Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Saturday February 21 2015, @03:46PM   Printer-friendly [Skip to comment(s)]
from the fishing-for-answers dept.

Reuters reports that the US Department of Homeland Security has advised Lenovo customers to remove "Superfish" software from their computers. According to an alert released through its National Cyber Awareness System, the software makes users vulnerable to SSL spoofing and could allow a remote attacker to read encrypted web browser traffic, spoof websites, and perform other attacks on Lenovo PCs with the software installed.

Lenovo inititally said it stopped shipping the software because of complaints about features, not a security vulnerability. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement to Reuters early on Thursday. On Friday, Lenovo spokesman Brion Tingler said the company's initial findings were flawed and that it was now advising customers to remove the software and providing instructions for uninstalling "Superfish". "We should have known about this sooner," Tingler said in an email. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on."

[Editor's Note: For background information on this threat, Ars Technica has coverage here, here, here, and here.]

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by Phoenix666 on Saturday February 21 2015, @04:14PM

    by Phoenix666 (552) Subscriber Badge on Saturday February 21 2015, @04:14PM (#147790) Journal

    Homeland Security is Exhibit A for how the First American Republic jumped the shark. $41.2 billion annual budget to tell the American people that Superfish is bad, after every other party in the world has already said Superfish is bad. What's next, geniuses, jumping in to tell us that smoking kills? How about that jaywalking across the Dan Ryan is hazardous to your health, or that North Koreans are mean?

    The whole department is a creature from Kafka's worst nightmare, a make-work program for degenerates, drooling fiends, and gibbering goons--the very dregs of 21st Century American decrepitude.

    Defund Homeland Security, tell its members to self-deport, and strike its very name, an obscenity, from the history books. Un-make it.

    --
    Washington DC delenda est.
    • (Score: 5, Insightful) by frojack on Saturday February 21 2015, @05:53PM

      by frojack (1554) Subscriber Badge on Saturday February 21 2015, @05:53PM (#147821) Journal

      Hey: Homeland Security:

      Where are the instructions for removing spyware from our hard disk controllers?

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Interesting) by davester666 on Sunday February 22 2015, @08:31AM

        by davester666 (155) on Sunday February 22 2015, @08:31AM (#148033)

        It isn't spyware if it was placed there by your benevolent government. It is there to help you prove your innocence.

    • (Score: -1, Offtopic) by Anonymous Coward on Saturday February 21 2015, @06:46PM

      by Anonymous Coward on Saturday February 21 2015, @06:46PM (#147839)

      NK's aren't mean. Their psychotic leader is mean.

    • (Score: 4, Insightful) by c0lo on Saturday February 21 2015, @11:08PM

      by c0lo (156) Subscriber Badge on Saturday February 21 2015, @11:08PM (#147918) Journal

      Defund Homeland Security, tell its members to self-deport

      As aliens as they seem, the great majority of them - if not all - are US citizens, thus deportation [findlaw.com] is not possible.

      As for exporting them or their by-product [wikipedia.org], we'd rather prefer that you actually manage them locally instead of polluting other places.

      Signed: the rest of the world

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0
  • (Score: 5, Funny) by RobotMonster on Saturday February 21 2015, @04:42PM

    by RobotMonster (130) on Saturday February 21 2015, @04:42PM (#147802) Journal

    See, this is why letting the government infiltrate everything is a good idea. If it weren't for the NSA looking out for our security, stuff like this would happen.

  • (Score: 5, Insightful) by chperry01 on Saturday February 21 2015, @04:50PM

    by chperry01 (5094) on Saturday February 21 2015, @04:50PM (#147804)

    Even if you remove the Superfish crapware from your PC it will still exist in the Restore partition. So if you ever need to do a system restore you get the crapware. It is time PC makers started providing restore media with the machines that includes a clean install of the operating system, a driver disk, and a separate crapware disk.

    • (Score: 4, Interesting) by frojack on Saturday February 21 2015, @06:30PM

      by frojack (1554) Subscriber Badge on Saturday February 21 2015, @06:30PM (#147834) Journal

      Even if you remove the Superfish crapware from your PC it will still exist in the Restore partition. So if you ever need to do a system restore you get the crapware.

      Well, since Microsoft Security Essentials removes it automatically, and MSE is installed by default, you might actually NOT get it back when you re-install.

      Besides, that restore partition dies with the rest of the disk, and disk failure is the usual reason you'd ever need that partition. So I agree we should go back to requiring a DVD rather than an install partition, but I don't see the re-introduction as an insurmountable problem.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 2) by fritsd on Saturday February 21 2015, @07:03PM

      by fritsd (4586) on Saturday February 21 2015, @07:03PM (#147849) Journal

      What is a Restore partition?? (serious question)

      • (Score: 4, Informative) by frojack on Saturday February 21 2015, @08:19PM

        by frojack (1554) Subscriber Badge on Saturday February 21 2015, @08:19PM (#147876) Journal

        The actual name is usually a Recovery Partition.
        http://www.pcadvisor.co.uk/how-to/laptop/3462995/factory-reset-laptop/ [pcadvisor.co.uk]

        See also http://en.wikipedia.org/wiki/Recovery_disc#Recovery_partitions [wikipedia.org]

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 1) by anubi on Sunday February 22 2015, @06:19AM

          by anubi (2828) on Sunday February 22 2015, @06:19AM (#148005) Journal

          Frojack... I followed your link and found this text which I found rather troubling...

          In general this will work for Windows 7 and previous versions but Windows 8 laptops will typically have a recovery application which is launched from within Windows so check your app menu.

          Ummm, I probably need that recovery disk because Windows won't work.

          Right now, I am using "Clonezilla", with one of those Western Digital "Element" USB drives It seems to work, albeit I have never had to restore from it. Anyone here had any experience with it?

          Admittedly I have about as much trust in my computer as I have in a whore. She's beautiful, but I can't trust her. I am always wondering what she is doing behind my back. I am afraid to leave her unsupervised, because at the weirdest times her CPU and memory use max out and I have no idea whose plans she is carrying out... all I can do is reboot her and hope she forgets what she was doing. I read daily of all of her really bad boyfriends on the 'net who are always calling her up to coax her to screw me up for them. Seems the only way to keep them from calling her is to pull the RJ45. It really surprises me businesses tolerate this kind of crap in their machines.

          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
          • (Score: 3, Informative) by TheRaven on Sunday February 22 2015, @09:50AM

            by TheRaven (270) on Sunday February 22 2015, @09:50AM (#148049) Journal

            Ummm, I probably need that recovery disk because Windows won't work.

            The Windows bootloader will automatically boot from the recovery partition if Windows fails to boot a couple of times. It's also there as an option in the boot menu (not sure if you need to hold a key to make this appear).

            --
            sudo mod me up
      • (Score: 1, Informative) by Anonymous Coward on Saturday February 21 2015, @08:21PM

        by Anonymous Coward on Saturday February 21 2015, @08:21PM (#147878)

        What is a Restore partition?? (serious question)

        It's a small partition on the hard drive that ships with many Windows computers these days whose sole purpose is to restore your main partition (e.g., your C: drive) to its original state when the computer shipped. This is done by the computer manufacturers because:
        - they are too cheap to supply an actual restore CD/DVD.
        - they want to prevent a customer from wiping the factory installed crapware off their hard drive and reloading from clean media.
        - they want to be able to reinstall their crapware no matter what happens to your computer (except for when your hard drive fails).
        - they want to charge you to get a restore disk when your hard drive fails (if your hard drive fails then your restore partition goes with it *because they are on the same physical disk*).

        For those of us running Linux a restore partition is something memes are made of.

  • (Score: 2, Funny) by Lunix Nutcase on Saturday February 21 2015, @05:04PM

    by Lunix Nutcase (3913) on Saturday February 21 2015, @05:04PM (#147809)

    Superfish? Is that some Windoze crapware?

    • (Score: 5, Funny) by jasassin on Saturday February 21 2015, @05:34PM

      by jasassin (3566) <jasassin@gmail.com> on Saturday February 21 2015, @05:34PM (#147814) Journal

      Superfish? Is that some Windoze crapware?

      Watch out! You are bound to summon HairyFeet and we'll all have to listen to his sermon on the Ubuntu Amazon lens fiasco... again.

      --
      jasassin@gmail.com Key fingerprint = 0644 173D 8EED AB73 C2A6 B363 8A70 579B B6A7 02CA
      • (Score: 3, Interesting) by nightsky30 on Saturday February 21 2015, @06:49PM

        by nightsky30 (1818) on Saturday February 21 2015, @06:49PM (#147843)

        Do you have to say the name 3 times?

        I was not very happy with Amabuntu either, but I think this is worse.

      • (Score: 0) by Anonymous Coward on Monday February 23 2015, @04:54AM

        by Anonymous Coward on Monday February 23 2015, @04:54AM (#148312)

        Watch out! You are bound to summon HairyFeet

        He won't have the courage to pop up here. He's been shilling for Comodo for decades and they've been busted doing the same thing.

        https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html [hboeck.de]

    • (Score: 2) by TheRaven on Sunday February 22 2015, @09:52AM

      by TheRaven (270) on Sunday February 22 2015, @09:52AM (#148050) Journal
      It's an impressively named product: something that enables phishing scams on a huge scale. The most shocking thing about this whole affair has been how honest they were in their branding - I'd assumed that superfish was its malware designation, not its marketing name...
      --
      sudo mod me up
  • (Score: 4, Interesting) by fritsd on Saturday February 21 2015, @05:21PM

    by fritsd (4586) on Saturday February 21 2015, @05:21PM (#147811) Journal

    The U.S. government on Friday advised Lenovo Group Ltd customers to remove a "Superfish," (...)

    (emphasis mine)

    In every other country, the government would just advise the consumers to return the defective computer to their retailer for a full refund, and the retailer to the malicious seller (including postage and transport insurance) -- or else revoke that seller's license to sell in that country.

    Doesn't the USA have consumer laws? I thought it was a capitalistic country?

    If Toyota accidentally sells cars with dodgy brakes in the USA, does the U.S. Department of Road Traffic (don't know what it's called) provide the consumers with a list of instructions how to remove the dodgy brake, and a link to Alibaba.com to order a replacement one?

    Bullshit, those cars are recalled, it's the problem and responsibility of the seller to sell functioning wares.

    A car with dodgy brakes is worse than no car, and a PC that makes your bank and social security logins world-readable is worse than no PC.

    • (Score: 5, Informative) by Anonymous Coward on Saturday February 21 2015, @06:03PM

      by Anonymous Coward on Saturday February 21 2015, @06:03PM (#147825)

      I'm in the US, and your car analogy is spot on.

      My Toyota had 5 recalls last year. Toyota decided to only fix two of them (one that causes the airbags to not deploy, and one that causes the front seats to come free of the floor in an accident-- nice combo). One of the ones they decided not to fix unless it is already broken / breaks before 100K miles is a bolt that holds the suspension together. Presumably, our government was OK with this decision.

      We *are* a capitalist country. That is the problem. Capital has complete control of *everything* in this country. There is a silly ritual of voting for pre-selected (by money) candidates periodically, but it is all sham. The U.S. elite have achieved Mussolini’s ideal of fascism.

    • (Score: 5, Interesting) by frojack on Saturday February 21 2015, @06:06PM

      by frojack (1554) Subscriber Badge on Saturday February 21 2015, @06:06PM (#147827) Journal

      Returning Computers to the store is WORSE advice than taking your car in for a recall.

      You're suggesting everyone who purchased a Lenovo hand all their data to some local retailer, who in turn hands it over to Lenovo, which is located in China. Nice windfall for them. Customer is left without both their data AND their computer. Thanks a lot buddy.

      Fortunately the Government isn't that stupid, and knows that removing all traces of sensitive data from a computer is a tougher job then the average housewife can handle, and doesn't make such silly mandates.

      The automatic removal tool and/or the manual removal steps [lenovo.com] are simple enough, and Microsoft Security Essentials (which also comes pre-installed) will remove it for you.

      A nice fat fine for Lenovo is all that is required here.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by fritsd on Saturday February 21 2015, @06:56PM

        by fritsd (4586) on Saturday February 21 2015, @06:56PM (#147847) Journal

        Hm.. good point.. to continue the car analogy, it is advised to first take your child out of the car before you bring the latter to the garage for recall. Unfortunately your computer doesn't protest as loudly when you bring it back to the shop where you bought it.

        And one of the first things you'd want to do with a new computer is put all the stuff from the old computer on it, so what you describe is probably quite common.

        So what's the solution? Some local company that specializes in trusted wiping of computers? (Fee to be sent to Lenovo) and then return it to the retailer?

        • (Score: 2) by frojack on Saturday February 21 2015, @07:08PM

          by frojack (1554) Subscriber Badge on Saturday February 21 2015, @07:08PM (#147851) Journal

          The solution was pointed out in my first reply. Maybe re-read that?

          Remove the malware, and get on with your life.

          --
          No, you are mistaken. I've always had this sig.
        • (Score: 3, Interesting) by JNCF on Saturday February 21 2015, @08:14PM

          by JNCF (4317) on Saturday February 21 2015, @08:14PM (#147875) Journal

          Well if we're going to be statists about the thing, the recall could simply instruct consumers on how to remove their hard-drives. I don't know how difficult that would be on the affected models, but on my ThinkPad it's about as difficult as swapping out batteries on a normal consumer device. You'll need a screwdriver, but it's a world of difference from trying to wipe the thing clean before returning it. Let Lenovo eat the cost of not getting their hard-drives back.

    • (Score: 1, Funny) by Anonymous Coward on Saturday February 21 2015, @08:25PM

      by Anonymous Coward on Saturday February 21 2015, @08:25PM (#147880)

      Doesn't the USA have consumer laws?

      Yes, but generally the corporations are the "consumers" protected by the laws passed by the US government. This is a totally reasonable definition of "consumer" seeing how most companies are giving money to the legislators for these laws.

  • (Score: 5, Insightful) by doublerot13 on Saturday February 21 2015, @06:37PM

    by doublerot13 (4497) on Saturday February 21 2015, @06:37PM (#147837)

    Breaking SSL sessions is hacking. This is a clear violation of the CFAA. The CEO and board of Lenovo should be arrested and charged with this violation.

    And all of this is before the civil suits...

    ...at least if corporations really are people and all...

    • (Score: 2) by TheRaven on Sunday February 22 2015, @10:09AM

      by TheRaven (270) on Sunday February 22 2015, @10:09AM (#148055) Journal
      The board of Lenovo is likely to be in China and difficult to get at. Superfish, however, is based in Palo Alto and is well within US jurisdiction.
      --
      sudo mod me up
  • (Score: 1, Interesting) by Anonymous Coward on Monday February 23 2015, @01:40AM

    by Anonymous Coward on Monday February 23 2015, @01:40AM (#148282)

    Let's revisit the SONY BMG ROOTKIT for a moment, and read/listen to a quote from Thomas Hesse:

    "Most people don't even know what a rootkit is, so why should they care about it?" - Thomas Hesse, President, Global digital business, Sony BMG

    http://www.f-secure.com/weblog/archives/they_dont_know_so_why_should_they_care.wav [f-secure.com]

    http://www.f-secure.com/weblog/archives/00000703.html [f-secure.com]