Lenovo shipped lappies with man-in-the-middle ad/mal/bloatware

Lenovo is in hot water after being caught intentionally shipping laptops with software that intercepts web traffic using a man-in-the-middle attack. The "Superfish" software was present on laptops sold until late last month and intercepted HTTPS traffic using a self-signed root certificate planted in the system's trust store, so that it could impersonate any site and inject advertisements into …

  1. Richard Jones 1
    FAIL

    I Wonder

    I wonder what else they have hidden in this or a similar way? I used to think that Lenovo made half way decent kit; note that I used to think that way.

    1. tony2heads
      Linux

      Re: I Wonder

      Kit is OK, just install Linux on it

      1. Dave 126 Silver badge

        Re: I Wonder

        Kit is OK, just install [any fresh OS of your choice] on it

        There, fixed it for you.

        [Sidenote: My first Linux experience was installing Mint on an ancient IBM Thinkpad with a mate, just for fun... Once we grasped the Linux conventions it was a straightforward job, except that it had odd audio hardware. We got a sense of accomplishment when we got a noise out of it!]

        1. Little Mouse

          Re: I Wonder

          Kit is OK a bit cheap and plasticy, just install [any fresh OS of your choice] on it.

          There. Fixed that fixed that for you.

          1. Dave 126 Silver badge

            Re: I Wonder

            Kit is expensive and glass-and-carbon-fibre-reinforced-plasticy (with magnesium/aluminium bits)

            1. wolfetone Silver badge

              Re: I Wonder

Having owned a Lenovo ThinkPad T500 for the last 3 years, and having used a ThinkPad Edge E531, I can tell you the quality has nose-dived. The chassis flexes when typing on the ThinkPad Edge; the older T500 is perfect really.

              And yes, install any OS of your choice - which means either Windows or Linux.

              1. Jon Massey

                Re: I Wonder

                You've gone down a couple of ranges there, alas. Unfortunately they're now releasing less-than-tanklike laptops under the ThinkPad brand (such as your Edge). The modern T and W series are still bomber

                1. ben_myers

                  T and X series are my Thinkpads of choice

                  Just like other companies, Lenovo makes some really good kit, and some not so good. Among the latter are any of the Lenovo consumer systems. Most ANY computer designed and made for consumers has some issues, usually cheap design and materials, often substandard electronics.

                  So I stand by the T- and X-series Thinkpads. Well made and durable. The W-series, unfamiliar to me but bearing a strong resemblance to the T's, is probably just fine, too.

                  When I get a Lenovo laptop, I generally reload Windows from scratch. No more bloatware. No more crapware.

                  But this is a goddam embarrassment for Lenovo. Never should have happened, whatever incentives came from the Crapfish company. Superfish needs to be blockaded and sanctioned, just like a third world dictator. They have no business messing with security certificates, and need to disappear from the internet.

              2. Archaon
                Flame

                Well done Lenovo. At a critical time following the System X acquisition, when you're trying to crack into the server and storage markets - which entails proving that big customers can trust a Chinese company with their data - you go and factory install malware on a load of end user devices.

                Well f***ing played you muppets.

                1. lorisarvendu

This is nothing new. Two decades ago I worked for a company that sent out replacement hard drives to their customers that came infected with a Parity Boot virus. I hasten to add that although this company is very large (and still exists), it is not the company I work for now.

                2. NeilMc

                  I couldn't agree more

Given the opportunity to build trust on a global basis and cement their standing as a world-class provider of IT hardware, they do this.

                  This plus numerous Chinese Govt sponsored hacks and also allegations of Govt sponsored corporate espionage targeting visiting Business Leaders and foreign government figures.

                  They need to be doing it better and cleaner than the next country....start all over again China.

              3. Peter Gathercole Silver badge

                Re: I Wonder

                There always were different ranges of Thinkpads.

                Go for the T series (or an X series if you want a compact laptop).

                When IBM owned the brand there were at least the R series which were plasticky, and the A series which were larger and heavier. Before that, they were numbered, with the 300 range being budget and made of plastic, and the 700 range being the business systems.

                Lenovo have dropped all of the old IBM ranges except the T and X, and have re-branded some of their other ranges as Thinkpads to cash in on the name.

                I have a work T420, and apart from the appalling new 'island' keys, it seems as robust as the older systems.

                The T used to stand for Titanium (actually an alloy with titanium in it) that was used in a chassis to stiffen the screen/lid, which along with clever interlocks between the lid and base led to the reputation about them being extremely robust. The hinges certainly last longer than most other laptops.

                1. (AMPC) Anonymous and mostly paranoid coward
                  FAIL

                  Also a serial Lenovo owner user

                  I have three thinkpads one pre-lenovo (IBM) and 2 Lenovo. All three still in service.

But recently, I was handed what was supposed to be a Lenovo S390 VibeX phone. After much faffing about trying to upgrade it, remove malware etc., I discovered it was in fact a counterfeit S960t Lenovo.

Extremely sucky experience. Something is rotten in the state of Shenzhen.

          2. Alistair Silver badge
            Windows

            Re: I Wonder

            Kit has an embedded laptop, not lenovo, 8 cylinders and 4 wheels. Will pick you up in the back alley later tonight.

            (fixed all that fixed fixes)

            (grumpy old SA showing his age)

      2. M. Poolman

        Re: I Wonder @ OP

        Just what I was going to say but you got there first.

        I've had thinkpads for years now and always been satisfied with them. First thing I do is zap any preinstalled OS and stick Linux (other operating systems are available).

      3. Anonymous Coward

        Re: I Wonder

        Kit is OK, just install Linux on it

        What will you do after your boss fires you?

        1. yossarianuk

          Re: I Wonder

          Get a good job where Linux is allowed.

          1. Anonymous Coward

            Re: I Wonder

            Get a good job where Linux is allowed.

            Your free homemade hobby operating system is only good for home use.

            What you utterly fail to realize with your glib reply is that Windows and MS Office have become the de-facto corporate standard worldwide. You can move from one job to another with almost no new training because the UI is identical. When your corporate partners, customers, suppliers, etc send Office documents between each other it's a given that everyone can use the same formats without awkward conversions. Outlook is the interface to Exchange which offers a host of business services including meeting scheduling, messaging, availability to org charts, and tasks management where email is only one service. Excel macros automate program management to such an extent that if you can write complex Excel macros you can command six-figure salaries.

            I could go on, but until you achieve serious corporate responsibility you won't understand any of this.

            1. asdf Silver badge

              Re: I Wonder

              >Your free homemade hobby operating system is only good for home use.

              Nice trolling but you do realize that hobby OS is running on the computer (web server) that you posted this garbage on for us all to read right?

              >I could go on, but until you achieve serious corporate responsibility you won't understand any of this.

And being an obvious desktop jockey at best, you obviously know quite little about enterprise yourself. An awful lot of business-critical workloads these days are on or moving to Linux (often from proprietary Unix, which actually makes me sad, but neither here nor there).

              > if you can write complex Excel macros you can command six-figure salaries.

              Same with being a good enough man whore I guess. Would rather command the six figure salary (which isn't that hard if you can code in any technology in demand) and not have to tell people I use VBA. That way you can be well paid and happy with your work as well.

              1. Anonymous Coward

                Re: I Wonder

                Nice trolling but you do realize that hobby OS is running on the computer (web server) that you posted this garbage on for us all to read right?

                When you wrote the garbage above, you do realize that this discussion is about laptops and not web servers, right? Nice trolling, but you do realize that this discussion is about Lenovo laptops, right? Or are you suggesting that you would load Linux on a Lenovo laptop and run a corporate website from it?

                I doubt that too many Lenovo laptops are being used as corporate web servers.

                1. asdf Silver badge

                  Re: I Wonder

                  >Or are you suggesting that you would load Linux on a Lenovo laptop

No, probably PC-BSD (would check the laptop is supported before I bought the laptop), and I would not have been affected by the mal/bloatware in the first place regardless (Linux is quickly becoming Windows (ie. shit) due to RH and systemd). As for a web server (on a blade server more than likely), if it was an internet-facing one with fairly mild load I would probably run it on OpenBSD actually.

                  If I was some corporate IT drone buying for the company I would probably purchase Lenovo windows laptops (perhaps not any more though) from some trusted vendor but would then image them like almost every shop I have been in does because as you say for the corporate desktop (Microsoft's last bastion) in 2015 there isn't much choice for any decent size outfit. May not be true forever though.

    2. thames

      Re: I Wonder

      All the volume PC manufacturers do this sort of thing, at least with their consumer oriented product lines. If it isn't Superfish, it's something else at least as nefarious. Now that more and more web sites are going or are planning to go https all the time for all pages, this sort of certificate MITM is going to be standard practice for ad-flinging or ad-tracking crap-ware. Corporate PCs have these sorts of MITM certs installed in them by the IT departments so they can monitor user traffic, so why should we be surprised that consumer PCs come with something similar?

      An essential part of the Windows financial model so far as PC manufacturers are concerned these days rests on these sorts of crap-ware deals. They get paid to pre-load this sort of crap-ware and demo-ware, and this is what pays for the Windows license. This makes Windows essentially free so far as PC manufacturers are concerned, which is why they aren't all that interested in things like Linux.

      The problem isn't going to go away so long as PC manufacturers are just commodity box shifters shipping a third party OS where the OS vendor's brand name is a prime selling factor. Buyers go to a store (or web site), look for a "Windows PC", and typically pick the cheapest one in a given size range. Things like dodgy security certs are completely beyond their knowledge.

      1. asdf Silver badge

        Re: I Wonder

        > Corporate PCs have these sorts of MITM certs installed in them by the IT departments so they can monitor user traffic, so why should we be surprised that consumer PCs come with something similar?

Umm, because unlike the corporate PC the customer PC is mine (not some corporation's, including Lenovo's). Damn, going to have to download a good antivirus CD now and check the missus' Lenovo. As for me, never kept a factory-install OS on any of my gear more than the first month, including my phone and tablets.

  2. Buzzword

    Microsoft hardware

    You wouldn't find this on an Apple computer, because a single company controls both the hardware and the software. Microsoft's reputation is being undermined by crap like this. They need to copy Apple and start shipping their own hardware.

    1. the spectacularly refined chap

      Re: Microsoft hardware

      You wouldn't find this on an Apple computer, because a single company controls both the hardware and the software. Microsoft's reputation is being undermined by crap like this. They need to copy Apple and start shipping their own hardware.

      You wouldn't. You would simply find that an Apple device is all but unusable if you deny it the chance to phone home with a far more comprehensive set of personal data. Sadly, the average punter doesn't seem to care.

      Heads should roll over this. Literally, as in detached from the bodies that they used to be part of. It isn't going to happen, it'll be a mistake or a bug or something.

      As Steve Rambam said at least ten years ago, "Privacy is dead. Get over it." You might not like it but as long as somebody else is willing to lap up this kind of shit it is an economic impossibility to avoid.

      1. 45RPM Silver badge

        Re: Microsoft hardware

        @the spectacularly refined chap

        You've never actually used an Apple product have you? You've read some guff on the Internet - but nothing more than that. Somehow though, you think you're qualified to comment.

        Rest assured, there is no need to hand Apple any of your information just to use (and update) a Mac. On the other hand, I do think that you'll be missing out if you don't take advantage of Apple's free online services (which are really rather good). And, as I've said before, I think that (of all the online service providers) Apple and Microsoft can be trusted. After all, their business models are not predicated on selling what they know about you.

I use Microsoft's online offerings too, other than Hotmail, and they partner each other well.

        1. This post has been deleted by its author

        2. Anonymous Coward

          Re: Microsoft hardware

          What does this have to do with Microsoft? It was Lenovo who installed this crap.

          When you buy a "windows" laptop you get a licence key on the bottom, usually under the battery. This is so you can download a vanilla copy of the OS from MS and install it, getting rid of the crapware that came with the laptop.

          Or, as a previous poster has said, you could get your preferred flavour of Linux (or BSD) and install that instead.

          1. marioaieie

            Re: Microsoft hardware

            The problem with some new Lenovo laptops is that they don't come with the licence key, so you are stuck with what you have. Still, you can always download a proper OS for free (as in free speech and free beer).

            1. fred_flinstone

              Re: Microsoft hardware

Having recently bought one of the junk-ridden Lenovos I can confirm you can re-install the supplied OS - but you have to create a bootable USB using the supplied software and then find exactly the right sub-menu in the install to get a clean build (reminds me of a certain planning department in the basement, no light or stairs and a big 'Beware of the Tiger' sign...)

              1. herman Silver badge

                Re: Microsoft hardware

                leopard

                You should return your geek card for that error.

          2. SImon Hobson Silver badge

            Re: Microsoft hardware

            > When you buy a "windows" laptop you get a licence key on the bottom, usually under the battery. This is so you can download a vanilla copy of the OS from MS and install it, getting rid of the crapware that came with the laptop.

            No, the purpose of that sticker is to show that you have a genuine OS installed.

            It used to be, dunno about now because I don't follow in that much detail, that the licence was only valid for the image pre-installed by the manufacturers (or re-installed from recovery disks). It specifically did not allow for re-installation with another 'version' of Windows.

            Ie, just because you have a licence for (say) XP, that does not give you the right to install XP - other than the OEM version that came with the machine. Quite HTF the average user is supposed to know that the licence for "XP" isn't for "XP" but for "a specific but unspecified version of XP" when there's no hint whatsoever on the sticker is another matter !

            But when has "user friendly" ever been part of Microsoft's licensing schemes.

            1. Blitterbug
              Facepalm

              Re: HTF the average user...

              Don't be difficult. You should know perfectly well that the main consumer version of WinV / Win7 is Home Premium. The only possibility of coming a cropper when re-installing an OS is getting confused between 32 vs 64 bit. And 32bit is really outdated and mostly applies to relatively elderly Vista PCs nowadays. Plus, your 'average user' is not about to attempt an OS re-install now, are they?

          3. Solmyr ibn Wali Barad

            Re: Microsoft hardware

            "When you buy a "windows" laptop you get a licence key on the bottom, usually under the battery. This is so you can download a vanilla copy of the OS from MS and install it, getting rid of the crapware that came with the laptop."

No you don't. Not anymore. Windows 8 Large OEM versions do not have a license sticker. Only a SLIC key buried in the motherboard.

            And good luck calling Microsoft on that. OEM license keys are not compatible with vanilla. You'll get a choice of buying a new retail copy of Windows 8, or going back to OEM, who will happily sell you a "recovery media" for a tenner or so. With all the "bonus software" included for free.

            Exception: if the computer has a W8 Pro license, then it may be possible to get a W7 Pro "downgrade" key from MS. W8 Standard has never had any right to use other versions.

            1. Anonymous Coward

              Re: Microsoft hardware

              I guess that's another good reason not to go with Windows 8. My desktop PC uses the Windows 7 licence key that came with a Lenovo X220. The X220 is happily running Linux and the licence was never activated on it. I activated it on the Windows PC and it continues to receive updates without complaint.

              I really hope that Windows 7 is the last Windows OS I ever have to use though. I only use it for games and music applications.

        3. AbelSoul

          Re: Apple and Microsoft can be trusted...

          PRISM?

          5 Eyes?

          Snowden?

          No?

          Oh, well. Carry on then.

      2. Anonymous Coward

        Re: Microsoft hardware

        You would simply find that an Apple device is all but unusable if you deny it the chance to phone home with a far more comprehensive set of personal data

        You've never really used or set up an OSX machine, have you? You need an Apple ID for updates, but it doesn't check if your details are real or not and the associated T&Cs are actually decent.

        Personally, this sort of malware is the exact reason I think pre-installed crapware should be banned. As far as I can tell, it may be possible to consider this a malicious and illegal attempt to intercept, and I would pursue it as that. Could make for quite a nice court case..

        1. the spectacularly refined chap

          Re: Microsoft hardware

          You've never really used or set up an OSX machine, have you? You need an Apple ID for updates, but it doesn't check if your details are real or not and the associated T&Cs are actually decent.

          I was thinking more of the iOS devices there but the point still stands. By your own admission you either have to give over your personal data or commit fraud. Some choice.

          1. Anonymous Coward

            Re: Microsoft hardware

            By your own admission you either have to give over your personal data or commit fraud.

Since when is not giving true details fraud if there's no financial transaction involved? There is no statement/requirement during the signup process that the details you provide must be real, unlike for the organisations you *really* cannot trust with your data such as Google, Facebook and all the other theft-as-a-service providers.

If I am forced to provide details I will lie by default - I can always correct it (or restart) when I find the provider/website/vendor to be trustworthy, and I have a couple of email addresses that auto-delete mail when it's 4 days old. It's a practice that has served me well, especially with so-called "free" Wifi services in London.

            1. the spectacularly refined chap

              Re: Microsoft hardware

              Since when is not given true details fraud if there's no financial transaction involved?

              The laws on fraud are defined in terms of material gain obtained by deception. Financial transactions are the common form that fraud takes but it can be and is applied much more broadly than that. By giving false info you are receiving a material benefit (the update) which cost the provider real money to supply (power, bandwidth, hardware, etc) on the basis of a false representation. That is not a matter of interpretation - it is clear and outright fraud according to the law.

      3. Scott Wheeler

        Re: Microsoft hardware

        > You would simply find that an Apple device is all but unusable if you deny it the chance to phone home with a far more comprehensive set of personal data.

        No it isn't - that's exactly what I do, using Little Snitch. In any case, Macs don't do MITM attacks on HTTPS sessions. They are far from perfect, but on both Windows and Mac it's still usually possible to prevent sw phoning home.

        However I do agree with you that a Mac will attempt to phone home much more than I am happy with.

        1. Danny 14 Silver badge

          Re: Microsoft hardware

Licence key is embedded in the BIOS. Shouldn't need to type one in.

        2. fnusnu

          Re: Microsoft hardware

          They did: http://www.zdnet.com/article/major-apple-security-flaw-patch-issued-users-open-to-mitm-attacks/

    2. LDS Silver badge

      Re: Microsoft hardware

      Microsoft created the "Signature PC" program (http://www.microsoftstore.com/store/msusa/html/pbpage.MicrosoftSignature) to sell PCs without "crapware" installed. Just, AFAIK, it's only available in the US.

It's also funny that while most accuse MS of "monopoly", someone would also like an even stronger one. A single vendor would only mean fewer choices and higher prices - exactly as happens with Apple. Also, Windows doesn't cover only a handful of client-side devices - there's also much more in the server room running on Windows - it would be a far bigger hardware market to cover, and I can't see MS buying Dell or HP anytime soon...

      1. Anonymous Coward

        Re: Microsoft hardware

        A single vendor would only mean less choices and higher prices - exactly as it happens with Apple

        Try a TCO calculation that includes the license costs to make a machine actually useful for business, and Apple kit emerges as the cheapest solution out there, and the kit tends to last for years. And that's before you add productivity gains through much better usability.

        A single vendor also means no pass-the-parcel games when it comes to getting something fixed, especially when it's about software. I cannot count how often I heard MS techs try the ever-present line that the problem was down to hardware drivers and thus not their problem.

        1. lucki bstard

          Re: Microsoft hardware

          'And that's before you add productivity gains through much better usability.'

          Remember

          - Applications

          - Applications

          - Applications

If the business application only runs on Windows then you either run Windows or a Windows VM on a Mac.

          1. Alistair Silver badge
            Coat

            Re: Microsoft hardware

            Ummmmmm

I run Windows in a VM for three things - Visio, vCenter and fully operational Outlook. Evolution is *not quite* there yet for me.

vCenter I will drop when I get CloudForms running. Outlook I can run in Wine - we just have domain auth issues for the moment since we've not finalized how we're joining Linux to the AD. Once I've got machine-level auth with AD I'll move Outlook to Wine. Then I'll start working on Visio.

            No Mac in sight.

    3. big_D Silver badge

      Re: Microsoft hardware @Buzzword

      You mean like the Surface Pro?

      Or what about the "Signature" editions of other manufacturer's hardware that they like to promote that don't have any crapware installed, just vanilla Windows?

    4. jason 7

      Re: Microsoft hardware

      @Buzzword

      Not sure why you are getting all the downvotes. Bloatware/Adware on new laptops from the likes of Lenovo/Acer/Toshiba etc. is a major screwup in the Windows experience.

      I get customers to bring their laptops straight to me unopened so I can delete the 30+ items of crap (not to mention the crappy McAfee AV trial that will lapse and leave the machine unprotected). The machines work really well after all that cruft is removed.

This bloatware trend creates a messy and pop-up-riddled experience that makes Windows look a mess. Doesn't reflect too great on Acer/Lenovo etc. I can tell you guys, your customers don't like it.

It is time that MS started pushing out more desktops and laptops with just Windows and a few essentials installed. The current US-based Signature thing isn't enough.

      1. Bob Dole (tm)

        Re: Microsoft hardware

        >>I get customers to bring their laptops straight to me unopened so I can delete the 30+ items of crap (not to mention the crappy McAfee AV trial that will lapse and leave the machine unprotected). The machines work really well after all that cruft is removed.

When I buy a laptop, I make sure that it has the cheapest hard drive option. I then buy a brand new SSD. The very first thing I do after unboxing the laptop is to take the hard drive out and replace it. Then I load a fresh OS on it. Been doing that for 15+ years and have always been happy. When I get rid of the laptop, I just pop the old drive back in and sell it off.

There are two reasons here. The first is that it usually takes less time to reload an OS than it does to try and remove all the crapware. The second is that when selling the laptop later I don't have to worry that any of my data is recovered after the deletion.

  3. Flocke Kroes Silver badge

    may?

    "... presents identical and similar product offers that may have lower prices"

    In this context is 'may' equivalent to 'almost never'?

  4. bpfh

    Kill the root certificate

I did uninstall a ton of bloatware from my Lenovo laptop I bought at Christmas, but I still had a Superfish global root certificate in my Windows certificate store.

A shady name: if you are casually looking at your Windows services, it will come up next to Superfetch, a legit MS service.

    Anyway, Start > type certmgr.msc > Root certificate authorities > Certificates > Delete the unlimited Superfish cert and that should help, even if you have uninstalled and cleaned up your system.

    1. AMBxx Silver badge
      Meh

      Re: Kill the root certificate

      I have nearly 400 root certificates in there! Not sure if that's good or bad.

      Anyone know if there's a tool somewhere to scan them for anything malicious?

      1. Bronek Kozicki Silver badge

        Re: Kill the root certificate

        Technically, there is nothing "malicious" about any root certificate no matter what's inside. Root certificate silently enables trust relationship between location where certificate is installed and a party with private key to the certificate in question. It is how this trust relationship can be (ab)used which can be malicious, and not only because the certificate is issued by a corrupted party but also possibly because it's been compromised. So yeah, the more root certificates you have the more exposed you are :(

        1. bpfh
          Mushroom

          Re: Kill the root certificate

I totally agree with you, and this is a case of closing the barn door after the horse has bolted, but at least I will not get any silent "secure" sessions being decrypted by a man in the middle on my brand new, factory-spec laptop.

It is a very sneaky way of compromising the system, and goes against everything any and all IT engineers stand for regarding individual freedom, and coming from an ex-IBM'er, having to criticise the Elephant is not an easy thing, but what they did is just an unimaginable breach of privacy and trust. I'm so happy that the first thing I did was to kill all the preinstalled crud, including this. I thought that it was some photo app (misread "snapfish" originally), but adding "value added" apps is one thing; adding apps that are designed to invade and breach the trust that you have with SSL, and playing on the "if you see the padlock, it's secure" mantra that we have been drumming into users' heads for.... at least the 20 years I have worked in IT, this is a blatant and unacceptable breach of trust from what used to be a reputable quality PC builder.

          Lenovo management need to be forced to listen to Justin Bieber for 10 days, then hung, drawn, quartered and the body parts hung from their head office as a warning to others...

          1. Danny 14 Silver badge

            Re: Kill the root certificate

            surely just deleting the root cert will drive you mad with all the cert errors? It is the proxy that is the issue rather than the cert.

          2. FuzzyTheBear

            Re: Kill the root certificate

            YIKES listening to that idiot Bieber is qualified as cruel and unusual punishment .. but in this case i totally agree . They should be quartered for putting crap on machines leaving the factory . In fact i kind of agree that laptops should be virgins when they leave the factory and have nothing on it but the os without any bloatware/crapware on them .. Bring back the guillotine :)
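An added example, not code from the article or from any commenter in this thread: it does in PowerShell what bpfh describes doing by hand in certmgr.msc, and gives AMBxx a starting point for auditing a root store with hundreds of entries. The only identifier taken from the thread is the subject string "Superfish"; the function names, the comparison against the AuthRoot store (where Windows keeps the Microsoft-distributed roots, so a root present in Root but absent from AuthRoot was added locally by an image, an installer or an admin) and the weak-key threshold are my own choices. It assumes Windows PowerShell 5.1 run from an elevated prompt.

```powershell
# Added example (not the article's or any commenter's code).
# Audit the Windows root stores for roots that were added locally, and remove
# one by thumbprint once you have decided it does not belong there.
# Assumes Windows PowerShell 5.1, run elevated to touch the LocalMachine store.

function Get-SuspiciousRootCertificate {
    [CmdletBinding()]
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string]$SubjectPattern = 'Superfish'   # name taken from the thread
    )
    # Roots that Windows distributes and updates itself live in AuthRoot.
    # Anything in Root that is not also in AuthRoot was put there locally.
    # A few of Microsoft's own roots are only in Root, so treat this as a
    # lead to investigate, not a verdict.
    $authRoot = @{}
    Get-ChildItem Cert:\LocalMachine\AuthRoot | ForEach-Object { $authRoot[$_.Thumbprint] = $true }

    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem $path) {
            $reasons = @()
            if ($cert.Subject -match $SubjectPattern) { $reasons += "subject matches '$SubjectPattern'" }
            if (-not $authRoot.ContainsKey($cert.Thumbprint)) { $reasons += 'not in AuthRoot (locally added)' }
            # A root whose private key sits on the very machine that trusts it
            # can mint a valid-looking certificate for any site on demand.
            if ($cert.HasPrivateKey) { $reasons += 'private key present on this machine' }
            # Key size is only readable this way for RSA on .NET Framework;
            # ECC roots throw, so fall back to "unknown".
            try { $keySize = $cert.PublicKey.Key.KeySize } catch { $keySize = $null }
            if ($keySize -and $keySize -lt 2048) { $reasons += "weak key ($keySize bits)" }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

function Remove-RootCertificateByThumbprint {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    $item = Get-ChildItem $StorePath | Where-Object Thumbprint -eq $Thumbprint
    if (-not $item) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }
    # Show exactly what is about to be removed, then prompt before deleting.
    $item | Format-List Subject, Issuer, Thumbprint, NotAfter
    Remove-Item -Path "$StorePath\$Thumbprint" -Confirm
}

# Review the report first; remove only a root you can account for.
Get-SuspiciousRootCertificate | Format-Table -AutoSize
# Remove-RootCertificateByThumbprint -Thumbprint '<thumbprint from the report>'
```

This only handles the trust-store side. As Danny 14 points out above, if the intercepting proxy is still installed, deleting the root just turns silent interception into a stream of certificate errors in the browser, which is at least visible; the proxy component itself still has to be uninstalled for HTTPS to reach the real site again.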

  5. Anonymous Coward

    Criminal

    Isn't it?

    Software designed to intercept communications installed in their laptops and nobody is up in court yet? This is getting so common, it's hard to summon up the anger that I used to have at this sort of thing.

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: Criminal

      Yes, the article mentioned a "blatant man-in-the-middle attack malware breaking privacy laws." This strikes me more as smelling of racketeering and fraud, though.

    2. ACZ

      Re: Criminal

      I'm not exactly clear from the website article of the exact architecture of the Superfish MITM software setup, but if it's acting as a proxy and is intercepting all traffic without informed user consent then there has to be a privacy aspect here - they may be processing private information and so the Data Protection Act could come into play.

      If Superfish were masquerading as other businesses via certificates issued under their root certificate then I wonder if the other businesses would have a cause of action in terms of passing off. Certainly if I was Bank of America or any other business offering services via https or suchlike then I'd be pi**ed off about the potential damage to my reputation and business if customers knew that I would do nothing about other people pretending to be me and intercepting private sessions with my customers. Any EULA the consumer nominally agreed to would be irrelevant in terms of whether or not an act of passing off had occurred.

      I would also wonder about copyright infringement - by modifying webpages users were requesting to display ads for other "similar" products, and doing that without the consent of the copyright owner, then that might be an unauthorised adaptation of the copyright work (the webpage).

      As other commentards have said, roll on DNSSEC.

      1. h4rm0ny

        Re: Criminal

"If Superfish were masquerading as other businesses via certificates issued under their root certificate"

        They were, that's how this works. Pretty much everything you wrote is correct and would form a viable basis for legal action if someone / some group chose to pursue this.

I would like to know how high up the management chain actual understanding of how this worked went. At the top is there someone signing off on a deal that "shows some ads" or is there someone who knows that this is actually breaking a fundamental security component of the web and impersonating websites. It's not a silly question - someone in the chain must have known the implications of this so I wonder how high it got before someone decided to accept responsibility for the decision and chose to do this without flagging the implications higher. That person knowingly endangered their customers' security and I would imagine anyone making that decision wanting to be able to pass the responsibility upwards and say: "I raised it with my boss in this email and they said okay". So it could have risen pretty high indeed.

        Which also raises the question of whether there was another motive for this. What this has meant is that the security of very many people has been compromised. It could be greed and incompetence but it also can be a way of spying on people. And if you get caught - it's adware, we didn't know better! There's no way with this installed you can know if you've been compromised or not.

        I'm leaning to that not being the case simply because this isn't present on the highest end laptops which would obviously be the best targets. But still, it makes you wonder.

        1. Ledswinger Silver badge

          Re: Criminal

          "highest end laptops which would obviously be the best targets"

          Why? If it's advertising related then volume counts over quality every time. And even ID theft is a game of volume over quality.

          For the small number of premium brands who might value rich customers, they'd typically want to keep their brand clean, and association with crappy ad-scammers would be high risk, as well as likely to generate a lot of unproductive leads - Jaguar buyers (for example) will probably buy high end laptops, but that relationship doesn't work the other way round.

          1. h4rm0ny

            Re: Criminal

            >>"Why? If it's advertising related then volume counts over quality every time. And even ID theft is a game of volume over quality."

Because in the scenario I was evaluating, the purpose of this was spying on people and using advertising as a cover (which this flaw enables), the actors behind that would have to be state level players (e.g. Chinese government, NSA, etc.). They wouldn't be interested in indiscriminate harvesting, but in targeting high level players.

            One could make a case that mid-level people might have more valuable access as that is where most of the IT people with dangerous access live, but I don't think that would be the case.

Anyway, I think the probability is that this is an unwitting breakdown of security in Lenovo's greed, wanting a pittance of advertising revenue with each laptop sale (note to El. Reg: not "lappy"). But still, it makes you wonder.

          2. hoverboy

            Re: Criminal

            Sadly, in the Windows World, Lenovo used to be the 'premium brand' - I guess if I want a Windows machine in future it's going to be a Surface...

        2. Someone Else Silver badge
          Flame

          @ h4rm0ny -- Re: Criminal

          I would like to know how high up the management chain actual understanding of how this worked went. At the top is there someone signing off on a deal that "shows some ads" or is there someone who knows that this is actually breaking a fundamental security component of the web and impersonating websites.

          Doesn't matter. At the end of the day (doncha just luves you some management-speak?), the guys at the top are responsible. CEO, CTO, CMO (Chief Marketing officer, regardless of its "real" title) are the captains of the ship, and are expected to go down with it. Now, the concept of a white-collar fatass corporatist actually going to Jail is anathema in the post-Bush era, but we can always fantasize, now can't we?

    3. Anonymous Coward

      Re: Criminal

      @justakos

      I think there will be a big EU fine landing on the Lenovo CEO's (soon to be deceased) desk.

      1. Yet Another Anonymous coward Silver badge

        Re: Criminal

Like the one to British Telecom for doing the same thing with Phorm?

At least with this you can reinstall the OS or remove the software - trickier when it's your ISP MITM-ing you.

  6. Edwin

    Facebook complaining about Lenovo on privacy topics?

    Granted, he may only be an employee, but there's something very pot & kettle about this...

    1. LDS Silver badge

      Re: Facebook complaining about Lenovo on privacy topics?

      Sure, they don't want competition. What if someone can get at your "products" data before they even send it to your website? C'mon, that's not fair, until you get a Superface service also on your PC...

  7. poopypants

    Very effective program

    If there was any possibility before that I might buy something made by Lenovo, that possibility no longer exists.

    1. Mystic Megabyte Silver badge
      FAIL

      Re: Very effective program

      Upvoted. Yesterday I was reading this review of a Lenovo with an interest in buying. Not any more.

      http://arstechnica.com/gadgets/2015/02/thinkpad-x1-carbon-review-a-fine-heir-to-the-thinkpad-name/

      1. Bronek Kozicki Silver badge

        Re: Very effective program

        I was reading the very same review yesterday and even checked lenovo prices of the kit ... it was tempting, very.

It would be good to see a criminal investigation into the hacking of customers' computers but I have doubts that this will happen :(

      2. shaolin cookie

        Re: Very effective program

        Hear hear. I actually even received the new X1 Carbon but just returned it due to a build quality issue without ever having turned it on. Was going to get another in its place but after reading this I'm strongly inclined not to. Despite the fact I never use Windows so it wouldn't touch me anyway.

      3. Roland6 Silver badge

        Re: Very effective program

        >Yesterday I was reading this review of a Lenovo with an interest in buying. Not any more.

But just think, tomorrow it will be on sale - because of a dip in sales due to this security breach, and thanks to El Reg you have been informed of how to deal with this problem, so that X1 could be an even better buy...

      4. Solmyr ibn Wali Barad

        Re: Very effective program

        That's a shame. Because X1 is not affected by this brouhaha.

If anyone's using a brand name, or any other marketing label, as the only guidance for making decisions, they'll be mightily disappointed sooner or later. Brands are far too messy these days. Lots of crap is peddled under reputable brands, which in turn tarnishes good products. There seems to be an infinite supply of greedy fools, who'll try to make a quick buck by misappropriating a solid brand, despite all the historical failures.

  8. Grikath Silver badge

    superphish?

    'nuff said methinks..

  9. John Robson Silver badge

    This is why cert authorities are broken.

    200+ certs on my machine.

    Let's get DNSSEC based certificate delivery -trust the root, have browser manufacturers offer a DLV service for *when* the root (or a country TLD) is suspected compromised.

    1. Jamie Jones Silver badge

      Re: This is why cert authorities are broken.

      Politics.

      Too many certificate authorities would lose money, not to mention that NSA/GCHQ probably have some hook into some of them.

      I'm sure it will happen, but expect resistance!

  10. tempemeaty
    Facepalm

    None

    Lenovo was the last PC maker I thought I "might" trust the products of. Now there are none.

    1. Dave 126 Silver badge

      Re: None

      Wait and see... VAIO are no longer part of Sony, and they have some interesting laptops waiting in the wings.

  11. Lionel Baden
    Unhappy

    I'll give you three guesses

    What i was doing last night !!

    1. Anonymous Coward

      Re: I'll give you three guesses

      Masturbating?

      1. Dave 126 Silver badge

        Re: I'll give you three guesses

        Watching Wolf Hall?

        1. h4rm0ny

          Re: I'll give you three guesses

          Composing a ballad on the subject of FinFET architecture?

          1. Yet Another Anonymous coward Silver badge

            Re: I'll give you three guesses

            d) All of the above

  12. naive

    Lenovo software now matches their build quality

Still wearing the aura of IBM quality in design and colours, Lenovo products are an atrocity. Take a screwdriver, and watch how cheaply they are built with spit and tape.

    Now they install spyware and adbots, given the latest scandal with Samsung spy television sets, it is time the government intervenes and starts heavily fining this type of fraud like others get speeding tickets.

    1. Anonymous Coward

      Re: Lenovo software now matches their build quality

      Sadly the opposition is no better.

      Apple laptops are increasingly glued together and have components soldered to the board.

      I had an experience with a Toshiba laptop yesterday, a L50-B… the machine rattled out of the box. I had bought it with an 8GB DDR3L stick to install myself, no hatch to access the RAM on the bottom, you need to remove the ENTIRE bottom panel which requires 11 screws then releasing a number of hidden plastic catches. On doing this, I discovered a loose extra screw running around inside the case near the screen hinge.

      We've got a couple of Dells at work in which to access the hard drive, the machine needs to be COMPLETELY disassembled from the keyboard down.

      We've got one ASUS gaming laptop at work used for 3D visualisation demos, never needed to open that one up so can't comment much on it at this point.

      I'm not sure about Acer or Sony. Panasonic are good, but dear as poison. (I don't regret my CF53 MkII, but at AU$2500, it wasn't cheap!)

      That doesn't leave many players left.

      1. naive

        Re: Lenovo software now matches their build quality

        Open any MSI G-Series laptop, and smile watching the build quality smiling back at you. MSI seems to be the last man standing outside the world of Chinese crap we are slowly sinking in, showing Taiwan honors its title as "renegade province" of the Peoples Republic of Crap in a very positive manner.

        1. Kiwi
          Linux

          Re: Lenovo software now matches their build quality

          Open any MSI G-Series laptop, and smile watching the build quality smiling back at you.

Actually, I was laughing when I opened an MSI gaming laptop. I can't remember the series but while the ease of working with it was great, the quality of the plastic wasn't. The hinge design was one that needed repair after a few months, and anyone who knows anything about leverage (the mechanical moving stuff kind, not financial/blackmail etc) would instantly see that it would break very quickly - huge amounts of stress on very small areas of plastic. I reinforced it with fibreglass as one side was gone and the other was on its way.

          For the price my customer paid, I would've expected a hell of a lot better product. MSI may have some much sturdier machines, and as far as other repair work/disassembly goes, and as far as the laptop itself goes - it was a great machine. But the build quality of the case was quite shite. I still would probably buy one if I had the $$$ to splash.

    2. Fihart

      Re: Lenovo software now matches their build quality

      Our experience with Lenovo desktops -- bulging motherboard capacitors after 3 or 4 years. Friend's Laptop, keyboard issue. Not the Thinkpads of the IBM days.

  13. Bronek Kozicki Silver badge

    a different look

    I wonder, perhaps Bank Of America will be willing to sue pants off "Superfish Inc" for violation of its trademark.

    1. Anonymous Coward

      Re: a different look

      …and Lenovo for distributing this rubbish.

    2. Doctor Syntax Silver badge

      Re: a different look

      Maybe el Reg should have asked them for a comment as well. They only seem to have asked Lenovo & Superfish.

  14. eternal cynic

    simples...

    The first thing I do when I get a new computer/laptop is reformat it and install a vanilla copy of the OS. Everyone seems to stuff their equipment with 'useful software' aka bloatware these days. Do a clean install and its all sorted.

    BTW Lenovo actually makes some decent kit - my last two laptops have been Lenovo and I've been very happy with them. No reason not to buy them, just wipe the disk.

    1. Kiwi
      Linux

      Re: simples...

      The first thing I do when I get a new computer/laptop is reformat it and install a vanilla copy of the OS.

      As do I ;)

      BTW Lenovo actually makes some decent kit - my last two laptops have been Lenovo and I've been very happy with them. No reason not to buy them, just wipe the disk.

It probably won't be long (if not already the case) before removing such items voids the warranty. Even if the pre-installed trial barely-AV crapware (or decent AV, as a few companies do) finds and removes the rubbish.

  15. GreggS

    And they wonder

    Why the US military and other government departments were worried about them buying the IBM laptop business? Wonder if Huawei do the same then they really would have a field day.

  16. Michael H.F. Wilkinson Silver badge

    I recently found a company nearby

    that will build a laptop to my specs for a very reasonable price AND you buy the OS separately. No bloatware, nothing you did not ask for.

    Sounds sweeter every day.

    I'll check the (older) Lenovo machine, in which I already deinstalled a load of stuff after buying it, for superfish

    1. Kiwi
      Thumb Up

      Re: I recently found a company nearby

      I recently found a company nearby that will build a laptop to my specs for a very reasonable price AND you buy the OS separately. No bloatware, nothing you did not ask for.

      Mind telling? I get lots of requests for laptops "without the windows tax".

      Thanks

      1. x 7 Silver badge

        Re: I recently found a company nearby

        I don't know who he's thinking of, but these guys are worth a look if you want a custom built laptop

        http://www.dvc.uk.com/acatalog/Laptop_PCs.html

        they specialise in high spec machines (mainly for real-time video editing), and assemble them from kits mainly provided by Clevo - arguably the most bullet-proof of all the Chinese ODM suppliers

  17. Little Mouse

    TEMPORARILY???!!!!?????

    "we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues, Hopkins said"

    So, long term, Lenovo's intention is to continue bundling software from this highly trustable source.....

    Holy Crap.

    1. SpaMster

      Re: TEMPORARILY???!!!!?????

      They are now bundling a piece of adware called 'Positive Finds' with their new PC's, it was pre installed on a desktop PC we bought off them two weeks ago.

    2. regadpellagru

      Re: TEMPORARILY???!!!!?????

      "So, long term, Lenovo's intention is to continue bundling software from this highly trustable source.....

      Holy Crap."

Upvoted. Well, since this one was not concealed enough (they thought no-one would notice an unusual ROOT CA in the browser), it's expected they'd come up with something better, no?

      1. Anonymous Coward

        Re: TEMPORARILY???!!!!?????

        we have temporarily removed Superfish

        Superfish apparently is a company from a somewhat reputable middle eastern country. These are mildly notorious for "I will be back"-s after temporary bad press due to SHTF. Companies that sound like Fundocs or Converse come to mind.

        Better be anonymous.

  18. Darkstar

    First Direct

    I had this on my new Lenovo laptop, any attempts to log in to First Direct were being blocked by Avast because the certificate from FD had an error, except that the certificate wasn't from FD it was from Superfish. I uninstalled Superfish once I realised what was going on.

    1. Bronek Kozicki Silver badge

      Re: First Direct

      Do not forget to also uninstall their root certificate.
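Added example, not from the article or any commenter: a PowerShell audit that covers both halves of this thread, the root certificate Bronek mentions and the proxy software Danny 14 points out is the real problem. The only assumed value is the `*Superfish*` match pattern; everything else is standard Windows certificate-store and uninstall-registry plumbing. Run it in an elevated session, report first, and add `-Remove` only after the application itself is gone.

```powershell
# Added example (not from the article or any commenter): audit the Windows
# certificate stores for an unexpected root CA and the program that installed it.
# Run in an elevated PowerShell session. The only name assumed below is the
# "*Superfish*" match pattern; change it to check for any other vendor.

param(
    [string]$Pattern = '*Superfish*',
    [switch]$Remove            # report only unless -Remove is given
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'

# 1. Trusted root / intermediate certificates whose subject or issuer matches.
$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter, HasPrivateKey
}

if (-not $suspects) {
    Write-Host "No certificate matching $Pattern in the trust stores."
} else {
    $suspects | Format-Table -AutoSize
    # A trusted root whose private key lives on the machine is a red flag in its
    # own right: any process on the box can mint certificates chaining to it.
    $suspects | Where-Object HasPrivateKey |
        ForEach-Object { Write-Warning "Private key present for $($_.Thumbprint)" }
}

# 2. The interception software itself. The proxy is what rewrites traffic;
#    deleting only the certificate turns silent injection into certificate errors.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $Pattern } |
    Select-Object DisplayName, DisplayVersion, UninstallString
if ($programs) { $programs | Format-Table -AutoSize }

# 3. Optional certificate removal. Uninstall the application first (via its
#    UninstallString or Programs and Features); otherwise it may re-add the cert.
if ($Remove -and $suspects) {
    foreach ($cert in $suspects) {
        $path = Join-Path $cert.Store $cert.Thumbprint
        Remove-Item -Path $path -DeleteKey   # -DeleteKey also discards the private key
        Write-Host "Removed $path"
    }
}
```

Two things the script cannot see: Firefox keeps its own certificate store rather than using the Windows one, so check it separately, and any second user profile on the machine has its own `Cert:\CurrentUser` stores, so run the audit as each user or inspect those hives directly.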

  19. Efros

    Stock install?

    I'm just surprised that anyone actually uses a laptop with the OS install the manufacturer put on it. I only buy a new laptop every 5 or 6 years but my policy is to wipe it clean and do a clean install. Saves no end of hassles with crapware and bloatware.

    1. Alister Silver badge

      Re: Stock install?

      The problem with some laptops, (Dell, Toshiba, Asus and others) is that you can do a clean install, but then the damn thing runs like a dog, uses battery like there's a hole in the bottom for the electrons to run out, sound doesn't work properly, buttons don't work properly etc, etc.

      You end up having to re-install half of the manufacturer's bloatware to get the damn thing to work properly again.

      1. McToo

        Re: Stock install?

        Not my experience of Asus. My ROG G750 has been running opensuse beautifully for the past year. Better than it ran Win 8 for the week it got to run it before becoming opensuse. In fairness, it did have all of the Asus Win bloatware to cope with too.

        1. mythicalduck

          Re: Stock install?

          I've just put Mint on my EEEPC 1025CE; and the battery certainly doesn't last as long as it did on Win7. I don't know enough about Linux to see if there are any changes I can make that might help.

I was actually looking at the Lenovo ThinkPad X240 as an upgrade (I don't really want a 13+" screen, but an i5 processor would be nice), but that's off the cards now. I did see a few of the new Asus kits that I was interested in, but can't seem to find anywhere (at all) to buy them from.

          1. Uncle Slacky Silver badge
            Linux

            Re: Stock install?

            Try TLP for better battery management in Linux: http://linrunner.de/en/tlp/tlp.html

    2. AbelSoul

      Re: Stock install?

      I'm just surprised that anyone actually uses a laptop with the OS install the manufacturer put on it.

      You are?

      The idea the Joe Average will wander out of CurryPhone DixHouse with his shiny, new toy then go straight home, plug it in and start using it without first reinstalling the operating system surprises you?

      Your surprise surprises me.

    3. Yet Another Anonymous coward Silver badge

      Re: Stock install?

      And where do you get the clean install from ?

      You certainly can't trust the OS install disk that came with the machine.

And if you do an install with a retail copy of Windows you will still have to go to the laptop maker's site for all the driver downloads. All those run as administrator system installs ......

  20. Anonymous Coward

    Getting real tired of Lenovo, Samsung, LG...

    ...crossing the creepy line quicker than Facebook and Google and Microsoft....

  21. TonyJ Silver badge

    What else?

    If they are sneaky enough to forge root certs at a software level, then what are they adding at a hardware level?

    1. bpfh
      FAIL

      Re: What else?

      I agree. And it's scaring the crap out of me.

  22. Jason 41

    Revenue vs Cost?

    Ignoring the build quality, preferred OS etc arguments above

Surely the only reason Lenovo installed it was for some kind of payment from Superfish?

    Does anyone have an idea how much this might add up to?

    Then I wonder if this gets out of the 10 o'clock nightly news how much this is going to cost Lenovo in lost sales? Joe Average may well not understand the ins and outs, but the gist of "Lenovo laptops steal your banking details" may well stick in his mind and get passed around like a Chinese whisper

    1. thames

      Re: Revenue vs Cost?

      I don't know about Superfish specifically, but general analyses of these sorts of deals say that the total bundle of pre-installed crap-ware pays for the cost of the Windows licence. That is, after taking into account the crap-ware, Windows is essentially free to the manufacturer. That's why they don't care about the cost of Windows licenses.

      The crap-ware vendors of course make their money by either doing this sort of dodgy ad flinging, or by persuading you to upgrade a demo version of software to the paid-for version.

      These deals are the reason why crap-ware comes pre-loaded, but really good and useful open-source software usually doesn't. It's all about the money, and it's the bottom feeders who will pay for product placement.

Everybody who has a say in the process makes money out of this. The PC manufacturers get paid to load it. Microsoft is happy because their OEM customers now don't care so much about license costs and so have little incentive to look at things like Linux. And of course the crap-ware vendors get to use your PC as an ad-vendor's playground.

      Of course the poor sod who bought the PC gets shafted. However, when you buy a typical Windows PC these days, you're not the customer, you're the product.

  23. Lee D Silver badge

    Just one* of the reasons that I image over or reinstall a PC on purchase, business or personal.

    But, seriously, how much can Lenovo have earned back from that to justify screwing their customers over? If someone is paying hundreds for your laptops, and then you're screwing over their privacy and security for a handful of pence (after commission), it really shows where your priorities lie.

    Don't "get an update" or "review the situation", stop doing business with them and stop bundling that junk at all.

    (*) Other reasons include: I don't know who touched it before it got to me, I don't know what other junk is bundled to pop up when I plug a camera or printer in, I want to prove to myself that it CAN be reinstalled from scratch with all the drivers using only the discs given before data goes on it and before it goes out of warranty, etc. and the amount of junk I see bundled on "new" PC's that slow them to a crawl is unbelievable. Just cleaned a PC from the Vista era as a favour and it was STILL popping up things from Fujitsu etc. about restore processes, driver disks, special offers, spyware junk, printer drivers, you name it that HAD COME WITH THE MACHINE ON PURCHASE.

    Also, I once found out that brand-new purchased laptops would not work with full disk encryption because of a dodgy BIOS by testing this. Encryption would work, everything would be hunky-dory, but reboot and the BIOS refuses to boot from anything that did not have a zero in a certain hex offset of the hard disk (which corresponded to a zeroed field in an NTFS header). As such, anything non-Windows you ever tried, or any sort of disk encryption, and it rendered the machine unbootable. Actually forced the manufacturer to obtain and issue an updated BIOS for that model, because we'd purchased many of the same model, I'd noticed immediately, had a reproducible test case (involving writing a non-zero to a point on the hard disk), they'd said it was compatible, I work somewhere with a legal requirement to encrypt mobile devices, and they were about to lose the sale because of it.

    It's quite possible I'd only have found out about that months or years down the road if I wasn't needing to use and encrypt those computers immediately.

  24. Doctor Syntax Silver badge

    Secure boot?

    Does this model boot with the UEFI/Secure boot stuff? If so it makes a mockery of secure boot.

    1. thames

      Re: Secure boot?

      It's installed as application software by the OEM, so UEFI doesn't even see it. UEFI only comes into play during the OS boot process, and addresses only one, very rare and limited attack vector. UEFI just looks to see that the boot loader was signed by Microsoft during the initial boot, and anything that happens after that is up to the OS.

      1. Doctor Syntax Silver badge

        Re: Secure boot?

        The whole point is that secure boot is supposed to establish a chain of trust. A chain of trust requires each link in the chain (and you know what they say about chains and weakest links) to be trustworthy. So if Microsoft is signing a bootloader as trustworthy then they should have assured themselves that the system it's loading is trustworthy otherwise that chain of trust means nothing.

        If that system is Lenovo's spin of Windows then it's up to them to assure themselves that Lenovo can be trusted to produce a trustworthy system image. That requires Lenovo in turn to assure themselves that anything they include is also trustworthy. It requires due diligence all down the chain.

        1. Lee D Silver badge

          Re: Secure boot?

          Secure Boot makes sure that you boot securely into the OS you intended.

          It has no effect, design or control over what the OS chooses to do. In the same way that you can login as an admin and delete critical registry entries, you can login as the system OEM installation user and install bloatware and junk.

          There is no, and never has been, way to stop that in Windows. Windows does not verify that you, the physical user, want to install that Lenovo junk in the same way that it doesn't verify that you, the physical user, want to choose Chrome as your default browser or change the desktop background.

          It's ridiculous to suggest so.

To install ANYTHING on Windows or Linux which runs in the way of necessary drivers, you need to be able to slipstream things into the initial install which can be run as an administrator. It's game over. What broke these systems was not Windows, or Secure Boot, failures, but having Lenovo install - as an administrator user - malware before it got to you. Whether that was in an automated (slipstream install) or manual (log in as the initial admin user) fashion, there's NOTHING that can stop that but Lenovo not doing it.

          The alternative is that MS has to certify and pre-install not only every driver that could possibly work on their system, but every application as well. That's not what you want, I assure you. Want to install that freeware that you downloaded off the net to fix a problem? Sorry, not signed by Microsoft and therefore not in the MS trust chain. You want to put it into the trust chain manually yourself? Lenovo could have done that exact same thing and you'd never have known more than this showed itself.

          Secure Boot just ensures that you boot into a valid, authorised bootloader of your choice. At all points past that, you're on your own. Even the OS isn't necessarily dictated - hence why Linux can still boot on Secure Boot systems with (I believe) a Fedora/Microsoft-signed bootloader. Past that point is not the domain of Secure Boot in any way, shape or form, but the OS. And the OS will allow a user with administrative rights (whether inserted as a slipstreamed instruction via unattend.xml or similar or just by virtue of being the first user created during setup) to do whatever they want. This is no different on Windows, Linux, or anything else.

          The second you break that, you break every SCCM system in existence. And I'll be damned if I'm going to get MS to "sign-off" on my custom install of Windows that I deploy to several hundred machines every time I change it.

          1. thames

            Re: Secure boot?

            @Lee D - "To install ANYTHING on Windows or Linux which runs in the way of necessary drivers, you need to be able to slipstream things into the initial install which can be run as an administrator."

            - I won't argue with the general thrust of your argument so far as Windows is concerned, but with Linux drivers are normally written by the chip manufacturers and are part of the Linux kernel, not a third party add-on. There are a lot of technical advantages of doing it that way, but from the user's perspective it means that if you have a reasonably up to date kernel, then any drivers you may need normally come built right in. The reason why things are different on Windows is that Microsoft doesn't (understandably) want to hand out their kernel source code to anyone who asks for it.

            @Lee D - "hence why Linux can still boot on Secure Boot systems with (I believe) a Fedora/Microsoft-signed bootloader. "

            - Different distros have different solutions to this, but it basically revolves around having a signed pre-boot loader. The pre-boot loader loads the real boot loader, which then loads the kernel. I believe that Ubuntu had this first, but Red Hat/Fedora and Suse now also have their own. Overall though, it works more or less as you said. Each step in the chain checks the next step before loading it. It's intended to prevent root-kits from being loaded before the OS.

            @Lee D - "MS has to certify and pre-install ... every application as well. ... Want to install that freeware that you downloaded off the net to fix a problem? . "

            The solution which Linux distros came up with in the 1990s was repositories. These days the proprietary vendors call them "app stores". There are tens of thousands of packages ("apps") in Debian or Ubuntu. You can add third party repos if you want, which is how some proprietary software vendors offer their products. If you are doing a corporate deployment, you can change the configuration to point at your own repos, which is how you can control what software gets installed. Packages in the repos are signed, and the signatures are checked before they are installed.

I think that this is the way which Apple is going with OS X, and I imagine that Microsoft eventually will as well. If they copy the way that Linux distros do things, then third party repos will be supported so companies such as Adobe will be able to run their own independent "app stores" instead of paying 30% commission to Apple or Microsoft on every sale.

            There is some talk among Linux developers about checking the signature on each program before running it, but I don't know if that can be made to work with user-written scripts. If not, then that idea obviously won't work. Ubuntu has been doing a lot of work on sand-boxing individual apps for their mobile efforts, and have lately realized that it has advantages for cloud (like Docker) and desktop uses as well. This is probably the future direction of security for the desktop.
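An added example (not code from the thread or from any distro) of the repository model described above: a signed package index, a client that trusts only the repository keys it has been configured with, and a per-package digest check before anything is installed. Real apt repositories use detached OpenPGP signatures on the Release file; here HMAC-SHA256 with a shared key stands in for that signature because the Python standard library has no asymmetric crypto. All key material, repository names and package bytes are constructed for the demo.

```python
"""Signed package repository check, modelled on the apt Release/Release.gpg scheme.
HMAC-SHA256 stands in for the real detached OpenPGP signature (assumption).
Keys, repo names and package bytes below are constructed demo data."""
import hashlib
import hmac
import json

# Repository keys the client has been configured to trust.  A corporate
# deployment would list only its own repositories here (constructed data).
TRUSTED_REPO_KEYS = {
    "corp-internal": b"corp-release-signing-key",
    "distro-main": b"distro-release-signing-key",
}


def sign_index(index: dict, key: bytes) -> bytes:
    """Repository side: sign the canonical index (stand-in for Release.gpg)."""
    canonical = json.dumps(index, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def build_repo(repo_name: str, packages: dict, key: bytes) -> dict:
    """Repository side: the index maps package name -> sha256 of its bytes,
    and the whole index is signed once."""
    index = {name: hashlib.sha256(data).hexdigest() for name, data in packages.items()}
    return {"name": repo_name, "index": index,
            "sig": sign_index(index, key), "packages": packages}


def verify_and_install(repo: dict, pkg_name: str) -> str:
    """Client side: refuse unless the repo key is trusted, the index signature
    holds, and the package bytes match the digest in the signed index."""
    key = TRUSTED_REPO_KEYS.get(repo["name"])
    if key is None:
        return "rejected: repository not in trusted list"
    expected = sign_index(repo["index"], key)
    if not hmac.compare_digest(expected, repo["sig"]):
        return "rejected: index signature invalid"
    digest = repo["index"].get(pkg_name)
    if digest is None:
        return "rejected: package not in signed index"
    data = repo["packages"][pkg_name]
    if hashlib.sha256(data).hexdigest() != digest:
        return "rejected: package digest mismatch"
    return "installed"


def demo() -> dict:
    """Run the four cases a practitioner cares about and return the outcomes."""
    packages = {"editor": b"editor-binary-v1", "tool": b"tool-binary-v1"}
    good = build_repo("corp-internal", packages, TRUSTED_REPO_KEYS["corp-internal"])
    results = {"good": verify_and_install(good, "editor")}

    # Package bytes altered on the mirror after the index was signed.
    altered_pkgs = dict(packages, editor=b"editor-binary-altered")
    swapped = dict(good, packages=altered_pkgs)
    results["swapped_package"] = verify_and_install(swapped, "editor")

    # Index edited to match the altered bytes: the index signature no longer holds.
    edited_index = dict(good["index"],
                        editor=hashlib.sha256(b"editor-binary-altered").hexdigest())
    edited = dict(swapped, index=edited_index)
    results["edited_index"] = verify_and_install(edited, "editor")

    # A third-party repository the client was never configured to trust.
    rogue = build_repo("random-vendor", packages, b"random-vendor-key")
    results["untrusted_repo"] = verify_and_install(rogue, "editor")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The order of checks is the point: the repository's identity is settled first, then the integrity of the index, and only then the integrity of the individual package. Swapping the digest check for a signature on each package would not change the outcome here, but it is what lets a mirror be untrusted while the packages remain verifiable.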

    2. psyq

      Re: Secure boot?

      Looks like UEFI secure boot is the new bogeyman for some people.

      The purpose of the secure boot is to establish a chain of trust from the power ON. The purpose of this is to help prevent modification of the boot files >in deployment<. However, if you own or have the access to the trusted certificate, you can make your own bootloader which does whatever you want to. System OEMs can put their certificates in the UEFI firmware and validate whatever they want.

      Also, secure boot does not prevent an OS from launching anything after boot which is trusted (or not trusted but allowed by the system security policy). Once the OS is booted, it is completely up to the said OS configuration / security policy what to launch or not. If you, as a root/admin or OEM, install malware which does MITM - UEFI secure boot will not stop you (and it is not even designed to do that).

      Now, if you have only trusted certificates installed - in UEFI firmware, validating OS files and in OS certificate store, validating executables run by the OS, then you have a system which has one more hurdle for a potential adversary to crack.
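An added example, not code from the thread or from any firmware or distro, modelling the chain of trust described in the two comments above (the signed pre-boot loader chain and psyq's account of what secure boot does and does not cover). Each stage carries the keys it accepts for the next stage and verifies that stage's signature before handing over; the firmware's key database is the anchor. HMAC-SHA256 with a shared key stands in for the real X.509/Authenticode signatures, since the standard library has no asymmetric crypto; key ids, stage names and payloads are constructed.

```python
"""Model of a UEFI secure boot chain: firmware db -> shim -> bootloader -> kernel.
HMAC-SHA256 stands in for the real signatures (assumption); all key ids, stage
names and payload bytes are constructed demo data."""
import hashlib
import hmac

# Signing key material by id.  A real verifier holds only public keys; here the
# key id is what each stage's trust list refers to (constructed data).
KEYS = {
    "oem-platform-key": b"oem-platform-key-material",
    "distro-key": b"distro-key-material",
    "unknown-key": b"somebody-elses-key-material",
}


def sign(payload: bytes, key_id: str) -> bytes:
    return hmac.new(KEYS[key_id], payload, hashlib.sha256).digest()


def make_stage(name: str, payload: bytes, signer: str, trusts: list) -> dict:
    """A boot component: its bytes, who signed it, and which key ids it accepts
    for the *next* component (e.g. the distro certificate embedded in the shim)."""
    return {"name": name, "payload": payload, "signer": signer,
            "sig": sign(payload, signer), "trusts": trusts}


def verify_chain(firmware_db: list, stages: list) -> tuple:
    """Walk the chain.  The firmware db is the trust anchor; each later stage is
    checked against the key list carried by the stage before it.  Returns the
    names of the stages that were verified and loaded, and the outcome; loading
    stops at the first failure."""
    trusted = set(firmware_db)
    loaded = []
    for stage in stages:
        if stage["signer"] not in trusted:
            return loaded, f"refused {stage['name']}: signer {stage['signer']} not trusted"
        expected = sign(stage["payload"], stage["signer"])
        if not hmac.compare_digest(expected, stage["sig"]):
            return loaded, f"refused {stage['name']}: signature invalid"
        loaded.append(stage["name"])
        trusted = set(stage["trusts"])
    return loaded, "booted"


def demo() -> dict:
    firmware_db = ["oem-platform-key"]  # what the OEM enrolled in the UEFI db
    shim = make_stage("shim", b"shim-v1", "oem-platform-key", ["distro-key"])
    grub = make_stage("bootloader", b"grub-v1", "distro-key", ["distro-key"])
    kernel = make_stage("kernel", b"vmlinuz-v1", "distro-key", [])
    results = {"clean": verify_chain(firmware_db, [shim, grub, kernel])}

    # Pre-OS root-kit scenario: bootloader bytes changed on disk, old signature kept.
    patched = dict(grub, payload=b"grub-v1-modified")
    results["patched_bootloader"] = verify_chain(firmware_db, [shim, patched, kernel])

    # Bootloader re-signed with a key the shim does not carry.
    resigned = make_stage("bootloader", b"grub-v1", "unknown-key", ["distro-key"])
    results["unknown_signer"] = verify_chain(firmware_db, [shim, resigned, kernel])

    # What the chain never sees: a root CA dropped into the OS certificate store by
    # the OEM image or an administrator.  verify_chain takes no such input, so the
    # boot outcome is identical with or without it; that check belongs to the OS.
    os_cert_store = {"vendor-added root CA": "present"}  # constructed, unused by boot
    results["with_rogue_os_ca"] = verify_chain(firmware_db, [shim, grub, kernel])
    results["os_store_entries"] = len(os_cert_store)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The two failure cases show the boot-time guarantee (a modified or re-signed component is refused before it runs); the last case shows its boundary, which is Doctor Syntax's objection below: once the kernel is running, the certificates the OS trusts for TLS are outside anything the chain signed over.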

      1. Doctor Syntax Silver badge

        Re: Secure boot?

        "The purpose of the secure boot is to establish a chain of trust from the power ON."

        Yes, and it's a very short chain.

        " If you, as a root/admin or OEM, install malware which does MITM - UEFI secure boot will not stop you (and it is not even designed to do that)."

        This is my point. The chain of trust isn't even long enough to ensure that the OEM OS image is trustworthy.

        It might have been a great idea at some time to make a genuinely trustworthy system but if so it was inadequate. For that to happen the boot process would have had to have the capacity to inspect the OS's certificates and if it found any deemed untrustworthy eliminate them or boot into a very restricted mode. Of course many of us might find this sort of behaviour unacceptably intrusive; there's always a trade-off between usability and security.

        Alternatively it might have been a marketing ploy to give customers a feeling of security and maybe try to block attempts to load other OSs by establishing a degree of ownership over the hardware.

        What it clearly doesn't do is ensure that the customer at least starts off with a trustworthy machine.

  25. Spasticus Autisticus

    I'd started to go off Lenovo kit recently anyway so this just confirms I was right to be wary. I try to screw down security as much as I can on my systems but there's always a chance there's a chink in my armour. As for joe public even considering wiping the installed OS and installing a vanilla copy of Windows, that just isn't going to happen.

  26. SpaMster

    This isn't over, they are still providing adware-ridden PCs

    We bought a Lenovo desktop PC about 2 weeks ago for a new user in our offices. As soon as we installed our antivirus on the machine, it started flagging up that Internet Explorer was infected with a piece of adware called 'Positive Finds'. It seems they are still sending out infected PCs. Steer well clear.

  27. crayon
    Joke

    "That is, after taking into account the crap-ware, Windows is essentially free to the manufacturer. That's why they don't care about the cost of Windows licenses."

    Bloody MS' fault again.

  28. Someone Else Silver badge
    FAIL

    Lenovo off the list? CHECK!!

    (Not that they were ever really on the list, but this settles the matter once and for all.)

  29. Anonymous Coward
    Anonymous Coward

    Performing a MITM attack against encrypted communications between a customer and their bank cannot possibly be legal. I can't see a judge accepting that the customer and/or the bank have authorised Superfish to wiretap that conversation.

    The directors of Superfish and Lenovo need to go to jail.

    1. Yet Another Anonymous coward Silver badge

      You clicked OK to the EULA when you bought/unpacked/installed/walked past the machine in Dixons - it's your fault.

  30. stevehn

    Call me paranoid but I don't buy Lenovo products just like I don't buy any smartphones that are controlled by Chinese companies.

    1. Anonymous Coward
      Anonymous Coward

      Paranoid and probably misguided. First of all, pretty much everything is made by the Chinese nowadays. That's done to keep CEOs and major shareholders rich.

      Second, do you really think that non-Chinese corporations would do sneaky things like this? Ever heard of Google? Facebook? Apple?

    2. Alister Silver badge

      Call me paranoid but I don't buy Lenovo products just like I don't buy any smartphones that are controlled by Chinese companies.

      Just to point out that the company that writes and sells Superfish is an American / Israeli company...

  31. Daniel B.
    Facepalm

    Phishing paradise

    Now all phishers have to do is to strike Superfish and make it reroute requests to e-banking sites into their own sites and nobody would find out until it's too late.

    Way to go, Lenovo!

  32. theloon

    Priceless - a FB engineer shocked about 'ads' and wondering what world he is in

    Actually more disturbing that the spyware...imo..

    How is this a surprise .... It's the type of world you have helped create FB dude !

    #FAIL

  33. Anonymous Coward
    Anonymous Coward

    That's the last straw..

    I'm changing my profession from IT Specialist to Banker because it's a safer, more ethical line of work.

    1. Anonymous Coward
      Anonymous Coward

      Re: That's the last straw..

      Closed circle banker fat cat laughs at your pretensions.

  34. A Ghost
    WTF?

    Just add them to the list

    Samsung, LG, Barbie, and now Lenovo.

    Pretty soon you won't be able to buy anything at all.

    Has anyone, ever, in the history of these shenanigans, actually been prosecuted and imprisoned for this?

    Thought not. Should have though. All that 'well I deserve my 100K salary because you know I have corporate responsibility and with great responsibility comes great reward', is sounding a bit hollow now.

    What low lifes. And they'll get away with it too coz those pesky kids are too busy meddling with fucklook!

    The kids don't care, the parents don't care, the corporates don't care, the government doesn't care. Nobody cares anymore, man!

    They're selling wi-fi enabled hippy wigs in Woolworth's man! The greatest technological era in the history of mankind is coming to an end.

  35. Anonymous Coward
    Anonymous Coward

    What else should we expect?

    When the Chinese military was allowed to purchase IBM's personal computer group and PC patent portfolio?

  36. x 7 Silver badge

    my E540 is clean

    My E540 appears to not be affected - no sign of the cert

    It was a recent purchase and had Win7 installed though manufacture date was around Sept last year. Anyone know the active dates for this infection?

    1. Solmyr ibn Wali Barad

      Re: my E540 is clean

      You never had it. Unless you managed to download it somewhere.

      "Users report Superfish is installed on the Lenovo Y50, Z40, Z50, G50 and Yoga 2 Pro laptops"

      libertysflame.com/cgi-bin/readart.cgi?ArtNum=37137

      https://forums.lenovo.com/t5/IdeaPad-Y-U-V-Z-and-P-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/td-p/1726839

      Which is consistent with the claim that only consumer-oriented machines were preloaded with it.

  37. ben_myers

    And just which models of Lenovo laptops were afflicted with SuperFish?

    OK, Reg, now for your follow-on article: Which models of Lenovo laptops were afflicted with SuperFish? One would think that Lenovo would be 100% cooperative to reveal this information. It speaks to their credibility with corporate and enterprise buyers. Other accounts about Lenovo and SuperFish imply that this slimeware was installed only on "consumer" laptops. If so, does this mean consumer MODELS of laptops or does it mean those without a Windows Professional sticker?

    Inquiring minds want to know.

  38. Henry Wertz 1 Gold badge

    Umm... Temporarily removed?

    "Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues," Hopkins said.

    Umm, temporarily? Nobody wants adware installed on a computer, period. The certificate attack is possibly illegal, but that's not actually the main issue here, it is the installing adware on there to begin with. A few vendors have done this on and off in the past (briefly, due to the customer backlash!). Now that you've been caught red-handed, you must commit to not installing this software any more or your sales will absolutely tank.

    edit: Are you guys saying it's actually typical for Windows PCs to come with various adware and spyware installed now, as opposed to just some random "bundled apps"? It makes me particularly glad I don't use Windows on my systems 8-)

  39. jason 7

    Lenovo/Acer/Asus/HP etc.

    ...are making their laptops and desktops look and behave like clown cars with all the useless junk they install on them.

    Have any of them sat down with one of their consumer machines out of the box and thought -

    "Oh yes, now this is a slick and pleasing computing experience!"

  40. JLV Silver badge
    Facepalm

    Forget ethics. how about not being stupid?

    Benefit analysis?

    How much $ did Lenovo stand to make from fiddling with ads? $1m, $10m per quarter? How much per machine? $10? $100? Too much profits would actually make it too visible - "Lenovo Advertising division, 100M revenue contribution, whazza about?"

    Risk?

    This is a company that sells $10b per quarter, with 13-14% gross profit. How much is a Sony rootkit-style debacle, except worse, gonna cost them in lost sales? For how long? Lawsuit costs? Added cost of PR and marketing to fix reputation?

    You would expect financial common sense to keep people from doing stuff like this.

    Whoever authorized this should barely be trusted, professionally, to flip burgers at low-end Mc Donald imitators from now on. They're just dangerous to your profits.

    And their ethics suck too.

  41. This post has been deleted by its author

  42. Tree

    Chi-Comms

    My laptop is the baby that the commie gave birth to after sneaking into the USA as a tourist. It is an abortion.

  43. alva

    Well, at least Lenovo did one good thing by committing to remove all bloatware from their machines once they start shipping with Windows 10. Now if only the other laptop manufacturers will do so as well. As well as publishing the manual instructions for removing both the Superfish and the self-signed certificate which was the root of potential abuse.

    http://www.removepcthreats.com/halt-to-pc-crapware-after-lenovo-debacle

Biting the hand that feeds IT © 1998–2019