

Lenovo CTO: We’re Working to Wipe Superfish App Off of PCs - coldcode
http://blogs.wsj.com/digits/2015/02/19/lenovo-cto-were-working-to-wipe-superfish-app-off-of-pcs/

======
packetized
"We’re not trying to get into an argument with the security guys. They’re
dealing with theoretical concerns." - Peter Hortensius

I'd say that someone having cracked out the password for the private key is a
bit more than a 'theoretical' concern. This might be the most tone-deaf
handling of a potential PR disaster so far this year.

~~~
AceJohnny2
This is cluebat level of ignorance. I want to apply the "don't ascribe to
malice what can adequately be explained by ignorance" maxim, but I'm having
trouble with the "adequately" here. Either they managed to live under a rock
and completely ignore everything related to the Snowden revelations, or
they're willfully dismissing it.

Such a pity, I was looking forward to getting an X1...

~~~
pekk
My concern when making a purchase is whether the purchase will be good for me.
I would definitely wipe whatever laptop I purchased, so this story is
interesting and embarrassing for Lenovo but has no effect on my own purchases
which are driven by what will function well for my preferences (like good
Linux support and not requiring me to use a trackpad)

Given the general sliminess in computer, phone and software companies, there
is no "pure" option except to buy some ancient computer and never use it on
the internet, like RMS. This isn't acceptable to me. I will buy what serves my
own needs, and you can do whatever you want.

~~~
dredmorbius
If Lenovo are willing to compromise user _software_ for some perceived
corporate benefit, what's to say that they're not going to compromise
hardware, firmware, bootloaders, recovery tools, etc.?

I ask that from a Lenovo Thinkpad T520i, one of a half-dozen or more I've
owned or used over 15+ years, and absolutely my preferred mobile hardware over
that period.

------
skymt
Hortensius says Lenovo failed in due diligence. How, exactly? The two reasons
people are upset about Superfish are that it breaks web security and injects
ads into pages. Hortensius doesn't believe the former, and the latter is the
entire purpose of the software. The only failure he could mean, taking him at
his word, is in not anticipating the backlash, because as he describes it
Superfish works as intended.

~~~
HackinOut
Double standards are also seen in their "Removal Instructions" post on their
forum. When uninstalling SuperFish, it seems suddenly important to remove the
root certificate...

_"It is very important to delete the certificate even though the application
itself has been removed."_

[http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-...](http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206)

Didn't seem that important earlier today:
[https://web.archive.org/web/20150219151726/http://forums.len...](https://web.archive.org/web/20150219151726/http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206)

_"files in user directory will stay intact for the privacy reason. Registry
entry and root certificate will remain as well."_

------
vinhboy
> Hortensius: In general, we get pretty good feedback from users on what
> software we pre-install on computers.

LOL. Yes sir! The internet is filled with people happy about bloatware...

I seriously wonder how much money they make off these bloatware providers to
risk pissing off customers and devalue their brand.

It can't be that much can it?

~~~
freehunter
The weird part is, I've bought three Lenovos of my own and never had a problem
with their preinstalled software. Some of it, like the ThinkVantage suite, can
even be useful. Maybe it's because I buy from the Thinkpad line? Do they
install less crap on Thinkpads than on IdeaPads or other laptops?

~~~
MartinCron
Yeah. I have a ThinkPad T530 and a Yoga Pro 3 and while it's not a fair
comparison (mobile workstation vs. strange laptop/hybrid...thing) the software
on the ThinkPad feels more sparse and out of the way while the stuff on the
Yoga is pretty terrible and invasive.

------
rmason
The reason the app is there is because they care more about taking money from
AdWare providers than their customers.

The only thing that will change going forward is they're going to do more due
diligence on their AdWare suppliers before agreeing to the deal.

------
bluecalm
As usual, bundling stuff together is an anti-consumer practice. If we had laws
against bundling, it would be a better world, because a lot of useless-at-
best/malicious-at-worst stuff wouldn't be able to get money (like crapware no-
one sane would order separately).

Here is something to start with: "if you offer a product A bundled with
product B you have to offer A alone for the price not more than A bundled with
B"

While weak and not really addressing many issues with bundling, it at least
gets rid of the most blatant problem of malicious add-ons.

Then something like A for not more than price(A) + 1/2price(B) and now we are
getting rid of a lot more useless stuff.

------
Animats
Raise hell. If you have one of these machines, file a complaint with the FBI.
At the very least, fill out their form:
[https://complaint.ic3.gov/default.aspx](https://complaint.ic3.gov/default.aspx)

~~~
woodman
While I am all for giving Lenovo hell, I'd highly recommend that people avoid
voluntary interaction with US "law enforcement". They aren't really on your
side, and this has been demonstrated more than once.

------
vivivi
I wouldn't trust this company anymore. Bye Lenovo.

~~~
wvenable
Nearly every laptop is preloaded with crapware. Lenovo might have (briefly
even) picked one of the worst examples of it, but I'm sure there are (or will
be) examples of this from other manufacturers that have yet to be discovered.

It might now be the case going forward that Lenovo will be a better choice.
They've been burned.

~~~
SwellJoe
There's crapware, and then there's spyware/adware.

The shovelware that most vendors ship on their boxes is offensive, yes. It's
annoying. It steals a little of my life each time I buy a new machine, because
I have to take time to re-image the system or clean off the crap (my current
HP Envy was particularly egregious in this waste of my time, in that the
restore image didn't work, so I had to wait ten days to get a restore DVD from
them, and had to _pay_ them $15 for the privilege of being able to restore my
system). But, none of this is comparable to installing spyware on your
customers' systems.

They keep making claims that it isn't spyware, but in a previous HN thread,
someone was trivially able to find the tracking and re-targeting codes in the
injected code. It is the definition of spyware, and even worse, it is broken
in such a way that it enabled MITM attacks.

_"It might now be the case going forward that Lenovo will be a better
choice. They've been burned."_

Have you read their statements about it? Every single one of them denies any
wrongdoing. They believe it's just a "customers don't like this software"
issue. They don't believe it is a "We have likely committed crimes against our
customers", which is what it actually is, at least in jurisdictions that take
citizen privacy at all seriously. (In the US the TOS click through probably
protects them, because the US doesn't give a shit about privacy, but in some
other countries it probably wouldn't.)

~~~
wvenable
> Every single one of them denies any wrongdoing.

Of course. You make out like that's a significant detail. "Large company
denies liability" is not a headline. Do you honestly think Dell, HP, or even
Apple would say anything differently in a similar situation?

Based on the quantity and quality of the software pre-installed on every
laptop I've ever owned, I'm not quite as convinced as you are that this is
exclusively an issue that could only ever happen to Lenovo customers.

~~~
SwellJoe
Sony shipped spyware, too. As has Samsung on their TVs. But, that doesn't mean
it's OK, or that anyone should trust Lenovo because "they've been burned".
Lenovo isn't the wronged party, their customers are.

I'm saying I would need to see a "mea culpa" from Lenovo before I would even
begin to think about trusting them.

~~~
wvenable
I never intended to imply that anyone should implicitly trust Lenovo now
because this happened; such a point is so ridiculous I'm surprised you believe
I was making it. I also never made the point that Lenovo is somehow the
wronged party -- which again is ridiculous.

Instead, given the general attitude of most PC manufacturers with regard to
what is pre-installed, I don't think boycotting Lenovo would necessarily save
you from this sort of issue in the future. You're just as likely to be burned
by almost any one of them. This product wasn't even made specifically for
Lenovo.

Perhaps this attention will make Lenovo more careful in the future. It equally
might not. It might make _other_ manufacturers more careful. Or it might make
no difference at all.

------
cies
Good rep with open source community: all blown.

Now waiting for the new Dell XPS13? Or does anyone have another option for a
powerful ultrabook that goes well with the penguin?

------
lorddoig
I can understand the motive, however flawed it may seem in hindsight. They
were seeing dollar signs, happy shareholders, job security - so they took a
chance that massively backfired.

Am I the only one who thinks they deserve a little credit for getting their
CTO to publicly deal with the issue _on the same day_ all this came to a head,
including saying that a guy was literally sat coding out a removal tool _right
now_ and due for release _tonight_? That's a damn respectable feedback loop
for a megacorp if you ask me, and we'd have a lot less to whine about here on
HN if all mistakes were rectified so expeditiously.

------
dredmorbius
Lenovo, Peter Hortensius, Yang Yuanqing: I'm writing this on a T520i laptop.
It's one of a half dozen or more IBM or Lenovo Thinkpad products I've owned
personally or used through work over the past 15 years.

And yes, while I'm running my own installation of Debian GNU/Linux, I
preserved the Windows installation for ( _very_ ) occasional use. Only under a
VM, and not in two or more years that I recall. With this news I'm strongly
inclined to wipe it.

But pulling crap like this is a _tremendous_ erosion of trust. In your
products. In any Microsoft Windows installation (not that I trust these in any
event). It's a tremendous hit to your own brand equity, as well as
Microsoft's.

The sad truth is that there are few alternatives out there, and that there are
plenty of other security risks. But you can solidly bet that as a consumer and
IT director I'll explore the hell out of other alternatives before making my
own or corporate purchases and/or recommendations.

------
m432
Some articles were posted with a picture of a ThinkPad, which is not an
affected product for this issue.

>>Lenovo Y50, Z40, Z50, G50 and Yoga 2 Pro models.

The above is announced from some sources, and

>>Lenovo-branded devices sold between September 2014 and January 2015 through
consumer online and retail stores, like Best Buy and Amazon.com, are likely
affected by the Superfish adware

Has anyone got any additional info?

------
wvenable
I'm aware that Microsoft is legally limited from restricting what vendors can
pre-load into Windows but they really should provide a technical solution. For
example an operating system option to revert to absolute stock. This would
necessarily be different from reinstalling from recovery (which also
reinstalls the crapware).

~~~
skymt
Microsoft offers this tool to create a clean Windows install disc:
[http://windows.microsoft.com/en-us/windows-8/create-reset-re...](http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media)

------
einrealist
Lenovo should just offer the unbiased, truthful and transparent choice between
a clean image (with device drivers) and their usual crapware image. They can
then easily gather metrics on what image is selected when customers order
products. Just give customers a choice!

~~~
spiralpolitik
Sadly there is no money in the clean image option for Lenovo. Margins on
non-Apple PC hardware are now so razor thin that it's only through the
pay-to-play software "value-add" that companies can turn enough money to
justify the whole expense.

------
ppezaris
relevant:
[https://news.ycombinator.com/item?id=9076788](https://news.ycombinator.com/item?id=9076788)

------
chinathrow
Lenovo CTO: How about time in front of a court?

------
tramjoe_
Someone, please just sue these people.

~~~
tramjoe_
Funny, this comment started with a lot of upvotes, and since this morning,
massive downvote. I wonder why... Lenovo PR in the place?

~~~
stevenh
I attempted to start a conversation here about ways to detect whether visitors
to your own site are infected with the Superfish malware, and I was downvoted
to the very bottom of the page.

Another person had discovered a method to automatically disable Superfish by
placing a special <meta> tag on your page; within two hours of posting his
discovery, Lenovo silently removed the disable ability:
[https://news.ycombinator.com/item?id=9076788](https://news.ycombinator.com/item?id=9076788)

Deliberately preventing people from disabling Superfish doesn't seem like
something a company "working to wipe Superfish app off of PCs" would do.

I don't believe a single word uttered by these snakes.

~~~
tramjoe_
Well, they have no clue how to handle this. I just upvoted your other comment,
and I suggest that anyone reading this does the same for it, my comment and
chinathrow's comment above. All three seem to have been bashed, and even if
this might be legit downvoting, I tend to think this is a bit much of a
coincidence - let's show them it won't work.

------
stevenh
If you run a website and you'd like to help spread awareness to victims of
this heinous crime, a technique such as this might work:

[https://paste.ee/p/y1RvZ](https://paste.ee/p/y1RvZ)

These are the URLs on the malware peddler's server I examined to get an idea
for how to detect whether their malicious payload injection has taken place:

[https://www.best-deals-products.com/ws/sf_code.jsp](https://www.best-deals-products.com/ws/sf_code.jsp)

[https://www.best-deals-products.com/ws/sf_preloader.jsp](https://www.best-deals-products.com/ws/sf_preloader.jsp)

[https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=...](https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc)
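An added detection sketch, not the paste from the post above: it takes the resource URLs found on a page, resolves them the way a browser would, and flags any that point at the best-deals-products.com host and the sf_*.jsp paths the post lists, so a site can warn affected visitors. Only that hostname and those paths come from the thread; the matching logic, the sample URLs and the MutationObserver hook for later injections are assumptions.

```javascript
// Added example (not the post's paste): flag page resources that point at the
// Superfish content server named in the thread. Hostname and /ws/sf_*.jsp
// paths are from the post; everything else here is assumed.
const SUPERFISH_HOST = "best-deals-products.com";
const SUPERFISH_PATH = /^\/ws\/sf_(code|preloader|main)\.jsp$/;

// Classify one resource reference. Returns null when unrelated, otherwise an
// object saying which host it hit and which known payload path (if any).
function classifySuperfishUrl(src, pageOrigin = "https://example.test") {
  let url;
  try {
    // Resolve relative and protocol-relative ("//host/...") references
    // against the page origin, as the browser would before fetching.
    url = new URL(src, pageOrigin);
  } catch (e) {
    return null; // unparseable reference, nothing to fetch
  }
  const host = url.hostname.toLowerCase();
  // Exact host or a subdomain; "best-deals-products.com.evil.test" must not match.
  const onSuperfishHost =
    host === SUPERFISH_HOST || host.endsWith("." + SUPERFISH_HOST);
  if (!onSuperfishHost) return null;
  const m = SUPERFISH_PATH.exec(url.pathname);
  return { url: url.href, host, knownPath: m ? m[1] : null };
}

// Scan a list of resource URLs and return only the suspicious ones.
function findSuperfishInjections(srcs) {
  const hits = [];
  for (const src of srcs) {
    const hit = classifySuperfishUrl(src);
    if (hit) hits.push(hit);
  }
  return hits;
}

// Browser glue (assumed): scan script/iframe sources present now and watch
// for ones injected later, calling onHit so the site can show a warning.
function watchForSuperfish(onHit) {
  if (typeof document === "undefined") return null; // not running in a browser
  const scan = () => {
    const els = document.querySelectorAll("script[src], iframe[src]");
    const srcs = Array.from(els, (el) => el.getAttribute("src"));
    findSuperfishInjections(srcs).forEach(onHit);
  };
  scan();
  const observer = new MutationObserver(scan);
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

Because Superfish injects its script into the served HTML, the DOM scan sees the injection regardless of which site is being visited; matching on the page's own origin is what makes the check specific rather than a generic third-party-script audit.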

