Lenovo pre-installed advertising malware on laptops

I like the idea, but you’ve clearly not tried to re-install MS Windows for a few years. You don’t get a real installation disk any more - you get a ‘recovery’ disk, which reinstalls an image complete with all the original crapware.

+1 for Ubuntu, Mint, or any distro you fancy. I spend a good portion of my time using Linux, but it still doesn’t do everything. I’m stuck using Windows for CAD. Solidworks and Autodesk Inventor are both Windows only, and really don’t work through VMs. Sad when you think the CAD world used to be exclusively Unix.

3 Likes

As also stated Laptops not so much and while I don’t really lug my personal one around a lot I do it often enough that it is worth it over a build my own. My current one was not too much of a pain to remove the dell installed crapware vs. getting an ISO and installing a blank OS and work gave a nifty discount and yeah yeah windows but it is what I support for work as well and it pays the mortgage. But yeah going to the Microsoft store and buy there and they offer an clean install service as well for your own machine I thought, or you can download the ISO from Microsoft and use the key on the bottom of the machine hidden under the battery these days. But this is a whole new level dumb from the vendors.

My next purchase may be one like I got for the kid which was a used business class from a local shop (interconnection.org) that is a non-profit. I guess the only other option is pony up the $$$ for something from a place like PugetSystems.

The EFF is also following the story: https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops

You can test whether your PC has this malware installed by visiting this site: https://filippo.io/Badfish/

Unfortunately, I have not yet seen any clear and comprehensive removal instructions. Lenovo support has instructions for removing the software (amounting to “delete it via Add/Remove Programs”, IIRC), but following those instructions does not remove the root certificate, so you’re still vulnerable to external attackers after removing the software. You have to manually go into the Windows certificate manager and delete the certificate (it’s clearly labeled; look for “Superfish”). If you have Firefox, you need to remove the certificate from its certificate manager as well; they are separate things.

3 Likes

and since I can only post two links at a time:

:frowning: now i haz a sad

1 Like

For my personal CAD use on Linux I started to use Draft Sight.
I even run it at work on my Windows machine alongside legal AutoCAD. I am preparing for time when Autodesk goes to subscription-only.

Or you could just not run Windows, which solves 99% of the bloatware problem (and I’m not referring to Windows, itself, in this instance).

Get an OS X laptop: only has OS X and a few Apple apps.

Get a Lenovo, wipe it, put Ubuntu on it: no bloatware.

It is only Windows that seems to get this treatment from Dell, Lenovo, etc.

1 Like

Uninstalling it doesn’t remove the certificate they’ve added to your root store, just the other software.

I have vowed to never-ever buy from Lenovo after a friend asked me to install stuff to his new Lenovo notebook. It not only did not come with an installation medium (sadly, the vast majority of suppliers only provide a restore image that contains all the crapware pre-installed), they did not provide means to create a backup media for system restore. I had to search the net, because I did not want to believe that there is no way to do that. Well, the official statement from Lenovo is that when your HD fails you have to bring it to Lenovo service centre to get a restore partition. No, thank you.

3 Likes

Sure, and for some people that’s actually an option. Many others can’t do this for various reasons - either the software they need isn’t available/doesn’t have an equivalent in those other OSes (or doesn’t run well in emulation), or budget reasons (OSX laptops are gorgeous pieces of hardware, but they’re pricey), or they simply fear trying to learn a new OS (though Windows 8’s radical new design has made that part of the argument less solid, since most non-techy folk have never heard of classic shell).

2 Likes

They did. I feel I had to tell them all. One by one…
Life of an engineer, life full of fun.

2 Likes

Well Apple controls the hardware as well as the software so closed ecosystem and all. The others to keep the consumer models cheap they get subsidized by installing the crapware. So yeah you can have a new machine cheap that you need to flatten and reload or go to a vendor that supplies a clean install for $$$ more which best I can tell works out to be about the same that Apple charges. This does not excuse Lenovo for installing what amounts to malware and a serious preinstalled security nightmare.

As far as you are installing over a wiped drive which you can also do with Windows. The ISO files should be downloadable from Microsoft and hey looks like they have nifty online tool for win8 to make a DVD or USB based option and you just use the license key on the COA sticker. I know I did this with my old machine and Visa without hassle.

1 Like

Interestingly, these laptops were also came preinstalled with McAfee. Lot of good that did.

4 Likes

As critical as I am about the US intelligence efforts against everyday citizens, China does and will continue to operate in this way very much as well. I considered it nearly a joke when IBM sold off Lenovo to China, and there is no way I would buy any of their systems.

Does not mean the US is not also inclined to install unwanted malware, they have, and they do. In the supply chain. As Snowden and other disclosures have shown. We still are lacking a lot of information on that, however.

China does have much worse quality controls, but they are also well known to use plausibly deniable attack software.

On getting systems which are clean: you can always wipe your system. About twenty years ago, right before I got into comp sec I worked at a major company which assembled computers: Gateway, Dell, Hughes, many different clients. Most were consumer products, but even military products were involved. While there was 24/7 cameras everywhere, this was largely to prevent workers from stealing components, some of which were highly expensive. If we were charged with installing custom made hardware bugs, no one would have been the wiser. Consumers get these branded products, not even aware that they were put together at the same place their competitor products were put together.

I’ve given up. I just tell them now “Figure out how to use it yourself, dummy”. 20+ years of tech support and I finally snapped.

As I said above - Microsoft will sell you a Signature Edition (link to Canadian store, US store has the same program) machine that has windows pre-installed, no bloatware. It’s nice. I’m presuming no malware as well, but haven’t checked it 100% to verify. And their prices are (at least in my experience, with the handful I’ve looked at) actually CHEAPER than the similarly specced models from the manufacturer directly (Lenovo in particular, they had some fantastic deals on signature edition Carbon ultrabooks)

You say that as if McAfee is anything but Malware itself.

2 Likes

Don’t worry, just the NSA stuff.

I have a Lenovo here. It is about two years old. I wiped it, put Ubuntu on it. I use it for some testing.

About six months ago, I got official Windows 7 DVD media so I could put Windows back on it for some other work. Ha ha ha. You can’t. You have to use a Lenovo disk because there is no driver support for their disk controller, among other things, in the Windows disks you can buy from Microsoft. A normal purchased Windows disk can’t even see that there is a hard drive in it. I said “fuck it” and kept Ubuntu on it.

Only if you can find the drivers for whatever hardware the manufacturer sticks inside.

3 Likes

Isn’t draftsight 2D only? I use it all the time, but, I usually draft in python…