
If you recently bought or are planning to buy a Lenovo…

By DrJBHL on February 19, 2015 9:15:37 AM from JoeUser Forums

You should be warned that it ships with crapware (as many do to increase OEM profits)…but it also ships with Superfish on it.

Superfish is adware which ‘sees’ the images on the webpages you visit and then offers ads compatible with them…for instance, if you look for a new table, it will try to insert ads with tables in them to “help” you. So you say, all the sites I look at are https protected. Sad news: Superfish also installs a root certificate in your Windows certificate store, which cancels the https protection. Perfect!

“The pre-installed certificate is the exact same on all systems as it seems. And so is obviously the private key, which seems to be part of the Superfish software as well. What it means? Well, you can just issue certificates and computers having the Superfish software installed will recognize them as valid.” – infected.io

*poof: Security severely compromised: Every site you visit (banking included) is man-in-the-middled.

OK…I’ll just uninstall Superfish, you say. You’ll also have to uninstall the certificate…and you have to do that yourself.

Here’s how:

First locate the Windows certificate store (Screen shot from gHacks):

  1. Tap on the Windows-key to bring up the start menu or start screen.
  2. Type certmgr.msc and hit enter. This opens the Certificate Manager.
  3. Use the folder structure on the left to navigate to Trusted Root Certification Authorities -> Certificates.
  4. Check if Superfish Inc. is listed among the certificates.
  5. If it is, right-click the certificate and select Delete from the context menu to remove it.

I have to agree with Martin Brinkmann. It’s bad enough having to work at removing all the crapware they put on your computer, which you didn’t ask for, have any use for, nor want.

Now? Lenovo actually installed adware which spies on you and a root certificate which makes your shiny new computer vulnerable to man-in-the-middle attacks (of which there are many and usually done via phishing).

This is a REALLY poor business practice which I hope they didn’t know about (the root certificate part)…and it could damage their rep for many years to come. Frankly, it’s a scandal.

Sources:

http://www.ghacks.net/2015/02/19/lenovo-pcs-ship-with-preinstalled-adware-and-root-certificate/?_m=3n%2e0038%2e1524%2ehj0ao01hy5%2e1kul

Others in the text. All checked. All safe.
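The same check, done from PowerShell instead of clicking through certmgr.msc. This is an added example, not code from the post, from gHacks or from Lenovo; the script name Find-SuperfishRoot.ps1 and the -Remove switch are assumptions of mine. It looks in both the current user's and the machine-wide Trusted Root store (certmgr.msc only shows the current user's), matches on the subject name the post gives ("Superfish"), and in its default mode only reports what it finds.

```powershell
# Find-SuperfishRoot.ps1 (added example; script name and -Remove switch are assumed)
# Lists, and optionally removes, trusted root certificates whose Subject names Superfish.
# Run from an elevated PowerShell prompt so the LocalMachine store can be modified.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SubjectPattern = 'Superfish',   # substring of the certificate Subject to look for
    [switch]$Remove                           # delete matches; without it the script only reports
)

# Both stores are checked: certmgr.msc shows only the current user's store,
# while a pre-installed OEM certificate may sit in the machine-wide one.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$SubjectPattern*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $found) {
    Write-Host "No trusted root certificate matching '$SubjectPattern' found."
    return
}

# Report what is trusted before touching anything.
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Cert: provider paths are <store>\<thumbprint>
        $path = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
        # ShouldProcess honours -WhatIf / -Confirm
        if ($PSCmdlet.ShouldProcess($path, 'Remove root certificate')) {
            Remove-Item -Path $path
            Write-Host "Removed $path"
        }
    }
}
```

Run it bare to get a report, with `-Remove -WhatIf` to see what would be deleted, and with `-Remove` to delete. Removing the certificate does not uninstall the Superfish program itself, and Firefox keeps its own certificate store, so check there separately. A quick sanity check afterwards: open any https site and look at the certificate chain in the browser; it should end at a public CA, not at a Superfish issuer.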

February 19, 2015 10:37:18 AM from Sins of a Solar Empire Forums

Thanks for this, I'll keep it in mind if I ever end up with one of these.

February 19, 2015 11:21:18 AM from WinCustomize Forums

Every company seems to want to screw you.

February 19, 2015 2:13:46 PM from Elemental Forums

So if I'm understanding this right, this is pretty fucking bad because any party can use this installed exploit?

February 19, 2015 7:20:50 PM from WinCustomize Forums

Yep...that's right.

February 19, 2015 10:16:05 PM from WinCustomize Forums


Quoting DrJBHL,

This is a REALLY poor business practice which I hope they didn’t know about (the root certificate part)…and it could damage their rep for many years to come. Frankly, it’s a scandal.

Yup, this could damage their rep as badly as the 'root kit' scandal hit Sony, and for mine they fechen deserve it. Next to bankers and politicians, advertising execs are the next worst class of parasite on the planet, and it IS these parasites who set shit like this up with hardware/software developers. Fechen advertising execs and their cohorts. If I had my way, those responsible for this diabolical crime would be charged with intrusive cyber crimes.... AND convicted.... AND sentenced to denuttification AND life imprisonment WITHOUT parole.

What with modern HDDs coming with spyware installed in the root; intrusive and aggressive advertising; spyware and crapware being installed on new PCs - not to mention the scammers, hackers and phishing parasites, it's a wonder there are any PC sales anymore. If there's a way to kill the golden goose, it's going to extremes and excesses with one bad idea after another, and advertising execs know precisely how to do that. Yup, PC sales and usage could see a steep decline if practices like this continue to happen. In fact, I hope OEMs who agree to it go broke... along with the slimy advertisers who instigate it.

I know that I am becoming more and more dubious about purchasing anything OEM... but then again, if new HDDs come with spyware installed in the root, and it is found to be uninstallable, even building my own PCs could well become a thing of the past. Thankfully, I've not experienced anything untoward with my HP laptop-come-tablet, but had I found anything remotely similar to this travesty, I'd be screaming it from the highest hill and kicking up such a stink they'd distinctly hear it at HP HQ.

Anyway, this advertising exec walks into a bar with a rather large leech on his head and the barman cracks up laughing for a few minutes. When he finally settles and has caught his breath he asks: "Look, you don't see this sort of thing every day, so what's the story here?"

The leech replies: "Well it started out as a very virulent and pus-laden boil on my arse."

Now you all know where advertising execs come from.

February 19, 2015 11:37:32 PM from Elemental Forums

Yeah, welcome to my "NEVER BUY!!" list, Lenovo.

Burn in the hell of your own making.

February 20, 2015 4:04:25 AM from WinCustomize Forums

Update:

“We messed up badly here,” Peter Hortensius, Lenovo’s chief technology officer, said in an interview. “We made a mistake. Our guys missed it. We’re not trying to hide from the issue -- we’re owning it.”

No, Mr. Hortensius. The problem is that the world's largest computer making firm made the laptop and for money, you put crapware, bloatware adware and spyware on your computers and someone bought it from you, so now that person "owns" it and the consequences of it, also anyone who buys that computer from him/her...and so on.

Now you expect people to think it was an 'oops'...or as a 15 year old might say, "messed up"...that Lenovo is based in Beijing and no one but no one will believe that you have anyone's security in mind, and you aren't 15.

"I have a bunch of very embarrassed engineers on my staff right now," Lenovo CTO Peter Hortensius said in an interview Thursday. "They missed this." Making this right also means setting up mechanisms to ensure something like this doesn't happen again, Hortensius said. "We'll make sure to have a much more detailed understanding of programs that go on our preload and they will not go if we think they're open to attack."

How lame does that sound? Their engineers weren't doing their job because they realize (just like anyone else would) that their salaries are coming from the money the Superfish "people" (and others) pay Lenovo to put their crap on their computers. So now Lenovo says it won't put adware on their computers anymore, and also that they will be making available a tool to remove Superfish...if you have a Lenovo, I wouldn't trust it to get the root certificate as well. I'd make sure it did by using the method in the OP.

They've published a "how to" on their website as well: http://support.lenovo.com/us/en/product_security/superfish_uninstall



February 20, 2015 4:25:19 AM from WinCustomize Forums

Intentions are only seen as being right if you action them before you are caught

February 20, 2015 4:51:44 AM from Elemental Forums

Yeah it's crap, but it's probably the best response they can make to save as much face as possible. Their only interest from here on out is safeguarding future sales. They'll whitewash, they'll lie, they'll omit, anything that works. This is the sort of thing that gets CEOs fired. 

February 20, 2015 5:22:11 AM from WinCustomize Forums

Quoting DrJBHL,

How lame does that sound?

About as lame as it gets...

"Oh, poo...we got found out....sorry....I'd say 'mea culpa' but I don't speak the lingo"...

February 20, 2015 5:47:47 AM from WinCustomize Forums

Sounds to me like Mr. Peter Hortensius has a complete handle on the bullshit stakes... with the meter running exceedingly high on his press statement.

What he really meant to say was: "Look people, we messed up badly.  Our engineers didn't do a good enough job at hiding it and now everybody knows what low-lifes we've become."

February 20, 2015 6:39:33 AM from Stardock Forums

They seem to be more concerned about the preload apps being open to attack than the more fundamental issue, which is installing software to show adverts on the user's PC. The one the user purchased from them...

Mistakes happen, but the software they included doesn't seem to me to be a bit of software any sane individual would choose to install if they were given the choice. On the other hand I can see the benefits for Lenovo. I imagine profit made is about to be wiped out 10 fold by the PR damage though.

If we are lucky this will make all OEMs think more about what they bundle. Likewise software developers. Why should the latest version of Adobe Flash try to force something else on me too? I wanted to get a friend to install ImgBurn the other day, but had to find a link to an older version as the latest includes 'bundled offers' which I knew they would accidentally install.

February 20, 2015 6:46:18 AM from Stardock Forums

They aren't sorry that they loaded the software onto their PCs, they are sorry that they got caught...

The only thing they will learn from this is to do a better job of hiding it from detection...and hope they don't get caught again.

February 20, 2015 9:58:00 AM from WinCustomize Forums

Quoting Neil Banfield,

Mistakes happen, but the software they included doesn't seem to me to be a bit of software any sane individual would choose to install if they were given the choice.

So agree...there's no thought as to, "Will this do good for the consumer or not?"...or even more basic: "Would I install this on my computer?"

Who on earth would want adware? No one.

Worse...that root certificate which could be easily backward engineered and screw millions via mitm attacks. That's something ANY engineer would have checked under "Changes to the system after installation"...please don't ask me to believe they don't have software which shows them that!

February 20, 2015 1:01:11 PM from Sins of a Solar Empire Forums

Maybe we need to check the other OEMs to see if they have done any shenanigans sold to the public. And I will not be buying a Lenovo!!!!!

February 20, 2015 2:34:35 PM from Elemental Forums

All part of the recent trend to shove more and more advertising in people's faces for a quick buck.

Samsung got busted for their TVs inserting ads into your locally streamed content.  Their response?  "It was just a mistake, that feature got turned on by accident."  What wasn't an accident was writing the code to do it in the first place.

https://gigaom.com/2015/02/10/samsung-tvs-start-inserting-ads-into-your-movies/

February 20, 2015 3:56:35 PM from Elemental Forums

MS Windows Defender now kills the fish automatically... cert and all... or so I read.

February 25, 2015 9:42:07 PM from WinCustomize Forums

It was bound to happen.... a lawsuit has been filed against Lenovo AND SuperFish.

Can't say I'm surprised.... can't say it's not deserved, either.

With a bit of luck it'll cost 'em an arm and a leg... which hopefully deters them [and others] from perpetrating such devious and underhanded practices ever again.

Still reckon there's a crime or three in there somewhere... and if there isn't there should be.... with heavy penalties.
