the fire rises
Give Acer/ASUS a try, BURN LENOPEVO
Chinese PC maker Lenovo has published instructions on how to scrape off the Superfish adware it installed on its laptops – but still bizarrely insists it has done nothing wrong. That's despite rating the severity of the deliberate infection as "high" on its own website. Well played, Lenonope. Superfish was bundled on new …
Win 8 the "...worst MS OS ever conceived"? Only if you disregard Win 98, ME, Win CE (pronounced "wince" in our office) or Vista. Un-crapwaring consumer machines from all manufacturers, phones upwards, is necessary before use. Only Arduino boards escape the extraction process... Hang on, what's that screen-printed in 3 point next to A0... pass me the emery board.
I used to like Asus kit for a long time - right up to the point where I found out the hard way that their warranty related customer service is by far the worst in the industry and in some cases outright in breach of consumer protection laws.
Lenovo permanently lost me as a customer about 2 minutes after I unboxed my Lenovo Y50-70 with the supposed 4K screen - when I discovered that it is a shitty pentile pseudo-4K screen than only has HALF of the number of subpixels that it should, making everything in "4K" look like it was printed on an '80s era dot matrix printer.
The problem is increasingly that all manufacturers (except maybe Apple) are rapidly racing to the bottom and finding a piece of kit that is genuinely good is becoming increasingly difficult.
"Give Acer/ASUS a try, BURN LENOPEVO"
Sitting here trying to fix the girlfriend's ASUS laptop that came with so much crap that I couldn't physically get rid of it, and now watching CHKDSK take a few hours to find all the bad sectors on the hard drive too.
No. But OK, so no Lenovo, no ASUS, I tried Acer once, who is left? This Samsung laptop I'm able to use because it doesn't have bad blocks isn't bad, but was fearsomely expensive.
One thing I noted when looking at the list of affected models, there is a lack of any of the business class models on that list.
Personally, the only Lenovo laptops that are/were worth buying are the business class machines in the first place. My own preference is for the T series laptops, which I've had a couple of, and numerous friends own and use them as well.
Once you get beyond that, or downgrade to the Ideapads (shudder) you are away from the original durable and reliable IP that they bought the whole brand from IBM for.
>>Lenovo won’t be getting another cent of my PC budget from now on.
Absolutely right. They won't be getting a single damned dime from me either. I don't really like Dell but I'll probably be getting whatever their business class laptop range is nowadays next time. You don't reward bad behavior if you want it to stop.
One good thing about Dell's business laptops (ie Latitudes or Precisions), they're supremely easy to open up to upgrade or replace components. There didn't used to be much crapware installed either, but I'm not sure if that's the case today (as soon as the laptop comes in it gets a fresh install from WDS).
My work laptop is a Dell, and while I could name a few brain-dead design failures it suffers from [1], it's serviceable.
And Dell's the only manufacturer I know of besides Lenovo that still sells machines with isometric "pointing stick" mice. I hate touchpads, so that's a must-have for me. (If anyone knows offhand of other brands that have 'em I wouldn't mind hearing about it.)
So yes, I expect that when my current Lenovo personal laptop needs replacement, I too will be going with Dell. It's sad; I've had a range of Thinkpads dating from the first year IBM came out with them. And I had some of IBM's earlier laptops and luggables - like the PS/Note - before that.
[1] As has every single Dell machine I've ever seen - is there something in the water there? Bizarre case-opening mechanisms. Reset buttons without mollyguards positioned right next to drive-eject buttons. Lousy power connectors. The latest laptop has a blue LED on the power cord that shines with the glare of 1000 suns and isn't affected by the (otherwise very nice) turn-off-every-single-goddamned-light hotkey. Soon I will simply give up and wrap the fucker with electrical tape.
...at least easy to break up.
Older Dell laptops were bulletproof construction-wise. Later models not quite so -- issues with keyboard mechanics (who approved that ultra-fragile butterfly mechanism under the laptop keycaps ?) and power connector burning out.
However, I was charmed by the ease of dis-assembly of the two (Irish built) heavily used D505 and D510 series models I recently took on. With luck a third will turn up and I'll be able to build one that actually fully works.
IMHO, we must make the best of a bad situation. Please, wipe the hard drive of any new purchase, including overwriting the MBR/GPT, and perform a fresh install of an OS. There simply are no vendors selling anything that does not include bloatware, at the least, if not malware. This is not new.
That's not a problem. Now THIS is a problem.
Seriously, if a corporate CTO can claim with a straight face that there's no security problem...they do deserve all the ridicule they're getting, and a good punch in the wallet.
"This begs the question; why do it then?"
For the same reason that most consumer laptops come loaded with crapware: the OEM picked up a tiny payment for each piece of unrequested bloat, but which from their perspective was pure, unadulterated profit. In the commoditised PC market, every little counts.
The hogged sectors on the disk were free (the buyer paid for that), the hogged CPU cycles were free (the buyer just had to wait a bit longer), the hogged RAM was free (again the buyer had to wait longer). We all know that the board of Lenovo won't sit round deciding what this month's suite of bloatware includes, so the decision to include Superfish would have been taken by some middle manager (at best), probably in the commercial (as opposed to technical) side of the business - marketing, if you like.
However, Lenovo's misfortune won't change practice elsewhere, and you can expect the other makers to continue to shift their wares laden with unrequested crapware, and sooner or later this sorry tale will repeat. It's a bit like the long and continuing saga of data breaches - every month the wolves have another victim, but the corporate herd merely look on and laugh as their fellow is shredded, and then continue to lumber along, slowly and stupidly doing what they always did.
California, USA is already "sue happy" with regards to shit as lowball as being served a cup of hot coffee from McDonald's, so having your computer manufacturer preload the machine with a verified security risk that facilitated ID theft? Oh yeah, Lenovo is going to get nailed to a wall by its scrotum & used like a piñata at a chav's birthday party.
I'll go get the popcorn if someone else will bring the lawn chairs...
They would most likely be sued in East Texas District as that's the preferred place for lawsuits based on ease of filing and likelihood of winning.
Think patent trolls.
They can be sued as long as it can be proved they have a "presence" in the district. If I can buy it I can prove presence.
Quick check of the Wikipedia page: they were serving the coffee at 82C at the drive-through, which is hot enough to cause third-degree burns in 12 to 15 seconds, so that it would stay hot until people got home. The jury found that the woman was partially to blame, but the fact that McDonald's admitted they were selling coffee at a temperature which wouldn't be safe to drink meant that they held the majority of the blame (the compensation was adjusted based on the balance of blame).
Coffee is served at around 100C in my house as that's the temperature it leaves the kettle after it's finished boiling. Unless in the US water miraculously boils at lower temperatures I suspect it's the same over there too. Whole thing is a sad indictment of both the US education and legal systems.
Unless in the US water miraculously boils at lower temperatures I suspect it's the same over there too
Uhhh, Bob? Albuquerque, New Mexico, where the original incident occurred, has an elevation of 5312 ft. above sea level. (Up in the Heights, to the east of the airport, the elevation goes up to over 6100 ft.) At those altitudes, water actually does boil at a temperature below 100C.
Something about keeping quiet, and being thought a fool, as opposed to opening one's mouth and erasing all doubt, comes to mind. You might wanna consider that.
Third-degree burns on her thighs and genitals. Skin grafts. Stop protecting McDonald's. They were superheating the coffee so it would stay hot for carry-out. It was going out boiling.
10 thumbs down, really? Look at this. contains a photo. Look at these burns and tell me again.
She had ten thousand dollars in medical bills. McDonald's offered her $800
This was from that hot coffee. Don't look if you have a weak stomach. How hot does it have to be to do this?
You need to see the HBO film 'Hot Coffee' to get the truth about the McDonald's incident. After viewing it you'll change your mind about it. The truth has been twisted and spun out to make McD look like the victim. Lenovo will use the same PR outfit to sway public opinion.
Metaphorically speaking, Lenovo is finished. It's just a matter of time. Even if everyone up the chain from the responsible team to the CEO were to resign, they won't recover.
It's also quite possible that "bloatware-free" will become a selling point for manufacturers, especially if Microsoft finally steps in and changes their licensing to prohibit it (which they might just do, given predictions of a declining market for PCs and the continued damage to their reputation from a continued parade of exploits).
Lenovo's newly acquired server business (from IBM) may also suffer, as discounts on laptop and desktop machines are often used as a sweetener in enterprise server hardware agreements. That whole tie-in strategy could well become a millstone around the neck of server sales, which will accompany Lenovo's business down into the depths.
Let us bow our heads and let our hair - those of us with hair of course; if your mien has floppy tentacles that's okay too - dangle toward our keyboards while we psychically project this thought upon an aetheric trajectory to light the minds of those who build and market the machines for our consumption.
"...to light the minds of those who build and market the machines for our consumption."
I couldn't agree more. That's why I am in danger of being perceived as an outdated stick-in-the-mud by never buying a laptop.
In my desktop support days I dreaded getting a call from one of the lap-top owners on the site. The damned things were a nightmare to fix, any hardware problems were almost unfixable and actually getting into the guts of the thing wasted a lot of the user's budget and my time because they were so fiddly.
Luckily, personally I have the knowledge and skills to be able to build my own desktops, that way I know what is in there and as a Linux user also what goes onto the HDD. I'm not saying that that is for everyone of course, but you do seem to pay a very heavy price for portability. The Motorola idea of a modular mobile is interesting, notwithstanding Jonathan Ive's ranting, I wonder if a modular laptop would be practical.
It is unlikely the server side of Lenovo will suffer from the consumer laptops being infected with a security threat on par with the Sony rootkit debacle. Enterprise/corporate purchasers don't buy the consumer versions of the laptops, they buy the business versions, and if you're buying Lenovo servers then you've got the cash to tell Lenovo *EXACTLY* what software gets installed on those 1,500 new laptops you'll be acquiring.
Business-grade laptops purchased in your typical corporate purchase scheme don't get a lot of cruft slapped on them, primarily because the people doing the buying have the power to say "Look, that program is crap. Don't include it or we'll take this purchase order somewhere else." If you're looking at a slip of paper potentially worth a million bucks in a single purchase order, you bend over backwards to make the customer happy so they'll give that paper/money to you rather than your competition.
The Average Joe on the street buying a Consumer grade machine as a single unit purchase doesn't have the power that a Corporation with a million dollar purchase on the line does, so Average Joe gets the security flaws while the Corporation gets what they want, only what they want, and not a bit nor byte more.
Average Joe probably won't find the problem and if he does find it, he probably won't be making another purchase for five years or so anyway.
Personally, I'd take the money and run. There will be sales on Lenovo kit and all the Linux guys will be happy to pick them up. As will anyone with an MSDN account.
No-one does a clean install? That policy may cost you. It would have cost you before (being phished), it will probably cost you in the future (you pc may be more expensive). It will certainly cost Lenovo, but I don't think I'll let it cost me.
The business machines may well be different and you may have some say over what gets installed however the comments from the CTO and CEO should be a MAJOR concern.
"The software was preinstalled on a range of Lenovo's consumer laptops, a move Peter Hortensius, the firm's chief technology officer, admitted was a mistake. But he said that there were no security risks with using software which borks HTTPS."
Any CTO who thinks that pre-installing a trusted root certificate which intercepts HTTPS and can access all your encrypted traffic, including your banking information, and which is done by a company whose software you didn't really know what it was installing on your machines, cannot be trusted to take security seriously on any device in their portfolio.
"Normally Lenovo performs due diligence on all software it preinstalls but in this case the vetting procedure was not carried out well enough, he opined."
How much vetting would it have required? Why not just ask Superfish for the exact details of what their software does?
" Superfish is completely transparent in what our software does and at no time were consumers vulnerable - we stand by this today" Said their CEO
Consumers were absolutely vulnerable, ridiculously so. If the CEO can't see this then that is even more worrying.
I am in a really difficult situation as I have been initialising a project for the last 6 months and the plan is to use some Lenovo kit - a lot of work has been done around their devices. I am now really struggling with the upheaval that not using it would bring, but I am so reluctant to carry on with them after the statements they have been releasing.
"Why? Weren't you intending to wipe the hard drive and re-install to your own specification?"
No that isn't really possible for this project (don't ask why). However that is not the point, the issue is that the trust and philosophy of a company is important and how highly they regard their customers.
If the leadership cannot even understand that what they did could pose a security risk for their customers then what hope that they keep private keys secure or use best security practices for their systems or for remote support.
For instance if their techs are not trained in best security practice and care regarding customer data what's to say a debug dump might not contain sensitive information that hasn't been sanitised and that that data isn't then treated with the respect it deserves? If Lenovo can't recognise security threats as blatant as this what hope is there that they recognise more subtle ones?
"It is unlikely the Server side of Lenovo will suffer from the Consumer laptops being infected with a security threat "
Not directly. But with clueless people at the helm, they'll bork something in servers sooner or later. Remote management cards are a prime example here. Their security sucks industry-wide. Thought that it could get even worse isn't exactly comforting. Then there's management software that all vendors are so keen to push, often claiming that only their own shitware is supported for management purposes.
Enterprise customers are able to identify threats, at least mostly, and put up a good fight. But small business just doesn't have means for it.
Yes. Exactly this. This was a colossal quality failure by their management chain and it should call into question all of their products. I was weaned back to Wintel from Apple on the back of W7 usability and Lenovo build quality, since when my go-to supplier has been Lenovo. Funnily enough, a technophobe friend was so p*ssed off with her MacBook she insisted she wanted a Windows laptop. I found her a sweet deal on an i7 Lenovo Yoga 2. I didn't have time to do the usual crapware cleanup and lockdown I would do on my own machines and sure enough within a week it was a nightmare of popups; unusable. W8 has a GREAT feature of the easy reinstall without losing data. I did this, did a proper install and she's had no problems since.
You are likely correct, since Lenovo consumer division uses different factories than Lenovo Business (formerly known as IBM's PC division) and they are pretty separate entities like all the various companies of Sony that operate independently. The last time I was dealing with doing first article inspections on OEM'd IBM servers with my previous company the former IBM PC division (Lenovo) was still in the same mfg floor as the IBM servers, but Lenovo consumer was NOT there.
HOWEVER - since it all says Lenovo on the nameplate - it still gives you pause on buying the next bit of kit from them, regardless of if its Lenovo consumer or business. Whether that is a long term pause, or short term will likely be determined by their actions in the next few weeks.
people doing the buying have the power to say "Look, that program is crap. Don't include it or we'll take this purchase order somewhere else."
Not all business grade computers are purchased by big quangos, and I'd dare to say that not even a majority of them are. Disclaimer: I don't know if they're actually adding crapware to systems sold to small/middle sized companies, as I haven't purchased or advised to purchase any Lenovo kit since the infamous brouhaha with the bubbling capacitors in the nineties.
And yes, Microsoft 'should' forbid the installation of crapware in systems sold with Windows pre-installed, but I somehow doubt they will do that. Instead they seem likely to add their own layer of crapware and force it down the user's throat, the same they tried to do with Win8 and they'll apparently do with Win10.
Fuck'em both with a shovel!.
"I haven't purchased or advised to purchase any Lenovo kit since the infamous brouhaha with the bubbling capacitors in the nineties."
You what?! We're giving Lenovo a good bollocking for the things they do, but you managed to spoil the fun with just one sentence.
- Lenovo was entirely unheard of in the nineties.
- First capacitor plague started around 2000, low-esr.com had a good article about it in 2002. Basically, a good half of the Taiwanese cap production was rubbish because of badly copied chemical composition. Fascinating story, actually, if anyone can be arsed to look it up.
- Second wave was a Chinese production in late 2000's. This time it included a lot of "mislabeled" caps (like having a 16uF cap in a bigger 47uF barrel), and counterfeits of the reputable names like Sanyo. Besides the usual noname business.
- In both waves, affected caps ended up pretty much everywhere. In PSU's, monitors, motherboards, etc, all over the world.
Well, besides these two major plague-like events, there have been lesser screw-ups every now and then. These are not so remarkable. It's quite easy to kill an electrolyte capacitor, if you don't leave a sufficient safety margin for it.
Not to give too many details, but Lenovo was selling computers and mainboards under that brand since the nineties, in my country at least. They weren't very known or popular then, but they were there nonetheless. One of my customers was bitten by the above said trouble with capacitors and Lenovo and their resellers denied everything. And yes, it was due to defective capacitors. To put it short, we had to learn the truth by ourselves, by sending one of the affected mainboards to an electronic engineering firm.
And yes, there was a similar outbreak -I think the one you refer in your post- a few years later.
And FYI, Lenovo was created in 1984 and started pushing their kit overseas sometime around 1992.
OK, if you really managed to encounter Lenovo products in the nineties... But no, I still cannot say "fair enough" about it. There was no infamous brouhaha back then. Capacitor failures have happened since their invention, for any number of underlying reasons. And an equipment vendor that'll repair things outside the warranty period is a rare sight. Must be a truly known and endemic issue (like it was in 200x) to get free service.
15-20 years is a very long time. Technologies have changed, product lines have come and gone, companies have changed. For better or worse, as the case may be. By such absolutist standards we shouldn't buy anything from anybody, ever. Because I really can't name a worldwide brand where I haven't seen a blown capacitor. Must've replaced thousands of little buggers over time.
"There was no infamous brouhaha back then"
You know that the word 'infamous' has several meanings, don't you? And I remember reading about this particular SNAFU in some computer magazine several months after the fact, and reading comments in forums during the 2000 outbreak of bad capacitors. So it wasn't the Capacitorgeddon, but neither was it a trivial matter.
Capacitor failures have happened since their invention, for any number of underlying reasons
Yeah, but if you see at least one of them -probably more- failing in every mobo served by a company, you can safely conclude that said company's quality testing process is crap.
And an equipment vendor that'll repair things outside the warranty period is a rare sight
Actually, the failures happened always in the first fortnight after purchase, with two systems being directly DOA. The replacement machines exhibited the same behaviour. The amount of work we had to do in order to move the data and reinstall the OS's was simply unbelievable.
Must be a truly known and endemic issue (like it was in 200x) to get free service.
Not in Europe. And I thought that the USA had similar rules, but I might be wrong. The reseller finally took away the systems and reimbursed my customer, after receiving a copy of the technical report and letter from the company's lawyer.
"15-20 years is a very long time..."
Sure. But I operate following a simple rule: No company screws me twice, if I can prevent it. The incident related in TFA seems to hint strongly towards Lenovo's current management having the same philosophy the company had in the nineties.
Seriously, the most infamous -or disgraceful, if you prefer- part about this incident is the way Lenovo tried to elude their responsibility. At first, they claimed the issue was caused by failures in the customer's leccy supply and/or the grounding. Luckily, the customer's electrical installation had been certified a few weeks before the purchase, so Lenovo and the reseller had to look for a different explanation.
The next step was a meeting full of weaselspeak where they hinted -without saying it clearly- that the affected computers had been sabotaged. We had none of it, of course, and shortly after sent one of the units to an electronics firm for the forensic examination.
After the events, I learned that other people had been having the same issues MONTHS BEFORE MY CUSTOMERS ORDERED THE MACHINES!!!
When Lenovo acquired IBM's PC division, my first reaction was of incredulity and a lot of profanity. ;-)
Thanks for sharing. Looks like you had a real scam pulled on you. Sorry for the doubts and geeky behaviour (hey, grab your keyboards, somebody seems to be wrong on the Internet! :-) )
This case wouldn't be any different between US/Europe. Refusal to fix DOA products is intolerable on either side of the pond. I assumed incorrectly that capacitors failed just outside the normal warranty, which is the most typical situation. And there it starts to depend on the context - is the problem widespread enough to justify a warranty extension, what's the cost/benefit ratio, is the component supplier willing to share costs, etc. Reputable names have done it occasionally. Albeit they don't advertise it outside the partner network. Public recalls are mostly for the safety-related issues like flaming batteries and dodgy power parts.
Anyhow, there's a saying that it's the ability to handle big screw-ups that separates boys from men. Some say even this is not enough - a real man has to cause a serious blunder first, then clean it up, and learn his lessons on the way.
Let's see how present-day Lenovo handles things. At first, the CTO managed to pour oil on the fire, but over the weekend they pulled a U-turn. That's slightly better than the usual "you're holding it wrong" crap we've been accustomed to.
I'm having trouble focusing on Lenovo as the primary culprit here. Yeah, they done wrong. They even done wrong in a big time way, but these days, it's just par for the course.
Right now I'm hoping never to buy another Microsoft-infested machine. It was the end of so-called support for Windows 7 that finally blew my fuse. It's not as though the thing that Microsoft laughably calls support has ever been worth anything, but at least it was a nice theory. Okay, I'm exaggerating a bit. I think I actually have found some useful information there, but mostly I remember all the times when I found nothing but infinite loops. The feeling is 2% success, but it might have been as high as 10% averaging over the last couple of decades...
Of course the punchline is that Microsoft is doing just fine. Terrible software is NOT a problem. Customer satisfaction? Pshaw. All you need is a EULA to disavow all responsibility and a sales strategy selling to the vendors, not the end victims.
Sadly, maybe I'll have no other choice. The google has clearly gone to the EVIL side, and Chromebooks seem too limited anyway, whereas Apple has always been more of a fashion statement than an exercise of meaningful freedom... Ubuntu? Ah, that was a sad joke, though it might be the most "successful" of the Linux failed economic models. *sigh*
It's not just Superfish. Lenovo laptops sold in Japan come with Baidu IME (software that allows you to type Japanese on a qwerty keyboard). Baidu is the Chinese equivalent of Google. I was tidying up a relative's PC when I noticed it, and was puzzled. Windows has its own perfectly acceptable IME software, so who would bother to write a pointless replacement?
The answer came when I put a proper firewall on the laptop. The Baidu IME software was trying to open a network connection every time you typed anything into a web page: passwords, the lot.
So that got uninstalled very quickly.
I'm not one to leap to conclusions and point, but there is a big problem with Internet banking fraud in Japan, originating mostly in China. And Lenovo sell a lot of laptops in Japan.
The mindset revealed is astonishing. This wasn't even covert, the software's behaviour was plain as day to anyone willing to go looking for it. Who in their right mind would think that customers wouldn't notice and wouldn't care even if they did? It's the sort of thing that can wipe out entire markets, it's a helluva risk, yet they took that risk. Are they fond of Russian Roulette?
The "maximum money now no matter the consequences" attitude will be their undoing. Consequences have a way of accumulating exponentially...
The private key is stored as a string in the adware program package software.
Hey guys, the bank safe is uncrackable, don't worry.
For ease of use, I just set the clock to allow 24hr entry, taped the combination knob key to the door and wrote the combination code on the front with a jumbo indelible felt marker.
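The two points made above (a preinstalled root that lets the vendor read HTTPS, and a private key shipped inside the package so the "safe" is open to anyone who extracts it) as an added, runnable example that is not part of this thread and is not Superfish's or Lenovo's own code: it mints a constructed stand-in root named "Superfish, Inc.", forges a server certificate for the made-up hostname bank.example with the shared root key, shows that the forgery validates only while the rogue root sits in the trust store, and includes the check a practitioner would run over a validated chain to spot such a root by vendor name. The vendor name, hostname and denylist are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// rogueRoot stands in for a preinstalled interception root whose private key
// ships in the same package as the certificate (constructed stand-in, not real key material).
type rogueRoot struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRogueRoot mints a self-signed CA certificate carrying the vendor's name.
func newRogueRoot(vendor string) (*rogueRoot, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{vendor}, CommonName: vendor},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &rogueRoot{cert: cert, key: key}, nil
}

// forgeLeaf signs a server certificate for any hostname with the shared root
// key: exactly what anyone who lifts the key out of the package can do.
func (r *rogueRoot) forgeLeaf(host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, r.cert, &leafKey.PublicKey, r.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyWith reports whether a client with the given trust store accepts leaf for host.
func verifyWith(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// interceptedBy builds the chain the client would accept and flags it when any
// certificate in it carries a known interception vendor's name. A chain that
// fails validation is reported false: that is a visible failure, not a silent MITM.
func interceptedBy(leaf *x509.Certificate, host string, roots *x509.CertPool, vendors []string) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		for _, c := range chain {
			name := strings.ToLower(c.Subject.CommonName + " " + strings.Join(c.Subject.Organization, " "))
			for _, v := range vendors {
				if strings.Contains(name, strings.ToLower(v)) {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	root, err := newRogueRoot("Superfish, Inc.")
	if err != nil {
		panic(err)
	}
	leaf, err := root.forgeLeaf("bank.example")
	if err != nil {
		panic(err)
	}
	poisoned := x509.NewCertPool() // a trust store where the rogue root was preinstalled
	poisoned.AddCert(root.cert)
	fmt.Println("forged leaf accepted with rogue root trusted:", verifyWith(leaf, "bank.example", poisoned))
	fmt.Println("forged leaf accepted once the root is removed:", verifyWith(leaf, "bank.example", x509.NewCertPool()))
	fmt.Println("chain flagged by vendor name:", interceptedBy(leaf, "bank.example", poisoned, []string{"superfish"}))
}
```

The third line of output is the practical takeaway: removing the Superfish root from the machine's store is what makes the second check fail, and a name-based chain inspection like interceptedBy is how you find out whether a machine you did not wipe still trusts it.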
" ... It'll be sad to let go of my laptop when it reaches end of life, ..."
My ten year old Acer Travelmate 8000 (15" 4:3 matte screen) was very much revitalised by an SSD drive with Linux (Mint) installed on it. It's now the computer (out of four that I have) that gets the most use. I'd recommend it, give it a try.
After years of concluding that Linux was too beardy and incomplete, I was strongarmed by a friend into trying Peppermint (as far as I understand it, a Lubuntu spinoff that sort of combines local disk with cloud programs).
I like it. Fast and works well (without driver issues !!) on the first two machines I tried. Failed on one with an Intel Mobile CPU (issue with CPU maximum memory addressing or something).
It's not going to replace Windows yet for me, but is now on my internet browsing machine of choice. Here's hoping this really is the future, this time.
Similar idea here. I have a 5-year-old ThinkPad X201. With an SSD, a memory upgrade and a replacement keyboard, it's been completely re-vitalised. And it has a 16:10 screen unlike the 16:9 crap that Lenovo (and everyone else) insist on sticking onto all their computers these days. There's no reason why older laptops can't be easily revitalised with a couple of quick upgrades, then no new laptop is required - malware or otherwise.
Mint is fresh for me here too on an Asus laptop. I am quite happy with my Asus K53 and LMDE which has both cinnamon and mate desktops installed. I use the latter. It has i5 (dual core) on it and builds my Debian kernels from source for 45 minutes (ARM cross compilation takes only 10 minutes though). Barely ever get to the half of the 8 gigs o'RAM. A great Linux laptop it is.. perhaps only needs a new battery for now. Awaiting a replacement from ebay costing $14 for me.
This is not a new machine (4-5 years now), however it's almost perfect for my needs. Came with a UEFI option, while not active with Windows 7. Installing GNU/Linux was much more straightforward back then; can't comment on how the preinstalled Windows was bloated, though...
Try one of the "boutique" vendors. I got my last laptop from Sager (they sell rebranded Clevo laptops) and I don't think it came with anything besides the OS and drivers. Those companies also have the benefit that you've heard of the companies that produce the parts in the machine. You're not getting some hardware that'll self-destruct in a year just to save the OEM 5¢. A lot of them have better options for hardware configurations and still manage reasonable prices.
lolwut? Apple weren't even validating SSL certs, arguably an even worse situation for the end user.
And yet, they issued an actual fix for that pretty quickly. Fixing the goto fail issue involved downloading the most recent update, while fixing SuperFish requires at least two actions, with at least one requiring the user to do advanced stuff (removing a root CA) by themselves.
You don't get this shit with Apple because you pay a minimum of £749 for a laptop, and at that price, there's plenty of profit margin. If Apple tried to sell a £300 laptop, they'd be stuffing crapware on it too.
It's really a problem that infests so much of life, that people buy on price rather than value. You can get a £379 Thinkpad Edge from Lenovo and at worst you can describe the pre-installed stuff as "maybe useful", like an Office trial, or a copy of Picasa. And they're solid machines. But a lot of people will look at that next to a £239 Dell Inspiron and go for the Dell.
You don't get this sort of shit from Apple because there are no Apple OEM's.
This is not Microsoft's fault per se. They didn't put this software in the image for Lenovo laptops, Lenovo did. Had they also been an Apple OEM and Linux OEM, they would have put the same or similar on those laptop images also.
This is why I'm surprised Microsoft hasn't tried harder to stop the spread of bloatware on OEMs machines. The practice isn't doing Windows/Microsoft any good.
It's like Ferrari producing a fine car and then the dealership slaps loads of cheap sun strips, fluffy dice, novelty horns, beaded seat covers and furry steering wheel covers on it.
The moans from customers are rarely about Windows itself, it's the issues caused by old bloatware they have never dared remove.
Got my mum a cheap HP laptop at Christmas and actually only removed the crapware I could see (I didn't have a spare USB key at the time to burn the image to a device and reinstall the OS). May have to start checking for anything hidden such as this.
but now a sign of age is beginning to detect the true content of the offering, "waiter this salad contains a turd".
I used to love the IBM Thinkpads.
It's the wider technology mindset which allows this sort of "I didn't think it would matter!" slip.
I just "upgraded"(?) to latest Android on my company phone and it was keen to report back all I do, keep track of who I connect with, locate me to a fine degree on the planet etc.
For goodness sake fuck off, seriously.
They seem to have acquired the mindset that anything I buy, anything I use, anything I watch, anything I even look at should be a channel for advertising.
For things I don't need, want, or have any intention of buying.
It's not difficult, boys. Advertising *doesn't* work; if it did, there'd be nothing on the shelves and we'd all have six cars. So stop buggering about trying to attract my attention because I don't have one.
if it did, there'd be nothing on the shelves and we'd all have six cars
The goal of advertising is not to increase the available wealth of the target, but to have him allocate wealth differently than it would have been done otherwise.
And seeing how people are in debt up to their eyesockets while still having three cars....
"The goal of advertising is not to increase the available wealth of the target, but to have him allocate wealth differently than it would have been done otherwise."
And it's very effective. I quite frequently reallocate my business away from companies who pester me.
Of course advertising works:
1) Blanket advertising: the idea is to gain mind share and thus market share, i.e. buy Coke rather than Pepsi, McDonalds rather than Burger King. Which brands have you heard about most? This is how X-Factor et al work. The idea is not that they will make people buy who don't want it, but to exclude alternatives from the market, so someone in the market for teeny-pop doesn't go and buy the "wrong thing."
2) Blanket advertising: to tip those "on the edge of purchasing" over into buying. Just before lunch? There will be a fast food advert for you to get you to a fast-food restaurant rather than make your own food. Nobody needs chewing gum, adverts won't tell anything new about gum, but the reminder is there to get gum-chewers to buy it.
3) Brand positioning: This is the kind of person who drives an SUV. If you want to be this kind of person, you need OUR SUV, not a hatchback and not an SUV for plebs.
Tell a big enough lie often enough and people will accept it even if they don't consciously believe it. Without advertising, consumption would drop overall and there would probably be more new entrants into the market.
@Neil Barnes: This is the problem: "Advertising *doesn't* work"
Some of the smarter advertisers know this. They know their jobs are less than worthless (in that a lot of advertising probably harms the brands being promoted), and built on a lie, and they're panicking, because their clients will find out, sooner or later. Advertisers and clients know consumers are getting fed up with the constant bombardment, but it's a race to the bottom.
The problem is, advertising DOES work. Granted, it doesn't work 99.9% of the time, but that inane bombardment is the price we all pay for the 0.1%.
The key is it only works where a decision was going to be made (or close to being made) anyway, e.g. I don't know what I'm having for tea tonight and I cannot be arsed making anything - oh hey, I've got a flyer from the new pizza place in my letterbox. Or - I really should invest in a new car soon - hey, the new VW Polo is under ten grand.
To put it another way, advertising is temptation trying to find a moment of weakness. But because marketers know practically nothing about you for all their profiling and demographic 'work', the carpet bomb approach is all they have to go with at the moment. Which is why Facebook and Google are frantically trying to get you to give up every last piece of data about yourself - they are convinced there is a 'Holy Grail' of advertising somewhere in that information that will allow them to deliver ads only to eyeballs that are most likely to be receptive.*
*Suddenly occurs to me this is why Google became one of the corporate Goliaths so quickly - you can't not tell Google about what you are interested in if you use their services because telling Google what you want is an inherent part of the search service. If I'm Googling around for a red bomber jacket, Google can't not discover I'm currently interested in clothes even if they wanted to.
This is the problem: "Advertising *doesn't* work"
Some of the smarter advertisers know this. They know their jobs are less than worthless (in that a lot of advertising probably harms the brands being promoted), and built on a lie, and they're panicking
Yes. Yes. Yes. Yes. No!
They aren't panicking in the slightest. Although advertising is largely bollocks, the client doesn't know that and feels they have to compete with their competitor. It's nothing to do with the advertising company or the consumer, ad spend is driven by corporate fears of loss of business.
As companies go to the wall, they will often spend more and more on advertising in some mad attempt to bring in more revenue.
Of course advertising "works". You need laundry detergent. You have a choice of buying Persil or Brax. Which do you think most people would buy? Your baby needs feeding. Do you open a jar of Heinz baby food or Nubb baby food?
You need a new HDD. Western Digital or Saamdal?
A new car - Ford or Rulink?
We all tend to choose the familiar over the unfamiliar for day-to-day products. Take a guess at why the familiar names have become so familiar.
"Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping," Lenovo said in a statement on Thursday.
Apparently, Lenovo ships about 30 million units p.a. Making the assumption that half of them are "consumer" notebooks, this "short window between September and December" translates into something like up to five million affected devices. Clearly, there is no need for immediate concern.
I also like (not) how they describe "inserting unwanted ads" as "helping customers potentially discover interesting products while shopping".
Having been a big fan of ThinkPads in the past, I'm quite worried by this. And not only by the incident itself, which seems to be distressing enough, but also by the meaningless or even misleading statements from their PR units. To regain consumer confidence, Lenovo needs to be fully transparent on this; own the problem, then own the solution. I'm quite disappointed.
And is this a security company???
I can see legit use for that as long as you are inspecting your SSL sessions for some good reason, but an SDK sold to anybody doesn't look really a "security product", especially if it lets you alter the session.
Except that I couldn't even buy a UK lenovo a year or so ago which didn't come with windows,let alone a disk, when the exact same model was available in Europe for a lot less.
Having said that, I'm conflicted by this story, even though it only affected the consumer end of the market. The keyboard on the E145 on which I am typing this went berserk a few months back, and I steeled myself for the inevitable series of stumbling blocks the support line would place before me. Instead, I spoke to someone knowledgeable at the first step, who, within 5 mins, had arranged for a replacement keyboard. The keyboard arrived the following morning, by courier, who had driven from Greenock to our remote and rural location in north west Scotland.
The moral of the story - it's the marketeers who should be moved to the B ark as soon as possible.
I have a 7-year-old Thinkpad; rescued it from a bin some four years ago (it has scratches on its screen, not a problem at all for something you intend as a server, especially since over ssh or VNC the scratches don't matter) and obliterated all traces of Windows, including recovery partition. Then installed Linux.
Today it acts as my "dirt cheap home file server and P2P node" Not much storage but enough for the purpose. Thanks to Superfish, when the current one breaks I'll hopefully have some second hand Superfished Lenovos to choose from.
OK, I'm not a lawyer, but from my reading of the Act, it looks to me as if Lenovo, by knowingly installing what constitutes backdoors and password-snoop-capable malware into systems sold in the UK, without the buyers' knowing consent, may be in breach of sections 1, 2 and 3A of the Computer Misuse Act 1990.
I think it's about time to get the National Crime Agency involved, and nail the relevant directors of Lenovo UK to the wall.
I was wondering if anyone had flagged this to their bank as a phishing attempt. A few of the banks seem to have started to think about security properly, so you might raise some excitement there if you're trying to shake things up a bit. Presumably a side-channel handshake is the only protection against a wide-open PC?
My wife's lovely touch-screen ASUS laptop has just failed yet again. It's the third time since she bought it WAAAAAY back in October 2013. Since then it's had a new hard drive and then a complete replacement motherboard....... which appears to have packed up just 4 months later. Appalling, and now out of warranty too. Never again. Four hundred smackers down the drain after just 16 months. I wouldn't mind but it's had very light use and has never been dropped or abused in any way. Piss poor.
Because I like to fix PCs and Laptops, someone brought me yet another ASUS laptop last year and that too had total motherboard failure just a couple of months after the warranty expired. I'm still scanning Ebay in the vain hope that I can buy a cheap donor machine but no luck yet.
I've seen way too many Dell and HP machines with motherboard failure (mostly to do with Nvidia GPUs I hasten to add).
Looks like I won't be considering a Lenovo replacement as they appear to have just decided they don't much care for the home consumer marketplace with their rather unfortunate strategy.
From experience Toshiba make the most reliable machines, but even those have suffered from failed power supply sockets..... a cheap part but a pain in the ass to replace. A severe case of penny-pinching when you consider how much punishment they take. Someone else used the term "race to the bottom" in their posting..... it would appear to be true, sadly.
Quit buying consumer-grade cr@p from Best Buy, and look at off-lease commercial grade hardware.
I've had good luck with Dell stuff, which is what we use at work. Not Inspiron, which is their consumer junk, but the mid-range Latitudes. I'm currently using an E6430, which is holding up quite well after 3 years.
You don't want something too high-powered, because Dell do have a reputation for trying to cram too many BTUs into a poorly ventilated package, and their "high performance" video cards tend to become "no performance".
Anyhow, that's what I use. And a mid-tower, which has multiple DVD drives and such, and is extremely well ventilated. Both, of course, run Linux Mint.
There are always examples and counterexamples. Asus U35 happens to be well-engineered. Had to take one apart after a domestic accident, it was a pleasant surprise. Still works, too.
Basically, brand doesn't mean much, all mentioned companies have produced lemons every now and then.
Hmmm... when I bought my daughter a Lenovo G50-70 for Xmas, it was chosen specifically because it was one of the few easily available £300ish laptops that was Linux friendly with minimum of fuss. Said daughter wanted a laptop she could use to dual boot Windows (for League of Legends) and Mint (for everything else) and I think that machine turned out to be the only one in the price range that had basic requirements like allowing the secure boot to be disabled, out-of-the-box driver compatibility, separate left + right click buttons so you can click both to simulate a middle click, etc.
Much as I'm annoyed by Lenovo having done this, I have to admit that faced with the same choice again, if the other manufacturers are going to create arbitrary obstacles which outright prevent me from choosing which OS I want on a machine that I own, I'd have to go for the same model again. Sadly we as consumers are getting increasingly less choice in this area as time goes on. And look at it this way, Lenovo won't dare do it again now, will they?
In a way, they just forgot to pretend the Emperor is wearing clothes.
Ok, so this is actually a massive fail for them, but as I see it the real lesson that should be taken off this is that the hierarchical topology of the X509 public key infrastructure (that's the Emperor I'm referring to) is a terrible fit for the Internet and should a priori never be trusted.
Just take a look at the list of CAs that comes by default with any browser installation and tell me you actually trust every one of those.
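The root-CA removal step mentioned earlier in the thread and the "look at the list of CAs" point above both come down to auditing the Windows trust store. This is an added PowerShell example, not Lenovo's removal instructions or code from the page; the 'Superfish' subject match and the baseline file path are assumptions.

```powershell
# Added example, not Lenovo's or the page's own code. Lists trusted roots that
# either match a name pattern (default 'Superfish', an assumed subject string) or
# carry a private key on this machine, which no legitimate public root should.
function Find-SuspiciousRoots {
    param(
        [string]$NamePattern = 'Superfish',
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $reasons = @()
            if ($_.Subject -match $NamePattern) { $reasons += "subject matches '$NamePattern'" }
            if ($_.HasPrivateKey)               { $reasons += 'private key present in root store' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Reason     = ($reasons -join '; ')
                }
            }
        }
    }
}

# Flag any root not present in a baseline of thumbprints captured from a clean
# image. The baseline file (one thumbprint per line) is an assumed input.
function Compare-RootBaseline {
    param([string]$BaselinePath = 'C:\audit\root-baseline.txt')
    $baseline = Get-Content -Path $BaselinePath | ForEach-Object { $_.Trim().ToUpper() }
    Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
        Where-Object { $baseline -notcontains $_.Thumbprint.ToUpper() } |
        Select-Object Subject, Thumbprint, NotAfter
}

Find-SuspiciousRoots | Format-Table -AutoSize
# After confirming a hit, an elevated shell removes it, e.g.:
#   Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -match 'Superfish' | Remove-Item
```

Removing the certificate alone does not uninstall the software that installed it, which is the second of the two actions the earlier comment refers to.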
"Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping," Lenovo said in a statement on Thursday.
Hey, Lenovo! If I want to "discover interesting products", I can do that myself without your help, assholes...isn't that what Google is for?
The only unanswered question was posed by John BonerBoehner: "What I want to know is, who's going to jail?"
... this is the sort of access (AND source code, please) the PRC government is now insisting American manufacturers provide for products sold there? Or that many if not most of those "American" products (and parts for all the rest) sold ** outside** the PRC are probably made in the factories that will do the dirty-work?
Superfish's developers may have got their code. Komodia is a computer security firm which makes software called SSL Digestor, which works in a very similar way to Superfish to break SSL encryption and inject advertising.
My idle mind wonders if there isn't a fourth party involved in this debacle...an advertising provider, would be my guess, who made a deal to obtain what appears to be an image search engine from Superfish (whose website doesn't indicate that they're a platform for ads) and an ad-insertion mechanism from Komodia (whose website doesn't indicate that they're in the ads business, but does give off a slightly creepy vibe), and combined them with a view towards making money by having Lenovo install it for them, and then serving ads through it.
Just wondering how deep the rabbit hole goes here.
... what can easily be explained by stupidity.
Let me explain the thought process:
Superfish contacts someone in the Lenovo marketing department with a wizard scheme for making them both money. They'll put a little bit of harmless software on the laptop that will watch people browsing and work out how to target adverts better. Superfish make money selling the software, Lenovo get a share of the extra ad revenue.
Nothing excites a marketing exec more than the prospect of extra money with zero effort so (with great aplomb and an infinite lack of technical knowledge) the deal is done.
Doubtless someone in the technical side of Lenovo protested that this was a very very very (repeat to the n+10 power) bad idea, but the siren call of free dosh drowned them out.
Fast forward and it all comes out: the software is neither harmless nor safe (as well as being a blatant privacy violation) and you can hear the sound of butts being covered all the way up to the top. Doubtless, someone on the technical side will get slapped around for not preventing it (and the email archives will mysteriously get eaten by some advanced data-rot) and the head of marketing will have to curtail their next round of official bonuses (although the flow of small brown envelopes will continue).
Thinkpad 600x. Thinkpad A20P. Thinkpad T30. Thinkpad T61P. Thinkpad W530. These are all my old friends who have traveled, worked, and collaborated with me over the last 15 years.
I am sad to see Lenovo so willingly violate the trust of their customer base. Today it was only adding stuff to pre-built machine images. What will they do tomorrow? Add it to the drivers so that even if I nuke & pave the machine they are still violating me?
It is a shame that trust, so difficult to earn, is so easily thrown away. I don't see how Lenovo can regain my trust, but I do hope they will try. And it will take more than words of denial to do so.
I don't think so. The Independent is the only consumer-oriented news source on the first page of a Google search for "lenovo malware." Forbes and CNNMoney have articles, but does the average PC buyer read them? ThinkPads, darlings of the business community, were spared. Even if Bob Bloke reads about the "firestorm," we've all dealt with enough non-techies to know they have a short memory span, and don't understand what such malware does anyway.
While I agree that Lenovo should be subject to the BOFH's cattle prod for this, I think speculation on their imminent plunge off the cliff as a result is greatly exaggerated. And we probably can assume Lenovo will be more careful in the future. They execute incompetent business managers in China. Not that the other PC mfrs will learn from this. Lenovo could, by default, become the laptop source of choice.
"The Independent is the only consumer-oriented news source on the first page of a Google search for "lenovo malware."
Print edition of the Financial Times this morning: teaser on front page with continuation towards the back. Hint: this is the one the MD and accountant read. Front page below the fold on BBC with link to Technology article. Hint: this is the one your MP/councillor/non-exec Director/School governor reads.
Corporate channel managed kit not affected but perceptions will suffer methinks...
Then someone discovered 'The Long Tail'....
and invented X-Factor....
Fortunately you, as a commentard, can vote for a Politician in order to get crap such as this sorted out.
Lenovo should speedily reach out to linuxmint.com to become their partners. Start offering, at least as an option, a preinstalled Linux Mint/LMDE on their machines to sort out all the mess they've created while working with their current partners. I would consider buying it then...
Well, how else can these PC manufacturers offer cheap desktop and laptop PCs to the average joe? We're just a greedy bunch that has forced PC prices down to what they are. People complain about how expensive Macs are, so we resort to PCs filled with crapware to the brim just because they're a lot cheaper! If you want bloat-free PCs, then pay the price.
This isn't new; this isn't restricted to Lenovo or the computer business.
The corporate world lost its way many years ago.
Confusion marketing; where packages are assembled with so many variables which only slightly differ it's impossible to do meaningful comparisons.
Bundling where you can only have the product or service you actually want if you buy a whole lot of stuff you don't.
Contracts which tie you in for so long it's almost impossible to remember to end them.
"Loyalty fucking" where anybody who renews a contract takes it up the arse while new customers get a free blow-job.
"No you don't" purchasing where you think you've bought something - a copy of Windows, say - only to find out you haven't, you've only rented it or you can only use it in months with an R in them or some other similar shit.
I'm sure Reg readers can think of many more practices which can't stand the light of day.
"Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping,"
Er no Lenovo. It was included because you sought to profit by inflicting crapware / adware / spyware on your customers. You're not alone in doing this - vendors like HP, Dell etc. preinstall crap because a substantial percentage of users will never remove it. You just took it one sleazy step further.
It's very simple to fix. Do not install anything except Windows. If you absolutely must, put some programs in a single folder and allow people to electively install them. It's not hard.
Biting the hand that feeds IT © 1998–2022