Anyone who has purchased an inexpensive Windows laptop recently knows how the laptop vendors “supplement” Microsoft Windows with various “pre-installed” software and utilities, such as the ever-nagging “have you paid for your subscription yet?” anti-virus trial. Not only is this “crapware” practice annoying and performance degrading (original ad-laden article), it can also endanger your security and privacy.
Over the last week or so it came to light that Lenovo (a Chinese-owned company) shipped software from an advertising company called Superfish, sold as “WindowShopper”, on laptops built from September 2014 to January 2015. The good news is that they have stopped doing it. The bad news is that what they did is very, very bad. Just how bad is hard to explain to someone with limited technical understanding.
They installed this software so that it could inject ads into your browsing. The software sits between your browser and every web site you visit, reads what you are looking at, feeds that to ad providers who buy the ad space, and writes the ads into the pages and search results before they reach you. It is as if you subscribed to the New York Times and another company intercepted each copy on the way to your door and pasted its own ads into it, without either the New York Times’ consent or yours. In security terms this is called a “man-in-the-middle” attack.
Let me be really clear on this. The Superfish software is HACKING your Google search results (and every other site you visit) with a man-in-the-middle attack, and Lenovo knowingly facilitated this attack vector to make money by selling access to its customers, to help boost the profits on its cheap laptops.
What makes this so bad (the “Paul Harvey Page Two” for you old timers) is that they do it on SECURED web sites. Google encrypts the results it sends you (hence the “https” in the URL and the little lock icon in your browser), so to read and alter that traffic Superfish installed its own “root certificate” on the laptop: a master key that tells Windows and your browser to trust any web site certificate Superfish signs. It then decrypts your traffic on the laptop, inserts the ads, and re-encrypts it, with the lock icon still showing. And, it turns out (surprise, surprise), the software they installed to do this is flawed. Every affected laptop carries the same root certificate and the same private key, and that key was quickly extracted and published. Anyone who has it can forge a trusted certificate for any site, so on a shared network (a coffee shop, a hotel, an airport) an attacker can impersonate . . . your bank, your healthcare provider, etc., and your browser will show the lock. Hopefully, you get the idea.
Here is more information:
- The original post that brought the issue into the spotlight
- The reaction: “Lenovo accused of compromising user security by installing adware on new PCs” (shared as an Evernote to spare you the ads in the original article)
- The admission: “Superfish admits installing root certificate authority to show ads on secure sites” (shared as an Evernote to spare you the ads in the original article)
- The advice: “[Department of Homeland Security] urges removing Superfish program from Lenovo laptops”
- How to: “Instructions to determine if you have the SuperFish application installed and how to Uninstall it”
And, some of my personal advice:
- If you own a Lenovo laptop, follow the instructions above to check whether WindowShopper (Superfish) is installed. If it is, remove it, and make sure the Superfish root certificate is removed from Windows’ trusted certificate store as well; uninstalling the program alone leaves that certificate behind, and the certificate is what breaks your secure connections. If you are uncomfortable doing this yourself, pay to have someone at your local computer support company do it.
- If you need to buy a laptop and also need to minimize your spending by buying a cheap pre-loaded laptop, factor into the cost buying your own clean copy of Windows, wiping what comes installed on the computer, and installing your own copy of Windows from scratch. Use installation media from Microsoft, not the recovery partition or recovery discs that came with the laptop: those restore the factory image, bundled software included. This is the ONLY sure way of having a clean Windows laptop that is not already loaded down with the “bonus” software the vendor sees fit to include. If you are uncomfortable doing this yourself, factor into the cost the expense of paying your computer store to do it.
- Or, if you can afford it, consider buying it directly from the Windows Store. I have heard, but not confirmed, that these PCs are sold “clean” of all the adware and “bonus” software.
- Unless you’re highly technical, my best recommendation is that you buy an Apple Macintosh. I am an Apple Fan Boy and admit it. There is a reason.
- If you are technical, and you really want to take control of your computing environment, then buy cheap hardware and install one of the various Linux or BSD distributions. This skips the whole Windows versus Apple debate (but does put you in a Linux vs BSD debate) and gives you the most control of the situation. It isn’t as easy, though. “My Other OS Is Linux”
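To make the “check whether it is installed” step concrete, here is an added PowerShell check, written for this post and not taken from Lenovo’s or Superfish’s own instructions. It looks for the program in the Windows uninstall registry, for its root certificate in the trusted root stores, and for any running process or service, matching on the names “Superfish” and “WindowShopper” (an assumption; the exact names the installer used may differ, so adjust the patterns if yours do). Run it from an Administrator PowerShell prompt. By default it only reports; with -Remove it deletes the matching root certificates, and program removal is left to the uninstaller command it prints.

```powershell
# Added example: find (and optionally remove) Superfish traces on a Windows laptop.
# Not from the original post, Lenovo, or Superfish. Run in an elevated PowerShell.
# Assumption: the program, service and certificate names contain "Superfish"
# or "WindowShopper"; change $Patterns if yours differ.
function Find-Superfish {
    [CmdletBinding()]
    param(
        [string[]]$Patterns = @('*Superfish*', '*WindowShopper*'),
        [switch]$Remove      # delete matching root certificates
    )

    # True if $Text matches any wildcard pattern in $Patterns.
    function Test-Match([string]$Text) {
        foreach ($p in $Patterns) { if ($Text -like $p) { return $true } }
        return $false
    }

    # 1. Installed programs: the Uninstall registry keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { Test-Match $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, UninstallString

    # 2. Trusted root certificates. This is the dangerous part: uninstalling the
    #    program does not remove the certificate, and while it is present any
    #    certificate signed with the (leaked) Superfish key is trusted.
    $certs = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { (Test-Match $_.Subject) -or (Test-Match $_.Issuer) }

    # 3. Anything still running under those names.
    $procs = Get-Process | Where-Object { Test-Match $_.Name }
    $svcs  = Get-Service | Where-Object { (Test-Match $_.Name) -or (Test-Match $_.DisplayName) }

    foreach ($p in $programs) {
        Write-Output "PROGRAM  : $($p.DisplayName) $($p.DisplayVersion)"
        Write-Output "           uninstall with: $($p.UninstallString)"
    }
    foreach ($c in $certs) {
        Write-Output "ROOT CERT: $($c.Subject) [thumbprint $($c.Thumbprint)] in $($c.PSParentPath)"
        if ($Remove) {
            Remove-Item -Path $c.PSPath     # deletes it from that certificate store
            Write-Output "           removed."
        }
    }
    foreach ($p in $procs) { Write-Output "PROCESS  : $($p.Name) (PID $($p.Id))" }
    foreach ($s in $svcs)  { Write-Output "SERVICE  : $($s.Name) ($($s.Status))" }

    if (-not ($programs -or $certs -or $procs -or $svcs)) {
        Write-Output "No Superfish traces found."
    }
}

# Report only:
Find-Superfish
# Report and delete the matching root certificates (must be run as Administrator):
# Find-Superfish -Remove
```

A clean report from this script does not prove the laptop is free of every vendor add-on; it only covers the names given. The certificate check is the one worth repeating after any uninstall: if a Superfish entry is still listed under Cert:\LocalMachine\Root, the machine is still exposed even though the program is gone.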
Here are some updates:
- Lenovo is being sued over their Superfish implementation. There was an excellent interview with Bloomberg News this morning on NPR.
- Basically, on a machine with one of these tools installed, you can no longer trust that a “secured” https connection really is secure: the lock icon only tells you the connection is encrypted as far as the adware, not as far as your bank. Turns out that Superfish is not the only software vendor doing this for the sake of ads:
- From this article (original) and this article (original), additional software providers may be doing the same thing. They all build on an Israeli technology called “SSL Digestor” and “Watchdog”, from a company called Komodia. Basically, these are commercial tools whose purpose is to intercept and break your encrypted connections.