Discussion in 'Article Discussion' started by Gareth Halfacree, 19 Feb 2015.
Fake certificate authority and all.
Crap job Lenovo. I mean, I'm sure it's easy enough to remove if you know what you're doing but 95% of their consumer market will be completely oblivious to this.
Just curious, but the article says "if the controlling company should decide to break a few more laws".
Unless I have misunderstood, does that mean they are already breaking a law? If so, what part is breaking the law? Is it the fraudulent trusted certificate authority, acting as a man-in-the-middle (MITM) in encrypted connections, or something else?
Here in the UK, I'd personally argue that Lenovo was breaking Section 1 of the Computer Misuse Act 1990, which states:
Now, Lenovo will likely argue that there are clauses in the terms and conditions that allow them to do this, meaning that it's not "unauthorised," but the fact that they're wiretapping encrypted communications (and, fun fact, the fraudulent certificate authority remains in the system even if the adware is uninstalled) which are encrypted specifically to keep them private would likely obviate such a defence. There are other laws which could apply, of course, such as Section 1 of the Regulation of Investigatory Powers Act 2000, Sections 2 and 4 of the Fraud Act 2006, arguably Article 8(1) of the Human Rights Act 1998 (although the House of Lords has ruled that this can't be used to bring a case for "invasion of privacy," so that one may be a no-goer), and I could go on.
Whether anyone will actually attempt to bring Lenovo to court for this, I don't know. I reckon there's a class action a-brewin', tho'.
I don't think they'd have a leg to stand on if they tried to argue that there are clauses in the terms and conditions that allow them to do this. Apparently the first time the user opens a browser it pops up a licence agreement, but even if you decline the agreement the certificate remains active; uninstalling the software doesn't remove the certificate either.
It makes me wonder how many people are affected by this, as it seems users on the Lenovo Forums reported it over four months ago, but only discovered it was installing the certificate last month.
Word to the wise, never buy Lenovo again.
I'd still recommend their business-class laptops as an option, but I agree that their consumer-class products generally aren't the best option.
Lenovo have released a statement about Superfish.
'S been linked in the article since lunchtime, along with a snarky response to its "thorough investigation" which turned up "no evidence" to support any security concerns. Which apparently didn't extend to searching Twitter to see if people were sharing the private key, its password, and fraudulent certificates for Lenovo's own website signed with said private key (hint: yes, yes they were.)
Fun additional fact mentioned in the updated article: Lenovo having "completely disabled server side interactions" does not remove the fake certificate authority. Neither does uninstalling the software. Anyone with a Lenovo laptop that had Superfish on it at any time is at risk of MITM attacks, whether or not they have removed Superfish. Nice, eh? You basically have to manually delete the CA from every browser on the system as well as uninstall Superfish.
Never owned anything by them and now I probably never will.
Oops, sorry, it's easy to miss an update to articles if you mainly use the forums.
I think a snarky response is being too kind to them personally, but I must be in the minority; it seems people are OK with the rather wet response from Lenovo (wet, Superfish, see what I did there).
No, it's entirely my fault: I should have posted a comment in this 'ere thread noting that there was an update for that very reason. Mea culpa!
Lenovo appears to be taking a little more responsibility now: its US Twitter account has been on a charm offensive, and the company has posted step-by-step instructions for removing Superfish and the CA, although instructions for the latter are currently only available for Internet Explorer.
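Since the thread notes that the CA lingers after uninstall and that Lenovo's removal steps only cover Internet Explorer, here is an added example (not from the article, the thread, or Lenovo) that checks the Windows trusted-root stores for a lingering Superfish CA and removes it on request. Matching on the subject string "Superfish" is an assumption; verify the listed thumbprint against a trusted source before deleting anything.

```powershell
# Added example: find (and optionally remove) a leftover Superfish root CA.
# Run as administrator to act on the LocalMachine store.
param(
    [switch]$Remove   # only delete when explicitly asked
)

# Windows stores used by Internet Explorer and Chrome. Firefox keeps its own
# certificate database, so it must be checked separately in its own UI.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Assumption: the rogue CA's subject contains "Superfish"; confirm the
# thumbprint before trusting this match.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the Windows trust stores.'
    return
}

Write-Output 'Superfish root certificate(s) present:'
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Certificates are addressed by thumbprint within the store path.
        $path = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
        Remove-Item -Path $path -Verbose
    }
    Write-Output 'Removed. Also remove the CA from Firefox and any other browser with its own store.'
}
```

Run it once without `-Remove` to audit, then again with `-Remove` after confirming the thumbprint; removing the CA does not undo any traffic that was intercepted while it was trusted.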
Never will. Their Yoga 11 is buggy as hell and their customer support non-existent.
Doesn't surprise me in the least, tbh, as there's plenty of other areas the Chinese seem to do it too: iPhone jailbreaking software and smartphones, to name a couple. With a company as huge as Lenovo doing it, it does worry me that it's possibly far more commonplace over there than you might think. I do like some of their laptops, but as Corky42 says, this is a reason to avoid them completely, even if they're taking steps to remove it.
100% agree with this. I hope Lenovo have sacked the idiot that decided this scheme was a good idea. Not that I care now, or at any time in the future.
I've had one on the bench all day (a G580) and it's being a complete b**ch, so I agree with that, today more than ever. I am typing this from my X230 though, which is rock solid as ever.
Some of their consumer products aren't too bad, still a bit "plasticky" for my liking but better than some. HP mid-range consumer laptops have taken a complete nose dive in recent years. You're lucky if you can get 12 months out of typing on one without the keyboard wearing down to shiny plastic. At least they don't ship with adware though.
Lenovo need to be careful about what they do with the ThinkPad range next. They've been slowly going downhill for a number of years, and having seen an X1 Carbon recently and decided it's not the rugged, "road warrior" machine my X230 is, I don't hold a lot of hope for the future of the range.
This sort of thing is the reason I always recommend that average Joe consumers have their new computer set up by a competent engineer or tech, then looked over and serviced once a year after that.
I'm still running an X61! It isn't the quickest laptop by any stretch, and I get odd looks in meetings for rocking an 8 year old machine. But it does what I want, has never failed me, and has very little chance of being stolen.
I was considering replacing it with an X1, but like Uni I can't see it standing the abuse the X61 does, so until it totally dies I think I'll keep it; at least I know what's on it.
Funny this is breaking news now.
The first thing I did when I got my Yoga for Christmas was go through and remove bloatware. That bloatware included Superfish.
Having a vague idea what it is I wasn't happy about it, but I guess I didn't realise the full gravity of the fact it came pre-installed.
The certificates are a bigger concern, but I would guess that other good practise protected me from any security issues with them.
That said: I wasn't sure whether it was worth doing a full wipe and re-install of Windows so I have a nice clean system before this.
I am now.
Tested mine this morning after seeing an article on wired and pleased to say I'm clean. Bought an x240 a month ago. Got to say they aren't the most exciting but the 12.5" screen is the right size for me to be comfortable with and the 15-20 hr battery life is a game changer.