The root certificate is the same across all installs, and the private key is present on the machine (necessarily, to operate the proxy):
Someone will extract the private key in the next few hours, and then HTTPS will be basically completely broken for all Lenovo users -- anyone will be able to spoof any site to them.
Uninstalling the app does NOT remove the certificate: https://twitter.com/metsfan/status/568265468173107200
On the bright side, Firefox does not use the system certificates (it has its own list) and Chrome will no doubt push an update to block the certificate promptly.
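A quick way to see whether the interception described above is actually happening on a given machine, as an added example that is not from this thread or from Lenovo: open a TLS connection yourself and look at who issued the certificate you are handed. A site behind a public CA should never present a leaf signed by the "Superfish, Inc." root named in the thread. The host name and port are placeholders.

```powershell
# Added example, not from the thread: open a TLS connection to a host and report
# who issued the leaf certificate actually presented to this machine. If a local
# interception proxy is active, the issuer will be its root (matched here on the
# string "Superfish", the subject named in the thread) rather than a public CA.
# Host name and port are placeholders; change them as needed.

param([string]$TargetHost = 'www.example.com', [int]$Port = 443)

function Get-PresentedCertificate {
    param([string]$TargetHost, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # Accept every certificate here: the point is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($TargetHost)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $leaf
    } finally {
        $client.Close()
    }
}

$leaf = Get-PresentedCertificate -TargetHost $TargetHost -Port $Port
"Subject    : $($leaf.Subject)"
"Issuer     : $($leaf.Issuer)"
"Thumbprint : $($leaf.Thumbprint)"

if ($leaf.Issuer -like '*Superfish*') {
    Write-Warning "TLS to $TargetHost is being intercepted locally: the certificate was minted under the Superfish root, not by the site's CA."
} else {
    Write-Host "Issuer is not the Superfish root; no Superfish interception seen on this connection."
}
```

Because the check is made from a plain .NET socket rather than from a browser, it tells you whether the interception applies to arbitrary processes on the machine, not just to one browser. A clean result on one host does not prove the root certificate is gone from the store; that has to be checked separately.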
These agreements could be summed up in 3 words: "we own you".
This is spying with the sole purpose of spreading ads and making money.
The "spyware" only spies on modifications to the game client in any way and tries to detect non-human involvement, which of course includes inspecting the file system and RAM. In theory it could harvest irrelevant information from your hard drive or memory, but no reverse engineer has ever made such a claim to my knowledge.
Valve Anti-Cheat does very similar things, but is run by what many consider to be a trustworthy company, so not that many people take issue with it. If one trusts the company that distributes the spyware, it's not really a problem, in my opinion. If Valve were to ever violate that trust, it would severely harm their business.
I also strongly disagree with DRM, because it only harms other players while providing no benefits. In contrast, online cheaters can completely ruin the playing experience for online games, and have heavily contributed to the death of some games.
I also have no issue if people decide to cheat when in single-player mode. If you pay for the game you should be able to do whatever you want if you're not affecting others. It's only a problem when they're playing with other people over the Internet. PunkBuster and VAC only run when you're playing in online mode.
Edit: It's pretty bad form to downvote new accounts because you disagree. Imagine if I didn't know about hellbanning.
Ask yourself what open source licenses, corporate EULAs and the NSA's defense have in common. The best hope here is that Lenovo explicitly promised someone something they didn't keep.
You can bet that if the NSA manages to use this to hoover up some tasty HTTPS, this scandal will be lauded as a big boost to "national security" behind the scenes, and nobody will be punished. For all we know NSA had a hand in engineering this.
Of course, if some government data is stolen as a result, then the whole thing will be thrown under the bus and deemed a threat to "national security".
I hope anyone who uses terms like "national security" does it in full awareness of what Orwell meant by newspeak and doublethink.
This is a transparent dragnet that can easily be blamed away, which has been shown to be much more preferable in the NSA's M.O.
And to be clear, I mean, absolutely nothing. This isn't a slightly unlikely thing that still leaves room to wonder about "plausible deniability"... this is a thing that happens all the damned time and the NSA need at most sit back and passively reap the benefits, along with hackers and criminals.
Somebody somewhere wanted to get in on the advertising gig because it looks like free money. Their first attempt didn't work on HTTPS sites. Some techie was ordered to fix it. Said techie read a few things on a few sites and typed in the magic commands to "make it work" and probably literally didn't even know that they'd just annihilated security for all their users... they literally just knew that this made their software "work", and for them, pretty much the first time they clicked on to an HTTPS page and saw their own ads, the story ended. Ship it.
To a first approximation, nobody using SSL in some manner understands SSL.
Some of the code inserted is pretty strange, including functions to checks for lenevo, bestbuy.com and isPayingCountry() with a list of country identifiers:
So apparently they work with some big companies, and I can't work out what the country check is for, perhaps for subsidiaries of a large customer?
of course they are - Lenovo customers have signed the agreement that this is ok when they started the machine the first time </sarcasm>
Rest assured Lenovo was perfectly aware of the security and privacy implications of this feature from the beginning.
They merely try to sound oblivious because their lawyers hope that will soften the legal and media repercussions.
Superfish looks like the kind of crapware that pays OEMs to include it in their bundle. Lenovo took the cash and didn't bother to review the code. Superfish, for its part, probably doesn't have the best and brightest engineers working for them. They probably tasked a junior programmer with working around SSL, who then committed the first solution that worked without ever thinking about security implications, and they shipped it.
If they did know about the problem, they could have fixed it. If the app simply generated a new key as part of first-time use, then it would just be run-of-the-mill crapware rather than a gaping security hole. Even if Lenovo has malicious intent, it would still have been in their best interests to do at least that, yet they didn't. Hence I assume it was incompetence.
It doesn't take a "security review" to spot a gaping security and privacy violation like this.
Any engineer with even the slightest clue of how a browser and "the internet" works would have called this out during the first "How does this product work?"-presentation.
Let's not pretend Lenovo is staffed with monkeys.
Remember stuff like this:
(Which, possibly unfairly, is one reason I'm leaning more towards ansible than saltstack to this day -- I mean, if stuff like that got through... what else, in more complex areas of the system?)
Never falsely attribute to incompetence what is actually ascribable to malice. You can't come in here with a straight face and say that no one at Lenovo considered the security risk of including this software. If it was considered and they pushed ahead with it anyway, that's malice.
It's negligent, and in this case probably criminally so -- and that might constitute "an evil" -- but I don't think this is the result of someone's overt intentional evil act. I don't think anyone actually did consider the security risk of this particular piece of software. Maybe I'm naive, but if nothing else, the risk of lawsuits/backlash seems too great in this case.
I don't like ads and bloatware, but I think calling them "evil" is diluting what "evil" means.
I might be wrong, of course. But I don't think any of the big OEMs does any real review of the crap that is installed on computers -- and I think forgetting to generate a unique cert/key on post-install/first run is an error -- not intentional. Deciding to install this kind of crap strikes me as a very poor decision -- but I'm still not sure I'd consider it evil. Evil would be using the Intel management co-processor to do something similar -- presumably then a clean install wouldn't help.
That's what I meant by invoking the opposite of Hanlon's razor. Sure, never attribute to malice what can be explained by ignorance. But my point is, you can't explain this one with ignorance. There is just no way that Lenovo has hired a security team that would do a review of this and say it looks fine, and no way a company the size and stature of Lenovo would not have a competent security team. The only logical answer is that this was raised as a risk and management chose to accept the risk.
I'm not saying they're evil (I used that word to describe Charles Manson), nor that their end goal was for users to be compromised. Merely that they had to know this was a bad idea, and they chose to do it anyway.
"Any engineer" means something in HN, but we're not talking about "people who read HN" levels of engineer here, don't be mistaken.
Some people that have had no or limited experience with software are assigned to software projects, and that's the issue with companies like Lenovo.
I find it very hard to believe that no red flags were raised by any of the engineers, managers and especially lawyers who must have screened this "feature" for problems.
It seems more plausible that the problem was known from the beginning (it is by design after all) and Lenovo decided to risk it.
Virtually everyone in the engineering team raised a flag when the imbec...uhm, the Product Manager came up with the idea. We pointed out that a) this burdens us with the responsibility of storing sensitive data which can, at least, have significant legal implications and that b) even if it's encrypted data, it may be a little hard to market a privacy device that works by uploading user data to our server as a first step without being transparent about the whole process. Oh, and c) that the data recovery mechanism he proposed (which involved storing the users' private keys on our servers as well, just in case they lost their precious little gimmick) was, in this case, entirely retarded.
The whole thing didn't even make it to Legal, because everyone in the decision tree just thought that since there's no plaintext data being stored, there's no potential for a lawsuit (and when we told the PM about Lavabit, he came back two hours later saying he Googled it and that we're covered since we're not an e-mail provider). The bright heads in Marketing weren't exactly sure about the whole transparency thing. They thought we should keep it simple and just tell people that their data is safely encrypted and be done with it, because end-users don't need to know about tech mumbo-jumbo like encryption keys and all that.
I don't work there anymore (thank God) and they haven't launched in the meantime, but when I left, they were basically working on implementing this clusterfuck.
I'm sorry I can't be more specific than this (for obvious reasons, I hope). The point is, however, that decisions as complex as these (there's a stack of paperwork thicker than the Osbourne-1 involved in preloading anything on a laptop) are made through an elaborate process, not made "by mistake".
Someone knew there was a problem. The problem may have ended up misunderstood or washed out along the decision chain (although I find that fairly unlikely), but someone, at some point, decided this was ok.
How does that go along with a gigantic fuckup like this? Ipso facto there was no vetting, otherwise this wouldn't happen. What did they expect, that this wouldn't come out, that this wouldn't damage their brand even further? If it was done out of malice it is still poorly vetted and incompetent malice.
They probably didn't figure out that anyone would have a problem with this. For them, it's just a cool gimmick to get some money. That it is a gaping security hole which makes about 0.42 % of user population mad, probably never occurred to them.
Unfortunately, for the 0.42 % (that is us, reading this site, and people of similar interests) it will be hard going to explain to the next 4.2 % why this is so bad. The remaining approximately 96 % of population will stay largely uninterested.
Yea, read again. I claim that even if there was malice there necessarily was an element of incompetence present in that case as well.
> it will be hard going to explain to the next 4.2 % why this is so bad
Why? People aren't interested in exact details, that's why they rely on 0.42%. You can illustrate the magnitudes of moronity required to design some of their products and lack of respect for security by explaining that they approach those that are needed to drive a car which has chainsaw strapped on its steering wheel. This isn't mere buffer-overflows due to bad coding, these are comatose levels of stupidity.
I don't think I've seen a junior anything who was informed and insightful enough to write a network proxy, including SSL support, and the necessary certificate work.
And calling it enhanced is not always an unreasonable interpretation. For instance, take the case of a cheap mobile phone with a very limited bandwidth. You can increase the end user satisfaction considerably if you move some of the functionality to a server layer so that when you browse, the things actually happen somewhere in a cloud and your phone is just displaying the result, without being the actual browser as seen by the site you visit.
Nokia did this with some of the cheaper devices, and I think it was quite OK. It comes down to how much you trust that party, of course, and how critical your communication is.
if (location.protocol === 'https:' && queryString.search(/dlsource=hdrykzc/i) !== -1) // Patch for Lenovo - do not run on https sites
I honestly don't know why Lenovo (and others) still make these third party deals. Just ship the machine with a blank OS, or install a vetted selection of open-source software (7zip, VLC, LibreOffice if they want). Just don't install crapware for the mediocre kickback it generates!
I always love when the same model (down to the part number) comes with a different configuration and board inside the case.
> To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.
If it does, does it trust its own cert? Probably (certainly?), but if not, that would leave one in the curious (perverse?) position of being safer by using the proxy. superfish can mitm your connection, but nobody else with the key could.
... I wonder if there's an MBA / capitalism version of this, centering around short-term profit at the expense of everything else.
Bug 1134506 - Mark "Superfish, Inc." root certificate as untrusted in NSS
Trying all strings from the binary if any of them matches is a cheap and easy operation, so try it first, if it doesn't work use a more elaborate approach.
I assume his reasoning for looking for the private key was similar to: this program creates a new certificate authority and installs it on this computer. In order to do this, it must have all necessary tools for doing so, including the private key it uses to create those certificates, in memory somewhere. Even if that private key is stored encrypted somewhere, it has to exist unencrypted in memory at some point to be used.
> I tried the small dictionary john.dict that comes with John-the-Ripper, and it didn't find anything. But of course, I don't need a real dictionary. The password is probably also in the clear in the memory dump. I could just use the file super.txt as my dictionary! I tried this, but it was taking a long time, with 150k unique lines of text. It'd take many hours to complete. To speed things up, I filtered the list for just lower-case words
It's the lowest hanging fruit. I doubt he expected to find the password just sitting there, but since he did, here we are :)
But yes, keeping sensitive information hidden in plain text considered a security flaw.
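The "use the dump itself as the dictionary" approach quoted above, written out as an added example (not the thread's or the original analyst's code): pull every printable string out of the memory dump, keep only lower-case words of a sane length, and try each one as the passphrase of the encrypted PEM key. The dump path, key path and the presence of an openssl binary on PATH are all assumptions.

```powershell
# Added example, not from the thread: turn the printable strings of a memory dump
# into a password list and try each one against an encrypted PEM key, which is the
# "I could just use the dump as my dictionary" approach quoted above.
# Assumptions: the dump is at $DumpPath, the encrypted key is at $KeyPath, and an
# openssl binary is on PATH. All three are placeholders.

param(
    [string]$DumpPath = '.\super.dmp',
    [string]$KeyPath  = '.\superfish_key.pem',
    [int]$MinLen = 4,
    [int]$MaxLen = 32
)

# Runs of printable ASCII, the same thing the classic `strings` tool prints.
# Latin-1 maps bytes 1:1 so high bytes never turn into printable '?' characters.
function Get-PrintableStrings {
    param([byte[]]$Bytes, [int]$MinLen)
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    [regex]::Matches($text, "[\x20-\x7e]{$MinLen,}") | ForEach-Object { $_.Value }
}

# Candidate filter: split on anything that is not a-z, keep words of sane length,
# de-duplicate. This is the "just lower-case words" cut that made the quoted
# 150k-line list finish in reasonable time.
function Get-PasswordCandidates {
    param([string[]]$Strings, [int]$MinLen, [int]$MaxLen)
    $Strings |
        ForEach-Object { $_ -split '[^a-z]+' } |
        Where-Object { $_.Length -ge $MinLen -and $_.Length -le $MaxLen } |
        Sort-Object -Unique
}

# Ask openssl to parse the key with this passphrase; exit code 0 means it decrypted.
function Test-PemPassword {
    param([string]$Path, [string]$Password)
    & openssl rsa -in $Path -passin "pass:$Password" -noout 2>$null
    return ($LASTEXITCODE -eq 0)
}

if (-not (Get-Command openssl -ErrorAction SilentlyContinue)) {
    throw 'openssl was not found on PATH'
}

$bytes      = [System.IO.File]::ReadAllBytes($DumpPath)
$strings    = Get-PrintableStrings -Bytes $bytes -MinLen $MinLen
$candidates = Get-PasswordCandidates -Strings $strings -MinLen $MinLen -MaxLen $MaxLen
Write-Host "Trying $($candidates.Count) unique candidates extracted from $DumpPath"

$found = $null
foreach ($cand in $candidates) {
    if (Test-PemPassword -Path $KeyPath -Password $cand) { $found = $cand; break }
}

if ($found) {
    Write-Host "Passphrase found: $found"
} else {
    Write-Host 'No candidate from the dump decrypted the key; widen the filter or fall back to a real wordlist.'
}
```

Each candidate costs one openssl process, so the filter matters more than the loop: the first pass should be the narrow all-lower-case set, and only if that fails should you widen it to mixed case and digits.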
That or maybe they are completely clueless about the security implications.
Lenovo's hardware support for Linux is great so unless there's something keeping you on Windows switching to a good Linux distro usually works fine on these laptops.
There is almost no machine out there running openly auditable code on all components.
Adding dodgy userspace software is easy and remunerative for Lenovo ( lots of $$$ from the software vendor for 'bundling' ).
Tampering with firmware is hard, expensive and doesn't seem to offer compelling return on investment. What's the business case?
The idea is something like
Interesting question to consider: what if the MITM was benevolent to the user? I.e. Lenovo included a similar ad-blocking proxy in their default installation? Would the public response have been as negative, or would it be considered to be a helpful addition akin to how most browsers now include popup-blockers?
In other words, are people more repulsed by the purpose (advertising)? Because I certainly think MITM'ing connections locally to remove ads a good thing... and with some devices like "smart" TVs apparently now phoning home and showing ads, I have no qualms about putting their traffic through a proxy to strip that crap out.
avast! was actually guilty of this a while ago (see https://lelutin.ca/posts/avast_conducts_MitM_attack_on_users...), and the article gives some good rationale why MITMing SSL at all without the user's explicit knowledge is bad.
The trust essentially moves from the browser to the proxy - while I don't know what Superfish does, Proxomitron definitely checks the certificate and pops up a warning dialog if there's something wrong.
why MITMing SSL at all without the user's explicit knowledge is bad
I think "without the user's explicit knowledge" is the key point here; if you install a security product then you somehow expect that it be able to inspect all your traffic for any maliciousness... as otherwise the "bad guys" will just make use of SSL to defeat that.
Apparently Superfish ships from Lenovo with the same private key on every machine. So all a bad guy needs to do is extract that private key from one machine, and now they can MITM all the Superfish Lenovo machines from basically anywhere on the Internet.
Has anyone confirmed the certificate validation behaviour in Superfish? I have a feeling it will be "none at all", which would be really bad...
More context at https://twitter.com/supersat
If someone installs a CA, Chrome will trust it. There's not much way around this: if someone has the capability to install a CA on your computer, they'd have the capability to modify chrome.exe to force acceptance of it.
Also, sometimes MITM'ing is desired. I'm doing it right now with Firefox and BurpSuite.
If Chrome were to block unknown roots for pinned sites, these sites would become inaccessible because the MITM proxy is still active. That's certainly not desirable in a controlled enterprise environment, but the same would occur when blocking this 'Lenovo root'.
Do you mean the proxy is remote? That is not the impression I have (otherwise having the private key locally makes no sense).
If it's local, then even with the private key extracted, and considering a lot of websites force https nowadays, we should still have standard crypto between the lenovo computer and the website. EDIT: As long as the adware checks the website certificate AND doesn't trust its own self-signed certificate in the store... yeah... a lot of ifs...
Anyway, thanks for the additional details, more helpful than "[...] the certificate allows the software to decrypt secure requests[...]", found in the article...
Standard crypto using that website's certificate. Which could be legit. Or could be an attacker's certificate, signed with this Lenovo root certificate.
Some criminals are about to make a lot of money.
"Also the module tries to verify that the certificate is indeed signed by an approved signer, it will use the CA store of the browser used to verify that (for Internet Explorer the Windows store will be used, and for Firefox the NSS store will be used), if the certificate isn't legit, the created certificate will be created in a way it would raise an alert to protect the user."
A huge ugly hack...
Now Lenovo is "soon" going to explain how to remove this certificate after the "uninstall" in a buried forum post...
Down around 0200 PST 2015-02-19
 cpeterso https://news.ycombinator.com/item?id=9072642
I guess Firefox should block that plugin as malicious.
That's the odd part of this. Browser plugins can modify the DOM (insert ads, change search results, etc) without proxying anything. So why do it? I wonder if they were fishing for an NSA contract to further monetize the installs.
I even considered buying a Lenovo recently when a pretty nice looking ThinkPad was on sale, but a couple of friends have had very bad experiences with their Lenovo laptops. Both have had to go back to Lenovo for repairs; one of them had to send it back twice, and on the second go around demanded a new one instead of a repaired one, because the "repaired" one was worse than when it went in for repairs.
That said, there's "bad QC", which is forgivable with time and a sincere effort by the company to correct it, and then there's "evil". Intentionally shipping adware is evil.
Given this, I can genuinely think of no way for Lenovo to ever get my business for any product.
Crapware doesn't bother me, since that gets wiped before I start using the box, including the biggest offender of all them crapwares - MS Windows. Unless you're concerned about one of those disk-firmware-rewiring NSA uglies, that's a foolproof solution to the nastyware problem.
Hardware is good, in case of trouble on-site warranty works well (once you've learned your way through the ibm website). Be informed about what you buy, skip the comically broken models (see adaptive keyboard) use common sense and your thinkpad will be good. Nothing out of the usual when buying tech stuff.
Though in a not so distant future, if Lenovo's decline continues, it may be wise to stay away from their brand altogether.
A friend bought a $1000 laptop (U330 touch) from them and a piece of plastic holding a hinge broke. When I looked at it, it was clear that the part could have been 10 times (yes, 10) thicker without adding much weight (about a gram I guess) and probably zero cost.
I find this mistake nearly unacceptable but the evil part comes when you ask for warranty and they tell you that you must have done something wrong, why would a hinge break otherwise? And you accepted the warranty terms, so it's their right to say so.
Quality control also was an issue as the laptop first came with a malfunctioning keyboard and a non operating touch screen.
So yeah, now is not a good time to buy anything from Lenovo.
We bought T440s a year or two later and both were just abysmal. The trackpad, the keyboard, everything is crappy and fails to work properly. No one at our company would use them and they sit in a closet now. I've been monitoring Lenovo's laptops recently and they all seem to be getting worse and worse.
I have read similar things about basically every laptop (heck, even cars, TVs, fridges) brand in existence.
Ars Technica just reviewed the 3rd generation version: http://arstechnica.com/gadgets/2015/02/thinkpad-x1-carbon-re....
Mess with my muscle-memory and you're sure I will never buy your laptop. Same reason I'll never consider MacBooks: Non-standard keyboard.
OK, that's one part of non-traditionalism :-) Luckily, the Ctrl and Fn keys' functions can be swapped in the BIOS (but obviously, the key labels will stay put).
I referred to the strange setup of the Caps Lock key, and the missing 6th row with function keys. (Although the functioning of the function keys is different in the 3rd generation model than in the 1st generation model).
Then again, the first thing I did when I bought it was install an extra SSD and install Linux.
This is exactly why I've been recommending Chromebooks to anyone who asks my advice for about a year now.
Microsoft's Windows Installation Media Creation Tool enables you to download a clean Windows 8.1 ISO that can be used to re-install the operating system and wipe out all of the preloaded bloatware on any PC.
To do the same with a Windows 7 PC, visit Microsoft's Software Recovery website.
From Windows 8.1 Update 1 onwards, there is a built-in PowerShell cmdlet called Export-WindowsDriver that will backup all of your third-party drivers prior to reinstalling the OS.
Export-WindowsDriver -Online -Destination c:\DriverBackup
Once you have created a bootable USB flash drive from the Windows ISO, another useful tip is to create a folder called $WinPEDriver$ in the root of the drive and copy the drivers you backed up into here. Windows will automatically install the drivers found in the $WinPEDriver$ folder during installation of the OS.
Chromebooks are the worst possible thing, I tell everyone to stay away from these crippled google branded piece of slavery.
I advise either a second hand quality laptop or a brand new one while budgeting a little extra for cleaning the crap that manufacturers preload inside to allow for such a low selling price.
(An unnecessary hassle, I agree)
What did they do? If they detect a "counterfeit" FTDI (in other words, a clone not necessarily claiming to be an FTDI), the driver bricks your chip!
Yeah, you can fix it using Linux, but it's a pain in the ass.
Or use Linux and be away from this cancer of MS Windows ecosystem.
For instance, is it "only the OS installed" if it includes hardware-specific support for the display adapter, or a fingerprint reader?
Anyway, all laptops I have seen include either a generic Windows OS installation disk, or an option to order one for the price of mailing cost. But of course even with these you might have something included which you do not consider "only the OS".
It would sure be nice to bring home a Windows machine that only had Windows on it and any necessary but minor applications from the manufacturer (like a settings application or drivers and not some photo sharing spyware).
The second gen X1 Carbon has two "innovations" I could live without. A clickpad and an LCD serving as function row keys. I must not be alone in my woes, as the third gen X1 Carbon reverted the change and has normal trackpad buttons and real function keys.
Other than that, the same quality Thinkpad build. It's not a war tank as the R40 was but, then again, it does not have the weight constraints that allow for a rollcage.
I know it is fashionable to say Lenovo fumbled the Thinkpad brand but, at least in the top of the line products, this isn't true. Of course, this is anecdotal, based on my company's purchases and nothing else. If you listen in forums, the landscape is much as the one here on HN (even if 90% of those who speak never bought a "chinese" Thinkpad)
I suspect the cheaper Lenovo laptops are shitty though.
We've tried HP and Dell in the past with the same ugly results. Horrible default images full of crapware, though not MITM bad. The only difference is that we had 10x the hardware issues with Dell and HP. We always need to make our own images. Windows OEM is a nightmare of shit crapware, which is a shame as the stock windows product is actually, dare I say, good? At least good for business use cases.
I also find it amusing that anytime there's some kind of issue in the US people instantly yell NSA, but thus far no one has thought to think this could be the CCP's attempt to spy on people by weakening SSL. I'm sure it's trivial for them to grab the private key from Lenovo. Seems like the cyberwars are heating up.
Personally, I hope this becomes a major scandal. This deserves lots more press. In fact, every anti-virus product should remove this and the certificate. Anything short of that is irresponsible. This is congressional investigation worthy right here.
Also, if you add a <meta name="superfish" content="nofish"> tag, it gets disabled as well.
Possibly some agreement with Google, like the ones they tend to make with ad-blockers? (http://www.theverge.com/2015/2/2/7963577/google-ads-get-thro...)
it probably is, but by the look of things one can safely assume that they can fuck off
How much you want to bet that thing is XSSable?
Correct me if I'm wrong, but I don't think any amount of CSP will help you in this situation. They're MITMing traffic and thus can modify the CSP headers.
The other URL in the code is "https://www.best-deals-products.com/ws/sf_preloader.jsp". That domain is being blocked by some DNS services right now, but it's up. It's a Domains by Proxy domain. That code is worth reading. You can tell what it's looking for as it examines the pages you are browsing. It has a detailed analyzer for car ad price comparisons, and a simpler one for hotels. It phones home to "http://ia1-p:10009", which isn't a valid domain, but there may be some conversion of that I haven't found. One out of every 10,000 times, it reports some debug info to "https://www.superfish.com/ws/trackSession.action".
There are long lists of sites, both blacklists it avoids and whitelists it messes with. There's a list of "paying countries": "IE|CH|ES|US|AU|BE|IT|AT|NO|CA|DE|NL|SE|GB|DK|FR|BR|NZ|AR|MX|CL|CO|RU".
Lots of comments and debug code; it's not obfuscated at all.
Fuck that guy and the company he rode in on.
When I put a new webpage online using my webhost's cPanel to edit the raw HTML everything seemed fine, until a friend asked about a 'best-deals' script running on the page. The Malware / Adware was intercepting & inserting a script not only into pages I was viewing but also pages I was putting online.
Very, very concerning. I have since removed it completely from my system but it's still caused some paranoia. Thankfully it was only a hobby project which was affected & not paid.
They would have to have some sort of software that is able to detect that you are connecting to cPanel and then act on your behalf. That is significantly more involved and more malicious than "just" intercepting HTML in flight and injecting ads.
Either way, this was a downloaded HTML file which was then copied into cPanel. I never viewed or edited the file between its download from JSbin & pasting into cPanel.
The Malware was affecting files & not just pages viewed in browser. Nasty stuff.
I have to bypass my own ad-filtering proxy whenever I download some files, as otherwise it may corrupt them as it attempts to filter out anything it detects as ad-like in the content. Not surprising that this adware would attempt to inject its script into anything it detects as being HTML.
The best deals script is the very same which I found on my machine, Lenovo is written all over this.
Never buying Lenovo again.
Result: no bloat and no malware
We can't just dismiss this sort of behavior because you can reformat the computer and "Result: no bloat and no malware". They need to learn that people won't let them get away with this. So no this is unacceptable, I too will never buy nor recommend a Lenovo product in the foreseeable future!
This is a standard consumer protection issue, as the sticker price fails to represent the actual price of the product. The seller is concealing the true price, hiding it in the terms and conditions, while putting the blame on the consumer for not being aware before buying. It's likely false advertisement, possible misrepresentation in the contract (if the consumer knew the truth, would that party have agreed?), and very likely a case of fraud. Lenovo seem to have opened themselves to be sued.
"Superfish Window Shopper is a free browser add-on that instantly compares prices and shows similar items on ANY product in hundreds of U.S. online stores including Amazon.com, Best Buy, Macys, Nordstorm, Overstock.com, Staples, Target, and Wal-mart."
So if I have this right, this is essentially a massive affiliate scheme to produce revenue for the company? If it compares prices on all these sites, affid='s are injected for Lenovo and a % of the sale is given to them?
Edit: doing the math here on this for the last few hours and even if just a few million units have been sold, this has to be tens of millions of dollars (being very generous) over the past few quarters.
Their reviews are horrible as well. All spam / annoyance related.
But proxying all traffic from all Lenovo laptop owners through a third-party server without someone immediately noticing a problem is just not feasible, so I think we can assume that's not what they're doing.
2. Also, my browser.newtab.url was changed to some URL (http://homepage-web.com/?s=lenovo&m=tab) instead of the default about:newtab
Steps to remove VisualDiscovery / Superfish
1. Home menu, search for Administrator tools
2. Open services
3. Find the VisualDiscovery service. Stop the service.
Right click properties. Set "Startup type" to Disabled
4. Start -> Control panel
5. Add/ remove programs
6. Find Superfish and uninstall
Who, if anyone, has taken over the place of great laptop for Linux / development?
They're basically rebranded Sagers/Clevos, I believe, so you may be able to get essentially the same machine for a little less money, but weigh that against supporting a Linux laptop seller.
It was portable and powerful enough, but the MBPr gives me a much better overall experience. At half, perhaps 2/3 of the price of the 13" MBPr, it might still be worth it.
In fact Fusion on the MBPr was the first VM app I used that didn't suck; I used to run various VMs in VirtualBox on the XPS which had, in theory, the same specs and a better CPU and the lag was worse than ssh into a server on the other side of the world (not to mention the overheating)...
I hear you on moving away from Linux. You do get a feel, often, that OSX is consumer oriented and just "gets in the way". On the upside, when you need stuff, you can usually find it quickly and it just "works". That's the ecosystem. Still, if I was to go back, it would STILL be on a mac. One of my former colleagues wiped OSX and installed http://nixos.org/, so I'm sure a more popular distro would work out.
The thing is, well, this will sound like every other Apple addict out there, but, the hardware quality really makes a difference, and it is quite hard to explain. The MBPr is the first machine I've ever used that feels "perfect", as if they got everything right. And with most of my work done on the cloud anyway, I didn't need absolute top line specs; portability and things like battery life mattered more. Amongst the other machines in the house is an X230, which I wanted to get and boost instead of the XPS, but it feels almost ten years older.
As for price, in early 2014 I spent a few weeks looking for a good standard dev laptop for the company (which I've since left) and got a good feel for the alternatives. In raw specs, you can get a cheaper "laptop", something that will fit a backpack and work for a while unplugged, yes (think W530). If you need portability though, all ultrabooks at the time were more expensive if specced to the same level. We did buy a couple W530s and upgraded them a bit (32GB RAM, etc.) and all their users ended up using them like desktops. I do not know if this is still the case, probably not, but I've seen many nominally more powerful "ultrabooks" (like the YogaPad, whose user assured me he had better resolution than me) fail in other ways; battery life is one, creaky joints is another. It took me a few more months before I got over my psychological block and got the base spec MBPr when it came out in August... One thing to note is that there are corporate discounts; if you or your friends are employed by a big corp, you can save a few hundred. Also, the upgrades are REALLY expensive compared to alternatives - why pay 300 dollars for extra SSD when you can get an SSD-grade, flush-with-the-side card from Transcend on Amazon for under 50?
I wish more computers were built out of whatever my EEE PC 701 was. It was matte and almost indestructible.
But I bought a second hand X201 instead :)
1. Is robust
2. Is reliable
3. Is black
4. Has only useful software pre-installed, from the manufacturer (e.g. the Lenovo thing which updates drivers)
5. Has a TrackPoint
6. Has a consistent keyboard layout
7. Has hardware buttons ('mouse', function keys, etc.)
8. Has a functional screen
Every few months David Hill of Lenovo starts crowing about some new ThinkPad where they've 'innovated' by breaking one or more of these features, usually the keyboard layout or the hardware buttons. There is then a storm in the comments, which is ignored, then they put the thing out, and people skip that model, then they think 'maybe we should listen to our customers' and put it back as it was. Then they make the same mistake again.
The last two X1 Carbons are a perfect example of this. They turned the TrackPoint buttons and function keys into 'touch' buttons. Everyone said it was a bad idea, but they did it anyway, then quickly reversed the decision for the next iteration.
They're going to keep making this sort of mistake, because there's a problem in understanding their customers which doesn't seem to be getting fixed - so it's probably at a high level.
What I'd like to see is another manufacturer step up and make a ThinkPad-ish line, so that Lenovo can be taught a lesson by having their customers abscond. They might then realise that they can't keep doing this and put in place a policy of keeping a line of ThinkPads for their ThinkPad-loving customer base.
Now that they've diluted the brand by making some terrible laptops with ThinkPad stamped on them, though, (W, E, L series, etc.) they should probably have some other mark on their 'proper' ThinkPads, i.e. their X and T series.
If I was given the job of fixing this at Lenovo, I'd do this:
1. Kill off the ThinkPad brand. It's tainted.
2. Invent a new name for the premium laptops. Something workmanlike, off the top of my head: WorkStead.
3. Tell the world that the premium business laptops are now called WorkStead.
4. Tell the world what makes a WorkStead laptop, guaranteeing those things which have been broken repeatedly over the past few years, e.g. consistent keyboard layout, real buttons for everything.
5. Rebrand the X and T series with this name, but only the ones that deserve it.
6. Wait for people to again start saying 'Get me a fully loaded WorkStead T4xx series' like they used to do with ThinkPads, before they had to say 'Let me check which models they've managed not to ruin recently'.
7. Stop asking people to choose between 3 slightly different Intel wifi cards within $10 of each other in price, defaulting to the worst one, when they're buying a $3000 laptop.
... And other brokenness in the configurators.
"Multiple intelligence and defence sources in Britain and Australia confirmed there is a written ban on computers made by the Chinese company [Lenovo] being used in “classified” networks."
I sometimes wonder if autocratic regimes are so image focused that they've seeded popular forums with stooges.
As opposed to Lenovo agreeing to implement a backdoor? I'm not sure either.
UL provides a bunch of rules for mains-connected devices that are non-obvious to the user but critical for safety. Likewise, users are subject to non-obvious privacy threats from internet-connected devices (leakage of personal information, injected advertising or referral links). These should be at least clearly labelled.
So Android devices would get a "yellow" rating for "transmits personal information securely to Google" and these Lenovo laptops and Samsung TVs would get "red" for "transmits personal information in cleartext".
... and replace the CPU with one that is known not to have backdoors. You'll have to craft it from silicon yourself, though, because there aren't any available for sale anymore.
"... rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate. The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove."
I have a lot of friends who haven't figured out the whole security-as-a-spectrum thing, and they spend a lot of time giving themselves grey hairs over adversaries that 1) they can't beat, 2) aren't worth beating, and 3) don't care about them anyway.
For example, it could binary-patch (either at write time or read time) your kernel image on disk to communicate with the NIC, etc...
I expect the "cheapest drive" is not an SSD.
You said "the cheapest drive is not an SSD".
The point is to minimise the money spent on the drive supplied with the machine because you're not going to use that drive, you're going to throw it away.
One can only hope that they keep Motorola as an independent business unit.
So for "developer-tier" laptops, i.e. not a netbook, does that pretty much leave Apple as the sole non-shit laptop maker? Is there a Chromebook out there that runs Linux pretty well if you pull Chrome OS off?
You pay a hefty premium for that backlit Apple logo on the lid, and I'd prefer to get something a little more down-to-earth.
For laptops, at least, I buy them and use them until they die.
I've only owned three laptops in my life.
There's a whole world of bad software engineering in that observation!
Precision M4800, for example.
15", i7-4710MQ, Nvidia Quadro K100M 2GB, 4K screen, AC wireless, 512GB SSD for around $2500, about similar to the high end rMBP 15" (yes, I know there are things the rMBP has, just as there are things the Precision has - it's 'comparable', not 'identical').
If you work for SuperFish and read this: I think it's time to learn about ethics and it's time to walk away from your job NOW.
So on a fresh Windows 7 virtual machine with zero apps installed, this program gives me 200 some errors and wants $49.99 (-$20 for instant savings) to register the program. This keeps getting better. Typical scam.
Dell's entire business line of Latitude laptops has been completely broken under Linux for 10 months. It took them that long to merely revert the "keyboard improvements" made between two BIOS revisions, but they subsequently shipped, and are still shipping, brand new machines without the fix or any downgrade path. These machines just aren't fit for purpose.
IMHO Richard Stallman is right, if for no other reason than I see no other way to end all this consumer abuse and borderline criminal negligence. In the meantime, this debacle sounds class-action worthy to me.
Here's the complaint form for Massachusetts:
There has been an uptick in computer security related news stories lately. I think the tide may be changing, albeit slowly.
Also, why are we bitching just at Lenovo? There are software developers out there writing this shit. Name and shame the companies and staff. There needs to be a no-hire and no-do-business-with list.
Ethics go all the way down.
I'm rather disappointed though as I've recommended Lenovo hardware recently to people and use an X201 myself.
The WiFi drivers are made by Intel, but yes, they were terrible (blue screen). I had to downgrade back to the drivers that came with Windows for a while, but the latest versions seem to be fine. I'm using some stock touchpad drivers that don't seem to have any kinetic scrolling.
But I'm the person who brought this to the attention of Hacker News: https://news.ycombinator.com/item?id=8546702
Basically after installing just about everything the laptop comes with, it seems to be running great. :)
Additionally, a roommate spilled a pint of beer on my computer and Asus replaced it for free, despite not having an accidental damage warranty.
I bought the Lenovo because I was really annoyed with Apple when my MBP died just after the 3 years of AppleCare I paid for expired on my 2011 model (notorious for failing: https://mbp2011.org/, I guess I can't win with laptop vendors). It was my first time working with OEM Windows in a while (the laptop before the MBP was a Dell in 2005) and I was surprised at how much more bloatware vendors thought they could stuff into a new laptop compared to the past. Next time I guess I will either go back to Apple or get something that comes with Linux installed just to avoid the Windows bloatware.
This shit must stop.
And of course Windows 10 will be a free download.
- looked up the Windows and Office license keys of the existing installation, using a utility
- download Windows 7 disk image from Microsoft and burn on a DVD
- take out the old disk with recovery partitions and installation with crappy bloatware
- put in a new SSD disk, boot DVD to install OS and install Office
- download and install HP specific drivers for peripherals (display adapter, fingerprint reader, wlan/3g, whatever)
- enjoy a relatively bloat-free Windows experience with improved battery life
EDIT: According to another comment here, HTTPS connections in Firefox aren't affected because they don't use the system certificate store. But what about Chrome - do users see an error on pages with pinned keys, or is the proxy smart enough not to attack those connections? Or does it also disable Chrome security features like HSTS and key pinning?
Also, apparently this is just the start for crapware on new PCs - Paul Thurrott said on the podcast Windows Weekly about a week ago that crapware is going to get a lot worse this PC cycle.
Did he say why?
Then look to see if the certificate for a secured site lists Superfish:
(That doesn't prove it isn't on your computer, but it will show if it is actively intercepting your connections)
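Both checks in this thread, the removal steps above (the VisualDiscovery service and the Superfish uninstall entry) and the "does the certificate list Superfish" check just mentioned, can be scripted. This is an added example, not code from the thread or from Lenovo; it assumes Windows PowerShell 5 or later, the service name VisualDiscovery from the steps above, and uses example.com as a placeholder host to connect to.

```powershell
# Added example (not from the thread): read-only audit of a Windows machine for the
# Superfish / VisualDiscovery components named in the removal steps, plus the live
# issuer check from the later comment. example.com is a placeholder hostname.
function Get-SuperfishIndicators {
    $findings = @()
    # 1. The VisualDiscovery service (the local proxy) from the removal steps
    $svc = Get-Service -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service VisualDiscovery present: status $($svc.Status), start type $($svc.StartType)"
    }

    # 2. A trusted root certificate whose subject mentions Superfish (machine and user stores);
    #    the thread reports that uninstalling the program does not remove it
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'Superfish' } |
            ForEach-Object { $findings += "Root cert in ${store}: $($_.Subject) (thumbprint $($_.Thumbprint))" }
    }

    # 3. Add/Remove Programs entries mentioning Superfish
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Superfish' } |
        ForEach-Object { $findings += "Installed program: $($_.DisplayName)" }

    return $findings
}

# Which CA issued the certificate a browser would see for a site? If the proxy is
# actively intercepting, the issuer names Superfish instead of the site's real CA.
function Get-HttpsIssuer {
    param([string]$HostName = 'example.com')
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        # Validation is bypassed here only so the (possibly intercepted) chain can be inspected.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
        return $issuer
    } finally { $client.Close() }
}

$findings = Get-SuperfishIndicators
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Superfish service, root certificate or uninstall entry found.' }
Write-Output "Issuer of the certificate presented for example.com: $(Get-HttpsIssuer)"
```

A clean machine reports no indicators and an issuer belonging to a public CA; finding the root certificate even after the program is gone matches the observation in the thread that uninstalling does not remove it.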
"[...] its own self-signed certificate authority which effectively allows the software to snoop on secure connections [...]"
"[...] the certificate allows the software to decrypt secure requests[...]"
As kentonv reported, it's actually the local proxy, installed by the ad(Mal?)ware which is at the center of the MiTM attack. The root, self-signed certificate is installed in order for the attack to be transparent to the victim (i.e. no warning in browser).
A Google search on the filename had others saying that it was removable by uninstalling some Lenovo Utility preinstalled.
"Why do it if you are Lenovo? Well it seems clear to me that there was a financial inducement provided by superfish. I mean Lenovo is not loading software unless they are financially benefited. Come on.
As far as other inducements go, consider this. Two weeks ago I got an expensive, new Lenovo machine. Got it running just fine, thank you, and then I download Chrome from what was very, very clearly identified as google.com. Who do you trust man. Fired it up and immediately my machine locked me out and became unresponsive. Called Lenovo and for $200 worth of Lenovo.premiumsupport they fixed it and gave me 10 months of additional support. $20/month for 10 months on top of a normal laptop margin does not provide much of an inducement to cease and desist."
But as far as adware/malware is concerned, that's a non-issue for me as the first thing I did when I got the machine was to replace the Windows drive with an Ubuntu SSD.
Lenovo doesn't stand out as much as they used to. Dell/HP/Apple make pretty great business laptops these days. If everything else is equal and I know the competitor (for example) won't install adware, then why would I ever buy Lenovo again?
Not only does it clean all the bloat from vendors, but now it will also remove malware.
I know which laptop I will never be buying.
Sure as hell not going to be doing that any more.