02-19-2015 01:28 AM
Same Yoga 2 11, picked it up on February 5th this month... love it, it's awesome...
Then I discovered SuperFish... and as I dig deeper I see it's a component-level piece of software knowingly installed by Lenovo, who by the way is headquartered in China, which is virtually the nation-backed cyber super criminal capital of the planet and makes Eastern European hackers look like script kiddies...
I was a Lenovo bench tech for an MSP in my early college days, and recommended and deployed Lenovo exclusively throughout my career, from network/infrastructure, to business systems deployment, into software and web systems. I was a strong advocate and I fought people concerned with the security of this Chinese-based brand...
I am eating my words now. Lenovo is gone. This is a horrible problem; it breaches the trust the brand earned as a primary device provider to agencies like NASA, the National Weather Service, and Microsoft, who are known to use Lenovo devices almost exclusively.
I will stop venting here, but one more note I would like to add for comparison with you all: I am seeing a lot of peculiar keyboard behavior that is indicative of keyloggers. What I am referencing here is that the keyboard I have is laggy, and most problematically the keys are sending excessive repeat entries, approximately every 5 to 15 words I type. I have lowered the key repeat rate, but the lag and error rate, and the behavior of it, is really concerning to me.
This is a machine I would definitely not allow my employees to use for even accessing unclassified corporate email.
I hope Lenovo gets in gear, and I hope when I start messing with pen tools I don't find a keylogger, or worse...
02-19-2015 01:36 AM
Yah, no kidding. Why would Lenovo "request" anything in this situation?! Why should they need to request anything? This is not a matter of opinion, or personal perception, or preference. This is an outright betrayal of trust. It is a manufactured exploit that jeopardizes the security and safety, as well as the privacy, of every user.
If I were an FTC official, I might even classify this as distributing ESPIONAGE.
These are horrible security exploits.
Lenovo has the legal right, and the simple capability, to push an update to not only disable this idiotic app, but to actually REMOVE IT altogether. As an engineer on Managed Service Provider networks in Seattle, I have worked on issues like this with Lenovo and I am telling you all now, if they wanted to remove it they could.
The app itself is so pointless, its very purpose ("use case") should really raise eyebrows...
Would you install a hidden spy cam above the shower in a new home you built, to detect when someone left the room, so the lights turned off? What would happen if you did that, and the person you built that home for detected the camera, and was not only unable to uninstall it, but unable to disable it? And let's equate the insanely insecure certificates Superfish has to this analogy and say the camera broadcast over unsecured 802.11.
This is sad
02-19-2015 01:49 AM
My keyboard is funky... I cannot type ten words with a double entry... and it's super laggy... in fact it is the laggiest keyboard I have ever used.
I smell keylogger, and this Yogurt 2 11 is fresh OTB just two days ago, only used for work.
Time to do some research.
02-19-2015 01:50 AM
Just some further information on how serious this is - it's not a theoretical issue, this is very bad:
02-19-2015 02:04 AM
I'd like to say that the private SSL key isn't embedded verbatim in the software, and good news, it's not.
It's embedded upside down.
02-19-2015 02:09 AM
Yes, because embedding it and flipping it is enough of a barrier to a malicious party wanting to MITM hundreds or thousands of laptops....
02-19-2015 04:20 AM - edited 02-19-2015 04:23 AM
Is this software open source? How can you prove it is only looking at images, not tracking users, etc.? I'm really surprised Lenovo made such a stupid move.
Good for you that you're not removing comments here. There's only one way out here: provide all current and future customers an *opt-in* where they can choose whether or not to install this software. For current users, of course, if they do not opt in, the software and key should be removed... of course, if you care about your customers' trust.
And fix all security issues raised in the thread as well. Your move was not only brainless from a PR point of view but also executed very poorly.
02-19-2015 04:27 AM
I just purchased and received a brand new Y-series model last week. I couldn't be more happy with the hardware but Superfish was one of the first things I noticed when I started the bloatware removal process. Uninstalled it and moved on until I saw this information this morning.
I tried going to BofA and other secure websites and checking what certificates they were using, and fortunately they were using VeriSign and other trusted sources. But I also went into Internet Tools to see what was installed, and there was Superfish staring back at me.
To remove: start Internet Explorer as Administrator, click the gear or go to Settings, click Internet Options, click the Content tab, click the Certificates button, click the Trusted Root Certification Authorities tab, find Superfish, click it, click the Remove button.
There is absolutely no excuse for the inclusion of this type of malware on any computer system, whether it be consumer level or business class.
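The two checks the post above does by hand (look at which CA issued a site's certificate, then find and remove the Superfish entry from Trusted Root Certification Authorities) can be scripted. The block below is an added example, not code from the thread or from Lenovo; it assumes the certificate's Subject or Issuer contains the string "Superfish" (as the post's "find Superfish" step does) and that it is run from an elevated PowerShell session (PowerShell 3.0 or later, where the Certificate provider supports Remove-Item). The hostname is just the site the post mentions.

```powershell
# Added example (not from the original thread): locate a Superfish root
# certificate in the Windows root stores, report the CA that actually
# issued a remote site's certificate, and remove the Superfish root.
# Assumption: the Superfish certificate's Subject/Issuer contains "Superfish".

# Machine-wide root store is where the Superfish root was installed; the
# per-user root store is checked as well in case a copy landed there.
$rootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuperfishRoot {
    foreach ($store in $rootStores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' }
    }
}

function Remove-SuperfishRoot {
    $found = @(Find-SuperfishRoot)
    if ($found.Count -eq 0) {
        Write-Host 'No Superfish root certificate found in the root stores.'
        return
    }
    foreach ($cert in $found) {
        Write-Host ("Removing {0} ({1}) from {2}" -f $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
        # Certificate objects from Get-ChildItem carry their provider path,
        # so they can be piped straight to Remove-Item.
        $cert | Remove-Item
    }
}

# Report the issuer of the certificate a remote site presents to this machine.
# If a local TLS-intercepting proxy is re-signing traffic, the Issuer shown
# here will be the proxy's root (e.g. Superfish) rather than the site's real CA.
function Get-SiteCertIssuer {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here on purpose: we want to see what was presented,
        # not have .NET reject it before we can inspect the issuer.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [PSCustomObject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: review what is installed and what the bank site presents first,
# then remove the root once you are satisfied the match is the right one.
Find-SuperfishRoot | Format-Table Subject, Thumbprint, NotAfter, PSParentPath -AutoSize
Get-SiteCertIssuer -HostName 'www.bankofamerica.com'
# Remove-SuperfishRoot
```

Two caveats for anyone running this: removing the root certificate alone, without also uninstalling the Superfish software, leaves the interception proxy running but signing with a certificate that is no longer trusted, so HTTPS sites will start failing with certificate errors until the software itself is removed; and Firefox keeps its own certificate store, so the Windows root stores cleaned above do not cover it.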
02-19-2015 05:07 AM
Oh, Lenovo... I've been a ThinkPad user since my T61p, but how can I trust you after this? Stupid, stupid, stupid. Installing a wildcard root certificate from an adware company? What were you thinking? I've been trying unsuccessfully to pull my jaw back up off the floor since reading this on Ars Technica this morning.