Users Complain Over Adware Pre-Installed on Lenovo Computers

         

engine

11:11 am on Feb 19, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Ouch, that really isn't a good software package to find on your computer, even if it has these other issues. How they thought it was a good idea in the first place I don't know.

It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time.

The adware, named Superfish, is reportedly installed on a number of Lenovo’s consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user’s permission.

Users Complain Over Adware Pre-Installed on Lenovo Computers [thenextweb.com]

We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.

sem4u

11:20 am on Feb 19, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This sounds really bad. I expect that Google are not too happy with third-party ads replacing their own ads on Google searches. Also, it has the ability to "snoop on secure connections"...

engine

3:17 pm on Feb 19, 2015 (gmt 0)

This is really bad. Reading more about this issue, it seems there's a problem with a self-signed root HTTPS certificate which can intercept your encrypted traffic.

graeme_p

6:15 am on Feb 20, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I assume they thought that as all their computers come with NSA spyware installed (see recent post in Foo on hard drive spyware) they might as well install their own as well....

engine

11:50 am on Feb 20, 2015 (gmt 0)

According to Lenovo's CTO, in an interview with the WSJ, Lenovo are removing Superfish entirely.

WSJ: What are you doing now to ensure the security of people who bought Lenovo laptops with the Superfish app?

Hortensius: As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it.

[blogs.wsj.com...]

I still don't know why they thought it was a good idea in the first instance.

Marshall

12:54 pm on Feb 20, 2015 (gmt 0)

"I still don't know why they thought it was a good idea in the first instance."
In a word, money.

Marshall

RhinoFish

9:57 pm on Feb 22, 2015 (gmt 0)

Selling hardware rigged to break safety / SSL and more, I honestly think they should go to jail for this.

"The relationship with Superfish is not financially significant; our goal was to enhance the experience for users."
I hope the blowback is financially significant, and that people stop buying from them.
They knew exactly what they were doing.

I wish our fed and state govts would demand refunds on all machines they sold, ban them from schools and govt use and any contracted work, and bankrupt them.

Until we get serious with the repercussions, ashwipes like this will sell us out with impunity.

NYTimes details:
[bits.blogs.nytimes.com...]

"This software could track customers’ every online move, intercept secure web sessions and render their computers vulnerable to hackers.

The company buried its software in the lowest level of a PC’s operating system, precisely where customers and antivirus products would never detect it, and had been siphoning data back to servers belonging to Superfish, an Israeli software company headquartered in Silicon Valley that markets itself as a visual search company."

We were about to order the Yoga 2 notebook, canceled those plans.
We've blacklisted them as a vendor.

They should be banned from selling, advertising, importing, exporting, and de-listed from Search Engines, other than articles on what they did.

Their offices and factory should be raided, and shuttered - their executives involved in this decision should be arrested and jailed. Their ill-gotten gains should be frozen and liquidated.

They hid SSL-busting software down at the root op sys level so it couldn't be discovered by security software!

RhinoFish

9:59 pm on Feb 22, 2015 (gmt 0)

Department of Homeland Security urges Lenovo users to remove Superfish
[mashable.com...]

RhinoFish

10:02 pm on Feb 22, 2015 (gmt 0)

"Department of Homeland Security urges Lenovo users to remove Superfish"

Quite a headline!

RhinoFish

10:03 pm on Feb 22, 2015 (gmt 0)

[thehill.com...]

"DHS: 'Superfish' flaw in computers goes all the way back to 2010"

"The government is urging anyone who has purchased a Lenovo computer since 2010 to remove a software program called “Superfish” from their devices."

RhinoFish

10:10 pm on Feb 22, 2015 (gmt 0)

“SSL hijacker” behind Superfish debacle imperils large number of users
[arstechnica.com...]

~~~~~~~~~~~
The fake secure sockets layer certificate found on Lenovo machines preinstalled with Superfish came from Komodia. It was bundled with a password-protected private encryption key, presumably to prevent it from being used by malicious hackers to create websites that spied on users as they visited HTTPS-protected pages. But as Ars reported Thursday, the measure was laughably easy to bypass, since it took Errata Security CEO Rob Graham just three hours to discover that the password was—you guessed it—"komodia".
~~~~~~~~~~~

Smash and burn your Lenovo machines!

They were sold to you as compromised machines, on purpose.

tangor

10:13 pm on Feb 22, 2015 (gmt 0)

That 2010 remark is not completely accurate. The software goes back that far, but Lenovo didn't make their deal until 2014, from September to December (so they say). Those machines have the software on them. Apparently no effort was made to hide Superfish, and it does appear in the user agreement (which no one reads) and does display in the installed programs function.

Just the same, it is a pretty nasty piece of work and I, for one, will never buy another Lenovo product.

ken_b

10:14 pm on Feb 22, 2015 (gmt 0)

"The government is urging anyone who has purchased a Lenovo computer since 2010 to remove a software program called “Superfish” from their devices."

Are they providing a tool to do that?

And if they did, could it be trusted not to load a similar government spyware?

Just wondering.

graeme_p

7:07 am on Feb 24, 2015 (gmt 0)

Governments' view of security:

[eviscerati.org]