A Bit Late, But Lenovo CTO Admits The Company Screwed Up

from the finally dept

We've had a bunch of posts today (and yesterday) about the "Superfish" debacle, with a few of them focusing on Lenovo failing to recognize what a problem it was -- first denying any serious security problem, and then calling it "theoretical." It appears that Lenovo has now realized it totally screwed up and is finally saying so. Speaking to Re/code, CTO Peter Hortensius has changed his tune from the "theoretical" problem he discussed earlier:
“We messed up,” CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a “man-in-the-middle,” or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one.

[....]

The company has an engineering review that made sure the tool itself didn’t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

“We should have known going in that that was the case,” Hortensius said. “We just flat-out missed it on this one, and did not appreciate the problem it was going to create.”
He later admits that the company "deserves" to take a beating for missing that. The company has also promised to publicly announce a plan for how it will make sure this sort of thing doesn't happen again.

While we called the company out for its initial terrible reaction, at least the company now seems to recognize the problems it caused and is owning up to it. It should have happened faster, but at least it's happening. Hopefully, the company is better off for it.

Of course, the same can't be said for Superfish, which insisted yesterday that Lenovo would show there was no security risk at all, and which still seems to be standing by that ridiculously wrong statement.

Reader Comments

  • Anonymous Coward, 20 Feb 2015 @ 6:49pm

    The company has an engineering review that made sure the tool itself didn’t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

    This is a non-apology apology, though. There is no excuse for anybody to interfere with encrypted traffic between you and a host under any circumstances, least of all an OEM.

    The CTO is genuflecting to ensure profits aren't going to be down too much this quarter. The only thing which ensures Lenovo and other competitors learn a good lesson from this is heavy losses or bankruptcy, which is what they deserve.

    To still fall for the soothing words of professionally lying corporate executives in this day and age is folly.

    Meanwhile, in the United States, tech companies continue to claim to protect privacy on the one hand while collaborating with the NSA to destroy it on the other.

    Words from corporate executives have no meaning. You're listening to a robot.

    • Pegr, 20 Feb 2015 @ 7:26pm

      Assume much?

      Why would you think this isn't another example of collaboration? Go research the principles of the vendor. They are all from the intel community.

    • Anonymous Coward, 22 Feb 2015 @ 4:41am

      Re:

      You're exactly right. This isn't an apology or an admission. It's corporate bullshit from one of Lenovo's professional liars. It's worthless crap that means NOTHING.

      Lenovo was and is no doubt fully aware of the Sony rootkit debacle: they simply gambled that it wouldn't happen to them. And they probably calculated that even if it did, the profits they made by selling out the security and privacy of their users would outweigh the negative press.

      The next Sony/Lenovo will do the same thing, unless Lenovo is sufficiently punished. And by "sufficiently punished", I mean that they must be driven into bankruptcy. We need a massive online campaign that makes it clear that Lenovo supports spyware that enables pedophiles, rapists, phishers, spammers and stalkers: we need to drag them through the mud until anyone hearing their name thinks of the most foul, sleazy, awful people on the planet.

  • Spaceman Spiff (profile), 20 Feb 2015 @ 7:09pm

    Everybody screws up sometimes

    But it takes a "man" (or woman) of character to admit it when they do. I don't like what Lenovo did, but I have gained a lot of respect for them in that their CTO is willing to fall on his sword over this. And even more respect for him.

    • Pegr, 20 Feb 2015 @ 7:27pm

      Re: Everybody screws up sometimes

      They were victimized, actually.

      • orbitalinsertion (profile), 20 Feb 2015 @ 7:36pm

        Re: Re: Everybody screws up sometimes

        That's laughable, at best. Even a properly secure version of this software would be garbage, and not something any vendor should bundle in a pre-installed OS in the first place. And if they had done any testing at all, they would have seen what a gaping security hole it creates.

        • Pegr, 20 Feb 2015 @ 8:00pm

          Re: Re: Re: Everybody screws up sometimes

          No, what I mean is that someone inside Lenovo made a dirty deal with a defense contractor for inserting privacy-destroying software on their laptops in order to sell the data to the NSA.

          That would be laughable if it were not already known what they actually do.

          • Kaemaril (profile), 21 Feb 2015 @ 3:40am

            Re: Re: Re: Re: Everybody screws up sometimes

            Why would Lenovo, a company that people have been screaming about as they're a Chinese company and thus could be 'spying for China', collaborate with the NSA?

            • Pegr, 21 Feb 2015 @ 8:39am

              Re: Re: Re: Re: Re: Everybody screws up sometimes

              Money.

            • Bamboo Harvester (profile), 21 Feb 2015 @ 9:13am

              Re: Re: Re: Re: Re: Everybody screws up sometimes

              "Why would Lenovo, a company that people have been screaming about as they're a Chinese company and thus could be 'spying for China', collaborate with the NSA?"

              NSA: Mr CEO, nice to meet you. Your kids still going to Lat Mai high school? I think I ran into your wife at the Gak Lai supermarket the other day. And the landscaping at your home on Momo Drive, magnificent, just magnificent.

              True terrorism at its finest.

              • Kaemaril (profile), 21 Feb 2015 @ 10:51am

                Re: Re: Re: Re: Re: Re: Everybody screws up sometimes

                Mr CEO : Why, Mr. NSA. It's really nice to meet you too. This guy to my right? Oh, you haven't met. Now, I'm not saying he's with Chinese Intelligence and I'm not saying he's not. But he's awfully knowledgeable about your children, practically a trivia buff on the subject.

                Hey, it's just as plausible :)

    • Anonymous Coward, 21 Feb 2015 @ 9:29am

      Re: Everybody screws up sometimes

      They didn't admit anything until they got caught in a web of their own lies and had no choice but to backpedal to save face. They deserve no credit for this. They were forced into it.

    • John Fenderson (profile), 23 Feb 2015 @ 7:52am

      Re: Everybody screws up sometimes

      "I have gained a lot of respect for them in that their CTO is willing to fall on his sword over this"

      Not me. After the first few rounds of deception, it's hard to respect them for coming clean only once they realized that nobody was buying their BS.

  • Anonymous Coward, 21 Feb 2015 @ 12:56am

    It will be interesting to see if Lenovo's promise to drop Superfish covers all computers -- or only computers sold in Western countries?

    Before anyone can say "that's a stupid question!", let's not forget that back in the 1980s, after Pharmaceutical giants such as Bayer learned that their human-blood-derived products were spreading AIDS, they immediately took steps to revamp the products to make them safer -- but only to products sold in Western countries. Rather than destroy their existing stock of tainted merchandise, these companies simply changed its destination and shipped it to 3rd-world countries instead (one of which was China, home of Lenovo).

    And of course the tobacco industry has been famous for agreeing to change its evil ways in one country, only to shift its target to other countries where it's hoped that resistance will be weaker.

    So let's not completely discount the idea that Lenovo is only making a strategic *partial* retreat and not a capitulation.

  • Anonymous Coward, 21 Feb 2015 @ 1:00am

    ...trying to figure out why comments are going to "moderation" right now.

  • Anonymous Coward, 21 Feb 2015 @ 2:15am

    The last denial from him was in WSJ who typically has an audience more likely to be less technically understanding and easier to calm by lies. re-code has typically a technology angle attracting people who can spot the lies and get angered by them.

    I still see what the CTO does as media appeasement/damage control. While the re-code interview is a lot more real, it still seems to be a case of designing the message to the listener...

  • Dreddsnik, 21 Feb 2015 @ 5:39am

    "No, what I mean is that someone inside Lenovo made a dirty deal with a defense contractor for inserting privacy"

    Not even that. I think they knew all along. They didn't think they would get caught.

    "Why would Lenovo, a company that people have been screaming about as they're a Chinese company and thus could be 'spying for China', collaborate with the NSA?"

    Lots of cash ?
    This seems to have an amazing effect on people and corporations when the amount is high enough.

  • Anonymous Coward, 21 Feb 2015 @ 6:43am

    this Komodia stuff is the tip of the iceberg with regards to how screwed up https and ca/cert based security is. I hope you guys will keep digging- lots of stories and knowledge that deserve attention and understanding here.

    With no cooperation from any CA's, this dinky little company easily created a complete inception style spyware apparatus that went undetected for quite some time.

    good thing the nsa/gchq can't do such a thing...
    wait, what?

    how many trusted root CA's do you have installed on your computer? ...or a better question is how many root CA's did your browser maker decide you should trust- it's not like you consciously chose to trust those entities.. most probably don't even know they exist. worse still- how did those entities even become 'trusted'... it's far more arbitrary than you might imagine.

    • Anonymous Coward, 22 Feb 2015 @ 9:22am

      Re:

      how many trusted root CA's do you have installed on your computer? ...or a better question is how many root CA's did your browser maker decide you should trust- it's not like you consciously chose to trust those entities..
      You might be misunderstanding the word "trusted"... "a trusted system is one whose failure may break a specified security policy." It's not a compliment, and notably doesn't mean trustworthy.

      worse still- how did those entities even become 'trusted'... it's far more arbitrary than you might imagine.
      I think, like bankers and ISO certifiers, they are focusing more on procedures and insurance than results. The CAs all follow "best practices" without much regard for whether those practices are actually good or sufficient (as opposed to the same mediocre practices as everyone else). For example, they send an *unencrypted* email to the domain owner, even though CAs exist because we expect unencrypted traffic to be observable and modifiable by adversaries. (It's the "best" practice just because nobody else is doing anything better--except with EV certs, where the CAs say they'll do the job they were supposed to do in the first place.)

      The few CAs that are known to have been compromised or otherwise taken advantage of (e.g. MD5 collisions helped by predictable serial numbers) had some pretty egregious problems, stuff that serious penetration testers should have found, but they all had the requisite certifications and insurance before it happened. Most of them still do.

      • John Fenderson (profile), 23 Feb 2015 @ 7:54am

        Re: Re:

        "You might be misunderstanding the word "trusted"... "a trusted system is one whose failure may break a specified security policy." It's not a compliment, and notably doesn't mean trustworthy."

        Spot on. This is one of those "terms of the art", and I have to admit that I never realized that people might not know what it means.


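The thread above asks how many root CAs a machine trusts and who chose them. The script below is an added example, not code from the article or its commenters: it is one way a defender can audit a trust store against a reviewed baseline, flagging any anchor that was not deliberately chosen (an OEM-injected root like the one the article describes would show up here). The baseline names, the `dn` helper and the sample store are constructed; a real baseline would come from a clean-install snapshot or a browser vendor's published bundle.

```python
import ssl

# Constructed baseline: (organizationName, commonName) of roots that were reviewed
# and deliberately chosen. In practice this is a snapshot from a clean install
# or from the browser vendor's published bundle.
BASELINE_ROOTS = {
    ("Example Trust Services", "Example Root CA G2"),
    ("Example Trust Services", "Example Root CA G3"),
}

def name_of(dn):
    """Collapse an ssl-module distinguished name (a tuple of RDNs, each a tuple
    of (attribute, value) pairs) into an (organizationName, commonName) pair."""
    fields = {attr: value for rdn in dn for attr, value in rdn}
    return (fields.get("organizationName", ""), fields.get("commonName", ""))

def audit_roots(store, baseline):
    """Return each trust anchor in `store` whose subject is not on the baseline.
    `store` has the shape of ssl.SSLContext.get_ca_certs(): dicts with 'subject'
    and 'issuer' distinguished names. A root the user never chose, such as an
    OEM-injected interception CA, shows up as an extra self-signed anchor."""
    findings = []
    for cert in store:
        subject = name_of(cert["subject"])
        if subject not in baseline:
            findings.append({"subject": subject,
                             "self_signed": cert["subject"] == cert["issuer"]})
    return findings

def installed_store():
    """Trust anchors the default ssl context loads on this machine."""
    return ssl.create_default_context().get_ca_certs()

def dn(org, cn):
    """Build a distinguished name in the ssl-module tuple shape (constructed helper)."""
    return ((("organizationName", org),), (("commonName", cn),))

# Constructed sample store: the two baseline roots plus one extra self-signed
# root standing in for an adware-injected CA.
SAMPLE_STORE = [
    {"subject": dn("Example Trust Services", "Example Root CA G2"),
     "issuer": dn("Example Trust Services", "Example Root CA G2")},
    {"subject": dn("Example Trust Services", "Example Root CA G3"),
     "issuer": dn("Example Trust Services", "Example Root CA G3")},
    {"subject": dn("Constructed Adware Co", "Constructed Adware Root"),
     "issuer": dn("Constructed Adware Co", "Constructed Adware Root")},
]

if __name__ == "__main__":
    for finding in audit_roots(SAMPLE_STORE, BASELINE_ROOTS):
        print("unexpected trust anchor:", finding)
    print("roots in this machine's default context:", len(installed_store()))
```

Run against `installed_store()` instead of `SAMPLE_STORE` to audit the roots the local OpenSSL store exposes to Python; browsers ship their own bundles, so each one needs its own baseline.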
  • miatajim (profile), 21 Feb 2015 @ 7:38am

    Sorry Lenovo, you should have learned from Sony in 2005. Never again will you see any of my personal or any corporate (friends, family) I have any control over.

  • Coises (profile), 21 Feb 2015 @ 5:01pm

    Actions speak louder than words

    Dear Lenovo,

    If you really regret Superfish (and not just the fact that it was discovered), I have a simple way you can demonstrate your integrity:

    As soon as possible, begin offering all of your Windows computers–every single one–with a “clean install” option that includes nothing but Windows, Windows updates and WHQL-certified drivers. Not so much as a custom desktop background image added.

    If you have software other than WHQL-certified drivers that you believe enhances the operation of the machine, make it a downloadable install, and keep it granular (e.g., don’t bundle uncertified drivers we need with apps we don’t).

    Let us see how much more you have to charge without subsidies from bloatware and adware vendors and make the decision for ourselves which is the better value.

    I think you’d win back a lot of respect... and maybe force some other OEMs to play catch-up.

  • DB (profile), 21 Feb 2015 @ 10:48pm

    The statement is exactly the one you would see if control of the situation was moved from marketing ("we are certain there is no risk") to legal ("we didn't know anything").

    Did they simply miss the implications of snooping-based advertising? Especially one that can insert their own advertisements? That doesn't seem credible.

  • Mike Acker (profile), 22 Feb 2015 @ 9:13am

    Superphish

    Torvalds notes (p.95) of "Just for Fun" "If money was to get involved things would get murky. If you don't let money enter the picture you won't have greedy people".

    greedy people we got and the lust to get adverts and recons into everyone's computer is stunningly vicious

    I ran across this in a blog post today

    oldschoolh4ck3r
    Welcome to the brave new world, where industries and governments collude to dissolve privacy and establish a digital battlefield. Deep-pocketed agencies can fund corporations towards their agendas of tainting technology in their favor, all the while pointing the finger at software 'bugs'. We're in a lot of trouble.

    OpenSource and FSF software is the "Last Best Hope" for privacy and security

    IMHO

  • JBDragon (profile), 23 Feb 2015 @ 9:30am

    This is why NONE of this 3rd party CRAP should ever be pre-installed on a new computer. It should be Windows ONLY, free of all other crap!!!

    Is it really worth it to get a Bad Reputation for this garbage? I know Windows like Android has issues with making any money on razor-thin profits and they do this crap to try and make a little money. How much do you really get to have this crap installed on a PC? $20? Here's an idea, bump the price of the PC up $20 and remove ALL of that crap.

    Why not be known for Not throwing CRAP on your PCs!!!
