Slashdot Mirror


Lenovo Hit With Lawsuit Over Superfish Adware

An anonymous reader writes with news that the fallout from the Superfish fiasco might just be starting for Lenovo. "Lenovo admitted to pre-loading the Superfish adware on some consumer PCs, and unhappy customers are now dragging the company to court on the matter. A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with 'fraudulent' business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware. Plaintiff Jessica Bennett said her laptop was damaged as a result of Superfish, which was called 'spyware' in court documents. She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits."

114 comments

  1. good by Anonymous Coward · · Score: 5, Insightful

    I hope it costs both of them twice what they earned

    1. Re:good by mwvdlee · · Score: 1

      More likely it'll cost the plaintiff twice of what she earns in her lifetime.
      Lenovo is a rich company and the court is in the US; she doesn't stand a chance of winning.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:good by Anonymous Coward · · Score: 1

      Class Action. Assuming Miss Bennett isn't a lawyer herself, a firm will take the case. And just like in the NVidia lawsuit, will take 90% of the profit and give Lenovo customers a 5 dollar off coupon for their next purchase.

  2. Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 3, Funny

    The EULA that is part of clicking through to use the PC states Superfish's conditions.

    This lawsuit will be tossed out before it ever hits a court of law, just because EULAs have a legal precedent of being incredibly enforceable.

    1. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 1

      Is it really the final word? People just chuck away EULAs without reading them. I'm pretty sure the user was not prompted with a clear question "Would you like Superfish to inject advertisements to your web traffic?"

    2. Re: Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 3, Insightful

      The lawsuit alleges fraudulent business practices - i.e., that the plaintiff was lied to. If the EULA contains lies, then reading the EULA would not do any good.

    3. Re:Read the EULA... the lawsuit has no merit. by hey! · · Score: 5, Interesting

      The issue isn't whether EULAs are *potentially* enforceable. The question is whether *this* EULA is enforceable.

      In general there is no contract unless there is some kind of exchange of "considerations". Typically the consideration is the privilege of using the copyright holder's software. But, if you can show that users don't want to use this software, and that it is installed for the benefit of a third party, there is no exchange of considerations between the end-user and the copyright holder, and therefore no valid contract.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 1

      EULA that says what exactly?

      "You agree by using this computer, that you paid good money for, to be spied upon and to have your computer cracked into and taken control of for possibly illegal activities. Agree? Yes/No".

      Like that you mean? Did it say stuff like that? Did it ask the user to agree to being spied on and having their computer broken into by crackers?

    5. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 1

      A EULA does not serve to make illegal things legal. EULAs are not laws.

    6. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 0

      Yeah, basically this is just a placeholder lawsuit. Chances are looking good that somebody will go after Komodia (the maker of the SSL cracker) for wiretapping or something similar, due to the broad use-case its software presents. Once criminal proceedings are underway, existing civil cases like this suddenly gain a lot more clout, and the defendants tend to get really eager to settle.

    7. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 0

      I hate being a devil's advocate, but the EULA is a contract, and this is first year law school stuff.

      The EULA is a contract here, no ifs, ands, or buts.

      Here is what the user gets: The ability to use the software preinstalled on the computer.

      The EULA states what conditions.

      All Lenovo has to do is show a judge that this was done, and show that it was in print that using the machine meant that they were A-OK with the third party software... and the case is dismissed with prejudice.

      Had the user not used the software, it would be a different story, but using it means the user has assented to Superfish's EULA, has agreed to settle via arbitration, and has explicitly consented to monitoring.

      Even if the Superfish case is valid, the user has not gone through arbitration (assuming that is part of the contract), so the case has to be thrown out of court.

    8. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 0

      "You agree that your beautiful, powerful and cheap computer contains software which will improve your shopping experience. Agree, Yes/Yes?" is the more likely EULA written by marketroids.

    9. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 0

      Let me guess: YANAL. Contracts can't be onerous. If I sign a contract that says in exchange for my getting $1, I owe you all dollars I otherwise make until the end of time, and you also get parental rights of my children, a judge will laugh you out of court. Wink 'n Nod contracts "I buy this property for a dollar" work only when no one contests them.

    10. Re:Read the EULA... the lawsuit has no merit. by prelelat · · Score: 3, Insightful

      It's not so cut and dry though. This has gone through the courts multiple times and EULAs have been enforced and not enforced multiple times. It seems to depend on more of which court you take it to. Now the issue here isn't only things that would be covered by the EULA. If it were this would be mildly interesting; the meat of it is the fact that they also are talking about leaving computers/users open for attack and damaging the equipment and hurting people (not physically obviously). It's really interesting, and I wonder if a company can be held liable for poorly written software like that. If they can be held liable who's responsible? Lenovo for probably taking some money to put this on their computer or Komodia for having shitty security and poor design.

      If this goes for the people filing I wonder if it will have a positive effect and make manufacturers think before they do something like this in the future.

      Does anyone recall what happened with the Sony Rootkit deal?

    11. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 0

      I hate being a devil's advocate, but the EULA is a contract, and this is first year law school stuff.

      The EULA is a contract here, no ifs, ands, or buts.

      What are you smoking, troll?:

      Contract Of Adhesion

    12. Re:Read the EULA... the lawsuit has no merit. by wiredlogic · · Score: 2

      There's also the gross negligence displayed by both Lenovo and Superfish in deploying this software. The fact that Lenovo specifically requested to not intercept HTTPS (documented in a JS comment) demonstrates that they were not as clueless about what Superfish has been doing as they want to let on.

      --
      I am becoming gerund, destroyer of verbs.
    13. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 0

      A EULA does not serve to make illegal things legal.

      But isn't spying, or collecting data, common in many web services such as Gmail? Isn't it also legal due to the fact they state this in their EULA?

    14. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 0

      AFAIK, part of the EULA indemnifies Lenovo from any damages, incidental or consequential.

      Again, because of severance clauses, each part of this EULA is basically a court case in itself, and even the lawsuit itself is in peril due to a clause stating arbitration is how this will be handled.

      This will be an uphill battle for any plaintiff, and it will be appealed until SCOTUS decides. There has yet to be a single victory in US courts over a EULA, especially with a company and third party software.

    15. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 0

      The difference is that it is not installed on your computer. And Google only collects data for sites that use its services. This is across all sites.

    16. Re:Read the EULA... the lawsuit has no merit. by HiThere · · Score: 1

      Is the US the only place where this happened? (OK, so *this* case is in the US, that doesn't mean there won't be others.)

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    17. Re:Read the EULA... the lawsuit has no merit. by Pinhedd · · Score: 1

      Not necessarily.

      Contracts do not shield parties from criminal liability resulting from recklessness (knowingly, and willingly placing someone at risk) or negligence (unknowingly, but unnecessarily placing someone at risk).

      One might argue that installing a root certificate on customer computers, including the private key on that same computer, and using an easily guessed password to protect that key constitutes negligent behaviour by placing customers at risk of cyber attacks. It may even be argued that such an act is reckless because anyone skilled enough in the cryptographic systems used should have been able to identify that risk from the surface of the moon.

      What Lenovo did was so incredibly batshit stupid and irresponsible that it's hard to describe in better words.

    18. Re:Read the EULA... the lawsuit has no merit. by Anonymous Coward · · Score: 0

      EULAs need to be standardized and/or regulated to avoid this type of abuse of power.

      The average person doesn't have the time/money to afford all the lawyers necessary to read all of these EULAs. They may not have the legal expertise to understand what is actually stated and what that implies. Try to edit/revise a EULA and send it back for approval. This slants power to the huge corporation with large legal teams. It's also incredibly expensive to fight all of these in courts.

      In some cases, you are not presented the EULA until AFTER the purchase has been made. The EULA should be presented at the point of sale and accepted before the sale takes place.

  3. Lawyers rejoice!! by rodrigoandrade · · Score: 0, Troll

    I fail to see what kind of financial loss Lenovo customers might have incurred over this incident to warrant a class action suit.

    Business customers use their own system image so they're unaffected by this malware.

    Home customers get to see different ads on their screen besides Google's own Adsense garbage. BFD!

    This leaves us unscrupulous lawyers, who'll get all the money while customers who registered their machine will receive a $50 mail-in rebate on their next purchase.

    1. Re:Lawyers rejoice!! by Anonymous Coward · · Score: 4, Insightful

      how about the security flaws in the spyware? if it's a "BFD" go ahead and install it on your own system.

    2. Re:Lawyers rejoice!! by wierd_w · · Score: 2, Insightful

      Small operation businesses often source COTS equipment, and can't afford a dedicated IT dept to produce and maintain system images.

      This means they get crapware in a business setting.

    3. Re:Lawyers rejoice!! by pak9rabid · · Score: 2

      I have a feeling this is less about recovering from damages and more about teaching them a formal lesson (well, cashing-in under the guise of teaching them a formal lesson).

    4. Re:Lawyers rejoice!! by ColdWetDog · · Score: 0

      They might have gone to Harvard, but they looked at this cheesy ad for 'The International Technical Institute', signed up for that program and now can only get a job writing Java widgets for dental clinic systems.

      Seems pretty obvious to me.

      --
      Faster! Faster! Faster would be better!
    5. Re:Lawyers rejoice!! by Anonymous Coward · · Score: 2, Insightful

      The reason for the lawsuit is so that, the next time Lenovo or any other computer maker is deciding whether to include some adware or browser hijacker with their Windows OS install, they decide against doing so because of legal liability.

      Companies care more about the bottom line than anything else. Computer makers will not stop putting crapware on computers until it costs more for them to add the crapware (via lawsuit settlements, etc.) than they get in kickbacks from the crapware makers.

    6. Re:Lawyers rejoice!! by Microlith · · Score: 5, Insightful

      Home customers get to see different ads on their screen besides Google's own Adsense garbage. BFD!

      Yeah it's a BFD, Lenovo took money to install an application that deliberately reduced end user security for the sake of inserting ads into their browsing activities! Not only is it completely bereft of ethics and respect for their customers, it's actively dangerous.

      They shouldn't just be hit via a class action suit (assuming Lenovo isn't sticking a "binding arbitration" clause to defeat the ability for consumers to seek recourse) but Federal prosecution under one of the many computer security laws that would string up anyone else.

    7. Re:Lawyers rejoice!! by Anonymous Coward · · Score: 1

      >This leaves us unscrupulous lawyers, who'll get all the money

      Lawyers are like mercenaries. They get hired by people to do things that the people can't do themselves. Lawyers on their own do nothing, and have no motive aside from getting hired. The lawyers aren't the problem, it is the people asking the lawyers to act.

    8. Re:Lawyers rejoice!! by jythie · · Score: 5, Informative

      Which is why it should be a criminal or regulatory investigation instead. However, because of the way our legal system is put together, this kind of DIY justice is pretty much the only option. People resort to class action lawsuits because prosecutors and law enforcement have written themselves out of responsibility and delegated enforcement of such laws to the consumer. Many laws and regulations are ONLY triggerable via class action lawsuit.

    9. Re:Lawyers rejoice!! by hey! · · Score: 3, Insightful

      The loss of time and effort to figure out whether this is going to cause a problem and then the time and effort to get rid of it.

      That loss is obvious not much on a dollar per user basis, but if you add up all those users it's enough to incent Lenovo to do something so scurrilous. That's precisely the situation which class action lawsuits exist to redress, and according to the article that's the kind of lawsuit that has been filed.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    10. Re:Lawyers rejoice!! by jythie · · Score: 1

      Going one step further, the problem is not even the people who hire the lawyers, but the legislators who crafted law enforcement out of the laws. People would not have to hire mercenaries if regulators and prosecutors were actually doing their jobs, but political expediency meant LEO does not have to do any of that pesky regulation enforcement against companies and keeps that cozy relationship between business and politics comfortable.

    11. Re:Lawyers rejoice!! by fightinfilipino · · Score: 1

      you missed the whole Komodia/Superfish kerfuffle, i gather: http://arstechnica.com/securit...

    12. Re:Lawyers rejoice!! by Dutch+Gun · · Score: 4, Interesting

      I'm not usually one to celebrate lawsuits. And you're right, there's not a lot of individual damage per computer. Rather, I'm perfectly fine with a modest payout per users that punishes Lenovo for this, both monetarily and with bad press. This sort of behavior absolutely has to stop, and I'm willing to enrich a few lawyers to make it happen. Sacrifices must be made for the greater good, I suppose.

      Maybe this will wake people up to the fact that we seriously need some stronger consumer privacy laws. I'm also typically one who prefers to let markets manage themselves until it's clear that government actually needs to step in. I'm afraid we're at that point, because it's abundantly clear that too many companies are willing to go to just about any lengths to extract personal data from people in unscrupulous ways (as well as the government itself, ironically, but we'll tackle that issue separately).

      So, yeah, it is actually a BFD. In fact, not every business customer uses their own system image - especially smaller business. And just because a personal user chooses specific services like Google whom they may trust, it does not give another company the right to make those decisions on their behalf. Many of those customers may well have chosen to avoid such services for that very reason. That choice was taken away from them, and instead, the computer they paid for was made less secure by that adware which was forced on them unknowingly. Fine, it's a first world problem, but that doesn't mean it's not a problem.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    13. Re:Lawyers rejoice!! by Anonymous Coward · · Score: 0

      Business customers use their own system image so they're unaffected by this malware.

      Ah, someone who's never worked for less than a Fortune 500 company....

      The vast majority of businesses do not have the resources for re-imaging their machines. This rarely happens for any small business, never for the ma-n-pa shops (any of your local businesses that don't have multiple locations) and still doesn't happen a lot in medium sized businesses.

    14. Re:Lawyers rejoice!! by dj245 · · Score: 4, Insightful

      I have a feeling this is less about recovering from damages and more about teaching them a formal lesson (well, cashing-in under the guise of teaching them a formal lesson).

      That's the entire point of a class action suit. To stop powerful companies from doing a large number of small harms and getting away with it.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    15. Re:Lawyers rejoice!! by mrlinux11 · · Score: 1

      Good luck getting the Chinese to follow US Law.

    16. Re:Lawyers rejoice!! by stephanruby · · Score: 4, Interesting

      I fail to see what kind of financial loss Lenovo customers might have incurred over this incident to warrant a class action suit.

      Even if the class action suit only wins one penny, it will be worth it. Having a verdict on this issue can set a legal precedent (especially since Lenovo is probably not interested in defending the case too hard either).

      For instance, it could pave the way for more easily winning a class action against Verizon. Verizon's case is a bit different, especially now that they're supposedly giving their customers the option to opt-out, but with a little bit of luck, a quick verdict on the Lenovo case could make Verizon reconsider its ongoing super-cookie/man-in-the-middle attack strategy against its own customers.

    17. Re:Lawyers rejoice!! by dissy · · Score: 3

      If it isn't a big deal, does that mean you will import my certificate authority public key as fully trusted into your computer and point your DNS client to my servers?

      No?

      Well now you might see why it is a big deal after all.

    18. Re:Lawyers rejoice!! by AaronW · · Score: 1

      My employer is not a Fortune 500 company and we just got a notice from IT that none of the corporate Lenovo laptops are affected and only consumer laptops are affected. This is most likely due to the fact that corporate laptops tend to not have all the usual consumer bloatware installed.

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
    19. Re:Lawyers rejoice!! by bigtrike · · Score: 1

      Agreed. The only way to hold them responsible is to hurt them financially.

    20. Re:Lawyers rejoice!! by fustakrakich · · Score: 2

      Hasn't worked too well, has it? Class action is a trivial business expense compared to what is gained. What should happen is a revocation of the corporate charter, and all revenues and properties seized a la *civil forfeiture*.

      --
      “He’s not deformed, he’s just drunk!”
    21. Re:Lawyers rejoice!! by Anonymous Coward · · Score: 0

      How large of an organization do you have to have before you start building your own LAPTOPs? Because I haven't heard of one company that does that themselves yet. (Apart from laptop manufacturers themselves.)

    22. Re:Lawyers rejoice!! by cheekyboy · · Score: 1

      What about various chrome extensions that have superfish embeded inside them?

      A while ago, flash video downloader was one, not sure if it still there... http://download.cnet.com/FVD-D...

      Google, do a better job, terminate all accounts to anyone using superfish.

      CNET are fuckwits too, stop serving malware, they should be raided by the FBI now.

      --
      Liberty freedom are no1, not dicks in suits.
    23. Re:Lawyers rejoice!! by thaylin · · Score: 1

      Well they will either follow the law or be forced out of the market.

      --
      When you can't win, ad hominem.
    24. Re:Lawyers rejoice!! by thaylin · · Score: 1

      His point was that not all businesses use business based laptops.

      --
      When you can't win, ad hominem.
    25. Re:Lawyers rejoice!! by Aaden42 · · Score: 4, Interesting

      That’s simple assuming anyone in the US actually gives enough of a damn. If fines are levied on Lenovo as a result of this lawsuit, US Customs would be within their power to seize any Lenovo merchandise shipped to the US at the border until all fines are paid in full.

      That’s a pretty good whack in the bottom line for any company, regardless of the nation in which they’re located. As long as they expect to sell their widgets to people physically located in the United States, US law can trivially be applied to them in such a way that they would need to comply before they may continue to operate profitably.

      Whether this suit will be successful of course is a completely different story, but there’s no problem enforcing any judgement which may emerge from it.

    26. Re:Lawyers rejoice!! by mattventura · · Score: 1

      I think they only installed it on their consumer line anyway, not any corporate models.

    27. Re:Lawyers rejoice!! by Anonymous Coward · · Score: 1

      Large organizations will pay more to get "business" laptops that in theory won't have this sort of crapware preinstalled. Large enough organizations may have a customized order contract which precisely specifies what software (if any besides the OS) is there.

    28. Re:Lawyers rejoice!! by Anonymous Coward · · Score: 0

      I'm also typically one who prefers to let markets manage themselves until it's clear that government actually needs to step in.

      The problem is this is the United States. We need the government to STEP OUT! It is criminals like the NSA/FBI/DEA/DOJ that are demanding government back doors in EVERYTHING so they can spy on us without having probable cause to do so. Every computer hacking/theft of data is a direct result of the NSA deliberately weakening encryption and other computer safeguards solely for the benefit of the NSA's snooping agenda. Every Chinese and Russian hacker grabbing credit card numbers to sell thanks them. Superfish is yet another piece of software that should have earned the programmers that wrote it life in prison without the possibility of parole.

    29. Re:Lawyers rejoice!! by colinwb · · Score: 1

      Lawyers don't sue people, people sue people?

    30. Re:Lawyers rejoice!! by DUdsen · · Score: 1

      My employer is not a Fortune 500 company and we just got a notice from IT that none of the corporate Lenovo laptops are affected and only consumer laptops are affected. This is most likely due to the fact that corporate laptops tend to not have all the usual consumer bloatware installed.

      But those models also get an actual price tag for Windows Pro, and if you buy in volume (20+) through a retailer you can get them OS-free. Dell sells Linux laptops through the back door, and all of the large vendors will charge separately for Windows Professional and deliver them with stock Microsoft settings and not do the bundling discount they do for consumer laptops, but you pay more for those systems than similarly specced consumer laptops.

      The core problem is that we don't consider discount through bundling 3rd party software as illegal trade-harming cartel activity, which is why it won't be the last time some company bundles malware, but then again those parts of "Wealth of Nations" that deal with the dangers of cartels have more or less been censored out of the copies US students are taught from.

    31. Re:Lawyers rejoice!! by rdnetto · · Score: 1

      I have a feeling this is less about recovering from damages and more about teaching them a formal lesson (well, cashing-in under the guise of teaching them a formal lesson).

      That's the entire point of a class action suit. To stop powerful companies from doing a large number of small harms and getting away with it.

      Ironically, awarding damages on an individual basis to the claimants would be far more punitive than whatever damages are awarded.

      --
      Most human behaviour can be explained in terms of identity.
    32. Re:Lawyers rejoice!! by rdnetto · · Score: 1

      They shouldn't just be hit via a class action suit (assuming Lenovo isn't sticking a "binding arbitration" clause to defeat the ability for consumers to seek recourse) but Federal prosecution under one of the many computer security laws that would string up anyone else.

      Honest question: is putting a backdoor/vulnerability into a product actually a crime in the US? As I understand it, most of the computer security laws are about actively breaking in ("gaining access"). The closest I can think of are contractual issues with sale ("fitness for purpose") and negligence, but both of those are civil.

      --
      Most human behaviour can be explained in terms of identity.
  4. How's this any different... by Anonymous Coward · · Score: 0

    ...than all the bloatware other pc manufacturers put all over Windows machines?

    1. Re:How's this any different... by Mister+Transistor · · Score: 1

      Because (most) bloatware doesn't spy on you or perform MITM attacks on your (supposedly secure) web browsing.

      Maybe this will spell an end to this bundling horseshit, or at least make them VERY leery of what they choose to pollute new systems with. If they lose enough...

      --
      -- You are in a maze of little, twisty passages, all different... --
    2. Re:How's this any different... by fuzzyfuzzyfungus · · Score: 4, Informative

      This fine bloatware didn't merely act as an MiTM, it did so so incompetently that it exposed the user to basically any MiTM attack on an SSL connection (the root cert it used to sign bogus certificates was identical across every installation and effectively unprotected, and the MiTM component would re-sign any cert handed to it, even an invalid one, opening the user to downright trivial MiTM attacks).

      Even if the actual behavior of the bloatware were downright saintly(which is not the case) it was so incompetently constructed as to be indistinguishable from malice.

    3. Re:How's this any different... by nyet · · Score: 2, Informative

      This fine bloatware didn't merely act as an MiTM, it did so so incompetently that it exposed the user to basically any MiTM attack on an SSL connection (the root cert it used to sign bogus certificates was identical across every installation and effectively unprotected, and the MiTM component would re-sign any cert handed to it, even an invalid one, opening the user to downright trivial MiTM attacks).

      Many "enterprise" (lol) class proxies (deployed by corporations to "protect" their internal networks) do the exact same thing.

    4. Re:How's this any different... by Anonymous Coward · · Score: 2, Insightful

      Their network, their rules. A company doing this sort of thing on their own hardware, which is there for employee work purposes, is not comparable to Lenovo shipping millions of consumer units with this stuff surreptitiously installed.

    5. Re:How's this any different... by eth1 · · Score: 4, Interesting

      Many "enterprise" (lol) class proxies (deployed by corporations to "protect" their internal networks) do the exact same thing.

      Totally different:
      1. In a proxy, the key used to sign MITM traffic is on a device not accessible to anyone but the admins, not stored on a PC (probably improperly secured) that other malware could access.
      2. A good proxy will check certs on the server side of the connection. The one we use will either "pass through" certificate errors, or allow us to block sites with invalid certs entirely.
      3. A proper setup will use the URL categorization to not MITM certain traffic. We decrypt anything that's blocked (you have to in order to deliver a block page without cert errors), but that's not a big deal since it never even talks to the server. We also don't decrypt healthcare, banking, shopping, etc.
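
      The distinction fuzzyfuzzyfungus and eth1 are drawing (re-signing whatever the upstream server presented versus verifying the upstream chain first, eth1's point 2) can be made concrete. The following Go program is an added example, not code from the original posts or from Superfish, Komodia or Lenovo. It generates three throwaway CAs in memory with Go's crypto/x509 (a stand-in public root, an attacker's self-signed CA, and the interception root that was added to the client's trust store), issues a genuine and a forged certificate for the constructed hostname shop.example, and pushes each through both proxy behaviours. All CA names, the hostname and the function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA bundles a certificate with its signing key. Every CA and hostname in this
// file is constructed for the example; none is a real root or site.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newKey generates a fresh P-256 key; setup failures are not the point, so panic.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from tmpl under parent/key (tmpl itself for a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA creates a self-signed CA with the given name.
func newCA(name string) *CA {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return &CA{Cert: sign(tmpl, tmpl, &key.PublicKey, key), Key: key}
}

// issueLeaf signs a server certificate for host under ca.
func (ca *CA) issueLeaf(host string) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca.Cert, &key.PublicKey, ca.Key)
}

// verifyChain checks that leaf chains to a root in roots and is valid for host.
func verifyChain(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// resignBlindly is the behaviour the thread describes: the upstream certificate
// (the ignored parameter) is replaced by one from the interception CA without
// being checked, so the client never learns that the original chain was bad.
func resignBlindly(icept *CA, _ *x509.Certificate, host string) (*x509.Certificate, error) {
	return icept.issueLeaf(host), nil
}

// resignChecked verifies the upstream chain against the public roots first and
// passes a failure through as an error instead of laundering it.
func resignChecked(icept *CA, upstream *x509.Certificate, host string, roots *x509.CertPool) (*x509.Certificate, error) {
	if err := verifyChain(upstream, host, roots); err != nil {
		return nil, fmt.Errorf("upstream certificate for %s rejected: %w", host, err)
	}
	return icept.issueLeaf(host), nil
}

// Outcome records whether a client that trusts the interception root accepts each connection.
type Outcome struct {
	BlindAcceptsGenuine, BlindAcceptsForged     bool
	CheckedAcceptsGenuine, CheckedAcceptsForged bool
}

// RunScenario pushes a genuine and a forged upstream certificate through both behaviours.
func RunScenario() Outcome {
	const host = "shop.example"
	publicCA := newCA("Constructed Public Root")
	rogueCA := newCA("Constructed Rogue CA") // an on-path attacker's self-signed CA
	icept := newCA("Constructed Interception Root")
	genuine, forged := publicCA.issueLeaf(host), rogueCA.issueLeaf(host)

	publicRoots := x509.NewCertPool()
	publicRoots.AddCert(publicCA.Cert)
	clientRoots := x509.NewCertPool() // the client's store after the interception root was added
	clientRoots.AddCert(icept.Cert)

	accepts := func(c *x509.Certificate, err error) bool {
		return err == nil && verifyChain(c, host, clientRoots) == nil
	}
	return Outcome{
		BlindAcceptsGenuine:   accepts(resignBlindly(icept, genuine, host)),
		BlindAcceptsForged:    accepts(resignBlindly(icept, forged, host)),
		CheckedAcceptsGenuine: accepts(resignChecked(icept, genuine, host, publicRoots)),
		CheckedAcceptsForged:  accepts(resignChecked(icept, forged, host, publicRoots)),
	}
}

func main() {
	out := RunScenario()
	fmt.Printf("blind re-signing:   genuine=%v forged=%v\n", out.BlindAcceptsGenuine, out.BlindAcceptsForged)
	fmt.Printf("checked re-signing: genuine=%v forged=%v\n", out.CheckedAcceptsGenuine, out.CheckedAcceptsForged)
}
```

      Run with `go run .`; the blind proxy makes the client accept the forged chain as readily as the genuine one, while the checked proxy rejects it. The example models only eth1's point 2; point 1 (keeping the signing key off the endpoint) and point 3 (bypassing sensitive categories) are deployment decisions rather than code paths and are not shown.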

    6. Re:How's this any different... by fuzzyfuzzyfungus · · Score: 2

      There's also the basic difference that 'enterprise' MiTM-ing is potentially kind of a dick move, depending on exactly how hard HQ feels like squeezing somebody's innocent checking of their email over lunch or whatever; but it's a fairly clear exercise of control over hardware by that hardware's owner.

      Seeding hardware with malware and then selling it? Not so much. Yeah, maybe there is some nonsense clickwrap EULA; but there is no real consent of any kind, or even a proper warning.

      If only for your own sake (having your own employees getting fooled because your MiTM proxy re-signs bogus certs without flagging them would be counterproductive) odds are that 'enterprise' systems are also more competent; but even if they aren't it's a pretty major difference in scope.

      In my own admin-ly capacity, playing content cop is something I do reluctantly, and only as much as network security requires; but we never tamper with devices we don't own (deny them access to the network, sure, touch them, never) and staff are proactively warned and welcome to ask in more detail, if they wish, about what we do and why we do it.

  5. Seems pointless to sue by damn_registrars · · Score: 2

    We've seen how much energy is wasted when customers try to sue to get refunded for the Windows license they don't use on their PC. Why would this turn out better? Yeah, it sucks that they did it but the big difference here is someone caught them doing it.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Seems pointless to sue by oodaloop · · Score: 2

      Well, with that attitude nothing will ever get accomplished.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:Seems pointless to sue by Anonymous Coward · · Score: 0

      Well, with that attitude nothing will ever get accomplished.

      Right?

      I noticed this the other day when there was an article about the suit against nvidia - and, to be honest, in just about any article where there's people suing with the scope of a class action.

      It's like there's 3 options:
      A. You just let the companies screw you over because you can't be arsed to care about being screwed over and/or you don't want lawyers getting any money, thus perpetuating the status quo of companies screwing you over - apathy win.
      B. You go to court individually and you might get a decent judgment, but likely at far too great a cost to you (direct costs, loss of PTO, potentially loss of job if the case drags on, etc.), personally, to be worth it... and it doesn't help anybody else except to give other lawyers a case reference.
      C. You join the class action - generally by sitting on your butt and not opting out, though in some cases it can be opt-in - with the full understanding that you might only get a token amount in restitution while the lawyer(s) get a whole chunk, but more importantly the realization that companies do not like class action suits because they tend to cost them an even larger chunk of money (if lost) not only in direct costs, but in administration, paperwork, etc. as well - so they try to avoid them by either a. disallowing class action suits in their legal suits (insisting on arbitrage instead) or b. trying harder not to screw you over in the future (or at least try harder not to get caught), benefiting all consumers indirectly.

      Of these three options, a lot of commenters are basically saying you should just go with option A because B is obviously not good, and oppose option C because `only the lawyers win` read: `because I don't personally get a million bucks`

    3. Re:Seems pointless to sue by damn_registrars · · Score: 1

      Well, with that attitude nothing will ever get accomplished.

      That's not true. I didn't say don't do anything, I just said the lawsuit seems pointless. The payout from the lawsuit could be effectively zero for the consumer. They could find more useful ways to exert pressure on the company than this (especially when one considers that Lenovo is Chinese, which severely reduces the likelihood of getting a verdict against them enforced).

      All that the class action suit would do is line the pockets of some opportunistic attorneys (who get paid regardless of the outcome).

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    4. Re:Seems pointless to sue by Anonymous Coward · · Score: 0

      1. If you are lead plaintiff and win, you get the payout everyone else wants. And the lawyers make bank.
      2. The seediest of law firms are the ones who take these cases, hoping to make a name for themselves with a win or settlement.
      3. It's highly likely for a settlement. In this case, lead plaintiff gets a payout, law firm really wins over "legal fees."
      4. In a dismissal, the law firm probably would have spent more hours looking at porn than investigating this actual case, but gets to put it on their resume.

      Law firm is playing the odds that they'll come out on top no matter what.

    5. Re:Seems pointless to sue by fermion · · Score: 1

      Suppose I sold people a full featured high end computer for $100. Suppose in the EULA I said I would collect data that would be aggregated and sold. Suppose I used technologies such as the web cam and keystroke monitor to collect such data. No data was personally identified to a machine, but I sold the video and emails to interested collectors.

      I assume that this would be like buying a useless windows license, and there would be no point to sue.

      Lenovo did something very very bad. It put users' privacy and personal information at great risk. It was not just replacing ads. It was security certificates, potential back doors, full system security failure. The point of this lawsuit is not to recompense for damage, but to make sure there is a line that will not be crossed when PC manufacturers try to maximize profits for inexpensive consumer machines.

      Of course we know that the manufacturers have to sell out the users in order to generate a profit. This is the deal that consumers make. The consumer gets a cheap PC in exchange for being exploited in the long term. It works and most consumers do not seem to have an issue with the deal. But there must be a line, and those that cross it must be punished.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    6. Re:Seems pointless to sue by tnk1 · · Score: 1

      Is your point to get a million dollars out of them, or is it to discourage them from doing this to you again?

      If you want a million bucks out of them, you could win. Maybe. On February 30th.

      If you want the company to be "corrected" or simply punished, then hit them with the class action suit.

      The victory in the class action suit is that you punished them, and you did, by getting more money out of them than you ever would have alone. The fact that it benefits lawyers is irrelevant. You paid nothing to get it done, and the lawyers did what you could not.

      There are problems with relying on lawyers. Perhaps the government should regulate more, but that's not free to you either. You will pay more taxes for more enforcement. At least with lawyers and a class action suit, you're not even indirectly footing the bill, and private lawyers can be very effective in extracting as much as possible from their targets.

      There is a point to these lawsuits, but it is not about financial compensation. It is about future outcomes where no one does that thing again (and maybe a little revenge). You may or may not benefit from the future outcomes. Certainly, like in the case of laptops, if you punish them now, you will be much less likely to face a problem when you buy your next laptop from *any* laptop manufacturer. If you pursued the suit yourself, you might lose and that judgement could embolden the perpetrator, instead of chastising them.

    7. Re:Seems pointless to sue by damn_registrars · · Score: 1

      In the case of the Lenovo systems, there is an option D. Option D is put your own OS on it. If you're not inclined to use a *nix OS, you could even have someone else install your favorite version of Windows on it. Considering in the class-action you'd be lucky to get $5 - and you're still on the hook to get rid of superfish somehow through your own action - this would likely be a better option for a lot of people.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    8. Re:Seems pointless to sue by david_thornley · · Score: 1

      Option D is the same as Option A. You let them get away with whatever and try to deal with the damage done.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  6. An army of lawyers by Anonymous Coward · · Score: 0

    All of the computer and mobile companies, and most likely Google, will unleash their lawyers to descend upon this Jessica Bennet. Nothing will remain but a steaming void of sulfur and brimstone where her savings account used to be.

    So you have a problem with preinstalled adware/spyware in computer sales? I don't think she realizes what kind of fight she's up against.

  7. Is this the right way? by GrooveNeedle · · Score: 4, Insightful

    I think we all want Lenovo's feet held to the fire for this one, but what is the right course of action? A class action lawsuit, that benefits few people in the class, but enriches lawyers... Or a criminal prosecution under the Computer Fraud and Abuse Act for aiding malicious actors in installing their malware/spyware?

    1. Re:Is this the right way? by Anonymous Coward · · Score: 0

      Criminal! One count of whatever offense a MITM attack falls under for everyone involved in the decision to put this crap on.

    2. Re:Is this the right way? by GrooveNeedle · · Score: 1

      Actually, it would be one count PER "infected" computer, I think.

    3. Re:Is this the right way? by fustakrakich · · Score: 1

      No criminal charges are necessary. A simple revocation of their charter and seizure of assets will have the desired effect. The problem is that business owns the government so basically nothing will happen until the voters wake up.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Is this the right way? by ShaunC · · Score: 1

      Why not both? It's not like losing a civil complaint would absolve Lenovo of criminal liability. A lawsuit is the only option available to the consumer.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    5. Re:Is this the right way? by swb · · Score: 3, Interesting

      Why not both? AFAIK there is no double-jeopardy protection between civil and criminal cases.

      Sure, the lawyers could get rich on a class action settlement but you never know, the class could get something useful out of this. I don't know what's involved in removing this spyware, but you could potentially argue for something like 4 hours of skilled time per system just to clean it as a rough median (maybe much less for brand new systems, maybe much more for systems that would need to be wiped, re-setup and have apps and data put back on). And that doesn't include any claims for damages resulting from the infection itself, just remediation. Even if Lenovo bargained that down to half, in theory they could be on the hook for $200 per machine.

    6. Re:Is this the right way? by mwa · · Score: 2

      I'd be happy if the judgement required mandatory inclusion of vanilla OS install media.

      I install Linux but whenever I want to help family I'd love to start from a certified MS DVD.

    7. Re:Is this the right way? by Anonymous Coward · · Score: 0

      The right course of action is the one that gets this issue lots of publicity. Enough publicity that Lenovo owners flame Lenovo and Lenovo is forced to respond, by more than just hush-money against the suit. Maybe the lawsuit will do that. Honestly not sure what will.

  8. This is why... by Anonymous Coward · · Score: 0

    we can't have nice things....

  9. Uh, spyware? by Anonymous Coward · · Score: 0

    That's like suing someone who is battering down the walls of your house for being a peeping Tom.

    The problem is not the amount of spying that Superfish did. The problem is that they melted down SSL and HTTPS for that: any site with self-signed certificates from invalid root certificates magically gets resigned as valid by the Superfish ware and gets displayed as legit by browsers.

    The computers are open to everyone completely by this crapware, with SSL becoming useless. If blackhats pooled all their money for destroying security on all computers of a major player, they would not have been able to come up with a better scheme.
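The point this post makes about re-signed certificates can be shown with a constructed trust-store scenario. The Go program below is an added example written for this thread; it is not code from the original post, from Lenovo or from Superfish, and every CA name, host name and serial number in it is made up. It issues a certificate for a constructed host from a trusted root, shows that a certificate for the same host from an unknown CA fails verification the way a browser would reject it, then adds a constructed interception root to the store and shows that the same host re-signed under that root verifies. The last function lists roots that are not on an expected baseline, which is the defender's check that surfaces such a root in a machine's trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate from tmpl: self-signed when parent is nil, otherwise signed by parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template builds a CA or server certificate template for name; the serial numbers are constructed.
func template(name string, ca bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// verifies reports whether leaf chains to one of roots for host, the check a browser performs.
func verifies(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// auditRoots lists root subjects that are not on the expected baseline, i.e. roots someone added.
func auditRoots(roots []*x509.Certificate, baseline map[string]bool) []string {
	var out []string
	for _, r := range roots {
		if !baseline[r.Subject.CommonName] {
			out = append(out, r.Subject.CommonName)
		}
	}
	return out
}

// runScenario builds constructed CAs and certificates (no real CA or site names) and runs the checks.
func runScenario() (legitOK, rogueOK, interceptedOK bool, unexpected []string, err error) {
	const host = "bank.example" // constructed host name
	issue := func(tmpl, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, e := newCert(tmpl, parent, pk)
		if e != nil && err == nil {
			err = e
		}
		return c, k
	}
	trustedCA, trustedKey := issue(template("Constructed Trusted Root", true, 1), nil, nil)
	rogueCA, rogueKey := issue(template("Constructed Rogue Root", true, 2), nil, nil)
	interceptCA, interceptKey := issue(template("Constructed Interception Root", true, 3), nil, nil)
	legit, _ := issue(template(host, false, 10), trustedCA, trustedKey)
	rogue, _ := issue(template(host, false, 11), rogueCA, rogueKey)
	resigned, _ := issue(template(host, false, 12), interceptCA, interceptKey)
	if err != nil {
		return
	}
	store := []*x509.Certificate{trustedCA} // the trust store as it should ship
	legitOK, rogueOK = verifies(legit, store, host), verifies(rogue, store, host)
	store = append(store, interceptCA) // preloaded software adds its own root to the store
	interceptedOK = verifies(resigned, store, host)
	unexpected = auditRoots(store, map[string]bool{"Constructed Trusted Root": true})
	return
}
```

With only the expected root in the store the rogue certificate is rejected, exactly as a self-signed or mis-issued certificate would be in a browser; once the interception root is trusted, anything re-signed under it passes. The baseline comparison in auditRoots is the part to run against a real store: an unexpected root whose private key left the machine with the vendor is the condition the post describes.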

  10. Re:Hosts files stall this easily... apk by Anonymous Coward · · Score: 0

    Your post reads like the Book of the SubGenius.

  11. Next on the docket... by fahrbot-bot · · Score: 1

    She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits.

    Is she going to sue her ISP for doing the same thing?

    --
    It must have been something you assimilated. . . .
    1. Re:Next on the docket... by GrooveNeedle · · Score: 2

      To be honest, that is poorly worded. As you pointed out, ISPs typically do that, as well as many websites, like Facebook. However, if the suit was phrased in a way that included the act of a MITM attack, I'd like to think it has some teeth.

    2. Re:Next on the docket... by Anonymous Coward · · Score: 0

      HTF does a website (a la Facebook) perform MITM on a browser?

    3. Re:Next on the docket... by GrooveNeedle · · Score: 1

      HTF does a website (a la Facebook) perform MITM on a browser?

      It doesn't. That's not what was being said. The original post stated, "invading her privacy and making money by studying her Internet browsing habits." That is definitely something websites do.

  12. Israeli spy software by Anonymous Coward · · Score: 0

    Why is this legally allowed to be used at all?

    1. Re:Israeli spy software by Anonymous Coward · · Score: 0

      If you are implying the fact that it is Israeli based then you are in for a rude shock. Quite a lot of the security software in the industry originates in Israel.

  13. Common misconception about class action suits by JoeyRox · · Score: 5, Insightful

    It's a common refrain to say that nobody benefits from class action suits except the lawyers. While that may be true for the class litigants themselves it is entirely untrue for the public at large. The purpose of large punitive rewards is to penalize corporate misbehavior and in turn incentivize good behavior. By that measure we all benefit from these suits.

    1. Re:Common misconception about class action suits by DRJlaw · · Score: 1

      It's a common refrain to say that nobody benefits from class action suits except the lawyers. While that may be true for the class litigants themselves it is entirely untrue for the public at large.

      It's only true for the class members at large, if at all, because they typically refuse to pay any attention to the class litigation and/or court approval of the settlement. If you think that a settlement is only enriching the class lawyers -- OBJECT TO IT.

      It's a common refrain, yet almost nobody attempts to file objections with judges, much less retain legal counsel who might successfully oppose a settlement, because that would mean expending actual effort. If the class target, the class lawyers, and the class representatives are telling the judge that a settlement is fair, and nobody opposes that position, what do you expect to have happen?

      Judges are an independent check on class shenanigans, but only to the extent that any extremely busy professional receiving information from only one side can be. Just like in every other aspect of life, you must offer decisionmakers -- whether employers, politicians, or judges -- sound reasons for supporting and advancing your interests above other, competing interests.

      If you do not, you can hardly be surprised at what you get.

  14. Lenovo is NOT IBM for sure by Anonymous Coward · · Score: 4, Insightful

    I think it should be clear to everyone now. Lenovo is not IBM and it may have managed to retain some of the reputation of the IBM branding that went with its computers. But with one mistake it has managed to wipe that all away with SuperFish. I learned my lesson a couple years ago that Lenovo was not IBM and it would never be anything close. I would not buy another Lenovo PC if they sold them for a dollar. I hope Lenovo pays dearly for this mistake, and I hope other PC makers see this as a lesson to not sell out its customers to some two bit crapware company to earn a few bucks.

  15. It was a matter of time... by ameoba · · Score: 4, Insightful

    This is exactly the sort of crap everyone was predicting when IBM sold their PC line to Lenovo.

    The only thing that surprises me is that it took so long.

    --
    my sig's at the bottom of the page.
  16. Obligatory Car Analogy by penguinoid · · Score: 1

    When you go to buy a car, Superfish hires a team of gnomes to destroy the original documents, such as fliers or the title to your car, and replace it with their own documents with their ads included. If they were signed documents, then they forge the signatures as well.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Obligatory Car Analogy by Anonymous Coward · · Score: 0

      The problem is that they forge the signatures on anything put under your windscreen wipers and put it in your glove compartment.

  17. Huge Ramifications to All Companies by FrodoOfTheShire · · Score: 3, Interesting

    If the Class Action is successful, then other companies could be sued too. Samsung started accidentally inserting ads right into television broadcasts while a show was playing recently. They built their ad serving infrastructure right into the televisions they sold. Samsung and Lenovo are stealing internet bandwidth to show their self serving ads, and without users' knowledge, as well as compromising the security and privacy a user should expect to have.
    I expect Lenovo will get a lot of support from corporations like Samsung in this class action suit because of the ramifications the outcome of the case has for the other corporations.

  18. FBI, sic em! by TiggertheMad · · Score: 1

    Who cares who benefits financially? By punishing Lenovo's ILLEGAL behavior and driving them from the marketplace, society benefits. If we have to send an army of lawyers as mercs for hire to get them to do what federal prosecutors should be doing, so be it.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
    1. Re:FBI, sic em! by PsychoSlashDot · · Score: 1

      Who cares who benefits financially? By punishing Lenovo's ILLEGAL behavior and driving them from the marketplace, society benefits. If we have to send an army of lawyers as mercs for hire to get them to do what federal prosecutors should be doing, so be it.

      What? Wait. Grow some perspective.

      Lenovo accepted remuneration in return for installing a program that injects ads and presumably reports statistics. How is that logically different from installing the Google Toolbar on IE? Right. It isn't.

      Oh, but the software is poorly implemented and could allow unexpected access to the users' data. How is that logically different from installing Java, Flash, and Adobe Reader, each of which has repeatedly been found to have massive security vulnerabilities? Right. It isn't.

      Fact is, Lenovo didn't do anything new here. Certainly nothing illegal, all-caps or not.

      --
      "Oh no... he found the .sig setting."
  19. Ubuntu on Lenovo Models .. by lippydude · · Score: 1

    'Canonical works closely with Lenovo to certify Ubuntu on a range of their hardware.'

  20. Re:Dumb by Anonymous Coward · · Score: 0

    No, we don't.

    It's because we are so fucking brilliant, we have our work done in record time, thus allowing us to slack off and make inane posts about computer security issues.

  21. Tin Foil Hat Time by TechyImmigrant · · Score: 3, Insightful

    The slideware published on government attempts to undermine SSL web traffic suggests they are supremely interested in trying anything they can.
    Getting a trusted cert with a key they control installed on a large number of laptops is a dream come true.
    So who is actually behind Komodo?

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  22. The last sentence was interesting.... by sconeu · · Score: 2

    "She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits".

    To me, this was more interesting than all the rest. It has the potential to break the big telcos, cable companies, Google, and anyone else who makes a living by tracking your browsing habits to serve you "targeted advertising".

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  23. Komodia NOT Komodo by Anonymous Coward · · Score: 0

    Don't you mean Komodia ?

    Komodo is a very nice multi-platform text editor and IDE made by ActiveState.

    Komodia is the company responsible for the underpinning toolkit used by Lenovo to invade their customers' privacy

    1. Re:Komodia NOT Komodo by TechyImmigrant · · Score: 1

      Yes. Now where's that button to edit my slashdot post?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  24. Hosts files stall this easily... apk by Anonymous Coward · · Score: 0

    0.0.0.0 superfish.com
    0.0.0.0 www.superfish.com

    Add those to your custom hosts file & voila: NO MORE REDIRECTS to them via bogus SSL inserts...

    (There are also directions galore online on HOW TO REMOVE IT -> http://www.bing.com/search?q=superfish+redirect&qs=n&form=QBLH&pq=superfish+redirect&sc=1-19&sp=-1&sk=&cvid=c9c7f7659655450589dd72723c746b3b by removing the bogus SSL cert, easily... )

    * Advertisers = Scum of the earth with NO SHAME & dirty pool tactics!

    (So, that all said & aside: Anyone wondering WHY I designed the program below after reading about this (& others like it who did the SAME trick 12 yrs. ago like GATOR + Zango)? Don't wonder - Advertisers steal your bandwidth & make you vulnerable to man-in-the-middle redirect attacks via these bogus methods (as well as serving infected ads galore over time)...

    APK

    P.S.=> For the BEST hosts file vs. this threat & others like it?

    APK Hosts File Engine 9.0++ SR-1 32/64-bit -> http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Download & MalwareBytes = BEST antivirus http://www.av-test.org/en/news/news-single-view/17-software-packages-in-a-repair-performance-test-after-malware-attacks/
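A way to confirm that hosts entries like the two above actually took effect, as an added example written for this thread rather than code from the post or from the APK tool it advertises: the Go program below parses a hosts file (the sample file is constructed for the example), ignores comments and blank lines, and reports which of the given domains are pinned to a sinkhole address (0.0.0.0 or loopback). Such an entry only stops the machine from reaching the adware's domain; the post itself points at removing the bogus SSL certificate, which a hosts file does nothing about.

```go
package main

import (
	"bufio"
	"net"
	"strings"
)

// constructedHosts is a sample hosts file written for this example.
const constructedHosts = `# constructed sample hosts file
127.0.0.1   localhost
0.0.0.0     superfish.com
0.0.0.0     www.superfish.com   # the two entries from the post above
192.0.2.10  intranet.example
`

// parseHosts maps each hostname in a hosts file to the address on its line,
// skipping blank lines, comments and lines whose first field is not an IP;
// later lines override earlier ones, as resolvers treat them.
func parseHosts(text string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || net.ParseIP(fields[0]) == nil {
			continue
		}
		for _, h := range fields[1:] {
			out[strings.ToLower(h)] = fields[0]
		}
	}
	return out
}

// isSinkhole reports whether addr keeps traffic on the local machine
// (the unspecified address 0.0.0.0 or ::, or a loopback address).
func isSinkhole(addr string) bool {
	ip := net.ParseIP(addr)
	return ip != nil && (ip.IsUnspecified() || ip.IsLoopback())
}

// sinkholed reports, for each domain asked about, whether the hosts file
// pins it to a sinkhole address; lookups are case-insensitive.
func sinkholed(text string, domains []string) map[string]bool {
	hosts := parseHosts(text)
	out := make(map[string]bool, len(domains))
	for _, d := range domains {
		addr, ok := hosts[strings.ToLower(d)]
		out[d] = ok && isSinkhole(addr)
	}
	return out
}
```

Feed it the contents of the real hosts file and the domains you expect to be blocked; a domain that comes back false either has no entry or points somewhere other than the local machine.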

  25. Reputational damage by Required+Snark · · Score: 1

    Another aspect of a class action suit is reputational damage. The very fact of bringing a suit is negative publicity. Lenovo has a strong incentive to settle because the longer it is before the case is settled the more negative publicity there will be.

    This is why these kinds of thing never go to trial, and why the company always makes sure they never admit guilt. When they settle to "put it behind" themselves, it's like a cat burying its shit. They can pretend that it never happened in the first place.

    As for making things better in the long run, forget it. Lenovo will do what all other large companies do, which is settle and offer discounts to people who bought the offending systems. This costs them nothing. In fact, they may make more money on the deal because they move more product, and very few consumers take advantage of these offers. As other people have already said, the only ones who make out are the lawyers.

    What's actually needed is consumer protection that means something and has teeth. However, in the current political climate, hell will freeze over before that happens. Big business can commit any crime and get away with it, and even make money as a result. Just search for "HSBC tax evasion" if you want to see a breaking scandal like this.

    --
    Why is Snark Required?
  26. This is greed, not a mistake or carelessness. by snake_case_hoschi · · Score: 1

    I like ThinkPads, they offer good quality and a clean design and they run well with GNU/Linux. So I'm really okay with Lenovo, but in this case I hope the class action succeeds.
    This is not a mistake or carelessness, which could happen. Just fix it and everybody is glad.
    This is greed. They spied on their own customers to sell advertisements (with the purpose to get even more of your money) and sacrificed (the technical reason doesn't matter) the security of the customers. This is not okay.

    So I hope Lenovo and the industry will learn from this. Offer only devices (laptops, computers, smartphones, appliances and even cars) with a clean installation; this is and always was what a customer requires. Additionally, the option to select no pre-installed system at all. This mad industry-wide practice should have been stopped years ago.

    Sorry Lenovo, please learn the lesson! I hope the car industry will not copy the bad behaviour of the computer industry.

  27. buy a lenovo now? by neurovish · · Score: 1

    Can I buy a superfish loaded Lenovo laptop now, then join a lawsuit?