Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lenovo Won't Pay a Fine For Preinstalling Superfish Adware (theverge.com)

Posted by msmash on from the getting-away-with-it dept.

An anonymous reader shares a report: In 2014, Lenovo began bundling a third-party adware program called "Superfish" into its consumer PCs. Now, nearly three years later, the company is facing the consequences. Today, Lenovo settled a lawsuit by the Federal Trade Commission over the Superfish adware, agreeing to get affirmative consent for any future adware programs, as well as audited security checks of their software for the next 20 years. Installed on Lenovo laptops between September 2014 and January 2015, Superfish was granted root certificate access, allowing it to insert ads into even HTTPS-protected webpages. According to the FTC's indictment, breaking HTTPS presented a clear risk to consumers -- but Lenovo isn't going to have to pay for putting customers at risk. Instead, the settlement requires Lenovo to give clear notice to customers of any data collection or ad-serving programs bundled on their laptops, and get affirmative consent before the software is installed. Lenovo also agreed to conduct an ongoing security review of its bundled software, running regular third-party audits for the next 20 years.

12 of 86 comments (clear)

  1. No Hardware Audit Too? by ossuary · · Score: 2

    So they get a slap on the wrist. Especially since they are only agreeing to SOFTWARE audits with no mention of a hardware audit.

    1. Re:No Hardware Audit Too? by jellomizer · · Score: 2, Informative

      But who should be jailed?
      Most of the problem in the company comes from a lot of people making a small lapse in judgement.

      CEO - We need to sell our products for less money
      Middle Management - Company X will pay us money to install their software on our PC, This way we can sell our product for less.
      Engineer - Lets just install this software, it isn't worth putting our jobs at risk because of our concerns.

      There is responsibility across the whole company. To jail the CEO for just saying they need to sell their product for less, seems unjust.
      To jail the Middle Management for making an agreement with an other company seems unjust
      To jail the engineer who is pressured to keep their job, is unjust.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:No Hardware Audit Too? by Opportunist · · Score: 4, Insightful

      It is the CEO's responsibility to know what's going on in his company. What the fuck is that idiot good for if he doesn't? The "decisions" made at that level could be gained from a magic-8-ball with at least the same level of quality.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:No Hardware Audit Too? by thomn8r · · Score: 3, Interesting

      But who should be jailed?

      The entire C-suite - everyone with "chief" or "executive" in their title

      C?O's are paid zillions because of all the alleged responsibility they shoulder; with great rewards comes great risks.

    4. Re:No Hardware Audit Too? by plover · · Score: 4, Insightful

      The CEO is the only one who can make the changes all the way down. If the CEO's written policy is "don't install slimeware on our client's machines", then that message is going to get passed down to the VPs and Directors. If their jobs and bonuses are at risk because they let a manager install slimeware, they're going to say "Teams, don't install slimeware." And if the engineers know that if they get caught installing slimeware they will be tarred and feathered, they won't do it.

      Therefore, to solve the problem you might try to throw a few CEOs in jail now, and keep throwing them in jail until the rest get the message. Much cheaper than prosecuting hundreds of engineers and middle managers. Seems like a good idea, right?

      The real problem is that everyone knows it's darn profitable to install slimeware on client computers. All it will really do is get the rest of the C level execs in the industry to hire better lawyers, to find legally defensible loopholes around the rules, and to "donate" more to various "pro-business" politicians in order to change the laws. And you and I will still end up with slimeware in our new PCs.

      --
      John
  2. Not even a slap on the wrist by evolutionary · · Score: 2

    With these kind of verdicts, what is going to deter other laptop vendors from doing this to their customer...or...is that what the government wants, as they access to all that data upon request.

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:Not even a slap on the wrist by fearlezz · · Score: 3, Informative

      I'd like to remember you of this piece of Lenovo crapware that survives reinstallation.
      https://tech.slashdot.org/stor...
      Just don't buy Lenovo if you care about privacy or security.

      --
      .sig: No such file or directory
  3. So listen and learn by Opportunist · · Score: 3, Insightful

    The next time you plan to install a rootkit on PCs and spy on people, first found a corporation. Then it's apparently no longer a crime.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Superfish? by zlives · · Score: 2

    it will be spelled out clearly in the 10 page EULA.

  5. Re:Shame considering the Linux compat... by Junta · · Score: 2

    Lenovo isn't a root CA. In fact, superfish didn't have *lenovo* as a CA, it added Komodia's certificate, which was part of Superfish product (a california based company, incidentaly), which also is not a root CA, it installs a new CA certificate (with the private key in the clear).

    Basically Lenovo didn't vet the software it was paid to install well enough, and a lazy California company picked up Komodia's technology, with each presuming the next was smarter then they were about security.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  6. Re:Who doesn't start fresh?!? by tomxor · · Score: 2

    Am I the only one that immediately wipes/reloads a machine when buying it? Hell, I usually give away the drives that come with PCs and put cheap SSDs in them, so I'm always starting fresh... I'll take the hassle of a fresh install for the subsidy that companies pay to preinstall their crap.. Doesn't affect me one bit anyways.

    You are probably the 100th person who commented this... Superfish self installed via firmware, if you used windows there was no escape no matter how many times you wiped your block device, it's installed prior to the OS booting.

    You can't just install a new OS and expect to have complete control over your computer these days, hardware is the new attack vector for everything since it's become way more soft and full of large pieces of firmware, people have been trying to make lenovo EFI firmware replacements for some time, but when something like IME get's pwned or Intel A) go pure evil B) hand over their private keys to the highest bidder or C) are forced to by some three letter government agency... it's going to get way more fun, the 21st century security "duh" will be "what? didn't you buy open source hardware and verify the microcode and firmware?, well then you deserved to get hacked".

  7. Fake news on /. ? by szy · · Score: 3, Informative

    Lenovo will pay $3.5M. Source 1 Source 2

    TL;DR There was no fine by the FTC, but they will pay a settlement on another lawsuit.

    Both the title and summary here, as well as the TFA are misleading. Come on /. check your facts!