So this is a thing now
-
Supply chain poisoning is the death of trade
-
I feel like this behavior should be illegal on devices that you don't own.
Oh well, just another reason to use @scottalanmiller's logic and wipe the drive before you start to use it.
-
Ugh, yes! Nuke them all. Vendor images are by definition garbage.
-
Lenovo has released a statement saying Superfish was installed on consumer laptops shipped between October and December 2014. The manufacturer said it stopped preloading Superfish in January 2015 and has no plans to resume the practice. Amazingly, the company said it did "not find any evidence to substantiate security concerns," but added that it's responding to them anyway. People who are concerned their PC may contain this critical vulnerability can check at https://filippo.io/Badfish/. The website was designed by one of the same researchers who published a site to scan websites for the catastrophic Heartbleed weakness in OpenSSL.
How did this not come up in image/software testing? TLS injection is something that can be fairly easily observed by even those without a technical background.
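As an added example (not from this thread or from the Badfish site), here is how the same check the linked site performs can be done locally on the affected Windows laptop: enumerate the trusted root stores for a certificate whose subject names Superfish, then open a TLS connection and look at who actually issued the certificate the client receives. A TLS-interception root shows up in both places: as an extra entry in the root store, and as the issuer of every site's certificate. The host name used for the live check is a placeholder; only the subject-name match is assumed, no thumbprint is hard-coded.

```powershell
# Added example, not the thread's or Lenovo's code.
# Assumes Windows PowerShell on the machine being checked; the host name below is a placeholder.

function Find-SuspiciousRootCA {
    param([string]$Pattern = 'Superfish')
    # Both the machine-wide and the per-user Root stores are trusted by the OS
    # and by browsers that use the Windows store, so check both.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Get-PresentedIssuer {
    param([string]$HostName = 'www.example.com')  # placeholder host for the live check
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        # Accept whatever certificate is presented: the point is to inspect it,
        # not to rely on validation (an injected root would validate anyway).
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $tcp.Close()
    }
}

$found = Find-SuspiciousRootCA
if ($found) {
    'Matching root certificate(s) found:'
    $found | Format-Table -AutoSize
} else {
    "No root certificate matching 'Superfish' in the LocalMachine or CurrentUser Root stores."
}

$presented = Get-PresentedIssuer
$presented | Format-List
if ($presented.Issuer -like '*Superfish*') {
    "TLS interception detected: the certificate for $($presented.Host) was issued locally, not by a public CA."
}
```

The second check is the one that matters for a non-technical user: a public site's certificate should be issued by a well-known public CA, and a locally installed root appearing as the issuer means every HTTPS session is being terminated and re-signed on the machine. Finding the certificate is only detection; the thread's advice of wiping the vendor image and reinstalling is the clean remediation.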
-
@coliver said:
I feel like this behavior should be illegal on devices that you don't own.
Oh well, just another reason to use @scottalanmiller's logic and wipe the drive before you start to use it.
We saw this behaviour on @dominica's Lenovo! I had proposed that something like this was going on. Glad to see it was validated after people kept calling me crazy.
-
This is pretty bad - check out the top comment here: https://www.reddit.com/r/technology/comments/2wecz2/lenovo_users_report_preinstalled_superfish_adware/
-
Here, in its full glory, is the entire Lenovo statement:
Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:
Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
Lenovo stopped preloading the software in January.
We will not preload this software in the future.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first. To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.
We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detailed information is available at http://forums.lenovo.com.
-
This definitely puts the final nail in the coffin for Lenovo for me. Our interactions with them last year were awful. This, though, is outrageous.
-
@scottalanmiller said:
This definitely puts the final nail in the coffin for Lenovo for me. Our interactions with them last year were awful. This, though, is outrageous.
So I take it you believe they knew exactly what this software did/could do and decided to deploy it anyhow?
-
@Dashrender said:
@scottalanmiller said:
This definitely puts the final nail in the coffin for Lenovo for me. Our interactions with them last year were awful. This, though, is outrageous.
So I take it you believe they knew exactly what this software did/could do and decided to deploy it anyhow?
I used the machine for five minutes and knew what they had done. There is no way they didn't know that this was happening. And if they claim that they didn't know, that's almost worse. They will just let anyone pay to put anything bad onto your machine!
This is not a trivial breach of trust.
-
@Dashrender said:
@scottalanmiller said:
This definitely puts the final nail in the coffin for Lenovo for me. Our interactions with them last year were awful. This, though, is outrageous.
So I take it you believe they knew exactly what this software did/could do and decided to deploy it anyhow?
My main question is... does it matter? If they did it intentionally then it is justified. If they didn't fully test the software and understand the implications.... then it is also justified. This isn't a small bug that just went by the wayside, this is a serious, security-breaking, intentional piece of software.
-
@coliver Exactly. There is no excusable scenario here.
-
Not to mention... Lenovo has a fairly big market share even on the consumer side... if they didn't know that consumers hate ads then their marketing and research team failed... hard.
-
Yes, the adware alone was bad. Very bad. Trying to force ads onto a product that someone bought isn't okay. No one agreed to having their OS modified at the network level to have ads forced on them.
Then to break security and put people at risk for Lenovo's personal gain... even if they only intended to screw their customer and never intended to do anything worse, there is no way I will ever cross the line to touching Lenovo again.
-
Don't jump to conspiracy theories. This is very simple. Lenovo had a chance to make money and they simply don't care that they are breaking the law or putting customers at risk. Most customers will assume that it was a mistake and forgive them or, at best, forget because people don't remember these things for long. Lenovo isn't out to hurt anyone, that's not their goal. They want money and they just don't care if their customers are hurt or put at risk while they do it.
This is hardly the first vendor we've dealt with that is willing to knowingly steal data or put customers at risk to make a buck.
-
Yeah, it's pretty inexcusable, and their official post is mealy-mouthed PR crap. Here's a site that will check for the Superfish cert, if you need it:
https://filippo.io/Badfish/
-
I feel like we should all buy a Lenovo right now to get in on the sweet lawsuit money
-
@MattSpeller said:
I feel like we should all buy a Lenovo right now to get in on the sweet lawsuit money
Sweet, sweet lawsuit money. Just make sure it was shipped between October and December of last year.
-
@MattSpeller said:
I feel like we should all buy a Lenovo right now to get in on the sweet lawsuit money
Congratulations End Users, You get $7.45 for all the trouble Lenovo has caused you.
-
@IRJ said:
Congratulations End Users, You get $7.45 for all the trouble Lenovo has caused you.
See! It is all a scam to get us to purchase more Lenovos! /s /tinfoilhattery