Lenovo's Response to Its Dangerous Adware Is Astonishingly Clueless

397 points by taylorwc, more than 10 years ago

21 comments

buro9, more than 10 years ago
Microsoft is currently doing Lenovo's work for them: https://twitter.com/FiloSottile/status/568800260111388672

The latest version of Windows Defender is actively removing the Superfish software *and* the cert.

The text of the definition is here: http://pastebin.com/raw.php?i=us7iXvkn
JumpCrisscross, more than 10 years ago
It tickles me that Superfish is a DFJ-funded [1] start-up based out of Palo Alto. Reporters are focussing on Lenovo's Chinese lineage. Yet this bubbled up out of our backyard, from our own lack of diligence (or scruples).

[1] Edit: Draper Fisher Jurvetson, the $4 billion Menlo Park VC firm that backed Baidu, Hotmail, Tesla, SpaceX and Twitter.
ghshephard, more than 10 years ago
How on earth can Lenovo/Superfish state:

"But Superfish tells us it stands by Lenovo’s assessment. “Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today.” a company spokeswoman said. “Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrong doing on our end.”

Now that an official CERT announcement has been released:

https://www.us-cert.gov/ncas/alerts/TA15-051A

I think their misleading comments are going to come back and bite them more than they have already.

[EDIT - Looks like they are backpedaling a little on: http://news.lenovo.com/article_display.cfm?article_id=1929

*"Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future."*

*"By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort"*

And on: http://support.lenovo.com/us/en/product_security/superfish

*"Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. ... Superfish intercept HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern."*

]
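The check implied by the advisory text quoted in the comment above, as an added example that is not part of the original thread: a PowerShell function (hypothetical name `Find-RootCertBySubject`) that lists certificates in the machine and user trusted-root stores whose subject contains a given string. The default pattern `Superfish` is an assumption about the certificate's subject name; the function only reports and removes nothing.

```powershell
# Added example: audit the Windows trusted-root stores for a root certificate
# by subject name. The function name and the default pattern are assumptions.
function Find-RootCertBySubject {
    param(
        # Substring to look for in the certificate subject (case-insensitive).
        [string]$Pattern = 'Superfish'
    )

    # Both stores feed the trust decisions made for the logged-on user.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$Pattern*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    # A root certificate is self-signed: subject equals issuer.
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # True if the private key is also present on this machine.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$hits = @(Find-RootCertBySubject)
if ($hits.Count -eq 0) {
    'No matching root certificate found in the machine or user Root store.'
} else {
    $hits | Format-List
}
```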
rcthompson, more than 10 years ago
I warned all my friends and colleagues who use Lenovos, and their answers were all the same. "Who'd be crazy enough to use the default install? First thing I did was (a fresh reinstall of Windows|install Linux)."

(Edit: Obviously this is not representative of the general population, and I didn't mean to suggest it was. I was just noting that my efforts to warn people about the untrustworthiness of Lenovo were thwarted because none of them trusted Lenovo to begin with, not for software at least, and that seemed interesting.)
SideburnsOfDoom, more than 10 years ago
While we're at it, Lenovo's statement that we might enjoy the adware: "The relationship with Superfish is not financially significant; our goal was to enhance the experience for users" is self-evidently bullshit.
leereeves, more than 10 years ago
The more they deny this is a problem, the more it damages their reputation.

They should just admit the problem, thank the security experts, and develop an easy fix.
albertzeyer, more than 10 years ago
Note that Lenovo has now removed the statement from their article:

“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”
argos, more than 10 years ago
They changed their statement. Now there is no mention of the issue not being a "security concern" (http://news.lenovo.com/article_display.cfm?article_id=1929)
billhendricksjr, more than 10 years ago
Great... I'm the last person in the startup world still using a PC, and it happens to be a Lenovo.
jhou2, more than 10 years ago
I was under the impression that Lenovo supplies a lot of computers to government and enterprise contracts around the world. Was Superfish only installed on consumer-oriented devices, like the ones typically found at Best Buy? I realize most large enterprises would re-image their computers before deployment. I'm shocked that Lenovo would release such a statement. The damage to its credibility is significant.
belorn, more than 10 years ago
Lenovo's response is not astonishing in the least, it's the expected behavior. They made a business decision to include adware in order to raise some extra revenue and then got caught. The default response is to underplay the importance of it, sweeping it under the rug and hope no legal action will happen.

A few months ago there was a HN story about a car manufacturer who had made the decision to use cheaper parts for the ignition. They had the critical internal reports from engineers, and when the deaths started to pile up they did the same thing as Lenovo. Act clueless, downplay the issue, make a fix, and silently move on. So long as it's just customer outrage, it is perfectly fine to do borderline illegal things in order to raise some revenue.
halayli, more than 10 years ago
Can someone explain to me how Graham claims he can decrypt the intercepted traffic? The proxy communicates securely with the intended website. It's just the browser <-> proxy communication that's vulnerable but that's local on the machine, no?
somerandomone, more than 10 years ago
That's one example of management being utterly technologically incompetent, which unfortunately is the case in a lot of Chinese companies.
tonylemesmer, more than 10 years ago
komodia.com admits to be undergoing a DDoS attack at 2300hrs UTC (Fri 20th Feb 2015)

(komodia is apparently the underlying tech for the superfish thingy)
harrystone, more than 10 years ago
It is not astonishing that a company that would do this would also lie about it. They knew what they were doing.
eire1130, more than 10 years ago
If anyone knows someone who has purchased an infected Lenovo with Superfish, send me an email. My wife is a class action attorney and is conducting an investigation in the matter. Eire1130 (at) gmail (Dot) com
jhou2, more than 10 years ago
Kudos to MS, srsly. lol the amount of positive press that MS has been garnering recently on HN is impressive.
fown9, more than 10 years ago
"Beijing-based computer maker Lenovo has reportedly been blacklisted for years by spy agencies worldwide, as concerns about government-sanctioned Chinese hacking persist. According to the Australian Financial Review, Australia, the UK, Canada, New Zealand, and the US have all rejected Lenovo machines for their top-secret networks since the mid-2000s, though the computers can be used for lower-security tasks that don't involve sensitive information" [1]

Why buy a laptop from a company that has ties to the Chinese government [2], an authoritarian government that supports dictators in Africa and totalitarian government in Russia, oppressing women and children in those countries?

[1] http://www.theverge.com/2013/7/30/4570780/lenovo-reportedly-banned-by-mi6-cia-over-chinese-hacking-fears
[2] http://en.wikipedia.org/wiki/Lenovo
whytry, more than 10 years ago
It's kind of hypocritical when USA loads backdoors into hardware that VisualDiscovery relies on.
mchahn, more than 10 years ago
Last night I fired up a brand new HP stream desktop with windows 8.1 (only $179!). It had a Superfish icon on the desktop. When I get home I'll check for the cert.

So maybe Lenovo isn't the only offender.

Edit: Duh. It was snapfish, not superfish. I've been reading about superfish so much that's what I saw.
devy, more than 10 years ago
I found this whole Lenovo Adware-gate very hypocritical. Why does everyone blame the messenger Lenovo but not the source Superfish? Why? Is it because Lenovo is a Chinese company whereas Superfish is an Israeli-American company based in Silicon Valley?

Before this adware-gate, EVERY PC manufacturer bundles adware, HP, Dell, Acer, Lenovo, Asus to name a few top players (Apple perhaps is the only exception as I don't count them as a PC manufacturer). Did anyone bother to look if there were tons of similar security risks with those?