Hugh Pickens writes:
Reuters reports that the US Department of Homeland Security has advised Lenovo customers to remove "Superfish" software from their computers. According to an alert released through its National Cyber Awareness System, the software makes users vulnerable to SSL spoofing and could allow a remote attacker to read encrypted web browser traffic, spoof websites, and perform other attacks on Lenovo PCs with the software installed.
Lenovo inititally said it stopped shipping the software because of complaints about features, not a security vulnerability. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement to Reuters early on Thursday. On Friday, Lenovo spokesman Brion Tingler said the company's initial findings were flawed and that it was now advising customers to remove the software and providing instructions for uninstalling "Superfish". "We should have known about this sooner," Tingler said in an email. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on."
[Editor's Note: For background information on this threat, Ars Technica has coverage here, here, here, and here.]
Homeland Security is Exhibit A for how the First American Republic jumped the shark. $41.2 billion annual budget to tell the American people that Superfish is bad, after every other party in the world has already said Superfish is bad. What's next, geniuses, jumping in to tell us that smoking kills? How about that jaywalking across the Dan Ryan is hazardous to your health, or that North Koreans are mean?
The whole department is a creature from Kafka's worst nightmare, a make-work program for degenerates, drooling fiends, and gibbering goons--the very dregs of 21st Century American decrepitude.
Defund Homeland Security, tell its members to self-deport, and strike its very name, an obscenity, from the history books. Un-make it.
Hey: Homeland Security:
Where are the instructions for removing spyware from our hard disk controllers?
It isn't spyware if it was placed there by your benevolent government. It is there to help you prove your innocence.
NK's aren't mean. Their psychotic leader is mean.
Defund Homeland Security, tell its members to self-deport
As aliens as they seem, the great majority of them - if not all - are US citizens, thus deportation [findlaw.com] is not possible.
As for exporting them or their by-product [wikipedia.org], we'd rather prefer that you actually manage them locally instead of polluting other places.
Signed: the rest of the world
Can't we exile them to Botany Bay?
Prime real-estate zone (over half-a-mil for a 2 bedroom, 1 bathroom, 71sqm [realestate.com.au] apartment)? Are you sure you want to punish them?
Or did you have the equiv of a golden parachute in mind, for their services?
No, mate, no. Better put them in road maintenance, surely you have lot of roads that need their pot-holes filled
See, this is why letting the government infiltrate everything is a good idea. If it weren't for the NSA looking out for our security, stuff like this would happen.
Even if you remove the Superfish crapware from your PC it will still exist in the Restore partition. So if you ever need to do a system restore you get the crapware. It is time PC makers started providing restore media with the machines that includes a clean install of the operating system, a driver disk, and a separate crapware disk.
Even if you remove the Superfish crapware from your PC it will still exist in the Restore partition. So if you ever need to do a system restore you get the crapware.
Well, since Microsoft Security Essentials removes it automatically, and MSE is installed by default, you might actually NOT get it back when you re-install.
Besides, that restore partition dies with the rest of the disk, and disk failure is the usual reason you'd ever need that partition. So I agree we should go back to requiring a DVD rather than an install partition, but I don't see the re-introduction as an insurmountable problem.
What is a Restore partition?? (serious question)
The actual name is usually a Recovery Partition.http://www.pcadvisor.co.uk/how-to/laptop/3462995/factory-reset-laptop/ [pcadvisor.co.uk]
See also http://en.wikipedia.org/wiki/Recovery_disc#Recovery_partitions [wikipedia.org]
Frojack... I followed your link and found this text which I found rather troubling...
In general this will work for Windows 7 and previous versions but Windows 8 laptops will typically have a recovery application which is launched from within Windows so check your app menu.
Ummm, I probably need that recovery disk because Windows won't work.
Right now, I am using "Clonezilla", with one of those Western Digital "Element" USB drives It seems to work, albeit I have never had to restore from it. Anyone here had any experience with it?
Admittedly I have about as much trust in my computer as I have in a whore. She's beautiful, but I can't trust her. I am always wondering what she is doing behind my back. I am afraid to leave her unsupervised, because at the weirdest times her CPU and memory use max out and I have no idea whose plans she is carrying out... all I can do is reboot her and hope she forgets what she was doing. I read daily of all of her really bad boyfriends on the 'net who are always calling her up to coax her to screw me up for them. Seems the only way to keep them from calling her is to pull the RJ45. It really surprises me businesses tolerate this kind of crap in their machines.
The Windows bootloader will automatically boot from the recovery partition if Windows fails to boot a couple of times. It's also there as an option in the boot menu (not sure if you need to hold a key to make this appear).
It's a small partition on the hard drive that ships with many Windows computers these days whose sole purpose is to restore your main partition (e.g., your C: drive) to its original state when the computer shipped. This is done by the computer manufacturers because:- they are too cheap to supply an actual restore CD/DVD.- they want to prevent a customer from wiping the factory installed crapware off their hard drive and reloading from clean media.- they want to be able to reinstall their crapware no matter what happens to your computer (except for when your hard drive fails).- they want to charge you to get a restore disk when your hard drive fails (if your hard drive fails then your restore partition goes with it *because they are on the same physical disk*).
For those of us running Linux a restore partition is something memes are made of.
Superfish? Is that some Windoze crapware?
Watch out! You are bound to summon HairyFeet and we'll all have to listen to his sermon on the Ubuntu Amazon lens fiasco... again.
Do you have to say the name 3 times?
I was not very happy with Amabuntu either, but I think this is worse.
Watch out! You are bound to summon HairyFeet
He won't have the courage to pop up here. He's been shilling for Comodo for decades and they've been busted doing the same thing.
The U.S. government on Friday advised Lenovo Group Ltd customers to remove a "Superfish," (...)
In every other country, the government would just advise the consumers to return the defective computer to their retailer for a full refund, and the retailer to the malicious seller (including postage and transport insurance) -- or else revoke that seller's license to sell in that country.
Doesn't the USA have consumer laws? I thought it was a capitalistic country?
If Toyota accidentally sells cars with dodgy brakes in the USA, does the U.S. Department of Road Traffic (don't know what it's called) provide the consumers with a list of instructions how to remove the dodgy brake, and a link to Alibaba.com to order a replacement one?
Bullshit, those cars are recalled, it's the problem and responsibility of the seller to sell functioning wares.
A car with dodgy brakes is worse than no car, and a PC that makes your bank and social security logins world-readable is worse than no PC.
I'm in the US, and your car analogy is spot on.
My Toyota had 5 recalls last year. Toyota decided to only fix two of them (one that causes the airbags to not deploy, and one that causes the front seats to come free of the floor in an accident-- nice combo). One of the ones they decided not to fix unless it is already broken / breaks before 100K miles is a bolt that holds the suspension together. Presumably, our government was OK with this decision.
We *are* a capitalist country. That is the problem. Capital has complete control of *everything* in this country. There is a silly ritual of voting for pre-selected (by money) candidates periodically, but it is all sham. The U.S. elite have achieved Mussolini’s ideal of fascism.
Returning Computers to the store is WORSE advice than taking your car in for a recall.
You're suggesting everyone who purchased a Lenovo hand all their data to some local retailer, who in turn hands it over to Lenovo, which is located in China. Nice windfall for them. Customer is left without both their data AND their computer. Thanks a lot buddy.
Fortunately the Government isn't that stupid, and knows that removing all traces of sensitive data from a computer is a tougher job then the average housewife can handle, and doesn't make such silly mandates.
The automatic removal tool and/or the manual removal steps [lenovo.com] are simple enough, and Microsoft Security Essentials (which also comes pre-installed) will remove it for you.
A nice fat fine for Lenovo is all that is required here.
Hm.. good point.. to continue the car analogy, it is advised to first take your child out of the car before you bring the latter to the garage for recall. Unfortunately your computer doesn't protest as loudly when you bring it back to the shop where you bought it.
And one of the first things you'd want to do with a new computer is put all the stuff from the old computer on it, so what you describe is probably quite common.
So what's the solution? Some local company that specializes in trusted wiping of computers? (Fee to be sent to Lenovo) and then return it to the retailer?
The solution was pointed out in my first reply. Maybe re-read that?
Remove the malware, and get on with your life.
Well if we're going to be statists about the thing, the recall could simply instruct consumers on how to remove their hard-drives. I don't know how difficult that would be on the affected models, but on my ThinkPad it's about as difficult as swapping out batteries on a normal consumer device. You'll need a screwdriver, but it's a world of difference from trying to wipe the thing clean before returning it. Let Lenovo eat the cost of not getting their hard-drives back.
Doesn't the USA have consumer laws?
Yes, but generally the corporations are the "consumers" protected by the laws passed by the US government. This is a totally reasonable definition of "consumer" seeing how most companies are giving money to the legislators for these laws.
Breaking SSL sessions is hacking. This is a clear violation of the CFAA. The CEO and board of Lenovo should be arrested and charged with this violation.
And all of this is before the civil suits...
...at least if corporations really are people and all...
Let's revisit the SONY BMG ROOTKIT for a moment, and read/listen to a quote from Thomas Hesse:
"Most people don't even know what a rootkit is, so why should they care about it?" - Thomas Hesse, President, Global digital business, Sony BMG