
Lenovo Statement on Superfish - mmastrac
http://news.lenovo.com/article_display.cfm?article_id=1929
======
eropple
> We have thoroughly investigated this technology and do not find any
> evidence to substantiate security concerns.

I try to be measured around here, as hard as I can. I can't formulate a polite
way to respond to this claim.

Lenovo, you are full of shit, and maliciously so. There is no excuse, nor
forgiveness, for what you've done here.

~~~
pja
Can you ever imagine Apple pulling a stunt like this? No, because it’s
astonishingly user hostile: Lenovo should be hanging their head in shame, not
making out like it’s no big deal.

~~~
noddingham
The big difference is you don't mind when Apple does things like this. If you
have "Hey, Siri" enabled then your phone's microphone is on all the time
listening to everything you say. But I don't see a lot of people crying foul
over that.

~~~
tormeh
The difference being that only Apple (and the US gov) can listen in, not the
entire world.

~~~
IanDrake
Huh? How so?

------
throwaway41597
> Users are not tracked nor re-targeted

Have a look at code delivered by Superfish:

[https://www.superfish.com/ws/sf_preloader.jsp](https://www.superfish.com/ws/sf_preloader.jsp)

[https://www.superfish.com/ws/sf_code.jsp](https://www.superfish.com/ws/sf_code.jsp)

And grep for track and retarget. Just two snippets:

    var url = sfDomain + "trackSession.action?userid=" + similarproducts.b.qsObj.userid + "&sessionid=-10&action=ud_host_failed";

and:

    function isRetargetingEnabled(){
        if( similarproducts.b.enableRetargetingUnit && !isRetargetingBlackList()){
            return 1;
        } else{
            return 0;
        }
    }

~~~
omegaham
Outstanding. It's like a ridiculous Law & Order episode where the defendant
goes "I wasn't even in town that night."

"So what's your face doing on all of these security cameras at the scene of
the crime?"

"... uh..."

~~~
shpx
So just to be clear, because I find this hard to believe, they are straight
up, 100% lying? Or is this taking some hash generating code out of context or
something?

~~~
throwaway41597
It's hard to judge without digging into this spaghetti mess of files. But
having the word retarget in your code seems like straight up lying to me.

Tracking is more ambiguous a word and I couldn't find where they define the
userid. But however it is generated, it reads like it's unique. And in order
to retarget users, you'd have to track which products they've viewed in the
first place, that would imply storing browsing history (they deny storing user
info as well) and uniquely identifying users across websites.

Given the coding style, I don't think the person(s) who wrote this code is/are
doing anything clever other than what it seems.

------
packetized
The absolute best part?

"Superfish will be removed from Program Files and Program Data directories,
files in user directory will stay intact for the privacy reason. Registry
entry and root certificate will remain as well. The Superfish service will
stop working as soon as it is uninstalled via above process, and following
reboot."

Per Lenovo's removal instructions [1], the compromised root certificate will
still be installed and trusted. This is completely laughable.

[1] [http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-...](http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206)
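
Added example, not part of the original comment or of Lenovo's instructions: a PowerShell audit for the situation described above, where the uninstaller leaves the root certificate trusted. It assumes the certificate's subject or issuer and the service name contain "Superfish" or "VisualDiscovery" (names taken from this thread); the `-NamePattern` and `-Remove` parameters and the function names are this example's own.

```powershell
# Added example: audit the Windows trusted-root stores for a root CA that was
# left behind after an uninstall, and optionally remove it.
# Assumption: the certificate Subject/Issuer or the service name contains one
# of the product names used in this thread; pass -NamePattern to change it.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$NamePattern = 'Superfish|VisualDiscovery',
    [switch]$Remove
)

function Get-SuspectRoot {
    param([string]$Pattern)
    # CurrentUser\Root can also list machine-wide roots, so the same
    # thumbprint may be reported once per store.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                # No EKU extension means the root is trusted for every purpose.
                $eku = @($_.EnhancedKeyUsageList |
                         ForEach-Object { $_.FriendlyName }) -join ', '
                [pscustomobject]@{
                    Store        = $store
                    Subject      = $_.Subject
                    Thumbprint   = $_.Thumbprint
                    NotAfter     = $_.NotAfter
                    SignatureAlg = $_.SignatureAlgorithm.FriendlyName
                    Purposes     = if ($eku) { $eku } else { '<all purposes>' }
                }
            }
    }
}

function Get-SuspectService {
    param([string]$Pattern)
    Get-Service |
        Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern }
}

$roots    = @(Get-SuspectRoot -Pattern $NamePattern)
$services = @(Get-SuspectService -Pattern $NamePattern)

if (-not $roots) {
    Write-Output "No trusted root matches '$NamePattern'."
    return
}
$roots | Format-List

$running = @($services | Where-Object { $_.Status -eq 'Running' })
if ($running) {
    Write-Warning ('Matching service still running: ' + ($running.Name -join ', '))
}

if ($Remove) {
    if ($running) {
        # A reply in this thread notes that removing the certificate while the
        # software is still active leaves HTTPS pages unable to load.
        Write-Warning 'Uninstall the software first; no certificate was removed.'
        return
    }
    foreach ($r in $roots) {
        $path = Join-Path $r.Store $r.Thumbprint
        if ((Test-Path -LiteralPath $path) -and
            $PSCmdlet.ShouldProcess($r.Subject, "Remove from $($r.Store)")) {
            Remove-Item -LiteralPath $path   # LocalMachine needs an elevated prompt
        }
    }
    # Re-scan so the result is verified rather than assumed.
    $left = @(Get-SuspectRoot -Pattern $NamePattern)
    if ($left) { Write-Warning "$($left.Count) matching root(s) still present." }
    else       { Write-Output 'No matching root remains in the Windows stores.' }
}
```

Firefox keeps its own certificate store, which this script does not inspect.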

------
api
While this kind of foistware sucks, I'm also a bit dismayed by the seeming
domain-specificity of people's privacy concerns.

Do a simple tracker on a desktop, and people freak out. But all you have to do
is _change the form factor and UI metaphor_ to mobile and people are
absolutely fine with constant location tracking, ambient sound being uploaded
to the cloud (SIRI, etc.), a camera and a microphone that can be activated by
all kinds of apps while the device is in your pocket, and a constant 24/7
Internet connection. You could never even approach that level of invasiveness
on a desktop or laptop.

A desktop/laptop is a computer. A smartphone is a computer. Why the different
reaction?

I wonder if it's a generation gap thing. Older people tend to use mobile
devices less than younger people. Are the younger generation this oblivious?

Same phenomenon holds by the way with regard to jailed devices. Way back when
Microsoft tried to introduce something called "trusted computing," which was
basically just code signing. Everyone _flipped the hell out_ and they shelved
it. But mobile devices can't run software that isn't tethered to their app
stores, and everyone is totally fine with that. Different form factor,
different universe?

It also seems related to brand. When you sign into Chrome with your Google ID,
Google tracks everything you do. But that's Google, not some random little
foistware company, so that's okay I guess. Same goes for Safari and iCloud,
etc.

~~~
nhaehnle
I would agree with you if this were only about adware. The problem is that the
adware opens a massive security hole that is exploitable by _everybody_.

The Lenovo adware wants to hijack SSL connections. To do so, it installs its
own CA, and the private key for that CA can be (and has been) extracted. This
means that if you own such a laptop and access your bank's SSL website from a
random coffee shop, anybody could MitM you, since they can use the publicly
available "private" key of the rogue CA to impersonate your bank.

Smart phones enable turn-key surveillance-based dictatorships beyond anything
we've ever seen in the west, but unlike this Lenovo thing, it is not an
_immediate_ threat. Hence people react differently to it.

------
pcora
"We have thoroughly investigated this technology and do not find any evidence
to substantiate security concerns."

Seriously?!

~~~
TwoBit
Anybody can MITM secure connections these computers make, right?

~~~
SixSigma
And present any HTTPS cert of their choosing to any compromised visitors, e.g.
[https://b4nk0famer1ca.com/](https://b4nk0famer1ca.com/)

~~~
tomp
Hm... I'm pretty sure that if you can actually MITM their connection (i.e. you
can intercept and modify the packages, e.g. by setting up a rogue Wi-Fi
hotspot), you can also fake the DNS and/or IP addresses, so you shouldn't have
a problem compromising visitors of
[https://bankofamerica.com](https://bankofamerica.com).

~~~
Xylakant
You don't need to fake IPs or DNS requests - if you have MITMed their
connection then all their traffic flows through your machine and you can
present whatever content you desire on any domain.

------
tyho
> The relationship with Superfish is not financially significant; our goal was
> to enhance the experience for users.

I would prefer for this to be a lie than for it to turn out for this statement
to be true. Surely nobody at Lenovo honestly believed that ad injection
improved user experience?

~~~
FooBarWidget
This would SEEM obvious because as techies we hate ads. But you can't
extrapolate this to the general population.

There was one time when I visited my mother. We started her instant messaging
program, and we were presented with special offers. I recognized it as such
within half a second, so I almost automatically checked the 'Do not show this
again' checkbox.

My mother alarmed me: "No, do not make it go away! I want to see the offers,
they're useful!"

I was mindblown.

Another example: I have snail mail advertisements. But my girlfriend, who's
living with me now, asked me to sign up for advertisements such as supermarket
special offers. Another mindblown.

~~~
mynameisvlad
> supermarket special offers

Why would you _not_ want to sign up to know about what discounts are available
at your local grocery store, especially if you frequent it weekly?

~~~
obsurveyor
Keyword there is "snail mail." You're saying you really want this stuff in
your mailbox every week? I don't want any snail mail (of _any_ kind), any week
but it's something I still have to live with.

~~~
tomp
In contrast, I've been refusing to opt-in to my bank's online statements for a
long time now, simply because I want to have important stuff (e.g. my money)
printed black-on-white. Email can be easily faked.

~~~
sejje
Would it not be easy to print a fake?

I don't really understand why "can be easily faked" is how you're justifying
this.

~~~
unprepare
It is less likely that someone would send a falsified bank document through
the mail, as mail fraud is a federal crime with harsher sentences than most
online versions of spam/phishing.

Also records are kept for mail regarding where it was received by the post
office (which likely has security cameras), when, who is on the return address
and the recipient. There is physical evidence of who has touched a piece of
mail such as fingerprints, hair, DNA etc.

This is part of why you don't get 50 letters from Nigerian princes each day.

------
jacquesm
Lenovo is going to lose more through how they handle this than through the
fact that they did it in the first place.

~~~
pjmlp
Sadly no. Businesses will still buy Thinkpads like candies.

~~~
wvenable
Yeah and businesses run their own Windows images. Whatever software is
preloaded doesn't matter.

~~~
SyneRyder
Unless their Windows image is based on the out-of-the-box OEM install.

~~~
databyss
I would imagine that any company imaging their hardware has their own custom
image to coincide with their Windows licensing agreement and not on whatever
was on the first box.

------
resonantcore
They disabled it server-side? What about the CA certificate in all these
Lenovo users' trust stores that blackhats can now use to MITM with wild
abandon?

~~~
thesimon
It enhances the users' experience when being MITM'd.

But yeah, the removal instructions mention that the certificate won't be
removed, which is quite dangerous.

EDIT: And users removing the cert would be unable to load https pages, which
is a tricky situation.

------
pkinsky
I was considering getting a Lenovo X1 Carbon to run Linux on. I'd be
installing a clean image, so no Superfish, but I still don't want to give
money to Lenovo right now.

What alternative Linux laptops are there? (aside from Macs)

~~~
Coding_Cat
There's System76, which are basically pre-loaded Clevo laptops (which are sold
under many different names). I have the Galago Ultrapro and am quite happy
with it. Good battery life, fast, user-serviceable and a calibrated IPS
screen. On release the keyboard was a little off, but the new one is pretty
good.

~~~
meritt
How's battery life? That was always my concern, it seemed to be quite pathetic
in comparison to modern 6-12hr competitors.

~~~
Coding_Cat
It depends on what you're doing of course. Normal usage (playing
music/YouTube, browsing Firefox, coding, opening up some PDFs) gives me about
6-8 hours I'd say, I get about 3 hours of (modded) Minecraft, which is quite
the battery drain. This is on Gentoo (Awesome as WM) so the background drain
is pretty low. It's good enough that I never really pay attention to it.

upower says the battery is designed to store up to 48Wh, with a maximum design
capacity of 53Wh.

~~~
geoka9
Is the battery controller programmable from Linux? E.g. can you set charging
thresholds?

Is there any hardware in it that doesn't work in Linux?

~~~
Coding_Cat
I don't know about the battery controller, all of it works with Linux
(System76 is a Linux retailer after all).

------
copsarebastards
There's a scene in the movie _The Rum Diary_ where Sanderson says roughly that
the way to sell the public on the idea of building a hotel on an untouched
island is to start by trying to build 20 hotels. Public outrage will occur,
people will write their politicians, and finally a compromise will be reached,
in which you get to build only one hotel. But the trick is, that's what you
wanted to do in the first place. In the end, this compromise wasn't good
enough: the result is still horrible.

This is roughly what Lenovo is trying to pull off here.

> Superfish was previously included on some consumer notebook products
> shipped in a short window between September and December to help customers
> potentially discover interesting products while shopping.

This is the compromise being offered. They're claiming, "We didn't violate
your privacy, we didn't violate your security, we just wanted to help you
discover interesting products."

Superfish opens up all sorts of security holes and privacy concerns, but it's
probably true that this wasn't Lenovo's intention (not yet, anyway). But to
accept this as a compromise would be to give Lenovo the thing they want in the
first place: to serve ads into our web searches. _And that in itself is
deplorable._ It is not acceptable for companies to force their agendas on us.

Lenovo's only defense here is that they were doing something disgusting. We
should not accept this compromise.

------
superobserver
I'm seeing at least one report dating from September of last year on their
forums:

[https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-...](https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/td-p/1726839)

~~~
JimmyM
> We are getting off-topic here. If you have questions pertaining to the
> differences between adware, spyware, potentially unwanted applications, and
> viruses please post on the Security & Malware Forum. We'll be glad to clear
> up any misunderstanding.

Ugh. Patronising, misleading and evading the point all in one answer. This was
a horrible thread to read.

------
ihnorton
Repeating this from the other thread: people should file complaints with their
state consumer protection division. There are probably at least one or two
attorneys general in the country who would love to make an example out of
Lenovo ("big bad foreign company", etc.).

Here's the complaint form for Massachusetts:
[http://www.eform.ago.state.ma.us/ago_eforms/forms/piac_ecomp...](http://www.eform.ago.state.ma.us/ago_eforms/forms/piac_ecomplaint.action)

Some state AGs are active on Twitter too, which might get more direct
visibility.

------
Vir0
We have a Lenovo G710 at work that was purchased less than a month ago and the
amount of bloatware installed on that thing is quite amazing; really, it's
almost a type of art.

The Superfish cert is there, however the VisualDiscovery service that injects
the ads was at some point disabled as I could only find remnants of it in
form of INI files and registry keys.

A quick fun fact: there are two encrypted INI files located in the Windows
folder:

A.) VisualDiscovery.INI

B.) VisualDiscoveryOff.INI

If that doesn't tell you everything you need to know about the guy that
developed this shit then I don't know what will.

------
slantyyz
The problem with the statement is that Lenovo owners need to be aware of the
news to find it.

I'm on Lenovo's mailing list and haven't seen a similar statement in my inbox
with remedial instructions.

I was only half-lucky with Superfish. I bought my Y50 before Xmas and removed
Superfish and all other non-essential software but didn't know about the
certificate, which I deleted today.

Sadly, I don't think the typical non-technical Lenovo user is even going to
find out about this or know how to fix it.

~~~
chinathrow
Return it.

------
mmastrac
Unfortunately the best response to this is extracting the private key for the
cert it installs in the root and publishing it:
[http://blog.erratasec.com/2015/02/extracting-superfish-certi...](http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html)

~~~
rkangel
OK, thanks for this. I wasn't sure if the signing of stuff was being done
locally by the proxy or remotely. i.e. whether the private key was on the
machines. So yes, complete security clusterfuck.

------
jwally
Can't say I put a lot of trust in this statement

"It does not profile nor monitor user behavior. It does not record user
information. It does not know who the user is. Users are not tracked nor
re-targeted."

from someone who refers to ad-ware as "...to help customers potentially
discover interesting products while shopping".

Barf.

------
javert
Cut the Bullshit Lenovo! Stop Lying to Us!

> We have thoroughly investigated this technology and do not find any evidence
> to substantiate security concerns.

A bald-faced lie!

> our goal was to enhance the experience for users

A bald-faced lie! Adding ads to a page cannot enhance user experience!

I'm on, I think, my 4th ThinkPad. A loyal customer.

Stop treating us like shit! This is completely unacceptable.

Issue a _real_ apology and start firing people, or shut the fuck up.

------
profinger
Honestly, I wish there was a way to comment on their stupid statement. These
bullsh*t companies need to realize that users don't want the stupid bloatware
in the first place. I paid you a TON of money for this computer the least you
can do is give it to me in its best condition.

You wouldn't buy a car that came painted with advertisements on the side!

~~~
jakejake
They are perfectly aware of how people feel about bloatware. Dell at one point
offered clean installs but you had to pay something like $30 extra. This
probably provides some type of clue that they make about that much more per
machine by including all the pre-installed crap.

~~~
takluyver
> Dell at one point offered clean installs but you had to pay something like
> $30 extra

And I'd hazard a guess (with no evidence) that very few people paid that extra
cost. We undervalue our own attention, assuming that we can easily ignore
adverts, so ad-supported products are disproportionately successful
(preinstalled bloatware is just a special kind of advertising).

Does anyone know how well Amazon Kindles with 'Special offers' are selling?

------
admax88q
> The relationship with Superfish is not financially significant; our goal was
> to enhance the experience for users.

I don't believe that for a second.

------
electic
> "We will not preload this software in the future."

I know it is lucrative to preload but I really wish this practice would just
die. In the long run, they are just hurting their business.

------
michaelhoffman
"We have thoroughly investigated this technology and do not find any evidence
to substantiate security concerns."

One way to read this is they have not seen any evidence that people have
_actually_ been hacked in the wild. They may understand perfectly well that it
is now trivial to do this but no one's actually reported _yet_ that they had
thousands of dollars stolen due to using online banking on a compromised
Lenovo machine on public Wi-Fi.

Roll on the class action lawsuits.

------
IvyMike
I've been a ThinkPad customer for ages, and have recommended them to others
many times. I'm fuming mad over this.

What's the best way to tell Lenovo they fucked up? I mean, I can vent over
social media all day but will they even pay attention?

~~~
joshuapants
Stop buying their products. I was already considering moving away from Lenovo
after the ruination of the -40 series. I was almost swayed back in by the -50s
but this put the final nail in the coffin.

------
packetized
Lenovo is saying exactly what they need to say in order to prevent their
statement from being admitted as evidence in a lawsuit or legal proceeding.

In other words, they just acknowledged it without admitting fault or
liability.

~~~
rockdoe
If I base myself on that statement to decide that there's no need to remove
the software, then get my bank account emptied, won't that backfire pretty
hard on them?

------
xioxox
I have a Lenovo laptop and had the superfish root cert installed. I also have
a "Nuance" trusted root certificate installed. It's a SHA1RSA certificate
issued by Nuance, expiring in January 2040 (serial 9e ef 9d f5 9a...),
thumbprint (51 2d 19 4d 28 64...). It says it's usable for everything. Does
anyone know about this one?

~~~
danielki
Nuance makes Dragon Naturally Speaking, which also comes preinstalled on some
Lenovo laptops (including mine, but it was one of the first things I
uninstalled). I'd imagine it has something to do with being able to voice
control applications/websites/whatever-Dragon-does. If you don't use Dragon,
you can probably safely delete it.

------
PythonicAlpha
Even when they disabled server side operations, the malicious root certificate
very likely remains on thousands of computers -- and thus a high security risk
for all owners of those computers!

In essence, a root certificate with known private key is as dangerous as a
worm that infected your computer. Maybe even more dangerous.

------
stefanix
It's perplexing you still need to put a couple of days work into setting up
a computer. In the 90s it was all about getting all the peripherals to work.
Now it's all about removing the bloatware, data leaks, and security holes.

On a PC I do a Linux install and go through some extra settings.

On Android I install CyanogenMod with an IPtables firewall. The number of apps
that try to raid your address book on Android is mind-boggling. When you set
Privacy guard to "ask" instead of "deny" you will have so many popups that the
phone is bogged down for a couple of minutes after startup.

------
mindcrash
> We have thoroughly investigated this technology and do not find any evidence
> to substantiate security concerns.

Apparently a wildcard SSL certificate valid for every domain on the internet
installed in a certificate store isn't a security concern.

Apparently said SSL certificate having an extractable private key installed
within a user certificate store isn't a security concern.

And apparently leaving said certificate behind in the certificate store even
after uninstalling the crapware (according to a very reliable InfoSec Taylor
Swift) isn't a security concern.

Wow? Wow.

------
tyho
Microsoft seems to have a vice-like grip over OEMs regarding preloading
Windows on every product they sell without exception. IMHO this is a terrible
thing, but can't they do at least a little good and prevent OEMs from
shipping anything other than a pristine image with no preloaded software?

Surely the endless bundled crapware from every OEM just gives Windows a bad
reputation in the long term. The popularity of Chromebooks now is a testament
to that.

~~~
derekp7
They tried dictating what vendors could pre-load, and were taken to court by
the US Justice Dept, along with a large number of state AGs.

~~~
scholia
Correct. So OEMs can load whatever crapware they like, and Microsoft doesn't
even know what they're loading. The idea of a "vice like grip" is nonsense.

What Microsoft does instead is offer Signature editions that are crapware
free....

------
HackinOut
_"We have thoroughly investigated this technology and do not find any
evidence to substantiate security concerns."_

[http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-...](http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206)

_"This article will be updated with additional instructions on clean up of
deactivated files and removal of certificate shortly."_

This was just edited in, here is the post before that:
[https://web.archive.org/web/20150219151726/http://forums.len...](https://web.archive.org/web/20150219151726/http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206)

So, Lenovo, why should we remove this certificate after all? Any security
concerns perhaps?

------
Globz
I seriously consider stopping buying Lenovo laptops for the company I work
with, I simply cannot go through the trouble of removing all of Lenovo
pre-loaded crap each time I replace or buy new machines.

I used to recommend Lenovo as a good laptop for work, with great quality
hardware for the price but since a couple years my vision is shifting towards
"Lenovo isn't what it used to be, I think we should stop ordering from
them..." I had a lot of problems with defective hardware lately even on
Thinkpad...

This news just adds to the pile of deception I had with Lenovo lately.

------
bhauer
The chief question I have is whether or not a Lenovo PC sold by the Microsoft
Store as a Signature Edition (e.g., [1]) would contain this or anything
similar. My suspicion is that it would not. If anyone is near a Microsoft
Store, and can stop in to run the test, it would be interesting to see the
results.

[1]
[http://www.microsoftstore.com/store/msusa/en_US/pdp/Lenovo-Y...](http://www.microsoftstore.com/store/msusa/en_US/pdp/Lenovo-Y50-4K-Ultra-HD-Signature-Edition-Gaming-Laptop/productID.306275000)

------
JustSomeNobody
Well there you go. They investigated and found no security issues.

Can't get any better than that!

Seriously, there were so many different ways they could have gone with this
and saved face, but they just decided to hunker down. Sad.

------
jamesmcq24
"our goal was to enhance the experience for users". I've never needed help
finding or discovering products, and I can compare my own prices thank you
very much.

The apology always seems to make it worse.

------
masmullin
- Lenovo stopped preloading the software in January.

My X1C was ordered on Feb 4th, and shipped Feb 9.

I believe that my machine had this malware installed when I received it. On
Firefox, websites that would not normally have many ads, were filled with ads
to the point where I couldn't use the sites.

I am unable to prove my claims, as I formatted the HD and installed Linux to
get rid of all the obvious bloat-ware.

I really enjoy the laptop. But if I was less tech savvy and unable to
format/install Linux I would probably have returned the machine (the ads were
really really intrusive)

------
vbezhenar
It's clearly an adware with backdoor to espionage on user. In many countries
creating and distributing that kind of adware is classified as crime. What a
nonsense they are talking.

------
Thrymr
Why is a press release undated? You have to go back to the "News releases"
page to see that it is dated today. The PDF version doesn't have the date,
either.

------
chez17
> To be clear, Superfish technology is purely based on contextual/image and not
> behavioral. It does not profile nor monitor user behavior. It does not record
> user information. It does not know who the user is. Users are not tracked nor
> re-targeted. Every session is independent.

We've heard this song and dance before. Excuse my skepticism, but I don't
believe you and until we can see some source code, I won't believe you.

------
herf
Lenovo was discounting 30-40% around Black Friday. For weeks! The simple truth
is that crapware pays for cheap PCs, and the economics don't work otherwise.

------
del82
> Users are given a choice whether or not to use the product.

What did this choice look like? Were users prompted to remove the cert if they
didn't want it?

------
Mikeb85
I like my ThinkPad, but between this and the fact that Dell is selling several
Linux laptops, I think my next laptop will be a Dell.

------
lifeformed
"Superfish was included [...] to help customers potentially discover
interesting products while shopping".

Wow how thoughtful and helpful of them.

I don't understand the point of bloatware. Are the manufacturers making a ton
of money off of them or something? How much could bloatware writers possibly
be offering to make it worth uglifying your brand?

~~~
ptaipale
Yes, "ton of money" meaning a few grand. I think manufacturers are selling
their reputation for too cheap.

There of course is a point that each manufacturer would like to provide some
added value through software that would set them apart from other vendors -
because hardware competition is so fierce - but unfortunately their priorities
for selecting the vendors they use are really bad. Much of the crap is just
horrible, and I don't recall seeing anything really useful recently.

~~~
TeMPOraL
Yup. You know how real value-add looks like? Permanent +50GB of DropBox I got
when I bought my Galaxy S4. While I wasn't aware of it until I bought the
phone and was just pleasantly surprised, it's a kind of thing that really
could influence my choice of phone if I was on the edge of a choice.

------
flyinghamster
I have a ThinkPad T61 that I bought refurbished a couple of years ago. One
thing that I really like about it is that it came with a clean Windows 7
installation.

But now, there's no way in hell I'd buy a Lenovo. Trust is not easily regained
once broken.

------
nickysielicki
> Superfish was previously included on some consumer notebook products shipped
> in a short window between September and December to help customers potentially
> discover interesting products while shopping.

It's not adware, it's a feature!

------
ocdtrekkie
Love the claim that their relationship with Superfish "isn't financially
relevant" and that they were doing it for their users.

------
gchokov
An example of how not to write a press release. So much shit talk.. such a shame.

------
ingler
Lenovo is just copying their betters at the NSA: Infect the machines of others
and when caught, deny it. Sadly, this business model will probably work for
them.

------
verytrivial
Now I'm being stalked by Komodia ads!

------
gluejar
Class-action lawsuit anyone?

------
gcdgcd
Lenovo is dead

------
AC__
Yeah this is fucking hilarious! Be sure to read the Extracting SuperFish
Certificate article first for full effect though lol

