A Bit Late, But Lenovo CTO Admits The Company Screwed Up
from the finally dept
We’ve had a bunch of posts today (and yesterday) about the “Superfish” debacle, with a few of them focusing on Lenovo failing to recognize what a problem it was — first denying any serious security problem, and then calling it “theoretical.” It appears that Lenovo has now realized it totally screwed up and is finally saying so. Speaking to Re/code, CTO Peter Hortensius has changed his tune from the “theoretical” problem he discussed earlier:
?We messed up,? CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a ?man-in-the-middle,? or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one.
[….]
The company has an engineering review that made sure the tool itself didn?t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.
?We should have known going in that that was the case,? Hortensius said. ?We just flat-out missed it on this one, and did not appreciate the problem it was going to create.?
He later admits that the company “deserves” to take a beating for missing that. The company has also promised to publicly announce a plan for how it will make sure this sort of thing doesn’t happen again.
While we called the company out for its initial terrible reaction, at least the company now seems to recognize the problems it caused and is owning up to it. It should have happened faster, but at least it’s happening. Hopefully, the company is better off for it.
Of course, the same can’t be said for Superfish, who insisted yesterday that Lenovo would show that there was no security risk at all, and still seems to be standing by that ridiculously wrong statement.
Filed Under: adware, malware, peter hortensius, superfish, vulnerability
Companies: komodia, lenovo, superfish
Comments on “A Bit Late, But Lenovo CTO Admits The Company Screwed Up”
This is a non-apology apology, though. There is no excuse for anybody to interfere with encrypted traffic between you and a host under any circumstances, least of all an OEM.
The CTO is genuflecting to ensure profits aren’t going to be down too much this quarter. The only thing which ensures Lenovo and other competitors learn a good lesson from this is heavy losses or bankruptcy, which is what they deserve.
To still fall for the soothing words of professionally lying coporate executives in this day and age is folly.
Meanwhile, in the United States, tech companies continue to claim to protect privacy on the one hand while collaborating with the NSA to destroy it on the other.
Words from coporate executives have no meaning. You’re listening to a robot.
Re: Assume much?
Why would you think this isn’t another example of collaboration? Go research the principles of the vendor. They are all from the intel community.
Re: Re:
You’re exactly right. This isn’t an apology or an admission. It’s corporate bullshit from one of Lenovo’s professional liars. It’s worthless crap that means NOTHING.
Lenovo was and is no doubt fully aware of the Sony rootkit debacle: they simply gambled that it wouldn’t happen to them. And they probably calculated that even if it did, the profits they made by selling out the security and privacy of their users would outweigh the negative press.
The next Sony/Lenovo will do the same thing, unless Lenovo is sufficiently punished. And by “sufficiently punished”, I mean that they must be driven into bankruptcy. We need a massive online campaign that makes it clear that Lenovo supports spyware that enables pedophiles, rapists, phishers, spammers and stalkers: we need to drag them through the mud until anyone hearing their name thinks of the most foul, sleazy, awful people on the planet.
Everybody screws up sometimes
But it takes a “man” (or woman) of character to admit it when they do. I don’t like what Lenovo did, but I have gained a lot of respect for them in that their CTO is willing to fall on his sword over this. And even more respect for him.
Re: Everybody screws up sometimes
They were victimized, actually.
Re: Re: Everybody screws up sometimes
That’s laughable, at best. Even a properly secure version of this software would be garbage, and not something any vendor should bundle in a pre-installed OS in the first place. And if they had done any resting at all, they would have seen what a gaping security hole it creates.
Re: Re: Re: Everybody screws up sometimes
No, what I mean is that someone inside Lenovo made a dirty deal with a defense contractor for inserting privacy-destroying software on their laptops in order to sell the data to the NSA.
That would be laughable if it were not already known what they actually do.
Re: Re: Re:2 Everybody screws up sometimes
Why would Lenovo, a company that people have been screaming about as they’re a Chinese company and thus could be ‘spying for China’, collaborate with the NSA?
Re: Re: Re:3 Everybody screws up sometimes
Money.
Re: Re: Re:3 Everybody screws up sometimes
“Why would Lenovo, a company that people have been screaming about as they’re a Chinese company and thus could be ‘spying for China’, collaborate with the NSA?”
NSA: Mr CEO, nice to meet you. Your kids still going to Lat Mai high school? I think I ran into your wife at the Gak Lai supermarket the other day. And the landscaping at your home on Momo Drive, magnificent, just magnificent.
True terrorism at it’s finest.
Re: Re: Re:4 Everybody screws up sometimes
Mr CEO : Why, Mr. NSA. It’s really nice to meet you too. This guy to my right? Oh, you haven’t met. Now, I’m not saying he’s with Chinese Intelligence and I’m not saying he’s not. But he’s awfully knowledgeable about your children, practically a trivia buff on the subject.
Hey, it’s just as plausible 🙂
Re: Everybody screws up sometimes
They didn’t admit anything until they got caught in a web of their own lies and had no choice but to backpedal to save face. They deserve no credit for this. They were forced into it.
Re: Everybody screws up sometimes
“I have gained a lot of respect for them in that their CTO is willing to fall on his sword over this”
Not me. After the first few rounds of deception, it’s hard to respect them for coming clean only once they realized that nobody was buying their BS.
It will be interesting to see if Lenovo’s promise to drop Superfish covers all computers — or only computers sold in Western countries?
Before anyone can say “that’s a stupid question!”, let’s not forget that back in the 1980s, after Pharmaceutical giants such as Bayer learned that their human-blood-derived products were spreading AIDS, they immediately took steps to revamp the products to make them safer — but only to products sold in Western countries. Rather than destroy their existing stock of tainted merchandise, these companies simply changed its destination and shipped it to 3rd-world countries instead (one of which was China, home of Lenovo).
And of course the tobbacco industry has been famous for agreeing to change its evil ways in one country, only to shift its target to other countries where it’s hoped that resistance will be weaker.
So let’s not completely discount the idea that Lenovo is only making a strategic *partial* retreat and not a capitulation.
…trying to figure out why comments are going to “moderation” right now.
The last denial from him was in WSJ who typically has an audience more likely to be less technically understanding and easier to calm by lies. re-code has typically a technology angle attracting people who can spot the lies and get angered by them.
I still see what the CTO does as media appeasement/damage control. While the re-code interview is a lot more real, it still seems to be a case of designing the message to the listener…
“No, what I mean is that someone inside Lenovo made a dirty deal with a defense contractor for inserting privacy”
Not even that. I think they knew all along. They didn’t think they would get caught.
“Why would Lenovo, a company that people have been screaming about as they’re a Chinese company and thus could be ‘spying for China’, collaborate with the NSA?”
Lots of cash ?
This seems to have an amazing effect on people and corporations when the amount is high enough.
this komodia stuff is the tip of the iceberg with regards to how screwed up https and ca/cert based security is. I hope you guys will keep digging- lots of stories and knowledge that deserve attention and understanding here.
With no cooperation from any CA’s, this dinky little company easily created a complete inception style spy ware apparatus that went undetected for quite some time.
good thing the nsa/gchq can’t do such a thing…
wait, what?
how many trusted root CA’s do you have installed on your computer? …or a better question is how many root CA’s did your browser maker decide you should trust- it’s not like you consciously chose to trust those entities.. most probably don’t even know they exist. worse still- how did those entities even become ‘trusted’… it’s far more arbitrary then you might imagine.
Re: Re:
You might be misunderstanding the word “trusted”… “a trusted system is one whose failure may break a specified security policy.” It’s not a compliment, and notably doesn’t mean trustworthy.
I think, like bankers and ISO certifiers, they are focusing more on procedures and insurance than results. The CAs all follow “best practices” without much regard for whether those practices are actually good or sufficient (as opposed to the same mediocre practices as everyone else). For example, they send an unencrypted email to the domain owner, even though CAs exist because we expect unencrypted traffic to be observable and modifiable by adversaries. (It’s the “best” practice just because nobody else is doing anything better–except with EV certs, where the CAs say they’ll do the job they were supposed to do in the first place.)
The few CAs that are known to have been compromised or otherwise taken advantage of (e.g. MD5 collisions helped by predictable serial numbers) had some pretty egregious problems, stuff that serious penetration testers should have found, but they all had the requisite certifications and insurance before it happened. Most of them still do.
Re: Re: Re:
“You might be misunderstanding the word “trusted”… “a trusted system is one whose failure may break a specified security policy.” It’s not a compliment, and notably doesn’t mean trustworthy.”
Spot on. This is one of those “terms of the art”, and I have to admit that I never realized that people might not know what it means.
Sorry Lenovo, you should have learned from Sony in 2005. Never again will you see any of my personal or any corporate (friends family)I have any control over.
Actions speak louder than words
Dear Lenovo,
If you really regret Superfish (and not just the fact that it was discovered), I have a simple way you can demonstrate your integrity:
As soon as possible, begin offering all of your Windows computers–every single one–with a “clean install” option that includes nothing but Windows, Windows updates and WHQL-certified drivers. Not so much as a custom desktop background image added.
If you have software other than WHQL-certified drivers that you believe enhances the operation of the machine, make it a downloadable install, and keep it granular (e.g., don’t bundle uncertified drivers we need with apps we don’t).
Let us see how much more you have to charge without subsidies from bloatware and adware vendors and make the decision for ourselves which is the better value.
I think you’d win back a lot of respect… and maybe force some other OEMs to play catch-up.
The statement is exactly the one you would see if control of the situation was moved from marketing (“we are certain there is no risk”) to legal (“we didn’t know anything”).
Did they simply miss the implications of snooping-based advertising? Especially one that can insert their only advertisements? That doesn’t seem credible.
posting nice
many blog posts do not like this provide a useful article for visitors thanks admin
jaket kulit pria
Superphish
Torvalds notes (p.95) of “Just for Fun” “If money was to get involved things would get murky. If you don’t let money enter the picture you won’t have greedy people”.
greedy people we got and the lust to get adverts and recons into everyone’s computer is stunningly vicious
I ran across this in a blog post today
oldschoolh4ck3r
Welcome to the brave new world, where industries and governments collude to dissolve privacy and establish a digital battlefield. Deep-pocketed agencies can fund corporations towards their agendas of tainting technology in their favor, all the while pointing the finger at software ‘bugs’. We’re in a lot of trouble.
OpenSource and FSF software is the “Last Best Hope” for privacy and security
IMHO
This is why NONE of this 3rd party CRAP should ever be pre-installed on a new computer. It should Windows ONLY, free of all other crap!!!
Is it really worth it to get a Bad Reputation for this garbage? I know Windows like Android has issues with making any money on razer thin profits and they do this crap to try and make a little money. How much do you really get to have this crap installed on a PC? $20? Here’s a idea, bump the price of the PC up $20 and remove ALL of that crap.
Why not be known for Not throwing CRAP on your PC’s!!!
Worse than Superfish?
Here’s a new one:
https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html