Lenovo's Response to Its Dangerous Adware Is Astonishingly Clueless (wired.com)
397 points by taylorwc on Feb 20, 2015 | 214 comments



Microsoft is currently doing Lenovo's work for them: https://twitter.com/FiloSottile/status/568800260111388672

The latest version of Windows Defender is actively removing the Superfish software and the cert.

The text of the definition is here: http://pastebin.com/raw.php?i=us7iXvkn


At least "Lenovo US" is owning up to it. https://twitter.com/lenovoUS/status/568578319681257472 Not sure how they're connected to the "Lenovo" that issued that statement.


Seems to be a lot of self-righteous moral crusaders on Twitter, and some on HN too, who won't be satisfied until they see Lenovo employees hanging from lamp posts...


The people who made the decisions involved here essentially hacked hundreds of thousands of PCs and defrauded their customers. I don't expect anyone in Lenovo to be punished for a crime, but there's no doubt they did something clearly unethical and borderline illegal. Their best possible defense is that they were just incredibly negligent.


Not sure that you have to be especially self-righteous to think that there is some level of betraying user trust that ought to actually have some kind of negative consequences for people.


If this had been done by a private person instead of a corporation, they would be looking at prison time. The double standard is frustrating.


Let's not get too hyperbolic here. Lenovo compromised user security for profit. There should be consequences for such gross misconduct.


Violent murder is not an appropriate response to this, but certainly somebody (probably multiple people in the upper echelons of Lenovo) should be fired. The damage to Lenovo's reputation from this is enormous.

Even if 'average people' have no idea what a certificate is or why it's important, those who do have an outsized influence on PC purchasing, and are likely to remember this for years.


That's good. It seems too few consumers get a clean Windows experience, and this fiasco has quickly become the chief example. You'd think MS would want to address that, perhaps by hardening their OEM licensing.


Every AV should be doing this. Is MS the only one doing it?


Defender is my current Windows anti-malware software of choice. Basically, because they don't feel they have to shill so hard as the other AV companies, and this makes their user experience suck the least.


Yes, and: it's preinstalled on Windows 8, it costs nothing, and it's made by the very same company whose product it tries to protect, so incentives and motivation are clear (an exception to "if you're not paying you're the product").

It's quite a convincing product, quickly becoming an integral part of the OS. And rightfully so.


> It's quite a convincing product, quickly becoming an integral part of the OS. And rightfully so.

Not really. Microsoft, itself, actually suggests that you use a third-party antimalware product.

It scores pretty low on AV-Test.org[1] too, but it's better than nothing.

[1]: http://www.av-test.org/en/antivirus/home-windows/windows-8/


For that matter, were AV vendors intentionally looking the other way with Superfish, or any other nasties?


ESET's NOD32 prevents Superfish from being installed. I'm not sure if it does any more than that though.

http://i.imgur.com/NCfBs6K.png


As well Microsoft should be.

Its brand is as tarnished (if not more so) by this sort of crap.

Not that Microsoft's own hands are clean or that the issue of crapware preloads isn't a massive problem.

Google should also be paying attention: Android preloads are also increasingly a massive turn-off.


This is really great, but the real question is will users actually see this on a default Lenovo OS build? Can anyone confirm that Defender doesn't get disabled in favor or say... McAfee or Symantec?


Per OEM appeasement, if there is a 3rd party AV software installed, Windows Defender auto-disables. So many Lenovo users will have an issue.

ArsTechnica covered this issue in their reporting today http://arstechnica.com/security/2015/02/windows-defender-now...


Doesn't seem to remove SuperfishIEAddon.dll file nor related registry keys.


This is the right action from their side, most of the users are not security specialists, somebody should watch out for them.


15 years ago this would have led to rioting on slashdot and Usenet. How dare Microsoft remove someone else's software?

I'm generally in favor of MS doing this specific thing, but there is potential for abuse here.


No 15 years ago Microsoft would have been the ones installing it.

I think Microsoft went from being a hated software giant to sort of an underdog vis-a-vis Google, Facebook, Amazon and Apple.

They are very big and strong no doubt, but I think the attitude they are projecting since switching CEO recently, their open source efforts, and such make them look pretty good PR-wise among the tech crowd.


Microsoft has done some shady things, but at no time in Microsoft's history would they have installed this.


Seems more like a Sony/Samsung move than a Microsoft one.


NSAKEY ...

Though I believe virtually all preloads were OEM actions, not Microsoft's directly.


NSAKEY don't count either.


I've never been fully convinced by arguments on either side of that discussion. Always struck me as suspicious though.

Hell of a name, you've got to admit.

Bruce Schneier's discussion at the time:

http://web.archive.org/web/20011005071623/http://www.counter...

One of his speculations:

it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

Though given alternative methods of bypassing any Microsoft security, not really necessary.


You should look into some of the stuff MS did in the glory years, such as deliberately breaking rival software from Lotus, Borland, and Apple.


I'm not sure how that's relevant to this. It's bad, as I allowed in my statement, but I'm not seeing other parallels.


In the past Microsoft would have been both installing it and having their security tool remove it (in a large organization the left hand does not know what the right hand does), then after figuring it out they would whitelist their own spyware from the removal tool. This may have actually happened.

The rest is simply PR; Microsoft is still the evil corp it used to be but has to fight other evil corps to keep a share of a market it once dominated. Microsoft had too much money to burn to die quickly; its agony will take quite some time.


> Microsoft is still the evil corp it used to be but has to fight other evil corps to keep a share of a market it once dominated. Microsoft had too much money to burn to die quickly; its agony will take quite some time.

I don't buy it. I think Microsoft seems to have actually made real changes. If you want an example of what a giant evil tech corporation dying slowly looks like, take a look at Oracle. Their core business is basically obsolete, but they'll go on killing open-source projects and squeezing their locked-in enterprise customers for many years.


They are not removing someone else's software though, they are alerting you to a security issue, recommending removal, and providing the tools to do so. That's exactly what an antivirus is supposed to do.


Sorry, but as one who was on Slashdot from pre-userid days, and is in general a huge critic of the company, bullshit.

Microsoft is in a hard place in terms of determining what is or isn't allowed on their systems (due in large part to their own past and quite probably ongoing monopoly abuses), but fixing obvious flaws is to be applauded.

I don't champion the company often, but they're doing the right thing here. Actually, sanctioning Lenovo for letting this happen might be another option they've got. Though something tells me they won't play that card (and quite possibly cannot).


This is only if Windows Defender is operational, in which case the user definitely wants the malware to be disabled/removed. It's akin to having a SPAM defender, in which you grant administrative rights to the owner of the Anti-SPAM tool to redirect spam to the bit-bucket.


Agreed. Seems like the lesser of two evils in this case. I applaud MSFT for realizing that the vast majority of their users will not have the impetus nor the requisite skill to remove this from their machine.


For all we know, Lenovo and Microsoft have been in communication and Lenovo asked or was ok with Microsoft doing this via Defender. Also, Defender specifically flags this issue as a "CompromisedCert", indicating that the impetus for removing it was not necessarily the app itself but because the private key for the cert was found and leaked everywhere.
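An added example, not from this thread nor from Lenovo or Microsoft: a report-only PowerShell audit of the Windows trusted-root stores for a certificate whose subject names Superfish, flagging the two conditions that make such a root dangerous (it is self-signed and its private key is present on the machine). Matching on a subject containing "Superfish" is an assumption; deletion happens only when you pass -Remove.

```powershell
# Added example (not from the thread): audit the trusted-root stores for a
# leftover Superfish root certificate and, only when asked, remove it.
# Assumption: the certificate's Subject contains the string "Superfish"
# (the vendor name used in the thread). Run as Administrator for the
# LocalMachine store.
param(
    [switch]$Remove   # default is report-only; pass -Remove to delete matches
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

foreach ($store in $stores) {
    $found = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' }

    if (-not $found) {
        Write-Output "[$store] no Superfish certificate found"
        continue
    }

    foreach ($cert in $found) {
        # A root whose Issuer equals its Subject is self-signed. If the
        # matching private key is also present (as the thread says it was,
        # and it was then leaked), anyone holding that key can mint a
        # certificate for any HTTPS site that this machine will trust.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        $hasPrivKey = $cert.HasPrivateKey
        Write-Output ("[{0}] FOUND subject='{1}' thumbprint={2} selfSigned={3} privateKeyPresent={4} notAfter={5}" -f
            $store, $cert.Subject, $cert.Thumbprint, $selfSigned, $hasPrivKey, $cert.NotAfter)

        if ($Remove) {
            # Certificates are addressed by thumbprint under the Cert: drive.
            Remove-Item -Path "$store\$($cert.Thumbprint)" -Confirm:$false
            Write-Output "[$store] removed $($cert.Thumbprint)"
        }
    }
}
```

Removing the certificate does not touch the Superfish program files or registry keys, which one commenter above notes Defender also leaves behind; those need a separate uninstall step.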


It tickles me that Superfish is a DFJ-funded [1] start-up based out of Palo Alto. Reporters are focussing on Lenovo's Chinese lineage. Yet this bubbled up out of our backyard, from our own lack of diligence (or scruples).

[1] Edit: Draper Fisher Jurvetson, the $4 billion Menlo Park VC firm that backed Baidu, Hotmail, Tesla, SpaceX and Twitter.


Looking over the executive team of Superfish (which, creepily, refers people to their LinkedIn profiles, presumably so they can see who is looking at them), I see that their Chief Product Officer (Cmpt. Science from Stanford, so obviously knew what was going on) is formerly from Zynga. Mark Pincus is (infamously?) known for his comments about how sometimes, when you are small, you have to do all these terrible things that you are really ashamed of, just so you can get big and never have to think about doing them again. In the case of Pincus, he was referring to the Zwinky toolbar that earns money by redirecting web searches to advertisements, oddly close to what just happened with Superfish/Lenovo.



What is DFJ?



How on earth can Lenovo/Superfish state:

"But Superfish tells us it stands by Lenovo’s assessment. “Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today,” a company spokeswoman said. “Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrong doing on our end.”"

Now that an official CERT announcement has been released:

https://www.us-cert.gov/ncas/alerts/TA15-051A

I think their misleading comments are going to come back and bite them more than they have already.

[EDIT - Looks like they are back peddling a little on: http://news.lenovo.com/article_display.cfm?article_id=1929

" Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. "

" By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort"

And on: http://support.lenovo.com/us/en/product_security/superfish

"Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. ... Superfish intercept HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern. "

]


> back peddling

Just because I've been seeing this mistake a lot lately: peddling is selling. Pedaling is the thing you do with your feet.


Reminds me of the story of "the ant letter". I'd describe it, but I'm interested to wait a bit to see if anyone else has heard/read it. Will describe it later if no one replies. I've not found it via Google despite a search.


I warned all my friends and colleagues who use Lenovos, and their answers were all the same. "Who'd be crazy enough to use the default install? First thing I did was (a fresh reinstall of Windows|install Linux)."

(Edit: Obviously this is not representative of the general population, and I didn't mean to suggest it was. I was just noting that my efforts to warn people about the untrustworthiness of Lenovo were thwarted because none of them trusted Lenovo to begin with, not for software at least, and that seemed interesting.)


This is repeatedly recommended, but I think it's overlooking that not all manufacturer customization is entirely evil. You then have to hunt down all the drivers for bits of the motherboard. Are you sure your power consumption settings etc. are optimal after you've done this? Have you installed all the drivers "manually" via their inf files? (e.g. Nvidia drivers come with their own pile of bloatware)


Lenovo does this for you with their system updater. It downloads and updates all drivers for your system, including bios updates and configuration tweaks that affect power and stability. It will install on a fresh install from Microsoft media - ie there is no need to keep what was preinstalled on the system. http://support.lenovo.com/us/en/documents/ht080136


I don't use those because I don't trust the manufacturer-provided "system updater" to only download drivers. What's to prevent them from surreptitiously installing their add-on garbage?

Even if it currently does not do that, I just don't trust it to not do that in general.


The Lenovo one is a continuation of the IBM one. You get to tick what you want, they show what the existing installed version is, as well as changelogs. There has never been any misrepresentation. I believe corporate types use the system updater too, and pissing them off by installing garbage would quickly annoy valuable customers.

It does not let you install or update the crapware that comes with systems. It is actually quite difficult to get that stuff other than saving it when you get a new system. BTW IBM/Lenovo have historically had way less crapware than other vendors. I think Lenovo got complacent in this case, hearing "you guys do less crapware than the others" and confusing it with "you are doing a perfect job". Less worse is not the same as doing good.

Someone's useful add-on is someone else's garbage. They have some software called Access Connections which provides more gui and control over networking, such as which access points to connect to based on location profiles and who knows what else. I don't want that since I mostly use Linux, and Windows does a good enough job when I am using it. The system updater has never installed it, nor tricked me in any way.


Here's a fun surprise: Microsoft allows driver vendors to ship arbitrary programs in addition to drivers. They will download and install these programs automatically. For instance, I bought some "gamer" mouse because it was the closest thing to an Intellimouse 3 I could find. Suddenly I have a \Program Files\Razer directory, and a popup on install telling me to register and do all this other stuff.

So if Lenovo was evil, they can just ship shit in their drivers, get it certified by MS, and have it distributed automatically by Windows Update driver install.


For Lenovo you can download the SCCM package for the given model. Includes all necessary .inf files and does not install anything itself (designed for use in corporate deployments).


I mean, sure, you do, but that takes less time than removing all the stuff you don't want.


But by tying in good and quite obviously bad customizations, you're attacking the entire value proposition of a vendor preload.

It's why I've, in general, never trusted them.


Yes, not all manufacturer customization is evil. But my point is that no one in my circle trusts the manufacturer enough to leave any of it on their machine.


I'm on my 4th Thinkpad. I always do a fresh install of Linux, would never trust the pre-installed crap.

But now that I know that Lenovo is a piece of shit company with zero integrity, I don't even want to trust their hardware.


I despise Lenovo. Purely from an engineering quality aspect, they aren't remotely close to IBM. I've been on the T440p for a year now, and I utterly hate using it. Every time I'm not docked, I'm really, really, annoyed. (Compared to feeling great when on the X201.)

But what am I gonna do? There's essentially no options to replace an old X-style ThinkPad. The newest Carbon X1 is as close as anything. Everyone else is moving to the Apple-style clickpad, which is unacceptable. HP and Dell sell mostly crap. Apple's devices are hot and unergonomic (apart from questionable Windows driver support).

So good luck not trusting them. And I doubt HP'd do any better.


I'm at the level of hardware trust issues myself.


I use a default install and I'm a techie. I just remove the bloatware first.


The last Lenovo laptop I got came with Norton. I uninstalled that completely. Then I went to download Chrome which Norton decided to protect me from. Uninstall means different things, and they never uninstall completely/cleanly. In this Superfish example they would have left the dodgy certificates behind. The only way you know you have a good install is to do a clean install, rather than attempt surgery on the crap that got shipped.

Fortunately Lenovo do have a system updater that does a fantastic job on driver downloads etc.


Sometimes this is the only way to get CPU scaling to work properly, as the drivers for the laptop's particular quirky ACPI implementation may not be available separately. It's no fun having a clean system that either runs at 1999 speeds or burns a hole in your desk. Linux can be a bit better on some systems, but worse on others.


On that note, Microsoft seem to have taken down the windows digital downloads, OEM CD keys don't work. How would you do a fresh install now?


I followed this a few weeks ago:

http://windows.microsoft.com/en-CA/windows-8/create-reset-re...

Got me a 8.1 ISO, installed with a volume key.


I had trouble finding Windows 8.1 iso files, but Windows 8.0 isos were easy to find, and upgrading was simple.


I'm still sticking to Windows 7, the Windows 7 OEM disks are now behind a barrier which requires you to put in a valid key only from certain retailers.


I didn't ask them. Maybe piracy + "I have a Windows license so it's ok-ish" rationalization.


Piracy is hardly a "clean install". I wouldn't be surprised if a decent-sized number of the bootleg Windows installs out there are heavily-rootkitted.

I haven't seen any recent statistics, but at one point, 74% of rootkit infections were on pirated copies of Windows XP [0]

[0] http://www.zdnet.com/article/study-rootkits-target-pirated-c...


I think that this may actually be attributed to the lack of working Windows Update on a lot of pirated systems.


Yes and no. There is at least one case that I can remember[0] of pirated software being modified to download and install a virus.

According to Microsoft[1], 32% of pirated Windows 7 copies and activation cracks resulted in some sort of malware infection.

Speaking anecdotally, most of the friends and family whose computers I've had to clean up have been running some sort of cracked/pirated software that they'd downloaded or had been given to them by a friend.

[0] http://voices.washingtonpost.com/securityfix/2009/05/pirated...

[1] Admittedly, Microsoft has somewhat of a bias, but the number sounds reasonable to me: http://archive.news.softpedia.com/news/32-of-Pirated-Windows...


Piracy is actually quite hard on Windows 8+. The way it is licensed is way different from the past and the current circumvention methods require repeated reactivation and break a lot.

Note: I do own Windows 8.1 Pro, so don't think this is based on my experience pirating the software. I merely have examined the licensing system for some software I was writing.


The CD for the clean install is included in the Home versions? Interesting.


It's not, but you don't need one. You can make your own disk or USB pretty easily: http://windows.microsoft.com/en-us/windows-8/create-reset-re...


This is one of the things that Microsoft gets right, that I wish Apple would do better.


With Macs you have multiple options. The first being much easier than a typical Windows PC.

1) Boot into Recovery mode (Cmd + R), then use Internet Recovery [1] to install OS X. This works even if your HDD or SSD is completely blank. All Macs from around mid-2010 onwards are supported. [2]

2) Download the latest OS X installer from the Mac App Store, then either use the bundled 'createinstallmedia' command-line app to create a bootable USB flash drive [3] or a third-party app called DiskMaker X [4].

[1] http://support.apple.com/en-gb/HT4718

[2] http://support.apple.com/en-gb/HT202313

[3] http://support.apple.com/en-gb/HT201372

[4] http://liondiskmaker.com/


Apple provides Recovery Disk Assistant, which is more or less the same thing.

Also, when the SSD in my Macbook Air failed, I was able to netboot their internet recovery thing, which let me install OS X on a USB3 hard drive. Pretty cool.


Apple provides Recovery Disk Assistant, which is more or less the same thing.

I see. They have that stuck into Disk Utility now. One point to Apple.

Disk Utility is a bit kludgy nowadays, though, and it seems they're not doing as good a job as MS publicizing the tool. (Too small a sample size here, but I ran across the MS tool by accident while searching/browsing. With Apple, a human had to tell me.)


You live in a bubble. There are plenty of people who use Lenovo products that are not tech people. By saying this, even though you don't intend to, you are minimizing the effect of this and being an apologist for Lenovo.


Well, I wasn't trying to do that. I'll edit my comment to make my intent more clear.


An intellectual should always be wary of semantic equivalents to, "You're either for us, or against us." In greatest part, because this is one of the major symptoms that one's consciousness is partly clouded by group psychology.


I don't like the attitude that if there's a problem, you aren't allowed to say anything along the lines of "here's something that makes it less of a problem than it might be".


While we're at it, Lenovo's statement that we might enjoy the adware: "The relationship with Superfish is not financially significant; our goal was to enhance the experience for users" is self-evidently bullshit.


The key word is significant. They're not claiming they didn't preload this software for money, they're just saying it wasn't for very much money. Such a small amount of money that they have no problem ending the relationship now that it's causing them problems.

My wild guess would be they got in the ballpark of $0.25 an install.


Which kinda sounds even worse. It says essentially that they're willing to break critical security components on their entire product line for pennies per device.

Hey Lenovo, can you install this root cert I made on your entire product line for me? I'll give you like $20 for it. It's at least better than Superfish - I promise not to include the private key with a trivially-crackable password in the install, so only I can intercept all secure communications by any of your customers, instead of anybody in the world.


I think it's more likely they don't thoroughly audit every piece of crapware they allow to install.


Or even casually... hopefully that'll change now.


A different way to frame the comment might be something like: "we were willing to sell out your privacy and security for a mere pittance, 'cause we're cheap whores".


I assume they didn't intend to compromise security. I think it's more accurate to say that they stiffed their users with adware that nobody wants in exchange for a little bit of money, and that they were so indifferent to security and privacy while doing it that they either didn't notice or didn't care that it was a fundamentally bad idea.


In my opinion that is worse. Most any clueful technocrat can tell you that injecting traffic into HTTPS sessions is a MITM attack. I am willing to bet that fact most certainly did make it to an executive level (certainly at the fishy company) and a choice was made to not care about that problem.

The road to poor security is paved with indifference.


My co-worker Tom has this mental model he calls the "prostitute-physician scale." Basically, it's a scale for measuring how willing you are to simply take the client's money and do whatever, versus giving advice in the best interest.


I think many sex workers with personal standards would be insulted by your comparison with physicians, who seem to be happy to take money (not your money, I guess) to push drugs that may or may not actually help you[0].

[0] https://www.youtube.com/watch?v=YQZ2UeOTO3I


I think many sex workers with personal standards would be insulted by your comparison with physicians, who seem to be happy to take money (not your money, I guess) to push drugs that may or may not actually help you[0].

I do not object to this notion at all! For one thing, it's not my comparison, it's my co-worker's. Also, an "inversion" of the scale's sign would serve as a sharp and salient commentary on problems in our society.


For me the key word is "enhance". Why would Lenovo go to the trouble of bundling this, knowing full well that it doesn't actually enhance anything for end users?

Hint: It starts with $ and ends with $.


"Enhance" is the weasel word you use when you want to try to convince someone something is better, but you can't actually explain in detail what's better about it. Whenever you see a marketing claim that something is "enhanced" the warning bells should be sounding.


I'm not even that miffed about being a product and not the customer; I am incredibly miffed that I'm apparently one of the products in the discount bin.


I am miffed, actually. I own a Lenovo laptop and it was not cheap. Fortunately it dates back to well before this thing and has a clean OS install anyway, but.

They sell laptops. It's not a free service, I am the customer not the product. Did Lenovo have a pressing financial need for these extra pennies on the side? Really? How is that benefit vs risk calculation looking now?


I wonder if this is actually true at all? I mean, yes, everyone around here absolutely abhors software like this, but there is a class of people who love hunting for bargains and accumulating coupons etc. Is there someone who buys a laptop like this and enjoys the additional advertisements? I always wondered the same about those annoying toolbars, I imagine some people actually perceive these as useful.


The more they deny this is a problem, the more it damages their reputation.

They should just admit the problem, thank the security experts, and develop an easy fix.


Their PR style is a bit outdated. Denying and minimizing worked before very well -- major news sources would publish the official denials only and it would kind of stop there.

And most of all it helped if there would be litigation. The thought goes that if the CTO goes on record admitting guilt, that is a slam dunk case for anyone suing them.

Therefore the typical corporate non-apology apology "I am very sorry you feel this way" kind of bullshit.

The problem of course is information sources are a lot more diversified, with Twitter and other media bubbling up tech news to the top faster.

The other problem they are facing is a lot of technical people were their proponents and would advocate and drive purchasing decision (in turn putting their own reputation on the line). This is where it is going to hurt them.

Something to the effect of "We are very sorry, this was a mistake, here is how to remove the software, we'll send you free software or Lenovo.com discounts. We'll cut off our relationship with this company. Etc, etc.." I think would have been much better for them in the long run.


They did admit the problem and linked a page describing how to remove SuperFish.

> We're sorry. We messed up. We're owning it. And we're making sure it never happens again. Fully uninstall Superfish: http://lnv.gy/182BW8g

https://twitter.com/lenovoUS/status/568578319681257472


Only after various rounds of denials followed by backlash against them. Even their "removal" instruction initially failed to fully remove the root certificate. Every single step they made PR-wise was too slow and just reactionary to the backlash. Somebody up there should be fired and replaced.


Oh, OK. Was not aware about that.


Then there's a disconnect between the PR people who handle that Twitter account, and the PR people who are quoted in this story.


Note that Lenovo has now removed the statement from their article:

“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”


Looks like they also removed a number of posts in the forum where the discussion started, including a post where a moderator wrote that customers asked Lenovo for this kind of service. The same moderator also pointed out that it was against the community rules to argue with moderators...


They changed their statement. Now there is no mention of the issue not being "security concern" (http://news.lenovo.com/article_display.cfm?article_id=1929)


Great... I'm the last person in the startup world still using a PC, and it happens to be a Lenovo.


Is it a Thinkpad, or a consumer model? The Thinkpads were never involved in this.


Well, given that they are morally corrupt enough to do this to their customers, why not expect them to have similar trojans or backdoors on Thinkpads?

If we assume firmware is safe, wipe it and do a clean install from trusted media.


Because the business and consumer teams at Lenovo are largely separate. I can't order a Yoga through my Thinkpad rep. I have to go to a retail vendor and use a credit card. I expect there are lots of people at the old IBM offices in New York who are as horrified as we are at what the consumer team agreed to.


Can we assume their firmware is safe though?


No. Firmware has been a part of the "trusting trust" conundrum for several years now.


Thinkpad T430s. It's a year old so I'm in the clear upon more detailed reading of the article. I usually do a clean install but when I bought this box it came installed with Win 7 and the discs I got were Win 8 only. Didn't come with a Win 7 serial. This is what I get for buying from a reseller on Amazon.


T430s user here - you should be proud. Did you know Coreboot started supporting the T430s a week back [1]?

[1] http://www.phoronix.com/scan.php?page=news_item&px=Coreboot-...


If you have Windows installed I think you can extract the license key from it (assuming Windows is genuine), then use it to do a clean install, or just save it for posterity in case the hard disk ever dies. As far as I know this is fine WRT Windows EULA.


No, you can't - not in Lenovo's case. The reason for this is that the keys for Lenovo correspond to a very special Windows release that Microsoft specially bakes for Lenovo. You cannot use the keys on any other ISO. This is also a big problem - you can't download these ISOs (unless some *rrentbay) and Lenovo does not give you CDs readily.


Hey, I use a desktop machine. That paints me as some kind of startup weirdo. Granted, it runs Linux, but still, it doesn't fold in the middle or have its own monitor and keyboard built in.


The time period where Superfish was included was a relatively small chunk of 2014, so you may not be impacted.

A good general guideline when buying an off-shelf Windows machine is to do a full wipe first. There may be some manufacturers who are immune to this, but assume everyone's included some bloatware. I find too many people who buy Windows machines start by attempting to manually remove this stuff, which is often a hopeless proposition. Clean wipe, reinstallation.

This isn't the reason why most startups/devs have moved to Apple, but it sure helps.


assume everyone's included some bloatware

We programmers should use this as an analogy for dealing with everyday psychological issues.


And you're still running the OS that it came with? Even if you want to keep Windows, always reinstall fresh. It's far easier than trying to hunt down every piece of malware they put on it.


This is repeatedly recommended, but I think it's overlooking that not all manufacturer customization is entirely evil. You then have to hunt down all the drivers for bits of the motherboard. Are you sure your power consumption settings are optimal after you've done this?


Windows has gotten pretty good at finding and installing drivers for you. I'm not sure about 8.1 (only used it briefly on a tablet that came with it installed) but with the 10 preview it has found and installed all the drivers I needed for the two Thinkpads I tried it on. It didn't download the Lenovo power management utility which is key to really squeezing the most out of it, but in my experience it isn't significantly better than Windows power management + keeping the screen brightness down (which is what the Lenovo utility does anyway).


I was under the impression that Lenovo supplies a lot of computers to government and enterprise contracts around the world. Was Superfish only installed on consumer oriented devices, like the ones typically found at Best Buy? I realize most large enterprise would re-image their computers before deployment. I'm shocked that Lenovo would release such a statement. The damage to its credibility is significant.


Yes, it was only installed on their consumer oriented machines. Their T model ThinkPads don't have it installed.

Now the question is of course what else are they installing and what other yet undiscovered issues we'll find. It sounds like FUD but so far based on their response, they seem either incompetent (stupid) or malicious. And I don't exactly like either...


I never quite got this distinction between consumer and non consumer machines, when you can buy high end ThinkPads (but not the blocky T models) at a retailer that are just as nice as big old blocky good old ThinkPads.

I'm really interested if a high end (but "consumer") ThinkPad like http://www.microsoftstore.com/store/msusa/en_US/pdp/Lenovo-T... that you can buy at a retail store (in this case, a special MSFT Store version that has plain Windows supposedly on it) was infected.


I loved (well still do) my T model. It has a strong magnesium case. Very solid. Heck it lasted 7 years. Including travel and other abuse.

It didn't have bloatware crap installed (as say US govt or big companies would not like that). It came with a smart card reader and such. Had a fingerprint scanner (back when they were not common).

Initially also they didn't have all these "consumer" models (Y,G,W,...).


Consumers are often willing to buy poor, unreliable equipment to save a couple hundred dollars, but most businesses are not willing to do that.


Lenovo's response is not astonishing in the least; it's the expected behavior. They made a business decision to include adware in order to raise some extra revenue and then got caught. The default response is to underplay the importance of it, sweep it under the rug and hope no legal action will happen.

A few months ago there was an HN story about a car manufacturer who had made the decision to use cheaper parts for the ignition. They had the critical internal reports from engineers, and when the deaths started to pile up they did the same thing as Lenovo. Act clueless, downplay the issue, make a fix, and silently move on. So long as it's just customer outrage, it is perfectly fine to do borderline illegal things in order to raise some revenue.


Can someone explain to me how Graham claims he can decrypt the intercepted traffic? The proxy communicates securely with the intended website. It's just the browser <-> proxy communication that's vulnerable, but that's local on the machine, no?


I'm wondering the same thing. As far as I understand, the proxy is local to the machine, so HTTPS traffic over Wi-Fi should be past the proxy and therefore encrypted using the real certificate.


The installed backdoor certificate is trusted as a root certificate. Its private key is contained in the MITM software, and is now known publicly. So anyone can now create phony certs signed by the backdoor cert, and Lenovo machines accept them as valid.

Here is such a page:

https://badfish.filippo.io/yes.png

That's an image of the word "Yes" signed with the Superfish certificate. If your browser shows that image without warnings about an invalid cert, the backdoor exists.


Right, but this only means you can decrypt data coming from websites using a Superfish cert. It doesn't mean you can decrypt your bank traffic because you have this proxy installed, which is what Graham is claiming.


Yes, it does mean others can decrypt your bank traffic.

Here's how this type of MITM attack works.

Situation: user is using laptop in public location with WiFi. Between WiFi device and net is a computer with MITM software.

Client laptop requests "https://www.bigbank.com". MITM box gets HTTPS request, sees it is for "bigbank.com", and generates a fake cert for that site. It then uses the Superfish root cert to sign the fake cert. MITM box acts as server for that connection and sees the user's traffic in the clear, unencrypted. The Lenovo client laptop sees a valid cert chain descending from the Superfish cert installed by Lenovo. The user sees a green bar and lock icon.

MITM box then opens an HTTPS connection to "https://www.bigbank.com", and acts as client for that connection. The two connections are connected together as a proxy, so that the user sees what looks like a valid HTTPS connection. The MITM box can log everything, including bank passwords.

There's even open source software for doing MITM attacks: https://code.google.com/p/subterfuge/
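The scenario in the comment above in runnable form, as an added example that is not part of the thread: a certificate for www.bigbank.com validates only when the root that signed it is in the verifier's trust bundle, and a bundle can be audited for a suspect root. It assumes only the openssl CLI; every key, name and the "Planted Root" stand-in for the Superfish root are constructed here, and on a Windows box the check would run against the certificate store rather than a PEM bundle.

```shell
#!/bin/sh
# Added example (not from the thread): shows why the trust store decides
# whether the fake bank certificate is accepted, using only the openssl CLI.
# All keys and names are constructed; "Planted Root" stands in for the
# Superfish root whose private key became public.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed legitimate root, standing in for a public CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
    -subj "/O=Example Public CA/CN=Example Root" \
    -keyout legit.key -out legit.pem 2>/dev/null

# Constructed "planted" root: the kind of root an adware installer drops into
# the trust store, with a private key everyone can obtain.
openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
    -subj "/O=Planted Adware Inc/CN=Planted Root" \
    -keyout planted.key -out planted.pem 2>/dev/null

# issue_leaf <root-name> <hostname>: sign a certificate for <hostname> with the
# given root, writing <hostname>.pem. Anyone holding a trusted root's private
# key can do this, which is exactly the problem the thread describes.
issue_leaf() {
    root=$1
    host=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$host.key" -out "$host.csr" 2>/dev/null
    openssl x509 -req -in "$host.csr" -CA "$root.pem" -CAkey "$root.key" \
        -CAcreateserial -days 7 -out "$host.pem" 2>/dev/null
}

# check_leaf <bundle.pem> <leaf.pem>: verify the chain against a trust bundle
# and print OK or FAIL instead of exiting, so the result can be compared.
check_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# find_suspect_roots <bundle.pem> <grep-pattern>: the defender's audit. Print
# the subject of every certificate in the bundle matching the pattern, e.g. an
# adware vendor's organisation name. Prints nothing when the bundle is clean.
find_suspect_roots() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | grep '^subject=' | grep -i -- "$2" || true
}

# What the trust store should hold, and what a Superfish-style install leaves.
cat legit.pem > clean_bundle.pem
cat legit.pem planted.pem > tampered_bundle.pem

# The fake bank certificate from the scenario, signed by the planted root.
issue_leaf planted www.bigbank.com

echo "clean store:    $(check_leaf clean_bundle.pem www.bigbank.com.pem)"
echo "tampered store: $(check_leaf tampered_bundle.pem www.bigbank.com.pem)"
echo "suspect roots in tampered store:"
find_suspect_roots tampered_bundle.pem "Planted"
```

The same certificate fails against the clean bundle and passes against the tampered one; the only difference is the trust store, which is why removing the root matters more than removing the proxy software.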


If you have a computer between the user and net, then yes all bets are off because you can generate certs the browser will trust.


Only if the root cert store of the user's machine has been tampered with. If you have a valid cert store, you can detect MITM attacks on HTTPS connections.


yep. I was referring to superfish's case.


The proxy accepts fake certificates so you can MiTM anyone. It does not properly verify the remote site's certificate.


Yes, but MiTM isn't the same as sniffing packets over a wifi in a cafe, which is what Graham claimed.


If you can read (sniff) WiFi in a cafe, you can write (MiTM), so the difference isn't really important, is it?


Usually sniffing refers to capturing packets. But yes if you can read and write then you can definitely decrypt the traffic since you can provide the user with a trusted cert.


That's one example of management being utterly technologically incompetent, which unfortunately is the case in a lot of Chinese companies.


Thankfully American companies _never_ have technologically incompetent managers...


s/Chinese//

It's not as though we haven't thought about replacing management with shell scripts...


Superfish is an American company. Lenovo may have been dumb enough to be suckered by it, but they weren't dumb enough to create it.


komodia.com admits to undergoing a DDoS attack at 2300 hrs UTC (Fri 20 Feb 2015)

(komodia is apparently the underlying tech for the superfish thingy)


It is not astonishing that a company that would do this would also lie about it. They knew what they were doing.


If anyone knows someone who has purchased an infected Lenovo with Superfish, send me an email. My wife is a class action attorney and is conducting an investigation in the matter. Eire1130 (at) gmail (Dot) com


Kudos to MS, srsly. lol the amount of positive press that MS has been garnering recently on HN is impressive.


[flagged]


> Don't think it is purely happenstance.

I agree that it's not purely happenstance -- I think Microsoft the company is making a genuine bid to be relevant again.

It's a desperate bid, and I don't think it's in their DNA to succeed, but it'd be great if it happens. Personally I avoid using MS whenever possible; I still have to use Word and Excel to communicate with others, and some conferences still require a PPT file.

Even back when Microsoft was a big player I never found the Windows programming model technically appealing, but even if I had I would have stayed away because their anticompetitive approach was too risky and hostile for me to be willing to depend on. They became addicted to that instead of technical excellence, which is why I think this effort will fail, no matter how sincere the commitment is at the top.

But they do employ many smart people and surely it is good if we have more sources of good technology (where good is a combination of technical excellence & good policy). So why not encourage them in the hope they get their shit together?


Microsoft always has had pockets of technical excellence. It's also always had the problem of the left hand not knowing what the right hand is doing. This seems to be somehow built right into the company's structure. (So not DNA, more like epigenetics.) Perhaps these are just the problems faced by any big company in a nutshell?


> It's a desperate bid, and I don't think it's in their DNA to succeed

I'm not so sure. I think their DNA is changing pretty rapidly these days. Office for iOS is better than Office for Windows RT. Windows Azure services are actually really good, with tons of documentation on how to use them across all platforms (iOS, Android, Javascript, Node.js, etc).

It feels as though the last few decades, every team has been beholden to the Windows/Office hegemony, whereas now teams have the direction to make a good product on their own terms. Without having to answer the question "how will this keep Windows/Office dominant", the massive amount of talent at Microsoft can finally start to shine, and I really think we're starting to see the genesis of that environment lately. It's too early to tell, but I'm pretty hopeful.


shrug. I thought someone needed to do machine learning as a service, especially that can be accessed from Python, so I upvoted an article on Azure. I think presentation should be separate from data, so I upvoted a comment on posh.

I'm an OS X / Linux person (my name's probably in your distro somewhere) and sometimes Microsoft does good stuff.


And, strangely, I didn't say otherwise. I'm typing this message on Windows. My main development IDE is Visual Studio. My primary RDBMS platform is SQL Server, deployed of course on Windows.

Yeah, the strawman that Microsoft can do no right is pretty easy to knock down, but has absolutely nothing to do with the context of this.

Again, a post on the second page (a ridiculous, extremely low quality post that had to be flagged off the front page) saw my benign comment get -11 within 60 seconds. I've never seen that before, much less for a completely moderate comment. I've seen this extremely pro-Microsoft moderation hit other threads hard, and it seems pretty obvious that it isn't by accident.


And, strangely, I didn't say otherwise.

The part that 'nailer' is correcting is your statement that "There is absolutely and unequivocally either brigading Microsoft fans, or paid shills, hitting HN hard.". You accused him (and me, and others who voted up this story) of being either a "brigading Microsoft fan" or a "paid shill". Your comments are being downvoted because individual users think that they are rude and false, not because of an organized pro-Microsoft movement.


You accused him (and me, and others who voted up this story) of being either a "brigading Microsoft fan" or a "paid shill".

Sorry, but that's just false as far as I can tell. He cited those things as the reason for his other comment's moderation. Please quote the text from which you draw your conclusions of attribution.


jhou2: the amount of positive press that MS has been garnering recently on HN is impressive

engendered: Don't think it is purely happenstance. There is absolutely and unequivocally either brigading Microsoft fans, or paid shills, hitting HN hard.

My interpretation might be wrong, but I take jhou2's "positive press" to mean stories such as this one appearing on the front page. I interpret 'engendered' as saying that these stories would not appear on the front page if it were not for "brigading Microsoft fans" or "paid shills". Since the story is on the front page because of user upvotes, and although there could be dispute about all vs most vs some, I read this to be accusing those who voted up the story of being one of these things.

In my read, he attributes the downvotes on his comments to the same faction, uses this as evidence that the faction exists, and thus can also be held responsible for elevating this and other Microsoft-positive stories to the front page. I think he's wrong, don't think the "brigading Microsoft fan" has much of an influence on HN, and doubt that Microsoft is paying anyone for getting things on the front page.

I'd happily consider evidence to the contrary, but I think the downvotes to engendered's comments are due to other factors, and that the pro-Microsoft stories are appearing more frequently on HN because they periodically act as a positive force. I don't know how prevalent my attitude is, but I find these stories interesting in a "Dog Bites Man" fashion. I am more likely to vote up a good deed done by Microsoft because I find it to be more noteworthy than a good deed done by others.


My interpretation might be wrong

Thanks for that moment of intellectual honesty. The following two paragraphs strike me to be as much of a stretch as his theory.

I am more likely to vote up a good deed done by Microsoft because I find it to be more noteworthy than a good deed done by others.

Credit where credit is due is commendable.


When startups choose tech these days based on what HN thinks is cool and hip on the day the decision is made, you can't blame tech companies for noticing this and trying to turn the odds in their favour.


You're getting downvoted for tone because of your repeated accusations of shilling.

In general any post that accuses other people of being a fanboy or a shill will attract rapid heavy downvotes, regardless of which company is criticised or which company is accused of shilling. This is probably a good thing.

There is plenty of anti-MS sentiment on HN that doesn't get downvoted.


People do have strong opinions and favored suppliers and sports teams, but generally there is a polite way and an impolite way to disagree with something :-) Stating that a given sports franchise "sucks" and anyone who thinks it doesn't is "stupid" is a great way to start a brawl in pretty much any sports bar, and discussion forums like HN are no different.

And like sports teams, companies are constantly changing: they are getting new employees and new management and new ideas. So the idea that any company is "good" or "bad" is unsupported on its face; all we can ever say is that "this action" or "this decision" was good or bad and the criteria by which we have judged it.

Microsoft's decision to immediately cleanse this injector code as 'malware' was, in my opinion, a "good" decision. Based on the reasoning that it is better for the users and folks like my Dad who doesn't know how to get it off his system is helped by this.


Better yet would be killing any komodia cert (I don't think that's what they did), since even the spy-on-your-kids products have the effect of breaking ssl.


The reason it saw that was that 1) your post was inflammatory, and 2) it was completely content-free. The very same reason I downvoted this.

Yelling "shill!" does nothing but decrease the site's SNR. It's not helpful in any way.


There's also the possibility--very distant, I know--that Microsoft has been put into the odd position of being an underdog in many areas, which gives it the flexibility and necessity to act morally to make inroads against competitors among consumers.

Of all the BigCos, MS seems the best to me right now, and I say that as a guy who's made a habit of buying a Lenovo laptop every year or so and immediately installing Linux on it.


> There is absolutely and unequivocally ...

I down-voted you for this and nothing else that further followed.

Because anyone that believes in a) absolute objective truth and b) that they possess that said truth, is a person that will generally be wrong in many ways on whatever follows (or at the least, if this was an out-of-character emotional response, it will lack the needed logic and reason based evidence to support the statement).

Also, starting out a discussion with kill terms that accuse and label anyone who does not agree with the given POV, is not cool.


Oh, please. Your post was downvoted because it accused people of being MS shills - just like this one.

https://news.ycombinator.com/item?id=9074704


I downvote any post made complaining about "obvious brigading" or complaining or the vote score and I doubt I'm alone.


I hated Microsoft for years, for all the stupid garbage they pulled. Antitrust stuff, terrible software, mismanagement, etc. Even after switching to using a Mac full time, I still had to deal with awful Office documents with undocumented changes, or 'XML-based' documents with undefined data formats. Sending my resume to someone and finding out the entire thing had been reformatted into Courier New and lost all my indenting, making me look like an idiot, etc.

But lately, things have changed. Apple is the new Google, loved by the tech world. Google is the new Microsoft, using their market power to do dumb stuff that no one really cares about, and Microsoft is the new Apple, the underdog who got left behind by changing technology and ego and is making a serious, determined effort to become and stay relevant, to put out good products, and to regain their position as a market leader (earned this time, and not strong-armed).


Oddly insightful for such a simple analogy. Out of curiosity, what products do you use from these companies? (Eg android phone, mac computer, microsoft xbox?)


Does everything have to be a conspiracy? So either Microsoft is building some good and interesting stuff, or there's some conspiracy to target HN that would get them...what, exactly? +Karma here?


Not just karma, too many lazy engineers choose their stack almost solely on a quick scan on HN to see what's cool.

You can date many startups by first looking at their stack, and then checking when that stack was cool here.


Not only here but in general "coolness" is one of the main factors for choosing tech in startups.

2008 - So did you rewrite your PHP apps in Ruby?

2012 - So did you rewrite your Ruby apps in Node?

2015 - So did you rewrite your Node apps in Go?


I'd dispute the 2015 one. There have been lots of Go related articles on HN, but Go usually gets a mixed reception.


I think it would actually be pretty interesting to do some kind of visualization over time with popularity of languages and mentions on forums like this.


For nearly any reoccurring subject on HN, someone on HN likely believes any non-negative comments about it are the result of shills.


[flagged]


It's no secret that we've had problems with pro-Microsoft astroturfing on HN in the past. But the way to deal with this is not to make angry, substanceless accusations and then complain when the community responds poorly. Please stop.

I'm going to detach this subthread as off-topic now.


Without discounting the possibility that there may be some astroturfing, I think it's far more likely that you've run afoul of community expectations.

The HN guidelines specifically suggest you resist commenting on downvotes, and people take that seriously here. Editing your comment to add meta-commentary on votes will generally just get you more downvotes.

Additionally, your comments are fairly polarizing. You make statements about how something is obvious, but then provide nothing besides anecdotal evidence. If it's that obvious, real evidence should be easy to show; otherwise it's possibly not as clear as you think. You could possibly have avoided this problem by framing it as a question and leaving an opening for someone to provide a better answer. This also invites people who disagree, or have a different interpretation, to engage in a useful way, rather than starting off in an antagonistic way. For example, stating something "absolutely and unequivocally" without evidence won't generally be seen as useful to the discussion here.


No, not intentionally naive, but perhaps intentionally not cynical. I'd like to believe that a technology company, such as Microsoft, relies on a bit more than buy-in and advocacy. Perhaps the soundness of a product, for example.


Maybe you shouldn't jump on top level posts with nothing but paranoid speculations and that wouldn't happen so much.


> I left a completely benign post that didn't go with the pro-Microsoft/anti-Google narrative -- saw -11 within less than 60 seconds.

"Benign?" You accused a dude of being a lying Microsoft shill because he said that a recent Android version ran slowly on his device.


> I left a completely benign post that didn't go with the pro-Microsoft/anti-Google narrative

This is simply not true, that comment (https://news.ycombinator.com/item?id=9076549) included "HN has seen a HUGE influx of Microsoft shills, and it's getting disconcerting." You're also being inconsistent with whether the post was on the front page or the second.

Given that, I'm not inclined to believe that you actually got -11 in less than 60 seconds.


That's like saying the majority of HNers are Gruber's drones for praising his business model, or Google/Mozilla/Node having a brigade of posters to praise their languages.


I, for one, rather enjoy being highly compensated to shill on HN for the highest bidder. It's great, easy money.

Has your check arrived this week?


I thought a comment went dead and stopped getting votes after it hit -5.


"Beijing-based computer maker Lenovo has reportedly been blacklisted for years by spy agencies worldwide, as concerns about government-sanctioned Chinese hacking persist. According to the Australian Financial Review, Australia, the UK, Canada, New Zealand, and the US have all rejected Lenovo machines for their top-secret networks since the mid-2000s, though the computers can be used for lower-security tasks that don't involve sensitive information" [1]

Why buy a laptop from a company that has ties to the Chinese government [2], an authoritarian government that supports dictators in Africa and totalitarian government in Russia, oppressing women and children in those countries?

[1] http://www.theverge.com/2013/7/30/4570780/lenovo-reportedly-...

[2] http://en.wikipedia.org/wiki/Lenovo


Why buy a computer from a company that has ties to the US government, an authoritarian government that supports dictators in Africa, the Middle-East, South America, and East Asia, including torture, drug smuggling, misogyny, and has itself engaged in abduction, detention without trial, and in relation to this case, illegal interception of communications?


1.) Which US computer company has ties to US government? Literally owned by the government?

2.) How is US government authoritarian? Have you actually lived in a country that has no elected representative?


1.) Lenovo isn't owned by the CCP.

2.) In the way that a company can be compelled to comply with an order from the government, including the requirement that the company may not disclose to anyone the nature of that order or the gag order, and that there is effectively no way to challenge such orders in a court of law.

>Have you actually lived in a country that has no elected representative?

Yes. What difference is that supposed to make?


> 1.) Which US computer company has ties to US government? Literally owned by the government?

But Lenovo isn't owned by the Chinese government, either.

> 2.) How is US government authoritarian? Have you actually lived in a country that has no elected representative?

The existence of more dictatorial countries doesn't mean the US isn't authoritarian—it is a spectrum rather than a dichotomy.


You would have to really flex the definition of authoritarian to include the US, to the point of making the word uselessly broad.


The OED says:

> Favourable to or characterized by obedience to authority as opposed to personal liberty; strict, dictatorial.

It's certainly reasonable to argue about whether this actually applies; but I don't think that it represents a useless dilution of the word to think that it might. (Well, not 'dictatorial', but the rest of it.)


I'd like to hear that argument and not just the assertion that it is arguable.


Actually I meant by

> It's certainly reasonable to argue about whether this actually applies

literally that it is reasonable to argue, i.e., that neither position is obviously irrefutably true; and also I think I've created enough of a de-rail already here; but, if I had to make an argument for authoritarianism, I think that I would claim that the concept of free-speech zones instantly implies, for some parts of US government at some times, more respect for authority than personal liberty.


You know, you can have "elected" "representatives" and still be authoritarian. You can make sure the ballot only has people you like on it, you can ignore what the representatives have to say, you can lie to the representatives so their decisions are compromised, you can restrict the flow of information to the electorate so their decisions are compromised... All of the above happen in the US. Hell, China has elected representatives - they're just all from the same party.

"Don't blame me - I voted for Kodos." - Homer J. Simpson.


Superfish is a US company, though, and Komodia is Israel based.

There is nothing connecting this to the Chinese government. This appears to be a cross-border display of greed and incompetence.


Why buy a laptop from a company that has ties to the Chinese government [2], an authoritarian government that supports dictators in Africa and totalitarian government in Russia, oppressing women and children in those countries?

I guess because they make good hardware.


Also (presuming grandparent is American, which may be incorrect) the US supports dictators and totalitarian governments that oppress women in Saudi Arabia.


Well because they were making darn good hardware. I had my T60 for many many years. Carbon X1 seems nice.

Now I ended up buying a cheap ASUS Chromebook for traveling, replaced drive with a large one and installed Ubuntu. But still haven't decided if I want to replace my main machine.

Was eyeing Carbon X1 models for a while, but now will have to rethink.

Besides, like some people here, I always wipe everything out and reinstall my own distro on it (Ubuntu usually).


The T60 was one of the very first laptops Lenovo released after it purchased the IBM PC division. I wonder if it had already been in development under IBM before the purchase.


I am pretty sure it was. Mine still has the old style IBM Thinkpad logo on the case. Documentation and driver downloads pointed to ibm.com site for a long while even after the acquisition.


This seems offtopic unless you think the recent security lapse was some type of conspiracy instead of just apathy, greed, and incompetence.


I'd be curious to know what brands or models are considered safe by these agencies.


I think it mentions in the article about agencies having Dell and HP on the list of allowed companies.


hp


It's kind of hypocritical when USA loads backdoors into hardware that VisualDiscovery relies on.


Last night I fired up a brand new HP Stream desktop with Windows 8.1 (only $179!). It had a Superfish icon on the desktop. When I get home I'll check for the cert.

So maybe Lenovo isn't the only offender.

Edit: Duh. It was snapfish, not superfish. I've been reading about superfish so much that's what I saw.


[deleted]


"In Lenovo defense, the crap that is shipped in the default configuration of every modern windows computers makes something like this inevitable."

If only there was some way they could have known what was pre-installed on the machines they're selling. /s


Assuming that this isn't an intentional backdoor that they had to place, there is no defense, period.

Intentionally weakening people's system, MITMing their traffic, and inserting ads in private communication.

If an individual was doing this, let alone at this scale, they would be stamped 'hacker' and put in some dark prison for ten years. Now it's Lenovo, they will get away with an apology or a class action lawsuit at most.

Whoever decided to include this belongs in jail.


Says the guy who's never been to jail.

Whoever decided to include this, I'm guessing, had ZERO idea what a MITM was. At best they knew it'd spam ads to hardware owners.


How is that any kind of a defense?


It's more like an "Everybody does it, but we got burned first"


I found this whole Lenovo Adware-gate very hypocritical. Why does everyone blame the messenger Lenovo but not the source Superfish? Why? Is it because Lenovo is a Chinese company whereas Superfish is an Israeli-American company based in Silicon Valley?

Before this adware-gate, EVERY PC manufacturer bundled adware: HP, Dell, Acer, Lenovo, Asus to name a few top players (Apple perhaps is the only exception, as I don't count them as a PC manufacturer). Did anyone bother to look if there were tons of similar security risks with those?


Because there are all sorts of insecure malware/adware out there. They're all various levels of evil and a known quantity of badness.

Lenovo is a company that you paid your money to to buy a laptop. It shouldn't come pre-infected with something that compromises your security and privacy.


Lenovo had a chance to redeem itself by apologizing, removing the software and quickly distancing itself from the company.

They screwed up by denying there was a problem in the first place. Which means they were defending both their decision to install Superfish as well as, by proxy, Superfish itself.

Thus they are seen to be either incompetent (can't trust them) or malicious (also can't trust them).

Also consumers never bought Superfish. They paid for a relatively expensive piece of hardware from Lenovo and got screwed. They are right to blame Lenovo for it.



Why everyone blames the messenger Lenovo but not the source Superfish?

Because Lenova is the one who took your hundreds to thousand+ dollars and in return compromised your experience (for what has to be pennies). And in this case it caused a serious security compromise?

"EVERY PC manufacturer bundles adware"

Crapware/bloatware and adware are very different things. Dell installs some bloatware crap that I can uninstall (and even that is, truly, unacceptable. Again, they can't make more than a dollar or two on that junk, yet they compromise the user experience), but they don't MITM my secure communications, or compromise my security.

This has nothing to do with Lenova being a Chinese company. Further, no one expects anything out of Superfish (some slimy adware company), but they do expect standards from Lenova.


BTW, it's Lenovo. I wouldn't be surprised if other manufacturers had adware installed but perhaps remedied quickly rather than a PR disaster.



