. Someone very high up the corporate ladder. Someone who thinks SuperFish improves the shopping experience. Someone who needs to be blackballed from the industry and die penniless huddled in a cardboard box drinking sterno.
If that doesn't happen, SuperFish and problems like it will continue to happen.
Re: (Score:3)
No, because New Coke. [wikipedia.org]
The American public's reaction to the change was negative and the new cola was a major marketing failure. The subsequent reintroduction of Coke's original formula, re-branded as "Coca-Cola Classic", resulted in a significant gain in sales.
Re: (Score:2)
People in the US executive class fail upwards.
Re: (Score:2)
Lenovo is Chinese. How do executives in the Chinese executive class fail?
Re: (Score:3)
upwards.
That's a stretch (Score:5, Insightful)
The intent of loading this tool was to help enhance our users’ shopping experience.
Shut up. It injects advertising into search engine results, and also has the capability to intercept and hijack SSL/TLS connections to websites, thanks to the installation of a self-signing certificate authority on affected machines. You are not enhancing my shopping experience in any way, but you are doing a great job ruining my computer experience. This is nothing more than classic OEM crapware at its best.
Re:That's a stretch (Score:5, Insightful)
The first follow-up question should be: did / do you have Superfish installed on YOUR computer? I would be really interested to hear how much he valued this 'enhanced shopping experience'.
The simple fact is they willfully shipped spyware. Beyond that, they willfully shipped spyware with the potential to compromise one of the most fundamental security mechanisms Internet users rely on, SSL/TLS, by inserting itself into the authentication chain. Beyond that, the Superfish spyware did compromise SSL/TLS because the private key it uses to generate proxy certificates was poorly protected.
So on the first count we might excuse them; everybody does it, although it's still slimy. On the second count they should have known they were crossing a line and entering deep scumbag territory. On the third count, well, again I guess everybody does it.
Re: (Score:3)
Also dollars. The intent was dollars.
Re:That's a stretch (Score:4, Funny)
People always misuse that word. I think you mean, "infected" ;)
Root Cause (Score:5, Insightful)
The intent of loading this tool was to help enhance our users’ shopping experience.
The belief that the "shopping experience" of their users needed "enhancing" speaks loudly as to exactly how little Lenovo understands.
Re: (Score:2)
Yes.
The assholes have to appreciate that sticking to their core competency is more profitable, in the long run, than fucking with their gear in order to increase CEO salaries.
Re:Root Cause (Score:5, Informative)
They don't believe that. They believe their customers are stupid enough to believe it.
CTO admits Lenovo does not know its customers... (Score:3)
...When asked whether his company vets the software they pre-install on their machines, he said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful...
It is a rare occasion when a C-level exec admits that his company has not got a clue about what its customers want.
Since the marketing team are usually the ones responsible for knowing customer needs, will we be seeing a change in Lenovo's executive suite soon, say a new chief marketing officer?
Trust has been broken (Score:5, Insightful)
we will provide a tool that removes all traces of the app from people’s laptops;
So how do I trust that:
1. This tool will do as it says
2. You won't repeat the process in the future?
The trust with Lenovo has been broken and I can't see what they can ever do in order to restore it.
Re: (Score:3)
Their removal tool is garbage and does nothing to fix any damage done to the cert stores of browsers like FireFox and Opera, and will not fix your Thunderbird cert store either, if any of those were infected.
Re: (Score:3)
They only admitted the problem and provided a removal tool after they were caught. As a parent, I've tried to teach my boys that it is better to admit your mistakes outright and correct them than to wait until you are caught and then try to apologize. The former is more likely to be accepted and forgiven. The latter just shows you are sorry you were caught, not you are sorry you did the misdeed in the first place.
Lenovo isn't sorry for putting Superfish on PCs. They're sorry they were caught.
Simply (Score:2)
we will provide a tool that removes all traces of the app from people's laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we'll issue a press release with information on how to get it.
Pathetic
Useless (Score:5, Informative)
I will guarantee you that this particular 'update' will only take care of the core OS infection. If you have FF, Opera, or Thunderbird, do not expect this to work. You're stuck fixing those programs and their cert stores on your own.
I wouldn't trust Lenovo, anyways. They can't keep a story straight.
First they say 'Between October and December' and then just a few lines later contradict themselves by saying they stopped in January. [imgur.com]
Then they further contradict their words by releasing a security advisory stating they stopped in February. [imgur.com]
We know this software has been on Lenovo laptops since June, at the least. So the Oct-Dec statement is a lie. Three straight lies in a row.
Simply put, you cannot trust this company any longer. Their 'fix' is a lie, their statements are lies, and they're trying to save face to avoid the Federal hand of pain bearing down upon them.
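A defender-side check for the point made in this post and in the "That's a stretch" reply above (Superfish drops a self-signed CA into the system trust store, and browsers with their own stores need separate cleanup). The following is an added example, not Lenovo's removal tool and not code from the thread: it scans a PEM export of any trust store (OS or NSS) for self-signed roots whose common name matches a fragment, and more generally for any self-signed root not on an allowlist. The certificate names and the structure-only sample certificates are constructed test data; the "Superfish, Inc." common name is an assumption, matched only on the substring the thread uses.

```python
"""Added example: scan a PEM trust-store export for unexpected self-signed roots.
Not Lenovo's removal tool and not code from the thread; sample certificates are
constructed, structure-only test data (no real keys or signatures)."""
import base64
import re

OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName, 2.5.4.3
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# ---- minimal DER reader: just enough to reach the X.509 Name fields ----
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the body of a SEQUENCE/SET into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def common_name(name_body):
    """commonName from a DER Name body (SEQUENCE OF SET OF {OID, value})."""
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            if oid == OID_COMMON_NAME:
                return val.decode("utf-8", "replace")
    return ""

def parse_cert(der):
    """Return (subject_cn, issuer_cn) for a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(der, 0)             # Certificate ::= SEQUENCE
    fields = _children(_children(cert_body)[0][1])  # tbsCertificate children
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, spki, ...
    return common_name(fields[4][1]), common_name(fields[2][1])

def self_signed_roots(pem_bundle):
    """(subject_cn, issuer_cn) for every cert whose subject equals its issuer."""
    roots = []
    for m in PEM_CERT.finditer(pem_bundle):
        der = base64.b64decode(b"".join(m.group(1).split()))
        subject, issuer = parse_cert(der)
        if subject == issuer:
            roots.append((subject, issuer))
    return roots

def find_suspect_roots(pem_bundle, name_fragment):
    """Roots whose common name contains name_fragment (case-insensitive)."""
    frag = name_fragment.lower()
    return [r for r in self_signed_roots(pem_bundle) if frag in r[0].lower()]

def unexpected_roots(pem_bundle, allowed_cns):
    """Root CNs not on the allowlist: catches adware CAs whose name you don't know."""
    return [s for s, _ in self_signed_roots(pem_bundle) if s not in allowed_cns]

# ---- constructed test data: a tiny DER encoder builds structure-only certs ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))

def make_sample_cert(subject_cn, issuer_cn):
    """Unsigned, structure-only certificate (constructed sample, not a real CA)."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn) + _tlv(0x30, b""))
    der = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

def build_sample_bundle():
    """A legitimate root, an adware-style root (assumed CN), and a leaf it issued."""
    return b"".join([
        make_sample_cert("Example Root CA", "Example Root CA"),
        make_sample_cert("Superfish, Inc.", "Superfish, Inc."),   # assumed name
        make_sample_cert("shop.example", "Superfish, Inc."),      # not self-signed
    ])
```

Point `find_suspect_roots` or `unexpected_roots` at a real PEM export and the leaf issued by the adware root is ignored while the root itself is flagged.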
Re: (Score:2)
I have a T420s, a business-grade laptop that I bought for personal use. It's what everyone else had at my previous job; they were reliable, they were well built (they really are, even to the level of having a plastic spill-protector layer over the motherboard, inside the case. Nice touch.)
the business grade laptops didn't have this spyware installed and they would probably not risk their business customers.
consumers: they are fuckable. we can screw them and we don't care. no one respects 'consumers' anymo
Re: (Score:2)
We know this software has been on Lenovo laptops since June, at the least. So the Oct-Dec statement is a lie. Three straight lies in a row.
Corporations don't lie. The spokesman was simply "mistaken" in those previous statements.
Simply put, you cannot trust this company any longer.
Is there one you can trust? I just prefer to trust none of them, buy the hardware that meets my needs, and nuke it from orbit when it comes in with the OS of my choice with 100% less crapware.
Reputation (Score:5, Informative)
Our reputation is everything and our products are ultimately how we have our reputation.
Well, they'll miss it then! Their reputation is now that they are a sleazebag company willing to compromise their customers' security so they can make a few bucks injecting unwanted advertising, then lying about the security risk when they got caught.
That's a company I will never do business with again.
a round of testing perhaps? (Score:3)
As soon as the programmer is finished...
Oh boy, another case of testing in production.
"the programmer" (Score:3)
So, they only have one at Lenovo? Explains a few things.
Re: (Score:3)
Hope "the tester" hasn't been let go.
They got caught this time... (Score:4, Insightful)
But what about next time?
What about other vendors?
The quest to further "monetize" customers that have already paid for a product is one that more and more companies are on. I understand the business reasons behind it, but what about the consumer's rights? Do we have any left? Superfish is an especially egregious example of this problem. It is, in essence, a back door installed into millions of consumer devices. The penalties on a company should be so severe that they couldn't just make it disappear in one quarter, but not so severe that it forces the company into bankruptcy. In other words it needs to be painful enough that other companies will think long and hard about possibly doing something similar, but stopping short of putting the head of the villain on a stick outside the castle walls.
Sadly, I think the extent of the punishment will be a little bad press for a few days, then they'll continue on as if nothing had happened.
Dear Peter Hortensius (Score:3)
Dear Lenovo CEO Peter Hortensius.
My shopping experience needs NO enhancements, and especially NO enhancements in the form of additional injected ads. I haven't even started talking about you installing appalling security holes and other crapware on MY new computer.
Your apology has made the situation even worse. I would have appreciated it if you had said something like "margins on PCs are very thin so we have to take any opportunity to offset the price of the Windows licence by installing questionable things on our computers".
Not that I would buy a Lenovo notebook even without this scandal. You do not let users make backup media with a "factory restore" image. If a disk dies, or if somebody wants to install an SSD in his notebook later on, he has to seek out a Lenovo technician to get the image with the OS.
The only way to redeem a little bit of respect would be if you started bundling vanilla OS installation media and media with drivers. Like it was done a long time ago.
Yours truly
*very* pissed off potential customer.
Re: (Score:2)
Yours truly
*very* pissed off potential customer.
So that's one "pissed off potential customer", with ca. 2 billion remaining potential customers who will never hear about, let alone care about, this incident, and thus remain non-pissed-off.
ceo talk translation (Score:2)
he says: "The feedback from users was that it wasn't useful"
what the users REALLY said was more like: "you compromised our security, you installed spyware and didn't tell us about it or provide the option to opt out, your uninstaller did not fully uninstall it and we now have to wipe and fully reinstall, costing us all lots of time and money, since a gaping security hole was opened up and god knows what came thru that hole before we knew about it."
ceo-speak really is an amazing language to learn. i
Where's the damned accountability? (Score:3)
No, this is not enough. Where is the fucking accountability? The person who proposed this needs to be named, and fired, and any bonuses paid for this need to be taken back.
You are only sorry you got caught with your hands in the cookie jar.
This type of shitty nonsense has been going on for years, and I'm surprised that both Microsoft *AND* Windows users just tolerate it.
*WHY?*
To Google, Lenovo, et al (Score:3)
I don't want you fucking around with my 'shopping experiences'. Please, please do not sell my eyeballs to advertisers and claim (even with a wink and a nod) that you are somehow doing *ME* a favor.
Enhancing users shopping experience (Score:3)
"When asked whether his company vets the software they pre-install on their machines, [Lenovo CTO Peter Hortensius] said, "Yes, we do. Obviously in this case we didn't do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation."
Far too little and far, far too late!
If Superfish was merely not "useful", some people would carp about it and most would just ignore it. It is far more dangerous than that because it deliberately behaves in a way that undermines the integrity of the trust system on which the internet is based and so jeopardizes the security of the user. To claim that this was done in order to "enhance" the user's experience is cynical beyond belief. I'm certain Hortensius is right when he says that the software was vetted at Lenovo. I'm also quite sure that it performed precisely the way it was intended to. But who on earth thought that was a good idea?
There has to be a price to pay for this major failure of judgement and I can only hope that it is both hefty and that it impacts those at Lenovo who were ultimately responsible for it, Hortensius among them.
Way to own it, dickhead (Score:3)
I've been buying and recommending Thinkpads since the late 90's. I'm using one now in fact (thankfully re-imaged, no thanks to the twatwaffles at Lenovo). I'm never going to do either of those things again. I might have if they had said, "You got us, our bad, we're sorry and it won't happen again". But not anymore. Not with the wishy-washy corporate-speak bullshit.
Do not fuck with people's stuff for ad revenue. And if you do and get caught, at least fucking own up to it.
And so now I'm wondering what my next laptop will be. Because it sure as shit isn't going to be a Lenovo...
-B
Why do they even TRY with this B.S.? (Score:3)
Obviously the "intent" with this tool was not some sort of altruistic impulse to "improve our customers' shopping experiences"; the "intent" was to collect some tiny payment per PC in exchange for their users giving up some of their privacy.
I'm willing to believe they didn't realize the security implications of this junk, but they might as well admit they play the Crapware game all the consumer PC makers do because it makes them money.
Re: (Score:3)
Hardware keylog me once, shame on me...
Re: (Score:2)
Got a link on that?
I tried googling and all I found is various keyloggers for sale.
Don't forget samsung (Score:5, Informative)
http://www.pcworld.com/article... [pcworld.com]
Samsung also got caught this month injecting ads into TV viewing. They only got caught because they screwed up the algorithm and injected ads into people's personal ad-free videos. And then samsung's genius engineers biffed again by sending the TV microphone pickups back to samsung (which is okay--that's what siri, alexa, cortana, and google do) but doing so unencrypted.
Obviously parasitic ad injection is the single most lucrative way to earn money on the internet. You're doing it just like google does for nearly all its revenue, selling ads and harvesting click-thru data, but you're doing it without the associated cost of attracting customers with a product. No wonder Lenovo wanted this action.
Re:Don't forget samsung (Score:5, Interesting)
Ad injection is quite lucrative. This is what entire companies like Phorm do: intercept in-flight connections and insert ads.
As for ad injection like this, I've seen a number of consumer level PCs route traffic through a local proxy, installing Web browser add-ons to keep the browser switched to the proxy and to inject their own SSL key. The fix was removal, and even then, there were processes that had to be stopped via autoruns, as well as blocked from phoning home via the Windows Firewall (so there wasn't a chance they could do damage even if restarted.)
The exception to this seems to be HP, which might have sample programs on it (Norton, for example), but no crapware that loads in Web browser add-ons. It actually was a shock seeing a new HP consumer laptop actually in a usable state out of the box, without having to go swinging at what starts up with the autoruns pickaxe.
The problem is that companies face zero negative consequences for adding intrusive software like this onto a machine. Joe Sixpack won't know or care that his search engine gets redirected through some no-name third party site so his google search page has flash ads. With the private key out, he won't realize that his banking stuff is compromised until his bank account gets drained.
The fix? As a consumer, either bring your own OS and completely wipe and reinstall the box, or buy a business-line version. Lenovo would not dare to try installing anything like this on the Thinkpad line, just like Dell's Latitude line, and HP's EliteBook line. Of course, there is always Apple, which seems expensive, but if one compares like for like, a MacBook Pro actually has a price advantage to a comparable business line HP or Dell with the same features and chipset.
Re:Sony Comcast Level Reputation (Score:5, Insightful)
Be fair. Sony and Comcast have both blamed their customers and dallied around in court for quite a while before doing anything, or avoided doing anything in some cases. Lenovo reacted within a day. Lenovo may have taken a fall, but there are circles to Hell, and they aren't in the same class as Sony and Comcast.
Only a partial removal? (Score:2)
Some news reports say that the removal tool is only partial. It removes the evil Certs from some browsers but not all. In particular not Firefox. However, it could be that there is yet another fix in the pipeline and that this is what the story is referring to.
Re:Only a partial removal? (Score:5, Insightful)
Well, Mozilla products are defective in this area IMHO. They should use the system certificate stores by default rather than their own. On Windows they should use the Windows store, on OSX they should use Keychain, and on linux/bsd they should use /etc/ssl.
Shipping their own is confusing for end users and forces them to manage multiple trust locations. I can totally see some people wanting to use a different keystore for their web browser than other software uses and having an option would be nice, but it should NOT be the default let alone the only offered behavior. I write this as a long time Seamonkey user, but this would be my biggest complaint.
Re:Only a partial removal? (Score:4, Insightful)
"Well, Mozilla products are defective in this area IMHO. They should use the system certificate stores by default rather than their own."
Nope. Having your own cert store protects you if the primary OS cert store gets fucked.
My god it is like the lessons of granular security have just been totally forgotten, these days.
Re: (Score:2)
I got news for you: if your primary OS cert store gets fucked you are fucked. What do you think your OS uses to validate updates etc.? hmm?
If your OS is compromised there is little (probably no) information an attacker won't be able to get in terms of what you are doing in your browser. So I reject your argument.
Like I said having the option to use its own keystore is a good thing. If you for specific reasons you may have don't want the browser to trust what is in the system store or want the browser to trust som
Re: (Score:3)
"I got news for you if your primary OS cert store gets fucked you are fucked."
Given the history of the NSA and Microsoft, you're better off assuming the OS cert store is fucked in the first place, sir.
There's a good reason to have security on every program with its own rules.
Re:Only a partial removal? (Score:4, Insightful)
The discussion is far from moot. Security also involves mitigation. By assuming your OS is fucked in the first place, you get programs that should in theory provide more security by using their own stuff instead of the OS, thus mitigating (or outright eliminating in some cases) the specific threat to the point of rendering it useless. Thus, even if the OS isn't actually compromised, you've still greatly managed to increase your security over the baseline.
Re: (Score:2)
?!?! what ??! those news reports don't know what they are talking about!!
firefox was not affected by this; it has its own certificate store and this software didn't install any CA in it.
HTTP traffic from all browsers could be viewed and changed by this software, but HTTPS was only intercepted in the browsers that use the system certificate store.
They should charge their customers for the removal (Score:2)
That's ATT's new model. In Kansas you can get a $70 gigabit connection from ATT, but if you want to opt out of the customer abuse plan they charge you $30/mo extra. No, I'm not making that up; they don't call it the customer abuse plan, but that's what it is. The $30 is so they don't track you and monetize you with the scrutiny that only an ISP can do (see Verizon's tracking cookies).
Lenovo should just say the truth: the laptop was $200 cheaper than it would have been because of SuperFish. If you wan
Re: (Score:3)
I might agree with you if their initial response hadn't been lying (they claimed that they thoroughly tested and there was no security risk) and designed to avoid taking real responsibility (we did this for you!)
Re: (Score:2)
There is no "to be fair". This is how these companies and politicians get away with everything. Well, that company came forward and admitted they were raping us, so they are better than the ones that don't admit it.
The answer to that is NO. There will be no raping.
You rape, you lose. Go to jail, lose your business, etc.
Otherwise they just keep raping and just apologize as soon as they are caught. There is no penalty in the "to be fair" model.
If we want them to change they need to know, if they are caught they
Re:Lenovo were already falling (Score:4, Informative)
they'd already turned the thinkpad line into boring mass-market hunt-and-peck-optimised dvd ogling boxes. In that sense, I'd written them off years ago.
Really? I have used both IBM and Lenovo ThinkPads and while the Lenovo ones aren't quite as great as what IBM made, they are still vastly superior to any consumer laptop on the market today. You might be thinking of the IdeaPad line, which looks like a ThinkPad to a small degree but isn't nearly the same thing. The ThinkPads are still solid - and someone else pointed out they don't have Superfish on them, either.
Re:Banned from our approved vendors list (Score:5, Insightful)
It doesn't matter. That they were willing to do this on low-cost consumer machines indicates a lack of judgement that reflects on all aspects of their company.
Re:Banned from our approved vendors list (Score:5, Insightful)
Just fine in bigass-corporate-company land, but the world is bigger than that. A huge amount of US economic activity is in small business, and how many of those have competent IT? This will be a possible opening of a lot of companies for a long time.
Re:Banned from our approved vendors list (Score:5, Insightful)
It also wouldn't affect the corporate world because business-grade PCs were never infected with it in the first place.
However, the real issue -- the one that makes competent companies completely justified in shit-listing Lenovo -- is the argument that if a company is capable of exercising such poor judgement now, then who knows what other poor judgement they might show in the future. Maybe the next "oops" will be a hardware keylogger in Thinkpads or a compromised WiFi firmware or something.
Lenovo may have backpedaled this time, but the malware only happened to begin with because somebody at Lenovo thought it was a good idea. That, by itself, poses an unacceptable risk to any sane customer.
Re: (Score:2)
They were right in thinking that a piece of software that injects crap into and modifies web pages served via https can be considered useful by anyone.
They just got the wrong "anyone."
Re: (Score:3)
My shopping experience is just fine without active MITM attacks.
The ironic thing is that Lenovo has had a good reputation. They inherited the Thinkpad name, and it used to be that it was the go to brand for laptops before Apple jumped in that market. Plus, business-line Thinkpads are pretty secure, be it a decent TPM implementation, fingerprint scanner, and other items.
I just hope they learn their lesson, and this doesn't pop up again, as their products are quite usable.