
Lenovo's Response to Its Dangerous Adware Is Astonishingly Clueless - taylorwc
http://www.wired.com/2015/02/lenovo-superfish/
======
buro9
Microsoft is currently doing Lenovo's work for them:
[https://twitter.com/FiloSottile/status/568800260111388672](https://twitter.com/FiloSottile/status/568800260111388672)

The latest version of Windows Defender is actively removing the Superfish
software _and_ the cert.

The text of the definition is here:
[http://pastebin.com/raw.php?i=us7iXvkn](http://pastebin.com/raw.php?i=us7iXvkn)

~~~
danielweber
15 years ago this would have led to rioting on slashdot and Usenet. How dare
Microsoft remove someone else's software?

I'm generally in favor of MS doing this specific thing, but there is potential
for abuse here.

~~~
rdtsc
No, 15 years ago Microsoft would have been the ones installing it.

I think Microsoft went from being a hated software giant to sort of an
underdog vis-a-vis Google, Facebook, Amazon and Apple.

They are very big and strong no doubt, but I think the attitude they are
projecting since switching CEO recently, their open source efforts, and such
make them look pretty good PR-wise among the tech crowd.

~~~
eggnet
Microsoft has done some shady things, but at no time in Microsoft's history
would they have installed this.

~~~
dredmorbius
NSAKEY ...

Though I believe virtually all preloads were OEM actions, not Microsoft's
directly.

~~~
yuhong
NSAKEY doesn't count either.

~~~
dredmorbius
I've never been fully convinced by arguments on either side of that
discussion. Always struck me as suspicious though.

Hell of a name, you've got to admit.

Bruce Schneier's discussion at the time:

[http://web.archive.org/web/20011005071623/http://www.counter...](http://web.archive.org/web/20011005071623/http://www.counterpane.com/crypto-gram-9909.html#NSAKeyinMicrosoftCryptoAPI)

One of his speculations:

_it is actually an NSA key. If the NSA is going to use Microsoft products for
classified traffic, they're going to install their own cryptography. They're
not going to want to show it to anyone, not even Microsoft. They are going to
want to sign their own modules. So the backup key could also be an NSA
internal key, so that they could install strong cryptography on Microsoft
products for their own internal use._

Though given alternative methods of bypassing any Microsoft security, not
really necessary.

------
JumpCrisscross
It tickles me that Superfish is a DFJ-funded [1] start-up based out of Palo
Alto. Reporters are focussing on Lenovo's Chinese lineage. Yet this bubbled up
out of our backyard, from our own lack of diligence (or scruples).

[1] Edit: Draper Fisher Jurvetson, the $4 billion Menlo Park VC firm that
backed Baidu, Hotmail, Tesla, SpaceX and Twitter.

~~~
pkaye
What is DFJ?

~~~
jgrowl
[http://en.wikipedia.org/wiki/Draper_Fisher_Jurvetson](http://en.wikipedia.org/wiki/Draper_Fisher_Jurvetson)

------
ghshephard
How on earth can Lenovo/Superfish state:

"But Superfish tells us it stands by Lenovo’s assessment. “Superfish is
completely transparent in what our software does and at no time were consumers
vulnerable—we stand by this today.” a company spokeswoman said. “Lenovo will
be releasing a statement later today with all of the specifics that clarify
that there has been no wrong doing on our end.”

Now that an official CERT announcement has been released:

[https://www.us-cert.gov/ncas/alerts/TA15-051A](https://www.us-cert.gov/ncas/alerts/TA15-051A)

I think their misleading comments are going to come back and bite them more
than they have already.

[EDIT - Looks like they are back peddling a little on:
[http://news.lenovo.com/article_display.cfm?article_id=1929](http://news.lenovo.com/article_display.cfm?article_id=1929)

 _" Finally, we are working directly with Superfish and with other industry
partners to ensure we address any possible security issues now and in the
future. "_

 _" By the end of this month, we will announce a plan to help lead Lenovo and
our industry forward with deeper knowledge, more understanding and even
greater focus on issues surrounding adware, pre-installs and security. We are
eager to be held accountable for our products, your experience and the results
of this new effort"_

And on:
[http://support.lenovo.com/us/en/product_security/superfish](http://support.lenovo.com/us/en/product_security/superfish)

 _" Vulnerabilities have been identified with the software, which include
installation of a self-signed root certificate in the local trusted CA store.
... Superfish intercept HTTP(S) traffic using a self-signed root certificate.
This is stored in the local certificate store and provides a security concern.
"_

]

~~~
TillE
> back peddling

Just because I've been seeing this mistake a lot lately: peddling is selling.
Pedaling is the thing you do with your feet.

------
rcthompson
I warned all my friends and colleagues who use Lenovos, and their answers were
all the same. "Who'd be crazy enough to use the default install? First thing I
did was (a fresh reinstall of Windows|install Linux)."

(Edit: Obviously this is not representative of the general population, and I
didn't mean to suggest it was. I was just noting that my efforts to warn
people about the untrustworthiness of Lenovo were thwarted because none of
them trusted Lenovo to begin with, not for software at least, and that seemed
interesting.)

~~~
pjc50
This is repeatedly recommended, but I think it's overlooking that not all
manufacturer customization is entirely evil. You then have to hunt down all the
drivers for bits of the motherboard. Are you sure your power consumption
settings etc are optimal after you've done this? Have you installed all the
drivers "manually" via their inf files? (e.g. Nvidia drivers come with their
own pile of bloatware)

~~~
rogerbinns
Lenovo does this for you with their system updater. It downloads and updates
all drivers for your system, including bios updates and configuration tweaks
that affect power and stability. It will install on a fresh install from
Microsoft media - ie there is no need to keep what was preinstalled on the
system.
[http://support.lenovo.com/us/en/documents/ht080136](http://support.lenovo.com/us/en/documents/ht080136)

~~~
chadgeidel
I don't use those because I don't trust the manufacturer-provided "system
updater" to only download drivers. What's to prevent them from surreptitiously
installing their add-on garbage?

Even if it currently does not do that, I just don't trust it to not do that in
general.

~~~
rogerbinns
The Lenovo one is a continuation of the IBM one. You get to tick what you
want, they show what the existing installed version is, as well as changelogs.
There has never been any misrepresentation. I believe corporate types use the
system updater too, and pissing them off by installing garbage would quickly
annoy valuable customers.

It does not let you install or update the crapware that comes with systems. It
is actually quite difficult to get that stuff other than saving it when you
get a new system. BTW IBM/Lenovo have historically had _way_ less crapware
than other vendors. I think Lenovo got complacent in this case, hearing "you
guys do less crapware than the others" and confusing it with "you are doing a
perfect job". Less worse is not the same as doing good.

Someone's useful add-on is someone else's garbage. They have some software
called Access Connections which provides more gui and control over networking,
such as which access points to connect to based on location profiles and who
knows what else. I don't want that since I mostly use Linux, and Windows does
a good enough job when I am using it. The system updater has never installed
it, nor tricked me in any way.

------
SideburnsOfDoom
While we're at it, Lenovo's statement that we might enjoy the adware: "The
relationship with Superfish is not financially significant; our goal was to
enhance the experience for users" is self-evidently bullshit.

~~~
eli
The key word is _significant_. They're not claiming they didn't preload this
software for money, they're just saying it wasn't for very much money. Such a
small amount of money that they have no problem ending the relationship now
that it's causing them problems.

My wild guess would be they got in the ballpark of $0.25 an install.

~~~
CWuestefeld
A different way to frame the comment might be something like: "we were willing
to sell out your privacy and security for a mere pittance, 'cause we're cheap
whores".

~~~
eli
I assume they didn't intend to compromise security. I think it's more accurate
to say that they stiffed their users with adware that nobody wants in exchange
for a little bit of money, and that they were so indifferent to security and
privacy while doing it that they either didn't notice or didn't care that it
was a fundamentally bad idea.

~~~
bdamm
In my opinion that is worse. Most any clueful technocrat can tell you that
injecting traffic into HTTPS sessions is a MITM attack. I am willing to bet
that fact most certainly did make it to an executive level (certainly at the
fishy company) and a choice was made to not care about that problem.

The road to poor security is paved with indifference.

------
leereeves
The more they deny this is a problem, the more it damages their reputation.

They should just admit the problem, thank the security experts, and develop an
easy fix.

~~~
Ronsenshi
They did admit the problem and linked a page describing how to remove SuperFish.

> We're sorry. We messed up. We're owning it. And we're making sure it never
> happens again. Fully uninstall Superfish:
> [http://lnv.gy/182BW8g](http://lnv.gy/182BW8g)

[https://twitter.com/lenovoUS/status/568578319681257472](https://twitter.com/lenovoUS/status/568578319681257472)

~~~
rdtsc
Only after various rounds of denials followed by backlash against them. Even
their "removal" instruction initially failed to fully remove the root
certificate. Every single step they made PR-wise was too slow and just
reactionary to the backlash. Somebody up there should be fired and replaced.

~~~
Ronsenshi
Oh, OK. Was not aware about that.

------
albertzeyer
Note that Lenovo has now removed the statement from their article:

“We have thoroughly investigated this technology and do not find any evidence
to substantiate security concerns.”

~~~
nissehulth
Looks like they also removed a number of posts in the forum where the
discussion started, including a post where a moderator wrote that customers
asked Lenovo for this kind of service. The same moderator also pointed out
that it was against the community rules to argue with moderators...

------
argos
They changed their statement. Now there is no mention of the issue not being a
"security concern"
([http://news.lenovo.com/article_display.cfm?article_id=1929](http://news.lenovo.com/article_display.cfm?article_id=1929))

------
billhendricksjr
Great... I'm the last person in the startup world still using a PC, and it
happens to be a Lenovo.

~~~
secabeen
Is it a Thinkpad, or a consumer model? The Thinkpads were never involved in
this.

~~~
danieldk
Well, given that they are morally corrupt enough to do this to their
customers, why not expect them to have similar trojans or backdoors on
Thinkpads?

If we assume firmware is safe, wipe it and do a clean install from trusted
media.

~~~
jgrowl
Can we assume their firmware is safe though?

~~~
stcredzero
No. Firmware has been a part of the "trusting trust" conundrum for several
years now.

------
jhou2
I was under the impression that Lenovo supplies a lot of computers to
government and enterprise contracts around the world. Was Superfish only
installed on consumer oriented devices, like the ones typically found at Best
Buy? I realize most large enterprise would re-image their computers before
deployment. I'm shocked that Lenovo would release such a statement. The damage
to its credibility is significant.

~~~
rdtsc
Yes, it was only installed on their consumer oriented machines. Their T model
ThinkPads don't have it installed.

Now the question is of course what else are they installing and what other yet
undiscovered issues we'll find. It sounds like FUD but so far based on their
response, they seem either incompetent (stupid) or malicious. And I don't
exactly like either...

~~~
ZanyProgrammer
I never quite got this distinction between consumer and non consumer machines,
when you can buy high end ThinkPads (but not the blocky T models) at a
retailer, and they are just as nice as the big old blocky ThinkPads.

I'm really interested if a high end (but "consumer") ThinkPad like
[http://www.microsoftstore.com/store/msusa/en_US/pdp/Lenovo-T...](http://www.microsoftstore.com/store/msusa/en_US/pdp/Lenovo-ThinkPad-Yoga-i7-256GB-Signature-Edition-2-in-1-PC/productID.306276200) that
you can buy at a retail store (in this case, a special MSFT Store version that
has plain Windows supposedly on it) was infected.

~~~
rdtsc
I loved (well still do) my T model. It has a strong magnesium case. Very
solid. Heck it lasted 7 years. Including travel and other abuse.

It didn't have bloatware crap installed (as say US govt or big companies would
not like that). It came with a smart card reader and such. Had a fingerprint
scanner (back when they were not common).

Initially also they didn't have all these "consumer" models (Y,G,W,...).

------
belorn
Lenovo's response is not astonishing in the least; it's the expected
behavior. They made a business decision to include adware in order to raise
some extra revenue and then got caught. The default response is to underplay
the importance of it, sweep it under the rug and hope no legal action will
happen.

A few months ago there was a HN story about a car manufacturer who had made
the decision to use cheaper parts for the ignition. They had the critical
internal reports from engineers, and when the deaths started to pile up they
did the same thing as Lenovo. Act clueless, downplay the issue, make a fix,
and silently move on. So long as it's just customer outrage, it is perfectly
fine to do borderline illegal things in order to raise some revenue.

------
halayli
Can someone explain to me how Graham claims he can decrypt the intercepted
traffic? The proxy communicates securely with the intended website. It's just
the browser <-> proxy communication that's vulnerable, but that's local on the
machine, no?

~~~
shawkinaw
I'm wondering the same thing. As far as I understand, the proxy is local to
the machine, so HTTPS traffic over Wi-Fi should be past the proxy and
therefore encrypted using the real certificate.

~~~
Animats
The installed backdoor certificate is trusted as a root certificate. Its
private key is contained in the MITM software, and is now known publicly. So
anyone can now create phony certs signed by the backdoor cert, and Lenovo
machines accept them as valid.

Here is such a page:

[https://badfish.filippo.io/yes.png](https://badfish.filippo.io/yes.png)

That's an image of the word "Yes" signed with the Superfish certificate. If
your browser shows that image without warnings about an invalid cert, the
backdoor exists.

~~~
halayli
Right but this only means you can decrypt data coming from websites using a
starfish cert. It doesn't mean you can decrypt your bank traffic because you
have this proxy installed which is what Graham is claiming.

~~~
Animats
Yes, it _does_ mean others can decrypt your bank traffic.

Here's how this type of MITM attack works.

Situation: user is using laptop in public location with WiFi. Between WiFi
device and net is a computer with MITM software.

Client laptop requests "https://www.bigbank.com".
MITM box gets HTTPS request, sees it is for "bigbank.com", and generates a
fake cert for that site. It then uses the Superfish root cert to sign the fake
cert. MITM box acts as server for that connection and sees the user's traffic
in the clear, unencrypted. The Lenovo client laptop sees a valid cert chain
descending from the Superfish cert installed by Lenovo. The user sees a green
bar and lock icon.

MITM box then opens an HTTPS connection to
"https://www.bigbank.com", and acts as client for
that connection. The two connections are connected together as a proxy, so
that the user sees what looks like a valid HTTPS connection. The MITM box can
log everything, including bank passwords.

There's even open source software for doing MITM attacks:
[https://code.google.com/p/subterfuge/](https://code.google.com/p/subterfuge/)

~~~
halayli
If you have a computer between the user and net, then yes all bets are off
because you can generate certs the browser will trust.

~~~
Animats
Only if the root cert store of the user's machine has been tampered with. If
you have a valid cert store, you can detect MITM attacks on HTTPS connections.
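
The chain-of-trust mechanics described in the two comments above (a forged
leaf signed by a root the client trusts, versus the same leaf against a
clean trust store) can be reproduced offline. The following is an added
example, not code from this thread or from Superfish/Komodia. It mints a
hypothetical interception root (the CA names and the host www.bigbank.com
are placeholders; no real Superfish certificate or key is used), forges a
server certificate for the requested host the way a MITM box would for each
connection, and then runs the browser-side verification twice: once against
a trust store that has the rogue root added, and once against a store that
only holds a legitimate public CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate from tmpl. With parent == nil it is
// self-signed (a root); otherwise it is signed by parentKey.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newRoot builds a CA certificate. The same helper produces both the
// legitimate public CA and the hypothetical preloaded interception CA;
// nothing in the certificate itself distinguishes the two. Both names are
// constructed placeholders.
func newRoot(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return makeCert(tmpl, nil, nil)
}

// forgeLeaf is the per-connection step of the MITM box: mint a server
// certificate for whatever host the client asked for and sign it with the
// interception CA whose private key the attacker holds.
func forgeLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := makeCert(tmpl, ca, caKey)
	return leaf
}

// clientAccepts is the browser-side check: build a chain from the leaf to a
// root in the trust store and confirm the name matches the requested host.
func clientAccepts(leaf *x509.Certificate, trustStore *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trustStore, DNSName: host})
	return err == nil
}

// Demo forges one certificate for host and verifies it against a tampered
// trust store (legitimate CA plus the preloaded interception CA) and a
// clean one (legitimate CA only).
func Demo(host string) (tampered, clean bool) {
	legitCA, _ := newRoot("Legitimate Public CA (constructed)", 1)
	rogueCA, rogueKey := newRoot("Hypothetical Preloaded Interception CA", 2)
	leaf := forgeLeaf(host, rogueCA, rogueKey)

	cleanStore := x509.NewCertPool()
	cleanStore.AddCert(legitCA)

	tamperedStore := x509.NewCertPool()
	tamperedStore.AddCert(legitCA)
	tamperedStore.AddCert(rogueCA) // the preinstalled root is the whole difference

	return clientAccepts(leaf, tamperedStore, host), clientAccepts(leaf, cleanStore, host)
}

func main() {
	tampered, clean := Demo("www.bigbank.com")
	fmt.Println("forged cert accepted with interception root installed:", tampered)
	fmt.Println("forged cert accepted with clean trust store:", clean)
}
```

Run it with `go run`; the first line prints true and the second false. The
forged leaf, the host name and the network path are identical in both runs,
so the only thing that decides whether the user sees a lock icon is the
contents of the root store. That is why removing the program is not enough
and the root certificate itself has to go.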

~~~
halayli
yep. I was referring to superfish's case.

------
somerandomone
That's one example of management being utterly technologically incompetent,
which unfortunately is the case in a lot of Chinese companies.

~~~
Phlarp
Thankfully American companies _never_ have technologically incompetent
managers...

------
tonylemesmer
komodia.com admits to undergoing a DDoS attack at 2300hrs UTC (Fri 20th Feb
2015)

(komodia is apparently the underlying tech for the superfish thingy)

------
harrystone
It is not astonishing that a company that would do this would also lie about
it. They knew what they were doing.

------
eire1130
If anyone knows someone who has purchased an infected Lenovo with Superfish,
send me an email. My wife is a class action attorney and is conducting an
investigation in the matter. Eire1130 (at) gmail (Dot) com

------
jhou2
Kudos to MS, srsly. lol the amount of positive press that MS has been
garnering recently on HN is impressive.

------
fown9
"Beijing-based computer maker Lenovo has reportedly been blacklisted for years
by spy agencies worldwide, as concerns about government-sanctioned Chinese
hacking persist. According to the Australian Financial Review, Australia, the
UK, Canada, New Zealand, and the US have all rejected Lenovo machines for
their top-secret networks since the mid-2000s, though the computers can be
used for lower-security tasks that don't involve sensitive information" [1]

Why buy a laptop from a company that has ties to the Chinese government [2],
an authoritarian government that supports dictators in Africa and totalitarian
government in Russia, oppressing women and children in those countries?

[1] [http://www.theverge.com/2013/7/30/4570780/lenovo-reportedly-...](http://www.theverge.com/2013/7/30/4570780/lenovo-reportedly-banned-by-mi6-cia-over-chinese-hacking-fears) [2]
[http://en.wikipedia.org/wiki/Lenovo](http://en.wikipedia.org/wiki/Lenovo)

~~~
foz
I'd be curious to know what brands or models are considered safe by these
agencies.

~~~
itl12
I think it mentions in the article about agencies having Dell and HP on the
list of allowed companies.

------
whytry
It's kind of hypocritical when the USA loads backdoors into hardware that
VisualDiscovery relies on.

------
mchahn
Last night I fired up a brand new HP stream desktop with windows 8.1 (only
$179!). It had a Superfish icon on the desktop. When I get home I'll check for
the cert.

So maybe Lenovo isn't the only offender.

Edit: Duh. It was snapfish, not superfish. I've been reading about superfish
so much that's what I saw.

------
devy
I found this whole Lenovo Adware-gate very hypocritical. Why does everyone
blame the messenger Lenovo but not the source Superfish? Why? Is it because
Lenovo is a Chinese company whereas Superfish is an Israeli-American company
based in Silicon Valley?

Before this adware-gate, EVERY PC manufacturer bundled adware: HP, Dell, Acer,
Lenovo, Asus to name a few top players (Apple perhaps is the only exception as
I don't count them as a PC manufacturer). Did anyone bother to look if there
were tons of similar security risks with those?

~~~
rdtsc
Lenovo had a chance to redeem itself by apologizing, removing the software and
quickly distancing itself from the company.

They screwed up by denying there was a problem in the first place. Which means
they were defending both their decision to install Superfish as well as, by
proxy, Superfish itself.

Thus they are seen to be either incompetent (can't trust them) or malicious
(also can't trust them).

Also consumers never bought Superfish. They paid for a relatively expensive
piece of hardware from Lenovo and got screwed. They are right to blame Lenovo
for it.

~~~
devy
They did.
[https://twitter.com/lenovoUS/status/568578319681257472](https://twitter.com/lenovoUS/status/568578319681257472)

