RunSilent23
Punch Card
Posts: 15
Location: Billings, MT
6,272 Views
Message 41 of 159

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

What kind of communication and timeline can we expect that Superfish will be deactivated 2?
ryanhell_sea
Blue Screen Again
Posts: 7
Location: Seattle, WA USA
6,245 Views
Message 42 of 159

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

Same Yoga 2 11, picked it up on February 5th this month...love it, it's awesome....

Then I discovered SuperFish...and as I dig deeper I see it's a component level piece of software knowingly installed by Lenovo..who by the way is headquartered in China which is virtually the Nation Backed Cyber Super Criminal capital of the planet and makes Eastern European hackers look like script kiddies...

Been a Lenovo bench tech for an MSP early college days, recommended and deployed exclusively Lenovo throughout my career from network/infrastructure, to business systems deployment, into software and web systems. I was a strong advocate and I fought people concerned with the security of this Chinese based brand...

I am eating my words now. Lenovo is gone, this is a horrible problem, it breaches the trust the brand earned as a primary device provider to agencies like NASA, National Weather Service, and Microsoft who are known to use Lenovo devices almost exclusively.

I will stop venting here; but one more note I would like to add for comparison with you all; I am seeing a lot of peculiar keyboard behavior that is indicative of keyloggers. What I am referencing here is the keyboard I have is laggy, and most problematically the keys are sending excessive repeat entries, approximately every 5 to 15 words I type. I have lowered key repeat rate, but the lag and error rate, and the behavior of it is really concerning to me.

This is a machine I would definitely not allow my employees to use for even accessing unclassified corporate email.

I hope Lenovo gets in gear, and I hope when I start messing with pen tools I don't find a keylogger, or worse..

ryanhell_sea
Blue Screen Again
Posts: 7
Location: Seattle, WA USA
6,180 Views
Message 43 of 159

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

Yah, no kidding. Why would Lenovo "request" anything in this situation?! Why should they need to request anything? This is not a matter of opinion, or personal perception, or preference. This is an outright betrayal of trust. It is a manufactured exploit that jeopardizes the security and safety, as well as privacy of every user.

If I were a FTC official, I might even classify this as distributing ESPIONAGE.

These are horrible security exploits.

Lenovo has the legal right, and simple capability to push an update to not only disable this idiotic app, but to actually REMOVE IT altogether. As an engineer on Managed Service Provider networks in Seattle, I have worked on issues like this with Lenovo and I am telling you all now, if they wanted to remove it they could.

The app itself is so pointless, its very purpose ("use case") should really raise eyebrows...

Would you install a hidden spy cam above the shower in a new home you built, to detect when someone left the room, so the lights turned off? What would happen if you did that, and the person you built that home for detected the camera, and was unable to not only uninstall it, but they were not able to disable it? And let's equivocate the insanely insecure certificates Superfish has, to this analogy and say the camera broadcast over unsecured 802.11.

This is sad

ryanhell_sea
Blue Screen Again
Posts: 7
Location: Seattle, WA USA
6,066 Views
Message 44 of 159

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

My keyboard is funky...I cannot type ten words with a double entry..and it's super laggy...in fact it is the laggiest keyboard I have ever used.

I smell keylogger, and this Yogurt' 2 11 is fresh OTB just two days ago, only used for work.

Time to do some research.

cybergibbons
Punch Card
Posts: 53
Location: GB
6,062 Views
Message 45 of 159

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

Emileeeee
Fanfold Paper
Posts: 4
Location: :3
5,925 Views
Message 46 of 159

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

i'd like to say that the private ssl key isn't embedded verbatim in the software, and good news, it's not.

it's embedded upside down.

cybergibbons
Punch Card
Posts: 53
Location: GB
5,889 Views
Message 47 of 159

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

https://twitter.com/supersat/status/568329299494744065

Yes, because embedding it and flipping it is enough of a barrier to a malicious party wanting to MITM hundreds or thousands of laptops....

avillager
Fanfold Paper
Posts: 11
Location: BG
4,809 Views
Message 48 of 159

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

Is this software open source? How can you prove it is only looking at images, not tracking users, etc.? I'm really surprised Lenovo did such a stupid move.

Good for you that you're not removing comments here. There's only one way out here - provide all current and future customers an *opt-in* where they can choose to install or not this software. For current users of course, if they do not opt-in, the software and key should be removed... of course if you care about your customer's trust

And fix all security issues raised in the thread as well. Your move was not only brainless from PR point of view but also executed very poorly.

trainer
Paper Tape
Posts: 8
Location: US
4,763 Views
Message 49 of 159

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

I just purchased and received a brand new Y-series model last week. I couldn't be more happy with the hardware but Superfish was one of the first things I noticed when I started the bloatware removal process. Uninstalled it and moved on until I saw this information this morning.

I tried going to BofA and other secure websites and checking what certificates they were using, and fortunately they were using VeriSign and other trusted sources. But I also went into Internet Tools to see what was installed and there was Superfish staring back at me.

To remove: start Internet Explorer as Administrator, click the gear or go to Settings, click Internet Options, click the Content tab, click the Certificates button, click the Trusted Root Certificate Authorities tab, find Superfish, click it, click the Remove button.

There is absolutely no excuse for the inclusion of this type of malware on any computer system, whether it be consumer level or business class.
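
The manual check and removal described in the post above, as an added PowerShell example that is not part of the original post and is not a Lenovo tool. It reports any trusted root whose Subject or Issuer contains "Superfish" and removes it only when asked. Only the name "Superfish" comes from the thread; the stores checked, the parameter names and the report layout are assumptions.

```powershell
# Added example (not from the thread): find and optionally remove a Superfish
# root certificate. Only the name 'Superfish' comes from the posts; the stores
# checked, the parameter names and the report layout are assumptions.
# Removing from LocalMachine\Root requires an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Pattern = 'Superfish',  # substring matched against Subject and Issuer
    [switch]$Remove                  # report only unless this switch is given
)

function Find-RootCert {
    param([string]$Pattern)
    # Both root stores are scanned because the post does not say which one
    # holds the certificate (assumption about scope).
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Path       = $_.PSPath
                }
            }
    }
}

$found = @(Find-RootCert -Pattern $Pattern)
if ($found.Count -eq 0) {
    Write-Output "No trusted root matching '$Pattern' was found."
    return
}
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # -WhatIf and -Confirm work here because of SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($cert.Subject, "Remove from $($cert.Store)")) {
            Remove-Item -Path $cert.Path
        }
    }
    # Verify: a second scan should come back empty.
    $left = @(Find-RootCert -Pattern $Pattern)
    Write-Output "Matching roots remaining after removal: $($left.Count)"
}
```

Run it once without `-Remove` to see what matches, then with `-Remove -WhatIf` before removing for real. As the post notes, uninstalling the application left the certificate in the store, so the scan is worth running even on a machine where Superfish no longer appears in the installed programs list.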

davidhbrown
Serial Port
Posts: 73
Location: Kingston, RI
4,426 Views
Message 50 of 159

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

Oh, Lenovo... I've been a Thinkpad user since my T61p, but how can I trust you after this? Stupid, stupid, stupid. Installing a wildcard root certificate from an adware company? What were you thinking? I've been trying unsuccessfully to pull my jaw back up off the floor since reading this on Ars Technica this morning.
