by fpgeek 4130 days ago
Wow. Releasing the source to the removal tool might be the first right (rather than actively wrong and then merely a little less wrong) thing Lenovo has done in this entire disaster.

It feels like I can almost hear the screams of the engineers explaining why a black-box removal tool is nowhere near enough.


There's a directory with maybe 30+ .exe files in this repo. So it's a black box to some extent, but it looks like they're known browser utilities, so presumably someone could verify them.

https://github.com/lenovo-inc/superfishremoval/tree/master/S...

While the NSS suite is fairly standard, I downloaded both pre-built Windows binaries from here:

ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/msvc9/

However the SHA256 hashes do not match those of the provided Lenovo binaries. The Lenovo binaries are also bigger than either build provided by Mozilla.

However, this does NOT mean there is something wrong; Lenovo may have just compiled them using a different compiler/compiler options/library versions. It is actually common for two people compiling the same source to get different binaries (see, for example, the TrueCrypt issue, where TrueCrypt's pre-built binaries were hard to reproduce because the library versions were so specific).

Lenovo may also have supplied the wrong Readme file (that's where I get the version number from).

If you're paranoid, delete them from the Lenovo package, and download them from Mozilla.
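A defender-side version of the check described in the comment above, as an added example (not code from this thread, from Lenovo's repository or from Mozilla): hash every binary in a vendor bundle, compare it against an upstream manifest, and report not just "mismatch" but whether the size differs too, since a mismatch by itself only means the file is unverifiable, not tampered. File names, bytes and hash values below are constructed stand-ins, not real NSS artifacts.

```python
import hashlib
from pathlib import Path

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verdict_for(vendor_bytes: bytes, ref_sha256: str, ref_size: int) -> str:
    """Classify one vendor-bundled binary against its upstream reference.

    A hash mismatch alone is not evidence of tampering: a different compiler,
    build options or library versions change the bytes. It only means the
    file cannot be verified against upstream and should be replaced by the
    upstream build if that matters to you.
    """
    if sha256_hex(vendor_bytes) == ref_sha256:
        return "match"
    if len(vendor_bytes) != ref_size:
        return "hash mismatch, size differs"
    return "hash mismatch, same size"

def compare_bundle(vendor: dict, manifest: dict) -> dict:
    """vendor: {filename: bytes}; manifest: {filename: (sha256_hex, size)}.
    Bundled files with no upstream entry are flagged as unverifiable."""
    report = {}
    for name, data in vendor.items():
        if name not in manifest:
            report[name] = "no upstream reference"
            continue
        ref_sha, ref_size = manifest[name]
        report[name] = verdict_for(data, ref_sha, ref_size)
    return report

def load_dir(path: str) -> dict:
    """Read every file under `path` into {name: bytes} for compare_bundle()."""
    return {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}

# Constructed sample data standing in for the real bundle and the upstream
# release manifest; the "reference" entries are derived from these stand-ins.
UPSTREAM_CERTUTIL = b"MZ upstream certutil build"
UPSTREAM_NSS3 = b"MZ upstream nss3"
MANIFEST = {
    "certutil.exe": (sha256_hex(UPSTREAM_CERTUTIL), len(UPSTREAM_CERTUTIL)),
    "nss3.dll": (sha256_hex(UPSTREAM_NSS3), len(UPSTREAM_NSS3)),
}
VENDOR_BUNDLE = {
    "certutil.exe": UPSTREAM_CERTUTIL,                 # identical to upstream
    "nss3.dll": b"MZ upstream nss3 plus static libs",  # rebuilt, larger
    "helper.exe": b"MZ vendor-only tool",              # nothing to compare to
}

if __name__ == "__main__":
    for name, verdict in compare_bundle(VENDOR_BUNDLE, MANIFEST).items():
        print(f"{name}: {verdict}")
```

For a real check, build `MANIFEST` from the hashes and sizes of the upstream release files and pass `load_dir("<bundle directory>")` as the vendor side.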

Their hand was forced. I'm sure this is going to cost some money, possibly by both sides.

The notion they were unaware of what Superfish was and did is simply implausible. This is damage control, full force.

> The notion they were unaware of what Superfish was and did is simply implausible.

They certainly knew they were installing creepy adware for money, there is no doubt about that.

I don't think we know whether they looked close enough to see that they were MITM-ing SSL connections. I don't think they'd have objected either way, but I'm not certain.

I'm sure they didn't know about the security issues. (Mostly because they wouldn't have thought to look for them, but still.) Even after that disastrous CEO statement that called the security issues 'theoretical' I don't think they'd knowingly ship software as broken as that. (It might be different for government backdoors, but those are more likely in the hardware, firmware or hardware drivers just because the interesting enterprise and government customers would never use a Lenovo-provided image with Superfish anyway. And most likely Lenovo the company doesn't know about the backdoor either, only the single engineer that built it.)

> Even after that disastrous CEO statement that called the security issues 'theoretical'

I think this is the real outrage here: that the company is run by an asshat who thinks that little of his customers. I refuse to recommend Lenovo or any of their products until this guy either demonstrates unreserved contrition (and by contrition, I mean a clear apology that acknowledges that the very concept of installing such an intrusive and obnoxious program on their customers' computers is wrong) or is sacked. Buying or recommending anything from Lenovo under the current circumstances is unacceptable.

By the same note... I haven't bought a Sony piece of hardware in years (from what they did with CDs over a decade ago, and how they handled it)... this is a lot better in terms of a technical response, despite the stupid upper management and PR response.

Even though the code isn't up to the standards of some... (with full test coverage, etc.)... having a relatively small utility that works is better than nothing... and anyone here can fork and flesh out the project.

I'm not quite sure why they are using other software checked into the repo as opposed to using NuGet with restore/pull on build setup... Just the same, it's a decent move.

Putting Superfish and the software in question on the computer in the first place was far more of a bonehead move, but I doubt the people who released this patch are the same ones who decided to include it in the first place. This is how badly our personal privacy has been invaded...