42 Comments
MonkeyPaw - Thursday, February 19, 2015
So maybe this should have been called SuperPhish?

Mondozai - Friday, February 20, 2015
Even if Lenovo backtracks, the question that will linger is: why did you even do this in the first place? The only reason they are backtracking is because they got caught. If they hadn't gotten caught doing this by consumers, they wouldn't have backtracked. It makes you wonder what their next step will be.
Trust has been destroyed and it will take years to rebuild. I got myself an Apple rMBP 13" last year. I'm guessing it'll last me at least 3 years. If I was ever going to go back to Windows, it'd probably be Dell at this stage.

Antronman - Tuesday, February 24, 2015
The real question is: If today's consumers are so tech-savvy, how is Apple selling any Macbooks and iMacs?
Dell has always been the way to go. Reliable construction, decent customer service (there's no such thing as good customer service in the tech world), and fairly cheap prices compared to other OEMs.

Michael Bay - Thursday, February 26, 2015
Apple does not sell devices per se, Apple sells a feeling of belonging, and does so really damn well.
Historically, professionals in video editing chose Apple mainly out of inertia, but that time has passed.

WorldWithoutMadness - Thursday, February 19, 2015
Lenovo. For those who do (love to get robbed).
Maybe OEMs should just sell a stock OS instead of their useless bloatware; most of the time they don't know what they're making anyway.

willis936 - Friday, February 20, 2015
"Hey boss man, you can make a million dollars by putting shitware on this laptop and only lose $300,000 in sales from upset customers." What do you think boss man will do?

WaltFrench - Thursday, February 19, 2015
@Ian wrote, “Despite whatever good intentions Lenovo had behind the software…”
Let's be REALLY clear here: the purpose of Superfish adware was to supersede the ads that finance many indie websites, including this site, it'd seem. Lenovo was undercutting the financial viability of sites that depend on either impressions (seems some ads were replaced?) and/or clicks (which would be lessened by having ads in front of, blocking, existing ads).
The result is to harm the finances of sites that Lenovo users find most useful.
The privacy angle is pretty serious, too: when Superfish tells ITS ad servers to bring up an ad for guns, drug paraphernalia, security systems or … heck, home pregnancy tests, your profile is going back to the Lenovo partner. Given how sloppy the security angle is (an easily-cracked certificate password, opening all users to MITM attacks using the same certificate number as on EVERY Lenovo machine), there's no reason to think your personal details aren't getting abused, exposed to criminals or snoops.
And of course, the utterly unthinking indifference to user security that was evident.
The only good intention Lenovo had was to make a few bucks by cutting corners on its users' productivity, privacy and security. Dunno how they thought that would work out, so it was just low-grade money-grubbing that'll make any careful person look gimlet-eyed at every other product from them.
eanazag - Thursday, February 19, 2015
There's a reason why they did not target any of their business computer lines. It is because it is totally shady. There is no justification for this software to be installed except to take advantage of users who don't know any better. This is simply theft of advertising money. There is a responsibility for a company to know what is being added to their products. It is easy to wipe and install Windows from an MS-derived disc, and that is how I have always treated PCs I have bought. I simply can't trust their non-PC mobile devices, because it is generally not as simple.
This is a Chinese company selling machines with security exploits and even naming appropriately like malware.
I'd expect the EU to jump all over this because they do what's best for their citizens, even if they really do it to make the most of every opportunity to rob companies of their earnings and deposit them into coffers.
I wholly expect the US government to ignore it totally because our politicians just take the money direct into their pockets to turn the other way.
Just means we need more vigilance. It was inevitable that a company would take advantage of how numb people are to usage agreements. No one reads them, and that basically clears the company of liability for users who don't read what they agree to.
adamrussell - Thursday, February 19, 2015
http://arstechnica.com/security/2015/02/how-to-rem...
How to remove.
Well written and easy enough.
Not that I had it, but I went through the procedure just in case.

TheLight - Thursday, February 19, 2015
I wrote a quick PowerShell script to help search for the Superfish certificate across a Windows domain. Hope it helps people track this down quickly.
http://www.theendofthetunnel.org/2015/02/19/search...
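
Added example, in the same spirit as TheLight's domain sweep above: this is not TheLight's script (that is at the truncated link), nor code from AnandTech, Lenovo or Superfish. It searches the Windows certificate stores for the Superfish root certificate, locally or across a list of domain machines, and can remove it. That matters because, as Azhrei points out further down the thread, uninstalling the Superfish application leaves the root certificate in the store. The script name, the default Subject match on "Superfish" and the host list are assumptions; the -Thumbprint parameter is left empty so the caller supplies the value from the vendor advisory rather than a guessed one.

```powershell
# Find-SuperfishCert.ps1 (assumed name; added example, not the thread's or any vendor's code)
# Locate, and optionally remove, the Superfish root certificate from the Windows
# certificate stores on this machine or on a list of domain machines.
#
# Usage (local report only):      .\Find-SuperfishCert.ps1
# Local removal (elevated shell): .\Find-SuperfishCert.ps1 -Remove
# Domain sweep (needs WinRM):     .\Find-SuperfishCert.ps1 -ComputerName (Get-Content hosts.txt)
[CmdletBinding()]
param(
    [string[]]$ComputerName = @(),          # empty list = scan the local machine only
    [string]$SubjectPattern = '*Superfish*',# -like pattern on the certificate Subject (assumption)
    [string]$Thumbprint = '',               # optional: SHA-1 thumbprint from the vendor advisory
    [switch]$Remove                         # report only unless set
)

# The same scriptblock runs locally or, via Invoke-Command, on each remote host.
$scan = {
    param($SubjectPattern, $Thumbprint, $Remove)

    # Stores in which a rogue trust anchor would be honoured by Windows/IE/Chrome.
    # CurrentUser\Root only covers the account running the scan.
    $stores = @(
        @{ Location = 'LocalMachine'; Name = 'Root' },
        @{ Location = 'LocalMachine'; Name = 'AuthRoot' },
        @{ Location = 'CurrentUser';  Name = 'Root' }
    )

    foreach ($s in $stores) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($s.Name, $s.Location)
        try {
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        } catch {
            # A non-elevated scan cannot open LocalMachine read/write; fall back to
            # read-only so the report is not silently empty. Removal will then fail.
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        }

        foreach ($cert in @($store.Certificates)) {
            $subjectHit = $cert.Subject -like $SubjectPattern
            # X509Certificate2.Thumbprint is upper-case hex without separators.
            $thumbHit   = $Thumbprint -and ($cert.Thumbprint -eq $Thumbprint.Replace(' ', '').ToUpper())
            if (-not ($subjectHit -or $thumbHit)) { continue }

            $removed = $false
            if ($Remove) {
                try { $store.Remove($cert); $removed = $true } catch { $removed = $false }
            }

            # One record per hit, so the output pipes cleanly into Format-Table or Export-Csv.
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Store      = "$($s.Location)\$($s.Name)"
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Removed    = $removed
            }
        }
        $store.Close()
    }
}

if ($ComputerName.Count -eq 0) {
    & $scan $SubjectPattern $Thumbprint $Remove.IsPresent
} else {
    # Remote execution needs WinRM enabled on the targets and admin rights there for -Remove.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $scan `
        -ArgumentList $SubjectPattern, $Thumbprint, $Remove.IsPresent -ErrorAction Continue
}
```

Run it in an elevated shell for LocalMachine removals; a domain sweep needs WinRM on the targets and administrative rights there. It only covers the Windows stores: Firefox and Thunderbird keep their own NSS certificate database, which has to be checked separately, and the Superfish application itself still has to be uninstalled.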
aryonoco - Thursday, February 19, 2015
How, just how did this get sign-off?
It's not what this single instance does, or the damage it may or may not cause to potentially hundreds of thousands of people. It's that in my opinion such actions speak clearly about a company's culture and attitudes. I have always had high regard for Lenovo, I think they've been a good steward of the ThinkPad brand, but I know that next time I'm about to purchase any Lenovo products, I will inevitably pause and remember this episode.

Bob Todd - Friday, February 20, 2015
Everyone interested should really read the Errata Security blog post that Ian linked to. The behavior is despicable in general, but the actual implementation is otherworldly asinine and lazy. The devs who wrote the code need some kind of Scarlet Letter to let potential employers know they should never be allowed to touch any code that is even remotely security related.

yankeeDDL - Friday, February 20, 2015
I was "lucky" to purchase a Lenovo in November 2014.
One thing I can say is that SuperFish was not "hiding" itself in any way.
My first step when starting on a new PC is always to download "proper" software, and in this case the only browser provided was IE. So you can imagine my surprise when the screen started filling up with ads. On the first boot. Not even minutes after starting up.
A quick Google search and the culprit was quickly found and removed. SuperFish stayed on my PC no more than 5 minutes, and I cannot imagine how anyone could be browsing *any* page with that thing throwing ads at you.
Azhrei - Friday, February 20, 2015
If you only uninstalled the SuperFish application, you still have the root certificate vulnerability. To get rid of it, you have to remove the SuperFish certificate from the Windows certificate store.

yankeeDDL - Friday, February 20, 2015
Yes, of course. I did not know about the cert issue till the case exploded in the news: I just cleaned it.

mkozakewich - Friday, February 20, 2015
Which is even more damning. Anyone who knows a little about getting a new PC will remove these offending applications, but in this case the certificate was still active.

beginner99 - Friday, February 20, 2015
That's why the first action after buying a laptop should always be a clean install. And since it's a huge advantage to replace the crappy HDD with an SSD, you get 2 benefits for the same work.

beginner99 - Friday, February 20, 2015
Note: Did exactly that with a Lenovo laptop, but it's older than 2014 anyway.

techcrazy - Friday, February 20, 2015
I'll never buy a Lenovo product ever again. Except Motorola.

Essence_of_War - Friday, February 20, 2015
"Despite whatever good intentions Lenovo had behind the software"
The only good intention Lenovo had was for Lenovo's bottom line. If we are to believe their claim that their financial relationship with Superfish "was not significant", what they're really saying is that they're willing to sell their customers up the river, and they're willing to do it for trivial amounts of money.
"This essentially amounts to a fake root certificate"
It IS a fake root certificate. The tail is a tail.
Murloc - Friday, February 20, 2015
lulz, apparently someone DDoSed the Komodia website.
Anyway, this is a huge blunder. How can someone in the position to make these decisions in a big business-oriented tech company NOT know that it'd be a huge mistake??
Seriously?

jabber - Friday, February 20, 2015
It really is time for Microsoft to step up and start pushing their own 'Signature' brand of laptops and PCs to the public. Why can't Windows users get the benefit of the Apple-type 'works out of the box' experience? I get a lot of laptops in for customers, and the total crap that's installed on them really reflects badly on the manufacturer and Microsoft. Buying a Windows laptop encrusted with crapware is like buying a clown car. Not what you want when you've spent hard-earned money on it and just want to start using it. Oh, and customers will pay extra for the laptops if it's not installed. After all, they pay me to delete it all off once they've bought it.

leliel - Friday, February 20, 2015
I'll take Surface for $800, Alex.

batongxue - Friday, February 20, 2015
Couldn't care less about this company

plonk420 - Friday, February 20, 2015
*I could care less

mkozakewich - Friday, February 20, 2015
I really don't think he could. I certainly can't. We're already at the bottom of caring.

Sushisamurai - Friday, February 20, 2015
When a Chinese company bought Lenovo from IBM, I made a vow to never buy a product from them ever again. No matter what both sides of that agreement said when the handover was done, Chinese control will eventually poison the original company's ethics and direction.

Murloc - Friday, February 20, 2015
yeah it's sad, they had managed to maintain their reputation as a business/srs bzns brand after the sale, but with this blunder they've shown they're a typical company that you wouldn't trust with your data, like you wouldn't any random no-name Chinese OEM.

michal1980 - Friday, February 20, 2015
This issue is difficult for Anandtech to discuss? Why? Too much ad money from Lenovo? It should be easy. Lenovo should be BFG-blasted by everyone. Who cares what their intentions are? They install a back door.
But Anandtech's new management doesn't want to rock the boat. Lest they no longer get invited to Lenovo's parties.
PICman - Friday, February 20, 2015
Yes, I'm disappointed in the tone of Anandtech's response. Check out the Komodia website if you can get to it after the DDoS attack. The content is disgusting - they brag about their ability to circumvent security on several different operating systems. The fact that Lenovo is associating with these people tells you that Lenovo only cares about extracting money from customers.

steven75 - Friday, February 20, 2015
Stick a fork in Lenovo. They're done.

steven75 - Friday, February 20, 2015
(Or they would be if the average person were informed)

PICman - Friday, February 20, 2015
The "average person" does not care about this (meaning, not enough to take action) until their bank account is wiped out or someone files a tax return in their name.
I'm not a lawyer, but in my view someone in Lenovo should be prosecuted under US law. First, they installed malware. When they were caught, they lied about the security issues.
What is unknown is other security problems that are baked into their products.... Yes, a fresh install of an operating system might help, but it may not be enough.
BrokenCrayons - Monday, February 23, 2015
A class action lawsuit proposal has gotten underway as of today, so there are some possible legal ramifications coming Lenovo's way depending on the outcome of the filing:
http://www.csoonline.com/article/2887088/legal/len...

brucek2 - Monday, February 23, 2015
Too often those class actions result in "victories" such as affected consumers receiving a $5-off coupon for their next unsafe Lenovo laptop.
For this reason I'm with PICman -- the appropriate response here is a criminal prosecution of the person most directly responsible. In particular, causing a fraudulent security certificate to be presented which falsely claims it was issued to "Bank of America", but with which Bank of America had nothing to do, ought to in and of itself be a crime. Even better if Bank of America itself wishes to also directly sue, and presumably for a victory or settlement that would go far beyond a $5 coupon.

brucek2 - Saturday, February 21, 2015
Impersonating a bank, or a representative of a bank, for the purpose of gaining access to financial information must already be illegal in the real world. Is what Lenovo did here similar enough so they could be criminally prosecuted for having done so digitally?

jabber - Sunday, February 22, 2015
Quite surprised at the low-key to near-zero coverage this is getting on Anandtech. Pretty much every other tech site has 3-4 articles on this issue... not so this site.
All very quiet. Hmmmm...
Does Anandtech support bloatware installs?

Mumrik - Sunday, February 22, 2015
> It is a difficult subject for a website like AnandTech to tackle
Stop reviewing their products. Take a stand.

brucek2 - Monday, February 23, 2015
Much better to include them in comparisons, along with a simple statement that "based on previous actions we cannot recommend consumers trust their information on Lenovo-altered operating systems, so any of these other choices would be better."
Or, given the readership here, perhaps every prebuilt system review should include a check for whether the included OS media and license enable a clean reinstall. Requiring and using this opportunity is probably best practice in any case.

Zak - Monday, February 23, 2015
"Despite whatever good intentions Lenovo had behind the software" -- oh please. I'd expect more honesty from Anandtech. The only intention here was to make a few bucks at the expense of security.

Dr.Neale - Tuesday, February 24, 2015
Update 2/23: Typo at the very end: "I can be found here" should read "It can be found here". ROFL :)

MamiyaOtaru - Tuesday, February 24, 2015
Was deciding between an XPS13, a Razer Blade and a Lenovo X250. Was a tough decision, but this knocks one of the contenders out.