Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Portables IT

Lenovo Still Shipping Laptops With Superfish 127

Ars Technica reports that weeks after Lenovo said it would stop selling computers with Superfish adware installed, it's still there for many purchasers of the company's laptops. From the article: Based on the experience of Ars readers Chai Trakulthai and Laura Buddine, Lenovo overstated both assurances. The pair recently examined a $550 Lenovo G510 notebook purchased by a neighbor, and their experience wasn't consistent with two of Lenovo's talking points. First, the PC was ordered in early February more than four weeks after Lenovo said it stopped bundling Superfish, and yet when the notebook arrived in late February it came pre-installed with the adware and the secure sockets layer certificate that poses such a threat.

"Lenovo may be saying they haven't installed Superfish since December, but the problem is that they are still shipping out systems with Superfish installed," Buddine said. "The Windows build had a date of December. They apparently aren't sorry enough to re-image the computers they have in stock to remove the problem and they're still shipping new computers with Superfish installed."
Supply chains are long, and hand-work is expensive, so this might not surprise anyone. Less forgivable, though is this finding, of the software provided to purge machines of the adware: "Lenovo's software didn't begin to live up to its promise of removing all Superfish-related data. Based on its own self-generated report, the tool left behind the Superfish application itself. A scan using the Malwarebytes antivirus program found the Superfish remnants VisualDiscovery.exe, SuperfishCert.dll, and a VisualDiscovery registry setting."
This discussion has been archived. No new comments can be posted.

Lenovo Still Shipping Laptops With Superfish

Comments Filter:
  • Too late (Score:5, Interesting)

    by Anonymous Coward on Sunday March 08, 2015 @10:15AM (#49209517)

    My company bought 1200 Lenovo laptops last year, but now we'll never buy another Lenovo product again. I don't care if was the consumer laptop, they are no longer a company that can be trusted.

    • Lenovo (Score:4, Informative)

      by Anonymous Coward on Sunday March 08, 2015 @10:47AM (#49209719)

      Lenovo were the only ones who were caught. And:

      Criticisms of Superfish software predated the "Lenovo incident" and were not limited to the Lenovo user community: as early as 2010, Apple, Mozilla Firefox, and Microsoft Windows users had expressed concerns in online support and discussion forums that Superfish software had been installed on their computers without their knowledge, by being bundled with other software. [wikipedia.org]

      After that there is some finger pointing by the CEO of Superfish at another company.

      Anyway, when it comes to this shit and cheap computers that subsidize their prices with adware/malware/advertising/etc ..., I just clean all that shit off and then some other things - and it tickles me that the asshole companies like Superfish are getting screwed because they won't be getting any ad revenue from me or anyone else that I cleaned a machine for.

    • by Enry ( 630 )

      Most companies that buy that many systems have their own image they just blast onto the laptop. Since it's usually a base install of the OS plus required drivers and software, there's no Superfish installed.

    • If only another company would make a Thinkpad clone, there would be a giant army of people running away and Lenovo would die, and companies would be On Notice not to do that.

      As it is, their key product line is unaffected and has no good alternative.

    • you still buy Cisco switches, right? :)

  • Rush job? (Score:5, Informative)

    by DoofusOfDeath ( 636671 ) on Sunday March 08, 2015 @10:50AM (#49209743)

    Although I consider Lenovo fully responsible (and liable) for SuperPhish in the first place, I could easily see the removal tool's inefficacy stemming from it being a panicked rush job.

    • Re: Rush job? (Score:4, Informative)

      by Kvathe ( 3869749 ) on Sunday March 08, 2015 @11:11AM (#49209855)
      Agreed. The original superfish bundling was a bad move, but this seems like more a case of Hanlon's Razor. It's hard to discount stupidity when talking about Lenovo.
      • Re: Rush job? (Score:4, Insightful)

        by SigmundFloyd ( 994648 ) on Sunday March 08, 2015 @01:09PM (#49210457)

        I think Hanlon's razor (never attribute to malice what can be explained by stupidity) is way too optimistic about human nature.

        Lenovo has no ethics, pure and simple. As far as I'm concerned, they lost a prospective customer.

        • by Anonymous Coward

          Another perspective is that Lenovo has been so burned by this that they're the one company that will never do anything like it again.

        • Few if any corporations have ethics. They generally (not always) do what is legal, but not necessarily what is ethical, and almost never what is morally correct. They exist for one purpose and that is to make a profit.

          • My morally correct is not your morally correct. It is impossible for a company to do anything morally correct as universal morality code would be an oxymoron.

            • My morally correct is not your morally correct. It is impossible for a company to do anything morally correct as universal morality code would be an oxymoron.

              That is what Ethics is for, and why the main focus of complaints is generally ethics and not morality. Ethics is the overlapping parts people agreed on.

    • So why not just work a deal with Malware Bytes? There stuff already works, and both companies benefit from the exposure...
      • by mwvdlee ( 775178 )

        And admit it was malware whilst Superfish was obviously just a case of misunderstoodware? /sarcasm

  • by gman003 ( 1693318 ) on Sunday March 08, 2015 @10:53AM (#49209761)

    This was such a blatantly anti-customer move that I will never - NEVER - be a Lenovo customer again. They cannot be trusted, and probably can never be trusted again because any "change" could just be a whitewashing campaign, not a real change.

    This is simply more evidence that they deserve all the shit they're getting, and more.

    • by vadim_t ( 324782 ) on Sunday March 08, 2015 @11:06AM (#49209829) Homepage

      That's a counterproductive way of doing things.

      Whenever making that kind of statement towards any sort of business you're telling them that there's no point to try to correct whatever upset you, as all resources spent to that end are going to be in vain anyway.

      The spyware gives them some money. If all people who hate it put Lenovo in their blacklist forever, then the most sensible business decision is keeping the spyware. The customers that hate it won't come back, and the ones that remain don't care, so nothing is gained by removing it after losing that part of the customer base.

      • by websitebroke ( 996163 ) on Sunday March 08, 2015 @11:23AM (#49209923)
        I think what the OP is getting at is that if enough people don't trust Lenovo, and Lenovo goes under as a result, it would be a great lesson to the other manufacturers that putting this sort of crapware on their machines doesn't pay in the long run. It's not an unreasonable point of view, but I think you're right, because I think the Superfish debacle won't be enough to drive Lenovo out of business. All we have left is the carrot of being a potential future customer since the stick of beating down Lenovo won't be effective.
        • by vadim_t ( 324782 )

          I understand the idea, yes. But:

          1. Most of the time, it doesn't work. Let's face it, at least 95% of the people looking to buy a laptop don't understand this issue. A good amount of people doesn't care about spying either, because they think they have anything to hide, or because the US government is doing it so it must be good, or because the US government doing it makes it impossible to avoid anyway, or for a myriad other reasons. I think Lenovo would have to be in a very weak state for this to do them un

          • Everything you say is correct if what Lenovo did was just commit an innocent error. I don't think that's what they did. I think what they did was overtly malicious, and the only suitable response is to never do business with them again.

      • So what you are saying is that you still buy Sony after three separate attempts at owning your computer... OK, then.
      • The customers that hate it won't come back, and the ones that remain don't care, so nothing is gained by removing it after losing that part of the customer base.

        Those aren't the only two options.

        This is an opportunity for the typical end-user to learn how to uninstall the malware and/or reinstall windows from a clean version, thus making them better as a computer user.

      • by SigmundFloyd ( 994648 ) on Sunday March 08, 2015 @01:26PM (#49210537)

        Whenever making that kind of statement towards any sort of business you're telling them that there's no point to try to correct whatever upset you, as all resources spent to that end are going to be in vain anyway.

        At the very least, heads should have rolled. And one of them had better be the CEO's. Better yet, the whole chain of command that made and approved the decision to install the malware.

        Since this hasn't happened, we can safely conclude that Lenovo is in bad faith and unwilling to do what is right.

        • Whenever making that kind of statement towards any sort of business you're telling them that there's no point to try to correct whatever upset you, as all resources spent to that end are going to be in vain anyway.

          At the very least, heads should have rolled. And one of them had better be the CEO's. Better yet, the whole chain of command that made and approved the decision to install the malware.

          Since this hasn't happened, we can safely conclude that Lenovo is in bad faith and unwilling to do what is right.

          At the very least, Lenovo should have been sued half way into oblivion, and their executives should have been arrested and charged under the Computer Fraud and Abuse act.

          But they're a corporation, so... "fuck you" says the U.S. attorneys.

      • by mwvdlee ( 775178 )

        On the other hand, people who keep buying their machines make them stop installing spyware HOW exactly?

    • by guygo ( 894298 )
      There is not a single unit of electronics equipment made in China that can be trusted not to spy on you for some pretext. Not one. If you buy Chinese-made electronic equipment, you can expect to be spied on. That's what they do.
      • Agreed. And just how many keyboards and mice are produced in the USA? I bet very few.
      • There is not a single unit of electronics equipment made in China that can be trusted not to spy on you for some pretext. Not one. If you buy Chinese-made electronic equipment, you can expect to be spied on. That's what they do.

        Neither can we trust the US, thanks to the traitors to the Constitution. We're kind of short on alternatives here.

        • And between the US and China, I would prefer to be spied on by China. They have less of an ability to harm me.

  • by QuietLagoon ( 813062 ) on Sunday March 08, 2015 @11:00AM (#49209797)
    Lenovo is not looking at this from a customer point of view. They are looking to minimize the damage to their profits caused by their arrogant ignorance

    .
    From that point of view, why should they reimage the drives of notebooks in inventory?

    • ...why should they reimage the drives of notebooks in inventory?

      To avoid a class-action lawsuit, maybe?

      • by plover ( 150551 )

        I'm pretty sure that the people who've already been impacted are enough to bring a class action suit; eliminating a few more plaintiffs won't change much.

        • What I'm saying (bearing in mind of course that This Is Merely My Opinion and that I Am Not A Lawyer) is:

          Previous to this, Lenovo didn't promise not to sell machines with SuperFish installed on them. Now they have done so, and yet they're still shipping them with it.

          Said another way:

          To people who bought their machines previously, Lenovo could (and did) say, "Sorry, we screwed up, but we'll make it right," which could have had mitigating effects in the event of litigation. Now, they're out of any such excuse

  • Of course laptops were in warehouses, in transit on slow steaming cargo ships...many with SuperFish will still be sold even though Lenovo stopped installng it. No point to the story

    • Sure there's a point: we get to feel superior because we wouldn't be this dumb/criminal/evil/fraudulent/wrong.

      It doesn't matter that the story is literally "two people who frequent some other web site say they looked at their neighbor's new laptop that the neighbor said they ordered sometime in early February and received sometime in late February and it's still got Superfish on it. Also, those two same somebodies say that when they ran the official Lenovo removal tool the software wasn't removed, by whi
    • let me introduce you do the retail tactic called the Return Merchandise Authorization Center

      Lenovo can have a retailer deal with this in 2 ways

      1 RMAC all units with date codes prior to %clean date%

      2 Ship "update" disc sets that burn the restore partition and reloads it with a clean version (then proceeding with a restore)

      bonus for L if the sets have some sort of "Due to a Quality Control Issue we have included a restore media set at no charge" notice on the packet

      • I'm cheap, if I were Levono I'd post link and md5 checksum of ISO download of the clean version. Seed a few torrents with it too. Problem solved as far as I'm concerned.

        I like Lenovo laptops, Windows problems like this not an issue when I put Linux Mint and OpenBSD on them

        • by Smask ( 665604 )

          If you intend to run Linux on your Lenovo laptop, make sure everything works without massaging drivers because YOU NEEDS TO ROOT THE BIOS to get the computer to accept a non sanctioned (i.e. bought from some other store than Lenovo) network card. My G50-45 was delivered with a Realtek card that works like crap and I haven't got the Bluetooth part to work yet. I do have an Intel 7260 to replace the network card with IF THE FUCKING COMPUTER WOULD BOOT WITH IT.

    • The story allows us to inform other people, and ensure the majority of those laptops stay in their warehouses. An unsold product can gather dust while Lenovo pays for the warehouse storage of said crap, OR Lenovo can re-image and sell a slightly less crappy product.
      • Nonsense, SuperFish easy to remove.

        This level of debacle has happened a few times in open source world also.

        • by stooo ( 2202012 )

          From the article, it seems it's not so easy after all, even Lenovo does not succed in removing it. (letting a malware exe on your system is not what i call "removal")
          Also, it it was easy, Lenovo would put in the effort to do it for their ware.

    • by stooo ( 2202012 )

      >> No point to the story

      Yes, there is a point. If Lenovo was concerned with the security of their customers, they would arrange with their distributors to either remove the malware or recall the hardware.
      Continuing to sell it with malware shows they don't care about their customers.
      And yes it costs money. That's the cost of deliberately distributing malware.

  • Are people still buying them at all? There are tons of companies that haven't broken your trust yet, but one of them! Stop buying Lenovo.
  • Everyone in his right mind reinstall new computers. The manufacturers were known to install bloatware, crapware, shitware and so on for years. It just was not that bad.
    • by plover ( 150551 ) on Sunday March 08, 2015 @12:05PM (#49210157) Homepage Journal

      Your average home user doesn't reinstall anything, and for many reasons.

      Even if he or she wanted to, they won't have a viable consumer OS installation disk anymore. They get the "System Recovery Disk" with their new purchase, and it's likely filled with the same Lenovo image that was used to bundle the malware in the first place.

      • Well, here's a chance to make some money then, it takes about 50 minutes to set up a fresh install of Deb7 or the like, so train up a couple dozen guys to do this in under an hour, and charge $40-$60 to make housecalls to set up people's new PCs with Linux out of the box and sell them peace of mind for security against all the crap that gets in from outside and that's probably in the box to begin with. Just like Microsoft in the 90's, the secret is marketting, marketting, marketting.
        • Much as I like Linux, it isn't the answer to everything. Most people have some Windows programs they want to run on their laptop, and even if the F/OS programs were better they aren't the ones they want.

          Moreover, we're talking about laptops, and installing Linux on laptops that were loaded with Windows can be iffy.

  • by Anonymous Coward

    Simple Fix: STOP BUYING LENOVO MACHINES... They need to feel PAIN because of this fuckup... They won't if everybody keeps on buying them... EVERYBODY needs to STOP NOW!!!

  • Can't help but laugh (Score:5, Interesting)

    by ilsaloving ( 1534307 ) on Sunday March 08, 2015 @12:32PM (#49210269)

    I'm seeing so many posts about how people "will never buy from Lenovo again because they can't be trusted" etc etc, and can't help shrug cynically.

    I wonder how many of these same people buy Sony products despite not just one, but an entire string of blatantly anti-consumer decisions (of which the rootkit CDs were just one)

    Or Microsoft, which has a very long history of not just anti-consumer, but crushing the PC industry and suberting entire standards bodies. But in the last couple years they've thrown a few open source bones... yeah that totally makes up for the last 20+ years of damage they have caused.

    So yeah, I hope everyone gets to enjoy their collective outrage while it lasts, cause before you know it you'll find your comments will get modded troll by people who think you're just overreacting.

    • by ledow ( 319597 ) on Sunday March 08, 2015 @01:53PM (#49210631) Homepage

      I agree with the sentiment of your post.

      However, for some of us, a principle stands out and isn't just empty words.

      I do not now, and have not ever, owned an Apple or Sony product. I disagree with the way they do business, I disagree with the attitude to the consumer, and I disagree with the way they sting the prices on their equipment. There's a number of companies on my blacklist that I have said I won't buy from again. And I haven't.

      Microsoft, for example, is a problem to avoid. If you work in IT, it's one company that you are very often required to support, no matter what your personal objections. However, even then, there are steps you can take. I endeavour to give Microsoft as little money as possible, and as much proportioned towards the products I agree with as possible. It's cost them many, many tens of thousands of pounds over the years.

      I can't completely cut them out, but their attitude costs them all the time. IE and Bing, however, are totally unnecessary in my environments yet encourage a "lazy endorsement" of their products if you just leave them in, so I ACTIVELY do everything I can to move users off them. I often go to a new workplace and my first policy is "We don't support IE, use a real browser" for example.

      Some people will bitch and moan and then go on to contradict themselves in the privacy of their own head. Some of us don't.

      My current site is entirely Lenovo hardware on the client end. Be sure that Superfish is going to cost them, hard, next time I'm doing some purchasing. Sure, I might end up buying at a much heavier discount than normal (the Superfish issue cannot and have not affected me because of the way I deploy machines on fresh images as a matter of course) rather than outright blacklisting, but that's reflective of the hassle caused to any place using their hardware for business use. Almost none.

      However, guess who people go to when they want purchasing advice? The IT guy. Guess which laptops they are going to be advised to avoid entirely or at the very least create a fuss when buying?

      Things like this aren't zero impact. And when Superfish is just a memory, it should still play a part in people's buying opinions. But do you honestly expect permanent blacklisting for ever and ever even after the problem is fixed?

    • The problem with these "never going to buy from [company] again" stances is that they might seem appropriate when you're young. But if you stick to your guns, by the time you're around 40 you realize there are very few companies left which you can still buy from without compromising your principles. Can't buy from Sony because of the rootkit scandal. Can't buy from Asus because they're sexist. Can't buy from Dell because of the bulging capacitors. Can't buy from HP because they overcharge for ink. Can'
    • I, for one, have a fairly long list of companies I will not do business with, with Sony, near the top of the list, and now Lenovo, working hard to beat out Sony for top place on the list.

      Since I'm sort of my neighborhood "tech support", I make it clear to anyone who asks me for advice on what to buy, of my list and WHY these companies are ON the list. I tell them that if they go ahead and buy some piece of tech from one of these companies, they need not ask for my help in setting up the item or ANY kind of

    • by HiThere ( 15173 )

      While you've got a point, I haven't bought a Sony product in over a decade. Everytime I get near to forgetting about them some other deed crosses the screen.

      I can't really speak to Lenovo, since I've never bought anything from them, but I'd be really surprised if I ever do now. Previously it was just that I preferred to buy from someone else, now I additionally prefer not to buy from them. This is an additional barrier.

      OTOH, I've got to agree that most people don't seem to even notice company quality, bu

    • Honestly. I don't buy Apple products (unless you count a used iPod for which Apple would get $0 of the proceeds). I used to recommend Lenovo, but now they're off my list. HP, long gone.

      Sony is a bit harder to avoid just because they have so damn many subsidiaries and product lines (again, I own a PS3, bought second-hand as were all my games).

    • I wonder how many of these same people buy Sony products despite not just one, but an entire string of blatantly anti-consumer decisions

      I haven't bought anything Sony since the rootkit.

      Or Microsoft, which has a very long history of not just anti-consumer, but crushing the PC industry and suberting entire standards bodies.

      Likewise, I have done my best to avoid giving Microsoft even a single dime -- although in practice, that's pretty much impossible to achieve, thanks to their continuing evil practices (such as demanding royalties from Android phone manufacturers).

  • by kheldan ( 1460303 ) on Sunday March 08, 2015 @01:01PM (#49210403) Journal
    Wipe the drive and do a clean install of Windows. You'll probably also be getting rid of a whole bunch of other bloatware in the process anyway, so win-win.
    • by stooo ( 2202012 )

      "Wipe the drive and do a clean install of Linux. You'll probably also be getting rid of a whole bunch of other bloatware in the process anyway, so Lin-Lin."

      Corrected that for you

      • Yeah sure thing buddy because the average user is going to have any idea what the hell to do with Linux. You give the average user Linux in their laptop and it'll get thrown against a brick wall as hard as they can toss it within an hour because it's not Windows. Like it or not this is still the world we're living in, most people just want to do what they need to do with a computer, not futz around with it like an enthusiast will. Save your arguments for someone else, too, if you want to debate this, I have
        • That couldn't be further from the truth. I know a lot of normal people (including my aged mother) who don't know a damned thing about operating systems but have no more problem with Linux than they have with Windows.

          In terms of ease of use, they achieved parity years ago.

          • "If it breaks can we call you for help?"

            Enjoy being free tech support when their Linux installation has a problem. Or they want to install some new software. Or hardware. "Why won't {insert Windows software name here} work the way it does on my computer at work?". Etcetera.
    • That solution does nothing to actually fix the problem.

    • A clean install of Windows from what? Most people don't have Windows install disks sitting around. (I can get them through my work-provided MSDN subscription, but that isn't realistic for most people.)

  • by Sable Drakon ( 831800 ) on Sunday March 08, 2015 @02:27PM (#49210777)
    Neither the source article nor the slashdot reposting bother to say WHERE the system was purchased from. A bit of negligence if you ask me, since it's a very important point of contention for the validity of the article. If the machine was purchased through a third-party vendor (i.e. TigerDirect, Newegg, Amazon, Best Buy), then yes, it shouldn't be a surprise that Superfish is still a part of these machines. However, if this system was bought directly through Lenovo, then there really is a problem here and Lenovo needs to fix it as soon as possible.

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...