Lenovo Won't Pay a Fine For Preinstalling Superfish Adware (theverge.com)

← Back to Stories (view on slashdot.org)

Lenovo Won't Pay a Fine For Preinstalling Superfish Adware (theverge.com)

Posted by msmash on Tuesday September 5, 2017 @05:25AM from the getting-away-with-it dept.

An anonymous reader shares a report: In 2014, Lenovo began bundling a third-party adware program called "Superfish" into its consumer PCs. Now, nearly three years later, the company is facing the consequences. Today, Lenovo settled a lawsuit by the Federal Trade Commission over the Superfish adware, agreeing to get affirmative consent for any future adware programs, as well as audited security checks of their software for the next 20 years. Installed on Lenovo laptops between September 2014 and January 2015, Superfish was granted root certificate access, allowing it to insert ads into even HTTPS-protected webpages. According to the FTC's indictment, breaking HTTPS presented a clear risk to consumers -- but Lenovo isn't going to have to pay for putting customers at risk. Instead, the settlement requires Lenovo to give clear notice to customers of any data collection or ad-serving programs bundled on their laptops, and get affirmative consent before the software is installed. Lenovo also agreed to conduct an ongoing security review of its bundled software, running regular third-party audits for the next 20 years.

86 comments

Min score:

Reason:

Sort:

Superfish? by courteaudotbiz · 2017-09-05 05:29 · Score: 1

Customers were superfish to think that a ruling could be in their favor.
1. Re:Superfish? by zlives · 2017-09-05 06:02 · Score: 2
  
  it will be spelled out clearly in the 10 page EULA.
2. Re:Superfish? by Anonymous Coward · 2017-09-05 06:17 · Score: 0
  
  There is competition to see who can be most abusive.
3. Re: Superfish? by Anonymous Coward · 2017-09-05 11:55 · Score: 0
  
  The best way to stop this is permanently boycott the company. I will never buy any thing from them or companies they own like Motorola. I already decided before this never to do business with them as long as I live after the one and only purchase I made from them after dealing with the most horrific customer service I have ever dealt with. They are wore than AT&T and that I didn't think was possible.
No Hardware Audit Too? by ossuary · 2017-09-05 05:35 · Score: 2

So they get a slap on the wrist. Especially since they are only agreeing to SOFTWARE audits with no mention of a hardware audit.
1. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 05:46 · Score: 1
  
  Right? Any individual would be arrested, threatened with 15-life in federal prison and then left to hang themselves in their cell...
  Corporations, not so much
  I will agree that corporations should have the same rights as individuals when they are regularly found hanging in their cells while being tried for their crimes.
2. Re:No Hardware Audit Too? by __aaclcg7560 · 2017-09-05 05:47 · Score: 1
  
  I would be suspicious of any firmware on a Lenovo laptop. Ironically, firmware hackers love Lenovo laptops.
3. Re:No Hardware Audit Too? by jellomizer · 2017-09-05 05:54 · Score: 2, Informative
  
  But who should be jailed?
  Most of the problem in the company comes from a lot of people making a small lapse in judgement.
  CEO - We need to sell our products for less money
  Middle Management - Company X will pay us money to install their software on our PC, This way we can sell our product for less.
  Engineer - Lets just install this software, it isn't worth putting our jobs at risk because of our concerns.
  There is responsibility across the whole company. To jail the CEO for just saying they need to sell their product for less, seems unjust.
  To jail the Middle Management for making an agreement with an other company seems unjust
  To jail the engineer who is pressured to keep their job, is unjust.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
4. Re:No Hardware Audit Too? by Nutria · 2017-09-05 06:01 · Score: 1
  
  Pfft.
  You seem to have the crazy idea that audit finding (whether hardware or software) are made public. Or that exceptions aren't regularly granted by the auditors. Or that auditors aren't almost mechanistic in only looking for the boxes they must check off.
  
  --
  "I don't know, therefore Aliens" Wafflebox1
5. Re:No Hardware Audit Too? by Opportunist · 2017-09-05 06:02 · Score: 4, Insightful
  
  It is the CEO's responsibility to know what's going on in his company. What the fuck is that idiot good for if he doesn't? The "decisions" made at that level could be gained from a magic-8-ball with at least the same level of quality.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
6. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 06:04 · Score: 0
  
  The Engineer if he didn't warn Middle Management of the risks of what they were asking for.
  Middle Management if they were warned of the risks and did so anyways.
  CEO of Middle Management warned them of the risks but they pressured them to do so anyways.
  If the corporate culture is so toxic that your engineers don't feel safe even just warning management above them, then go after the CEO. It's ultimately their responsibility. If they've cultivated or even just left in place a culture that makes things like superfish happen because everyone is too afraid of their jobs to even raise warning to those above them, then mistakes like this are their fault.
  It's also worth noting that if programmers were actual Professional Engineers, they would be held responsible for acts like this. If this was a bridge and they used shitty quality material which they knew would fail because they were "afraid for their jobs" then they would be fined and prosecuted.
7. Re:No Hardware Audit Too? by zlives · 2017-09-05 06:05 · Score: 1
  
  The buck stops nowhere?
  CEO - i am just the chief, i don;t know how the injuns work
  Middle Mgmt - i was just following orders and relaying those orders to engineers
  Engineer - all i could do was what i was told, so i leaked the info as best i could.
  its inconvenient so nobody should be punished.
8. Re:No Hardware Audit Too? by thomn8r · 2017-09-05 06:05 · Score: 3, Interesting
  
  But who should be jailed?
  The entire C-suite - everyone with "chief" or "executive" in their title
  C?O's are paid zillions because of all the alleged responsibility they shoulder; with great rewards comes great risks.
9. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 06:07 · Score: 0
  
  To jail the engineer who is pressured to keep their job, is unjust.
  "I was just following orders" is not a legitimate defense. Nail 'em all! And revoke the corporate charter... And put all of their patents/copyrights in the public domain... Otherwise quitcherbellyachin'
10. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 06:09 · Score: 0
  
  To jail the CEO seems entirely just to me. He(or She) makes the big bucks for a reason and part of that reason is responsibility.
  If CEOs went to jail for crap like this on a regular basis, the world would be a far better place.
11. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 06:14 · Score: 0
  
  Slap on the wrist? This is barely a sternly pointed finger.
  I have my own personal answer to this judgement though. I won't be touching anything by Lenovo for the next 25 years.
12. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 06:17 · Score: 0
  
  Jailed is a little soft for so many instances of a crime.
  How about they make up for it by saving people in need of transplants with their own rich bits? Hearts, corneas, kidneys, livers, lungs... They could save hundreds of lives. Is that not a noble way to give reparations?
13. Re: No Hardware Audit Too? by Anonymous Coward · 2017-09-05 06:20 · Score: 0
  
  Don't insult the Magic 8 Ball like that!
14. Re: No Hardware Audit Too? by Anonymous Coward · 2017-09-05 06:23 · Score: 0
  
  A way to put the capitalism back into capital punishment? Brings new meaning to "risking it all".
15. Re:No Hardware Audit Too? by plover · 2017-09-05 06:28 · Score: 4, Insightful
  
  The CEO is the only one who can make the changes all the way down. If the CEO's written policy is "don't install slimeware on our client's machines", then that message is going to get passed down to the VPs and Directors. If their jobs and bonuses are at risk because they let a manager install slimeware, they're going to say "Teams, don't install slimeware." And if the engineers know that if they get caught installing slimeware they will be tarred and feathered, they won't do it.
  Therefore, to solve the problem you might try to throw a few CEOs in jail now, and keep throwing them in jail until the rest get the message. Much cheaper than prosecuting hundreds of engineers and middle managers. Seems like a good idea, right?
  The real problem is that everyone knows it's darn profitable to install slimeware on client computers. All it will really do is get the rest of the C level execs in the industry to hire better lawyers, to find legally defensible loopholes around the rules, and to "donate" more to various "pro-business" politicians in order to change the laws. And you and I will still end up with slimeware in our new PCs.
  
  --
  John
16. Re:No Hardware Audit Too? by JaredOfEuropa · 2017-09-05 06:45 · Score: 1
  
  The order had to come from somewhere. You find who it is, punish them and their immediate supervisor, and maybe a couple of compliance officers. If you can't find out who acted beyond their brief, or if this happened within company guidelines, the CEO and maybe the CTO / CIO or what have you are on the hook. Maybe not jail time but stiff fines at the least... coming out of their personal wallets, not the company coffers.
  
  --
  If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
17. Re:No Hardware Audit Too? by Z00L00K · 2017-09-05 06:50 · Score: 1
  
  CEO and board of directors at the time of the decision to include it are responsible. And if it's a major shareholder involved in the decision then bring them in as well.
  Guillotine is a suitable punishment.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
18. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 07:01 · Score: 0
  
  "I was just following orders" is not always a legitimate defense.
  FTFY. The question then becomes, is it legit in this instance?
19. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 07:35 · Score: 0
  
  It is a clear cost-benefit analysis for the leadership of a company
  If the cost is minimal (slap on teh wrist) and the benefit large ($millions) then it is a no-brainer to let the slimeware be installed
  It is ONLY when the cost is brought up to being greater than the benefit that corporate policies will change
  On a side note, we need to find a legal means to prosecute legislators who work to subvert the effect of law by selling out to corporate insterests
20. Re:No Hardware Audit Too? by geekmux · 2017-09-05 07:55 · Score: 1
  
  It is the CEO's responsibility to know what's going on in his company. What the fuck is that idiot good for if he doesn't? The "decisions" made at that level could be gained from a magic-8-ball with at least the same level of quality.
  CEO positions are largely political and superficial in nature. Kind of like how we elect one person to be in charge of 300 million US Citizens as the "CEO" of America.
  That said, why in the fuck would a CEO give a shit about what's going on? The only thing they care about is if they can make money off selling a product or service, legal or otherwise. And the reason I dismiss legality so easily is they've already proven no matter if you're caught, it's worth it. Bankers operate on this model every fucking day, which is why they get away with raping your privacy and financial murder.
  Corruption will never be contained or controlled unless it is punished appropriately. Right now, punishment is a fucking joke.
21. Re: No Hardware Audit Too? by Anonymous Coward · 2017-09-05 11:00 · Score: 0
  
  The entire board of directors and the CEO. 10 years seems fine. But now we have precedent that organized crime goes unpunished at least. Fucking joke of a legal system.
22. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 12:23 · Score: 0
  
  I'm all for throwing CEOs in jail, and also extra punishments like reducing their assets to 0, and having their family live in poverty. The greater the responsibility, the greater the punishment I believe to stop them from abusing their positions.
23. Re: No Hardware Audit Too? by OMEGA+Power · 2017-09-05 13:43 · Score: 1
  
  The real solution, if the goal is preventing things like this from happening, is proportional fines (I.e. An independent accounting firm determines how much money the company made from its misconduct and they are fined say 5 times that amount). If misconduct is unprofitable they will stop doing it, if a CEO continues doing it when he should know it will be unprofitable he can be found personally liable to the shareholders for fiduciary misconduct.
24. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 19:30 · Score: 0
  
  Most of the problem in the company comes from a lot of people making a small lapse in judgement.
  Absolutily correct!
  I mean, look at all those individual illegal software (and other) downloaders. Just small lapses of judgement. Are they, for the same reason, off the hook too ? I mean, those should (than) also not be allowed to be added together, don't you agree ?
  Or are you here supporting a kind of class justice here, where, when collusion* inside a company is involved, it should *ofcourse* lead to a dismissal ?
  *yes, collusion. Silently advocating a company atmosfere of activily not wanting to know (read: creating "plausable deniability") what your underlings are doing/looking the other way when they are spending company dollars on "unknown" projects is exactly that.
  An old saying: "Do not attribute to malice which can easily be attributed to stupidity"
  Addendum: "Do not make the mistake to attribute to stupidity when 'the stupid action' directly benefits the other (finacially or otherwise)".
25. Re:No Hardware Audit Too? by rtb61 · 2017-09-05 20:12 · Score: 1
  
  'ER', all of the above, with longer rehabilitative custodial terms for those with the greatest responsibility for decisions and actions, keeping in mind laws with regard to accessory before and after the fact. Everyone who participated in a corporate criminal act or was aware of it and failed to act, should face a criminal penalty, whether 10 or 1,000. As for the rest of us, so for the slimy scum hiding in corporations.
  
  --
  Chaos - everything, everywhere, everywhen
26. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 20:54 · Score: 0
  
  Harry Truman used to say "the buck stops here".
27. Re:No Hardware Audit Too? by Anonymous Coward · 2017-09-05 23:48 · Score: 0
  
  no no.. he uses a "decision chicken"....
  it works like this... a table with a YES and a NO side... whatever side the chicken stays on the longest during a one hour monitoring session, is your answer!
28. Re: No Hardware Audit Too? by Anonymous Coward · 2017-09-07 11:51 · Score: 0
  
  The people who take responsibity when things go well ( c-level, board etc) they should also be made to take responsibility when things go shit like this.
Not even a slap on the wrist by evolutionary · 2017-09-05 05:41 · Score: 2

With these kind of verdicts, what is going to deter other laptop vendors from doing this to their customer...or...is that what the government wants, as they access to all that data upon request.

--
"Imagination is more important than knowledge" - Einstein
1. Re:Not even a slap on the wrist by Anonymous Coward · 2017-09-05 05:42 · Score: 1
  
  Am I the only one that does a totally fresh OS install on every computer I buy?
2. Re: Not even a slap on the wrist by Anonymous Coward · 2017-09-05 05:48 · Score: 0
  
  BING BOING BINGOOOO!
3. Re:Not even a slap on the wrist by Anonymous Coward · 2017-09-05 05:50 · Score: 0
  
  No, but plenty of people don't.
4. Re: Not even a slap on the wrist by Anonymous Coward · 2017-09-05 05:51 · Score: 0
  
  Buying any notebook other than fsf-approved, not building your own desktop PC.. It's shame that evolution is nonsense.
5. Re:Not even a slap on the wrist by Anonymous Coward · 2017-09-05 06:17 · Score: 0
  
  I install my own OS. You cannot count on the hardware supplier to not be tempted by adware/trialware/reel-you-in-ware options.
6. Re:Not even a slap on the wrist by Anonymous Coward · 2017-09-05 06:22 · Score: 0
  
  No, but plenty of people don't.
  Especially now that most vendors do not include the bare windows install media. The only thing you can do is wipe and re-install the vendor's bloated image.
7. Re:Not even a slap on the wrist by Anonymous Coward · 2017-09-05 06:31 · Score: 0
  
  Consider the timing. We should be happy that Lenovo settled for anything; the current Administration could have (and probably would have, if anybody had noticed the pending action) simply withdrawn the complaint. After all, corporations should not have to actually behave like polite people despite being "persons" in the eyes of the law.
8. Re:Not even a slap on the wrist by Anonymous Coward · 2017-09-05 06:39 · Score: 0
  
  On the plus side, many Windows 10 computers come with older releases and immediately update when connected - so that's sort of a fresh o/s (or can be made so by doing a clean install). However, stuff like Superfish seems to live below the o/s, closer to the hardware, at least in part. So it may be able to survive a fresh o/s install.
9. Re:Not even a slap on the wrist by fearlezz · 2017-09-05 07:03 · Score: 3, Informative
  
  I'd like to remember you of this piece of Lenovo crapware that survives reinstallation.
  https://tech.slashdot.org/stor...
  Just don't buy Lenovo if you care about privacy or security.
  
  --
  .sig: No such file or directory
10. Re:Not even a slap on the wrist by Anonymous Coward · 2017-09-05 07:34 · Score: 0
  
  Welcome to the world of large 21st century firmware bitch... hardware these days is filled with so much software that it can easily undermine your new OS even after you've wiped your block device. Superfish targeted windows specifically but in principle you could target any OS, Lenovo stashed it in the EFI which checked and modified the hard drive on every boot to ensure it's persistence.
11. Re:Not even a slap on the wrist by Guybrush_T · 2017-09-05 07:36 · Score: 1
  
  This is what I thought when I bought my Lenovo laptop : the laptop is partially paid by all the crapware they install which is fine if you are going to wipe it out.
  But the hardware itself revealed being really bad as well. The webcam stopped working after 6 months because the ribbon didn't survive opening/closing the lid, and the plastic overall is crap.
  I don't think I'll ever buy another one.
  There are other brands like Toshiba that install the same crapware paying part of the laptop, but I've seen similar experience from friends.
  So in the end, get a Dell or HP.
12. Re:Not even a slap on the wrist by Anonymous Coward · 2017-09-05 07:40 · Score: 0
  
  Superfish installs itself from firmware, the only way to avoid it on Lenovo hardware was to not use windows which it was targeted to.
13. Re:Not even a slap on the wrist by Aighearach · 2017-09-05 08:37 · Score: 1
  
  With these kind of verdicts
  If you can't tell what a verdict is, how can you hope to have any idea what the implications are or are not?
14. Re:Not even a slap on the wrist by Anonymous Coward · 2017-09-05 13:23 · Score: 1
  
  Sadly they're one of the best laptop manufactures. They still provide service manuals for their laptops.
15. Re:Not even a slap on the wrist by evolutionary · 2017-09-06 00:28 · Score: 1
  
  Don't own it, have no intention of buying it. My next laptop is probably a Toughbook (wiped with Linux installed and maybe a Windows xp/7 Virtual OS), or maybe a Fujitsu Portable Workstation (high specs)
  
  --
  "Imagination is more important than knowledge" - Einstein
16. Re:Not even a slap on the wrist by pnutjam · 2017-09-06 01:39 · Score: 1
  
  So do Dell and HP, if you buy their business class equipment. Dell has excellent instructions, just stick with the lattitude line. Bonus, parts are easy to come by and inexpensive.
  
  --
  Cheap storage VM.
You paid too much for your Macbook they said! by Anonymous Coward · 2017-09-05 05:46 · Score: 0

I only overpaid if your privacy has no value!
1. Re:You paid too much for your Macbook they said! by Anonymous Coward · 2017-09-05 06:00 · Score: 0
  
  Good thing Apple doesn't spy on you. You fucking idiot.
2. Re: You paid too much for your Macbook they said! by Anonymous Coward · 2017-09-05 06:00 · Score: 0
  
  My my, f--- off to 4chan/reddit.
3. Re:You paid too much for your Macbook they said! by Anonymous Coward · 2017-09-05 06:39 · Score: 0
  
  Apple isn't an advertising company or a Chinese company. What profit would they derive from spying?
Equal Protection by Anonymous Coward · 2017-09-05 05:55 · Score: 0

So long, and thanks for all the fish!
Lenovo is a Chinese company by Anonymous Coward · 2017-09-05 05:55 · Score: 0

Do not expect your system to be secure - ever.
Industrial espionage, hacking, data mining, whatever .... Lenovo is a state run company.
Remember that.
And with tensions mounting, who knows what the Chinese government will turn on - think of Lenovo computers are the ultimate manchurian candidate.
China will do ANYTHING to protect their North Korean satellite state.
So listen and learn by Opportunist · 2017-09-05 06:00 · Score: 3, Insightful

The next time you plan to install a rootkit on PCs and spy on people, first found a corporation. Then it's apparently no longer a crime.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:So listen and learn by Anonymous Coward · 2017-09-05 07:53 · Score: 0
  
  more like, the next time you plan to buy a new computer, understand that you are guaranteed to be spied on.
  oh, you construct your own computers? no problem, backdoor built into every CPU on the market. you're welcome.
  it's time to start over. it's time to end it all.
  #boom
Shame considering the Linux compat... by Anonymous Coward · 2017-09-05 06:03 · Score: 0

No it's not ok to break https, Lenovo should have their root CA revoked.
1. Re:Shame considering the Linux compat... by Junta · 2017-09-05 06:22 · Score: 2
  
  Lenovo isn't a root CA. In fact, superfish didn't have *lenovo* as a CA, it added Komodia's certificate, which was part of Superfish product (a california based company, incidentaly), which also is not a root CA, it installs a new CA certificate (with the private key in the clear).
  Basically Lenovo didn't vet the software it was paid to install well enough, and a lazy California company picked up Komodia's technology, with each presuming the next was smarter then they were about security.
  
  --
  XML is like violence. If it doesn't solve the problem, use more.
Corporate Death Penalty by Anonymous Coward · 2017-09-05 06:04 · Score: 0

Lenovo should have been dissolved for this, or at least banned from doing business in the United States for at least a century.
Above the law? by Anonymous Coward · 2017-09-05 06:10 · Score: 0

Apparently they don't have to worry about consequences for their acts, so there should be no consequences for anyone if their organs are sold off, since it involves people who are above the law.
Uh what? by wardrich86 · 2017-09-05 06:14 · Score: 1

Now, nearly three years later, the company is facing the consequences.
...

Lenovo isn't going to have to pay for putting customers at risk
They literally got less than a slap on the wrist. They'll just put some super small print in with their 500 page long EULA and continue on with business as usual.
1. Re:Uh what? by Aighearach · 2017-09-05 08:53 · Score: 1
  
  Interesting theory, however if they had been given a fine people would make the same complaint; a fine doesn't change their behavior, they should have been subjected to a consent decree. If they get a consent decree, the same people complain that without a fine there must not have been a punishment.
  For your comment to have value, you have to actually say words that support your claim that is less than a slap on the wrist. What good is a bare conclusion, with no reasons or analysis?
  Also, a EULA it is a valid notice of conditions or terms that might affect a contract, but it is usually not an enforceable contract other than as relates directly to the issue of copyright, which is the license potentially being granted. Though, if it grants no rights then it isn't offering any consideration, and doesn't have any claim to even being a contract. But the part you really aren't understanding is what "affirmative consent" means. It means they have to ask that part separately and clearly, they can't bundle it or hide it inside another agreement.
if only software / IT people had PE powers by Joe_Dragon · 2017-09-05 06:55 · Score: 1

if only software / IT people had PE powers and then can tell the CEO hell no find your own PE willing lose there cert over this
1. Re: if only software / IT people had PE powers by Anonymous Coward · 2017-09-05 12:30 · Score: 0
  
  That's a good point. But software engineers will never have PE certification, because of Turing's Halting Problem, software is never provably correct.
Precedent by Anonymous Coward · 2017-09-05 07:01 · Score: 0

They couldn't afford to open the floodgates.
Stupid people buy Apple/Google/Intel/AMD/Lenovo/MS by Anonymous Coward · 2017-09-05 07:07 · Score: 0

The problem is there aren't that many options and very few companies are trying to fix things. When we are depending on "cloud" services and proprietary software we as users lose control and hand over any control to third parties that don't have our interests in mind.
ThinkPenguin's one of the few who have been working on a solution to these problems. They have EOMA68 that they've been working on and supporting for years- which should be shipping soon (recent updates see crowd funding page). But outside of this there really isn't much happening. We have "half" fixes like LibreBoot on seriously out of date hardware (and it isn't 100%, still CPU micro code, keyboard firmwares, etc) and a means of disabling part of the Intel Management Engine firmware, but it's not everything.
EOMA68 is a modular computing standard that's bringing down the cost to design and manufacture devices that are fully in the users and our communities control (ie a complete set of source code is available).
There is a laptop and desktop housing design being designed around EOMA68, which is a removable card that is the computer. Users can upgrade or swap computers without replacing the rest of the device (ie keyboard/LCD screen/etc) while the community also gains control over all the components going into the designs (ie like the CPU/SoC used don't have to be from Intel/AMD and we can get sources for things like bootloaders, ie uboot). Compare that to being forced to build off a stock AMD/Intel reference design where there are numerous components from Intel Management Engine firmwares to CPU micro codes and BIOSes needed which necessitate the licensing from one of 5 or so proprietary BIOS vendors.
Who doesn't start fresh?!? by cheddarlump · 2017-09-05 07:21 · Score: 1

Am I the only one that immediately wipes/reloads a machine when buying it? Hell, I usually give away the drives that come with PCs and put cheap SSDs in them, so I'm always starting fresh... I'll take the hassle of a fresh install for the subsidy that companies pay to preinstall their crap.. Doesn't affect me one bit anyways.
1. Re:Who doesn't start fresh?!? by Misagon · 2017-09-05 07:46 · Score: 1
  
  Where do you get your legitimate copy of Windows installation disks?
  Any normal person would not buy a new clean set from Microsoft but instead use the disks he got with the machine - the Lenovo disks that would have the malware.
  
  --
  "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
2. Re:Who doesn't start fresh?!? by tomxor · 2017-09-05 07:50 · Score: 2
  
  Am I the only one that immediately wipes/reloads a machine when buying it? Hell, I usually give away the drives that come with PCs and put cheap SSDs in them, so I'm always starting fresh... I'll take the hassle of a fresh install for the subsidy that companies pay to preinstall their crap.. Doesn't affect me one bit anyways.
  You are probably the 100th person who commented this... Superfish self installed via firmware, if you used windows there was no escape no matter how many times you wiped your block device, it's installed prior to the OS booting.
  You can't just install a new OS and expect to have complete control over your computer these days, hardware is the new attack vector for everything since it's become way more soft and full of large pieces of firmware, people have been trying to make lenovo EFI firmware replacements for some time, but when something like IME get's pwned or Intel A) go pure evil B) hand over their private keys to the highest bidder or C) are forced to by some three letter government agency... it's going to get way more fun, the 21st century security "duh" will be "what? didn't you buy open source hardware and verify the microcode and firmware?, well then you deserved to get hacked".
3. Re:Who doesn't start fresh?!? by Anonymous Coward · 2017-09-05 08:48 · Score: 0
  
  Well, I have been buying off-lease machines for years...I DO start fresh, with a fresh install of Linux. I know that Linux is not invulnerable, but is much harder to infect/infest. As I understand it, Sailfish does not work under Linux.
4. Re: Who doesn't start fresh?!? by cheddarlump · 2017-09-05 09:06 · Score: 1
  
  You download the Windows Media creation tool, and it will make you a USB drive for installing windows. Then, insert new SSD, boot from USB, install Windows, and after first boot, it will find your license based on digital hardware signature and activate. If it doesn't find it automatically, there are many tools that will read the Windows key from UEFI, and you simply activate with the license included with the PC.
5. Re:Who doesn't start fresh?!? by Anonymous Coward · 2017-09-05 11:00 · Score: 0
  
  Pfff. If you build your own machines you already have the discs.
6. Re:Who doesn't start fresh?!? by Anonymous Coward · 2017-09-06 04:02 · Score: 0
  
  Got any sources to Superfish being installed via firmware? Google doesn't know about it.
7. Re:Who doesn't start fresh?!? by tomxor · 2017-09-08 12:28 · Score: 1
  
  Got any sources to Superfish being installed via firmware? Google doesn't know about it.
  Need to search for BIOS specifically:
  
  I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn't understand how a Lenovo service was installed and running! Delete the file and it reappears on reboot.
  
  From: https://www.techdirt.com/artic...
Fake news on /. ? by szy · 2017-09-05 08:18 · Score: 3, Informative

Lenovo will pay $3.5M. Source 1 Source 2
TL;DR There was no fine by the FTC, but they will pay a settlement on another lawsuit.
Both the title and summary here, as well as the TFA are misleading. Come on /. check your facts!
Superfish = EZ to stop via hosts files by Anonymous Coward · 2017-09-05 08:29 · Score: 0

See subject & stalling its ad servers = cake via hosts files. I did this the day it came out 0.0.0.0 www.superfish.com & yes, it works!
* Per http://www.bing.com/search?q=superfish+adserver&qs=n&form=QBLH&sp=-1&pq=undefined&sc=0-18&sk=&cvid=266267AD975248BF812E2604C86A8FD9/
APK
P.S.=>It's THAT easy to nullify this & to create the BEST hosts file vs. malware, rootkits, trackers, scripts, spam/phish, & other threats online (inclusive of DNS tracking/down avoiding dns, lightening DNS load too + locally FASTER resolutions in kernelmode ops + RAM speed of your favorite sites where you spend MOST time online - bonus) for more speed, security, reliablity & anonymity online APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ ... apk
Egregious by XSportSeeker · 2017-09-05 09:53 · Score: 1

This case is specially bad because it wasn't just once that Lenovo slipped on this... superfish was only the first of 3 times the company was caught red handed with shady tactics:
http://www.makeuseof.com/tag/n...
It's why I don't recommend their stuff anymore nor I'll ever buy anything from Lenovo ever again.
Unfortunatelly, the overall tech press keeps advertising their shit and falling head over heels for it.
This is why I uninstall all the crapware by Anonymous Coward · 2017-09-05 10:37 · Score: 0

This is why you uninstall all of the crapware or better still do a clean install.
FTC advises blackmail by Anonymous Coward · 2017-09-05 12:11 · Score: 0

... get affirmative consent before the software is installed.
What will Lenovo do when the customer says "No"? Delete all data files, perhaps? This FTC deal is less than not a slap on the wrist, it's an instruction to Lenovo to blackmail their customers.
Fuck Lenovo by thechemic · 2017-09-05 17:20 · Score: 0

I will never own a Lenovo device and superfish is only a small portion of the real problem: shitty hardware billed as enterprise/business class.

--
Let's make like a bird... and get the flock outta here.
list of people who should be jailed by Anonymous Coward · 2017-09-05 18:31 · Score: 0

Intel execs, for implementing Intel Management Engine
AMD execs, for implementing the equivalent
Microsoft execs, for backdoors in the OS that cannot be fully disabled
Firefox developers, for allowing telemetry and having geo and google safe browsing enabled by default
Google for spying on users' texts, mail, web activity on their android phones. Having Chrome call home
MacOS for their level of telemetry
CiscoVPN for call home features that cannot be disabled
Tesla keeping track of every statistic of their vehicles' usages and making that data available whenever their vehicles are brought in for regular maintenances
AdBlockPlus for calling home with usage data
$3.5 Million US by Anonymous Coward · 2017-09-06 04:13 · Score: 0

I guess it's technically not a "fine", but Lenovo did agree to pay $3.5 million US as part of the settlement for this case. http://www.reuters.com/article...