Ask HN: Would you buy a Lenovo again after Superfish?

13 points by secfirstmd ↗ HN

25 comments

[ 2.0 ms ] story [ 63.8 ms ] thread
I am really hating Mac at the moment and want off, so I guess - well I would be removing Windows anyway... the answer is if the cost is really good.
Since I usually run linux on the machines I buy, Superfish wouldn't be an issue. In fact, the current laptop I have is Lenovo. The hardware is what matters to me.

The matter of supporting them in this behavior gives me pause, though.

I only buy Lenovo. Paid $120 for my T61 from ebay a couple of years ago. Rocking Debian Stable.
I might consider it given that I just run Linux on it anyways. Quality issues with the case of my current thinkpad, an E530, are likely to give me more pause.

I really do think there is a niche for linux compatible bare bones laptops. I know that some companies make them, but most are of low quality. Maybe Dell will come out with more options in the future.

But to answer your question, I would buy again, but would choose a competitor over them if all other things were equal.

i'd only buy them 2nd hand now. Outcry and blog posts don't help with such an attitude. Vote with your money.
Lenovo is a big company, and I'm pretty sure that the department responsible for the preloaded junk is completely separate from the people doing security (or, for that matter, any) testing on their regular drivers and utilities.

Unfortunately preloading of software with (to put it mildly) limited usefulness is epidemic in the whole industry, and we also learned that Superfish is only one of many products built with the "Komodia MITM toolkit"! So, I really see this as one outlier in a crappy business. This could have happened to every laptop manufacturer that has crapware in their default-install. Which is every single of them.

> the department responsible for the preloaded junk is completely separate from the people doing security

Lenovo's CTO stated, "We're not trying to get into an argument with the security guys. They're dealing with theoretical concerns." If the CTO and the department that's responsible for choosing the default software are both "completely separate" from everyone at Lenovo who has a clue about security, what does that say about Lenovo?

The CTO also claimed that the preinstalled software would be appreciated by users ;-). So better take his words with a grain of salt.

❝In general, we get pretty good feedback from users on what software we pre-install on computers.❞

And yes, I'm pretty sure that security in third party software is at most an afterthought. Security holes hardly every are as blatant as the one created here, and my guess is that the normal process is to "just get an update from the vendor, should any security holes become apparent."

With the constant change of bundled software, do you really think that a thorough security review takes place? I'm very sure that this will only be done on the utilities, tools and drivers that are built to operate on a much broader range of devices (e.g. the ugly "battery icon" power manager blemishing most Lenovo PCs' taskbars), will also be installed by "enterprise"-customers, and generally are maintained over longer time periods.

The decision on including crapware certainly is done somewhere in marketing, and then just passed on to whoever has to build the default image.

"pretty good feedback" could be interpreted as: 'the amount of hassle it causes us is (normally) less than the amount of revenue we get'
Interestingly enough, the company that wrote Superfish (Komodia) is based in Palo Alto, California.

I don't think it was malicious intent by Lenovo to install adware on user's computers, rather, they were negligent to the fact they were dealing with an incompetent software vendor.

I wouldn't hesitate to buy another Lenovo.

> they were negligent to the fact they were dealing with an incompetent software vendor.

Was Lenovo's repeated downplaying of the problem also just negligence?

What would be considered malicious? They intended to and did install adware and was paid for it. It was exactly their intention.
> the company that wrote Superfish (Komodia) is based in Palo Alto, California

How do you reach this conclusion?

1) komodia.com/about doesn't have any geographic information on it.

2) Their whois entry says Israel, but is (deliberately?) misleading. Is that phone number real?

Registrant Phone: +00.6142772739 The leading digits "614" don't match the calling code for Israel which is 972, nor any Palo Alto area code. Instead it's Columbus, Ohio?

3) It's hard to be sure what was recently on their website, because of a claimed DDOS. But archive.org still has some old info https://web.archive.org/web/20150220024525/http://www.komodi... which points to a PO Box in Israel, and gives a phone number with an Israel calling code.

Yes, if you can't distinguish between hardware and software you shouldn't be buying a computer from anyone.
Problem is, what happens when they start doing this in firmware ROM next time? If they don't already.
How can you still buy a lenovo product? Superfish was a VERY a dangerous software to have preloaded. I'm pretty sure lenovo engineers knew exactly how dangerous this is and did absolutely nothing about it. And if no one in lenovo knew then that is much worse. In essence, the company installed software to spy on you, and I hear people defending their decision and say they will still buy their products. It does not matter if you use linux or not. This is not an honest mistake and I will never buy a lenovo product in my life. I will not sit here and defend them or try to associate with them and defend their incompetence/ignorance/maliciousness.
To me, the software that comes installed on a laptop is as relevant as the "special offer on peripherals and laptop bags" pamphlets in the box; immediately discarded without a look.

It's the hardware that counts and to date Dell and Lenovo have been pretty consistent in offering solid corporate hardware.

So personally I would buy Lenovo hardware particularly if payments made to them for including the irrelevant crap actually knocks a few dollars off the retail price!

Yes. Why:

* Good Linux support.

* Good price / performance ratio.

* Trackpoint.

Note that I only look at T series. The corporate-oriented T and X series were not affected with Superfish at all.

Not really, this time it's in software and fixable with free software, next time it's firmware…
As long as they have the only reasonable Trackpoint [with physical buttons! lol] I'll keep on buying.
I think I'll be swapping to Dell myself
ThinkPads rock(ed). The current generations (post 20, i.e. W520) have started to deteriorate in what I'd call developer friendliness (still need to pass a special boot line parameter to the kernel to get the system to boot up properly with the dedicated nvidia GPU) as they've changed the keyboard and mouse buttons (no longer 3 above the trackpad and 2 below, only 3 above) and trackpad itself. + quality issues with the modern models and the build feels weak compared to, e.g., the T61.

So, to be honest, I'm not sure.