Lenovo shipped lappies with man-in-the-middle ad/mal/bloatware

Lenovo is in hot water after being caught intentionally shipping laptops with software that steals web traffic using man-in-the-middle attacks. The "Superfish" software was present on laptops sold until late last month and stole all manner of web traffic using fake, self-signed, root certificates to inject advertisements into …
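The summary above describes the mechanism: a self-signed root is planted in the machine's trust store, so certificates minted on the fly for any HTTPS site pass the browser's path validation. As an added example (not code from the article, Lenovo or Superfish), this Go program reproduces that with a constructed root and shows the defender's side: validation fails against a clean store, succeeds once the root is planted, and only a client that pins the root fingerprints it expects notices the substitution. The host name and the root's subject are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// signCert issues tmpl under key; a nil parent makes it a self-signed root.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildInterceptedChain: a constructed self-signed root (a stand-in, not Superfish's real one) plus a leaf for host minted under it.
func BuildInterceptedChain(host string) (leaf, root *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	root, err = signCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject:      pkix.Name{CommonName: "Constructed Interception Root (demo)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = signCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host},
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, rootKey)
	return leaf, root, err
}

// ChainRoot validates leaf for host against trust (what a browser does) and returns the accepted chain's root.
func ChainRoot(leaf *x509.Certificate, host string, trust *x509.CertPool) (*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trust})
	if err != nil {
		return nil, err
	}
	return chains[0][len(chains[0])-1], nil
}

// Fingerprint is the hex SHA-256 of the DER certificate, the value pins are made of.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	host := "www.example.com"
	leaf, root, err := BuildInterceptedChain(host)
	if err != nil {
		panic(err)
	}
	_, err = ChainRoot(leaf, host, x509.NewCertPool())
	fmt.Println("clean trust store rejects the forged leaf:", err != nil)
	store := x509.NewCertPool()
	store.AddCert(root) // the planted root: path validation now passes
	pinned := map[string]bool{} // constructed: a deployment pins the roots it expects for host
	if seen, err := ChainRoot(leaf, host, store); err == nil {
		fmt.Println("root", Fingerprint(seen)[:16], "accepted but not pinned:", !pinned[Fingerprint(seen)])
	}
}
```

The same check applies to the corporate inspection roots mentioned further down the thread: once any root is in the store the OS validates happily, and only a comparison against expected fingerprints tells the two apart.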


  1. Richard Jones 1
    FAIL

    I Wonder

    I wonder what else they have hidden in this or a similar way? I used to think that Lenovo made half way decent kit; note that I used to think that way.

    1. tony2heads
      Linux

      Re: I Wonder

      Kit is OK, just install Linux on it

      1. Dave 126 Silver badge

        Re: I Wonder

        Kit is OK, just install [any fresh OS of your choice] on it

        There, fixed it for you.

        [Sidenote: My first Linux experience was installing Mint on an ancient IBM Thinkpad with a mate, just for fun... Once we grasped the Linux conventions it was a straightforward job, except that it had odd audio hardware. We got a sense of accomplishment when we got a noise out of it!]

        1. Little Mouse

          Re: I Wonder

Kit is OK a bit cheap and plasticky, just install [any fresh OS of your choice] on it.

          There. Fixed that fixed that for you.

          1. Dave 126 Silver badge

            Re: I Wonder

Kit is expensive and glass-and-carbon-fibre-reinforced-plasticky (with magnesium/aluminium bits)

            1. wolfetone Silver badge

              Re: I Wonder

              Having owned a Lenovo ThinkPad T500 for the last 3 years, and having used a ThinkPad Edge E531, I can tell you the quality has nose dived. Flexing chassis when typing on the ThinkPad Edge, the older T500 is perfect really.

              And yes, install any OS of your choice - which means either Windows or Linux.

              1. Jon Massey

                Re: I Wonder

                You've gone down a couple of ranges there, alas. Unfortunately they're now releasing less-than-tanklike laptops under the ThinkPad brand (such as your Edge). The modern T and W series are still bomber

                1. ben_myers

                  T and X series are my Thinkpads of choice

                  Just like other companies, Lenovo makes some really good kit, and some not so good. Among the latter are any of the Lenovo consumer systems. Most ANY computer designed and made for consumers has some issues, usually cheap design and materials, often substandard electronics.

                  So I stand by the T- and X-series Thinkpads. Well made and durable. The W-series, unfamiliar to me but bearing a strong resemblance to the T's, is probably just fine, too.

                  When I get a Lenovo laptop, I generally reload Windows from scratch. No more bloatware. No more crapware.

                  But this is a goddam embarrassment for Lenovo. Never should have happened, whatever incentives came from the Crapfish company. Superfish needs to be blockaded and sanctioned, just like a third world dictator. They have no business messing with security certificates, and need to disappear from the internet.

              2. Archaon
                Flame

                Well done Lenovo. At a critical time following the System X acquisition, when you're trying to crack into the server and storage markets - which entails proving that big customers can trust a Chinese company with their data - you go and factory install malware on a load of end user devices.

                Well f***ing played you muppets.

                1. lorisarvendu

This is nothing new. Two decades ago I worked for a company that sent out replacement hard drives to their customers that came infected with a Parity Boot virus. I hasten to add that although this company is very large (and still exists), it is not the company I work for now.

                2. NeilMc

                  I couldn't agree more

Given the opportunity to build trust on a global basis and cement their standing as a world class provider of IT hardware, they do this.

                  This plus numerous Chinese Govt sponsored hacks and also allegations of Govt sponsored corporate espionage targeting visiting Business Leaders and foreign government figures.

                  They need to be doing it better and cleaner than the next country....start all over again China.

              3. Peter Gathercole Silver badge

                Re: I Wonder

                There always were different ranges of Thinkpads.

                Go for the T series (or an X series if you want a compact laptop).

                When IBM owned the brand there were at least the R series which were plasticky, and the A series which were larger and heavier. Before that, they were numbered, with the 300 range being budget and made of plastic, and the 700 range being the business systems.

                Lenovo have dropped all of the old IBM ranges except the T and X, and have re-branded some of their other ranges as Thinkpads to cash in on the name.

                I have a work T420, and apart from the appalling new 'island' keys, it seems as robust as the older systems.

                The T used to stand for Titanium (actually an alloy with titanium in it) that was used in a chassis to stiffen the screen/lid, which along with clever interlocks between the lid and base led to the reputation about them being extremely robust. The hinges certainly last longer than most other laptops.

                1. (AMPC) Anonymous and mostly paranoid coward
                  FAIL

                  Also a serial Lenovo owner user

I have three thinkpads, one pre-Lenovo (IBM) and 2 Lenovo. All three still in service.

But recently, I was handed what was supposed to be a Lenovo S390 VibeX phone. After much faffing about trying to upgrade it, remove malware etc, I discovered it was in fact a counterfeit S960t Lenovo.

Extremely sucky experience. Something is rotten in the state of Shenzhen.

          2. Alistair Silver badge
            Windows

            Re: I Wonder

Kit has an embedded laptop, not Lenovo, 8 cylinders and 4 wheels. Will pick you up in the back alley later tonight.

            (fixed all that fixed fixes)

            (grumpy old SA showing his age)

      2. M. Poolman

        Re: I Wonder @ OP

        Just what I was going to say but you got there first.

        I've had thinkpads for years now and always been satisfied with them. First thing I do is zap any preinstalled OS and stick Linux (other operating systems are available).

      3. Anonymous Coward
        Anonymous Coward

        Re: I Wonder

        Kit is OK, just install Linux on it

        What will you do after your boss fires you?

        1. yossarianuk

          Re: I Wonder

          Get a good job where Linux is allowed.

          1. Anonymous Coward
            Anonymous Coward

            Re: I Wonder

            Get a good job where Linux is allowed.

            Your free homemade hobby operating system is only good for home use.

            What you utterly fail to realize with your glib reply is that Windows and MS Office have become the de-facto corporate standard worldwide. You can move from one job to another with almost no new training because the UI is identical. When your corporate partners, customers, suppliers, etc send Office documents between each other it's a given that everyone can use the same formats without awkward conversions. Outlook is the interface to Exchange which offers a host of business services including meeting scheduling, messaging, availability to org charts, and tasks management where email is only one service. Excel macros automate program management to such an extent that if you can write complex Excel macros you can command six-figure salaries.

            I could go on, but until you achieve serious corporate responsibility you won't understand any of this.

            1. asdf Silver badge

              Re: I Wonder

              >Your free homemade hobby operating system is only good for home use.

              Nice trolling but you do realize that hobby OS is running on the computer (web server) that you posted this garbage on for us all to read right?

              >I could go on, but until you achieve serious corporate responsibility you won't understand any of this.

And being an obvious desktop jockey at best you obviously know quite little about enterprise yourself. An awful lot of business critical workloads these days are on or moving to Linux (often from proprietary Unix, which actually makes me sad, but neither here nor there).

              > if you can write complex Excel macros you can command six-figure salaries.

              Same with being a good enough man whore I guess. Would rather command the six figure salary (which isn't that hard if you can code in any technology in demand) and not have to tell people I use VBA. That way you can be well paid and happy with your work as well.

              1. Anonymous Coward
                Anonymous Coward

                Re: I Wonder

                Nice trolling but you do realize that hobby OS is running on the computer (web server) that you posted this garbage on for us all to read right?

                When you wrote the garbage above, you do realize that this discussion is about laptops and not web servers, right? Nice trolling, but you do realize that this discussion is about Lenovo laptops, right? Or are you suggesting that you would load Linux on a Lenovo laptop and run a corporate website from it?

                I doubt that too many Lenovo laptops are being used as corporate web servers.

                1. asdf Silver badge

                  Re: I Wonder

                  >Or are you suggesting that you would load Linux on a Lenovo laptop

No, probably PC-BSD (would check the laptop is supported before I bought the laptop) and I would not have been affected by the mal/bloatware in the first place regardless (Linux is quickly becoming Windows (ie. shit) due to RH and systemd). As for a web server (on a blade server more than likely), if it was internet facing with fairly mild load I would probably run it on OpenBSD actually.

                  If I was some corporate IT drone buying for the company I would probably purchase Lenovo windows laptops (perhaps not any more though) from some trusted vendor but would then image them like almost every shop I have been in does because as you say for the corporate desktop (Microsoft's last bastion) in 2015 there isn't much choice for any decent size outfit. May not be true forever though.

    2. thames

      Re: I Wonder

      All the volume PC manufacturers do this sort of thing, at least with their consumer oriented product lines. If it isn't Superfish, it's something else at least as nefarious. Now that more and more web sites are going or are planning to go https all the time for all pages, this sort of certificate MITM is going to be standard practice for ad-flinging or ad-tracking crap-ware. Corporate PCs have these sorts of MITM certs installed in them by the IT departments so they can monitor user traffic, so why should we be surprised that consumer PCs come with something similar?

      An essential part of the Windows financial model so far as PC manufacturers are concerned these days rests on these sorts of crap-ware deals. They get paid to pre-load this sort of crap-ware and demo-ware, and this is what pays for the Windows license. This makes Windows essentially free so far as PC manufacturers are concerned, which is why they aren't all that interested in things like Linux.

      The problem isn't going to go away so long as PC manufacturers are just commodity box shifters shipping a third party OS where the OS vendor's brand name is a prime selling factor. Buyers go to a store (or web site), look for a "Windows PC", and typically pick the cheapest one in a given size range. Things like dodgy security certs are completely beyond their knowledge.

      1. asdf Silver badge

        Re: I Wonder

        > Corporate PCs have these sorts of MITM certs installed in them by the IT departments so they can monitor user traffic, so why should we be surprised that consumer PCs come with something similar?

Umm, because unlike the corporate PC the customer PC is mine (not some corporation's, including Lenovo). Damn, going to have to download a good antivirus CD now and check the missus' Lenovo. As for me, never kept a factory install OS on any of my gear more than the first month, including my phone and tablets.

  2. Buzzword

    Microsoft hardware

    You wouldn't find this on an Apple computer, because a single company controls both the hardware and the software. Microsoft's reputation is being undermined by crap like this. They need to copy Apple and start shipping their own hardware.

    1. the spectacularly refined chap

      Re: Microsoft hardware

      You wouldn't find this on an Apple computer, because a single company controls both the hardware and the software. Microsoft's reputation is being undermined by crap like this. They need to copy Apple and start shipping their own hardware.

      You wouldn't. You would simply find that an Apple device is all but unusable if you deny it the chance to phone home with a far more comprehensive set of personal data. Sadly, the average punter doesn't seem to care.

      Heads should roll over this. Literally, as in detached from the bodies that they used to be part of. It isn't going to happen, it'll be a mistake or a bug or something.

      As Steve Rambam said at least ten years ago, "Privacy is dead. Get over it." You might not like it but as long as somebody else is willing to lap up this kind of shit it is an economic impossibility to avoid.

      1. 45RPM Silver badge

        Re: Microsoft hardware

        @the spectacularly refined chap

        You've never actually used an Apple product have you? You've read some guff on the Internet - but nothing more than that. Somehow though, you think you're qualified to comment.

        Rest assured, there is no need to hand Apple any of your information just to use (and update) a Mac. On the other hand, I do think that you'll be missing out if you don't take advantage of Apple's free online services (which are really rather good). And, as I've said before, I think that (of all the online service providers) Apple and Microsoft can be trusted. After all, their business models are not predicated on selling what they know about you.

I use Microsoft's online offerings too, other than Hotmail, and they partner each other well.

        1. This post has been deleted by its author

        2. Anonymous Coward
          Anonymous Coward

          Re: Microsoft hardware

          What does this have to do with Microsoft? It was Lenovo who installed this crap.

          When you buy a "windows" laptop you get a licence key on the bottom, usually under the battery. This is so you can download a vanilla copy of the OS from MS and install it, getting rid of the crapware that came with the laptop.

          Or, as a previous poster has said, you could get your preferred flavour of Linux (or BSD) and install that instead.

          1. marioaieie

            Re: Microsoft hardware

            The problem with some new Lenovo laptops is that they don't come with the licence key, so you are stuck with what you have. Still, you can always download a proper OS for free (as in free speech and free beer).

            1. fred_flinstone

              Re: Microsoft hardware

Having recently bought one of the junk ridden Lenovos I can confirm you can re-install the supplied OS - but you have to create a bootable USB using the supplied software and then find exactly the right sub menu in the install to get a clean build (reminds me of a certain planning department in the basement, no light or stairs and a big 'Beware of the Tiger' sign...)

              1. herman Silver badge

                Re: Microsoft hardware

Leopard

                You should return your geek card for that error.

          2. SImon Hobson Silver badge

            Re: Microsoft hardware

            > When you buy a "windows" laptop you get a licence key on the bottom, usually under the battery. This is so you can download a vanilla copy of the OS from MS and install it, getting rid of the crapware that came with the laptop.

            No, the purpose of that sticker is to show that you have a genuine OS installed.

            It used to be, dunno about now because I don't follow in that much detail, that the licence was only valid for the image pre-installed by the manufacturers (or re-installed from recovery disks). It specifically did not allow for re-installation with another 'version' of Windows.

            Ie, just because you have a licence for (say) XP, that does not give you the right to install XP - other than the OEM version that came with the machine. Quite HTF the average user is supposed to know that the licence for "XP" isn't for "XP" but for "a specific but unspecified version of XP" when there's no hint whatsoever on the sticker is another matter !

            But when has "user friendly" ever been part of Microsoft's licensing schemes.

            1. Blitterbug
              Facepalm

              Re: HTF the average user...

              Don't be difficult. You should know perfectly well that the main consumer version of WinV / Win7 is Home Premium. The only possibility of coming a cropper when re-installing an OS is getting confused between 32 vs 64 bit. And 32bit is really outdated and mostly applies to relatively elderly Vista PCs nowadays. Plus, your 'average user' is not about to attempt an OS re-install now, are they?

          3. Solmyr ibn Wali Barad

            Re: Microsoft hardware

            "When you buy a "windows" laptop you get a licence key on the bottom, usually under the battery. This is so you can download a vanilla copy of the OS from MS and install it, getting rid of the crapware that came with the laptop."

            No you don't. Not anymore. Windows 8 Large OEM versions do not have a license sticker. Only a SLIC key buried into the motherboard.

            And good luck calling Microsoft on that. OEM license keys are not compatible with vanilla. You'll get a choice of buying a new retail copy of Windows 8, or going back to OEM, who will happily sell you a "recovery media" for a tenner or so. With all the "bonus software" included for free.

            Exception: if the computer has a W8 Pro license, then it may be possible to get a W7 Pro "downgrade" key from MS. W8 Standard has never had any right to use other versions.

            1. Anonymous Coward
              Anonymous Coward

              Re: Microsoft hardware

              I guess that's another good reason not to go with Windows 8. My desktop PC uses the Windows 7 licence key that came with a Lenovo X220. The X220 is happily running Linux and the licence was never activated on it. I activated it on the Windows PC and it continues to receive updates without complaint.

              I really hope that Windows 7 is the last Windows OS I ever have to use though. I only use it for games and music applications.

        3. AbelSoul

          Re: Apple and Microsoft can be trusted...

          PRISM?

          5 Eyes?

          Snowden?

          No?

          Oh, well. Carry on then.

      2. Anonymous Coward
        Anonymous Coward

        Re: Microsoft hardware

        You would simply find that an Apple device is all but unusable if you deny it the chance to phone home with a far more comprehensive set of personal data

        You've never really used or set up an OSX machine, have you? You need an Apple ID for updates, but it doesn't check if your details are real or not and the associated T&Cs are actually decent.

Personally, this sort of malware is the exact reason I think pre-installed crapware should be banned. As far as I can tell, it may be possible to consider this a malicious and illegal attempt to intercept, and I would pursue it as that. Could make for quite a nice court case.

        1. the spectacularly refined chap

          Re: Microsoft hardware

          You've never really used or set up an OSX machine, have you? You need an Apple ID for updates, but it doesn't check if your details are real or not and the associated T&Cs are actually decent.

          I was thinking more of the iOS devices there but the point still stands. By your own admission you either have to give over your personal data or commit fraud. Some choice.

          1. Anonymous Coward
            Anonymous Coward

            Re: Microsoft hardware

            By your own admission you either have to give over your personal data or commit fraud.

Since when is not giving true details fraud if there's no financial transaction involved? There is no statement/requirement during the signup process that the details you provide must be real, unlike for the organisations you *really* cannot trust with your data such as Google, Facebook and all the other theft as a service providers.

            If I am forced to provide details I will lie by default - I can always correct it (or restart) when I find the provider/website/vendor to be trustworthy, and I have a couple of email addresses that auto-delete mail when it's 4 days old. It's a practice that served me well, especially with so-called "free" Wifi services in London.

            1. the spectacularly refined chap

              Re: Microsoft hardware

              Since when is not given true details fraud if there's no financial transaction involved?

              The laws on fraud are defined in terms of material gain obtained by deception. Financial transactions are the common form that fraud takes but it can be and is applied much more broadly than that. By giving false info you are receiving a material benefit (the update) which cost the provider real money to supply (power, bandwidth, hardware, etc) on the basis of a false representation. That is not a matter of interpretation - it is clear and outright fraud according to the law.

      3. Scott Wheeler

        Re: Microsoft hardware

        > You would simply find that an Apple device is all but unusable if you deny it the chance to phone home with a far more comprehensive set of personal data.

        No it isn't - that's exactly what I do, using Little Snitch. In any case, Macs don't do MITM attacks on HTTPS sessions. They are far from perfect, but on both Windows and Mac it's still usually possible to prevent sw phoning home.

        However I do agree with you that a Mac will attempt to phone home much more than I am happy with.

        1. Danny 14 Silver badge

          Re: Microsoft hardware

Licence key is embedded in the BIOS. Shouldn't need to type one in.

        2. fnusnu

          Re: Microsoft hardware

          They did: http://www.zdnet.com/article/major-apple-security-flaw-patch-issued-users-open-to-mitm-attacks/

    2. LDS Silver badge

      Re: Microsoft hardware

      Microsoft created the "Signature PC" program (http://www.microsoftstore.com/store/msusa/html/pbpage.MicrosoftSignature) to sell PCs without "crapware" installed. Just, AFAIK, it's only available in the US.

It's also funny that while most accuse MS of "monopoly", someone would also like an even stronger one. A single vendor would only mean less choice and higher prices - exactly as happens with Apple. Also Windows doesn't cover only a handful of client-side devices - there's also much more in the server room running on Windows - it would be a far bigger hardware market to cover, and I can't see MS buying Dell or HP anytime soon...

      1. Anonymous Coward
        Anonymous Coward

        Re: Microsoft hardware

        A single vendor would only mean less choices and higher prices - exactly as it happens with Apple

        Try a TCO calculation that includes the license costs to make a machine actually useful for business, and Apple kit emerges as the cheapest solution out there, and the kit tends to last for years. And that's before you add productivity gains through much better usability.

        A single vendor also means no pass-the-parcel games when it comes to getting something fixed, especially when it's about software. I cannot count how often I heard MS techs try the ever-present line that the problem was down to hardware drivers and thus not their problem.

        1. lucki bstard

          Re: Microsoft hardware

          'And that's before you add productivity gains through much better usability.'

          Remember

          - Applications

          - Applications

          - Applications

If the business application only runs on Windows then you either run Windows or a Windows VM on a Mac.

          1. Alistair Silver badge
            Coat

            Re: Microsoft hardware

            Ummmmmm

I run Windows in a VM for three things - Visio, vCenter and fully operational Outlook. Evolution is *not quite* there yet for me.

vCenter I will drop when I get CloudForms running. Outlook I can run in Wine - we just have domain auth issues for the moment since we've not finalized how we're joining Linux to the AD. Once I've got machine level auth with AD I'll move Outlook to Wine. Then I'll start working on Visio.

            No Mac in sight.

    3. big_D Silver badge

      Re: Microsoft hardware @Buzzword

      You mean like the Surface Pro?

      Or what about the "Signature" editions of other manufacturer's hardware that they like to promote that don't have any crapware installed, just vanilla Windows?

    4. jason 7

      Re: Microsoft hardware

      @Buzzword

      Not sure why you are getting all the downvotes. Bloatware/Adware on new laptops from the likes of Lenovo/Acer/Toshiba etc. is a major screwup in the Windows experience.

      I get customers to bring their laptops straight to me unopened so I can delete the 30+ items of crap (not to mention the crappy McAfee AV trial that will lapse and leave the machine unprotected). The machines work really well after all that cruft is removed.

This bloatware trend creates a messy and pop-up riddled experience that makes Windows look a mess. Doesn't reflect too great on Acer/Lenovo etc. I can tell you guys, your customers don't like it.

It is time that MS started pushing out more desktops and laptops with just Windows and a few essentials installed. The current US-based Signature thing isn't enough.

      1. Bob Dole (tm)

        Re: Microsoft hardware

        >>I get customers to bring their laptops straight to me unopened so I can delete the 30+ items of crap (not to mention the crappy McAfee AV trial that will lapse and leave the machine unprotected). The machines work really well after all that cruft is removed.

        When I buy a laptop, I make sure that it has the cheapest hard drive option. I then buy a brand new SSD. The very first thing I do after unboxing the laptop is to take the harddrive out and replace it. Then I load a fresh OS on it. Been doing that for 15+ years and have always been happy. When I get rid of the laptop, I just pop the old drive back in and sell it off.

There are two reasons here. The first is that it usually takes less time to reload an OS than it does to try and remove all the crapware. The second is that when selling the laptop later I don't have to worry that any of my data is recovered after the deletion.


Biting the hand that feeds IT © 1998–2019