
Lenovo Caught Installing Adware on New Computers - cpeterso
http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
======
kentonv
This is much worse than just installing adware. They install a web proxy which
MITMs all web connections, including HTTPS by means of a pre-installed trusted
root certificate.

The root certificate is the same across all installs, and the private key is
present on the machine (necessarily, to operate the proxy):
[https://twitter.com/fugueish/status/568258997578371072](https://twitter.com/fugueish/status/568258997578371072)

Someone will extract the private key in the next few hours, and then HTTPS
will be basically completely broken for all Lenovo users -- anyone will be
able to spoof any site to them.

Uninstalling the app does NOT remove the certificate:
[https://twitter.com/metsfan/status/568265468173107200](https://twitter.com/metsfan/status/568265468173107200)

On the bright side, Firefox does not use the system certificates (it has its
own list) and Chrome will no doubt push an update to block the certificate
promptly.

~~~
grecy
I'm curious what legal stance Lenovo customers have here - their secure HTTPS
connections are being MITMed intentionally - surely that's hacking, or some
national security violation?

~~~
ajmurmann
It's a big company doing it, so it's gonna be fine.

~~~
harbingerzero
It actually depends whether or not the practice is directly or indirectly
agreed to by the user in the Terms of Use, Privacy Policy or similar document.
Now, it's likely that users do agree to it, but if the language in their
policies wasn't broad enough to cover action like this, theoretically it would
be a violation of the Computer Fraud and Abuse Act, as exceeding authorized
use.

~~~
userbinator
Some EULAs basically say "you give permission for us to access and modify any
data in your system"... this is the first example that comes to mind:

[http://en.wikipedia.org/wiki/PunkBuster](http://en.wikipedia.org/wiki/PunkBuster)

These agreements could be summed up in 3 words: "we own you".

~~~
meowface
At least PunkBuster is spying for a relatively noble purpose: preventing
cheating in online games. Cheating absolutely destroys the experience in
multiplayer games and has killed many games.

This is spying with the sole purpose of spreading ads and making money.

~~~
Alupis
So because a few people decide to cheat at a game they paid for, everyone who
paid full price for the game is forced to install spyware which can and does
modify files on your pc, take screenshots as you play the game, monitor your
mouse inputs, keyboard, etc...?

~~~
meowface
I think that is fine, personally. Obviously others might not. You have to
specifically agree to install/allow PunkBuster, and you can choose to play on
servers that don't use PunkBuster. With Lenovo not only is there no opt-out,
but you're not even aware of the adware and root CA installation.

The "spyware" only spies on modifications to the game client in any way and
tries to detect non-human involvement, which of course includes inspecting the
file system and RAM. In theory it could harvest irrelevant information from
your hard drive or memory, but no reverse engineer has ever made such a claim
to my knowledge.

Valve Anti-Cheat does very similar things, but is run by what many consider to
be a trustworthy company, so not that many people take issue with it. If one
trusts the company that distributes the spyware, it's not really a problem, in
my opinion. If Valve were to ever violate that trust, it would severely harm
their business.

I also strongly disagree with DRM, because it only harms other players while
providing no benefits. In contrast, online cheaters can completely ruin the
playing experience for online games, and have heavily contributed to the death
of some games.

I also have no issue if people decide to cheat when in single-player mode. If
you pay for the game you should be able to do whatever you want if you're not
affecting others. It's only a problem when they're playing with other people
over the Internet. PunkBuster and VAC only run when you're playing in online
mode.

~~~
kevin_thibedeau
It's not fine because, as is the case with Superfish, this type of software
leaves gaping security holes that blackhats can exploit no matter how noble
the vendor is.

~~~
meowface
What security holes does PunkBuster introduce? Adware like Superfish and game
client modification detection like PunkBuster are very different kinds of
software. I do not support anything like Superfish.

------
SwellJoe
Jebus, how far the mighty IBM laptop line has fallen under the leadership of
Lenovo. There was a time when a ThinkPad was arguably the best laptop money
could buy. Many companies, including Google, would offer a choice between a
ThinkPad or a MacBook, because those were the really reliable choices that
were free of shovelware.

I even considered buying a Lenovo recently when a pretty nice looking ThinkPad
was on sale, but a couple of friends have had _very_ bad experiences with
their Lenovo laptops. Both have had to go back to Lenovo for repairs; one of
them had to send it back twice, and on the second go around demanded a new one
instead of a repaired one, because the "repaired" one was worse than when it
went in for repairs.

That said, there's "bad QC", which is forgivable with time and a sincere
effort by the company to correct it, and then there's "evil". Intentionally
shipping adware is evil.

Given this, I can genuinely think of no way for Lenovo to ever get my business
for any product.

~~~
pkulak
Is it even possible to buy a Windows laptop right now with only the OS
installed?

This is exactly why I've been recommending Chromebooks to anyone who asks my
advice for about a year now.

~~~
yuhong
You can buy "Microsoft Signature" machines from the MS stores and online.
Hopefully the words will spread.

~~~
BorisMelnik
Wow haven't heard of those before, actually kind of like the idea of buying a
PC and knowing there is an untouched version of Windows on it (unless you
consider IE malware) :)

~~~
lelandbatey
I bought my last laptop this way, and it's been very satisfying to own. There
was no funny business, it's just straight-up Windows. It didn't even have any
stickers on it except for a tiny Intel sticker.

------
nfmangano
I'm surprised that this is just now news. I received complaints from people
participating in our beta trial
([http://sketchtogether.com](http://sketchtogether.com)) from as early as
October 22nd, 2014 that our website was broken, and it was because of
Superfish being installed on their Lenovo laptops. When they uninstalled
Superfish, our webpage started working again.

Superfish injected a line of code that referenced "sf_main.jsp" from a remote
site into all webpages (including ours) that interfered with our code. Here's
a pastebin of the sf_main.jsp javascript file it linked to:
[http://pastebin.com/bZFkfRd5](http://pastebin.com/bZFkfRd5) (I assume the
linked code is not copyrighted, if it is, please let me know and I can take it
down).

~~~
aselzer
Interestingly it is disabled for Google services (making the article's image
irrelevant :). If this regex matches, `nofish` is set true, which disables
superfish:

/^https?:\/\/(www|play)\\.google\\.(?!com\/analytics\/)/i

Also, if you add a <meta name="superfish" content="nofish"> tag, it gets
disabled as well.

Possibly some agreement with Google, like the ones they tend to make with ad-
blockers? ([http://www.theverge.com/2015/2/2/7963577/google-ads-get-
thro...](http://www.theverge.com/2015/2/2/7963577/google-ads-get-through-
adblock))

~~~
makomk
That doesn't disable the part of Superfish that MITMs SSL connections to
sites - in fact, it obviously can't because that check can't even run until
they've MITMed the connection and injected the code that includes those
checks.

------
Animats
The Javascript code shown connects to
"[https://www.superfish.com/ws/](https://www.superfish.com/ws/)". WHOIS for
"superfish.com" gives names and addresses of people in Palo Alto, CA and in
Israel.

The other URL in the code is
"[https://www.best-deals-products.com/ws/sf_preloader.jsp](https://www.best-deals-products.com/ws/sf_preloader.jsp)".
That domain is being blocked by some DNS services right now, but it's up. It's
a Domains by Proxy domain. That code is worth reading. You can tell what it's
looking for as it examines the pages you are browsing. It has a detailed
analyzer for car ad price comparisons, and a simpler one for hotels. It phones
home to "[http://ia1-p:10009](http://ia1-p:10009)", which isn't a valid
domain, but there may be some conversion of that I haven't found. One out of
every 10,000 times, it reports some debug info to
"[https://www.superfish.com/ws/trackSession.action](https://www.superfish.com/ws/trackSession.action)".

There are long lists of sites, both blacklists it avoids and whitelists it
messes with. There's a list of "paying countries":
"IE|CH|ES|US|AU|BE|IT|AT|NO|CA|DE|NL|SE|GB|DK|FR|BR|NZ|AR|MX|CL|CO|RU".

Lots of comments and debug code; it's not obfuscated at all.

Javascript experts, please take a look at this. There might be something
hostile embedded in this adware code, and it may bring in more Javascript.

~~~
tomjen3
Are we absolutely sure that is the company involved? whois superfish.com gives
both his personal email and telephone number. I want to share them on twitter,
but not unless we are absolutely sure.

Fuck that guy and the company he rode in on.

------
CatsoCatsoCatso
I have had first hand recent experience with this. I bought a new Lenovo
laptop at the start of the month.

When I put a new webpage online using my webhost's cPanel to edit the raw HTML
everything seemed fine, until a friend asked about a 'best-deals' script
running on the page. The Malware / Adware was intercepting & inserting a
script not only into pages I was viewing but also pages I was putting online.

Very, very concerning. I have since removed it completely from my system but
it's still caused some paranoia. Thankfully it was only a hobby project which
was affected & not paid.

~~~
troels
I don't believe that.

They would have to have some sort of software that is able to detect that you
are connecting to cpanel and then act on your behalf. That is significantly
more involved and more malicious than "just" intercepting html in flight and
injecting ads.

~~~
CatsoCatsoCatso
If it wasn't intercepted from the cPanel then it may have been intercepted
from the HTML file download from JSbin (which I copied into cPanel).

Either way, this was a downloaded HTML file which was then copied into cPanel.
I never viewed or edited the file between its download from JSbin & pasting
into cPanel.

The Malware was affecting files & not just pages viewed in browser. Nasty
stuff.

~~~
snowwrestler
It's much more likely that your web site or server was exploited directly,
independent of you owning a Lenovo. This happens frequently; there are
sophisticated operations out there scanning for a wide variety of ways into
sites and servers. They pay special attention to shared hosting systems, which
are not known for their high levels of security.

~~~
CatsoCatsoCatso
I don't think it was independent from the Lenovo issue.

See: [http://superuser.com/questions/848853/what-is-best-deals-
pro...](http://superuser.com/questions/848853/what-is-best-deals-products-and-
is-it-malware) [http://stackoverflow.com/questions/27192298/can-not-open-
a-p...](http://stackoverflow.com/questions/27192298/can-not-open-a-particular-
web-site-only-javascript-code-is-on-the-screen)
[http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-
series/Lenovo-P...](http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-
series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-
by/td-p/1726839/page/3)
[http://us.battle.net/wow/en/forum/topic/16283439126](http://us.battle.net/wow/en/forum/topic/16283439126)

The best deals script is the very same which I found on my machine, Lenovo is
written all over this.

------
rodgerd
Interesting that the Superfish job page is looking for an iOS kernel hacker.
And by "interesting" I mean "horrifying".

~~~
0x0
What other purpose beyond the development of drive-by installs of iOS rootkits
can such a job position have in a company like that?! :(

------
belorn
If you are a hardware seller, the dream is to get paid more than once. If your
only revenue is from the sticker price, it's way too easy to fall behind the
competition, or inadvertently start a race to the bottom. A lot of focus has
thus been done towards this goal, like adding adware, development license, a
cut per sold app, data mining, DRM'ed required parts, and so on.

This is a standard consumer protection issue, as the sticker price fails to
represent the actual price of the product. The seller is concealing the true
price, hiding it in the terms and conditions, while putting the blame on the
consumer for not being aware before buying. It's likely false advertisement,
possible misrepresentation in the contract (if the consumer knew the truth,
would that party have agreed?), and very likely a case of fraud. Lenovo seem
to have opened themselves to be sued.

------
BorisMelnik
Well, it seems as though this [superfish] is categorized as a virus on most
websites. From their own description:

"Superfish Window Shopper is a free browser add-on that instantly compares
prices and shows similar items on ANY product in hundreds of U.S. online
stores including Amazon.com, Best Buy, Macys, Nordstorm, Overstock.com,
Staples, Target, and Wal-mart."

So if I have this right, this is essentially a massive _affiliate scheme_ to
produce revenue for the company? If it compares prices on all these sites,
affid='s are injected for Lenovo and a % of the sale is given to them?

Edit: doing the math here on this for the last few hours and even if just a
few million units have been sold, this has to be 10's of millions in dollars
(being very generous) over the past few quarters.

Their reviews are horrible as well. All spam / annoyance related.

------
maryland05
According to various reports, this Superfish adware uses the same certificate
across Lenovo computers. It should be easy to grab the private key out of the
proxy binaries. And then... all these computers are vulnerable to arbitrary
HTTPS man-in-the-middle attacks. Uh oh.

~~~
piannucci
You're assuming that the proxy is on the laptops, no?

~~~
kentonv
Well, the other possibility is that Superfish is routing and MITMing all
traffic through its own servers, which is arguably worse.

~~~
BrainInAJar
arguably? That's orders of magnitude worse

~~~
kentonv
Well, I dunno. In one case Superfish can see all your data and store it on
their servers, in the other case _anyone on the internet_ can spoof any site
(as soon as someone extracts the key). Either way is pretty bad.

But proxying all traffic from all Lenovo laptop owners through a third-party
server without someone immediately noticing a problem is just not feasible, so
I think we can assume that's not what they're doing.

~~~
sliverstorm
Are you sure? Android Chrome proxies all non-HTTPS traffic through a third-
party server, by default. So it isn't like the traffic volume is impossible.

~~~
kentonv
Yes but that's Google. I'd be surprised if Superfish had resources like that,
or could generate that much traffic from their servers and not be noticed (by,
say, Google). I could be wrong.

~~~
kevin_thibedeau
Superfish might have "benefactors" with deep pockets who want a scapegoat who
won't squeal on them.

------
bharad
1. I connect to
[https://encrypted.google.com/](https://encrypted.google.com/) on Firefox and
the certificate says it is verified by SuperFish.

2. Also, my browser.newtab.url was changed to some URL ([http://homepage-
web.com/?s=lenovo&m=tab](http://homepage-web.com/?s=lenovo&m=tab)) instead of
the default about:newtab

Steps to remove VisualDiscovery / Superfish

1. Home menu, search for Administrator tools
2. Open services
3. Find the VisualDiscovery service. Stop the service. Right click properties.
Set "Startup type" to Disabled
4. Start -> Control panel
5. Add/remove programs
6. Find Superfish and uninstall

~~~
taspeotis
From what I understand, you need to go one further and spelunk through your
local machine certificate stores and remove any Superfish certificates. They
are not uninstalled.
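A PowerShell check for the leftovers discussed above (the VisualDiscovery service, the Superfish entry in the installed-programs registry, and a Superfish root certificate in the Windows certificate stores), added here as an example; it is not code from this thread, from Lenovo or from Superfish. Matching on the string "Superfish" in certificate subject and issuer fields is an assumption about how the certificate is named; the store paths and cmdlets are standard Windows PowerShell.

```powershell
# Added example (not from the thread): report, and optionally remove,
# Superfish leftovers. Run from an elevated prompt; without -Remove it only reports.
param([switch]$Remove)

# 1. The VisualDiscovery service named in the removal steps above.
$svc = Get-Service -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output "Service found: $($svc.Name) (status: $($svc.Status))"
    if ($Remove) {
        Stop-Service -Name $svc.Name -Force
        Set-Service  -Name $svc.Name -StartupType Disabled
    }
} else {
    Write-Output 'VisualDiscovery service not present'
}

# 2. Installed-programs entries (64-bit and 32-bit views), reported only;
#    the UninstallString is what Add/Remove Programs would run.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Superfish' } |
    ForEach-Object { Write-Output "Installed: $($_.DisplayName) -> $($_.UninstallString)" }

# 3. Trusted-root stores. The proxy only works because its own CA is trusted,
#    so a certificate left here keeps HTTPS interceptable after the app is gone.
#    'Superfish' as the subject/issuer match string is an assumption.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'
foreach ($store in $stores) {
    $suspects = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' }
    foreach ($cert in $suspects) {
        Write-Output "Root cert in ${store}: $($cert.Subject) thumbprint $($cert.Thumbprint)"
        if ($Remove) {
            # PSPath is the provider path of this certificate item, e.g.
            # Cert:\LocalMachine\Root\<thumbprint>
            Remove-Item -Path $cert.PSPath
        }
    }
}
```

Firefox keeps its own certificate database, so a certificate it shows as "verified by SuperFish" (as reported above) has to be deleted separately in Firefox's certificate manager.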

------
erikschoster
I don't see myself ever bothering to keep the default windows install on a
thinkpad but this really hurts my impression of the company regardless. I've
had my eye on the new X1s and had planned to upgrade my X201 this year but now
I'm having second thoughts.

Who if anyone has taken over the place of great laptop for linux /
development?

~~~
davidw
The new Dell XPS 13 looks like a very nice laptop. I have the previous version
and it works very well with Linux.

~~~
crdb
I used the XPS 13 as my main machine from 2013 to late 2014 (when I switched
to a MBPr). It was a nice machine initially but I found that it ended up
looking pretty tattered (particularly the plastic edge, which looks and feels
cheap and a bit fragile in the long run). Most annoyingly, it had a tendency
to overheat, particularly when dual booting into Ubuntu. After about 20
minutes, I couldn't leave the thing on my knees - had to find a table. Both
the "tablet/screen" and the base were affected.

It was portable and powerful enough, but the MBPr gives me a much better
overall experience. At half, perhaps 2/3 of the price of the 13" MBPr, it
might still be worth it.

~~~
davidw
Yeah, I just can't stomach the thought of paying more for something where
Linux isn't officially supported, so not only do I pay more, but have to deal
with getting rid of MacOS and installing Linux. I can't stand the lack of
focus follows mouse in MacOS X and a lot of the other little things I'm used
to in Linux.

~~~
crdb
I've used both Bootcamp and Fusion for running Windows 8 and 7 (client
insisted on using some Excel files, and some of the plugins only worked on
Windows Excel...) and found both really quite pain free. In fact, whenever I
can't get away with OpenOffice, I just use Fusion/Excel as a standalone app.

In fact Fusion on the MBPr was the first VM app I used that didn't suck; I
used to run various VMs in VirtualBox on the XPS which had, in theory, the
same specs and a better CPU and the lag was worse than ssh into a server on
the other side of the world (not to mention the overheating)...

I hear you on moving away from Linux. You do get a feel, often, that OSX is
consumer oriented and just "gets in the way". On the upside, when you need
stuff, you can usually find it quickly and it just "works". That's the
ecosystem. Still, if I was to go back, it would STILL be on a mac. One of my
former colleagues wiped OSX and installed
[http://nixos.org/](http://nixos.org/), so I'm sure a more popular distro
would work out.

The thing is, well, this will sound like every other Apple addict out there,
but, the hardware quality really makes a difference, and it is quite hard to
explain. The MBPr is the first machine I've ever used that feels "perfect", as
if they got everything right. And with most of my work done on the cloud
anyway, I didn't need absolute top line specs; portability and things like
battery life mattered more. Amongst the other machines in the house is an
X230, which I wanted to get and boost instead of the XPS, but it feels almost
ten years older.

As for price, in early 2014 I spent a few weeks looking for a good standard
dev laptop for the company (which I've since left) and got a good feel for the
alternatives. In raw specs, you can get a cheaper "laptop", something that
will fit a backpack and work for a while unplugged, yes (think W530). If you
need portability though, all ultrabooks at the time were more expensive if
specced to the same level. We did buy a couple W530s and upgraded them a bit
(32GB RAM, etc.) and all their users ended up using them like desktops. I do
not know if this is still the case, probably not, but I've seen many nominally
more powerful "ultrabooks" (like the YogaPad, whose user assured me he had
better resolution than me) fail in other ways; battery life is one, creaky
joints is another. It took me a few more months before I got over my
psychological block and got the base spec MBPr when it came out in August...
One thing to note is that there are corporate discounts; if you or your
friends are employed by a big corp, you can save a few hundred. Also, the
upgrades are REALLY expensive compared to alternatives - why pay 300 dollars
for extra SSD when you can get an SSD-grade, flush-with-the-side card from
Transcend on Amazon for under 50?

------
Animats
This should result in criminal prosecution under the Computer Fraud and Abuse
Act. A Lenovo buyer needs to file a criminal complaint. Now. If your company
buys Lenovo computers, check for this. Just go to "bankofamerica.com", and
read the SSL certificate.

------
rikkus
I used a ThinkPad 700 in 1992 and have bought ThinkPads ever since. Lenovo
keep trying to ruin them while ignoring customers telling them to stop.

A ThinkPad

1. Is robust

2. Is reliable

3. Is black

4. Has only useful software pre-installed, from the manufacturer (e.g. the
Lenovo thing which updates drivers)

5. Has a TrackPoint

6. Has a consistent keyboard layout

7. Has hardware buttons ('mouse', function keys, etc.)

8. Has a functional screen

Every few months David Hill of Lenovo starts crowing about some new ThinkPad
where they've 'innovated' by breaking one or more of these features, usually
the keyboard layout or the hardware buttons. There is then a storm in the
comments, which is ignored, then they put the thing out, and people skip that
model, then they think 'maybe we should listen to our customers' and put it
back as it was. Then they make the same mistake again.

The last two X1 Carbons are a perfect example of this. They turned the
TrackPoint buttons and function keys into 'touch' buttons. Everyone said it
was a bad idea, but they did it anyway, then quickly reversed the decision for
the next iteration.

They're going to keep making this sort of mistake, because there's a problem
in understanding their customers which doesn't seem to be getting fixed - so
it's probably at a high level.

What I'd like to see is another manufacturer step up and make a ThinkPad-ish
line, so that Lenovo can be taught a lesson by having their customers abscond.
They might then realise that they can't keep doing this and put in place a
policy of keeping a line of ThinkPads for their ThinkPad-loving customer base.

Now that they've diluted the brand by making some terrible laptops with
ThinkPad stamped on them, though, (W, E, L series, etc.) they should probably
have some other mark on their 'proper' ThinkPads, i.e. their X and T series.

~~~
DanielBMarkham
Agreed. Somebody really needs to start making Thinkpads again. Lenovo ain't
it. All they've done is manage to kill the brand.

~~~
rikkus
They could rescue it easily, but they're muddled up between their (best
selling, I presume) consumer (including low-end business) and premium business
hardware.

If I was given the job of fixing this at Lenovo, I'd do this:

1. Kill off the ThinkPad brand. It's tainted.

2. Invent a new name for the premium laptops. Something workmanlike, off the
top of my head: WorkStead.

3. Tell the world that the premium business laptops are now called WorkStead.

4. Tell the world what makes a WorkStead laptop, guaranteeing those things
which have been broken repeatedly over the past few years, e.g. consistent
keyboard layout, real buttons for everything.

4. Rebrand the X and T series with this name, but only the ones that deserve
it.

5. Wait for people to again start saying 'Get me a fully loaded WorkStead
T4xx series' like they used to do with ThinkPads, before they had to say 'Let
me check which models they've managed not to ruin recently'.

6. Stop asking people to choose between 3 slightly different Intel wifi cards
within $10 of each other in price, defaulting to the worst one, when they're
buying a $3000 laptop.

... And other brokenness in the configurators.

------
michaelelliot
Just found this: Spy agencies ban Lenovo PCs on security concerns (27th July
2013) -
[http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_...](http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL)

"Multiple intelligence and defence sources in Britain and Australia confirmed
there is a written ban on computers made by the Chinese company [Lenovo] being
used in “classified” networks."

~~~
vxNsr
I thought that had to do with the fact that they're a Chinese owned company
and if say the CIA makes a large order (or any order really) the Chinese
government might step in and force malware to be installed.

~~~
skuhn
I can't see why it would matter, since literally every laptop is made in China
already. Plus the vast majority of computer components.

~~~
hurin
Maybe it's too much of a risk if exposed for the manufacturing industry had
they added a backdoor to a foreign customer's component without their
knowledge?

As opposed to Lenovo agreeing to implement a backdoor? I'm not sure either.

------
pjc50
I'm starting to think we need an equivalent of UL certification or even the
old "BABT approved" stickers for consumer protection.

UL provides a bunch of non-obvious to the user but critical for safety rules
for mains-connected devices. Likewise users are subject to non-obvious privacy
threats from internet-connected devices (leakage of personal information,
injected advertising or referral links). These should be _at least_ clearly
labelled.

So Android devices would get a "yellow" rating for "transmits personal
information securely to Google" and these Lenovo laptops and Samsung TVs would
get "red" for "transmits personal information in cleartext".

------
jgrahamc
Can someone with one of these laptops connect to
[https://www.howsmyssl.com/](https://www.howsmyssl.com/) and post what it
says? I'm curious what cipher suites are used from the proxy to the real site.

~~~
BorisMelnik
not a laptop, a VM that I've built with a similar environment but:

[http://i.imgur.com/YyawOxc.png](http://i.imgur.com/YyawOxc.png)
[http://i.imgur.com/V33bYuv.png](http://i.imgur.com/V33bYuv.png)

~~~
mahouse
I think that is because you're using IE 8...

------
faster
This reinforces my policy of buying laptops with the cheapest drive offered
and replacing the drive with an SSD before the first boot. I run Linux anyway,
so booting Windows has no value for me.

~~~
acadien
Can't you just write all 0's to the drive or just reformat it? Genuine
question here, why would you need to physically replace the drive to ensure
security when you can write to the whole thing?

~~~
toomuchtodo
Would have to re-write/re-flash the firmware as well.

~~~
acadien
What is it that the firmware can achieve? Is the firmware capable of hijacking
data, communicating with the NIC and transmitting data? Or is it somehow
injecting harmful code? I feel like I'm missing something here.

~~~
panarky
Ripped from yesterday's headlines ...

    ... rewrote the hard-drive firmware of infected computers—a
    never-before-seen engineering marvel that worked on 12 drive
    categories from manufacturers including Western Digital, Maxtor,
    Samsung, IBM, Micron, Toshiba, and Seagate.

    The malicious firmware created a secret storage vault that survived
    military-grade disk wiping and reformatting, making sensitive
    data stolen from victims available even after reformatting the
    drive and reinstalling the operating system. The firmware also
    provided programming interfaces that other code in Equation
    Group's sprawling malware library could access. Once a hard drive
    was compromised, the infection was impossible to detect or remove.

[http://arstechnica.com/security/2015/02/how-omnipotent-
hacke...](http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-
to-the-nsa-hid-for-14-years-and-were-found-at-last/)

~~~
sliverstorm
That appears to be the act of a nation-state though. I don't really sweat
those, because I'm pretty sure if the NSA _really_ wants in to my machine, I
can't stop them.

~~~
nly
They don't want in to just _your_ machine though, they want a backdoor in to
_everyones_ machine, by default, without cause.

~~~
sliverstorm
I'm not saying it is acceptable or that it doesn't matter. Just that, when it
comes to my own personal computer, it isn't worth worrying about.

I have a lot of friends who haven't figured out the whole security-as-a-
spectrum thing, and they spend a lot of time giving themselves grey hairs over
adversaries that 1) they can't beat, 2) aren't worth beating, and 3) don't
care about them anyway.

------
gasping
Lenovo going down the drain. All they had to do was continue the Thinkpad
legacy left by IBM. It's honestly breathtaking how badly they've fucked up.
After the touch-based function keys, ruining the trackpoint buttons and now
this. It's unbelievable.

~~~
eikenberry
They brought the trackpoint buttons back on the latest line and you can switch
the F-keys back to being the defaults via a bios setting. Just in case you
were curious.

~~~
yuhong
And they never preinstalled this on ThinkPads as far as I know.

~~~
danieldk
Still, it ruins trust. Apparently Lenovo is morally corrupt enough to inflict
this on their customers. Who knows what else?

One can only hope that they keep Motorola as an independent business unit.

~~~
NameNickHN
That hope is pretty much gone, now.

------
na85
Ugh.

So for "developer-tier" laptops, i.e. not a netbook, does that pretty much
leave Apple as the sole non-shit laptop maker? Is there a chromebook out there
that runs linux pretty well if you pull chromeOS off?

You pay a hefty premium for that backlit Apple logo on the lid, and I'd prefer
to get something a little more down-to-earth.

~~~
deafbybeheading
A colleague uses the Dell XPS 13 and it's pretty good; I'm eyeing that for my
next machine.

~~~
boothead
Watch out, battery life is pretty crap! (About 2 hrs on my < 2yr old one)

~~~
bhayden
The ones just released have a 15 hour battery (which even if it halves, is
pretty good)

~~~
Veedrac
AnandTech says it's genuine: [http://www.anandtech.com/show/8983/dell-
xps-13-review/6](http://www.anandtech.com/show/8983/dell-xps-13-review/6).

------
mrsaint
Some more URLs...

[https://www.superfish.com/ws/sf_code.jsp](https://www.superfish.com/ws/sf_code.jsp)

[https://www.superfish.com/ws/sf_conduit.jsp](https://www.superfish.com/ws/sf_conduit.jsp)

[https://www.superfish.com/ws/sf_conduit_mam.jsp](https://www.superfish.com/ws/sf_conduit_mam.jsp)

[https://www.superfish.com/ws/sfw.jsp](https://www.superfish.com/ws/sfw.jsp)

[https://www.superfish.com/ws/sf_main.jsp](https://www.superfish.com/ws/sf_main.jsp)

[https://www.superfish.com/ws/getCouponsSupportedSites.action](https://www.superfish.com/ws/getCouponsSupportedSites.action)

[https://www.superfish.com/ws/getSupportedSitesJSON.action](https://www.superfish.com/ws/getSupportedSitesJSON.action)

~~~
chinathrow
If I were a company on one of those lists, I would start litigation
immediately.

If you work for SuperFish and read this: I think it's time to learn about
ethics and it's time to walk away from your job NOW.

------
quinndupont
And it has been successfully cracked[1], revealing (potential) associations
with a dodgy SSL redirector [2].

[1] [http://blog.erratasec.com/2015/02/extracting-superfish-
certi...](http://blog.erratasec.com/2015/02/extracting-superfish-
certificate.html) [2] [http://www.komodia.com](http://www.komodia.com)

~~~
SyneRyder
Also worth giving credit to ChuckMcM who was on the right track a few hours
prior:

[https://news.ycombinator.com/item?id=9072815](https://news.ycombinator.com/item?id=9072815)

------
BorisMelnik
Oh, let us not forget the crap PC cleaner program that gets included in the
Superfish install ("a Microsoft Partner"):

[http://i.imgur.com/7cFlZLr.png](http://i.imgur.com/7cFlZLr.png)

[http://i.imgur.com/R4sHowP.png](http://i.imgur.com/R4sHowP.png)

So on a fresh Windows 7 virtual machine with zero apps installed, this program
gives me 200 some errors and wants $49.99 (-$20 for instant savings) to
register the program. This keeps getting better. Typical scam.

------
nly
Hardware manufacturers _cannot_ be trusted with software. One day the horrors
of proprietary firmware will come to light as well, and people will wake up to
this shit.

Dell's entire business line of Latitude laptops have been completely broken
under Linux for 10 months. It took them that long to merely revert the
"keyboard improvements" made between two BIOS revisions, but they subsequently
shipped, and are still shipping, brand new machines without the fix or any
downgrade path. These machines just aren't fit-for-purpose.

Imho Richard Stallman is right if for no other reason than I see no other way
to end all this consumer abuse and borderline criminal negligence. In the mean
time, this debacle sounds Class-action worthy to me.

~~~
ihnorton
People should also file complaints with their state consumer protection
division. There are probably at least one or two AGs who would love to make an
example out of Lenovo (big bad foreign company, etc.).

Here's the complaint form for Massachusetts:
[http://www.eform.ago.state.ma.us/ago_eforms/forms/piac_ecomp...](http://www.eform.ago.state.ma.us/ago_eforms/forms/piac_ecomplaint.action)

------
BorisMelnik
As a Lenovo owner, I'm really pissed off, and offended. I feel violated. I
just can't comprehend how they could think they wouldn't get caught at
something like this. Especially with the current climate of the privacy
movement in the US. This is bad, very bad for Lenovo.

~~~
malexw
I just wanted to echo your sentiments. I bought my T440p last year and have
otherwise been reasonably happy with it (though not entirely, due to the iffy
trackpad). Fortunately the first thing I did was replace the hard drive.
Despite that, I'll never buy another Lenovo product. I have completely lost
confidence in the company.

------
jamesmcq24
Was just about to purchase a lenovo... although I would have wiped it and
installed linux immediately this has caused me to look elsewhere. when will
companies learn this kind of behavior is toxic to their business?

~~~
Untit1ed
Unfortunately a very small proportion of potential customers are going to hear
or care about this... it's about as toxic to their business as stepping in
some stinging nettles is toxic to me.

~~~
EpicEng
I don't know; if this gets into the news cycle (which it should), I think it
will be a huge problem for lenovo. The people buying one of these to run Linux
likely already understand the implications and are reading about it now. The
rest of the consumer base need only hear "someone can intercept your banking
password" and they will take notice.

There has been an uptick in computer security related news stories lately. I
think the tide may be changing, albeit slowly.

------
ChuckMcM
I'll just leave this out there: [http://www.komodia.com/products/komodia-redirector/](http://www.komodia.com/products/komodia-redirector/)

~~~
Matt_Cutts
Download Valley, man.

------
cssmoo
This is why I do a flat install on every new machine I get.

Also, why are we bitching just at Lenovo. There are software developers out
there writing this shit. Name and shame the companies and staff. There needs
to be a no hire and no do business with list.

Ethics go all the way down.

I'm rather disappointed though as I've recommended Lenovo hardware recently to
people and use an X201 myself.

~~~
prodigal_erik
If a guy is demonstrably capable of writing malware, and we all refuse to hire
him to do anything else, he will probably write more malware rather than
starve.

~~~
cssmoo
Interesting and well thought out point.

------
superuser2
Lenovo was the last respected PC laptop brand. Is there anyone I can trust to
sell me a well-made laptop anymore besides Apple?

~~~
rozap
Asus is about it.

~~~
Maakuth
I thought so too, but my recent experience with a Zenbook has changed my view.
WiFi drivers were so bad it took half a year after my purchase before the
connection became stable (not dropping every 15 minutes requiring a reboot).
Touchpad drivers were also a mess with awful kinetic scrolling. And just
couple of weeks ago it stopped booting Windows altogether (something related
to ACPI I guess, Linux works if I don't use suspend). Conveniently one month
after the expiration of the warranty.

~~~
wvenable
Despite the initial problems, I like my Zenbook.

The WiFi drivers are made by Intel, but yes, they were terrible (blue screen).
I had to downgrade back to the drivers that came with Windows for while but
the latest versions seem to be fine. I'm using some stock touchpad drivers
that don't seem to have any kinetic scrolling.

But I'm the person who brought this to the attention of Hacker News:
[https://news.ycombinator.com/item?id=8546702](https://news.ycombinator.com/item?id=8546702)

Basically after installing just about everything the laptop comes with, it
seems to be running great. :)

------
ntakasaki
I am guessing the Lenovo machines that are bought from the Microsoft Store are
free of this, because of the Signature PC program, might be worth the extra
cost if any and the trip there to get a crapware free machine.

~~~
crimsonalucard
why risk it.

------
gerty
I love my Thinkpad and couldn't think of using anything else. I value it for
the hardware and buy it without pre-installed OS, so this wouldn't affect me
anyway. Superfish is however an absolute clusterfuck on behalf of Lenovo,
though at least it was caught rather fast unlike the Sony rootkit. One thing I
really value in Lenovo is their customer service and as a long-time customer,
I'd expect some people to get fired, a heartfelt apology and a compensation
for those affected. It's their PR image on the line. Just don't be f***ing
Sony.

------
r721
I wonder what are the legal repercussions of this, can't someone sue them?

~~~
BorisMelnik
I think worse than that, I see criminal charges being brought up for this
including fraud, theft, etc.

~~~
technomancy
Theft? Seriously?

~~~
BorisMelnik
They were making money (tens of millions) from software illegally installed,
so definitely.

~~~
technomancy
Do you know what the word "theft" means?

------
apaprocki
Proof that this has been happening since at least December 2014:
[http://itnerdysoldier.blogspot.cz/2014/12/where-does-this-ww...](http://itnerdysoldier.blogspot.cz/2014/12/where-does-this-wwwbest-deals.html)

------
wsha
Superfish really creeped me out last November when I got a new Lenovo laptop.
I first noticed it when using Firefox with NoScript. A script from best-deals-products.com
was being blocked on every site that I went to (I never unblocked
it so I can't confirm the statement about Firefox not being affected). It took
me a while searching around to figure out it was the Superfish program. Rather
than uninstall the program, I nuked the disk and installed the vanilla Windows
from Microsoft.

I bought the Lenovo because I was really annoyed with Apple when my MBP died
just after the 3 years of AppleCare I paid for expired on my 2011 model
(notorious for failing: [https://mbp2011.org/](https://mbp2011.org/), I guess
I can't win with laptop vendors). It was my first time working with OEM
Windows in a while (laptop before the MBP was a Dell in 2005) and I was
surprised at how much more bloatware vendors thought they could stuff into a
new laptop compared to the past. Next time I guess I will either go back to
Apple or get something that comes with Linux installed just to avoid the
Windows bloatware.

------
spacefight
There is at least one possible solution for the near future: prohibit computer
vendor by law to accept money or other compensation for pre-installing _any_
kind of 3rd party software except the bare naked OS.

This shit must stop.

------
ryan-c
Since this certificate is unconstrained it can probably be used to sign
drivers...

------
andrewchambers
First thing I also do on a new PC is reinstall the OS from scratch and get rid
of all the preinstalled shit.

~~~
AlexeyBrin
Your strategy works only if you have a clean copy of the OS or you buy one
(since the thread is about Lenovo I assume you are talking about Windows).
Typically, a new PC doesn't come anymore with a copy of the OS, but with a
hidden _recovery_ partition that will basically let you do a factory reset
(meaning all the crap will show up again).

~~~
cdr
Microsoft itself has provided Windows installation media for download since
Windows 8, including Windows 7 media. All you have to do is read your key off
BIOS or the sticker.

And of course Windows 10 will be a free download.

~~~
sliverstorm
Unless things have changed, usually the sticker key is only valid for a
certain kind of media. E.g. VLK's only work with VLK images, retail keys only
work with retail images...

~~~
ptaipale
Just recently installed Windows 7 Pro on a HP ProBook thing:

\- looked up the Windows and Office license keys of the existing installation,
using a utility

\- download Windows 7 disk image from Microsoft and burn on a DVD

\- take out the old disk with recovery partitions and installation with crappy
bloatware

\- put in a new SSD disk, boot DVD to install OS and install Office

\- download and install HP specific drivers for peripherals (display adapter,
fingerprint reader, wlan/3g, whatever)

\- enjoy a relatively bloat-free Windows experience with improved battery life

~~~
CptMauli
I did the same, worked flawlessly. The only PITA was to put the ISO image on
an USB stick.

~~~
techtics
It shouldn't be. You either use the "Media Creation Tool", which can also
download the ISO, or you use the "Windows USB/DVD Download Tool".

[http://windows.microsoft.com/en-us/windows-8/create-reset-re...](http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media)

[http://wudt.codeplex.com/](http://wudt.codeplex.com/)

------
adamnemecek
How to kill a brand in 1 easy step: do this.

------
mbrubeck
The article says that Superfish _" injects third-party ads on Google
searches."_ Does that include
[https://encrypted.google.com/](https://encrypted.google.com/) in Chrome and
Firefox, or do key pinning and HSTS preloading successfully prevent that?

EDIT: According to another comment here, HTTPS connections in Firefox aren't
affected because they don't use the system certificate store. But what about
Chrome - do users see an error on pages with pinned keys, or is the proxy
smart enough not to attack those connections? Or does it also disable Chrome
security features like HSTS and key pinning?

~~~
pencilo
Locally added CAs override pinning, so no, it won't help.

------
amatwl
Hopefully Redmond will give hell to Lenovo for this.

Also, apparently this is just the start for crapware on new PCs - Paul
Thurrott said on the podcast Windows Weekly about a week ago that crapware is
going to get a lot worse this PC cycle.

~~~
cbd1984
> Paul Thurrott said on the podcast Windows Weekly about a week ago that
> crapware is going to get a lot worse this PC cycle.

Did he say why?

------
Cass
As a non-technical user with a newish Lenovo laptop, is there some way I can
make sure I'm not affected by this?

~~~
maxerickson
Learn how to view a certificate in Chrome or Internet Explorer:

[https://support.google.com/chrome/answer/95617?hl=en](https://support.google.com/chrome/answer/95617?hl=en)

Then look to see if the certificate for a secured site lists Superfish:

[https://twitter.com/kennwhite/status/568270748638318593/phot...](https://twitter.com/kennwhite/status/568270748638318593/photo/1)

(That doesn't prove it isn't on your computer, but it will show if it is
actively intercepting your connections)
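
An added example, not part of maxerickson's comment and not Lenovo's, Superfish's or the article's code: the same two checks scripted with Python's standard library only. `check_live_connection` reports who issued the certificate a site presents to this machine, validated against the OS trust store, so a Superfish-minted certificate chains cleanly and shows up in the issuer rather than as an error. `check_windows_root_store` walks the Windows ROOT store (the one IE and Chrome consult) for a Superfish certificate, which covers the case maxerickson notes where the certificate is installed but not currently intercepting. The `ssl.enum_certificates` call only exists on Windows builds of Python; elsewhere that check reports nothing.

```python
"""Added example for the Superfish thread: is this machine affected?
Standard library only; the hostname in __main__ is just a demonstration target.
"""
import socket
import ssl


def issuer_mentions_superfish(cert):
    """Given a dict in the shape returned by SSLSocket.getpeercert(), return
    True if any issuer attribute contains "Superfish". getpeercert() encodes
    the issuer as a tuple of RDNs, each RDN a tuple of (attribute, value)."""
    for rdn in cert.get("issuer", ()):
        for _attr, value in rdn:
            if "superfish" in str(value).lower():
                return True
    return False


def superfish_roots_in_store(der_certs):
    """Byte-search DER-encoded certificates for the string "Superfish".
    The subject name is stored as a plain (Printable/UTF8) string inside the
    DER structure, so a substring search flags it without an X.509 parser.
    Returns the matching DER blobs."""
    return [der for der in der_certs if b"Superfish" in der]


def check_windows_root_store():
    """Enumerate the Windows machine ROOT store. Returns None when the
    platform has no such store (ssl.enum_certificates is Windows-only)."""
    if not hasattr(ssl, "enum_certificates"):
        return None
    ders = [der for der, _encoding, _trust in ssl.enum_certificates("ROOT")]
    return superfish_roots_in_store(ders)


def check_live_connection(host, port=443, timeout=5):
    """Connect to host over TLS using the default context (which on Windows
    loads the system trust store), fetch the validated peer certificate, and
    report whether its issuer is Superfish. Needs network access. Note that
    validation succeeds if the Superfish root is trusted: the interception is
    invisible to the TLS library, which is exactly the problem."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return issuer_mentions_superfish(cert), cert


if __name__ == "__main__":
    found = check_windows_root_store()
    if found is None:
        print("Not Windows; root-store check skipped.")
    else:
        print("Superfish certificates in ROOT store:", len(found))
    intercepted, cert = check_live_connection("www.google.com")
    print("Live connection intercepted by Superfish:", intercepted)
    print("Issuer:", cert.get("issuer"))
```

The live check tells you what an application using the OS store sees right now; the store check tells you whether the root is still present after an uninstall, which is the part the uninstaller was reported not to clean up.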

------
HackinOut
TheNextWeb does a poor job at reporting technical facts:

 _" [...] its own self-signed certificate authority which effectively allows
the software to snoop on secure connections [...]"_

 _" [...] the certificate allows the software to decrypt secure
requests[...]"_

As kentonv reported, it's actually the local proxy, installed by the
ad(Mal?)ware which is at the center of the MiTM attack. The root, self-signed
certificate is installed in order for the attack to be transparent to the
victim (i.e. no warning in browser).

------
JoshTriplett
Given that antivirus products detect this as malware, does Lenovo not install
any antivirus on their systems, or do they install a substandard one that
fails to detect it?

------
krisgenre
One more good reason to not buy a laptop with pre-installed OS.

------
geococcyxc
It would be interesting to investigate whether the uncovered private key is
shared by all the other customers of the SSL interceptor as well
([http://www.komodia.com/products/komodia-redirector/](http://www.komodia.com/products/komodia-redirector/)
as mentioned by ChuckMcM earlier). Their references there mention Barracuda
Networks and Astrill, for example.

------
atian
About a week ago I was trying to troubleshoot Nitrous.io for a friend because
she had complained that it wasn't establishing a connection. We discovered
along the way that there was an odd line of Javascript on the page that
immediately had me assume that her computer was infected with a virus.

A Google search on the filename had others saying that it was removable by
uninstalling some Lenovo Utility preinstalled.

------
markbnj
Just one more very good reason why the first thing I do with a new OEM machine
of any kind is reformat and reinstall from my own media.

------
b3b0p
My dad saw this post and asked that I post the following here for him. He
didn't want to make an account:

"Why do it if you are Lenovo? Well it seems clear to me that there was a
financial inducement provided by superfish. I mean Lenovo is not loading
software unless they are financially benefited. Come on.

As far as other inducements go, consider this. Two weeks ago I got an
expensive, new Lenovo machine. Got it running just fine, thank you, and then I
download Chrome from what was very, very clearly identified as google.com. Who
do you trust man. Fired it up and immediately my machine locked me out and
became unresponsive. Called Lenovo and for $200 worth of Lenovo.premiumsupport
they fixed it and gave me 10 months of additional support. $20/month for 10
months on top of a normal laptop margin does not provide much of an inducement
to cease and desist."

------
facepalm
How do you safely install Mozilla Firefox if you have a broken certificate
store?

~~~
vacri
Sneakernet.

------
jimktrains2
I'm assuming this only affects you if you're running windows? (Honest
question, it's not some firmware based thing from what I've read, but just
checking).

~~~
mahouse
Of course... It's just a certificate and proxy that comes by default with the
OS as it comes from their factory. You can uninstall the certificate,
reinstall Windows, install Linux, etc. and the problem will disappear.

------
jbarham
I quite like my new Lenovo M73 "Tiny" desktop [1]. It's fast and silent and
really is tiny.

But as far as adware/malware is concerned, that's a non-issue for me as the
first thing I did when I got the machine was to replace the Windows drive with
an Ubuntu SSD.

[1]
[http://shopap.lenovo.com/au/en/desktops/thinkcentre/tinys/m7...](http://shopap.lenovo.com/au/en/desktops/thinkcentre/tinys/m73-tiny/)

~~~
itg
I replace my laptop OS with linux too but I don't want to financially
contribute to companies that pull shit like this. Lenovo isn't going to change
their practice unless sales take a hit or get into a legal mess. I'll
personally will not buy any more Lenovo hardware, and those new Dell XPS
laptops look pretty nice anyway.

------
skizm
So now MBP is really the only laptop option, unfortunately. (Not because I
don't like Apple, I'd just rather there be some competition.)

------
_Adam
Stupid. I don't understand their motivations - are they making such a huge
amount of money from this?

Lenovo doesn't stand out as much as they used to. Dell/HP/Apple make pretty
great business laptops these days. If everything else is equal and I know the
competitor (for example) won't install adware, then why would I ever buy
Lenovo again?

------
joe_the_user
I presume the next step is adware installation in the flash of the system's
boot drive.

------
mherrmann
Unbelievable. Guess switching to Apple from Lenovo last autumn wasn't the
worst choice.

~~~
TallGuyShort
Because Apple things never get hacked. Right?

~~~
snsr
No, because Apple doesn't pre-install malware on their systems.

------
negamax
Superfish. How apt.

~~~
userbinator
More like Super _phish_.

~~~
negamax
Exactly

------
romanovcode
This is why first thing I do after getting a new PC/Laptop is get precise
Windows version, download it to USB and do full-format/reinstall.

Not only does it clean all the bloat from vendors, but now it will also remove
malware.

------
thewizardofmys
So basically I have to pay for the hardware and then see annoying ads too?

~~~
gchokov
I wish it was that simple.

------
jorgearturo
I feel bad for Lenovo's customers, but I also feel bad for people who bought
Lenovo stock, thinking they were investing in smart people who wouldn't risk
on such a shitty strategy.

------
MM1102
If anyone bought one of these, feel free to contact me. I am a lawyer and we
handle consumer class actions. I would like to hear what you have to say.

------
disputin
Is this sort of thing more tolerated in China where people are used to having
explicit network interference, eg great firewall?

------
bodecker
Superfish, the movie [http://imgur.com/WT33KBJ](http://imgur.com/WT33KBJ)

------
swang
Does anyone know when this started happening (installing of superfish)? Seems
mid-2014 according to the article?

------
synkarius
This is like the Avast spyware story: once you break trust, it's really
difficult to get it back.

------
srj
It looks like this certificate can also be used to codesign malware that can
then run as a superuser.

------
jacquesm
And I thought I was paranoid by swapping out the drive on the day I bought my
new laptop.

------
cesarb
I have to ask: can this root certificate be used for code signing?
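
An added example, not from ryan-c, srj, cesarb or anyone else in the thread, and not Superfish's or Lenovo's code: how to answer the code-signing question for any certificate you hold as DER bytes, using only the standard library. It walks the DER structure, collects every OID it finds (recursing into the OCTET STRING that X.509 wraps each extension value in), and applies the rule CryptoAPI uses when building a chain: a CA certificate with no Extended Key Usage extension is accepted for every purpose, code signing included, while one that carries an EKU is limited to the purposes it lists. The `sample_extensions` helper builds a constructed extensions block so the script runs offline; on an affected machine you would pass in the root's DER bytes instead (for example one of the blobs `ssl.enum_certificates("ROOT")` returns on Windows). Whether the root actually lacks an EKU is what ryan-c asserts; this is how to verify it.

```python
"""Added example for the Superfish thread: what purposes does a root allow?
Standard library only. The DER walker is deliberately minimal: it collects
OIDs and ignores everything else."""

EKU_EXTENSION = "2.5.29.37"          # id-ce-extKeyUsage
ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def _decode_oid(value):
    """Decode OID content bytes into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def collect_oids(der):
    """Return every OID appearing anywhere in a DER blob, in document order.
    Constructed tags (SEQUENCE, SET, explicit [n]) are recursed into. OCTET
    STRING is primitive, but each X.509 extension value lives inside one, so
    its content is tried as DER too; opaque blobs that fail to decode are
    skipped."""
    oids = []
    pos = 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        if tag == 0x06:
            oids.append(_decode_oid(value))
        elif tag & 0x20:              # constructed
            oids.extend(collect_oids(value))
        elif tag == 0x04:             # OCTET STRING: possibly an extension value
            try:
                oids.extend(collect_oids(value))
            except (ValueError, IndexError):
                pass
    return oids


def allowed_purposes(der):
    """None means unconstrained (no EKU, or anyExtendedKeyUsage present);
    otherwise the set of id-kp purposes the certificate is limited to."""
    oids = set(collect_oids(der))
    if EKU_EXTENSION not in oids or ANY_EKU in oids:
        return None
    return {o for o in oids if o.startswith("1.3.6.1.5.5.7.3.")}


def can_sign_code(der):
    """True if a chain through this certificate is accepted for code signing."""
    purposes = allowed_purposes(der)
    return purposes is None or CODE_SIGNING in purposes


# --- constructed sample input so the example runs without a real certificate ---

def _tlv(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def sample_extensions(eku_oids):
    """Build an X.509-style [3] EXPLICIT extensions block: basicConstraints
    CA:TRUE, plus an EKU extension listing eku_oids. eku_oids=None omits the
    EKU entirely, modelling an unconstrained CA certificate."""
    basic = _tlv(0x30, _oid("2.5.29.19") + _tlv(0x04, _tlv(0x30, _tlv(0x01, b"\xff"))))
    exts = basic
    if eku_oids is not None:
        inner = _tlv(0x30, b"".join(_oid(o) for o in eku_oids))
        exts += _tlv(0x30, _oid(EKU_EXTENSION) + _tlv(0x04, inner))
    return _tlv(0xA3, _tlv(0x30, exts))
```

One caveat on the "sign drivers" half of the question: this decides whether CryptoAPI accepts a chain for the code-signing purpose, which is what Authenticode on user-mode binaries checks. 64-bit kernel-mode driver signature enforcement instead requires a chain to Microsoft's cross-signing roots, not to whatever sits in the local ROOT store.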

------
jussij
What a great way to destroy a brand!

I know which laptop I will never be buying.

------
buildops
What do you recommend instead?

------
OscarCunningham
Would it be correct to assume that this doesn't affect any of the thinkpads
used at IBM?

~~~
TallGuyShort
If they've installed Windows themselves (as I suspect many enterprises have)
it's probable, but I wouldn't say it's correct to assume. There's a test I've
seen being shared around by people who are fairly trusted in the tech
community that uses an image (supposedly) signed with the private key to see
if the certificate is installed:
[https://filippo.io/Badfish/](https://filippo.io/Badfish/). If I were you I'd
_at least_ check that out.

------
PhoenixWright
Wow. I just bought my first Lenovo product recently, a Q190. I will not be
purchasing anything from them again.

~~~
bobbles
Yeah this is really disappointing. Lenovo had become my 'goto' recommendation
for people looking for a laptop.

Sure as hell not going to be doing that any more.

------
elcct
That's funny how today I finally convinced myself into buying Lenovo laptop. I
guess I was wrong.

------
jsta
So, what you're saying is that people still use the hard drives that come with
their laptops.

Interesting....

------
ibz
Not to minimize Lenovo's guilt for pre-installing adware and not to say
MITMing HTTPS is fine - it is not! But... I'd rather have a laptop that injects
ads in my Google searches than one that sends all my data to some three-letter
agency in the US. That being said, we might one day find out that all the
Chinese laptops and routers are also sending all the data over to China...
That's when the whole story will start being really funny!

