So long, Lenovo, and no thanks for all the super-creepy Superfish

Chinese PC maker Lenovo has published instructions on how to scrape off the Superfish adware it installed on its laptops – but still bizarrely insists it has done nothing wrong. That's despite rating the severity of the deliberate infection as "high" on its own website. Well played, Lenonope. Superfish was bundled on new …

  1. Anonymous Coward

    the fire rises

    Give Acer/ASUS a try, BURN LENOPEVO

    1. Anonymous Coward

      "Give Acer/ASUS a try, BURN LENOPEVO"

      Asus???? Mmh, must respectfully disagree! Their netbooks were wonderful, but their gaming rigs and high-end media laptops aren't as great... (Hardware display issues causing NVIDIA card + Asus laptop to hang)...

      +1 Comment by Reg man Iain Thomson

      1. obrien

        Re: "Give Acer/ASUS a try, BURN LENOPEVO"

        After a couple of really bad experiences of terrible build quality and even worse customer service, Asus will never see a penny from me again.

    2. Daniel B.
      Boffin

      Re: the fire rises

      Maybe ASUS. But Acer isn't going to see my money, I got burned enough back in 2011 with crappy Acer laptops. Nevermore!

      Still, neither will see my money as long as they sell Win8-only laptops. I'm not going to pay for the worst MS OS ever conceived.

      1. wobbly1

        Re: the fire rises

        Win 8 the "...worst MS OS ever conceived"? Only if you disregard Win 98 ME Win CE (pronounced wince in our office) or Vista. Un-crapwarering consumer machines from all manufacturers, phones upwards, is necessary before use. Only Arduino boards escape the extraction process... Hang on, what's that screen printed in 3 point next to A0... pass me the emery board

        1. Andy Gates

          Re: the fire rises

          WinCE is like Highlander 2. We just don't talk about it.

    3. Gordan

      Re: the fire rises

      I used to like Asus kit for a long time - right up to the point where I found out the hard way that their warranty related customer service is by far the worst in the industry and in some cases outright in breach of consumer protection laws.

      Lenovo permanently lost me as a customer about 2 minutes after I unboxed my Lenovo Y50-70 with the supposed 4K screen - when I discovered that it is a shitty pentile pseudo-4K screen that only has HALF of the number of subpixels that it should, making everything in "4K" look like it was printed on an '80s era dot matrix printer.

      The problem is increasingly that all manufacturers (except maybe Apple) are rapidly racing to the bottom and finding a piece of kit that is genuinely good is becoming increasingly difficult.

    4. DavCrav

      Re: the fire rises

      "Give Acer/ASUS a try, BURN LENOPEVO"

      Sitting here trying to fix the girlfriend's ASUS laptop that came with so much crap that I couldn't physically get rid of, and now watching CHKDSK take a few hours to find all the bad sectors on the hard drive too.

      No. But OK, so no Lenovo, no ASUS, I tried Acer once, who is left? This Samsung laptop I'm able to use because it doesn't have bad blocks isn't bad, but was fearsomely expensive.

      1. Jamesit

        Re: the fire rises

        "No. But OK, so no Lenovo, no ASUS, I tried Acer once, who is left?"

        I have had no problems with MSI.

    5. Josh 14

      Re: the fire rises

      One thing I noted when looking at the list of affected models, there is a lack of any of the business class models on that list.

      Personally, the only Lenovo laptops that are/were worth buying are the business class machines in the first place. My own preference is for the T series laptops, which I've had a couple of, and numerous friends own and use them as well.

      Once you get beyond that, or downgrade to the Ideapads (shudder) you are away from the original durable and reliable IP that they bought the whole brand from IBM for.

  2. FrankAlphaXII

    >>Lenovo won’t be getting another cent of my PC budget from now on.

    Absolutely right. They won't be getting a single damned dime from me either. I don't really like Dell but I'll probably be getting whatever their business class laptop range is nowadays next time. You don't reward bad behavior if you want it to stop.

    1. phuzz Silver badge

      One good thing about Dell's business laptops (ie Latitudes or Precisions), they're supremely easy to open up to upgrade or replace components. There didn't used to be much crapware installed either, but I'm not sure if that's the case today (as soon as the laptop comes in it gets a fresh install from WDS).

    2. Michael Wojcik Silver badge

      My work laptop is a Dell, and while I could name a few brain-dead design failures it suffers from,¹ it's serviceable.

      And Dell's the only manufacturer I know of besides Lenovo that still sells machines with isometric "pointing stick" mice. I hate touchpads, so that's a must-have for me. (If anyone knows offhand of other brands that have 'em I wouldn't mind hearing about it.)

      So yes, I expect that when my current Lenovo personal laptop needs replacement, I too will be going with Dell. It's sad; I've had a range of Thinkpads dating from the first year IBM came out with them. And I had some of IBM's earlier laptops and luggables - like the PS/Note - before that.

      ¹ As has every single Dell machine I've ever seen - is there something in the water there? Bizarre case-opening mechanisms. Reset buttons without mollyguards positioned right next to drive-eject buttons. Lousy power connectors. The latest laptop has a blue LED on the power cord that shines with the glare of 1000 suns and isn't affected by the (otherwise very nice) turn-off-every-single-goddamned-light hotkey. Soon I will simply give up and wrap the fucker with electrical tape.

      1. Fihart

        @ Michael Wojcik Dell not unbreakable but....

        ...at least easy to break up.

        Older Dell laptops were bulletproof construction-wise. Later models not quite so -- issues with keyboard mechanics (who approved that ultra-fragile butterfly mechanism under the laptop keycaps ?) and power connector burning out.

        However, I was charmed by the ease of dis-assembly of the two (Irish built) heavily used D505 and D510 series models I recently took on. With luck a third will turn up and I'll be able to build one that actually fully works.

    3. Jaybus

      IMHO, we must make the best of a bad situation. Please, wipe the hard drive of any new purchase, including overwriting the MBR/GPT, and perform a fresh install of an OS. There simply are no vendors selling anything that does not include bloatware, at the least, if not malware. This is not new.

  3. phil dude
    Black Helicopters

    thank you Rob Graham

    For an elegant demonstration we are not paranoid enough...

    P.

  4. Winkypop Silver badge
    FAIL

    "Superfish wasn't a major contributor to the manufacturer's bottom line"

    This begs the question; why do it then?

    1. Anonymous Coward

      Re: "Superfish wasn't a major contributor to the manufacturer's bottom line"

      Why indeed?

      I fancy Superfish will be a major contributor to the manufacturer's bottom line, but in a negative sense. And serves them bloody-well right.

      1. Solmyr ibn Wali Barad

        Re: "Superfish wasn't a major contributor to the manufacturer's bottom line"

        That's not a problem. Now THIS is a problem.

        Seriously, if a corporate CTO can claim with a straight face that there's no security problem...they do deserve all the ridicule they're getting, and a good punch in the wallet.

    2. Anonymous Coward

      Re: "Superfish wasn't a major contributor to the manufacturer's bottom line"

      "This begs the question; why do it then?"

      For the same reason that most consumer laptops come loaded with crapware, that the OEM picked up a tiny payment for each piece of unrequested bloat, but which from their perspective was pure, unadulterated profit. In the commoditised PC market, every little counts.

      The hogged sectors on the disk were free (the buyer paid for that), the hogged CPU cycles were free (the buyer just had to wait a bit longer), the hogged RAM was free (again the buyer had to wait longer). We all know that the board of Lenovo won't sit round deciding what this month's suite of bloatware includes, so the decision to include Superfish would have been taken by some middle manager (at best), probably in the commercial (as opposed to technical) side of the business - marketing, if you like.

      However, Lenovo's misfortune won't change practice elsewhere, and you can expect the other makers to continue to shift their wares laden with unrequested crapware, and sooner or later this sorry tale will repeat. It's a bit like the long and continuing saga of data breaches - every month the wolves have another victim, but the corporate herd merely look on and laugh as their fellow is shredded, and then continue to lumber along, slow and stupidly doing what they always did.

    3. Anonymous Coward

      Re: "Superfish wasn't a major contributor to the manufacturer's bottom line"

      "This begs the question; why do it then?"

      The oldest reason in the world; overarching greed for the last ounce of profit trumps a diminishing amount of common sense.

  5. Shadow Systems

    Cue the ClassAction lawsuits in 3... 2... 1...

    California USA is already "sue happy" with regards to shit as lowball as being served a cup of hot coffee from McDonalds, so having your computer manufacturer preload the machine with a verified security risk that facilitated ID Theft? Oh yeah, Lenovo is going to get nailed to a wall by its scrotum & used like a piñata at a Chav's birthday party.

    I'll go get the popcorn if someone else will bring the lawn chairs...

    1. asdf

      Re: Cue the ClassAction lawsuits in 3... 2... 1...

      They better be more worried about the shareholder lawsuits because they are admitting there is very little upside to this and they are about to see a whole lot of downside.

      1. James Anderson

        Re: Cue the ClassAction lawsuits in 3... 2... 1...

        They are based in the People's Republic of China -- I doubt they have such a thing as shareholder lawsuits.

        1. Mark 85

          Re: Cue the ClassAction lawsuits in 3... 2... 1...

          And California probably can't touch them because of them being in China.

          1. midcapwarrior

            Re: Cue the ClassAction lawsuits in 3... 2... 1...

            They would most likely be sued in East Texas District as that's the preferred place for lawsuits based on ease of filing and likelihood of winning.

            Think patent trolls.

            They can be sued as long as it can be proved they have a "presence" in the district. If I can buy it I can prove presence.

    2. Dana W

      Re: Cue the ClassAction lawsuits in 3... 2... 1...

      The Woman with the McDonald's coffee had third degree burns on her thighs and genitals, she had to have multiple skin grafts. That is not "sue Happy" that was justice. Google it, photos of the skin grafts are online........

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Re: Cue the ClassAction lawsuits in 3... 2... 1...

        The Woman with the McDonald's coffee had third degree burns on her thighs and genitals

        McDonalds now serves lava? Probably not in polystyrene cups.

        1. SolidSquid

          Re: Cue the ClassAction lawsuits in 3... 2... 1...

          Quick check of the Wikipedia page, they were serving the coffee at 82C at the drive through, which is hot enough to cause third degree burns in 12 to 15 seconds, so that it would stay hot until people got home. The jury found that the woman was partially to blame, but the fact that McDonalds admitted they were selling coffee at a temperature which wouldn't be safe to drink meant that they held the majority of the blame (the compensation was adjusted based on the balance of blame)

          1. This post has been deleted by its author

          2. Cowboy Bob

            Re: Cue the ClassAction lawsuits in 3... 2... 1...

            Coffee is served at around 100C in my house as that's the temperature it leaves the kettle after it's finished boiling. Unless in the US water miraculously boils at lower temperatures I suspect it's the same over there too. Whole thing is a sad indictment of both the US education and legal systems.

            1. JeffyPoooh
              Pint

              Re: Cue the ClassAction lawsuits in 3... 2... 1...

              "Coffee is served at around 100C in my house..."

              You're doing it wrong.

            2. tony2heads
              Headmaster

              Re: Cue the ClassAction lawsuits in 3... 2... 1...

              Water boils at lower temperatures at high altitude. Much of New Mexico is about 2000m, where it would boil at 93C

              Sorry, but no icon for a pedantic science nazi

            3. Someone Else Silver badge
              Boffin

              @ Cowboy Bob -- Re: Cue the ClassAction lawsuits in 3... 2... 1...

              Unless in the US water miraculously boils at lower temperatures I suspect it's the same over there too

              Uhhh, Bob? Albuquerque, New Mexico, where the original incident occurred, has an elevation of 5312 ft. above sea level. (Up in the Heights, to the east of the airport, the elevation goes up to over 6100 ft.) At those altitudes, water actually does boil at a temperature below 100C

              Something about keeping quiet, and being thought a fool, as opposed to opening one's mouth and erasing all doubt, comes to mind. You might wanna consider that.

            4. Dana W

              Re: Cue the ClassAction lawsuits in 3... 2... 1...

              Third degree burns on her thighs and genitals. SKIN grafts. Stop protecting McDonalds. They were super heating the coffee so it would stay hot for carry out. It was going out boiling.

              10 thumbs down, really? Look at this. contains a photo. Look at these burns and tell me again.

              https://harmfuldruginfocenter.wordpress.com/2011/08/24/are-our-rights-preserved-hot-coffee-review/

              She had ten thousand dollars in medical bills. McDonald's offered her $800

              This was from that Hot Coffee. Don't look if you have a weak stomach. How hot does it have to be to do this?

              https://harmfuldruginfocenter.files.wordpress.com/2011/08/mcdonalds.jpg

              http://www.civil-injustice.com/wp-content/uploads/2013/03/stella1.png

              1. Destroy All Monsters Silver badge
                Holmes

                Re: Cue the ClassAction lawsuits in 3... 2... 1...

                Stop protecting McDonalds.

                If you can't handle the heat, don't drink coffee at McDonald's.

                1. Solmyr ibn Wali Barad

                  Re: Cue the ClassAction lawsuits in 3... 2... 1...

                  Disclaimer on a coffee cup: "Warning! Our coffee is so delicious that it may cause an addiction. Oh, and it's hot, too."

        2. Gazareth

          McDonalds now serves lava? Probably not in polystyrene cups.

          Nope, it's in the Apple Pies.

          1. Riku

            Re: McDonalds now serves lava? Probably not in polystyrene cups.

            Damn right, those things should be used to ignite fusion reactors.

    3. Daniel B.

      Re: Cue the ClassAction lawsuits in 3... 2... 1...

      California USA is already "sue happy" with regards to shit as lowball as being served a cup of hot coffee from McDonalds

      Bad example for a frivolous lawsuit; coffee so hot that it causes third-degree burns is a real hazard.

      1. Richard Jones 1

        Re: Cue the ClassAction lawsuits in 3... 2... 1...

        Selling a dangerous liquid to someone who did not know about hot liquids was a dereliction of a duty of care. Which UK care home or hospital managed that McDonalds site again?

    4. Anonymous Coward

      Re: Cue the ClassAction lawsuits in 3... 2... 1...

      You need to see the HBO film 'Hot Coffee' to get the truth about the McDonald's incident. After viewing it you'll change your mind about it. The truth has been twisted and spun out to make McD look like the victim. Lenovo will use the same PR outfit to sway public opinion.

    5. Hieronymus Howerd

      Re: Cue the ClassAction lawsuits in 3... 2... 1...

      You're an idiot.

      1. DavCrav

        Re: Cue the ClassAction lawsuits in 3... 2... 1...

        "You're an idiot."

        I think it's actually "your an idiot".

        1. keith_w

          Re: Cue the ClassAction lawsuits in 3... 2... 1...

          Actually it is "You are an idiot", which can be abbreviated as "You're an idiot" which you are.

          1. Anonymous Coward

            Re: Cue the ClassAction lawsuits in 3... 2... 1...

            That's a 'whoosh' right there

  6. Anonymous Coward

    They shot themselves in the head

    Metaphorically speaking. Lenovo is finished. It's just a matter of time. Even were everyone up the chain from the responsible team to the CEO to resign, they won't recover.

    It's also quite possible that "bloatware-free" will become a selling point for manufacturers, especially if Microsoft finally steps in and changes their licensing to prohibit it (which they might just do, given predictions of a declining market for PCs and the continued damage to their reputation from a continued parade of exploits).

    Lenovo's newly acquired server business (from IBM) may also suffer, as discounts on laptop and desktop machines are often used as a sweetener in enterprise server hardware agreements. That whole tie-in strategy could well become a millstone around the neck of server sales, which will accompany Lenovo's business down into the depths.

    1. Grade%

      Re: They shot themselves in the head

      "bloatware-free"

      Let us bow our heads and let our hair - those of us with hair of course; if your mien has floppy tentacles that's okay too - dangle toward our keyboards while we psychically project this thought upon an aetheric trajectory to light the minds of those who build and market the machines for our consumption.

      1. nematoad

        Re: They shot themselves in the head

        "...to light the minds of those who build and market the machines for our consumption."

        I couldn't agree more. That's why I am in danger of being perceived as an outdated stick-in-the-mud by never buying a laptop.

        In my desktop support days I dreaded getting a call from one of the lap-top owners on the site. The damned things were a nightmare to fix, any hardware problems were almost unfixable and actually getting into the guts of the thing wasted a lot of the user's budget and my time because they were so fiddly.

        Luckily, personally I have the knowledge and skills to be able to build my own desktops, that way I know what is in there and as a Linux user also what goes onto the HDD. I'm not saying that that is for everyone of course, but you do seem to pay a very heavy price for portability. The Motorola idea of a modular mobile is interesting, notwithstanding Jonathan Ive's ranting, I wonder if a modular laptop would be practical.

    2. Shadow Systems

      Re: They shot themselves in the head

      It is unlikely the Server side of Lenovo will suffer from the Consumer laptops being infected with a security threat on par with the Sony Rootkit debacle. Enterprise/Corporate purchasers don't buy the Consumer versions of the laptops, they buy the Business versions, and if you're buying Lenovo Servers then you've got the cash to tell Lenovo *EXACTLY* what software gets installed on those 1,500 new laptops you'll be acquiring.

      Business grade laptops purchased in your typical corporate purchase schema don't get a lot of cruft slapped on them, primarily because the people doing the buying have the power to say "Look, that program is crap. Don't include it or we'll take this purchase order somewhere else." If you're looking at a slip of paper potentially worth a million bucks in a single purchase order, you bend over backwards to make the customer happy so they'll give that paper/money to you rather than your competition.

      The Average Joe on the street buying a Consumer grade machine as a single unit purchase doesn't have the power that a Corporation with a million dollar purchase on the line does, so Average Joe gets the security flaws while the Corporation gets what they want, only what they want, and not a bit nor byte more.

      1. P. Lee

        Re: They shot themselves in the head

        Average Joe probably won't find the problem and if he does find it, he probably won't be making another purchase for five years or so anyway.

        Personally, I'd take the money and run. There will be sales on Lenovo kit and all the Linux guys will be happy to pick them up. As will anyone with an MSDN account.

        No-one does a clean install? That policy may cost you. It would have cost you before (being phished), it will probably cost you in the future (your PC may be more expensive). It will certainly cost Lenovo, but I don't think I'll let it cost me.

      2. Anonymous Coward

        Re: They shot themselves in the head

        The business machines may well be different and you may have some say over what gets installed however the comments from the CTO and CEO should be a MAJOR concern.

        "The software was preinstalled on a range of Lenovo's consumer laptops, a move Peter Hortensius, the firm's chief technology officer, admitted was a mistake. But he said that there were no security risks with using software which borks HTTPS."

        Any CTO who thinks that pre-installing a trusted root certificate which intercepts HTTPS and can access all your encrypted traffic including your banking information and is done by a company who you didn't really know what they were installing on your machines cannot be trusted to take security seriously on any device in their portfolio.

        "Normally Lenovo performs due diligence on all software it preinstalls but in this case the vetting procedure was not carried out well enough, he opined."

        How much vetting would it have required? Why not just ask Superfish for the exact details of what their software does?

        " Superfish is completely transparent in what our software does and at no time were consumers vulnerable - we stand by this today" Said their CEO

        Consumers were absolutely vulnerable, ridiculously so. If the CEO can't see this then that is even more worrying.

        I am in a really difficult situation as I have been initialising a project for the last 6 months and the plan is to use some Lenovo kit - a lot of work has been done around their devices. I am now really struggling with the upheaval that not using it would bring, but I am so reluctant to carry on with them after the statements they have been releasing.

        1. Pookietoo

          Re: I am now really struggling

          Why? Weren't you intending to wipe the hard drive and re-install to your own specification? Or do you think the firmware might be similarly compromised?

          1. Anonymous Coward

            Re: I am now really struggling

            "Why? Weren't you intending to wipe the hard drive and re-install to your own specification?"

            No that isn't really possible for this project (don't ask why). However that is not the point, the issue is that the trust and philosophy of a company is important and how highly they regard their customers.

            If the leadership cannot even understand that what they did could pose a security risk for their customers then what hope that they keep private keys secure or use best security practices for their systems or for remote support.

            For instance if their techs are not trained in best security practice and care regarding customer data what's to say a debug dump might not contain sensitive information that hasn't been sanitised and that that data isn't then treated with the respect it deserves? If Lenovo can't recognise security threats as blatant as this what hope is there that they recognise more subtle ones?

        2. Anonymous Coward

          Re: They shot themselves in the head

          I want to see somebody prosecuted over this. If open but unauthorized access to AT&T's HTTP sites is criminal, unauthorized access to the user's HTTPS sites sure should be as well.

      3. Solmyr ibn Wali Barad

        Re: They shot themselves in the head

        "It is unlikely the Server side of Lenovo will suffer from the Consumer laptops being infected with a security threat "

        Not directly. But with clueless people at the helm, they'll bork something in servers sooner or later. Remote management cards are a prime example here. Their security sucks industry-wide. The thought that it could get even worse isn't exactly comforting. Then there's management software that all vendors are so keen to push, often claiming that only their own shitware is supported for management purposes.

        Enterprise customers are able to identify threats, at least mostly, and put up a good fight. But small business just doesn't have means for it.

        1. hoverboy

          Re: They shot themselves in the head

          Yes. Exactly this. This was a colossal quality failure by their management chain and it should call into question all of their products. I was weaned back to Wintel from Apple on the back of W7 usability and Lenovo build quality, since when my go-to supplier has been Lenovo. Funnily enough, a technophobe friend was so p*ssed off with her macbook she insisted she wanted a windows laptop. I found her a sweet deal on an i7 Lenovo Yoga2. I didn't have time to do the usual crapware cleanup and lockdown I would do on my own machines and sure enough within a week it was a nightmare of popups; unusable. W8 has a GREAT feature of the easy reinstall without losing data. I did this, did a proper install and she's had no problems since.

      4. admiraljkb

        Re: They shot themselves in the head

        @Shadow Systems

        You are likely correct, since Lenovo consumer division uses different factories than Lenovo Business (formerly known as IBM's PC division) and they are pretty separate entities like all the various companies of Sony that operate independently. The last time I was dealing with doing first article inspections on OEM'd IBM servers with my previous company the former IBM PC division (Lenovo) was still in the same mfg floor as the IBM servers, but Lenovo consumer was NOT there.

        HOWEVER - since it all says Lenovo on the nameplate - it still gives you pause on buying the next bit of kit from them, regardless of if it's Lenovo consumer or business. Whether that is a long term pause, or short term will likely be determined by their actions in the next few weeks.

      5. Mephistro
        Flame

        Re: They shot themselves in the head (@Shadow Systems)

        people doing the buying have the power to say "Look, that program is crap. Don't include it or we'll take this purchase order somewhere else."

        Not all business grade computers are purchased by big quangos, and I'd dare to say that not even a majority of them are. Disclaimer: I don't know if they're actually adding crapware to systems sold to small/middle sized companies, as I haven't purchased or advised to purchase any Lenovo kit since the infamous brouhaha with the bubbling capacitors in the nineties.

        And yes, Microsoft 'should' forbid the installation of crapware in systems sold with Windows pre-installed, but I somehow doubt they will do that. Instead they seem likely to add their own layer of crapware and force it down the user's throat, the same they tried to do with Win8 and they'll apparently do with Win10.

        Fuck'em both with a shovel!

        1. Solmyr ibn Wali Barad

          @Mephistro

          "I haven't purchased or advised to purchase any Lenovo kit since the infamous brouhaha with the bubbling capacitors in the nineties."

          You what?! We're giving Lenovo a good bollocking for the things they do, but you managed to spoil the fun with just one sentence.

          - Lenovo was entirely unheard of in the nineties.

          - First capacitor plague started around 2000, low-esr.com had a good article about it in 2002. Basically, a good half of the Taiwanese cap production was rubbish because of badly copied chemical composition. Fascinating story, actually, if anyone can be arsed to look it up.

          - Second wave was a Chinese production in late 2000's. This time it included a lot of "mislabeled" caps (like having a 16uF cap in a bigger 47uF barrel), and counterfeits of the reputable names like Sanyo. Besides the usual noname business.

          - In both waves, affected caps ended up pretty much everywhere. In PSU's, monitors, motherboards, etc, all over the world.

          Well, besides these two major plague-like events, there have been lesser screw-ups every now and then. These are not so remarkable. It's quite easy to kill an electrolyte capacitor, if you don't leave a sufficient safety margin for it.

          1. Mephistro

            Re: @Mephistro

            Not to give too many details, but Lenovo was selling computers and mainboards under that brand since the nineties, in my country at least. They weren't very known or popular then, but they were there nonetheless. One of my customers was bitten by the above said trouble with capacitors and Lenovo and their resellers denied everything. And yes, it was due to defective capacitors. To put it short, we had to learn the truth by ourselves, by sending one of the affected mainboards to an electronic engineering firm.

            And yes, there was a similar outbreak -I think the one you refer to in your post- a few years later.

            And FYI, Lenovo was created in 1984 and started pushing their kit overseas sometime around 1992.

            1. Solmyr ibn Wali Barad

              Re: @Mephistro

              OK, if you really managed to encounter Lenovo products in the nineties... But no, I still cannot say "fair enough" about it. There was no infamous brouhaha back then. Capacitor failures have happened since their invention, for any number of underlying reasons. And an equipment vendor that'll repair things outside the warranty period is a rare sight. Must be a truly known and endemic issue (like it was in 200x) to get free service.

              15-20 years is a very long time. Technologies have changed, product lines have come and gone, companies have changed. For better or worse, as the case may be. By such absolutist standards we shouldn't buy anything from anybody, ever. Because I really can't name a worldwide brand where I haven't seen a blown capacitor. Must've replaced thousands of little buggers over time.

              1. Mephistro

                Re: @Mephistro (tl;dr)

                "There was no infamous brouhaha back then"

                You know that the word 'infamous' has several meanings, don't you? And I remember reading about this particular SNAFU in some computer magazine several months after the fact, and reading comments in forums during the 2000 outbreak of bad capacitors. So it wasn't the Capacitorgeddon, but neither was it a trivial matter.

                "Capacitor failures have happened since their invention, for any number of underlying reasons"

                Yeah, but if you see at least one of them -probably more- failing in every mobo served by a company, you can safely conclude that said company's quality testing process is crap.

                "And an equipment vendor that'll repair things outside the warranty period is a rare sight"

                Actually, the failures happened always in the first fortnight after purchase, with two systems being directly DOA. The replacement machines exhibited the same behaviour. The amount of work we had to do in order to move the data and reinstall the OS's was simply unbelievable.

                "Must be a truly known and endemic issue (like it was in 200x) to get free service."

                Not in Europe. And I thought that the USA had similar rules, but I might be wrong. The reseller finally took away the systems and reimbursed my customer, after receiving a copy of the technical report and letter from the company's lawyer.

                "15-20 years is a very long time..."

                Sure. But I operate following a simple rule: No company screws me twice, if I can prevent it. The incident related in TFA seems to hint strongly towards Lenovo's current management having the same philosophy the company had in the nineties.

                Seriously, the most infamous -or disgraceful, if you prefer- part about this incident is the way Lenovo tried to elude their responsibility. At first, they claimed the issue was caused by failures in the customer's leccy supply and/or the grounding. Luckily, the customer's electrical installation had been certified a few weeks before the purchase, so Lenovo and the reseller had to look for a different explanation.

                The next step was a meeting full of weaselspeak where they hinted -without saying it clearly- that the affected computers had been sabotaged. We had none of it, of course, and shortly after sent one of the units to an electronics firm for the forensic examination.

                After the events, I learned that other people had been having the same issues MONTHS BEFORE MY CUSTOMERS ORDERED THE MACHINES!!!

                When Lenovo acquired IBM's PC division, my first reaction was of incredulity and a lot of profanity. ;-)

                1. Solmyr ibn Wali Barad

                  Re: @Mephistro (tl;dr)

                  Thanks for sharing. Looks like you had a real scam pulled on you. Sorry for the doubts and geeky behaviour (hey, grab your keyboards, somebody seems to be wrong on the Internet! :-) )

                  This case wouldn't be any different between US/Europe. Refusal to fix DOA products is intolerable on either side of the pond. I assumed incorrectly that capacitors failed just outside the normal warranty, which is the most typical situation. And there it starts to depend on the context - is the problem widespread enough to justify a warranty extension, what's the cost/benefit ratio, is the component supplier willing to share costs, etc. Reputable names have done it occasionally. Albeit they don't advertise it outside the partner network. Public recalls are mostly for the safety-related issues like flaming batteries and dodgy power parts.

                  Anyhow, there's a saying that it's the ability to handle big screw-ups that separates boys from men. Some say even this is not enough - a real man has to cause a serious blunder first, then clean it up, and learn his lessons on the way.

                  Let's see how present-day Lenovo handles things. At first, CTO managed to pour oil on fire, but over the weekend, they pulled a U-turn. That's slightly better than the usual "you're holding it wrong" crap we've been accustomed to.

    3. Shannon Jacobs
      Holmes

      Which flavor of EVIL do you want today?

      I'm having trouble focusing on Lenovo as the primary culprit here. Yeah, they done wrong. They even done wrong in a big time way, but these days, it's just par for the course.

      Right now I'm hoping never to buy another Microsoft-infested machine. It was the end of so-called support for Windows 7 that finally blew my fuse. It's not as though the thing that Microsoft laughably calls support has ever been worth anything, but at least it was a nice theory. Okay, I'm exaggerating a bit. I think I actually have found some useful information there, but mostly I remember all the times when I found nothing but infinite loops. The feeling is 2% success, but it might have been as high as 10% averaging over the last couple of decades...

      Of course the punchline is that Microsoft is doing just fine. Terrible software is NOT a problem. Customer satisfaction? Pshaw. All you need is a EULA to disavow all responsibility and a sales strategy selling to the vendors, not the end victims.

      Sadly, maybe I'll have no other choice. The google has clearly gone to the EVIL side, and Chromebooks seem too limited anyway, whereas Apple has always been more of a fashion statement than an exercise of meaningful freedom... Ubuntu? Ah, that was a sad joke, though it might be the most "successful" of the Linux failed economic models. *sigh*

    4. 0laf

      Re: They shot themselves in the head

      MS already sell "Signature Edition" hardware which is marketed as "Bloat free"

      1. jason 7

        Re: They shot themselves in the head

        Unfortunately, the range available is rather small and uninspiring.

        However, it's a start.

        I'd like to see a video of Lenovo's CTO starting up one of their domestic laptops from out of the box and seeing how he enjoys the bloatware experience.

    5. Hieronymus Howerd

      Re: They shot themselves in the head

      > "Lenovo is finished"

      No. Because only a vocal handful of self-righteous, no-life geeks on an IT website even care.

      1. Anonymous Coward

        Re: They shot themselves in the head

        @Hieronymus Howerd

        So what are you doing making comments on this site then?

        Chump

      2. Anonymous Coward

        Re: They shot themselves in the head

        Like the ones who make IT purchasing decisions for Fortune 500 companies? We see those guys here sometimes.

    6. John Sturdy

      The resignations won't happen

      Resignation in response to this would be part of having ideas such as honour and responsibility; and if they had those, they wouldn't have done this in the first place.

  7. Neoc

    Superfish?

    "But in light of the Superphish case..."

    There - fixed that for you.

  8. Anonymous Coward

    It's not just Superfish

    It's not just Superfish. Lenovo laptops sold in Japan come with Baidu IME (software that allows you to type Japanese on a qwerty keyboard). Baidu is the Chinese equivalent of Google. I was tidying up a relative's PC when I noticed it, and was puzzled. Windows has its own perfectly acceptable IME software, so who would bother to write a pointless replacement?

    The answer came when I put a proper Firewall on the laptop. The Baidu IME software was trying to open a network connection every time you typed anything into a web page, passwords, the lot.

    So that got uninstalled very quickly.

    I'm not one to leap to conclusions and point, but there is a big problem with Internet banking fraud in Japan, originating mostly in China. And Lenovo sell a lot of laptops in Japan.

    The mindset revealed is astonishing. This wasn't even covert, the software's behaviour was plain as day to anyone willing to go looking for it. Who in their right mind would think that customers wouldn't notice and wouldn't care even if they did? It's the sort of thing that can wipe out entire markets, it's a helluva risk, yet they took that risk. Are they fond of Russian Roulette?

    The "maximum money now no matter the consequences" attitude will be their undoing. Consequences have a way of accumulating exponentially...

  9. Anonymous Coward
    Big Brother

    Brought to you by PLA Unit 61398

    1. Anonymous Coward

      PLA + IDF

      "Brought to you by PLA Unit 61398"

      To Chinese People's "Liberation" Army you might add Israel Defence Force alumni (authors of Superfish and Komodia).

  10. gollux
    Mushroom

    How not to do asymmetric key cryptography

    The private key is stored as a string in the adware program package software.

    Hey guys, the bank safe is uncrackable, don't worry.

    For ease of use, I just set the clock to allow 24hr entry, taped the combination knob key to the door and wrote the combination code on the front with a jumbo indelible felt marker.

    1. Daniel B.
      Joke

      Re: How not to do asymmetric key cryptography

      But ... but... it's a PKCS8 protected by encryption! By a password!

      And we stored the PEM file with the strings in reverse order so nobody will be able to read them even if they find them!
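
The thread above turns on a private key shipped inside the software package itself. As an added example (not from the article, the commenters or any vendor), this Python sketch shows how a defender auditing preinstalled software could flag PEM private-key blocks embedded in a binary, whether stored as ASCII or as UTF-16LE strings; the sample blob, its placeholder payload and all function names are constructed for illustration.

```python
import base64
import binascii
import re
from dataclasses import dataclass


def _either(literal):
    """Regex fragment matching `literal` as ASCII or UTF-16LE (char + NUL)."""
    return b"".join(re.escape(c.encode("ascii")) + rb"\x00?" for c in literal)


# Matches any PEM block whose label ends in "PRIVATE KEY": PKCS#8, encrypted
# PKCS#8 and the legacy RSA/EC/DSA labels. Certificate blocks do not match.
_PEM_KEY = re.compile(
    _either("-----BEGIN ")
    + rb"((?:[A-Z0-9 ]\x00?)*?" + _either("PRIVATE KEY") + rb")"
    + _either("-----")
    + rb"(.{0,16384}?)"
    + _either("-----END ") + rb"\1" + _either("-----"),
    re.DOTALL,
)


@dataclass
class Finding:
    offset: int      # byte offset of the BEGIN marker in the scanned blob
    label: str       # PEM label, e.g. "ENCRYPTED PRIVATE KEY"
    encoding: str    # "ascii" or "utf-16-le"
    encrypted: bool  # encrypted PKCS#8 label or legacy Proc-Type header
    der_len: int     # decoded payload size; 0 = payload is not valid base64

    def note(self):
        kind = "password-encrypted" if self.encrypted else "unencrypted"
        msg = f"{kind} {self.label} ({self.encoding}) at offset {self.offset}"
        if self.der_len == 0:
            return msg + ": markers only, payload is not valid base64"
        if self.encrypted:
            msg += "; if the program uses this key unattended, its passphrase ships too"
        return msg + "; every installed copy shares this key"


def scan(blob):
    """Return a Finding for each embedded PEM private-key block in `blob`."""
    findings = []
    for m in _PEM_KEY.finditer(blob):
        wide = b"\x00" in m.group(1)
        label = m.group(1).replace(b"\x00", b"").decode("ascii")
        body = m.group(2).replace(b"\x00", b"") if wide else m.group(2)
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy OpenSSL blocks carry "Proc-Type:" / "DEK-Info:" header lines;
        # ":" is not in the base64 alphabet, so it separates headers from payload.
        headers = [ln for ln in lines if b":" in ln]
        payload = b"".join(ln for ln in lines if b":" not in ln)
        try:
            der_len = len(base64.b64decode(payload, validate=True))
        except (binascii.Error, ValueError):
            der_len = 0
        encrypted = label.startswith("ENCRYPTED") or any(
            h.startswith(b"Proc-Type:") and b"ENCRYPTED" in h for h in headers
        )
        findings.append(
            Finding(m.start(), label, "utf-16-le" if wide else "ascii",
                    encrypted, der_len)
        )
    return findings


def build_sample():
    """Constructed stand-in for a program file; the payload is NOT a real key."""
    b64 = base64.encodebytes(bytes(range(48))).decode().strip()
    pem = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + b64 +
           "\n-----END ENCRYPTED PRIVATE KEY-----\n")
    cert = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    wide = pem.replace("ENCRYPTED ", "").encode("utf-16-le")
    return (b"MZ\x90\x00" + b"\x00" * 12 + cert.encode() + pem.encode()
            + b"\xff\xfe" + wide + b"\x00\x01")


if __name__ == "__main__":
    for finding in scan(build_sample()):
        print(finding.note())
```

A block whose payload fails base64 validation is reported with `der_len` 0, which separates real embedded keys from programs that merely contain the marker strings.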

  11. frank ly

    @Iain Thomson

    " ... It'll be sad to let go of my laptop when it reaches end of life, ..."

    My ten year old Acer Travelmate 8000 (15" 4:3 matte screen) was very much revitalised by an SSD drive with Linux (Mint) installed on it. It's now the computer (out of four that I have) that gets the most use. I'd recommend it, give it a try.

    1. Bronek Kozicki

      Re: @Iain Thomson

      I have 10yo Toshiba Portege, a very nice machine running Mint and new SSD with PATA interface. Agreed, it's a very nice way to revitalize an old machine, if only the screen was better.

    2. Fihart

      Re: @Iain Thomson Linux not terrible.

      After years of concluding that Linux was too beardy and incomplete, I was strongarmed by a friend into trying Peppermint (as far as I understand it, a Lubuntu spinoff that sort of combines local disk with cloud programs).

      I like it. Fast and works well (without driver issues !!) on the first two machines I tried. Failed on one with an Intel Mobile CPU (issue with CPU maximum memory addressing or something).

      It's not going to replace Windows yet for me, but is now on my internet browsing machine of choice. Here's hoping this really is the future, this time.

      1. Anonymous Coward

        Re: @Iain Thomson Linux not terrible.

        Zorin and Sparky Linux both have a nice GUI, as well.

    3. Alan Brown Silver badge

      Re: @Iain Thomson

      My 10 year old Tosh satellite is a shedload faster with a SSD in it too.

      The problem is that it still sucks 90W+, whilst newer boxes pull a lot less and aren't nearly as noisy/dusty

    4. Dave K

      Re: @Iain Thomson

      Similar idea here. I have a 5-year-old ThinkPad X201. With an SSD, a memory upgrade and a replacement keyboard, it's been completely re-vitalised. And it has a 16:10 screen unlike the 16:9 crap that Lenovo (and everyone else) insist on sticking onto all their computers these days. There's no reason why older laptops can't be easily revitalised with a couple of quick upgrades, then no new laptop is required - malware or otherwise.

    5. Hieronymus Howerd

      Re: @Iain Thomson

      > "four that I have"

      You must be a devil with the ladies.

    6. eulampios

      @frank ly

      Mint is fresh for me here too on an Asus laptop. I am quite happy with my Asus K53 and LMDE which has both cinnamon and mate desktops installed. I use the latter. It has i5 (dual core) on it and builds my Debian kernels from source for 45 minutes (ARM cross compilation takes only 10 minutes though). Barely ever get to the half of the 8 gigs o'RAM. A great Linux laptop it is.. perhaps only needs a new battery for now. Awaiting a replacement from ebay costing $14 for me.

      This is not a new machine (4-5 years now), however it's almost perfect for my needs. Came with UEFI option, while not active with Windows 7. Installing GNU/Linux was much more straightforward back then, can't comment on how the preinstalled Windows was bloated, though...

  12. Anonymous Coward

    I know I'll get downvoted to hell, but you don't get this sort of shit with Apple.

    Is any Windows PC safe to buy or are they all riddled with poorly written bloatware?

    1. nsld
      Paris Hilton

      of course

      You are ignoring the crapfest that is iTunes in that statement?

    2. Gant

      Yeah, I do have a Lenovo laptop in the family, had it shipped out with FreeDOS and installed Windows myself.

    3. Anonymous Coward

      Try one of the "boutique" vendors. I got my last laptop from Sager (they sell rebranded Clevo laptops) and I don't think it came with anything besides the OS and drivers. Those companies also have the benefit that you've heard of the companies that produce the parts in the machine. You're not getting some hardware that'll self-destruct in a year just to save the OEM 5¢. A lot of them have better options for hardware configurations and still manage reasonable prices.

    4. obrien

      lolwut? Apple weren't even validating SSL certs, arguably an even worse situation for the end-user.

      https://www.imperialviolet.org/2014/02/22/applebug.html

      1. Daniel B.
        Alert

        "lolwut? Apple weren't even validating SSL certs, arguably an even worse situation for the end-user."

        And yet, they issued an actual fix for that pretty quickly. Fixing the goto fail issue involved downloading the most recent update, while fixing SuperFish requires at least two actions, with at least one requiring the user to do advanced stuff (removing a root CA) by themselves.

    5. Wilseus

      "Is any Windows PC safe to buy or are they all riddled with poorly written bloatware?"

      Since a Windows PC is, by definition, running Windows, the answer to your second question is of course yes.

    6. Tim Almond

      Buy "business" laptops

      You don't get this shit with Apple because you pay a minimum of £749 for a laptop, and at that price, there's plenty of profit margin. If Apple tried to sell a £300 laptop, they'd be stuffing crapware on it too.

      It's really a problem that infests so much of life, that people buy on price rather than value. You can get a £379 Thinkpad Edge from Lenovo and at worst you can describe the pre-installed stuff as "maybe useful", like an Office trial, or a copy of Picasa. And they're solid machines. But a lot of people will look at that next to a £239 Dell Inspiron and go for the Dell.

    7. Greg D

      You don't get this sort of shit from Apple because there are no Apple OEM's.

      This is not Microsoft's fault per se. They didn't put this software in the image for Lenovo laptops, Lenovo did. Had they also been an Apple OEM and Linux OEM, they would have put the same or similar on those laptop images also.

      1. jason 7

        This is why I'm surprised Microsoft hasn't tried harder to stop the spread of bloatware on OEMs machines. The practice isn't doing Windows/Microsoft any good.

        It's like Ferrari producing a fine car and then the dealership slaps loads of cheap sun strips, fluffy dice, novelty horns, beaded seat covers and furry steering wheel covers on it.

        The moans from customers are rarely about Windows itself, it's the issues caused by old bloatware they have never dared remove.

    8. hoverboy

      Surface.

  13. Gant

    So why didn't they generate a new CA certificate on the client computer again? They clearly must've shipped with something to generate certs. That would've at least been semi-safe if the software does upstream certificate validation.

    1. Dave Harvey

      This is what Avast do when they MITM your https traffic - whilst I personally don't find that acceptable either, at least "per machine" fake CA certs don't come into the league of utter stupidity seen by Superphish.

  14. Captain Scarlet Silver badge

    If Lenovo have included this what has any of the other makers included

    Got my mum a cheap HP laptop at Christmas and actually only removed the crapware I could see (I didn't have a spare USB key at the time to burn the image to a device and reinstall the OS). May have to start checking for anything hidden such as this.

    1. Uncle Slacky Silver badge
      Windows

      Re: If Lenovo have included this what has any of the other makers included

      Always keep a copy of PC Decrapifier handy: http://www.pcdecrapifier.com/

  15. Anonymous Coward

    Used to be "policemen looking young"

    but now a sign of age is beginning to detect the true content of the offering, "waiter this salad contains a turd".

    I used to love the IBM Thinkpads.

    It's the wider technology mindset which allows this sort of "I didn't think it would matter!" slip.

    I just "upgraded"? to latest Android on my company phone and it was keen to report back all I do, keep track of who I connect with, locate me to a fine degree on the planet etc.

    For goodness sake fuck off, seriously.

  16. Neil Barnes Silver badge
    Stop

    What is it with advertisers?

    They seem to have acquired the mindset that anything I buy, anything I use, anything I watch, anything I even look at should be a channel for advertising.

    For things I don't need, want, or have any intention of buying.

    It's not difficult, boys. Advertising *doesn't* work; if it did, there'd be nothing on the shelves and we'd all have six cars. So stop buggering about trying to attract my attention because I don't have one.

    1. Destroy All Monsters Silver badge
      Headmaster

      Re: What is it with advertisers?

      "if it did, there'd be nothing on the shelves and we'd all have six cars"

      The goal of advertising is not to increase the available wealth of the target, but to have him allocate wealth differently than it would have been done otherwise.

      And seeing how people are in debt up to their eyesockets while still having three cars....

      1. Doctor Syntax Silver badge

        Re: What is it with advertisers?

        "The goal of advertising is not to increase the available wealth of the target, but to have him allocate wealth differently than it would have been done otherwise."

        And it's very effective. I quite frequently reallocate my business away from companies who pester me.

      2. P. Lee

        Re: What is it with advertisers?

        Of course advertising works:

        1) blanket advertising: the idea is to gain mind share and thus market share. i.e. buy cuke rather than pepsi, McDonalds rather than Burger King. Which brands have you heard about most? This is how x-factor et al work. The idea is not that they will make people buy who don't want it, but to exclude alternatives from the market, so someone in the market for teeny-pop doesn't go and buy the "wrong thing."

        2) Blanket advertising: to tip those "on the edge of purchasing" over into buying. Just before lunch? There will be a fast food advert for you to get you to a fast-food restaurant rather than make your own food. Nobody needs chewing gum, adverts won't tell anything new about gum, but the reminder is there to get gum-chewers to buy it.

        3) Brand positioning: This is the kind of person who drives an SUV. If you want to be this kind of person, you need an OUR SUV, not a hatchback and not an SUV for plebs.

        Tell a big enough lie often enough and people will accept it even if they don't consciously believe it. Without advertising, consumption would drop overall and there would probably be more new entrants into the market.

    2. Anonymous Coward

      Re: What is it with advertisers?

      Pretty sure it started as a way of funding a few websites with a banner advert then Google came along and applied the usual aggressive evil US style tactics to it.

    3. Anonymous Coward

      Re: What is it with advertisers?

      @Neil Barnes: This is the problem: "Advertising *doesn't* work"

      Some of the smarter advertisers know this. They know their jobs are less than worthless (in that a lot of advertising probably harms the brands being promoted), and built on a lie, and they're panicking, because their clients will find out, sooner or later. Advertisers and clients know consumers are getting fed up with the constant bombardment, but it's a race to the bottom.

      1. auburnman

        Re: What is it with advertisers?

        The problem is, advertising DOES work. Granted, it doesn't work 99.9% of the time, but that inane bombardment is the price we all pay for the 0.1%.

        The key is it only works where a decision was going to be made (or close to being made) anyway, e.g. I don't know what I'm having for tea tonight and I cannot be arsed making anything - oh hey, I've got a flyer from the new pizza place in my letterbox. Or - I really should invest in a new car soon - hey, the new VW Polo is under ten grand.

        To put it another way, advertising is temptation trying to find a moment of weakness. But because marketers know practically nothing about you for all their profiling and demographic 'work', the carpet bomb approach is all they have to go with at the moment. Which is why Facebook and Google are frantically trying to get you to give up every last piece of data about yourself - they are convinced there is a 'Holy Grail' of advertising somewhere in that information that will allow them to deliver ads only to eyeballs that are most likely to be receptive.*

        *Suddenly occurs to me this is why Google became one of the corporate Goliaths so quickly - you can't not tell Google about what you are interested in if you use their services because telling Google what you want is an inherent part of the search service. If I'm Googling around for a red bomber jacket, Google can't not discover I'm currently interested in clothes even if they wanted to.

      2. Tom 38

        Re: What is it with advertisers?

        This is the problem: "Advertising *doesn't* work"

        Some of the smarter advertisers know this. They know their jobs are less than worthless (in that a lot of advertising probably harms the brands being promoted), and built on a lie, and they're panicking

        Yes. Yes. Yes. Yes. No!

        They aren't panicking in the slightest. Although advertising is largely bollocks, the client doesn't know that and feels they have to compete with their competitor. It's nothing to do with the advertising company or the consumer, ad spend is driven by corporate fears of loss of business.

        As companies go to the wall, they will often spend more and more on advertising in some mad attempt to bring in more revenue.

        1. Cynic_999

          Re: What is it with advertisers?

          Of course advertising "works". You need laundry detergent. You have a choice of buying Persil or Brax. Which do you think most people would buy? Your baby needs feeding. Do you open a jar of Heinz baby food or Nubb baby food?

          You need a new HDD. Western Digital or Saamdal?

          A new car - Ford or Rulink?

          We all tend to choose the familiar over the unfamiliar for day-to-day products. Take a guess at why the familiar names have become so familiar.

  17. OliverJ

    What a remarkable piece of PR twaddle

    "Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping," Lenovo said in a statement on Thursday."

    Apparently, Lenovo ships about 30 million units p.a. Making the assumption that half of them are "consumer" notebooks, this "short window between September and December" translates into something like up to five million affected devices. Clearly, there is no need for immediate concern.

    I also like (not) how they describe "inserting unwanted ads" as "helping customers potentially discover interesting products while shopping".

    Having been a big fan of ThinkPads in the past, I'm quite worried by this. And not only by the incident itself, which seems to be distressing enough, but also by the meaningless or even misleading statements from their PR units. To regain consumer confidence, Lenovo needs to be fully transparent on this; own the problem, then own the solution. I'm quite disappointed.

  18. Anonymous Coward

    "Komodia is a computer security firm which makes software.... to break SSL encryption"

    And is this a security company???

    I can see legit use for that as long as you are inspecting your SSL sessions for some good reason, but an SDK sold to anybody doesn't look really a "security product", especially if it lets you alter the session.

  19. Mystic Megabyte
    Alert

    Laptop manufacturers take note!

    In the future I want the option to buy laptops that have NO hard drive. I do not want Windows or any other of your crap.

    1. Anonymous Coward

      Re: Laptop manufacturers take note!

      Except that I couldn't even buy a UK Lenovo a year or so ago which didn't come with Windows, let alone a disk, when the exact same model was available in Europe for a lot less.

      Having said that, I'm conflicted by this story, even though it only affected the consumer end of the market. The keyboard on the E145 on which I am typing this went berserk a few months back, and I steeled myself for the inevitable series of stumbling blocks the support line would place before me. Instead, I spoke to someone knowledgeable at the first step, who, within 5 mins, had arranged for a replacement keyboard. The keyboard arrived the following morning, by courier, who had driven from Greenock to our remote and rural location in north west Scotland.

      The moral of the story - it's the marketeers who should be moved to the B ark as soon as possible.

      1. Greg D

        Re: Laptop manufacturers take note!

        Let's face it. A keyboard issue is not exactly going to tax anyone's brain.

        The easy problems get good service. It's those slightly less obvious ones, where most customer service starts to fall on its face.

  20. Anonymous Coward

    Would reinstalling from a recovery partition fix this?

    Never having done this, does reinstalling the new machine from the recovery partition get rid of the bloatware? What about reinstalling from clean MS-derived media using the licence that came with the machine?

  21. Ralph B

    Reputation Recovery

    Now that they've trashed the reputation and saleability of their products, I wonder if Lenovo might consider selling their PC division to someone more professional and ethical? Someone like IBM perhaps?

  22. wyatt

    All my work PCs/Laptops have been built from an image we create. Never have I had one with the customer supplied OS/Software on it, why would you do it to your company?

  23. Anonymous Coward

    Lucky me

    I have a 7 year old Thinkpad; I rescued it from a bin some four years ago (it has scratches on its screen, not a problem at all for something you intend as a server especially since over ssh or VNC the scratches don't matter) and obliterated all traces of Windows, including recovery partition. Then installed Linux.

    Today it acts as my "dirt cheap home file server and P2P node". Not much storage but enough for the purpose. Thanks to Superfish, when the current one breaks I'll hopefully have some second hand Superfished Lenovos to choose from.

  24. Jon Green
    Mushroom

    The law?

    OK, I'm now a lawyer, but from my reading of the Act, it looks to me as if Lenovo, by knowingly installing what constitutes backdoors and password-snoop-capable malware into systems sold in the UK, without the buyers' knowing consent, may be in breach of sections 1, 2 and 3A of the Computer Misuse Act 1990.

    I think it's about time to get the National Crime Agency involved, and nail the relevant directors of Lenovo UK to the wall.

    1. Anonymous Coward

      Re: The law?

      I was wondering if anyone had flagged this to their bank as a phishing attempt. A few of the banks seem to have started to think about security properly, so you might raise some excitement there if you're trying to shake things up a bit. Presumably a side-channel handshake is the only protection against a wide-open PC?

      1. Cynic_999
        Joke

        Re: The law?

        "Presumably a side-channel handshake is the only protection against a wide-open PC?"

        Only if the judge is also a Mason.

    2. Peter Simpson 1
      Happy

      Re: The law?

      "...and nail the relevant directors of Lenovo UK to the wall."

      And the chance of that actually happening in your lifetime is...

      ...significantly less than your chance of winning big at the lottery.

  25. David Lawrence

    I won't be buying Lenovo or ASUS.....

    My wife's lovely touch-screen ASUS laptop has just failed yet again. It's the third time since she bought it WAAAAAY back in October 2013. Since then it's had a new hard drive and then a complete replacement motherboard....... which appears to have packed up just 4 months later. Appalling, and now out of warranty too. Never again. Four hundred smackers down the drain after just 16 months. I wouldn't mind but it's had very light use and has never been dropped or abused in any way. Piss poor.

    Because I like to fix PCs and Laptops, someone brought me yet another ASUS laptop last year and that too had total motherboard failure just a couple of months after the warranty expired. I'm still scanning Ebay in the vain hope that I can buy a cheap donor machine but no luck yet.

    I've seen way too many Dell and HP machines with motherboard failure (mostly to do with Nvidia GPUs I hasten to add).

    Looks like I won't be considering a Lenovo replacement as they appear to have just decided they don't much care for the home consumer marketplace with their rather unfortunate strategy.

    From experience Toshiba make the most reliable machines, but even those have suffered from failed power supply sockets..... a cheap part but a pain in the ass to replace. A severe case of penny-pinching when you consider how much punishment they take. Someone else used the term "race to the bottom" in their posting..... it would appear to be true, sadly.

    1. Peter Simpson 1
      Holmes

      Re: I won't be buying Lenovo or ASUS.....

      My advice?

      Quit buying consumer-grade cr@p from Best Buy, and look at off-lease commercial grade hardware.

      I've had good luck with Dell stuff, which is what we use at work. Not Inspiron, which is their consumer junk, but the mid-range Latitudes. I'm currently using an E6430, which is holding up quite well after 3 years.

      You don't want something too high-powered, because Dell do have a reputation for trying to cram too many BTUs into a poorly ventilated package, and their "high performance" video cards tend to become "no performance".

      Anyhow, that's what I use. And a mid-tower, which has multiple DVD drives and such, and is extremely well ventilated. Both, of course, run Linux Mint.

    2. Solmyr ibn Wali Barad

      Re: I won't be buying Lenovo or ASUS.....

      There are always examples and counterexamples. Asus U35 happens to be well-engineered. Had to take one apart after a domestic accident, it was a pleasant surprise. Still works, too.

      Basically, brand doesn't mean much, all mentioned companies have produced lemons every now and then.

  26. Anonymous Coward 101

    'Normally Lenovo performs due diligence on all software it preinstalls...'

    'How many pennies are they giving us?'

  27. simon gardener

    No, you need to do less

    "...and we realized we needed to do more."

    No, you need to do less. For example, try not accepting money to install crapware on computers.

  28. Anonymous Coward
    Anonymous Coward

    "It'll be sad to let go of my laptop when it reaches end of life,"

    Not after you see the poor chiclet keyboards they're now fitted with. My T530 makes me miss my T41.

  29. Obvious Robert

    Linux friendly

    Hmmm... when I bought my daughter a Lenovo G50-70 for Xmas, it was chosen specifically because it was one of the few easily available £300ish laptops that was Linux friendly with a minimum of fuss. Said daughter wanted a laptop she could use to dual boot Windows (for League of Legends) and Mint (for everything else) and I think that machine turned out to be the only one in the price range that had basic requirements like allowing the secure boot to be disabled, out-of-the-box driver compatibility, separate left + right click buttons so you can click both to simulate a middle click, etc.

    Much as I'm annoyed by Lenovo having done this, I have to admit that faced with the same choice again, if the other manufacturers are going to create arbitrary obstacles which outright prevent me from choosing which OS I want on a machine that I own, I'd have to go for the same model again. Sadly we as consumers are getting increasingly less choice in this area as time goes on. And look at it this way, Lenovo won't dare do it again now, will they?

  30. Anonymous Coward
    Anonymous Coward

    Lenovo did (almost) nothing wrong

    In a way, they just forgot to pretend the Emperor is wearing clothes.

    Ok, so this is actually a massive fail for them, but as I see it the real lesson that should be taken off this is that the hierarchical topology of the X509 public key infrastructure (that's the Emperor I'm referring to) is a terrible fit for the Internet and should a priori never be trusted.

    Just take a look at the list of CAs that comes by default with any browser installation and tell me you actually trust every one of those.

  31. Someone Else Silver badge
    Mushroom

    Discover THIS!

    "Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping," Lenovo said in a statement on Thursday.

    Hey, Lenovo! If I want to "discover interesting products", I can do that myself without your help, assholes...isn't that what Google is for?

    The only unanswered question was posed by John BonerBoehner: "What I want to know is, who's going to jail?"

    Fuckheads!

  32. cortland

    Is it coincidence that

    ... this is the sort of access (AND source code, please) the PRC government is now insisting American manufacturers provide for products sold there? Or that many if not most of those "American" products (and parts for all the rest) sold **outside** the PRC are probably made in the factories that will do the dirty-work?

  33. Peter Simpson 1
    Big Brother

    Cui bono?

    Superfish's developers may have got their code. Komodia is a computer security firm which makes software called SSL Digestor, which works in a very similar way to Superfish to break SSL encryption and inject advertising.

    My idle mind wonders if there isn't a fourth party involved in this debacle...an advertising provider, would be my guess, who made a deal to obtain what appears to be an image search engine from Superfish (whose website doesn't indicate that they're a platform for ads) and an ad-insertion mechanism from Komodia (whose website doesn't indicate that they're in the ads business, but does give off a slightly creepy vibe), and combined them with a view towards making money by having Lenovo install it for them, and then serving ads through it.

    Just wondering how deep the rabbit hole goes here.

  34. shaolin cookie

    So which laptop then?

    I was about to order an X1 Carbon before this debacle, and still need a new laptop. I like the trackpoint, but might learn to live without one. Any recommendations for a high end ultrabook for Linux use? Light weight and good battery life matter.

    1. Anonymous Coward
      Anonymous Coward

      Re: So which laptop then?

      I too had my hand in my pocket for a T440s.. no more. But what's the alternative.

  35. ecarlseen

    It's perfectly easy to buy a bloatware-free computer.

    Just walk into an Apple store. Haters can flame away, but you get a UNIX-like OS with free upgrades, no crapware, and well-designed hardware. You get what you pay for.

  36. launcap Silver badge
    FAIL

    Never impute to malice..

    .. what can easily be explained by stupidity.

    Let me explain the thought process:

    Superfish contacts someone in the Lenovo marketing department with a wizard scheme for making them both money. They'll put a little bit of harmless software on the laptop that will watch people browsing and work out how to target adverts better. Superfish make money selling the software, Lenovo get a share of the extra ad revenue.

    Nothing excites a marketing exec more than the prospect of extra money with zero effort so (with great aplomb and an infinite lack of technical knowledge) the deal is done.

    Doubtless someone in the technical side of Lenovo protested that this was a very very very (repeat to the n+10 power) bad idea, but the siren call of free dosh drowned them out.

    Fast forward and it all comes out: the software is neither harmless nor safe (as well as being a blatant privacy violation) and you can hear the sound of butts being covered all the way up to the top. Doubtless, someone on the technical side will get slapped around for not preventing it (and the email archives will mysteriously get eaten by some advanced data-rot) and the head of marketing will have to curtail their next round of official bonuses (although the flow of small brown envelopes will continue).

  37. Marty McFly Silver badge
    FAIL

    My last Thinkpad

    Thinkpad 600x. Thinkpad A20P. Thinkpad T30. Thinkpad T61P. Thinkpad W530. These are all my old friends who have traveled, worked, and collaborated with me over the last 15 years.

    I am sad to see Lenovo so willingly violate the trust of their customer base. Today it was only adding stuff to pre-built machine images. What will they do tomorrow? Add it to the drivers so that even if I nuke & pave the machine they are still violating me?

    It is a shame that trust, so difficult to earn, is so easily thrown away. I don't see how Lenovo can regain my trust, but I do hope they will try. And it will take more than words of denial to do so.

  38. Florida1920
    Terminator

    Lenovo dead?

    I don't think so. The Independent is the only consumer-oriented news source on the first page of a Google search for "lenovo malware." Forbes and CNNMoney have articles, but does the average PC buyer read them? ThinkPads, darlings of the business community, were spared. Even if Bob Bloke reads about the "firestorm," we've all dealt with enough non-techies to know they have a short memory span, and don't understand what such malware does anyway.

    While I agree that Lenovo should be subject to the BOFH's cattle prod for this, I think speculation on their imminent plunge off the cliff as a result is greatly exaggerated. And we probably can assume Lenovo will be more careful in the future. They execute incompetent business managers in China. Not that the other PC mfrs will learn from this. Lenovo could, by default, become the laptop source of choice.

    1. keithpeter Silver badge
      Windows

      Re: Lenovo dead?

      @ Florida1920

      "The Independent is the only consumer-oriented news source on the first page of a Google search for "lenovo malware.""

      Print edition of the Financial Times this morning: teaser on front page with continuation towards the back. Hint: this is the one the MD and accountant read. Front page below the fold on BBC with link to Technology article. Hint: this is the one your MP/councillor/non-exec Director/School governor reads.

      Corporate channel managed kit not affected but perceptions will suffer methinks...

  39. The Vociferous Time Waster

    Oh come on

    all this chat about McDonalds when we could be making the ' "something something super fish something" nah you mean "something something super phish something" there I fixed that for you' joke

  40. Anonymous Coward
    Anonymous Coward

    so long

    loved the x series but the new keyboard and keyboard layout plus mediocre screen resolution on the x240 made me think twice. superfish puts the nine inch nails into my lenovo budget

  41. beatle

    watch out for computrace

    lenovo also installed computrace, which makes it possible to track & trace you and your laptop. it is in the bios.

    watch out for that too.

  42. Camilla Smythe

    In The Beginning Was..

    https://www.youtube.com/watch?v=8ALdL8oV_sY

    Then someone discovered 'The Long Tail'....

    http://i.imgur.com/xkXW2Va.png

    and invented X-Factor....

    https://www.youtube.com/watch?v=8ALdL8oV_sY

    Fortunately you, as a commentard, can vote for a Politician in order to get crap such as this sorted out.

    http://i.imgur.com/xkXW2Va.png

    Oh Dear...

  43. eulampios

    Mint tastes good

    Lenovo should speedily reach out to linuxmint.com to become their partners. Start offering, at least as an option, a preinstalled Linux Mint/LMDE on their machines to sort out all the mess they've created while working with their current partners. I would consider buying it then...

  44. Anonymous Coward
    Anonymous Coward

    This is nothing new. We are to blame, right?

    Well, how else can these PC manufacturers offer cheap desktop and laptop PCs to the average joe? We're just a greedy bunch that has forced PC prices down to what they are. People complain about how expensive Macs are, so we resort to PCs filled with crapware to the brim just because they're a lot cheaper! If you want bloat-free PCs, then pay the price.

  45. zen1

    Idiots

    If the stupid douche bags were so damn concerned about their users and the whole user experience I doubt quite seriously if they would have been that ignorant, malicious or arrogant to install such a shit bag application. FFS, they could have at least given the user the option.

  46. GrumpenKraut
    FAIL

    $shitlist += "Lenovo"

    Just that.

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: $shitlist += "Lenovo"

      You will find that you should have written

      push($shitlist,"Lenovo");

  47. briesmith

    Shat on for Years

    This isn't new; this isn't restricted to Lenovo or the computer business.

    The corporate world lost its way many years ago.

    Confusion marketing; where packages are assembled with so many variables which only slightly differ it's impossible to do meaningful comparisons.

    Bundling where you can only have the product or service you actually want if you buy a whole lot of stuff you don't.

    Contracts which tie you in for so long it's almost impossible to remember to end them.

    "Loyalty fucking" where anybody who renews a contract takes it up the arse while new customers get a free blow-job.

    "No you don't" purchasing where you think you've bought something - a copy of Windows, say - only to find out you haven't, you've only rented it or you can only use it in months with an R in them or some other similar shit.

    I'm sure Reg readers can think of many more practices which can't stand the light of day.

  48. DrXym

    Stop lying Lenovo

    "Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping,"

    Er no Lenovo. It was included because you sought to profit by inflicting crapware / adware / spyware on your customers. You're not alone in doing this - vendors like HP, Dell etc. preinstall crap because a substantial percentage of users will never remove it. You just took it one sleazy step further.

    It's very simple to fix. Do not install anything except Windows. If you absolutely must, put some programs in a single folder and allow people to electively install them. It's not hard.

  49. Oh Homer
    Big Brother

    Am I the only one who noticed?

    Lenovo's malware partner is a "former Israeli intelligence agent".

    That elevates this infraction from mere spam to a matter of national security.
