Superfish: Lenovo? More like Lolnono – until they get real on privacy

Everyone and their dog has an opinion on the Superfish debacle which has struck once mighty Lolnovo Lenovo a potentially critical public relations blow. The Register's own Ian Thomson had little nice to say on the subject, and both social media and anecdotal experience indicate to me that his feelings are reasonably widespread …

  1. Decade
    Linux

    Problem is inherent to closed source

    The truth is that privacy has no real meaning when you use closed source software. Open source might make your heart bleed, but everything is out there and open. There are no secrets. With closed source, it's ultimately just a trust game.

    That's why I say that, in the long term, open source is the only reasonable option.

    1. Anonymous Coward
      Anonymous Coward

      Re: Problem is inherent to closed source

      The problem is made worse by closed-source, but open-source isn't immune.

      Take OpenSSL's heartbleed for example. Unintentional though it was, it sat there for a number of years before the vulnerability was discovered.

      The effect of the bug was no different to spyware: it was a potential breach of confidentiality.

      The difference is in the clean-up. Most binary distributions had fixes out within a day of the patch going into OpenSSL upstream. Anyone with a source-based distribution could do it themselves.

      The only people who really got burnt were the embedded sector (and customers) who have to compile and ship new firmware.

      The only way in which having source code wins here is that you, the end user, are potentially free to fix the problem yourself or pay someone you trust to do it for you. If you do not have the source code (irrespective of its license) then you basically are stuck with negotiating with the supplier of the software to obtain fixes.

    2. Lars Silver badge
      Linux

      Re: Problem is inherent to closed source

      First of all an objective article. I do prefer open source but this, however, is not about the source at all. If Lenovo, and let us be adult and call them Lenovo, started to deliver Linux laptops they could as easily have installed similar crap on the computer, open or closed source.

      1. big_D Silver badge

        Re: Problem is inherent to closed source

        Exactly Lars, or the machine would have been more expensive with Linux installed, and no crapware.

        The problem has nothing to do with open or closed source software. The problem has to do with the hardware being sold below cost. That means that the manufacturers have to make their profit somewhere. And that is, currently, selling high end machines for realistic prices or selling cheap machines piled up with crapware.

        That said, I inspected my daughter's Lenovo Yoga 2 yesterday, when she came to visit, as it was an October 2014 model and allegedly affected by this. But there was not a trace of it.

    3. Anonymous Coward
      Anonymous Coward

      Re: Problem is inherent to closed source

      It looks like someone already forgot the Ubuntu-Amazon deal...

      http://www.theregister.co.uk/2012/09/24/ubuntu_amazon_suggestions/

      1. Decade
        Linux

        Re: Problem is inherent to closed source

        Alright, I was in a hurry when I wrote that first reply. Properly, I should have said, “free software,” but the distinction is too complicated to explain quickly, and Eric Raymond and Bruce Perens are bad men who made “open source” the instantly recognizable phrase instead of “free software.”

        The crucial bit is the freedom to seek your own software providers. Don’t trust Canonical? Then take advantage of their hard labor and use Linux Mint. Don’t like OpenSSL? Then sponsor development of LibreSSL. Feeling cynical about Code.org’s message of universal coding? Just code for yourself.

        The open aspect is also nice. Apple sends your searches to spammers? Nobody knows until somebody does a packet capture or something. Canonical sends your searches to Amazon? There’s immediate outcry, and, before it even ships, multiple opt-out methods are provided. Including that Linux Mint option.

        Everybody knows that nobody upgrades the software on their computers. Part of that is the training: Everybody is told that they are not supposed to modify the software on their computers. This goes all the way back to the beginning of the software industry, exemplified by Bill Gates’ Open Letter to Hobbyists: Since he made the software, only he has the privilege of modifying it, and everybody else should pay him to do so.

        That set up a dysfunctional dynamic, so that the bosses of Lenovo thought it was a good idea to put a little piece of unvetted closed-source software onto their customers’ computers. After all, the rest of the software is unvetted, all the way down to the operating system and the firmware that runs before the operating system runs. What more harm can one little bit of software do? (Plenty, it turns out, this time.)

        1. big_D Silver badge

          Re: Problem is inherent to closed source

          Everybody knows that nobody upgrades the software on their computers. Part of that is the training: Everybody is told that they are not supposed to modify the software on their computers.

          Rubbish. The industry is continually spending millions trying to get people to upgrade. People don't upgrade, because they don't understand or aren't interested in what operating system they run.

          "It works, why would I want to upgrade" or "why would I want to pay for Windows again? My copy still works."

          And for that audience, and that is the vast majority of PC users, they buy a pre-installed PC, because they wouldn't know how to install a mint on it, "that is something you eat, isn't it?" So they buy a PC with the manufacturer's Linux image and they wouldn't be able to tell the difference, if it was standard Ubuntu or Ubuntu packed full of adware...

          For those users, it is like selling them a car without an engine and expecting them to put their own engine and electronics in. They don't know and they don't care, as long as it gets them from A to B and their friend Tom or the local dealer can check the oil for them once a year...

          For IT professionals and IT enthusiasts, that is a totally different story - but like car enthusiasts, who strip the engine out and rebuild it to blueprint specs or bore the engine out - they are few and far between in the general population.

        2. Anonymous Coward
          Anonymous Coward

          Re: Problem is inherent to closed source

          Sorry, but yours is a rant along the lines "Only <put your preferred religion here> will save your soul from this decaying and rotten world!".

          This was not a technical issue of closed, open, or free source. Or do you assert that it was *technically* impossible to install that kind of dodgy software on a pre-installed Linux Mint, for example? If so, feel free to explain....

          Truly, they could have even installed a modified kernel to achieve it...

    4. Voland's right hand Silver badge

      Re: Problem is inherent to closed source

      This has nothing to do with closed source.

      The system in place was designed to subvert regardless of closeness or openness. You can configure the proxy in firefox and it will work with firefox same as it does with IE, Chrome, etc. The approach is not new, there are appliances like this for corporate use.

      This is just a lame, badly done single user implementation of the same appliance. While it can do what it says on the tin (content inspection, parental control or as in this case ad injection) it is an inherently bad idea because it puts the crypto out of the hands of the user. While this may be acceptable in some corporate environments, for end user use it definitely is not.

      While at it, there is an important caveat here. NONE of the SSL/TLS would have been broken if there were user certificates in use as well as server certificates. I love listening to people who have no effing clue how TLS works complaining that it is inherently broken. Well, if it is done properly (both sides authenticating each other as they should) it is not. Neither in general, nor in this case because the handshake would have failed with the server not recognizing the user certificate or mismatching certificate to user/pass or whatever other credentials are in use.

      1. Anonymous Coward
        Anonymous Coward

        Re: Problem is inherent to closed source

        While at it, there is an important caveat here. NONE of the SSL/TLS would have been broken if there were user certificates in use as well as server certificates. I love listening to people who have no effing clue how TLS works complaining that it is inherently broken. Well, if it is done properly (both sides authenticating each other as they should) it is not. Neither in general, nor in this case because the handshake would have failed with the server not recognizing the user certificate or mismatching certificate to user/pass or whatever other credentials are in use.

        How do you distribute a certificate to a remote user (i.e. overseas customer sees something on your site and wants to purchase)? The server will have never seen anything presented by the user.

        By the sounds of things, this SuperFish proxy could have potential access to your user certificates too.
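The exchange above turns on what a re-signing proxy of the Superfish kind actually hands the browser: a leaf certificate carrying the real site's name, but issued by a root that was planted in the machine's trust store rather than by the site's CA, so the browser's padlock is satisfied and the site itself never sees the substitution. The check below is an example added for this page, not code from any comment, from Lenovo or from Superfish. It does what a practitioner would do to answer "am I being intercepted?" from the client side: connect with the system trust store the way a browser would, flag a leaf whose issuer is a known interception root (matching on the common name the Superfish root certificate carried) or that is self-signed for the site's own name, and optionally compare the leaf's SHA-256 fingerprint with one recorded from a device or network the local proxy cannot touch. It assumes the browser uses the same trust store that `ssl.create_default_context()` loads. The `INTERCEPTION_ISSUER_CNS` set, the `assess`/`fetch_leaf`/`classify_peer_cert` names and the two sample certificate dicts are this example's own constructions; the samples are not captured from a real machine.

```python
"""Is the HTTPS leaf this machine sees issued by a local interception proxy?

Added example for this thread; not code from any comment, Lenovo or Superfish.
Assumption: the trust store ssl.create_default_context() loads is the one the
browser uses, so a handshake that succeeds here reflects what the browser
accepted. The issuer match relies on the interception root naming itself, as
the Superfish root did with the common name "Superfish, Inc.".
"""
import hashlib
import socket
import ssl

# Issuer common names that mark a locally installed interception root.
# Add your own corporate inspection CA here if you run one on purpose.
INTERCEPTION_ISSUER_CNS = frozenset({"Superfish, Inc."})


def name_to_dict(name):
    """Flatten the ((('commonName', 'x'),), ...) tuples that
    ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    flat = {}
    for rdn in name:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def classify_peer_cert(cert):
    """Return (verdict, reason) for a leaf in getpeercert() dict form.

    'intercepted': issued by a known interception root, or self-signed under
    the site's own name (what a re-signing proxy produces). 'clean': the
    names look normal; combine with a fingerprint check before trusting it.
    """
    subject = name_to_dict(cert.get("subject", ()))
    issuer = name_to_dict(cert.get("issuer", ()))
    issuer_cn = issuer.get("commonName", "")
    if issuer_cn in INTERCEPTION_ISSUER_CNS:
        return "intercepted", f"leaf issued by interception root {issuer_cn!r}"
    if subject and subject == issuer:
        return "intercepted", f"leaf is self-signed for {subject.get('commonName')!r}"
    return "clean", f"leaf issued by {issuer_cn!r}"


def sha256_fingerprint(der_bytes):
    """Hex SHA-256 of the DER leaf, the value browsers show as the fingerprint."""
    return hashlib.sha256(der_bytes).hexdigest()


def assess(cert, der_bytes, reference_sha256=None):
    """Name check plus out-of-band fingerprint comparison.

    reference_sha256 is the leaf fingerprint seen from a vantage point this
    machine's proxy cannot reach (another device, another network). A proxy
    that re-signs the site must change the fingerprint, whatever name it
    writes into the issuer field, so this catches a root that mimics a CA.
    """
    verdict, reason = classify_peer_cert(cert)
    if verdict == "clean" and reference_sha256 is not None:
        seen = sha256_fingerprint(der_bytes)
        expected = reference_sha256.replace(":", "").lower()
        if seen != expected:
            return "mismatch", f"fingerprint {seen[:16]}... differs from reference"
    return verdict, reason


def fetch_leaf(host, port=443, timeout=5.0):
    """Connect as a browser on this machine would; return (dict, DER) of the
    leaf we are handed, which with a proxy in place is the proxy's forgery."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed samples in getpeercert() format (not captured from a real
# machine): a Superfish-style forged leaf versus a publicly issued one.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}
SAMPLE_CLEAN = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Issuing G1"),)),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    reference = sys.argv[2] if len(sys.argv) > 2 else None
    cert, der = fetch_leaf(host)
    print(host, *assess(cert, der, reference))
```

Run it as `python check.py www.example.com <sha256-from-an-unproxied-device>`; without the second argument only the name check runs. The caveat the fingerprint step exists for: a proxy that installs a root named like a public CA passes the name check, and a corporate inspection appliance you do expect will trip it, so treat the issuer match as a quick triage and the out-of-band fingerprint comparison as the real answer.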

    5. Richard Jones 1
      FAIL

      Re: Problem is inherent to closed source

      While I am in general terms in full agreement with your article I suspect that it over-complicated the discussion process that went on. These were laptops out of the 'normal' Lenovo comfort range of corporate users. These were for marginal low cost customers, many of whom probably were very likely not very skilled with a PC. Note I have avoided the word savvy for a very good reason.

      Along came Superfish to make life even easier for the simple user, OK I know that this should have set off alarm bells round the entire company if not the world, but I will bet the original presentation went to the marketing types, 'Gee this will make the machines so much easier for the unskilled to use and we get a few cents or dollars off the price.' They would not even have the ability to know about 'What could go wrong' let alone ask the question. So marketing said shove this on the low cost machines and make them easier and cheaper to use, 'Look it even self configures so no need to change production they said to us.' The rest was history.

      I do not see this as open versus closed versus any other model of software, this was a simple dumb, crass stupid commercial idea for which the customer in the middle (Lenovo) fell, or sleep walked into, hook line and sinker.

      Browser helpers are always an awful idea, end of. Do it yourself or learn how to. Good Samaritans do not exist.

      As for the company that produced the crapware, it appears unlikely, but maybe they really thought they had a good idea, or were they also paid by an unseen hand? I do not know

    6. I. Aproveofitspendingonspecificprojects

      It will never happen

      Loading a computer with the closed source crapware Windows included IS the business. They are unlikely to have been making dollars on the crap they foisted. It was more likely cents, maybe even fractions of cents.

      And low as it is, Linux can't compete with that. But at least it lifts a lid few of us get to see under.

  2. DNTP

    "the chances are actually pretty good that this sort of descision was taken by a mid-level management body and signed off on by a low level executive"

    See this is why whenever I hear there is someone in a suit trying to sell something technical to our management, I grab my laptop and kick open the door and walk in and sit down at the meeting and basically bet no one wants to be the one to tell me to get out.

    (minus, maybe, the actual kicking part)

    That's how to spy on stuff honestly. None of this sneaky Lenovo type dealing. Just walk in and be all like, I'm here, I understand this stuff, tell me what's going on so I can help you make a decision.

  3. Anonymous Coward
    Anonymous Coward

    Thing is, Trevor, whilst I think your article is well written and rational and actually is a breath of fresh air...what Lenovo did was STUPID. As you said, not really out of greed or malice, just plain idiocy.

    Thing is, Lenovo have a good past. They bought the Thinkpad name and, because Thinkpads are well used by us in the industry, indeed this is being typed on one right now, we tend to hold Lenovo to a higher standard.

    Forget the shiny, we cry out for decent screen resolutions in a sensible format. Keyboards we can actually use! Machines that survive being taken to the ends of the earth and abused. Machines we can strip down and replace stuff easily. Machines that we use as tools, and as decent tools get regarded by those that wield them, we regarded these.

    And there are several things which, over time, we have started to get a little annoyed over. Change that didn't seem to make sense to those of us who felt we had an affinity for Thinkpads. We felt a little shortchanged, but we stuck by because we have some loyalty and they are still nice machines, we can use them and recommend them when people ask us what should they get, even if we still need to remove a lot of bloat.

    So this, even if it was stupid, was an act of betrayal. I mean, think about it...they actually had fake certs? Trivial to resolve yes. But it goes against everything we, supposedly, stand for. I say we, I mean those of us in IT who work with these things every day.

    If this can happen so easily for something as silly as advertising, then just think how easy it would be to compromise firmware, whether any government or criminal body (probably interchangeable terms) wanting their own piece of the action.

    I too, will not buy another Lenovo (Lenomo ?). Nor Dell, for that matter, but that is because they are a pita to do anything to, and usually they spec some esoteric Dell own hardware that uses some piss poor driver that never gets updated properly.

    I don't know where I will go next, and I will be sad not to use Lenovo hardware again, but the only voice I have is my wallet.

    1. Electron Shepherd

      we cry out for decent screen resolutions in a sensible format. Keyboards we can actually use! Machines that survive being taken to the ends of the earth and abused. Machines we can strip down and replace stuff easily. Machines that we use as tools, and as decent tools get regarded by those that wield them, we regarded these.

      That will keep sales relatively buoyant in the corporate sector. Delicate hardware (I'm looking at you, Sony), is a difficult problem to fix, and the effects are expensive in repair costs and lost productivity. Bloatware is simple and cheap to fix, and the fix is usually part of the standard procedures anyway. I don't know of any large corporate that takes delivery of say, 500 laptops and keeps the existing software. Job 1 is to erase the hard disk and install the standard corporate image. For those organisations, the fact that Lenovo behaved as they did is a concern, sure, but not a show-stopper, since the actual effect on them is zero.

      For consumers; they don't care. If they did, the problem wouldn't exist in the first place. Stop 100 people tomorrow morning in PC World buying a laptop, whatever the model. Ask them if they're worried about Superfish. They'll probably think it's an American angling competition.

      1. Anonymous Coward
        Anonymous Coward

        You are right. But I won't buy em. But hey, who cares?

        My main problem is that:

        Acer - I knew who did the repairs in the UK. That put me off.

        Sony - Oh Sony. How i do loathe thee.

        Dell - some nice machines but at the same time some crappy decisions. Bought my previous dell because it had a really good 15" screen at full HD. Then having to remove the keyboard to replace the wireless card? sheesh.

        Lenovo - So sad.

        HP - seriously, what happened to you?

        Apple - Hahahhhahahaa....the funny thing is I was an Apple user for years and got all my family on to them because it meant less work for me. Then SJ got all super control freaky and it just all went weird. So I never went back after 2009.

        Panasonic - oh lucky you. Could it be?

        Asus - I want to like you, I really do and I have some really fond memories of netbooks...

        Shame it isn't so easy to build your own like you can desktops.

    2. John Tserkezis

      "...but the only voice I have is my wallet."

      Many times, it's enough. Sure, you may think you're a lone voice, but there are others with the same.

      And dollars and cents are the only language they understand.

    3. big_D Silver badge

      One point to your rant, which is generally well thought out, the software was only installed on non-ThinkPad, non-corporate models - although it also wasn't installed on my daughter's Lenovo Yoga 2 either (October 2014).

      1. Anonymous Coward
        Anonymous Coward

        It doesn't matter to me if it was on all their range or the cheap end or consumer or mil-spec or Spongebob Squarepants signature model. The fact it happened at all by Lenovo is what is so monumentally galling.

        It is a little like having those American TSA locks on your luggage, except this is your internet connection. It is like the illusion of security, people who are not internet savvy are always told that "...do not do anything secure if you don't see this sign on your browser etc...but hey. Actually that is bollocks. No - it isn't even a 'hack' as such - it was Lenovo what did it."

  4. keithpeter Silver badge
    Linux

    $30 extra for Signature Windows?

    Just as a special offer for a couple of years from Lenovo, while they do all the trust building alluded to in Trevor's article. $30 extra on the consumer level laptops at the heart of this tale gets you the Microsoft Windows Signature install or equivalent that MS provide. MS might even do a deal as it would help their 'premium' brand as well. The take up would indicate the extent to which ordinary people are interested in their 'user experience'.

    Typing this on an old Thinkpad (X60) running Jessie (testing) with the MATE desktop. Remarkably light and responsive on a 9 year old machine.

    1. John Tserkezis

      Re: $30 extra for Signature Windows?

      "gets you the Microsoft Windows Signature install"

      I can't help thinking that consumers will see this as "pay more to get less".

      And it only applies to windows 8.1 - which we've already established isn't the prize pig Microsoft hoped it would be.

      1. big_D Silver badge

        Re: $30 extra for Signature Windows?

        That is the problem, the consumer is so used to buying bargain basement stuff, the prices have been pushed so low that the manufacturers can't make a profit, so they have to resort to other methods.

        Until the consumer is ready to pay realistic prices for stuff, they will have to put up with such tricks.

        I work for a company that supplies software to the food industry. Here the prices are similarly depressed, although in this case the large supermarkets set the prices "they" are willing to pay and if the farmers and suppliers want to sell their product, they have to agree to those prices.

        There was a documentary recently, here in Germany, where they interviewed an egg supplier for Aldi. They got a big contract from Aldi at reasonable prices, he invested in new hens and new equipment to meet the demands of Aldi, then the next year they sunk the price by something like 30% and the year after they wanted to sink the prices again. The farmer now loses money on every egg he sells.

        At least the PC makers have something they can fall back upon to make up the difference.

        We need to get away from the craziness of paying less than something is worth, or what it actually costs to produce. Until then, we only have ourselves to blame.

      2. Don in Florida
        Flame

        Re: $30 extra for Signature Windows?

        EXTRA $$$ FOR WIN. 8.1 ........???

        at least once per month, and sometimes once per week, 8.1 goes bat-shit crazy

        doing stuff right in front of my eyes I never knew a computer could do ..... all while it freezes out my keyboard { both ... Notebook + external back lit k.b. } ....

        I am sooo very fortunate that I kept '7' { Win. 7 Pro 64 } and have a dual boot scenario ....

        the only reason I mess around with 8.1 is that my '7' refuses to provide sound ...... so no movies,

        no music, etc.

        about that $ 30, ... I'd pay $ 30, or maybe even $ 50 to get that p.o.s. off my computer, cleanly

        by the way....latest catastrophe > downloaded and installed a 'must have' Win. update for the 8.1 operating system on the evening of Feb. 21, 2015 ......things were pretty calm until then.

        I had considered upgrading the 8.1 partition to one of the Win. 10 previews { maybe the Enterprise version}........now I see that would possibly be a BIG mistake...... the 8.1 partition will be formatted multiple times to ensure a clean slate, and Win. 10 installed .....no matter what that brings, it cannot be as bad as, or worse, than 8 / 8.1

        1. ps2os2

          Re: $30 extra for Signature Windows?

          Hey I hear you can get XP for dirt cheap.

  5. DropBear
    Devil

    Nope:

    Ah, but there's the catch - while I don't equate Sony-type active malice with Lenovo-type maybe-they-just-didn't realize-what they-were-doing, I shun both equally: I REALLY DON'T GIVE A DAMN what the intention was (or was not) as long as the result is me getting pwned. The only difference is Sony: FUCK YOU FOREVER / Lenovo: it's nothing personal, you understand...

  6. Electron Shepherd
    Unhappy

    It's a chap called Joel Birch I feel sorry for

    The poor guy has a jQuery plugin called.... SuperFish

    There's perfectly innocent web sites out there serving superfish.js and superfish.css. I'm sure no-one will think those are anything to do with spyware...

    1. Michael Wojcik Silver badge

      Re: It's a chap called Joel Birch I feel sorry for

      "There are only two hard things in Computer Science: cache invalidation and naming things." (Phil Karlton)

    2. Robert Baker
      Joke

      Re: It's a chap called Joel Birch I feel sorry for

      There's perfectly innocent web sites out there serving superfish.js and superfish.css. I'm sure no-one will think those are anything to do with spyware...

      But the resemblance is superfishal.

  7. Doctor Syntax Silver badge

    On the whole I agree with you Trevor except you've missed out one thing - the need to have responded positively and fast. Not only should top management have immediately cottoned onto the fact that this was bad but they should have said so, located the execs responsible, fired them and checked for any similar stuff in other crapware, including in discontinued products, and dealt with it in the same way.

    It might or might not have been mildly unfair to the execs but it would have sent a powerful message to the rest of the company and customers that this will not happen again.

    From the customer's point of view, of course, the fact that the crapware brings the price down to below cost is good news providing you never intended to use the original OS anyway.

    1. Electron Shepherd

      top management [should have] located the execs responsible [and] fired them

      it would have sent a powerful message to the rest of the company and customers that this will not happen again.

      Can I respectfully disagree with your conclusion? From my point of view, if that happened, all it says is that mid-level people were doing things that were a fireable offence and top management didn't know.

      That doesn't in any way guarantee it won't happen again - all it guarantees is that top management weren't in control of the company. Even if it's true, no-one from Lenovo is going to admit to that, explicitly or implicitly.

      1. Doctor Syntax Silver badge

        "all it guarantees is that top management weren't in control of the company"

        Trevor's analysis was that this level of detail wasn't something that would be expected to go up to the top management. I agree with that. Being in control shouldn't mean micro-managing. It should, however, mean that standards are set in relation to the way customers are treated and that breaching those standards is a disciplinary matter. So I'd expect a top management in control of its company to exercise that discipline.

        It might well be the case that such standards hadn't been set in which case it might be somewhat unfair to the execs concerned if top management didn't eventually follow them but that's a matter for the board. In the immediate aftermath of things going wrong like this, however, it's the top management who are in a position to act sufficiently quickly, not the board.

    2. Trevor_Pott Gold badge

      I don't think I missed that. I did mention that Lenovo's response was "loathsome". I know you want someone's head on a pike (god damn it, you're angry, and your emotions need to be validated!) but all of that only lasts a few months at best.

      The long term lack of trust will outlive the demand for heads on platters, and that is what needs to be addressed. History has taught us that heads on platters don't actually do anything to salve the anger, nor do they address the long term requirement for rebuilding of trust.

      1. Sarah Balfour

        Pike…? Pun not intended, eh…?

        1. Anonymous Coward
          Anonymous Coward

          Carp diem.

        2. Robert Baker
          Coat

          Pike…? Pun not intended, eh…?

          Carp diem.

          I wondered how long it would take this thread to descend into fish puns. Please, let's have no more of such pollocks — there's no plaice for it these dace.

      2. Doctor Syntax Silver badge

        "I know you want someone's head on a pike (god damn it, you're angry...)"

        Nothing personal; I don't have a Lenovo & use Windows only rarely so I'm not directly affected. My response was purely on the basis of what Lenovo need to do to maintain trust. The same would apply to any other company that breaches customers' trust.

        Back in the day we used to hear about businesses being customer focussed; I even worked for one which, at that time took it seriously. Since then just about every big business seems to have joined the race to the bottom. When they get there they have no more advantage over their competitors than when they started; their competitors are still right alongside them. They have no cost advantage over their competitors. In the PC world they are selling kit using the same component bins as their competitors with the same OS as their competitors. The only thing they can compete on is their reputation.

        And I disagree with you that reputation only lasts a few months at most. It's a long term asset, hard won, easily lost and, once lost, even harder to regain. So once something like this happens they need to send out a message that this is not typical of the way they want to behave and that breaches of customer trust are and will continue to be a sacking offence.

        1. Trevor_Pott Gold badge

          At this point, I have to believe you are purposefully misreading or misrepresenting what I've said. I did not say reputation damage wasn't long term. I said outrage was. And that firing people in an attempt to stem outrage never works, and it doesn't help rebuild the reputation damage either.

          The solution to reputation damage issues is deep and sincere process changes, transparency and external auditing. Unfortunately, you can't seem to separate temporary outrage (I want my head on a platter, damn it!) from long term reputation damage. They absolutely are two different things.

          1. Doctor Syntax Silver badge

            Outrage can strike a fatal blow. If it does there's no reputation left to recover. On this side of the pond we have the concept of "doing a Ratner".

            1. Trevor_Pott Gold badge

              Outrage can strike a fatal blow. This is not one of those times. The incident simply isn't that critical, the people who understand the implications are few, the issue was dealt with quickly (Sept 2014 to January 2015 is the shipping time period). The issue was resolved before the general public found out, and Lenovo is still the low cost provider.

              The outrage is already fading as we head through the weekend. By the next news cycle it will be gone, save for the most extreme elements of the fringe.

              Where this will impact Lenovo is corporate sales. Yes, this issue was directed at the consumer sales, but the only people who understand it are nerds. Nerds who - in many cases - have a voice (or control of) corporate purchasing. These nerds will hold the security breach against Lenovo as an indication of ineptitude and/or bad faith, and that could weigh against them when competing against close competitors.

              Could.

              Lenovo can - should they choose to - mitigate the reputation damage. The long term process of rebuilding trust is possible, because the trust that needs to be rebuilt is not amongst the hoi polloi, but amongst nerds. Nerds can (for the most part) be reasoned with. Show them real progress and you'll win them back.

              But the general public will not hew towards a more long term reputation issue here. They simply don't understand it. They know only enough to be outraged by something, but not really what. So they are venting. Beating their fists against the chest of the body corporate and when they're done, they'll slink back to wherever it is they came from. Someone else will do something stupid next week and off they go.

              But those corporate sales, governed by now-cautious nerds? That needs to be addressed if Lenovo is to survive. And that means long term solutions, not heads on platters as a pointless salve for the embittered masses.

              1. Anonymous Coward
                Anonymous Coward

                Actually a head on a platter (or, indeed, pike) might just do it in this case.

                Lenovo's response arguably did as much damage as the superfish thing, if not more:

                Peter Hortensius, the firm's *chief technology officer*:

                "We’re not trying to get into an argument with the security guys," he told the Wall Street Journal. "They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred."

                He can go, for a start.

                Potentially sending the contents of every HTTPS session of affected users to Superfish (whose very business model means that they cannot be trusted) is a bit more than theoretical and definitely counts as nefarious in my book. They got caught and tried (badly) to lie their way out of it.

                And then to add salt to the wound:

                <paraphrase>Ha ha! We only did it to the peasants....we wouldn't do it to our corporate users because we love you guys</paraphrase>

                ...forgetting that IT bods do occasionally leave the office and have their own gear at home.

                If the company had responded to the effect of:

                "Holy shit! We didn't realise it did that! We are so, so sorry. We are going to immediately try to fix the problem for all our affected users; we are going to have a serious word with Superfish who are about to account for every single byte of information siphoned from our users; and we are going to review all of our internal procedures to make sure that nothing like this can ever happen again"

                ...they might have had a chance.

                1. dogged

                  Outrage is pretty limited though - it's limited to, well, us.

                  And none of us are affected because as somebody stated above, job #1 is to wipe the corporate laptop shipment and put the corporate image on it. And if we bought it for our own use with our own money, we probably didn't buy the shitty low-end machines that were infected. And if we did, we'd probably still have re-imaged them immediately and thus, not been affected.

                  The corporates don't give a damn because they are not affected. The consumers don't give a damn because they almost certainly still don't even know and probably never will. The only outrage is here and frankly, we are not important. I know, I know, your ego, all those guys going "I am keeping XP forever because fuck you Microsoft hahahaha bet that made Nadella cry", all the "Sony? Rootkit! Rootkit!" crowd, all the people who hate Apple.... we're not important. We are, in the grand scheme of things, nothing. Nobody cares about your start menu or your Bootcamped MBP or your hacked Dell. To the people who make the money and the people who spend the money, we are nothing.

                  Lenovo will make something shiny, Engadget will come in their pants about it, the Verge will give it 4/10 (based on the traditional -5 points for not being designed by Jony Ive), Curry's will put it on a big flashy stand and sell millions of them and life will go on.

                  I'd still like a ThinkPad X1 Carbon, that hasn't changed. I'd still reimage it immediately, that hasn't changed. Lenovo will make billions this year, that hasn't changed.

                  Sometimes I think we should really get the fuck over ourselves.

                  1. Anonymous Coward
                    Anonymous Coward

                    @dogged - good points; but if we don't give Leovono a hard time then who will? If it all goes down without any rumble of dissent then it will encourage other people/companies to pull the same sort of shit.

                    1. dogged

                      Well, the short answer seems to be "the entire security industry plus Microsoft and Mozilla" so far.

                      Making Windows look like it contains adware by default is a very good way to upset a quite large and quite wealthy company in Redmond WA who have access to a lot of lawyers.

                      1. Anonymous Coward
                        Anonymous Coward

                        We are to all intents and purposes part of the security industry groundswell. Agreed that we're all small cogs but not entirely without influence. People come to us for hardware recommendations, for example, and I personally have cost Sony a fair few quid since they pulled that rootkit stuff with my anti-recommendations.

                        All statistically meaningless on an individual basis; but -as us nerds seem to react in a fairly uniform way to this sort of unethical shenanigans- the cumulative effect may not be inconsequential (especially when you consider that we're not especially forgiving and those consequences may last for quite some time).

                        Even bitching on forums serves a purpose; that of spreading information to people who otherwise might not have known about an issue or its possible ramifications. There are many occasions that I've found the comments -especially on El Reg***- to be more enlightening than the story because someone will chip in with a different perspective, or a nugget of information or just the right keywords. So it's worth doing.

                        ***No dissing of the El Reg hacks intended

                        EDIT: Oh yeah. The other thing about nerds is we research stuff. We're still in the process of finding out how deep the rabbit hole goes with Leovohno...I don't think we've found the bottom yet.

  8. Anonymous Coward
    Anonymous Coward

    Trust, once lost here, is almost impossible to regain.

    I have a feeling (no proof) that it's more a case of wishful thinking than reality. People know about more or less nasty things done to them by their own governments and by the evil corporations (and small, evil fish we never hear about, like this superfish). They know their cool ipods, iphones and soon-to-be iwatches are made by suicides and children paid peanuts (or less). Did they march on Washington to demand justice after the Snowden revelations? Do they stop (but REALLY stop) buying their cool nike trainers stitched by the kids in the far east? Talk of boycott is hot - on facebook. But do they REALLY vote with their feet and wallets? After that building collapse in Bangladesh, some 1,000 dead, famous brand labels found in the rubble, hot talk about boycotting, apologies from some brands (and stony silence from others), but later, I read that some sales figures were monitored and the brands not only didn't lose custom, they gained, steadily (probably through some coincidence).

    Trust is impossible to regain, sure, but people DO get used to living in mistrust of their governments' intentions and actions - and then they get on with it. Yes, I see the spiral, and there's probably much wider, deeper, negative collateral to the so-called "humanity" further down the hole, but coming back to the issue, my point is, that after a few years of fear that their exposed testicles paraded on facebook might make them a laughing stock and hit their bonuses, the big boys, both the governments and business, start to realize that the REAL negative impact of this exposure is actually just a short-lived, minor blow of warm air which they can happily ignore. So, after a nervous giggle, they carry on as usual. And we soon become used to and ignore the smell of their exposed testicles and carry on as well (same can be seen in the Western reaction to Russian involvement in Ukraine now).

  9. Anonymous Coward
    Anonymous Coward

    Lenovo's biggest crime? Dragging the once great ThinkPad line through the mud...

    Here's the rigmarole necessary to replace a current ThinkPad's hard disk:

    https://www.youtube.com/watch?v=T5knRRHbBbk

    Flimsy plastic casing that has to be flexed and bent to the point of failure (note the parts that go flying at 2:24 and 2:27 in the video!) in order to undertake the simplest of upgrades, like swapping out memory or the hard disk. Acceptable for a product that retails anywhere between £1400 to £1900?

    Lest you think this is a one off, all sorts of sorry tales relating to quality control and design issues from screens to keyboards litter the various forums online. Of course, ultimately we have IBM and good old American corporatism to blame for selling out to the Chinese for a fast buck.

    IMO the brand produces junk while retaining the premium price tag of yesteryear and this latest scandal is the final, really unsurprising, nail in the coffin.

  10. Mark 85

    And the lawsuits have started...

    Didn't take the bottom-feeders long:

    https://www.trp.idmanagedsolutions.com/news/newsstory?fromtitle=Stock%20Quote&frompage=quote&section=stocks&snap=mil&symbol=LNVGY&article=76426d119b7eea3b

    https://www.trp.idmanagedsolutions.com/news/newsstory?fromtitle=Stock%20Quote&frompage=quote&section=stocks&snap=mil&symbol=LNVGY&article=754f06f923a2df9d

    1. Anonymous Coward
      Anonymous Coward

      Re: And the lawsuits have started...

      They'll struggle to prove any losses have occurred though, and while IANAL I thought that was a prerequisite for success?

  11. Nate Amsden

    I used to love thinkpad

    Back when it was IBM.. when Lenovo bought it I switched to Toshiba. Currently my daily driver is an i7 Tecra A11 from 2010 with Nvidia graphics and Samsung 850 Pro SSD (primary OS is Linux). Works great.. though I miss my on site support contract, that expired last year. It's not ultra portable by any stretch but it spends 97% of its life plugged in sitting on a table or desk anyway.

    Last Thinkpad I used I think was 2006.

  12. Neil Barnes Silver badge

    An acceptable balance between privacy, security, advertising and so forth

    And there's the rub: there isn't one.

    There is no way that any person with any understanding of the issues will ever accept any compromise on any of these points. Eroding privacy and security for the mindless drivel of advertising is never acceptable, under any circumstance.

    Problem is, Joe Public doesn't know the issues. He's happy to run a browser that lets external parties log his browsing activities, that pops up down and sideways with advertising, that holds records of his activities which are accessible to other external parties. He runs operating systems that allow the automatic installation of programs designed to do either direct harm to him, or which allow the remote control of his computer by unfriendly parties. He visits sites which have themselves been polluted by unfriendly parties, collecting viruses and trojans along the way. He installs software and updates without thinking, because that's what you do, and doesn't really care about the other stuff they install on the fly. He answers yes to 'are you sure' because he has no way of deciding any better. If he's smarter, he accepts the reduction in speed and utility caused by necessary anti-virus programs (but he still doesn't really know what a virus is).

    And none of this can be cured. You can't expect Joe Public to understand the whys and wherefores of computer operation any more than you can expect him to understand how an engine works, just because he can drive. Computer systems are an order of magnitude more complex than any other single object with which we deal on an everyday basis, but we expect them to be simple to use and infallible.

    Even for the experts, we can't trust a shiny new out of the box computer: for example, is there something on the hard drive controller logic that's lying to us? I don't see an easy way to avoid that, because everything reads the first few blocks of the disc to get started and there's no guarantee that what is on the disc is what is delivered to you. Worse, is there something in the BIOS, something that sits there watching for input on bottom level ports - keyboard, mouse, the disk interfaces and so on? We'd never know...

    The whole issue is one of trust, and at the moment, there just isn't any. Even products which you may have trusted for years (and incidentally been told that you *must* upgrade regularly, probably best to leave the automatic upgrade on, eh?) are sold to other companies who have their own idea about how to monetise their new acquisition and start adding little bits here and there.

    There is a need for a guaranteed clean installation: bios, hardware, operating system. You'd still have to take things on trust, of course, but you'd reduce the threat surface immeasurably by simply requiring, as a legal requirement, that any computing product be supplied with a clean operating system with no third party addenda. No trial run software, no useful browser bars, no free-for-a-month. Nothing. Note that this need not be part of the out-of-the-box build (except for the hardware); it need only be available when the box is opened on a physical media which can be used as often as necessary.

    Someone pointed out upthread that people will complain that they are paying for less. They are mistaken; they are paying for security - even if they don't realise it.

    It's time people realised that there are other ways of funding things than endless chains of advertisers' clickbait. The bottom-feeding scum that are advertisers need to learn that their endless attempts to steal our most limited resource - time - are not acceptable. And perhaps get an honest job.

    </rant>

  13. Chris Miller

    Simple solution

    Offer a clean OS install without all the bloatware/spyware/crapware for - what? - an extra £20/£30/£50 (as has been pointed out, maybe Microsoft would be willing to subsidise it for Windows). Of course, I'd buy it, and so would Trevor and so would many of the ElReg audience, but I'd bet 99% of sales would be for the cheap version.

    1. Trevor_Pott Gold badge

      Re: Simple solution

      Except for the part where I'm 4 for 4 on "laptops that die just after the 1 year mark" with Lenovo. That's Acer levels of bad. So I'm looking elsewhere. I have a desktop/luggable that needs replacing and a disintegrated Lenovo X230 ultraportable that probably could still do the job (and has two years worth of warranty left), but which has a disintegrated plastic casing that Lenovo says is "normal wear and tear" and refuses to address.

      So I could buy some plastic bits online one piece at a time for about $400, (wasting about two hours to find the bits) and then spend 4 hours replacing them myself, or I could find an ultraportable from a company that will ship me something serviceable.

      The problem is, I can't seem to find an ultraportable that has both 16GB of RAM and a keyboard that is designed properly. Ctrl in the bottom left - FN/Ctrl are BIOS flippable on Thinkpads - and Delete in the top right. And that means both a delete and a backspace key. You hear me, Apple?

      So at the moment, I'm searching. In an ideal world the 16GB of RAM wouldn't drive the cost of the notebook up 5x the cost of buying SODIMMs and shoving them into a 4GB or 8GB model. Similarly, I'd love to have at least 240GB of SSD - preferably 480GB - without the vendor trying to charge me 3x the retail cost of an SSD to have it in there.

      As soon as I find proper replacements for my ultraportable and my desktop/luggable, Lenovo is kicked to the curb. The hardware is falling apart and, despite my belief that they didn't have ill intentions regarding this Superfish thing...they handled it really poorly, and I see no signs that anyone other than their social media team has intentions of doing what needs to be done to repair trust.

      So. Sony's out. (Fuck you, Sony!) Lenovo's out. Acer's HAHAHAHAHAHAHAHA out. That's really starting to narrow the field...

      1. keithpeter Silver badge
        Windows

        Re: Simple solution

        So. Sony's out. (Fuck you, Sony!) Lenovo's out. Acer's HAHAHAHAHAHAHAHA out. That's really starting to narrow the field...

        Clevo? Some chatter on the Linux boards about these. Generic plastic case/chiclet but configurable.

        May have to treat client as disposable going forward.

      2. Chris Miller

        Re: Simple solution

        Good points, Trevor. I wasn't really aiming at Lenovo with my comment, I think any manufacturer would do well to think about it as an option.

        I really miss the good old days when life for PC guys offered simple no-brainers: you want a laptop? IBM; you want a desktop? Dell; you want a server? Compaq.

      3. Anonymous Coward
        Anonymous Coward

        Re: Simple solution

        So. Sony's out. (Fuck you, Sony!) Lenovo's out. Acer's HAHAHAHAHAHAHAHA out. That's really starting to narrow the field...

        Do let us know when you find something. The last three laptops I've bought so far:

        - Panasonic Toughbook CF-53 MkII

        - Lenovo B590

        - Toshiba Satellite Pro L50-B.

        The Panasonic is my main workhorse. Nice machine, dependable hardware that performs WELL under Linux, built like a proverbial sumo wrestler, but sheesh, didn't get much change out of AU$2500 by the time I had bought a 1TB HDD and an extra 4GB RAM for it. Ohh, and at nearly 3kg it definitely is no ultrabook!

        Lenovo B590 I bought for my mother to replace an aging Dell desktop running Windows XP. I knew it'd be doing light-duty things so didn't need to be particularly stellar, and this machine seemed to fit the bill. The machine has run well for the last year but I'm somewhat regretting my decision now. On the TODO list is to check it over for SuperFish.

        The Toshiba was the latest purchase. Always held them in high regard: the first computer I used was a Toshiba, a 286 luggable with a plasma CGA screen. The first laptop we had in the house was a Toshiba, and that continued until I got to uni, where I had a second-hand Dell which soon fell to bits. The Toshibas kept working, so that's mostly what we stuck to.

        Heck, the oldest continually-running machine we have in the house is a Portégé 7010CT sporting a 300MHz Pentium II, dead battery, 160MB RAM and a 160GB HDD; it still keeps chugging along (running Gentoo Linux).

        Bought the L50-B to replace an aging L30-D that was starting to fail (machine would refuse to power up), and I was sorely disappointed about how much the build quality had gone backwards. Moreover, a loose screw inside the case was discovered when I finally prised the bottom panel off (11 screws and 4 hidden catches) to install a RAM module (no dedicated RAM/HDD hatches either). It felt really cheap by comparison to the other machines we've had from them. It was saddening to see how far they had regressed.

        We've got two old PIII-era IBM Thinkpads in the cupboard, both with dead LCD backlight inverters and odd motherboard faults.

        There's an LG P1 Express floating around the house. Will never buy again. The hardware is nice enough but the BIOS goes into a bootloop if you install a hard drive bigger than the 100GB one it came with. LG Support don't seem to know anything about their laptops when you ring them.

        While I'm mostly happy with this old Apple MacBook (2008-model), I'd never buy a modern one owing to the lack of expandability and serviceability.

        Some of the Dell machines at work are shocking to work on, and lately only their high-end machines can be customised. Not that sturdy either.

        I hear bad things about Acer. Not sure about ASUS although I've had many years of good service from ASUS motherboards, maybe worth a try? Someone here mentioned MSI have good build quality.

        If you find a crowd that can supply a small business and offer on-site support though, I'm all ears!

      4. Myself-NZ

        Re: Simple solution

        Have you had a look at the HP ProBooks? The HP ProBook 430 G2 may fit your needs. Can take max 16 GB RAM, has an M2 2242 slot for SSD as well as a space for a 7mm SATA HDD. Can go up to an i7 dual core CPU, not too heavy and from my experience they have decent build quality. Not sure if the keyboard is what you are after though. They tend to be my go to laptop range. Still has a bit of bloat, but nothing that a fresh install doesn't get rid of.

  14. big_D Silver badge

    Checked out Yoga 2

    It is clean. No trace of the malware and the root certificate was also not there. It was an October 2014 model, so allegedly affected, but no sign of the malware.

    Maybe it was restricted to certain markets (this one was bought on Amazon.de).

    1. Trevor_Pott Gold badge

      Re: Checked out Yoga 2

      Being a Yoga 2 (not a 3) it could have sat in the channel for some time before you bought it. So it's possible that despite buying in October, the unit shipped in August, or even earlier.

    2. Andy Mc

      Re: Checked out Yoga 2

      I bought one in December and it was manufactured in July (and hence clean)...

  15. Anonymous Coward
    Anonymous Coward

    If Lenovo (or any other PC manufacturer) ever did a true and fair audit of the crapware they install for 'our benefit', they wouldn't install it (I wrote fair earlier...) and they'd be back in -ve margins land. So unfortunately that'll never happen, and the bloat will continue. Like all big corporations, they'll hope it all blows over quickly. And it probably will for most people. Was BT really harmed long-term by Phorm?

    But I'll never buy anything from Lenovo, and I'll be asking my work procurement team to look into this too and make their own judgement.

  16. g00se
    FAIL

    Hired!

    Trevor - you've got the job. We've decided that Peter Principle incompetence is the best spin we can get that sounds realistic. Report to Lenovo HQ immediately to learn the contents of the generous package you will be offered.

  17. GregC

    Looks like they are, at last, trying to start the process

    It's a bit mealy mouthed initially, but they have now made a statement that suggests they are starting the kind of process Trevor has espoused - see here, complete with links to how to remove Superfish and the root cert

    Time will tell if this is anything more than PR guff in an attempt to save face, but they say they are going to pretty much go down the route Trevor suggests in the article. We will see, I guess. They'll be on my no-buy list for a very long time regardless.

  18. oneeye

    Motorola, or the latest Nexus might have been my next phone

    Everyone gets it. Trust is the issue. And Lenovo just don't get it. That's a corporate mindset at work here. It's not only the idiots who authorized the install who seem to be clueless, but a top down mentality that will ultimately cost Lenovo in the end. The suggestions in the article would be a good start, but don't hold your breath. Humility these days is in short supply.

  19. HaroldR
    Flame

    Self-signed certificates are the root of this insanity

    The root of the problem is that the whole SSL Certificate Authority system is rotten to the core. A self-signed certificate is worth precisely nothing. "Believe me when I say who I am," yeah right! Users have become conditioned by lazy and/or cheap sites to just click through meaningless (to them) SSL CA warnings to get to their content. Comodo exploited this huge loophole to create a parental content filtering tool that also worked with SSL-encrypted content. A laudable goal with a horrendous side-effect that Superfish and Lenovo handily exploited. BTW, uninstalling Superfish doesn't uninstall the self-signed certificate. The Man-In-The-Middle is still lurking in your PC, inviting criminals in to steal your data. Secure http and the little padlock are helpless to stop him.
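    An added check, not from any commenter and not Lenovo's or Superfish's own tooling, for the lingering root certificate HaroldR describes and big_D looked for above: it lists trusted root entries whose subject matches a pattern (the default pattern is the Superfish name from this thread) across the Windows user and machine stores, reports whether a private key is present alongside the trusted root, and goes a step beyond the thread's case with a switch that flags any trusted root carrying a private key. The function name and parameters are my own, not a vendor API.

```powershell
# Added example (not from the original thread). Reports trusted root CA entries
# that match a subject pattern and/or carry a private key. Removal is opt-in,
# prompts per certificate, and needs an elevated shell for LocalMachine stores.
function Find-SuspectRootCert {
    [CmdletBinding()]
    param(
        # Default pattern is the vendor name as it appears in the thread; adjust as needed.
        [string]$SubjectPattern = '*Superfish*',
        # Also report any trusted root whose private key is on this machine,
        # whatever its subject: a root you trust plus a key that sits locally
        # is exactly the man-in-the-middle position HaroldR describes.
        [switch]$AnyWithPrivateKey,
        # Only delete when asked to, and confirm each deletion.
        [switch]$Remove
    )

    $stores = 'Cert:\LocalMachine\Root',
              'Cert:\LocalMachine\AuthRoot',
              'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        if (-not (Test-Path -Path $store)) { continue }

        Get-ChildItem -Path $store | Where-Object {
            ($_.Subject -like $SubjectPattern) -or
            ($AnyWithPrivateKey -and $_.HasPrivateKey)
        } | ForEach-Object {
            $cert = $_
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
            }
            if ($Remove) {
                Remove-Item -Path (Join-Path -Path $store -ChildPath $cert.Thumbprint) -Confirm
            }
        }
    }
}

# Report only; add -Remove after reviewing the output.
Find-SuspectRootCert -AnyWithPrivateKey | Format-Table -AutoSize
```

Firefox keeps its own certificate store, so a clean result here says nothing about a Firefox profile on the same machine.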

    1. Charles 9

      Re: Self-signed certificates are the root of this insanity

      So you expect people to spend big bucks every year or so just to maintain a secure local site like an Owncloud? Besides, the big problem wasn't the certificate but the masquerading which can happen regardless of the certificate.

  20. Marty McFly Silver badge
    Happy

    Good article - there's opportunity here

    This is one of the more insightful articles I have read in a long time.

    Lenovo is under a pile of steaming poo right now, and justly so. However, this presents them with a golden opportunity if they are wise enough to see it. Imagine the marketing in a couple years....

    "Lenovo, the only brand to be independently certified for security & privacy"

    "At Lenovo, your security & privacy are guaranteed on all as-shipped equipment"

    Will Lenovo be smart enough to accept this anger and realize it is really a market demand? As I look over my pile of well used Lenovo laptops from the past 15 years, a market strategy like this will get them back in my good graces.
