I wonder what else they have hidden in this or a similar way? I used to think that Lenovo made half way decent kit; note that I used to think that way.
Lenovo is in hot water after being caught intentionally shipping laptops with software that steals web traffic using man-in-the-middle attacks. The "Superfish" software was present on laptops sold until late last month and stole all manner of web traffic using fake, self-signed, root certificates to inject advertisements into …
Kit is OK, just install [any fresh OS of your choice] on it
There, fixed it for you.
[Sidenote: My first Linux experience was installing Mint on an ancient IBM Thinkpad with a mate, just for fun... Once we grasped the Linux conventions it was a straightforward job, except that it had odd audio hardware. We got a sense of accomplishment when we got a noise out of it!]
Having owned a Lenovo ThinkPad T500 for the last 3 years, and having used a ThinkPad Edge E531, I can tell you the quality has nose dived. Flexing chassis when typing on the ThinkPad Edge, the older T500 is perfect really.
And yes, install any OS of your choice - which means either Windows or Linux.
Just like other companies, Lenovo makes some really good kit, and some not so good. Among the latter are any of the Lenovo consumer systems. Most ANY computer designed and made for consumers has some issues, usually cheap design and materials, often substandard electronics.
So I stand by the T- and X-series Thinkpads. Well made and durable. The W-series, unfamiliar to me but bearing a strong resemblance to the T's, is probably just fine, too.
When I get a Lenovo laptop, I generally reload Windows from scratch. No more bloatware. No more crapware.
But this is a goddam embarrassment for Lenovo. Never should have happened, whatever incentives came from the Crapfish company. Superfish needs to be blockaded and sanctioned, just like a third world dictator. They have no business messing with security certificates, and need to disappear from the internet.
Well done Lenovo. At a critical time following the System X acquisition, when you're trying to crack into the server and storage markets - which entails proving that big customers can trust a Chinese company with their data - you go and factory install malware on a load of end user devices.
Well f***ing played you muppets.
Given the opportunity to build trust on a global basis and cement their standing as a world class provider of IT hardware they do this.
This plus numerous Chinese Govt sponsored hacks and also allegations of Govt sponsored corporate espionage targeting visiting Business Leaders and foreign government figures.
They need to be doing it better and cleaner than the next country....start all over again China.
There always were different ranges of Thinkpads.
Go for the T series (or an X series if you want a compact laptop).
When IBM owned the brand there were at least the R series which were plasticky, and the A series which were larger and heavier. Before that, they were numbered, with the 300 range being budget and made of plastic, and the 700 range being the business systems.
Lenovo have dropped all of the old IBM ranges except the T and X, and have re-branded some of their other ranges as Thinkpads to cash in on the name.
I have a work T420, and apart from the appalling new 'island' keys, it seems as robust as the older systems.
The T used to stand for Titanium (actually an alloy with titanium in it) that was used in a chassis to stiffen the screen/lid, which along with clever interlocks between the lid and base led to the reputation about them being extremely robust. The hinges certainly last longer than most other laptops.
I have three thinkpads one pre-lenovo (IBM) and 2 Lenovo. All three still in service.
But recently, I was handed what was supposed to be a Lenovo S390 VibeX phone. After much faffing about trying to upgrade it, remove malware etc, I discovered it was in fact a counterfeit S960t Lenovo.
Extremely sucky experience. Something is rotten in the state of Shenzhen.
Get a good job where Linux is allowed.
Your free homemade hobby operating system is only good for home use.
What you utterly fail to realize with your glib reply is that Windows and MS Office have become the de-facto corporate standard worldwide. You can move from one job to another with almost no new training because the UI is identical. When your corporate partners, customers, suppliers, etc send Office documents between each other it's a given that everyone can use the same formats without awkward conversions. Outlook is the interface to Exchange which offers a host of business services including meeting scheduling, messaging, availability to org charts, and tasks management where email is only one service. Excel macros automate program management to such an extent that if you can write complex Excel macros you can command six-figure salaries.
I could go on, but until you achieve serious corporate responsibility you won't understand any of this.
>Your free homemade hobby operating system is only good for home use.
Nice trolling but you do realize that hobby OS is running on the computer (web server) that you posted this garbage on for us all to read right?
>I could go on, but until you achieve serious corporate responsibility you won't understand any of this.
And being an obvious desktop jockey at best you obviously know quite little about enterprise yourself. An awful lot of business critical workloads these days are on or moving to Linux (often from proprietary Unix which actually makes me sad but neither here nor there).
> if you can write complex Excel macros you can command six-figure salaries.
Same with being a good enough man whore I guess. Would rather command the six figure salary (which isn't that hard if you can code in any technology in demand) and not have to tell people I use VBA. That way you can be well paid and happy with your work as well.
Nice trolling but you do realize that hobby OS is running on the computer (web server) that you posted this garbage on for us all to read right?
When you wrote the garbage above, you do realize that this discussion is about laptops and not web servers, right? Nice trolling, but you do realize that this discussion is about Lenovo laptops, right? Or are you suggesting that you would load Linux on a Lenovo laptop and run a corporate website from it?
I doubt that too many Lenovo laptops are being used as corporate web servers.
>Or are you suggesting that you would load Linux on a Lenovo laptop
No probably PC-BSD (would check the laptop is supported before I bought the laptop) and I would not have been affected by the mal/bloatware in the first place regardless, (Linux is quickly becoming Windows (ie. shit) due to RH and systemd). As for a web server (on a blade server more than likely) if it was internet-facing with fairly mild load I would probably run it on OpenBSD actually.
If I was some corporate IT drone buying for the company I would probably purchase Lenovo windows laptops (perhaps not any more though) from some trusted vendor but would then image them like almost every shop I have been in does because as you say for the corporate desktop (Microsoft's last bastion) in 2015 there isn't much choice for any decent size outfit. May not be true forever though.
All the volume PC manufacturers do this sort of thing, at least with their consumer oriented product lines. If it isn't Superfish, it's something else at least as nefarious. Now that more and more web sites are going or are planning to go https all the time for all pages, this sort of certificate MITM is going to be standard practice for ad-flinging or ad-tracking crap-ware. Corporate PCs have these sorts of MITM certs installed in them by the IT departments so they can monitor user traffic, so why should we be surprised that consumer PCs come with something similar?
An essential part of the Windows financial model so far as PC manufacturers are concerned these days rests on these sorts of crap-ware deals. They get paid to pre-load this sort of crap-ware and demo-ware, and this is what pays for the Windows license. This makes Windows essentially free so far as PC manufacturers are concerned, which is why they aren't all that interested in things like Linux.
The problem isn't going to go away so long as PC manufacturers are just commodity box shifters shipping a third party OS where the OS vendor's brand name is a prime selling factor. Buyers go to a store (or web site), look for a "Windows PC", and typically pick the cheapest one in a given size range. Things like dodgy security certs are completely beyond their knowledge.
> Corporate PCs have these sorts of MITM certs installed in them by the IT departments so they can monitor user traffic, so why should we be surprised that consumer PCs come with something similar?
Umm because unlike the corporate PC the customer PC is mine (not some corporation's including Lenovo). Damn, going to have to download a good antivirus CD now and check the missus' Lenovo. As for me, never kept a factory install OS on any of my gear more than the first month including my phone and tablets.
You wouldn't find this on an Apple computer, because a single company controls both the hardware and the software. Microsoft's reputation is being undermined by crap like this. They need to copy Apple and start shipping their own hardware.
You wouldn't. You would simply find that an Apple device is all but unusable if you deny it the chance to phone home with a far more comprehensive set of personal data. Sadly, the average punter doesn't seem to care.
Heads should roll over this. Literally, as in detached from the bodies that they used to be part of. It isn't going to happen, it'll be a mistake or a bug or something.
As Steve Rambam said at least ten years ago, "Privacy is dead. Get over it." You might not like it but as long as somebody else is willing to lap up this kind of shit it is an economic impossibility to avoid.
@the spectacularly refined chap
You've never actually used an Apple product have you? You've read some guff on the Internet - but nothing more than that. Somehow though, you think you're qualified to comment.
Rest assured, there is no need to hand Apple any of your information just to use (and update) a Mac. On the other hand, I do think that you'll be missing out if you don't take advantage of Apple's free online services (which are really rather good). And, as I've said before, I think that (of all the online service providers) Apple and Microsoft can be trusted. After all, their business models are not predicated on selling what they know about you.
I use Microsoft's online offerings too, other than Hotmail, and they partner each other well.
What does this have to do with Microsoft? It was Lenovo who installed this crap.
When you buy a "windows" laptop you get a licence key on the bottom, usually under the battery. This is so you can download a vanilla copy of the OS from MS and install it, getting rid of the crapware that came with the laptop.
Or, as a previous poster has said, you could get your preferred flavour of Linux (or BSD) and install that instead.
Having recently bought one of the junk ridden Lenovo's I can confirm you can re-install the supplied OS - but you have to create a bootable USB using the supplied software and then find exactly the right sub menu in the install to get a clean build (reminds me of a certain planning department in the basement, no light or stairs and a big 'Beware of the Tiger' sign...)
> When you buy a "windows" laptop you get a licence key on the bottom, usually under the battery. This is so you can download a vanilla copy of the OS from MS and install it, getting rid of the crapware that came with the laptop.
No, the purpose of that sticker is to show that you have a genuine OS installed.
It used to be, dunno about now because I don't follow in that much detail, that the licence was only valid for the image pre-installed by the manufacturers (or re-installed from recovery disks). It specifically did not allow for re-installation with another 'version' of Windows.
Ie, just because you have a licence for (say) XP, that does not give you the right to install XP - other than the OEM version that came with the machine. Quite HTF the average user is supposed to know that the licence for "XP" isn't for "XP" but for "a specific but unspecified version of XP" when there's no hint whatsoever on the sticker is another matter !
But when has "user friendly" ever been part of Microsoft's licensing schemes.
Don't be difficult. You should know perfectly well that the main consumer version of WinV / Win7 is Home Premium. The only possibility of coming a cropper when re-installing an OS is getting confused between 32 vs 64 bit. And 32bit is really outdated and mostly applies to relatively elderly Vista PCs nowadays. Plus, your 'average user' is not about to attempt an OS re-install now, are they?
"When you buy a "windows" laptop you get a licence key on the bottom, usually under the battery. This is so you can download a vanilla copy of the OS from MS and install it, getting rid of the crapware that came with the laptop."
No you don't. Not anymore. Windows 8 Large OEM versions do not have a license sticker. Only a SLIC key buried into the motherboard.
And good luck calling Microsoft on that. OEM license keys are not compatible with vanilla. You'll get a choice of buying a new retail copy of Windows 8, or going back to OEM, who will happily sell you a "recovery media" for a tenner or so. With all the "bonus software" included for free.
Exception: if the computer has a W8 Pro license, then it may be possible to get a W7 Pro "downgrade" key from MS. W8 Standard has never had any right to use other versions.
I guess that's another good reason not to go with Windows 8. My desktop PC uses the Windows 7 licence key that came with a Lenovo X220. The X220 is happily running Linux and the licence was never activated on it. I activated it on the Windows PC and it continues to receive updates without complaint.
I really hope that Windows 7 is the last Windows OS I ever have to use though. I only use it for games and music applications.
You would simply find that an Apple device is all but unusable if you deny it the chance to phone home with a far more comprehensive set of personal data
You've never really used or set up an OSX machine, have you? You need an Apple ID for updates, but it doesn't check if your details are real or not and the associated T&Cs are actually decent.
Personally, this sort of malware is the exact reason I think pre-installed crapware should be banned. As far as I can tell, it may be possible to consider this a malicious and illegal attempt to intercept, and I would pursue it as that. Could make for quite a nice court case..
You've never really used or set up an OSX machine, have you? You need an Apple ID for updates, but it doesn't check if your details are real or not and the associated T&Cs are actually decent.
I was thinking more of the iOS devices there but the point still stands. By your own admission you either have to give over your personal data or commit fraud. Some choice.
By your own admission you either have to give over your personal data or commit fraud.
Since when is not giving true details fraud if there's no financial transaction involved? There is no statement/requirement during the signup process that the details you provide must be real, unlike for the organisations you *really* cannot trust with your data such as Google, Facebook and all the other theft as a service providers.
If I am forced to provide details I will lie by default - I can always correct it (or restart) when I find the provider/website/vendor to be trustworthy, and I have a couple of email addresses that auto-delete mail when it's 4 days old. It's a practice that served me well, especially with so-called "free" Wifi services in London.
Since when is not giving true details fraud if there's no financial transaction involved?
The laws on fraud are defined in terms of material gain obtained by deception. Financial transactions are the common form that fraud takes but it can be and is applied much more broadly than that. By giving false info you are receiving a material benefit (the update) which cost the provider real money to supply (power, bandwidth, hardware, etc) on the basis of a false representation. That is not a matter of interpretation - it is clear and outright fraud according to the law.
> You would simply find that an Apple device is all but unusable if you deny it the chance to phone home with a far more comprehensive set of personal data.
No it isn't - that's exactly what I do, using Little Snitch. In any case, Macs don't do MITM attacks on HTTPS sessions. They are far from perfect, but on both Windows and Mac it's still usually possible to prevent sw phoning home.
However I do agree with you that a Mac will attempt to phone home much more than I am happy with.
Microsoft created the "Signature PC" program (http://www.microsoftstore.com/store/msusa/html/pbpage.MicrosoftSignature) to sell PCs without "crapware" installed. Just, AFAIK, it's only available in the US.
It's also funny that while most accuse MS of "monopoly", someone would also like an even stronger one. A single vendor would only mean less choices and higher prices - exactly as it happens with Apple. Also Windows doesn't cover only a handful of client-side devices - there's also much more in the server room running on Windows - it's would be a far bigger hardware market to cover, and I can't see MS buying Dell or HP anytime soon...
A single vendor would only mean less choices and higher prices - exactly as it happens with Apple
Try a TCO calculation that includes the license costs to make a machine actually useful for business, and Apple kit emerges as the cheapest solution out there, and the kit tends to last for years. And that's before you add productivity gains through much better usability.
A single vendor also means no pass-the-parcel games when it comes to getting something fixed, especially when it's about software. I cannot count how often I heard MS techs try the ever-present line that the problem was down to hardware drivers and thus not their problem.
I run Windows in a VM for three things - Visio, vCenter and fully operational Outlook. Evolution is *not quite* there yet for me.
Vcenter I will drop when I get cloudforms running. Outlook I can run in wine - we just have Domain auth issues for the moment since we've not finalized how we're joining linux to the AD. Once I've got machine level auth with AD I'll move outlook to wine. Then I'll start working on visio.
No Mac in sight.
Not sure why you are getting all the downvotes. Bloatware/Adware on new laptops from the likes of Lenovo/Acer/Toshiba etc. is a major screwup in the Windows experience.
I get customers to bring their laptops straight to me unopened so I can delete the 30+ items of crap (not to mention the crappy McAfee AV trial that will lapse and leave the machine unprotected). The machines work really well after all that cruft is removed.
This bloatware trend creates a messy and pop-up riddled experience that makes Windows look a mess. Doesn't reflect too well on Acer/Lenovo etc. I can tell you guys, your customers don't like it.
It is time that MS started pushing out more desktops and laptops with just Windows and a few essentials installed. The current US based Signature thing isn't enough.
>>I get customers to bring their laptops straight to me unopened so I can delete the 30+ items of crap (not to mention the crappy McAfee AV trial that will lapse and leave the machine unprotected). The machines work really well after all that cruft is removed.
When I buy a laptop, I make sure that it has the cheapest hard drive option. I then buy a brand new SSD. The very first thing I do after unboxing the laptop is to take the hard drive out and replace it. Then I load a fresh OS on it. Been doing that for 15+ years and have always been happy. When I get rid of the laptop, I just pop the old drive back in and sell it off.
There are two reasons here. The first is that it usually takes less time to reload an OS than it does to try and remove all the crapware. The second is that when selling the laptop later I don't have to worry that any of my data is recovered after the deletion.
I did uninstall a ton of bloatware from my Lenovo laptop I bought at Christmas, but I still had a Superfish global root certificate in my Windows certificate store.
A shady name, if you are casually looking at your Windows services, it will come up next to Superfetch, a legit MS service.
Anyway, Start > type certmgr.msc > Root certificate authorities > Certificates > Delete the unlimited Superfish cert and that should help, even if you have uninstalled and cleaned up your system.
Technically, there is nothing "malicious" about any root certificate no matter what's inside. A root certificate silently enables a trust relationship between the location where the certificate is installed and the party holding the private key to the certificate in question. It is how this trust relationship can be (ab)used which can be malicious, and not only because the certificate is issued by a corrupted party but also possibly because it's been compromised. So yeah, the more root certificates you have the more exposed you are :(
I totally agree with you, and this is a case of closing the barn door after the horse has bolted, but at least I will not get any silent "secure" sessions being decrypted by a man in the middle on my brand new, factory spec laptop.
It is a very sneaky way of compromising the system, and goes against everything any and all IT engineers stand for regarding individual freedom, and coming from an ex-IBM'er, having to criticise the Elephant is not an easy thing, but what they did is just an unimaginable breach of privacy and trust. I'm so happy that the first thing I did was to kill all the preinstalled crud, including this. I thought that it was some photo app (misread "snapfish" originally), but adding "value added" apps is one thing, adding apps that are designed to invade and breach the trust that you have with SSL, and playing on the "if you see the padlock, it's secure" mantra that we have been drumming into users' heads for.... at least the 20 years I have worked in IT, this is a blatant and unacceptable breach of trust from what used to be a reputable quality PC builder.
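The trust relationship the commenter above describes, and why deleting the root from the store (the certmgr.msc step a few comments up) is what actually closes the hole, can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from Lenovo, Superfish or the article: it builds a self-signed root (only the "Superfish" label comes from the page; the root name and the host name `www.example-bank.test` are constructed for the demo), uses that root to mint a server certificate for a host the root holder does not own, and then runs the same verification a browser performs, once with the rogue root in the trusted set and once without it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for the demo; only "Superfish" is taken from the page.
const (
	rogueRootName = "Superfish, Inc. (demo root)"
	victimHost    = "www.example-bank.test"
)

type demoCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRoot builds a self-signed CA certificate: the object a preloaded
// interception product drops into the machine's trusted-root store.
func newRoot(name string) (*demoCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &demoCA{cert: cert, key: key}, nil
}

// issueLeaf signs a server certificate for any host name the holder of the
// root's private key chooses; nothing ties the name to the real site owner.
func (ca *demoCA) issueLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientAccepts performs the check a browser does on a TLS handshake:
// is this leaf valid for host, chaining to a root the client trusts?
func clientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// Scenario returns whether the forged leaf is accepted (a) while the rogue
// root sits in the trust store and (b) after it has been deleted from it.
func Scenario() (withRogue bool, withoutRogue bool, err error) {
	rogue, err := newRoot(rogueRootName)
	if err != nil {
		return false, false, err
	}
	leaf, err := rogue.issueLeaf(victimHost)
	if err != nil {
		return false, false, err
	}
	poisoned := x509.NewCertPool()
	poisoned.AddCert(rogue.cert)
	clean := x509.NewCertPool() // the same store with the rogue root removed
	return clientAccepts(leaf, victimHost, poisoned), clientAccepts(leaf, victimHost, clean), nil
}

func main() {
	a, b, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged cert for %s accepted with rogue root: %v, after removal: %v\n", victimHost, a, b)
}
```

The forged certificate verifies cleanly while the rogue root is trusted, so the padlock shows and the interceptor can read and rewrite the session; the same certificate is rejected as "unknown authority" the moment the root is gone. Note the check is purely local: nothing the real site does can stop it, which is the point made in the later comments about other businesses being impersonated.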
Lenovo management need to be forced to listen to Justin Bieber for 10 days, then hung, drawn, quartered and the body parts hung from their head office as a warning to others...
YIKES listening to that idiot Bieber is qualified as cruel and unusual punishment .. but in this case i totally agree . They should be quartered for putting crap on machines leaving the factory . In fact i kind of agree that laptops should be virgins when they leave the factory and have nothing on it but the os without any bloatware/crapware on them .. Bring back the guillotine :)
I'm not exactly clear from the website article of the exact architecture of the Superfish MITM software setup, but if it's acting as a proxy and is intercepting all traffic without informed user consent then there has to be a privacy aspect here - they may be processing private information and so the Data Protection Act could come into play.
If Superfish were masquerading as other businesses via certificates issued under their root certificate then I wonder if the other businesses would have a cause of action in terms of passing off. Certainly if I was Bank of America or any other business offering services via https or suchlike then I'd be pi**ed off about the potential damage to my reputation and business if customers knew that I would do nothing about other people pretending to be me and intercepting private sessions with my customers. Any EULA the consumer nominally agreed to would be irrelevant in terms of whether or not an act of passing off had occurred.
I would also wonder about copyright infringement - by modifying webpages users were requesting to display ads for other "similar" products, and doing that without the consent of the copyright owner, then that might be an unauthorised adaptation of the copyright work (the webpage).
As other commentards have said, roll on DNSSEC.
"If Superfish were masquerading as other businesses via certificates issued under their root certificate "
They were, that's how this works. Pretty much everything you wrote is correct and would form a viable basis for legal action if someone / some group chose to pursue this.
I would like to know how high up the management chain actual understanding of how this worked went. At the top is there someone signing off on a deal that "shows some ads" or is there someone who knows that this is actually breaking a fundamental security component of the web and impersonating websites. It's not a silly question - someone in the chain must have known the implications of this so I wonder how high it got before someone decided to accept responsibility for the decision and chose to do this without flagging the implications higher. That person knowingly endangered their customers' security and I would imagine anyone making that decision wanting to be able to pass the responsibility upwards and say: "I raised it with my boss in this email and they said okay". So it could have risen pretty high indeed.
Which also raises the question of whether there was another motive for this. What this has meant is that the security of very many people has been compromised. It could be greed and incompetence but it also can be a way of spying on people. And if you get caught - it's adware, we didn't know better! There's no way with this installed you can know if you've been compromised or not.
I'm leaning to that not being the case simply because this isn't present on the highest end laptops which would obviously be the best targets. But still, it makes you wonder.
"highest end laptops which would obviously be the best targets"
Why? If it's advertising related then volume counts over quality every time. And even ID theft is a game of volume over quality.
For the small number of premium brands who might value rich customers, they'd typically want to keep their brand clean, and association with crappy ad-scammers would be high risk, as well as likely to generate a lot of unproductive leads - Jaguar buyers (for example) will probably buy high end laptops, but that relationship doesn't work the other way round.
>>"Why? If it's advertising related then volume counts over quality every time. And even ID theft is a game of volume over quality."
Because in the scenario I was evaluating, the purpose of this was spying on people and using advertising as a cover (which this flaw enables), the actors behind that would have to be state level players. (E.g. Chinese government, NSA, etc.). They wouldn't be interested in indiscriminate harvesting, but in targeting high level players.
One could make a case that mid-level people might have more valuable access as that is where most of the IT people with dangerous access live, but I don't think that would be the case.
Anyway, I think the probability is that this is an unwitting breakdown of security in the greed of Lenovo wanting a pittance of advertising revenue with each laptop sale (note to El. Reg: not "lappy"). But still, it makes you wonder.
I would like to know how high up the management chain actual understanding of how this worked went. At the top is there someone signing off on a deal that "shows some ads" or is there someone who knows that this is actually breaking a fundamental security component of the web and impersonating websites.
Doesn't matter. At the end of the day (doncha just luves you some management-speak?), the guys at the top are responsible. CEO, CTO, CMO (Chief Marketing officer, regardless of its "real" title) are the captains of the ship, and are expected to go down with it. Now, the concept of a white-collar fatass corporatist actually going to Jail is anathema in the post-Bush era, but we can always fantasize, now can't we?
Hear hear. I actually even received the new X1 Carbon but just returned it due to a build quality issue without ever having turned it on. Was going to get another in its place but after reading this I'm strongly inclined not to. Despite the fact I never use Windows so it wouldn't touch me anyway.
>Yesterday I was reading this review of a Lenovo with an interest in buying. Not any more.
But just think, tomorrow it will be on sale - because of a dip in sales due to this security breach, and thanks to El Reg you have been informed of how to deal with this problem. So that X1 could be an even better buy...
That's a shame. Because X1 is not affected by this brouhaha.
If anyone's using a brand name, or any other marketing label, as the only guidance for making decisions, they'll be mightily disappointed sooner or later. Brands are far too messy these days. Lots of crap is peddled under reputable brands, which in turn tarnishes good products. There seems to be an infinite supply of greedy fools, who'll try to make a quick buck by misappropriating a solid brand, despite all the historical failures.
Still wearing the aura of IBM quality in design and colours, Lenovo products are an atrocity. Take a screwdriver, and watch how cheaply it is built with spit and tape.
Now they install spyware and adbots, given the latest scandal with Samsung spy television sets, it is time the government intervenes and starts heavily fining this type of fraud like others get speeding tickets.
Sadly the opposition is no better.
Apple laptops are increasingly glued together and have components soldered to the board.
I had an experience with a Toshiba laptop yesterday, a L50-B… the machine rattled out of the box. I had bought it with an 8GB DDR3L stick to install myself, no hatch to access the RAM on the bottom, you need to remove the ENTIRE bottom panel which requires 11 screws then releasing a number of hidden plastic catches. On doing this, I discovered a loose extra screw running around inside the case near the screen hinge.
We've got a couple of Dells at work in which to access the hard drive, the machine needs to be COMPLETELY disassembled from the keyboard down.
We've got one ASUS gaming laptop at work used for 3D visualisation demos, never needed to open that one up so can't comment much on it at this point.
I'm not sure about Acer or Sony. Panasonic are good, but dear as poison. (I don't regret my CF53 MkII, but at AU$2500, it wasn't cheap!)
That doesn't leave many players left.
Open any MSI G-Series laptop, and smile watching the build quality smiling back at you. MSI seems to be the last man standing outside the world of Chinese crap we are slowly sinking in, showing Taiwan honors its title as "renegade province" of the Peoples Republic of Crap in a very positive manner.
Open any MSI G-Series laptop, and smile watching the build quality smiling back at you.
Actually, I was laughing when I opened a MSI gaming laptop. I can't remember the series but while the ease of working with it was great, the quality of the plastic wasn't. The hinge design was one that needed repair after a few months, and anyone who knows anything about leverage (the mechanical moving stuff kind, not financial/blackmail etc) would instantly see that it would break very quickly - huge amounts of stress on very small areas of plastic. I reinforced it with fibreglass as one side was gone and the other was on its way.
For the price my customer paid, I would've expected a hell of a lot better product. MSI may have some much sturdier machines, and as far as other repair work/disassembly goes, and as far as the laptop itself goes - it was a great machine. But the build quality of the case was quite shite. I still would probably buy one if I had the $$$ to splash.
The first thing I do when I get a new computer/laptop is reformat it and install a vanilla copy of the OS. Everyone seems to stuff their equipment with 'useful software' aka bloatware these days. Do a clean install and its all sorted.
BTW Lenovo actually makes some decent kit - my last two laptops have been Lenovo and I've been very happy with them. No reason not to buy them, just wipe the disk.
The first thing I do when I get a new computer/laptop is reformat it and install a vanilla copy of the OS.
As do I ;)
BTW Lenovo actually makes some decent kit - my last two laptops have been Lenovo and I've been very happy with them. No reason not to buy them, just wipe the disk.
It probably won't be long (if not already the case) before removing such an item voids the warranty. Even if the pre-installed trial barely-AV crapware (or decent AV as a few companies do) finds and removes the rubbish.
that will build a laptop to my specs for a very reasonable price AND you buy the OS separately. No bloatware, nothing you did not ask for.
Sounds sweeter every day.
I'll check the (older) Lenovo machine, in which I already deinstalled a load of stuff after buying it, for superfish
I recently found a company nearby that will build a laptop to my specs for a very reasonable price AND you buy the OS separately. No bloatware, nothing you did not ask for.
Mind telling? I get lots of requests for laptops "without the windows tax".
I don't know who he's thinking of, but these guys are worth a look if you want a custom built laptop
they specialise in high spec machines (mainly for real-time video editing), and assemble them from kits mainly provided by Clevo - arguably the most bullet-proof of all the Chinese ODM suppliers
"we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues," Hopkins said
So, long term, Lenovo's intention is to continue bundling software from this highly trustable source.....
"So, long term, Lenovo's intention is to continue bundling software from this highly trustable source....."
Upvoted. Well, since this one was not concealed enough (they thought no-one would notice an unusual ROOT CA in the browser), it's expected they'd come up with something better, no?
we have temporarily removed Superfish
Superfish apparently is a company from a somewhat reputable middle eastern country. These are mildly notorious for "I will be back"-s after temporary bad press due to SHTF. Companies that sound like Fundocs or Converse come to mind.
Better be anonymous.
The problem with some laptops, (Dell, Toshiba, Asus and others) is that you can do a clean install, but then the damn thing runs like a dog, uses battery like there's a hole in the bottom for the electrons to run out, sound doesn't work properly, buttons don't work properly etc, etc.
You end up having to re-install half of the manufacturer's bloatware to get the damn thing to work properly again.
I've just put Mint on my EEEPC 1025CE; and the battery certainly doesn't last as long as it did on Win7. I don't know enough about Linux to see if there are any changes I can make that might help.
I was actually looking at the Lenovo ThinkPad X240 as an upgrade (I don't really want a 13+" screen, but an i5 processor would be nice), but that's off the cards now. I did see a few of the new Asus kits that I was interested in, but can't seem to find anywhere (at all) to buy them from.
I'm just surprised that anyone actually uses a laptop with the OS install the manufacturer put on it.
The idea the Joe Average will wander out of CurryPhone DixHouse with his shiny, new toy then go straight home, plug it in and start using it without first reinstalling the operating system surprises you?
Your surprise surprises me.
And where do you get the clean install from ?
You certainly can't trust the OS install disk that came with the machine.
And if you do an install with a retail copy of Windows you will still have to go to the laptop maker's site for all the driver downloads. All those run as administrator system installs ......
Ignoring the build quality, preferred OS etc arguments above
Surely the only reason Lenovo installed it was for some kind of payment from Superfish?
Does anyone have an idea how much this might add up to?
Then I wonder if this gets out of the 10 o'clock nightly news how much this is going to cost Lenovo in lost sales? Joe Average may well not understand the ins and outs, but the gist of "Lenovo laptops steal your banking details" may well stick in his mind and get passed around like a Chinese whisper
I don't know about Superfish specifically, but general analyses of these sorts of deals say that the total bundle of pre-installed crap-ware pays for the cost of the Windows licence. That is, after taking into account the crap-ware, Windows is essentially free to the manufacturer. That's why they don't care about the cost of Windows licenses.
The crap-ware vendors of course make their money by either doing this sort of dodgy ad flinging, or by persuading you to upgrade a demo version of software to the paid-for version.
These deals are the reason why crap-ware comes pre-loaded, but really good and useful open-source software usually doesn't. It's all about the money, and it's the bottom feeders who will pay for product placement.
Everybody who has a say in the process makes money out of this. The PC manufacturers get paid to load it. Microsoft is happy because their OEM customers now don't care so much about license costs and so have little incentive to look at things like Linux. And of course the crap-ware vendors get to use your PC as a ad-vendor's playground.
Of course the poor sod who bought the PC gets shafted. However, when you buy a typical Windows PC these days, you're not the customer, you're the product.
Just one* of the reasons that I image over or reinstall a PC on purchase, business or personal.
But, seriously, how much can Lenovo have earned back from that to justify screwing their customers over? If someone is paying hundreds for your laptops, and then you're screwing over their privacy and security for a handful of pence (after commission), it really shows where your priorities lie.
Don't "get an update" or "review the situation", stop doing business with them and stop bundling that junk at all.
(*) Other reasons include: I don't know who touched it before it got to me, I don't know what other junk is bundled to pop up when I plug a camera or printer in, I want to prove to myself that it CAN be reinstalled from scratch with all the drivers using only the discs given before data goes on it and before it goes out of warranty, etc. and the amount of junk I see bundled on "new" PCs that slow them to a crawl is unbelievable. Just cleaned a PC from the Vista era as a favour and it was STILL popping up things from Fujitsu etc. about restore processes, driver disks, special offers, spyware junk, printer drivers, you name it that HAD COME WITH THE MACHINE ON PURCHASE.
Also, I once found out that brand-new purchased laptops would not work with full disk encryption because of a dodgy BIOS by testing this. Encryption would work, everything would be hunky-dory, but reboot and the BIOS refuses to boot from anything that did not have a zero in a certain hex offset of the hard disk (which corresponded to a zeroed field in an NTFS header). As such, anything non-Windows you ever tried, or any sort of disk encryption, and it rendered the machine unbootable. Actually forced the manufacturer to obtain and issue an updated BIOS for that model, because we'd purchased many of the same model, I'd noticed immediately, had a reproducible test case (involving writing a non-zero to a point on the hard disk), they'd said it was compatible, I work somewhere with a legal requirement to encrypt mobile devices, and they were about to lose the sale because of it.
It's quite possible I'd only have found out about that months or years down the road if I wasn't needing to use and encrypt those computers immediately.
It's installed as application software by the OEM, so UEFI doesn't even see it. UEFI only comes into play during the OS boot process, and addresses only one, very rare and limited attack vector. UEFI just looks to see that the boot loader was signed by Microsoft during the initial boot, and anything that happens after that is up to the OS.
The whole point is that secure boot is supposed to establish a chain of trust. A chain of trust requires each link in the chain (and you know what they say about chains and weakest links) to be trustworthy. So if Microsoft is signing a bootloader as trustworthy then they should have assured themselves that the system it's loading is trustworthy otherwise that chain of trust means nothing.
If that system is Lenovo's spin of Windows then it's up to them to assure themselves that Lenovo can be trusted to produce a trustworthy system image. That requires Lenovo in turn to assure themselves that anything they include is also trustworthy. It requires due diligence all down the chain.
Secure Boot makes sure that you boot securely into the OS you intended.
It has no effect, design or control over what the OS chooses to do. In the same way that you can login as an admin and delete critical registry entries, you can login as the system OEM installation user and install bloatware and junk.
There is no, and never has been, way to stop that in Windows. Windows does not verify that you, the physical user, want to install that Lenovo junk in the same way that it doesn't verify that you, the physical user, want to choose Chrome as your default browser or change the desktop background.
It's ridiculous to suggest so.
To install ANYTHING on Windows or Linux which runs in the way of necessary drivers, you need to be able to slipstream things into the initial install which can be run as an administrator. It's game over. What broke these systems was not Windows, or Secure Boot, failures, but having Lenovo install - as an administrator user - malware before it got to you. Whether that was in an automated (slipstream install) or manual (log in as the initial admin user) fashion, there's NOTHING that can stop that but Lenovo not doing it.
The alternative is that MS has to certify and pre-install not only every driver that could possibly work on their system, but every application as well. That's not what you want, I assure you. Want to install that freeware that you downloaded off the net to fix a problem? Sorry, not signed by Microsoft and therefore not in the MS trust chain. You want to put it into the trust chain manually yourself? Lenovo could have done that exact same thing and you'd never have known more than this showed itself.
Secure Boot just ensures that you boot into a valid, authorised bootloader of your choice. At all points past that, you're on your own. Even the OS isn't necessarily dictated - hence why Linux can still boot on Secure Boot systems with (I believe) a Fedora/Microsoft-signed bootloader. Past that point is not the domain of Secure Boot in any way, shape or form, but the OS. And the OS will allow a user with administrative rights (whether inserted as a slipstreamed instruction via unattend.xml or similar or just by virtue of being the first user created during setup) to do whatever they want. This is no different on Windows, Linux, or anything else.
The second you break that, you break every SCCM system in existence. And I'll be damned if I'm going to get MS to "sign-off" on my custom install of Windows that I deploy to several hundred machines every time I change it.
@Lee D - "To install ANYTHING on Windows or Linux which runs in the way of necessary drivers, you need to be able to slipstream things into the initial install which can be run as an administrator."
- I won't argue with the general thrust of your argument so far as Windows is concerned, but with Linux drivers are normally written by the chip manufacturers and are part of the Linux kernel, not a third party add-on. There are a lot of technical advantages of doing it that way, but from the user's perspective it means that if you have a reasonably up to date kernel, then any drivers you may need normally come built right in. The reason why things are different on Windows is that Microsoft doesn't (understandably) want to hand out their kernel source code to anyone who asks for it.
@Lee D - "hence why Linux can still boot on Secure Boot systems with (I believe) a Fedora/Microsoft-signed bootloader. "
- Different distros have different solutions to this, but it basically revolves around having a signed pre-boot loader. The pre-boot loader loads the real boot loader, which then loads the kernel. I believe that Ubuntu had this first, but Red Hat/Fedora and Suse now also have their own. Overall though, it works more or less as you said. Each step in the chain checks the next step before loading it. It's intended to prevent root-kits from being loaded before the OS.
@Lee D - "MS has to certify and pre-install ... every application as well. ... Want to install that freeware that you downloaded off the net to fix a problem? . "
The solution which Linux distros came up with in the 1990s was repositories. These days the proprietary vendors call them "app stores". There are tens of thousands of packages ("apps") in Debian or Ubuntu. You can add third party repos if you want, which is how some proprietary software vendors offer their products. If you are doing a corporate deployment, you can change the configuration to point at your own repos, which is how you can control what software gets installed. Packages in the repos are signed, and the signatures are checked before they are installed.
I think that this is the way which Apple is going with OS/X, and I imagine that Microsoft eventually will as well. If they copy the way that Linux distros do things, then third party repos will be supported so companies such as Adobe will be able to run their own independent "app stores" instead of paying 30% commission to Apple or Microsoft on every sale.
There is some talk among Linux developers about checking the signature on each program before running it, but I don't know if that can be made to work with user-written scripts. If not, then that idea obviously won't work. Ubuntu has been doing a lot of work on sand-boxing individual apps for their mobile efforts, and have lately realized that it has advantages for cloud (like Docker) and desktop uses as well. This is probably the future direction of security for the desktop.
Looks like UEFI secure boot is the new bogeyman for some people.
The purpose of the secure boot is to establish a chain of trust from the power ON. The purpose of this is to help prevent modification of the boot files >in deployment<. However, if you own or have the access to the trusted certificate, you can make your own bootloader which does whatever you want to. System OEMs can put their certificates in the UEFI firmware and validate whatever they want.
Also, secure boot does not prevent an OS from launching anything after boot which is trusted (or not trusted but allowed by the system security policy). Once the OS is booted, it is completely up to the said OS configuration / security policy what to launch or not. If you, as a root/admin or OEM, install malware which does MITM - UEFI secure boot will not stop you (and it is not even designed to do that).
Now, if you have only trusted certificates installed - in UEFI firmware, validating OS files and in OS certificate store, validating executables run by the OS, then you have a system which has one more hurdle for a potential adversary to crack.
"The purpose of the secure boot is to establish a chain of trust from the power ON."
Yes, and it's a very short chain.
" If you, as a root/admin or OEM, install malware which does MITM - UEFI secure boot will not stop you (and it is not even designed to do that)."
This is my point. The chain of trust isn't even long enough to ensure that the OEM OS image is trustworthy.
It might have been a great idea at some time to make a genuinely trustworthy system but if so it was inadequate. For that to happen the boot process would have had to have the capacity to inspect the OS's certificates and if it found any deemed untrustworthy eliminate them or boot into a very restricted mode. Of course many of us might find this sort of behaviour unacceptably intrusive; there's always a trade-off between usability and security.
Alternatively it might have been a marketing ploy to give customers a feeling of security and maybe try to block attempts to load other OSs by establishing a degree of ownership over the hardware.
What it clearly doesn't do is ensure that the customer at least starts off with a trustworthy machine.
I'd started to go off Lenovo kit recently anyway so this just confirms I was right to be wary. I try to screw down security as much as I can on my systems but there's always a chance there's a chink in my armour. As for joe public even considering wiping the installed OS and installing a vanilla copy of Windows, that just isn't going to happen.
We bought a Lenovo desktop PC about 2 weeks ago for a new user in our offices. As soon as we installed our antivirus on the machine, it started flagging up that Internet Explorer was infected with a piece of adware called 'Positive Finds'. It seems they are still sending out infected PCs. Steer well clear.
Performing a MITM attack against encrypted communications between a customer and their bank cannot possibly be legal. I can't see a judge accepting that the customer and/or the bank have authorised Superfish to wiretap that conversation.
The directors of Superfish and Lenovo need to go to jail.
Samsung, LG, Barbie, and now Lenovo.
Pretty soon you won't be able to buy anything at all.
Has anyone, ever, in the history of these shenanigans, actually been prosecuted and imprisoned for this?
Thought not. Should have though. All that 'well I deserve my 100K salary because you know I have corporate responsibility and with great responsibility comes great reward', is sounding a bit hollow now.
What low lifes. And they'll get away with it too coz those pesky kids are too busy meddling with fucklook!
The kids don't care, the parents don't care, the corporates don't care, the government doesn't care. Nobody cares anymore, man!
They're selling wi-fi enabled hippy wigs in Woolworth's man! The greatest technological era in the history of mankind is coming to an end.
You never had it. Unless you managed to download it somewhere.
"Users report Superfish is installed on the Lenovo Y50, Z40, Z50, G50 and Yoga 2 Pro laptops"
Which is consistent with the claim that only consumer-oriented machines were preloaded with it.
OK, Reg, now for your follow-on article: Which models of Lenovo laptops were afflicted with SuperFish? One would think that Lenovo would be 100% cooperative to reveal this information. It speaks to their credibility with corporate and enterprise buyers. Other accounts about Lenovo and SuperFish imply that this slimeware was installed only on "consumer" laptops. If so, does this mean consumer MODELS of laptops or does it mean those without a Windows Professional sticker?
Inquiring minds want to know.
"Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues," Hopkins said.
Umm, temporarily? Nobody wants adware installed on a computer, period. The certificate attack is possibly illegal, but that's not actually the main issue here, it is the installing adware on there to begin with. A few vendors have done this on and off in the past (briefly, due to the customer backlash!) Now that you've been caught red-handed, you must commit to not installing this software any more or your sales will absolutely tank.
edit: Are you guys saying it's actually typical for Windows PCs to come with various adware and spyware installed now, as opposed to just some random "bundled apps"? It makes me particularly glad I don't use Windows on my systems 8-)
...are making their laptops and desktops look and behave like clown cars with all the useless junk they install on them.
Have any of them sat down with one of their consumer machines out of the box and thought -
"Oh yes, now this is a slick and pleasing computing experience!"
How much $ did Lenovo stand to make from fiddling with ads? $1m, $10m per quarter? How much per machine? $10? $100? Too much profits would actually make it too visible - "Lenovo Advertising division, 100M revenue contribution, whazza about?"
This is a company that sells $10b per quarter, with 13-14% gross profit. How much is a Sony rootkit-style debacle, except worse, gonna cost them in lost sales? For how long? Lawsuit costs? Added cost of PR and marketing to fix reputation?
You would expect financial common sense to keep people from doing stuff like this.
Whoever authorized this should barely be trusted, professionally, to flip burgers at low-end Mc Donald imitators from now on. They're just dangerous to your profits.
And their ethics suck too.
Well, at least Lenovo did one good thing by committing to remove all bloatware from their machines once they start shipping with Windows 10. Now if only the other laptop manufacturers will do so as well. As well as publishing the manual instructions for removing both the Superfish and self-signed certificate which was the root of potential abuse.
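An added audit script, not from this thread, Lenovo or Superfish, that does what the commenters above describe doing by hand: it walks the Windows root CA stores and flags any root that mentions Superfish, that is not actually self-signed, or that ships with its private key on the machine (the property that let the Superfish root mint certificates for any site). It assumes an elevated PowerShell session on Windows; the 'Superfish' subject string is taken from the thread, everything else is generic X.509 hygiene.

```powershell
# Added example (not the thread's or any vendor's code): audit Windows root CA stores.
# Assumption: run as an administrator so both the machine and user stores are readable.
$RootStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Get-SuspiciousRoots {
    param([string[]]$Paths = $RootStores)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path | ForEach-Object {
            $cert    = $_
            $reasons = @()

            # A root CA whose private key lives on an end-user machine can sign a
            # certificate for any hostname; that is the Superfish failure mode.
            if ($cert.HasPrivateKey) { $reasons += 'private key present' }

            # Subject string reported for the bundled adware root in this thread.
            if ($cert.Subject -match 'Superfish') { $reasons += 'subject matches Superfish' }

            # Roots are self-signed by definition; a mismatch means something was
            # dropped into the Root store that does not belong there.
            if ($cert.Subject -ne $cert.Issuer) { $reasons += 'not self-signed' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report only; review each hit before acting on it.
Get-SuspiciousRoots | Format-Table -AutoSize

# Once a root is confirmed bad, it can be removed by thumbprint from the store it was found in, e.g.:
#   Remove-Item -Path "Cert:\LocalMachine\Root\<THUMBPRINT-FROM-REPORT>"
```

Browsers that keep their own trust store (Firefox does) need to be checked separately, since this only covers the Windows stores.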
Biting the hand that feeds IT © 1998–2019