A Bit Late, But Lenovo CTO Admits The Company Screwed Up

from the finally dept

We’ve had a bunch of posts today (and yesterday) about the “Superfish” debacle, with a few of them focusing on Lenovo failing to recognize what a problem it was — first denying any serious security problem, and then calling it “theoretical.” It appears that Lenovo has now realized it totally screwed up and is finally saying so. Speaking to Re/code, CTO Peter Hortensius has changed his tune from the “theoretical” problem he discussed earlier:

“We messed up,” CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a “man-in-the-middle,” or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one.

[….]

The company has an engineering review that made sure the tool itself didn’t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

“We should have known going in that that was the case,” Hortensius said. “We just flat-out missed it on this one, and did not appreciate the problem it was going to create.”

He later admits that the company “deserves” to take a beating for missing that. The company has also promised to publicly announce a plan for how it will make sure this sort of thing doesn’t happen again.

While we called the company out for its initial terrible reaction, at least the company now seems to recognize the problems it caused and is owning up to it. It should have happened faster, but at least it’s happening. Hopefully, the company is better off for it.

Of course, the same can’t be said for Superfish, which insisted yesterday that Lenovo would show there was no security risk at all, and which still seems to be standing by that ridiculously wrong statement.

Companies: komodia, lenovo, superfish


Comments on “A Bit Late, But Lenovo CTO Admits The Company Screwed Up”

27 Comments
Anonymous Coward says:

The company has an engineering review that made sure the tool itself didn’t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

This is a non-apology apology, though. There is no excuse for anybody to interfere with encrypted traffic between you and a host under any circumstances, least of all an OEM.

The CTO is genuflecting to ensure profits aren’t going to be down too much this quarter. The only thing which ensures Lenovo and other competitors learn a good lesson from this is heavy losses or bankruptcy, which is what they deserve.

To still fall for the soothing words of professionally lying corporate executives in this day and age is folly.

Meanwhile, in the United States, tech companies continue to claim to protect privacy on the one hand while collaborating with the NSA to destroy it on the other.

Words from corporate executives have no meaning. You’re listening to a robot.

Anonymous Coward says:

Re: Re:

You’re exactly right. This isn’t an apology or an admission. It’s corporate bullshit from one of Lenovo’s professional liars. It’s worthless crap that means NOTHING.

Lenovo was and is no doubt fully aware of the Sony rootkit debacle: they simply gambled that it wouldn’t happen to them. And they probably calculated that even if it did, the profits they made by selling out the security and privacy of their users would outweigh the negative press.

The next Sony/Lenovo will do the same thing, unless Lenovo is sufficiently punished. And by “sufficiently punished”, I mean that they must be driven into bankruptcy. We need a massive online campaign that makes it clear that Lenovo supports spyware that enables pedophiles, rapists, phishers, spammers and stalkers: we need to drag them through the mud until anyone hearing their name thinks of the most foul, sleazy, awful people on the planet.

orbitalinsertion (profile) says:

Re: Re: Everybody screws up sometimes

That’s laughable, at best. Even a properly secure version of this software would be garbage, and not something any vendor should bundle in a pre-installed OS in the first place. And if they had done any testing at all, they would have seen what a gaping security hole it creates.

Bamboo Harvester (profile) says:

Re: Re: Re:3 Everybody screws up sometimes

“Why would Lenovo, a company that people have been screaming about as they’re a Chinese company and thus could be ‘spying for China’, collaborate with the NSA?”

NSA: Mr CEO, nice to meet you. Your kids still going to Lat Mai high school? I think I ran into your wife at the Gak Lai supermarket the other day. And the landscaping at your home on Momo Drive, magnificent, just magnificent.

True terrorism at its finest.

Kaemaril (profile) says:

Re: Re: Re:4 Everybody screws up sometimes

Mr CEO : Why, Mr. NSA. It’s really nice to meet you too. This guy to my right? Oh, you haven’t met. Now, I’m not saying he’s with Chinese Intelligence and I’m not saying he’s not. But he’s awfully knowledgeable about your children, practically a trivia buff on the subject.

Hey, it’s just as plausible 🙂

Anonymous Coward says:

It will be interesting to see if Lenovo’s promise to drop Superfish covers all computers — or only computers sold in Western countries?

Before anyone can say “that’s a stupid question!”, let’s not forget that back in the 1980s, after Pharmaceutical giants such as Bayer learned that their human-blood-derived products were spreading AIDS, they immediately took steps to revamp the products to make them safer — but only to products sold in Western countries. Rather than destroy their existing stock of tainted merchandise, these companies simply changed its destination and shipped it to 3rd-world countries instead (one of which was China, home of Lenovo).

And of course the tobacco industry has been famous for agreeing to change its evil ways in one country, only to shift its target to other countries where it’s hoped that resistance will be weaker.

So let’s not completely discount the idea that Lenovo is only making a strategic *partial* retreat and not a capitulation.

Anonymous Coward says:

The last denial from him was in the WSJ, which typically has an audience more likely to be less technically understanding and easier to calm by lies. Re/code typically has a technology angle attracting people who can spot the lies and get angered by them.

I still see what the CTO does as media appeasement/damage control. While the Re/code interview is a lot more real, it still seems to be a case of designing the message to the listener…

Dreddsnik says:

“No, what I mean is that someone inside Lenovo made a dirty deal with a defense contractor for inserting privacy”

Not even that. I think they knew all along. They didn’t think they would get caught.

“Why would Lenovo, a company that people have been screaming about as they’re a Chinese company and thus could be ‘spying for China’, collaborate with the NSA?”

Lots of cash ?
This seems to have an amazing effect on people and corporations when the amount is high enough.

Anonymous Coward says:

This Komodia stuff is the tip of the iceberg with regards to how screwed up HTTPS and CA/cert-based security is. I hope you guys will keep digging; lots of stories and knowledge that deserve attention and understanding here.

With no cooperation from any CAs, this dinky little company easily created a complete Inception-style spyware apparatus that went undetected for quite some time.

Good thing the NSA/GCHQ can’t do such a thing…
Wait, what?

How many trusted root CAs do you have installed on your computer? …Or a better question is how many root CAs did your browser maker decide you should trust? It’s not like you consciously chose to trust those entities… most probably don’t even know they exist. Worse still, how did those entities even become ‘trusted’? It’s far more arbitrary than you might imagine.

Anonymous Coward says:

Re: Re:

How many trusted root CAs do you have installed on your computer? …Or a better question is how many root CAs did your browser maker decide you should trust? It’s not like you consciously chose to trust those entities…

You might be misunderstanding the word “trusted”… “a trusted system is one whose failure may break a specified security policy.” It’s not a compliment, and notably doesn’t mean trustworthy.

Worse still, how did those entities even become ‘trusted’? It’s far more arbitrary than you might imagine.

I think, like bankers and ISO certifiers, they are focusing more on procedures and insurance than results. The CAs all follow “best practices” without much regard for whether those practices are actually good or sufficient (as opposed to the same mediocre practices as everyone else). For example, they send an unencrypted email to the domain owner, even though CAs exist because we expect unencrypted traffic to be observable and modifiable by adversaries. (It’s the “best” practice just because nobody else is doing anything better–except with EV certs, where the CAs say they’ll do the job they were supposed to do in the first place.)

The few CAs that are known to have been compromised or otherwise taken advantage of (e.g. MD5 collisions helped by predictable serial numbers) had some pretty egregious problems, stuff that serious penetration testers should have found, but they all had the requisite certifications and insurance before it happened. Most of them still do.
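
The two comments above ask how many root CAs a machine actually trusts, and the article’s point is that Lenovo shipped one more than it should have. The following PowerShell snippet is an added example, not code from the article, from Lenovo, or from any commenter: it counts the roots in the Windows machine-wide and per-user root stores and flags any whose subject mentions Superfish. The substring `Superfish` as the match key is an assumption taken from the vendor name on this page, not a fingerprint published here; adjust it if you are hunting a different root.

```powershell
# Added example (not from the article or any commenter): count the root CAs
# Windows trusts on this machine and flag any whose subject names Superfish.
# Assumptions: the offending root's subject contains the string "Superfish"
# (the vendor name used on this page); both the machine-wide and the
# per-user root stores are checked, because the Windows chain engine
# honours either one when building a trust path.

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$suspectPattern = 'Superfish'   # assumption: substring of the suspect root's subject

foreach ($store in $stores) {
    $roots = @(Get-ChildItem -Path $store)
    Write-Host ("{0}: {1} trusted root certificates" -f $store, $roots.Count)

    # Anything in a Root store may issue for any hostname, so a single match
    # means whoever holds that root's private key can impersonate every
    # TLS site to this machine (the MITM the article describes).
    $hits = $roots | Where-Object { $_.Subject -match $suspectPattern }
    foreach ($c in $hits) {
        Write-Host ("  SUSPECT  subject={0}  thumbprint={1}  notAfter={2}" -f
            $c.Subject, $c.Thumbprint, $c.NotAfter)
    }
}

# To remove a flagged root (elevated prompt required for LocalMachine):
#   Get-ChildItem Cert:\LocalMachine\Root |
#       Where-Object { $_.Subject -match 'Superfish' } | Remove-Item
```

The count printed for `Cert:\LocalMachine\Root` is the honest answer to the “how many” question for that machine; note that Firefox keeps its own root store and is not covered by this check, while Internet Explorer and Chrome on Windows use the stores queried here.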

John Fenderson (profile) says:

Re: Re: Re:

“You might be misunderstanding the word “trusted”… “a trusted system is one whose failure may break a specified security policy.” It’s not a compliment, and notably doesn’t mean trustworthy.”

Spot on. This is one of those “terms of the art”, and I have to admit that I never realized that people might not know what it means.

Coises (profile) says:

Actions speak louder than words

Dear Lenovo,

If you really regret Superfish (and not just the fact that it was discovered), I have a simple way you can demonstrate your integrity:

As soon as possible, begin offering all of your Windows computers–every single one–with a “clean install” option that includes nothing but Windows, Windows updates and WHQL-certified drivers. Not so much as a custom desktop background image added.

If you have software other than WHQL-certified drivers that you believe enhances the operation of the machine, make it a downloadable install, and keep it granular (e.g., don’t bundle uncertified drivers we need with apps we don’t).

Let us see how much more you have to charge without subsidies from bloatware and adware vendors and make the decision for ourselves which is the better value.

I think you’d win back a lot of respect… and maybe force some other OEMs to play catch-up.

Mike Acker (profile) says:

Superphish

Torvalds notes (p.95) of “Just for Fun” “If money was to get involved things would get murky. If you don’t let money enter the picture you won’t have greedy people”.

greedy people we got and the lust to get adverts and recons into everyone’s computer is stunningly vicious

I ran across this in a blog post today

oldschoolh4ck3r
Welcome to the brave new world, where industries and governments collude to dissolve privacy and establish a digital battlefield. Deep-pocketed agencies can fund corporations towards their agendas of tainting technology in their favor, all the while pointing the finger at software ‘bugs’. We’re in a lot of trouble.

OpenSource and FSF software is the “Last Best Hope” for privacy and security

IMHO

JBDragon says:

This is why NONE of this 3rd party CRAP should ever be pre-installed on a new computer. It should be Windows ONLY, free of all other crap!!!

Is it really worth it to get a Bad Reputation for this garbage? I know Windows, like Android, has issues with making any money on razor-thin profits and they do this crap to try and make a little money. How much do you really get to have this crap installed on a PC? $20? Here’s an idea: bump the price of the PC up $20 and remove ALL of that crap.

Why not be known for Not throwing CRAP on your PC’s!!!
