Lenovo Hit With Lawsuit Over Superfish Adware
An anonymous reader writes with news that the fallout from the Superfish fiasco might just be starting for Lenovo. "Lenovo admitted to pre-loading the Superfish adware on some consumer PCs, and unhappy customers are now dragging the company to court on the matter. A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with 'fraudulent' business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware. Plaintiff Jessica Bennett said her laptop was damaged as a result of Superfish, which was called 'spyware' in court documents. She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits."
I hope it costs both of them twice what they earned
The EULA that is part of clicking through to use the PC states Superfish's conditions.
This lawsuit will be tossed out before it ever hits a court of law, just because EULAs have a legal precedent of being incredibly enforceable.
We've seen how much energy is wasted when customers try to sue to get refunded for the Windows license they don't use on their PC. Why would this turn out better? Yeah, it sucks that they did it but the big difference here is someone caught them doing it.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
How about the security flaws in the spyware? If it's a "BFD", go ahead and install it on your own system.
Because (most) bloatware doesn't spy on you or perform MITM attacks on your (supposedly secure) web browsing.
Maybe this will spell an end to this bundling horseshit, or at least make them VERY leery of what they choose to pollute new systems with. If they lose enough...
-- You are in a maze of little, twisty passages, all different... --
Small businesses often source COTS equipment, and can't afford a dedicated IT dept to produce and maintain system images.
This means they get crapware in a business setting.
I have a feeling this is less about recovering from damages and more about teaching them a formal lesson (well, cashing-in under the guise of teaching them a formal lesson).
I think we all want Lenovo's feet held to the fire for this one, but what is the right course of action? A class action lawsuit, that benefits few people in the class, but enriches lawyers... Or a criminal prosecution under the Computer Fraud and Abuse Act for aiding malicious actors in installing their malware/spyware?
The reason for the lawsuit is so that, the next time Lenovo or any other computer maker is deciding whether to include some adware or browser hijacker with their Windows OS install, they decide against doing so because of legal liability.
Companies care more about the bottom line than anything else. Computer makers will not stop putting crapware on computers until it costs more for them to add the crapware (via lawsuit settlements, etc.) than they get in kickbacks from the crapware makers.
Yeah it's a BFD, Lenovo took money to install an application that deliberately reduced end user security for the sake of inserting ads into their browsing activities! Not only is it completely bereft of ethics and respect for their customers, it's actively dangerous.
They shouldn't just be hit via a class action suit (assuming Lenovo isn't sticking a "binding arbitration" clause to defeat the ability for consumers to seek recourse) but Federal prosecution under one of the many computer security laws that would string up anyone else.
>This leaves us unscrupulous lawyers, who'll get all the money
Lawyers are like mercenaries. They get hired by people to do things that the people can't do themselves. Lawyers on their own do nothing, and have no motive aside from getting hired. The lawyers aren't the problem, it is the people asking the lawyers to act.
This fine bloatware didn't merely act as an MiTM, it did so so incompetently that it exposed the user to basically any MiTM attack on an SSL connection (the root cert it used to sign bogus certificates was identical across every installation and effectively unprotected, and the MiTM component would re-sign any cert handed to it, even an invalid one, opening the user to downright trivial MiTM attacks).
Even if the actual behavior of the bloatware were downright saintly (which is not the case), it was so incompetently constructed as to be indistinguishable from malice.
Which is why it should be a criminal or regulatory investigation instead. However, because of the way our legal system is put together, this kind of DIY justice is pretty much the only option. People resort to class action lawsuits because prosecutors and law enforcement have written themselves out of responsibility and delegated enforcement of such laws to the consumer. Many laws and regulations are ONLY triggerable via class action lawsuit.
The loss of time and effort to figure out whether this is going to cause a problem and then the time and effort to get rid of it.
That loss is obviously not much on a dollar-per-user basis, but if you add up all those users it's enough to incent Lenovo to do something so scurrilous. That's precisely the situation which class action lawsuits exist to redress, and according to the article that's the kind of lawsuit that has been filed.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Going one step further, the problem is not even the people who hire the lawyers, but the legislators who crafted law enforcement out of the laws. People would not have to hire mercenaries if regulators and prosecutors were actually doing their jobs, but political expediency meant LEO does not have to do any of that pesky regulation enforcement against companies and keeps that cozy relationship between business and politics comfortable.
You missed the whole Komodia/Superfish kerfuffle, I gather: http://arstechnica.com/securit...
I'm not usually one to celebrate lawsuits. And you're right, there's not a lot of individual damage per computer. Rather, I'm perfectly fine with a modest payout per users that punishes Lenovo for this, both monetarily and with bad press. This sort of behavior absolutely has to stop, and I'm willing to enrich a few lawyers to make it happen. Sacrifices must be made for the greater good, I suppose.
Maybe this will wake people up to the fact that we seriously need some stronger consumer privacy laws. I'm also typically one who prefers to let markets manage themselves until it's clear that government actually needs to step in. I'm afraid we're at that point, because it's abundantly clear that too many companies are willing to go to just about any lengths to extract personal data from people in unscrupulous ways (as well as the government itself, ironically, but we'll tackle that issue separately).
So, yeah, it is actually a BFD. In fact, not every business customer uses their own system image - especially smaller business. And just because a personal user chooses specific services like Google whom they may trust, it does not give another company the right to make those decisions on their behalf. Many of those customers may well have chosen to avoid such services for that very reason. That choice was taken away from them, and instead, the computer they paid for was made less secure by that adware which was forced on them unknowingly. Fine, it's a first world problem, but that doesn't mean it's not a problem.
Irony: Agile development has too much inertia to be abandoned now.
I have a feeling this is less about recovering from damages and more about teaching them a formal lesson (well, cashing-in under the guise of teaching them a formal lesson).
That's the entire point of a class action suit. To stop powerful companies from doing a large number of small harms and getting away with it.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
Good luck getting the Chinese to follow US Law.
I fail to see what kind of financial loss Lenovo customers might have incurred over this incident to warrant a class action suit.
Even if the class action suit only wins one penny, it will be worth it. Having a verdict on this issue can set a legal precedent (especially since Lenovo is probably not interested in defending the case too hard either).
For instance, it could pave the way for more easily winning a class action against Verizon. Verizon's case is a bit different, especially now that they're supposedly giving their customers the option to opt-out, but with a little bit of luck, a quick verdict on the Lenovo case could make Verizon reconsider its ongoing super-cookie/man-in-the-middle attack strategy against its own customers.
If it isn't a big deal, does that mean you will import my certificate authority public key as fully trusted into your computer and point your DNS client to my servers?
No?
Well now you might see why it is a big deal after all.
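The thought experiment above (a foreign root CA in your trust store plus redirected DNS) is exactly what an affected laptop looked like, and the earlier comment's point about one shared root key across every installation is why it mattered. The following is an added example, not code from the original thread, Lenovo or Superfish: a small audit that scans the roots a Python process trusts for a Superfish-style entry and flags a server certificate whose issuer is that interceptor rather than a public CA. It assumes, as widely reported, that the Superfish root's subject carries organizationName "Superfish, Inc."; the sample roots and the sample intercepted leaf are constructed in the dict shape that ssl.SSLContext.get_ca_certs() and SSLSocket.getpeercert() return, with invented serial numbers and dates.

```python
"""Trust-store audit for a Superfish-style root CA (added example)."""
import ssl

# Subject substrings that should never appear in a root store you did not
# populate yourself (matched case-insensitively). Extend with other markers.
SUSPECT_MARKERS = ("superfish",)


def flatten_name(name):
    """Turn ssl's nested name tuple ((('organizationName', 'X'),), ...) into a dict."""
    out = {}
    for rdn in name:
        for key, value in rdn:
            out[key] = value
    return out


def name_is_suspect(name, markers=SUSPECT_MARKERS):
    """True if any attribute value of the X.509 name contains a marker."""
    blob = " ".join(flatten_name(name).values()).lower()
    return any(marker in blob for marker in markers)


def find_suspect_roots(ca_certs, markers=SUSPECT_MARKERS):
    """Return the CA cert dicts (get_ca_certs() format) whose subject matches a marker."""
    return [c for c in ca_certs if name_is_suspect(c.get("subject", ()), markers)]


def issuer_is_suspect(peer_cert, markers=SUSPECT_MARKERS):
    """Given a dict from SSLSocket.getpeercert(), report whether the leaf was minted by a suspect CA.

    Even with DNS redirected to an interceptor, the leaf's issuer betrays the
    interception: a real public site is issued by a public CA, not by 'Superfish, Inc.'.
    """
    return name_is_suspect(peer_cert.get("issuer", ()), markers)


def audit_default_trust_store():
    """Scan the roots the default ssl context trusts on this machine."""
    ctx = ssl.create_default_context()
    return find_suspect_roots(ctx.get_ca_certs())


# Constructed sample roots: one benign, one mimicking the reported Superfish subject.
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),)),
     "issuer": ((("organizationName", "Example Trust Services"),),
                (("commonName", "Example Root CA"),)),
     "serialNumber": "01", "version": 3,
     "notBefore": "Jan  1 00:00:00 2010 GMT", "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": ((("countryName", "US"),), (("stateOrProvinceName", "CA"),),
                 (("localityName", "SF"),),
                 (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("organizationName", "Superfish, Inc."),),
                (("commonName", "Superfish, Inc."),)),
     "serialNumber": "02", "version": 3,
     "notBefore": "Jan  1 00:00:00 2014 GMT", "notAfter": "Jan  1 00:00:00 2034 GMT"},
]

# Constructed leaf as getpeercert() would show it on an intercepted connection
# (hostname and SAN are fine; only the issuer gives the game away).
SAMPLE_INTERCEPTED_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}

if __name__ == "__main__":
    for hit in find_suspect_roots(SAMPLE_ROOTS):
        print("suspect root in sample:", flatten_name(hit["subject"]).get("commonName"))
    print("sample leaf issued by interceptor:", issuer_is_suspect(SAMPLE_INTERCEPTED_LEAF))
    print("suspect roots in this machine's default store:", len(audit_default_trust_store()))
```

Note that get_ca_certs() only lists roots already loaded into the context; on systems that use an OpenSSL capath directory it may be empty until a root has been used, so a production check should also read the OS store directly (on Windows, ssl.enum_certificates("ROOT")).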
This fine bloatware didn't merely act as an MiTM, it did so so incompetently that it exposed the user to basically any MiTM attack on an SSL connection (the root cert it used to sign bogus certificates was identical across every installation and effectively unprotected, and the MiTM component would re-sign any cert handed to it, even an invalid one, opening the user to downright trivial MiTM attacks).
Many "enterprise" (lol) class proxies (deployed by corporations to "protect" their internal networks) do the exact same thing.
She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits.
Is she going to sue her ISP for doing the same thing?
It must have been something you assimilated. . . .
My employer is not a fortune 500 company and we just got a notice from IT that none of the corporate Lenovo laptops are affected and only consumer laptops are affected. This is most likely due to the fact that corporate laptops tend to not have all the usual consumer bloatware installed.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
Agreed. The only way to hold them responsible is to hurt them financially.
Hasn't worked too well, has it? Class action is a trivial business expense compared to what is gained. What should happen is a revocation of the corporate charter, and all revenues and properties seized a la *civil forfeiture*.
“He’s not deformed, he’s just drunk!”
It's a common refrain to say that nobody benefits from class action suits except the lawyers. While that may be true for the class litigants themselves it is entirely untrue for the public at large. The purpose of large punitive rewards is to penalize corporate misbehavior and in turn incentivize good behavior. By that measure we all benefit from these suits.
What about various Chrome extensions that have Superfish embedded inside them?
A while ago, Flash Video Downloader was one, not sure if it's still there... http://download.cnet.com/FVD-D...
Google, do a better job, terminate all accounts to anyone using superfish.
CNET are fuckwits too, stop serving malware, they should be raided by the FBI now.
Liberty freedom are no1, not dicks in suits.
I think it should be clear to everyone now. Lenovo is not IBM and it may have managed to retain some of the reputation of the IBM branding that went with its computers. But with one mistake it has managed to wipe that all away with SuperFish. I learned my lesson a couple years ago that Lenovo was not IBM and it would never be anything close. I would not buy another Lenovo PC if they sold them for a dollar. I hope Lenovo pays dearly for this mistake, and I hope other PC makers see this as a lesson to not sell out its customers to some two bit crapware company to earn a few bucks.
This is exactly the sort of crap everyone was predicting when IBM sold their PC line to Lenovo.
The only thing that surprises me is that it took so long.
my sig's at the bottom of the page.
Their network, their rules. A company doing this sort of thing on their own hardware, which is there for employee work purposes, is not comparable to Lenovo shipping millions of consumer units with this stuff surreptitiously installed.
Well they will either follow the law or be forced out of the market.
When you can't win, ad hominem.
When you go to buy a car, Superfish hires a team of gnomes to destroy the original documents, such as fliers or the title to your car, and replace it with their own documents with their ads included. If they were signed documents, then they forge the signatures as well.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
His point was that not all businesses use business based laptops.
When you can't win, ad hominem.
That's simple, assuming anyone in the US actually gives enough of a damn. If fines are levied on Lenovo as a result of this lawsuit, US Customs would be within their power to seize any Lenovo merchandise shipped to the US at the border until all fines are paid in full.
That’s a pretty good whack in the bottom line for any company, regardless of the nation in which they’re located. As long as they expect to sell their widgets to people physically located in the United States, US law can trivially be applied to them in such a way that they would need to comply before they may continue to operate profitably.
Whether this suit will be successful of course is a completely different story, but there’s no problem enforcing any judgement which may emerge from it.
If the Class Action is successful, then other companies could be sued too. Samsung started accidentally inserting ads right into television broadcasts while a show was playing recently. They built their ad serving infrastructure right into the televisions they sold. Samsung and Lenovo are stealing internet bandwidth to show their self serving ads, and without users' knowledge, as well as compromising the security and privacy a user should expect to have.
I expect Lenovo will get a lot of support from corporations like Samsung in this class action suit because of the ramifications the outcome of the case has for the other corporations.
Who cares who benefits financially? By punishing Lenovo's ILLEGAL behavior and driving them from the marketplace, society benefits. If we have to send an army of lawyers as mercs for hire to get them to do what federal prosecutors should be doing, so be it.
HA! I just wasted some of your bandwidth with a frivolous sig!
I think they only installed it on their consumer line anyway, not any corporate models.
Large organizations will pay more to get "business" laptops that in theory won't have this sort of crapware preinstalled. Large enough organizations may have a customized order contract which precisely specifies what software (if any besides the OS) is there.
Many "enterprise" (lol) class proxies (deployed by corporations to "protect" their internal networks) do the exact same thing.
Totally different:
1. In a proxy, the key used to sign MITM traffic is on a device not accessible to anyone but the admins, not stored on a PC (probably improperly secured) that other malware could access.
2. A good proxy will check certs on the server side of the connection. The one we use will either "pass through" certificate errors, or allow us to block sites with invalid certs entirely.
3. A proper setup will use the URL categorization to not MITM certain traffic. We decrypt anything that's blocked (you have to in order to deliver a block page without cert errors), but that's not a big deal since it never even talks to the server. We also don't decrypt healthcare, banking, shopping, etc.
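The three rules above (and the earlier description of Superfish re-signing any certificate handed to it) boil down to a decision per connection. The following is an added example, not code from the thread or from any proxy vendor: a small model that runs a handful of constructed connection records through a Superfish-style policy and through a policy implementing the rules listed, then reports which hosts end up "laundered" (the client is shown a trusted certificate even though the real server's certificate failed validation). The category names, the NO_DECRYPT and BLOCKED lists, and the records are assumptions for illustration; the signing key's location is out of scope here and is only noted in a comment.

```python
"""Interception-policy model: Superfish-style MITM vs. an enterprise proxy (added example)."""
from dataclasses import dataclass

BYPASS, INTERCEPT, PASS_ERROR, BLOCK = "bypass", "intercept", "pass_error", "block"

# Assumed categories: never decrypted vs. blocked outright (block page served by the proxy).
NO_DECRYPT = {"healthcare", "banking", "shopping"}
BLOCKED = {"malware", "gambling"}


@dataclass
class Upstream:
    """What the proxy learned when it validated the real server's certificate."""
    host: str
    category: str
    chain_ok: bool      # chains to a public root the proxy trusts
    hostname_ok: bool   # SAN/CN matches the requested host
    expired: bool


def upstream_valid(u):
    return u.chain_ok and u.hostname_ok and not u.expired


def superfish_policy(u):
    """Re-sign everything with the (shared, on-endpoint) key: every site looks valid to the client."""
    return INTERCEPT, True   # (action, client_sees_trusted_cert)


def enterprise_policy(u, on_error=PASS_ERROR):
    """Decrypt only where policy allows and never launder an invalid upstream cert.

    The signing key lives on the proxy appliance, not on the endpoint, so a
    compromised PC cannot mint certificates that other clients trust.
    """
    if u.category in BLOCKED:
        # A block page needs a cert the client trusts; the server is never contacted.
        return INTERCEPT, True
    if u.category in NO_DECRYPT:
        # Passed through untouched: the client validates the real certificate itself.
        return BYPASS, upstream_valid(u)
    if not upstream_valid(u):
        # Surface the upstream error to the client (PASS_ERROR) or refuse it (BLOCK).
        return on_error, False
    return INTERCEPT, True


def evaluate(records, policy):
    """Map host -> (action, client_sees_trusted_cert) for each record."""
    return {r.host: policy(r) for r in records}


def laundered(records, policy):
    """Hosts whose real cert failed validation yet the client was shown a trusted one."""
    out = []
    for r in records:
        _, client_ok = policy(r)
        if client_ok and not upstream_valid(r) and r.category not in BLOCKED:
            out.append(r.host)
    return sorted(out)


# Constructed records: a forged chain and an expired cert among ordinary traffic.
RECORDS = [
    Upstream("mail.example.com", "webmail", True, True, False),
    Upstream("bank.example.com", "banking", True, True, False),
    Upstream("evil.example.net", "malware", False, False, False),
    Upstream("forged.example.org", "news", False, True, False),   # chain does not validate
    Upstream("old.example.org", "news", True, True, True),        # expired
]

if __name__ == "__main__":
    for name, policy in (("superfish", superfish_policy), ("enterprise", enterprise_policy)):
        print(name, evaluate(RECORDS, policy))
        print(name, "laundered:", laundered(RECORDS, policy))
```

Run as-is, the Superfish-style policy reports forged.example.org and old.example.org as laundered, while the enterprise policy reports none: the banking site is bypassed, the two broken certificates produce a client-visible error, and only the block page and the ordinary webmail session are actually intercepted.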
'Canonical works closely with Lenovo to certify Ubuntu on a range of their hardware.'
The slideware published on government attempts to undermine SSL web traffic suggests they are supremely interested in trying anything they can.
Getting a trusted cert with a key they control installed on a large number of laptops is a dream come true.
So who is actually behind Komodia?
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
"She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits".
To me, this was more interesting than all the rest. It has the potential to break the big telcos, cable companies, Google, and anyone else who makes a living by tracking your browsing habits to serve you "targeted advertising".
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Yes. Now where's that button to edit my slashdot post?
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Lawyers don't sue people, people sue people?
This is why these kinds of things never go to trial, and why the company always makes sure they never admit guilt. When they settle to "put it behind" themselves, it's like a cat burying its shit. They can pretend that it never happened in the first place.
As for making things better in the long run, forget it. Lenovo will do what all other large companies do, which is settle and offer discounts to people who bought the offending systems. This costs them nothing. In fact, they may make more money on the deal because they move more product, and very few consumers take advantage of these offers. As other people have already said, the only ones who make out are the lawyers.
What's actually needed is consumer protection that means something and has teeth. However, in the current political climate, hell will freeze over before that happens. Big business can commit any crime and get away with it, and even make money as a result. Just search for "HSBC tax evasion" if you want to see a breaking scandal like this.
Why is Snark Required?
My employer is not a fortune 500 company and we just got a notice from IT that none of the corporate Lenovo laptops are affected and only consumer laptops are affected. This is most likely due to the fact that corporate laptops tend to not have all the usual consumer bloatware installed.
But those models also get an actual price tag for Windows Pro, and if you buy in volume (20+) through a retailer you can get them OS-free. Dell sells Linux laptops through the back door, and all of the large vendors will charge separately for Windows Professional and deliver them with stock Microsoft settings and not do the bundling discount they do for consumer laptops, but you pay more for those systems than for similarly specced consumer laptops.
The core problem is that we don't consider a discount through bundling 3rd-party software as illegal, trade-harming cartel activity, which is why it won't be the last time some company bundles malware, but then again those parts of "Wealth of Nations" that deal with the dangers of cartels have more or less been censored out of the copies US students are taught from.
I like ThinkPads, they offer good quality and a clean design and they run well with GNU/Linux. So I'm really okay with Lenovo, but in this case I hope the class action succeeds.
This is not a mistake or carelessness, which could happen. Just fix it and everybody is glad.
This is greed. They spied on their own customers to sell advertisements (with the purpose of getting even more of your money) and sacrificed (the technical reason doesn't matter) the security of the customers. This is not okay.
So I hope Lenovo and the industry will learn from this. Offer only devices (laptops, computers, smartphones, appliances and even cars) with a clean installation; this is and always was what a customer requires. Additionally, the option to select no pre-installed system at all. This mad industry-wide practice should have been stopped years ago.
Sorry Lenovo, please learn the lesson! I hope the car industry will not copy the bad behaviour of the computer industry.
Can I buy a superfish loaded Lenovo laptop now, then join a lawsuit?
I have a feeling this is less about recovering from damages and more about teaching them a formal lesson (well, cashing-in under the guise of teaching them a formal lesson).
That's the entire point of a class action suit. To stop powerful companies from doing a large number of small harms and getting away with it.
Ironically, awarding damages on an individual basis to the claimants would be far more punitive than whatever damages are awarded.
Most human behaviour can be explained in terms of identity.
They shouldn't just be hit via a class action suit (assuming Lenovo isn't sticking a "binding arbitration" clause to defeat the ability for consumers to seek recourse) but Federal prosecution under one of the many computer security laws that would string up anyone else.
Honest question: is putting a backdoor/vulnerability into a product actually a crime in the US? As I understand it, most of the computer security laws are about actively breaking in ("gaining access"). The closest I can think of are contractual issues with sale ("fitness for purpose") and negligence, but both of those are civil.
Most human behaviour can be explained in terms of identity.
There's also the basic difference that 'enterprise' MiTM-ing is potentially kind of a dick move, depending on exactly how hard HQ feels like squeezing somebody's innocent checking of their email over lunch or whatever; but it's a fairly clear exercise of control over hardware by that hardware's owner.
Seeding hardware with malware and then selling it? Not so much. Yeah, maybe there is some nonsense clickwrap EULA; but there is no real consent of any kind, or even a proper warning.
If only for your own sake (having your own employees getting fooled because your MiTM proxy re-signs bogus certs without flagging them would be counterproductive), odds are that 'enterprise' systems are also more competent; but even if they aren't it's a pretty major difference in scope.
In my own admin-ly capacity, playing content cop is something I do reluctantly, and only as much as network security requires; but we never tamper with devices we don't own (deny them access to the network, sure; touch them, never) and staff are proactively warned and welcome to ask in more detail, if they wish, about what we do and why we do it.