And you're still running the OS that it came with? Even if you want to keep Windows, always reinstall fresh. It's far easier than trying to hunt down every piece of malware they put on it
This is repeatedly recommended, but I think it's overlooking that not all manufacturer customization is entirely evil. You then to hunt down all the drivers for bits of the motherboard. Are you sure your power consumption settings are optimal after you've done this?
Windows has gotten pretty good at finding and installing drivers for you. I'm not sure about 8.1 (only used it briefly on a tablet that came with it installed) but with the 10 preview it has found and installed all the drivers I needed for the two Thinkpads I tried it on. It didn't download the Lenovo power management utility which is key to really squeezing the most out of it, but in my experience it isn't significantly better than Windows power management + keeping the screen brightness down (which is what the Lenovo utility does anyway).
The time period where Superfish was included was a relatively small chunk of 2014, so you may not be impacted.
A good general guideline when buying an off-shelf Windows machine is to do a full wipe first. There may be some manufacturers who are immune to this, but assume everyone's included some bloatware. I find too many people who buy Windows machines start by attempting to manually remove this stuff, which is often a hopeless proposition. Clean wipe, reinstallation.
This isn't the reason why most startups/devs have moved to Apple, but it sure helps.
Because the business and consumer teams at Lenovo are largely separate. I can't order a Yoga through my Thinkpad rep. I have to go to a retail vendor and us a credit card. I expect there are lots of people at the old IBM offices in New York who are as horrified as we are at when the consumer team agreed to.
Thinkpad T430s. It's a year old so I'm in the clear upon more detailed reading of the article. I usually do a clean install but when I bought this box it came installed with Win 7 and the discs I got were Win 8 only. Didn't come with a Win 7 serial. This is what I get for buying from a reseller on Amazon.
If you have Windows installed I think you can extract the license key from it (assuming Windows is genuine), then use it to do a clean install, or just save it for posterity in case the hard disk ever dies. As far as I know this is fine WRT Windows EULA.
no you cant - not in lenovo's case. The reason for this is that the keys for lenovo correspond to a very special Windows release that Microsoft specially bakes for Lenovo. You cannot use the keys on any other ISO.
This is also a big problem - you cant download these ISOs (unless some *rrentbay) and Lenovo does not give you CDs readily.
Hey, I use a desktop machine. That paints me as some kind of startup weirdo. Granted, it runs linux, but still, it doesn't fold in the middle or have it's own monitor and keyboard built in.
Only after various rounds of denials followed by backlash against them. Even their "removal" instruction initially failed to fully remove the root certificate. Every single step they made PR-wise was too slow and just reactionary to the backlash. Somebody up there should be fired and replaced.
Their PR style is a bit outdated. Denying and minimizing worked before very well -- major news sources would publish the official denials only and it would kind of stop there.
And most of all it helped if there would be litigation. The thought goes if CTO goes on record admitting guilt that is a slam dunk case for anyone suing them.
Therefore the typical corporate non-apology apology "I am very sorry you feel this way" kind of bullshit.
The problem of course is information sources are a lot more diversified, with Twitter and other media bubbling up tech news to the top faster.
The other problem they are facing is a lot of technical people were their proponents and would advocate and drive purchasing decision (in turn putting their own reputation on the line). This is where it is going to hurt them.
Something to the effect of "We are very sorry, this was a mistake, here is how to remove the software, we'll send you free software or Lenovo.com discounts. We'll cut off our relationship with this company. Etc, etc.." I think would have been much better for them in the long run.
Assuming that this isn't an intentional backdoor that they had to place, there is no defense, period.
Intentionally weakening people's system, MITMing their traffic, and inserting ads in private communication.
If an individual was doing this, let alone at this scale, they would be stamped 'hacker' and put in some dark prison for ten years. Now it's Lenovo, they will get away with an apology or a class action lawsuit at most.
I warned all my friends and colleagues who use Lenovos, and their answers were all the same. "Who'd be crazy enough to use the default install? First thing I did was (a fresh reinstall of Windows|install Linux)."
(Edit: Obviously this is not representative of the general population, and I didn't mean to suggest it was. I was just noting that my efforts to warn people about the untrustworthiness of Lenovo were thwarted because none of them trusted Lenovo to begin with, not for software at least, and that seemed interesting.)
You live in a bubble. There are plenty of people who use Lenovo products that are not tech people. By saying this, even though you don't intend to, you are minimizing the effect of this and being an apologist for lenovo.
An intellectual should always be wary of semantic equivalents to, "You're either for us, or against us." In greatest part, because this is one of the major symptoms that one's consciousness is partly clouded by group psychology.
I don't like the attitude that if there's a problem, you aren't allowed to say anything along the lines of "here's something that makes it less of a problem than it might be".
Sometimes this is the only way to get CPU scaling to work properly, as the drivers for the laptop's particular quirky ACPI implementation may not be available sepatately. It's no fun having a clean system that either runs at 1999 speeds or burns a hole in your desk. Linux can be a bit better on some systems, but worse on others.
The last Lenovo laptop I got came with Norton. I uninstalled that completely. Then I went to download Chrome which Norton decided to protect me from. Uninstall means different things, and they never uninstall completely/cleanly. In this Superfish example they would have left the dodgy certificates behind. The only way you know you have a good install is to do a clean install, rather than attempt surgery on the crap that got shipped.
Fortunately Lenovo do have a system updater that does a fantastic job on driver downloads etc.
Apple provides Recovery Disk Assistant, which is more or less the same thing.
Also, when the SSD in my Macbook Air failed, I was able to netboot their internet recovery thing, which let me install OS X on a USB3 hard drive. Pretty cool.
Apple provides Recovery Disk Assistant, which is more or less the same thing.
I see. They have that stuck into Disk Utility now. One point to Apple.
Disk Utility is a bit kludgy nowadays, though, and it seems they're not doing as good a job as MS publicizing the tool. (Too small a sample size here, but I ran across the MS tool by accident while searching/browsing. With Apple, a human had to tell me.)
With Macs you have multiple options. The first being much easier than a typical Windows PC.
1) Boot into Recovery mode (Cmd + R), then use Internet Recovery [1] to install OS X. This works even if your HDD or SSD is completely blank. All Macs from around mid-2010 onwards are supported. [2]
2) Download the latest OS X installer from the Mac App Store, then either use the bundled 'createinstallmedia' command-line app to create a bootable USB flash drive [2] or a third-party app called DiskMaker X [3].
Piracy is actually quite hard on Windows 8+. The way it is licensed is way different from the past and the current circumvention methods require repeated reactivation and break a lot.
Note: I do own Windows 8.1 Pro, so don't think this is based on my experience pirating the software. I merely have examined the licensing system for some software I was writing.
Yes and no. There is at least one case that I can remember[0] of pirated software being modified to download and install a virus.
According to Microsoft[1], 32% of pirated Windows 7 copies and activation cracks resulted in some sort of malware infection
Speaking anecdotally, most of the friends and family whose computers I've had to clean up have been running some sort of cracked/pirated software that they'd downloaded or had been given to them by a friend
I'm still sticking to Windows 7, the Windows 7 OEM disks are now behind a barrier which requires you to put in a valid key only from certain retailers.
This is repeatedly recommended, but I think it's overlooking that not all manufacturer customization is entirely evil. You then to hunt down all the drivers for bits of the motherboard. Are you sure your power consumption settings etc are optimal after you've done this? Have you installed all the drivers "manually" via their inf files? (e.g. Nvidia drivers come with their own pile of bloatware)
Yes, not all manufacturer customization is evil. But my point is that no one in my circle trusts the manufacturer enough to leave any of it on their machine.
Lenovo does this for you with their system updater. It downloads and updates all drivers for your system, including bios updates and configuration tweaks that affect power and stability. It will install on a fresh install from Microsoft media - ie there is no need to keep what was preinstalled on the system. http://support.lenovo.com/us/en/documents/ht080136
I don't use those because i don't trust the manufacturer-provided "system updater" to only download drivers. What's to prevent them from surreptitiously installing their add-on garbage.
Even if it currently does not do that, I just don't trust it to not do that in general.
For Lenovo you can download the SCCM package for the given model. Includes all necessary .inf files and does not install anything itself (designed for use in corporate deployments).
The Lenovo one is a continuation of the IBM one. You get to tick what you want, they show what the existing installed version is, as well as changelogs. There has never been any misrepresentation. I believe corporate types use the system updater too, and pissing them off by installing garbage would quickly annoy valuable customers.
It does not let you install or update the crapware that comes with systems. It is actually quite difficult to get that stuff other than saving it when you get a new system. BTW IBM/Lenovo have historically had way less crapware than other vendors. I think Lenovo got complacent in this case, hearing "you guys do less crapware than the others" and confusing it with "you are doing a perfect job". Less worse is not the same as doing good.
Someone's useful add-on is someone else's garbage. They have some software called Access Connections which provides more gui and control over networking, such as which access points to connect to based on location profiles and who knows what else. I don't want that since I mostly use Linux, and Windows does a good enough job when I am using it. The system updater has never installed it, nor tricked me in any way.
Here's a fun surprise: Microsoft allows driver vendors to ship arbitrary programs in addition to drivers. They will download and install these programs automatically. For instance, I bought some "gamer" mouse because it was the closest thing to an Intellimouse 3 I could find. Suddenly I have a \Program Files\Razer directory, and a popup on install telling me to register and do all this other stuff.
So if Lenovo was evil, they can just ship shit in their drivers, get it certified by MS, and have it distributed automatically by Windows Update driver install.
I despise Lenovo. Purely from an engineering quality aspect, they aren't remotely close to IBM. I've been on the T440p for a year now, and I utterly hate using it. Every time I'm not docked, I'm really, really, annoyed. (Compared to feeling great when on the X201.)
But what am I gonna do? There's essentially no options to replace an old X-style ThinkPad. The newest Carbon X1 is as close as anything. Everyone else is moving to the Apple-style clickpad, which is unacceptable. HP and Dell sell mostly crap. Apple's devices are hot and unergonomic (apart from questionable Windows driver support).
So good luck not trusting them. And I doubt HP'd do any better.
I was under the impression that Lenovo supplies a lot of computers to government and enterprise contracts around the world. Was Superfish only installed on consumer oriented devices, like the ones typically found at Best Buy? I realize most large enterprise would re-image their computers before deployment. I'm shocked that Lenovo would release such a statement. The damage to its credibility is significant.
Yes, it was only installed on their consumer oriented machines. Their T model Thinkpad don't have it installed.
Now the question is of course what else are they installing and what other yet undiscovered issues we'll find. It sounds like FUD but so far based on their response, they seem either incompetent (stupid) or malicious. And I don't exactly like either...
I never quite got this distinction between consumer and non consumer machines, when you can buy high end ThinkPads (but not the blocky T models) at a retailer, and are just as nice as big old blocky good old ThinkPads.
I'm really interested if a high end (but "consumer") ThinkPad like http://www.microsoftstore.com/store/msusa/en_US/pdp/Lenovo-T... that you can buy at a retail store (in this case, a special MSFT Store version that has plain Windows supposedly on it) was infected.
I loved (well still do) my T model. It has a strong magnesium case. Very solid. Heck it lasted 7 years. Including travel and other abuse.
It didn't have bloatware crap installed (as say US govt or big companies would not like that). It came with a smart card reader and such. Had a fingerprint scanner (back when there were not common).
Initially also they didn't have all these "consumer" models (Y,G,W,...).
Agreed. Seems like the lesser of two evils in this case. I applaud MSFT for realizing that the vast majority of their users will not have the impetus nor the requisite skill to remove this from their machine.
No 15 years ago Microsoft would have been the ones installing it.
I think Microsoft went from being a hated software giant to sort of an underdog vis-a-vis Google, Facebook, Amazon and Apple.
They are very big and strong no doubt, but I think the attitude they are projecting since switching CEO recently, their open source efforts, and such make them look pretty good PR-wise among the tech crowd.
it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.
Though given alternative methods of bypassing any Microsoft security, not really necessary.
In the past Microsoft would have been both installing it and have their security tool removing it, left hand does not know what the right hand do in large organization, then after figuring out they would whitelist their own spyware from the removal tool. This may have actually happened.
The rest is simply PR, microsoft is still the evil corp it used to be but has to fight other evil corps to keep a share of a market it once dominated. Microsoft had too much money to burn to die quickly, its agony will take quite some time.
> microsoft is still the evil corp it used to be but has to fight other evil corps to keep a share of a market it once dominated. Microsoft had too much money to burn to die quickly, its agony will take quite some time.
I don't buy it. I think Microsoft seems to have actually made real changes. If you want an example of what a giant evil tech corporation dying slowly looks like, take a look at Oracle. Their core business is basically obsolete, but they'll go on killing open-source projects and squeezing their locked-in enterprise customers for many years.
They are not removing someone else's software though, they are alerting you to a security issue, recommending removal, and providing the tools to do so. That's exactly what an antivirus is supposed to do.
For all we know, Lenovo and Microsoft have been in communication and Lenovo asked or was ok with Microsoft doing this via Defender. Also, Defender specifically flags this issue as a "CompromisedCert", indicating that the impetus for removing it was not necessarily the app itself but because the private key for the cert was found and leaked everywhere.
This is only is if Windows Defender is operational - in which case the user definitely wants the malware to be disabled/removed. It's akin to having a SPAM defender - in which you grant administrative rights to the owner of the Anti-SPAM tool to redirect spam to the bit-bucket.
Sorry, but as one who was on Slashdot from pre-userid days, and is in general a huge critic of the company, bullshit.
Microsoft is in a hard place in terms of determining what is or isn't allowed on their systems (due in large part to their own past and quite probably ongoing monopoly abuses), but fixing obvious flaws is to be applauded.
I don't champion the company often, but they're doing the right thing here. Actually, sanctioning Lenovo for letting this happen might be another option they've got. Though something tells me they won't play that card (and quite possibly cannot).
Defender is my current Windows anti-malware software of choice. Basically, because they don't feel they have to shill so hard as the other AV companies, and this makes their user experience suck the least.
Yes, and: it's preinstalled on Windows 8, it costs nothing, and it's made by the very same company whose product it tries to protect, so incentives and motivation are clear (an exception to "if you're not paying you're the product").
It's quite a convincing product, quickly becoming an integral part of the OS. And rightfully so.
This is really great, but the real question is will users actually see this on a default Lenovo OS build? Can anyone confirm that Defender doesn't get disabled in favor or say... McAfee or Symantec?
Seems to be a lot of self-righteous moral crusaders on Twitter, and some on HN too, who won't be satisfied until they see Lenovo employees hanging from lamp posts...
Not sure that you have to be especially self-righteous to think that there is some level of betraying user trust that ought to actually have some kind of negative consequences for people.
The people who made the decisions involved here essentially hacked hundreds of thousands of PCs and defrauded their customers. I don't expect anyone in Lenovo to be punished for a crime, but there's no doubt they did something clearly unethical and borderline illegal. Their best possible defense is that they were just incredibly negligent.
Violent murder is not an appropriate response to this, but certainly somebody (probably multiple people in the upper echelons of Lenovo) should be fired. The damage to Lenovo's reputation from this is enormous.
Even if 'average people' have no idea what a certificate is or why it's important, those who do have an outsized influence on PC purchasing, and are likely to remember this for years.
That's good. It seems too few consumers get a clean Windows experience, and this fiasco has quickly become the chief example. You'd think MS would want to address that, perhaps by hardening their OEM licensing.
"Beijing-based computer maker Lenovo has reportedly been blacklisted for years by spy agencies worldwide, as concerns about government-sanctioned Chinese hacking persist. According to the Australian Financial Review, Australia, the UK, Canada, New Zealand, and the US have all rejected Lenovo machines for their top-secret networks since the mid-2000s, though the computers can be used for lower-security tasks that don't involve sensitive information" [1]
Why buy a laptop from a company that has ties to the Chinese government [2], an authoritarian government that supports dictators in Africa and totalitarian government in Russia, oppressing women and children in those countries?
Why buy a laptop from a company that has ties to the Chinese government [2], an authoritarian government that supports dictators in Africa and totalitarian government in Russia, oppressing women and children in those countries?
Also (presuming grandparent is American, which may be incorrect) the US supports dictators and totalitarian governments that oppress women in Saudi Arabia.
Why buy a computer from a company that has ties to the US government, an authoritarian government that supports dictators in Africa, the Middle-East, South America, and East Asia, including torture, drug smuggling, misogyny, and has itself engaged in abduction, detention without trial, and in relation to this case, illegal interception of communications?
> Favourable to or characterized by obedience to authority as opposed to personal liberty; strict, dictatorial.
It's certainly reasonable to argue about whether this actually applies; but I don't think that it represents a useless dilution of the word to think that it might. (Well, not 'dictatorial', but the rest of it.)
> It's certainly reasonable to argue about whether this actually applies
literally that it is reasonable to argue, i.e., that neither position is obviously irrefutably true; and also I think I've created enough of a de-rail already here; but, if I had to make an argument for authoritarianism, I think that I would claim that the concept of free-speech zones instantly implies, for some parts of US government at some times, more respect for authority than personal liberty.
2.) In the way that a company can be compelled to comply with an order from the government, including the requirement that the company may not disclose to anyone the nature of that order or the gag order, and that there is effectively no way to challenge such orders in a court of law.
>Have you actually lived in a country that has no elected representative?
You know, you can have "elected" "representatives" and still be authoritarian. You can make sure the ballot only has people you like on it, you can ignore what the representatives have to say, you can lie to the representatives so their decisions are compromised, you can restrict the flow of information to the electorate so their decisions are compromised... All of the above happen in the US. Hell, China has elected representatives - they're just all from the same party.
"Don't blame me - I voted for Kodos." - Homer J. Simpson.
Well because they were making darn good hardware. I had my T60 for many many years. Carbon X1 seems nice.
Now I ended up buying a cheap ASUS Chromebook for traveling, replaced drive with a large one and installed Ubuntu. But still haven't decided if I want to replace my main machine.
Was eyeing Carbon X1 models for a while, but now will have to rethink.
Besides, like some people here, I always wipe everyone out and reinstall my own distro on it (Ubuntu usually).
The T60 was one of the very first laptops Lenovo released after it purchased the IBM PC division. I wonder if it had already been in development under IBM before the purchase.
I am pretty sure it was. Mine still has the old style IBM Thinkpad logo on the case. Documentation and driver downloads pointed to ibm.com site for a long while even after the acquisition.
While we're at it, Lenovo's statement that we might enjoy the adware: "The relationship with Superfish is not financially significant; our goal was to enhance the experience for users" is self-evidently bullshit.
The key word is significant. They're not claiming they didn't preload this software for money, they're just saying it wasn't for very much money. Such a small amount of money that they have no problem ending the relationship now that it's causing them problems.
My wild guess would be they got in the ballpark of $0.25 an install.
For me the key word is "enhance". Why would Lenovo go to the trouble of bundling this, knowing full well that it doesn't actually enhance anything for end users?
"Enhance" is the weasel word you use when you want to try to convince someone something is better, but you can't actually explain in detail what's better about it. Whenever you see a marketing claim that something is "enhanced" the warning bells should be sounding.
A different way to frame the comment might be something like: "we were willing to sell out your privacy and security for a mere pittance, 'cause we're cheap whores".
My co-worker Tom has this mental model he calls the "prostitute-physician scale." Basically, it's a scale for measuring how willing you are to simply take the client's money and do whatever, versus giving advice in the best interest.
I think many sex workers with personal standards would be insulted by your comparison with physicians, who seem to be happy to take money (not your money, I guess) to push drugs that may or may not actually help you[0].
I think many sex workers with personal standards would be insulted by your comparison with physicians, who seem to be happy to take money (not your money, I guess) to push drugs that may or may not actually help you[0].
I do not object to this notion at all! For one thing, it's not my comparison, it's my co-worker's. Also, an "inversion" of the scale's sign would serve as a sharp and salient commentary on problems in our society.
I assume they didn't intend to compromise security. I think it's more accurate to say that they stiffed their users with adware that nobody wants in exchange for a little bit of money, and that were so indifferent to security and privacy while doing it that either didn't notice or didn't care that it was a fundamentally bad idea.
In my opinion that is worse. Most any clueful technocrat can tell you that injecting traffic into HTTPS sessions is a MITM attack. I am willing to bet that fact most certainly did make it to an executive level (certainly at the fishy company) and a choice was made to not care about that problem.
The road to poor security is paved with indifference.
Which kinda sounds even worse. It says essentially that they're willing to break critical security components on their entire product line for pennies per device.
Hey Lenovo, can you install this root cert I made on your entire product line for me? I'll give you like $20 for it. It's at least better than Superfish - I promise not to include the private key with a trivially-crackable password in the install, so only I can intercept all secure communications by any of your customers, instead of anybody in the world.
I'm not even that miffed about being a product and not the customer; I am incredibly miffed that I'm apparently one of the products in the discount bin.
I am miffed, actually. I own a Lenovo laptop and it was not cheap. Fortunately it dates back to well before this thing and has a clean OS install anyway, but.
They sell laptops. It's not a free service, I am the customer not the product. Did Lenovo have a pressing financial need for these extra pennies on the side? Really? How is that benefit vs risk calculation looking now?
I wonder if this is actually true at all? I mean, yes, everyone around here absolutely abhors software like this, but there is a class of people who love hunting for bargains and accumulating coupons etc. Is there someone who buys a laptop like this and enjoys the additional advertisements? I always wondered the same about those annoying toolbars, I imagine some people actually perceive these as useful.
Looks like they also removed a number of posts in the forum where the discussion started, including a post where a moderator wrote that customers asked Lenovo for this kind of service. The same moderator also pointed out that it was against the community rules to argue with moderators...
Don't think it is purely happenstance. There is absolutely and unequivocally either brigading Microsoft fans, or paid shills, hitting HN hard. There was a garbage post on the front page yesterday and I left a completely benign post that didn't go with the pro-Microsoft/anti-Google narrative -- saw -11 within less than 60 seconds.
shrug. I thought someone needed to do machine learning as a service, especially that can be accessed from Python, so I upvoted an article on Azure. I think presentation should be separate from data, so I upvoted a comment on posh.
I'm a OS X / Linux person (my name's probably in your distro somewhere) and sometimes Microsoft does good stuff.
And, strangely, I didn't say otherwise. I'm typing this message on Windows. My main development IDE is Visual Studio. My primary RDBMS platform is SQL Server, deploy of course on Windows.
Yeah, the strawman that Microsoft can do no right is pretty easy to knock down, but has absolutely nothing to do with the context of this.
Again, a post on the second page (a ridiculous, extremely low quality post that had to be flagged off the front page) saw my benign comment get -11 within 60 seconds. I've never seen that before, much less for a completely moderate comment. I've seen this extremely pro-Microsoft moderation hit other threads hard, and it seems pretty obvious that it isn't by accident.
When startups choose tech these days based on what HN thinks is cool and hip at the day the decission is made, you can't blame tech companies noticing this and trying to turn the odds in their favour.
The part that 'nailer' is correcting is your statement that "There is absolutely and unequivocally either brigading Microsoft fans, or paid shills, hitting HN hard.". You accused him (and me, and others who voted up this story) of being either a "brigading Microsoft fan" or a "paid shill". Your comments are being downvoted because individual users think that they are rude and false, not because of an organized pro-Microsoft movement.
You accused him (and me, and others who voted up this story) of being either a "brigading Microsoft fan" or a "paid shill".
Sorry, but that's just false as far as I can tell. He cited those things as the reason for his other comment's moderation. Please quote the text from which you draw your conclusions of attribution.
jhou2: the amount of positive press that MS has been garnering recently on HN is impressive
engendered: Don't think it is purely happenstance. There is absolutely and unequivocally either brigading Microsoft fans, or paid shills, hitting HN hard.
My interpretation might be wrong, but I take jhou2's "positive press" to mean stories such as this one appearing on the front page. I interpret 'engendered' as saying that these stories would not appear on the front page if it were not for "brigading Microsoft fans" or "paid shills". Since the story is on the front page because of user upvote, and although there could be dispute about all vs most vs some, I read this to be accusing those who voted up the story as being one of these things.
In my read, he attributes the downvotes on his comments to the same faction, uses this as evidence that the faction exists, and thus can also be held responsible for elevating this and other Microsoft-positive stories to the front page. I think he's wrong, don't think the "brigading Microsoft fan" has much of an influence on HN, and doubt that Microsoft is paying anyone for getting things on the front page.
I'd happily consider evidence to the contrary, but I think the downvotes to engendered's comments are due to other factors, and that the pro-Microsoft stories are appearing more frequently on HN because they periodically act as a positive force. I don't know how prevalent my attitude is, but I find these stories interesting in a "Dog Bites Man" fashion. I am more likely to vote up a good deed done by Microsoft because I find it to be more noteworthy than a good deed done by others.
That's like saying the majority of HNers are Gruber's drones for praising his business model, or Google/Mozilla/Node having a brigade of posters to praise their languages.
Does everything have to be a conspiracy? So either Microsoft is building some good and interesting stuff, or there's some conspiracy to target HN that would get them...what, exactly? +Karma here?
Does my statement somehow make everything a conspiracy? Boy, we on HN are supremely good at knocking down those strawmen.
"or there's some conspiracy to target HN that would get them...what, exactly? +Karma here?"
Is this supposed to be intentionally naive? Microsoft is a technology company that heavily relies upon buy in and advocacy. Is this really difficult to understand?
Every single comment to my post has either been an absurd strawman, simply a lie (daeken's nonsense), or just someone thinking they earn peer points. Sad.
No, not intentionally naive, but perhaps intentionally not cynical. I'd like to believe that a technology company, such as Microsoft, relies on a bit more than buy-in and advocacy. Perhaps the soundness of a product, for example.
Without discounting the possibility that there may be some astroturfing, I think it's far more likely that you've run afoul of community expectations.
The HN guidelines specifically suggest you resist commenting on downvotes, and people take that seriously here. Editing your comment to add meta-commentary on votes will generally just get you more downvotes.
Additionally, your comments are fairly polarizing. You make statements about how something is obvious, but then provide nothing besides anecdotal evidence. If it's that obvious, real evidence should be easy to show, otherwise it's possibly not as clear as you think. You could possibly have avoided this problem by framing it as a question and leaving an opening for someone to provide a better answer. This also invites people who disagree, or have a different interpretation to engage in a useful way, rather than starting off in an antagonistic way. For example, stating something "absolutely and unequivocally" without evidence won't generally be seen useful to the discussion here.
It's no secret that we've had problems with pro-Microsoft astroturfing on HN in the past. But the way to deal with this is not to make angry, substanceless accusations and then complain when the community responds poorly. Please stop.
I'm going to detach this subthread as off-topic now.
I think it would actually be pretty interesting to do some kind of visualization over time with popularity of languages and mentions on forums like this.
I agree that it's not purely happenstance -- I think Microsoft the company is making a genuine bid to be relevant again.
It's a desperate bid, and I don't think it's in their DNA to succeed, but it'd be great if it happens. Personally I avoid using MS whenever possible; I still have to use Word and Excel to communicate with others, and some conferences still require a PPT file.
Even back when Microsoft was a big player I never found the Windows programming model technically appealing, but even if I had I would have stayed away because their anticompetitive approach was too risky and hostile for me to be willing to depend on. They became addicted to that instead of technical excellence, which is why I think this effort will fail, no matter how sincere the commitment is at the top.
But they do employ many smart people and surely it is good if we have more sources of good technology (where good is a combination of technical excellence & good policy). So why not encourage them in the hope they get their shit together?
Microsoft always has had pockets of technical excellence. It's also always had the problem of the left hand not knowing what the right hand is doing. This seems to be somehow built right into the company's structure. (So not DNA, more like epigenetics.) Perhaps these are just the problems faced by any big company in a nutshell?
> It's a desperate bid, and I don't think it's in their DNA to succeed
I'm not so sure. I think their DNA is changing pretty rapidly these days. Office for iOS is better than Office for Windows RT. Windows Azure services are actually really good, with tons of documentation on how to use them across all platforms (iOS, Android, Javascript, Node.js, etc).
It feels as though the last few decades, every team has been beholden to the Windows/Office hegemony, whereas now teams have the direction to make a good product on their own terms. Without having to answer the question "how will this keep Windows/Office dominant", the massive amount of talent at Microsoft can finally start to shine, and I really think we're starting to see the genesis of that environment lately. It's too early to tell, but I'm pretty hopeful.
There's also the possibility--very distant, I know--that Microsoft has been put into the odd position of being an underdog in many areas, which gives it the flexibility and necessity to act morally to make inroads against competitors among consumers.
Of all the BigCos, MS seems the best to me right now, and I say that as a guy who's made a habit of buying a Lenovo laptop every year or so and immediately installing Linux on it.
You're getting downvoted for tone because of your repeated accusations of shilling.
In general any post that accuses other people of being a fanboy or a shill will attract rapid heavy downvotes, regardless of which company is criticised or which company is accused of shilling. This is probably a good thing.
There is plenty of anti-MS sentiment on HN that doesn't get downvoted.
> I left a completely benign post that didn't go with the pro-Microsoft/anti-Google narrative
This is simply not true, that comment (https://news.ycombinator.com/item?id=9076549) included "HN has seen a HUGE influx of Microsoft shills, and it's getting disconcerting." You're also being inconsistent with whether the post was on the front page or the second.
Given that, I'm not inclined to believe that you actually got -11 in less than 60 seconds.
I down-voted you for this and nothing else that further followed.
Because anyone that believes in a) absolute objective truth and b) that they posses that said truth, is a person that will generally be wrong in many ways on whatever follows (or at the least, if this was an out-of-the-character emotional response, it will lack the needed logic and reason based evidence to support the statement).
Also, starting out a discussion with kill terms that accuse and label anyone who does not agree with the given POV, is not cool.
People do have strong opinions and favored suppliers and sports teams, but generally there is a polite way and an impolite way to disagree with something :-) Stating that a given sports franchise "sucks" and anyone who thinks it doesn't is "stupid" is a great way to start a brawl in pretty much any sports bar, and discussion forums like HN are no different.
And like sports teams, companies are constantly changing they are getting new employees and new management and new ideas. So the idea that any company is "good" or "bad" is unsupported on its face, all we can ever say is that "this action" or "this decision" was good or bad and criteria by which we have judged it.
Microsoft's decision to immediately cleanse this injector code as 'malware' was, in my opinion, a "good" decision. Based on the reasoning that it is better for the users and folks like my Dad who doesn't know how to get it off his system is helped by this.
Better yet would be killing any komodia cert (I don't think that's what they did), since even the spy-on-your-kids products have the effect of breaking ssl.
I hated Microsoft for years, for all the stupid garbage they pulled. Antitrust stuff, terrible software, mismanagement, etc. Even after switching to using a Mac full time, I still had to deal with awful Office documents with undocumented changes, or 'XML-based' documents with undefined data formats. Sending my resume to someone and finding out the entire thing had been reformatted into Courier New and lost all my indenting, making me look like an idiot, etc.
But lately, things have changed. Apple is the new Google, loved by the tech world. Google is the new Microsoft, using their market power to do dumb stuff that no one really cares about, and Microsoft is the new Apple, the underdog who got left behind by changing technology and ego and is making a serious, determined effort to become and stay relevant, to put out good products, and to regain their position as a market leader (earned this time, and not strong-armed).
Oddly insightful for such a simple analogy. Out of curiosity, what products do you use from these companies? (Eg android phone, mac computer, microsoft xbox?)
I found this whole Lenovo Adware-gate very hypocritical. Why everyone blames the messenger Lenovo but not the source Superfish? Why? Is it because Lenovo is a Chinese company whereas Superfish is a Iserali-American company based in Silicon Valley?
Before this adware-gate, EVERY PC manufacturer bundles adware, HP, Dell, Acer, Lenovo, Asus to name a few top players(Apple perhaps is the only exception as I don't count them as a PC manufacturer). Did anyone bother to look if there were tons of similar security risks with those?
Because there are all sorts of insecure malware/adware out there. They're all various levels of evil and a known quantity of badness.
Lenovo is a company that you paid your money to to buy a laptop. It shouldn't come pre-infected with something that compromises your security and privacy.
Lenovo had a chance to redeem itself by apologizing, removing the software and quickly distancing itself from the company.
They screwed up by denying there was problem in the first place. Which means they were defending both their decision to install Superfish as well as, by proxy, Superfish itself.
Thus they are seen to be either incompetent (can't trust them) or malicious (also can't trust them).
Also consumers never bought Superfish. They paid for a relatively expensive piece of hardware from Lenovo and got screwed. They are right to blame Lenovo for it.
Why everyone blames the messenger Lenovo but not the source Superfish?
Because Lenova is the one who took your hundreds to thousand+ dollars and in return compromised your experience (for what has to be pennies). And in this case it caused a serious security compromise?
"EVERY PC manufacturer bundles adware"
Crapware/bloatware and adware are very different things. Dell installs some bloatware crap that I can uninstall (and even that is, truly, unacceptable. Again, they can't make more than a dollar or two on that junk, yet they compromise the user experience), but they don't MITM my secure communications, or compromise my security.
This has nothing to do with Lenova being a Chinese company. Further, no one expects anything out of Superfish (some slimy adware company), but they do expect standards from Lenova.
It tickles me that Superfish is a DFJ-funded [1] start-up based out of Palo Alto. Reporters are focussing on Lenovo's Chinese lineage. Yet this bubbled up out of our backyard, from our own lack of diligence (or scruples).
[1] Edit: Draper Fisher Jurvetson, the $4 billion Menlo Park VC firm that backed Baidu, Hotmail, Tesla, SpaceX and Twitter.
Looking over the executive team of Superfish (Which, creepily, refers people to their linkedin profiles - presumably so they can see who is looking at them.) I see that their Chief Product Officer (Cmpt. Science from Stanford, so obviously knew what was going on) is formerly from Zynga. Mark Pincus is (infamously?) known for his comments about how sometimes, when you are small, you have to do all these terrible things that you are really ashamed of, just so you can get big and never have to think about doing them again. In the case of Pincus, he was referring to a the zwinky toolbar that earns money by redirecting web searches to advertisements - oddly close to what just happened with Superfish/Lenovo.
"But Superfish tells us it stands by Lenovo’s assessment. “Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today.” a company spokeswoman said. “Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrong doing on our end.”
Now that an official CERT announcement has been released:
" Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. "
" By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort"
"Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. ... Superfish intercept HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern. "
Reminds me of story of "the ant letter". I'd describe it, but I'm interested to wait a bit to see if anyone else has heard/read it. Will describe it later if no one replies. I've not found via Google despite a search.
Lenovo's response is not astonishingly in the least, its the expected behavior. They made a business decision to include adware in order to raise some extra revenue and then got caught. The default response is to underplay the importance of it, sweeping it under the rug and hope no legal action will happen.
A few months ago there was a HN story about a car manufacturer who had made the decision to use cheaper parts for the ignition. They had the critical internal reports from engineers, and when the deaths started to pile up they did the same thing as lenovo. Act clueless, downplay the issue, make a fix, and silently move on. So long it just customer outrage, it is perfectly fine to do borderline illegal things in order to raise some revenue.
Last night I fired up a brand new HP stream desktop with windows 8.1 (only $179!). It had a Superfish icon on the desktop. When I get home I'll check for the cert.
So maybe Lenovo isn't the only offender.
Edit: Duh. It was snapfish, not superfish. I've been reading about superfish so much that's what I saw.
Can someone explains to me how Graham claims he can decrypt the intercepted traffic? The proxy communicates securely with the intended website. It's just the browser <-> proxy communication that's vulnerable but that's local on the machine, no ?
I'm wondering the same thing. As far as I understand, the proxy is local to the machine, so HTTPS traffic over Wi-Fi should be past the proxy and therefore encrypted using the real certificate.
The installed backdoor certificate is trusted as a root certificate. Its private key is contained in the MITM software, and is now known publicly. So anyone can now create phony certs signed by the backdoor cert, and Lenovo machines accept them as valid.
That's an image of the word "Yes" signed with the Superfish certificate. If your browser shows that image without warnings about an invalid cert, the backdoor exists.
Right but this only means you can decrypt data coming from websites using a starfish cert. It doesn't mean you can decrypt your bank traffic because you have this proxy installed which is what Graham is claiming.
Yes, it does mean others can decrypt your bank traffic.
Here's how this type of MITM attack works.
Situation: user is using laptop in public location with WiFi. Between WiFi device and net is a computer with MITM software.
Client laptop requests "https://www.bigbank.com". MITM box gets HTTPS request, sees it is for "bigbank.com", and generates a fake cert for that site. It then uses the Superfish root cert to sign the fake cert. MITM box acts as server for that connection and sees the user's traffic in the clear, unencrypted. The Lenovo client laptop sees a valid cert chain descending from the Superfish cert installed by Lenovo. The user sees a green bar and lock icon.
MITM box then opens an HTTPS connection to "https://www.bigbank.com", and acts as client for that connection. The two connections are connected together as a proxy, so that the user sees what looks like a valid HTTPS connection. The MITM box can log everything, including bank passwords.
Only if the root cert store of the user's machine has been tampered with. If you have a valid cert store, you can detect MITM attacks on HTTPS connections.
Usually sniffing refers to capturing packets. But yes if you can read and write then you can definitely decrypt the traffic since you can provide the user with a trusted cert.
if anyone knows someone who has purchased an infected lenova with superfish, send me an email. My wife is a class action attorney and is conducting an investigation in the matter. Eire1130 (at) gmail (Dot) com
224 comments
[ 3.6 ms ] story [ 225 ms ] threadA good general guideline when buying an off-shelf Windows machine is to do a full wipe first. There may be some manufacturers who are immune to this, but assume everyone's included some bloatware. I find too many people who buy Windows machines start by attempting to manually remove this stuff, which is often a hopeless proposition. Clean wipe, reinstallation.
This isn't the reason why most startups/devs have moved to Apple, but it sure helps.
We programmers should use this as an analogy for dealing with everyday psychological issues.
If we assume firmware is safe, wipe it and do a clean install from trusted media.
[1] http://www.phoronix.com/scan.php?page=news_item&px=Coreboot-...
They should just admit the problem, thank the security experts, and develop an easy fix.
> We're sorry. We messed up. We're owning it. And we're making sure it never happens again. Fully uninstall Superfish: http://lnv.gy/182BW8g
https://twitter.com/lenovoUS/status/568578319681257472
And most of all it helped if there would be litigation. The thought goes if CTO goes on record admitting guilt that is a slam dunk case for anyone suing them.
Therefore the typical corporate non-apology apology "I am very sorry you feel this way" kind of bullshit.
The problem of course is information sources are a lot more diversified, with Twitter and other media bubbling up tech news to the top faster.
The other problem they are facing is a lot of technical people were their proponents and would advocate and drive purchasing decision (in turn putting their own reputation on the line). This is where it is going to hurt them.
Something to the effect of "We are very sorry, this was a mistake, here is how to remove the software, we'll send you free software or Lenovo.com discounts. We'll cut off our relationship with this company. Etc, etc.." I think would have been much better for them in the long run.
If only there was some way they could have known what was pre-installed on the machines they're selling. /s
Intentionally weakening people's system, MITMing their traffic, and inserting ads in private communication.
If an individual was doing this, let alone at this scale, they would be stamped 'hacker' and put in some dark prison for ten years. Now it's Lenovo, they will get away with an apology or a class action lawsuit at most.
Whoever decided to include this belongs in jail.
Whoever decided to include this, I'm guessing, had ZERO idea what a MITM was. At best they knew it'd spam ads to hardware owners.
(Edit: Obviously this is not representative of the general population, and I didn't mean to suggest it was. I was just noting that my efforts to warn people about the untrustworthiness of Lenovo were thwarted because none of them trusted Lenovo to begin with, not for software at least, and that seemed interesting.)
Fortunately Lenovo do have a system updater that does a fantastic job on driver downloads etc.
Also, when the SSD in my Macbook Air failed, I was able to netboot their internet recovery thing, which let me install OS X on a USB3 hard drive. Pretty cool.
I see. They have that stuck into Disk Utility now. One point to Apple.
Disk Utility is a bit kludgy nowadays, though, and it seems they're not doing as good a job as MS publicizing the tool. (Too small a sample size here, but I ran across the MS tool by accident while searching/browsing. With Apple, a human had to tell me.)
1) Boot into Recovery mode (Cmd + R), then use Internet Recovery [1] to install OS X. This works even if your HDD or SSD is completely blank. All Macs from around mid-2010 onwards are supported. [2]
2) Download the latest OS X installer from the Mac App Store, then either use the bundled 'createinstallmedia' command-line app to create a bootable USB flash drive [2] or a third-party app called DiskMaker X [3].
[1] http://support.apple.com/en-gb/HT4718
[2] http://support.apple.com/en-gb/HT202313
[3] http://support.apple.com/en-gb/HT201372
[4] http://liondiskmaker.com/
Note: I do own Windows 8.1 Pro, so don't think this is based on my experience pirating the software. I merely have examined the licensing system for some software I was writing.
I haven't seen any recent statistics, but at one point, 74% of rootkit infections were on pirated copies of Windows XP [0]
[0] http://www.zdnet.com/article/study-rootkits-target-pirated-c...
According to Microsoft[1], 32% of pirated Windows 7 copies and activation cracks resulted in some sort of malware infection
Speaking anecdotally, most of the friends and family whose computers I've had to clean up have been running some sort of cracked/pirated software that they'd downloaded or had been given to them by a friend
[0] http://voices.washingtonpost.com/securityfix/2009/05/pirated...
[1] Admittedly, Microsoft has somewhat of a bias, but the number sounds reasonable to me: http://archive.news.softpedia.com/news/32-of-Pirated-Windows...
http://windows.microsoft.com/en-CA/windows-8/create-reset-re...
Got me a 8.1 ISO, installed with a volume key.
Even if it currently does not do that, I just don't trust it to not do that in general.
It does not let you install or update the crapware that comes with systems. It is actually quite difficult to get that stuff other than saving it when you get a new system. BTW IBM/Lenovo have historically had way less crapware than other vendors. I think Lenovo got complacent in this case, hearing "you guys do less crapware than the others" and confusing it with "you are doing a perfect job". Less worse is not the same as doing good.
Someone's useful add-on is someone else's garbage. They have some software called Access Connections which provides more gui and control over networking, such as which access points to connect to based on location profiles and who knows what else. I don't want that since I mostly use Linux, and Windows does a good enough job when I am using it. The system updater has never installed it, nor tricked me in any way.
So if Lenovo was evil, they can just ship shit in their drivers, get it certified by MS, and have it distributed automatically by Windows Update driver install.
It's why I've, in general, never trusted them.
But now that I know that Lenovo is a piece of shit company with zero integrity, I don't even want to trust their hardware.
But what am I gonna do? There's essentially no options to replace an old X-style ThinkPad. The newest Carbon X1 is as close as anything. Everyone else is moving to the Apple-style clickpad, which is unacceptable. HP and Dell sell mostly crap. Apple's devices are hot and unergonomic (apart from questionable Windows driver support).
So good luck not trusting them. And I doubt HP'd do any better.
Now the question is of course what else are they installing and what other yet undiscovered issues we'll find. It sounds like FUD but so far based on their response, they seem either incompetent (stupid) or malicious. And I don't exactly like either...
I'm really interested if a high end (but "consumer") ThinkPad like http://www.microsoftstore.com/store/msusa/en_US/pdp/Lenovo-T... that you can buy at a retail store (in this case, a special MSFT Store version that has plain Windows supposedly on it) was infected.
It didn't have bloatware crap installed (as say US govt or big companies would not like that). It came with a smart card reader and such. Had a fingerprint scanner (back when there were not common).
Initially also they didn't have all these "consumer" models (Y,G,W,...).
The latest version of Windows Defender is actively removing the Superfish software and the cert.
The text of the definition is here: http://pastebin.com/raw.php?i=us7iXvkn
I'm generally in favor of MS doing this specific thing, but there is potential for abuse here.
I think Microsoft went from being a hated software giant to sort of an underdog vis-a-vis Google, Facebook, Amazon and Apple.
They are very big and strong no doubt, but I think the attitude they are projecting since switching CEO recently, their open source efforts, and such make them look pretty good PR-wise among the tech crowd.
Though I believe virtually all preloads were OEM actions, not Microsoft's directly.
Hell of a name, you've got to admit.
Bruce Schneier's discussion at the time:
http://web.archive.org/web/20011005071623/http://www.counter...
One of his speculations:
it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.
Though given alternative methods of bypassing any Microsoft security, not really necessary.
The rest is simply PR, microsoft is still the evil corp it used to be but has to fight other evil corps to keep a share of a market it once dominated. Microsoft had too much money to burn to die quickly, its agony will take quite some time.
I don't buy it. I think Microsoft seems to have actually made real changes. If you want an example of what a giant evil tech corporation dying slowly looks like, take a look at Oracle. Their core business is basically obsolete, but they'll go on killing open-source projects and squeezing their locked-in enterprise customers for many years.
Microsoft is in a hard place in terms of determining what is or isn't allowed on their systems (due in large part to their own past and quite probably ongoing monopoly abuses), but fixing obvious flaws is to be applauded.
I don't champion the company often, but they're doing the right thing here. Actually, sanctioning Lenovo for letting this happen might be another option they've got. Though something tells me they won't play that card (and quite possibly cannot).
It's quite a convincing product, quickly becoming an integral part of the OS. And rightfully so.
Not really. Microsoft, itself, actually suggests that you use a third-party antimalware product.
It scores pretty low on AV-Test.org[1] too, but it's better than nothing.
[1]: http://www.av-test.org/en/antivirus/home-windows/windows-8/
http://i.imgur.com/NCfBs6K.png
ArsTechnica covered this issue in their reporting today http://arstechnica.com/security/2015/02/windows-defender-now...
Even if 'average people' have no idea what a certificate is or why it's important, those who do have an outsized influence on PC purchasing, and are likely to remember this for years.
Its brand is as tarnished (if not more so) by this sort of crap.
Not that Microsoft's own hands are clean or that the issue of crapware preloads isn't a massive problem.
Google should also be paying attention: Android preloads are also increasingly a massive turn-off.
Why buy a laptop from a company that has ties to the Chinese government [2], an authoritarian government that supports dictators in Africa and totalitarian government in Russia, oppressing women and children in those countries?
[1] http://www.theverge.com/2013/7/30/4570780/lenovo-reportedly-... [2] http://en.wikipedia.org/wiki/Lenovo
I guess because they make good hardware.
2.) How is US government authoritarian? Have you actually lived in a country that has no elected representative?
But Lenovo isn't owned by the Chinese government, either.
> 2.) How is US government authoritarian? Have you actually lived in a country that has no elected representative?
The existence of more dictatorial countries doesn't mean the US isn't authoritarian—it is a spectrum rather than a dichotomy.
> Favourable to or characterized by obedience to authority as opposed to personal liberty; strict, dictatorial.
It's certainly reasonable to argue about whether this actually applies; but I don't think that it represents a useless dilution of the word to think that it might. (Well, not 'dictatorial', but the rest of it.)
> It's certainly reasonable to argue about whether this actually applies
literally that it is reasonable to argue, i.e., that neither position is obviously irrefutably true; and also I think I've created enough of a de-rail already here; but, if I had to make an argument for authoritarianism, I think that I would claim that the concept of free-speech zones instantly implies, for some parts of US government at some times, more respect for authority than personal liberty.
2.) In the way that a company can be compelled to comply with an order from the government, including the requirement that the company may not disclose to anyone the nature of that order or the gag order, and that there is effectively no way to challenge such orders in a court of law.
>Have you actually lived in a country that has no elected representative?
Yes. What difference is that supposed to make?
"Don't blame me - I voted for Kodos." - Homer J. Simpson.
Now I ended up buying a cheap ASUS Chromebook for traveling, replaced drive with a large one and installed Ubuntu. But still haven't decided if I want to replace my main machine.
Was eyeing Carbon X1 models for a while, but now will have to rethink.
Besides, like some people here, I always wipe everyone out and reinstall my own distro on it (Ubuntu usually).
There is nothing connecting this to the Chinese government. This appears to be a a cross-border display of greed and incompetence.
My wild guess would be they got in the ballpark of $0.25 an install.
Hint: It starts with $ and ends with $.
[0] https://www.youtube.com/watch?v=YQZ2UeOTO3I
I do not object to this notion at all! For one thing, it's not my comparison, it's my co-worker's. Also, an "inversion" of the scale's sign would serve as a sharp and salient commentary on problems in our society.
The road to poor security is paved with indifference.
Hey Lenovo, can you install this root cert I made on your entire product line for me? I'll give you like $20 for it. It's at least better than Superfish - I promise not to include the private key with a trivially-crackable password in the install, so only I can intercept all secure communications by any of your customers, instead of anybody in the world.
They sell laptops. It's not a free service, I am the customer not the product. Did Lenovo have a pressing financial need for these extra pennies on the side? Really? How is that benefit vs risk calculation looking now?
It's not we haven't thought about replacing management with shell scripts...
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”
I'm a OS X / Linux person (my name's probably in your distro somewhere) and sometimes Microsoft does good stuff.
Yeah, the strawman that Microsoft can do no right is pretty easy to knock down, but has absolutely nothing to do with the context of this.
Again, a post on the second page (a ridiculous, extremely low quality post that had to be flagged off the front page) saw my benign comment get -11 within 60 seconds. I've never seen that before, much less for a completely moderate comment. I've seen this extremely pro-Microsoft moderation hit other threads hard, and it seems pretty obvious that it isn't by accident.
The part that 'nailer' is correcting is your statement that "There is absolutely and unequivocally either brigading Microsoft fans, or paid shills, hitting HN hard.". You accused him (and me, and others who voted up this story) of being either a "brigading Microsoft fan" or a "paid shill". Your comments are being downvoted because individual users think that they are rude and false, not because of an organized pro-Microsoft movement.
Sorry, but that's just false as far as I can tell. He cited those things as the reason for his other comment's moderation. Please quote the text from which you draw your conclusions of attribution.
engendered: Don't think it is purely happenstance. There is absolutely and unequivocally either brigading Microsoft fans, or paid shills, hitting HN hard.
My interpretation might be wrong, but I take jhou2's "positive press" to mean stories such as this one appearing on the front page. I interpret 'engendered' as saying that these stories would not appear on the front page if it were not for "brigading Microsoft fans" or "paid shills". Since the story is on the front page because of user upvote, and although there could be dispute about all vs most vs some, I read this to be accusing those who voted up the story as being one of these things.
In my read, he attributes the downvotes on his comments to the same faction, uses this as evidence that the faction exists, and thus can also be held responsible for elevating this and other Microsoft-positive stories to the front page. I think he's wrong, don't think the "brigading Microsoft fan" has much of an influence on HN, and doubt that Microsoft is paying anyone for getting things on the front page.
I'd happily consider evidence to the contrary, but I think the downvotes to engendered's comments are due to other factors, and that the pro-Microsoft stories are appearing more frequently on HN because they periodically act as a positive force. I don't know how prevalent my attitude is, but I find these stories interesting in a "Dog Bites Man" fashion. I am more likely to vote up a good deed done by Microsoft because I find it to be more noteworthy than a good deed done by others.
Thanks for that moment of intellectual honesty. The following two paragraphs strike me to be as much of a stretch as his theory.
I am more likely to vote up a good deed done by Microsoft because I find it to be more noteworthy than a good deed done by others.
Credit where credit is due is commendable.
Yelling "shill!" does nothing but decrease the site's SNR. It's not helpful in any way.
Has your check arrived this week?
"or there's some conspiracy to target HN that would get them...what, exactly? +Karma here?"
Is this supposed to be intentionally naive? Microsoft is a technology company that heavily relies upon buy in and advocacy. Is this really difficult to understand?
Every single comment to my post has either been an absurd strawman, simply a lie (daeken's nonsense), or just someone thinking they earn peer points. Sad.
The HN guidelines specifically suggest you resist commenting on downvotes, and people take that seriously here. Editing your comment to add meta-commentary on votes will generally just get you more downvotes.
Additionally, your comments are fairly polarizing. You make statements about how something is obvious, but then provide nothing besides anecdotal evidence. If it's that obvious, real evidence should be easy to show, otherwise it's possibly not as clear as you think. You could possibly have avoided this problem by framing it as a question and leaving an opening for someone to provide a better answer. This also invites people who disagree, or have a different interpretation to engage in a useful way, rather than starting off in an antagonistic way. For example, stating something "absolutely and unequivocally" without evidence won't generally be seen useful to the discussion here.
I'm going to detach this subthread as off-topic now.
You can date many startups by first looking at their stack, and then checking when that stack was cool here.
2008 - So did you rewrite your PHP apps in Ruby?
2012 - So did you rewrite your Ruby apps in Node?
2015 - So did you rewrite your Node apps in Go?
I agree that it's not purely happenstance -- I think Microsoft the company is making a genuine bid to be relevant again.
It's a desperate bid, and I don't think it's in their DNA to succeed, but it'd be great if it happens. Personally I avoid using MS whenever possible; I still have to use Word and Excel to communicate with others, and some conferences still require a PPT file.
Even back when Microsoft was a big player I never found the Windows programming model technically appealing, but even if I had I would have stayed away because their anticompetitive approach was too risky and hostile for me to be willing to depend on. They became addicted to that instead of technical excellence, which is why I think this effort will fail, no matter how sincere the commitment is at the top.
But they do employ many smart people and surely it is good if we have more sources of good technology (where good is a combination of technical excellence & good policy). So why not encourage them in the hope they get their shit together?
I'm not so sure. I think their DNA is changing pretty rapidly these days. Office for iOS is better than Office for Windows RT. Windows Azure services are actually really good, with tons of documentation on how to use them across all platforms (iOS, Android, Javascript, Node.js, etc).
It feels as though the last few decades, every team has been beholden to the Windows/Office hegemony, whereas now teams have the direction to make a good product on their own terms. Without having to answer the question "how will this keep Windows/Office dominant", the massive amount of talent at Microsoft can finally start to shine, and I really think we're starting to see the genesis of that environment lately. It's too early to tell, but I'm pretty hopeful.
Of all the BigCos, MS seems the best to me right now, and I say that as a guy who's made a habit of buying a Lenovo laptop every year or so and immediately installing Linux on it.
In general any post that accuses other people of being a fanboy or a shill will attract rapid heavy downvotes, regardless of which company is criticised or which company is accused of shilling. This is probably a good thing.
There is plenty of anti-MS sentiment on HN that doesn't get downvoted.
This is simply not true, that comment (https://news.ycombinator.com/item?id=9076549) included "HN has seen a HUGE influx of Microsoft shills, and it's getting disconcerting." You're also being inconsistent with whether the post was on the front page or the second.
Given that, I'm not inclined to believe that you actually got -11 in less than 60 seconds.
I down-voted you for this and nothing else that further followed.
Because anyone that believes in a) absolute objective truth and b) that they posses that said truth, is a person that will generally be wrong in many ways on whatever follows (or at the least, if this was an out-of-the-character emotional response, it will lack the needed logic and reason based evidence to support the statement).
Also, starting out a discussion with kill terms that accuse and label anyone who does not agree with the given POV, is not cool.
https://news.ycombinator.com/item?id=9074704
And like sports teams, companies are constantly changing they are getting new employees and new management and new ideas. So the idea that any company is "good" or "bad" is unsupported on its face, all we can ever say is that "this action" or "this decision" was good or bad and criteria by which we have judged it.
Microsoft's decision to immediately cleanse this injector code as 'malware' was, in my opinion, a "good" decision. Based on the reasoning that it is better for the users and folks like my Dad who doesn't know how to get it off his system is helped by this.
But lately, things have changed. Apple is the new Google, loved by the tech world. Google is the new Microsoft, using their market power to do dumb stuff that no one really cares about, and Microsoft is the new Apple, the underdog who got left behind by changing technology and ego and is making a serious, determined effort to become and stay relevant, to put out good products, and to regain their position as a market leader (earned this time, and not strong-armed).
"Benign?" You accused a dude of being a lying Microsoft shill because he said that a recent Android version ran slowly on his device.
Before this adware-gate, EVERY PC manufacturer bundles adware, HP, Dell, Acer, Lenovo, Asus to name a few top players(Apple perhaps is the only exception as I don't count them as a PC manufacturer). Did anyone bother to look if there were tons of similar security risks with those?
Lenovo is a company that you paid your money to to buy a laptop. It shouldn't come pre-infected with something that compromises your security and privacy.
They screwed up by denying there was problem in the first place. Which means they were defending both their decision to install Superfish as well as, by proxy, Superfish itself.
Thus they are seen to be either incompetent (can't trust them) or malicious (also can't trust them).
Also consumers never bought Superfish. They paid for a relatively expensive piece of hardware from Lenovo and got screwed. They are right to blame Lenovo for it.
Because Lenova is the one who took your hundreds to thousand+ dollars and in return compromised your experience (for what has to be pennies). And in this case it caused a serious security compromise?
"EVERY PC manufacturer bundles adware"
Crapware/bloatware and adware are very different things. Dell installs some bloatware crap that I can uninstall (and even that is, truly, unacceptable. Again, they can't make more than a dollar or two on that junk, yet they compromise the user experience), but they don't MITM my secure communications, or compromise my security.
This has nothing to do with Lenova being a Chinese company. Further, no one expects anything out of Superfish (some slimy adware company), but they do expect standards from Lenova.
[1] Edit: Draper Fisher Jurvetson, the $4 billion Menlo Park VC firm that backed Baidu, Hotmail, Tesla, SpaceX and Twitter.
https://www.crunchbase.com/organization/superfish
links to their website, which links to
https://twitter.com/superfishteam
"But Superfish tells us it stands by Lenovo’s assessment. “Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today.” a company spokeswoman said. “Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrong doing on our end.”
Now that an official CERT announcement has been released:
https://www.us-cert.gov/ncas/alerts/TA15-051A
I think their misleading comments are going to come back and bite them more than they have already.
[EDIT - Looks like they are back peddling a little on: http://news.lenovo.com/article_display.cfm?article_id=1929
" Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. "
" By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort"
And on: http://support.lenovo.com/us/en/product_security/superfish
"Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. ... Superfish intercept HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern. "
]
Just because I've been seeing this mistake a lot lately: peddling is selling. Pedaling is the thing you do with your feet.
A few months ago there was a HN story about a car manufacturer who had made the decision to use cheaper parts for the ignition. They had the critical internal reports from engineers, and when the deaths started to pile up they did the same thing as lenovo. Act clueless, downplay the issue, make a fix, and silently move on. So long it just customer outrage, it is perfectly fine to do borderline illegal things in order to raise some revenue.
So maybe Lenovo isn't the only offender.
Edit: Duh. It was snapfish, not superfish. I've been reading about superfish so much that's what I saw.
Here is such a page:
https://badfish.filippo.io/yes.png
That's an image of the word "Yes" signed with the Superfish certificate. If your browser shows that image without warnings about an invalid cert, the backdoor exists.
Here's how this type of MITM attack works.
Situation: user is using laptop in public location with WiFi. Between WiFi device and net is a computer with MITM software.
Client laptop requests "https://www.bigbank.com". MITM box gets HTTPS request, sees it is for "bigbank.com", and generates a fake cert for that site. It then uses the Superfish root cert to sign the fake cert. MITM box acts as server for that connection and sees the user's traffic in the clear, unencrypted. The Lenovo client laptop sees a valid cert chain descending from the Superfish cert installed by Lenovo. The user sees a green bar and lock icon.
MITM box then opens an HTTPS connection to "https://www.bigbank.com", and acts as client for that connection. The two connections are connected together as a proxy, so that the user sees what looks like a valid HTTPS connection. The MITM box can log everything, including bank passwords.
There's even open source software for doing MITM attacks: https://code.google.com/p/subterfuge/
(komodia is apparently the underlying tech for the superfish thingy)