Seems like a small fine, compared to the potential financial benefit of that installation. Hopefully it serves as a deterrent for future adware installs. If not, maybe we start calling our lawmakers.
For those of you in the adware space, would you pay >$10 per head to install your adware onto a computer? My guess is absolutely.
Amazon gives you a $20 discount to take ads on Kindle purchases. The possibility of having to pay $10 only if caught and fined seems like not at all a deterrent.
While I do think the punishment should be significantly more severe (including jail time for executives), I suspect the scandal has made companies aware that this is a bad idea.
I still don't get why it didn't hurt them more in the enterprise space (read: why large companies didn't institute a strict "no lenovo" policy for a couple years). That would have been way more effective than fines.
> I still don't get why it didn't hurt them more in the enterprise space (read: why large companies didn't institute a strict "no lenovo" policy for a couple years). That would have been way more effective than fines.
Using vendor OS images is a rookie mistake in the first place.
Yes, Windows has a feature called Microsoft Windows Platform Binary Table that allows the OEM to embed any executable file they want into the UEFI image which is then automatically run on every boot. Extremely terrifying backdoor mechanism.
Not half as scary as Apple's DEP program. Pretty much everyone is moving this way because it's super convenient for admins -- devices arrive out of the box working and configured. Google has "Zero Touch", Samsung as their Knox program.
I don’t understand about your point about Apple DEP. could you clarify? It’s predominantly used on company-owned laptops and requires an Apple company account or developer license to work. I haven’t seen it used for consumer computers.
I recently was asked by my girlfriends sister to help her choose a laptop. After finding a model that looked good spec-wise I searched for that same model but without Windows pre-installed. It was 150€ cheaper. Then I got a 10€ Windows 10 key from ebay, installed O&O ShutUp and Winaero Tweaker and now it almost feels like a great system that you can actually work with.
Vendor-bloatware has been bad since Windows 7 but now that even Microsoft chose to ship Windows itself with ads, pre-installed garbage like Candy Crush Saga and that annoying Cortana I can't imagine going back to it.
A rather unfair comparison, don't you think? That's like saying "I got a really good deal on a Macbook, all I had to do was pick it up and sprint out of the Apple store!"
It also would have been a better deal if I bought it from the official MS-Store for 145€ because it wouldn't have had all the Lenovo bloatware on it.
I personally don't want to support what Microsoft is doing with Windows so that's why I bought it from a shady ebay seller.
Of course, the more ethical solution would have been to talk her into a GNU/Linux machine but I don't have the time and energy to play IT support for the next six months.
Considering the quality and the fact that Win10 actually serves you adds and sells telemetry information, I think the price should be even lower.
The consumer has the responsibility to check the validity of the product, sure, but this is ridiculously unfeasible for digital licenses. A lot of companies actually do buy these 10$ keys and I don't blame them.
They haven't provided one, but I'm guessing if someone provides a source, it'll be a link to Microsoft's ads products. They'll argue this information _could_ be used to target users for advertisements, even though it might not be.
There are no legitimate Windows licenses that only cost 10€. They may activate but successful activation does not imply that you are not breaching Microsofts license agreement and they may decide to deactivate those licenses at any time
Wasn't the ban on resale of licenses declared illegal at least in some countries? In that case, second hand licenses would very well be legal, even if Microsoft doesn't like them.
This seems like ebay's problem. Why are they not shut down for this? If I came across some software on e-bay, I'd assume it was legit. I just checked ebay and it is full of windows keys. How am I, as a consumer, supposed to know that this is 'illegal'?
Commenting as a reaction would help more than just downvoting of course, because I am still not seeing how, as a consumer, I am supposed to know that those are illegal keys. Other platforms that facilitate fraud on this scale are always forced to take action, yet ebay gets away with it. I am wondering why that is.
The same way you're supposed to know if a bike is stolen. If the given market is grey/shady and the price is excessively low, and you really want to know, you ask (for starters).
If everyone got a "free" bike when you bought a computer then the people who didn't want to use their's and so bothered to sell it would probably sell it for $10 or so?
You can get £20 books for 50p, because either the person has finished using the book, and there are lots of books; or because the person got the book free (as a gift generally) and didn't really want it; or because they bought a copy and got a second copy gifted, etc.
Software isn’t a bike. It might be a special deal Microsoft has with those vendors. Bikes have an intrinsic minimal cost, like materials and shipping, software keys don’t. The average consumer would probably regard windows as something that is free to begin with so seeing it for sale for $10 probably won’t strike them as strange, you get it “free” with your computer after all.
Furthermore, this is not one vendor selling one ‘stolen’ item, it is many, selling many keys. This makes it seems like a legitimate channel for keys to the average consumer. It also makes eBay more responsible if you ask me. It seems to me as if they are making a profit from those sales. If they truly are illegal keys then they should probably do something about it.
I still cant bring myself to purchase a Lenovo product because of this, despite the generally favourable reviews I see on HN regarding the ThinkPads. Its just such a revolting decision to me to do that to a paying customer.
I may just put my money where my mouth is and start the break up with Google too, as painful as that will be. I just dont feel like I align with these fucking companies at all anymore.
SuperFish and other adwares were installed on Lenovos lower-grade laptops and Thinkpads. The X series and T series, the choice of most consumers who care enough to own a Thinkpad, were not affected by this issue[1]. While it's unacceptable for Lenovo to be doing this on ANY machine, I still feel confident that the company understands how consumers view the Thinkpad brand and how reluctant they are to do anything that might tarnish the brand for business and prosumer users.
Absolutely ludicrous. This is basically an incentive for other laptop manufacturers to do the same thing, knowing the punishment (if it even ever comes) is a drop in the bucket compared to the reward.
I'm always surprised that Lenovo use in the enterprise space didn't take a hit after all this came to light. I would have thought competitors like Dell and HPE would have used that opportunity to disparage Lenovo.
No enterprise is using the base windows image that came from Lenovo with the superfish malware. They all build their own standard operating environment image that would not include the Lenovo bloatware. I would be surprised if Lenovo enterprises even realized they were shipping this way and have no reason to react negatively. Their competitors also live in glass houses and so cannot throw stones.
So yes, in a normal case, one would expect to be safe because they are using their own built image. But Lenovo went much further than simply installing crapware, they added a firmware that updates files on startup in the OS to ensure that they had a way to install whatever they wanted onto your system [1].
To add to this, while the Superfish issue only affected their consumer laptop lines (e.g. IdeaPad), the LSE issue was found on their enterprise lineup (e.g. ThinkPad).
Wasn't aware of the LSE issue on enterprise models! This is a feature that would get enterprises angry if it messes with the OS by injecting bins full of vulnerabilities from BIOS. Gross!
No enterprise would use the factory image, but a lot of small businesses would and they were put at risk as a result.
We can of course say they shouldn't have trusted it, but honestly, should it be normal to expect the manufacturer of the machine to be malicious?
Not to mention the other commenters pointed out that they used the firmware to reinstall the malware even on otherwise clean images, so even enterprises could've been at risk.
Lenovo is behaving as an attacker against its customers. That sophisticated customers had defenses for this particular attack is irrelevant. Imagine if iPhones started trying dictionary attacks against their peers on WiFi networks. Would you shrug it off and continue buying Apple products because you trust your password complexity rules?
It’s great that the countermeasures worked this time, but Lenovo is still your adversary. They deserve the same response as any other insider who tries to MITM your traffic: immediate termination, a thorough search for any remaining implants, and an FBI battering ram through their door.
Didn't they also install some malware in UEFI at one point? Which is even worse, since you can install Linux on Lenovo laptops wiping out their pre-installed (but non refundable) Windows, but you can't easily replace UEFI there.
They did have a firmware-based malware dropper. The "only" thing it did was re-infect clean Windows installations, so installing Linux would still mean you'd be fine as the second stage wouldn't be dropped, but of course that's not a technical limitation - they could have built it to also infect Linux, but didn't.
The dropper was passive, abusing a Windows mechanism designed for installing vendor software, in which Windows looks for such software and executes it.
Linux does not go diving in UEFI looking for executables to run.
I wonder how costly this particular class-action suit was for Lenovo?
This is, the 7.3 MUSD to be paid, plus the prorated expenses to compensate the employees handling the case, plus court fees, plus travel expenses, etc., but ignoring factors like lost sales, other fines and settlements, etc.; is the final figure still around 7.3 MUSD, or would it be significantly more?
I do this on 100% of my computers now. I thought there was a risk of losing some functionality like the touch screen, but everything works and far better than when I bought it.
IBM Thinkpad t43p was my first heavy duty laptop. In 2005 IBM made a mistake that someone in their management must regret to date, selling Thinkpad laptop line to Lenovo. Things went downhill for Thinkpads and I lasted 3-4 more generations before finally giving up.
Thinkpad had a shot at being the world's most loved laptop, by developers and businessman on the go.
Passion for great products and great user experience is clearly not what drives the thinkpad product line today, and that is regretful. It is one of those business that I would love to run.
Thing is, Thinkpads are still the best productivity laptops on the market. Which isn't to say that your observations aren't true, but more of a comment on the general state of that market...
Thinkpads were actually manufactured by Lenovo right from the start, they were only badged by IBM.
But even then, why should anyone at IBM care what happened to the brand after they sold it? I know some creators love their product lines and such and care about posterity, but, IBM!
Did Lenovo really manufacture them back in 1992? From what I gather they only started in 2005?
Even then it's like saying iPhones manufactured by Foxconn are only badged by Apple. The original IBM Thinkpads all the way up to the T43 were developed by IBM and built/designed significantly better than the ones today. Also a large selling point of the old models was the software (!), which made some things easier.
Maybe nationalization should be an option when a company, say PG&E for example, has poorly maintained equipment that starts forest fires. It seems reasonable that an option like that should be on that table as a deterrent reserved for the worst actors.
I don't think that anything like that should have happened here, but the fine of ~$10 a laptop does seem a bit low for MitM.
This turns a problem company into a problem government bureaucracy. Cleaner to fine the company into oblivion, put it into bankruptcy--thereby teaching its shareholders and creditors a hard lesson--and then let the market figure out if it's worth more liquidated, split up into bits, or sold to a new owner.
This descends pretty quickly into politics, but Nationalised infrastructure should be managed by a government organisation who's goal is to deliver a quality product at (or slightly above) cost.
These organisations in turn report to the executive government of the day, who's interests should be aligned with that of the citizens they were elected to represent.
Nationalized infrastructure is a good way to create poor service, and a long lasting debt. Look at pretty much every country in Europe with national railtracks and rail lines: massively bleeding money, with worse and worse service and low levels of investements because there is no incentive to do so.
There are countless examples in Europe were privatized infrastructure actually has been bought back by the public because it has been neglected by the private holder.
It's not because there are failures of the private sector that it dooms the idea completely. But failures of operating train lines under national supervision is rather the rule than the exception. Look at the TGV in France, which is a complete commercial failure that needs constant government intervention to keep it afloat.
Other comments already pointed out counter-examples from the UK etc., so let me give you a German one:
The Berlin public transport system was running perfectly fine until it was privatized.
Now the infrastructure is starting to degrade, it's gotten less punctual by objective metrics and it has also gotten much more expensive. The new owners are basically just milking the ever living hell out of it because they know they can.
It's gotten so bad there's now a lot of talk that it should be nationalized again.
In Japan the government kept essentially all the companies' debt, and incurred the cost of the 80k employees that were fired. And even now the profitable companies seem to get their profits from shops at the train stations.
And from the 6 companies the public railroad was split into, not all are successful: "JR Hokkaido expects to incur a record pretax loss of ¥23.5 billion in the year that ended in March [2017], with the company’s president likening its loss-making business structure — due to loss of passengers caused by falling local populations and the expansion of expressway networks — to “a bucket with holes in the bottom."
Of course, you can't have successful train operations in low density areas. Hokkaido, Shikoku, and the extreme west of japan is doomed in that regard. I don't even know how you could expect things to turn differently. But in Tokyo, and Kansai, the private train companies are doing very well.
But that's the point - the profitable tracks were probably profitable before privatization, too (no idea about Japan, but it was the case in Germany). Service in low density areas is the crux of the matter: railroad is a necessary infrastructure there, and if a nation wants to keep quality of life high in these areas, the tracks have to be operated at a loss.
It's the same with postal services, broadband access and similar infrastructure.
Of course a society as a whole can decide to stop subsidizing these low density areas, but that discussion is largely orthogonal to the privatization topic.
Your comparison is probably not accurate. The situation now is completely different from 30 years ago. Cars have become much cheaper at the same time, there are low cost options for travelling larger distance like planes and buses, that did not exist as much before. This is not a single variable environment here.
On top of that, railroads (the actual rails and public transport lines) also tend to be a somewhat natural monopoly, so even the high profit lines veer towards minimal service and maximal price.
Completely wrong about the monopoly part. In the US most of the road tracks were created and driven by private companies. And they were competing on destinations and cost.
In Japan right now there are multiple lines that you could take to reach the same destination so there is actually a lot of competition going on.
There's a limit on the amount of subway lines you can squeeze under a city.
Nobody is going to run a parallel lines.
The most a government can do is figure out beforehand which private company would build and run those cheapest for a certain line, but then you end up with the cheapest solution again, which is not the solution you actually want for infrastructure your economy depends upon.
Also, as the parent pointed out, Japan is a good example for why private companies by themselves aren't enough to run infrastructure like that, since you still need it even
if they are unprofitable. And so they need government subsidies. You end up with a company
paid for by the tax payer - as if it was nationalized - but with much less control by the government. Basically a money sink that isn't accountable to the tax payer. We have that in Berlin after the public transport was privatized. Can't recommend.
> There's a limit on the amount of subway lines you can squeeze under a city. Nobody is going to run a parallel lines.
Tokyo is a good counter example: you have metro lines and multiple ground lines, and buses, all competing against each other.
> Japan is a good example for why private companies by themselves aren't enough to run infrastructure like that,
What is your point? Japan is exactly the right example here, you have country-wide private companies operating and running an excellent service (world class) at reasonable cost.
So, somewhat offtopic. I'd like to buy some tablets as presents and the Lenovo ones seemed well rated for the price. Are there others that are made by a, umm, nicer company? I'm looking for cheap and reliable rather than performant.
Last year I bought a Fire 7 for black friday, then rooted it and replaced the amazon OS with LineageOS and the Play Store. Made for an excellent cheap tablet gift which is still being used today.
I can't really comment on the iPad idea but in the context of Lenovo's malware install...
If you're purchasing a computer with Google software on it aren't you already handing everything to Google?
So is a Chromebook really an alternative if you're rejecting Lenovo tablets for poor security/privacy?
I've been interested in Chromebook hardware but have rejected them for security reasons previously. I'd be interested to hear other people's opinions on the mater.
For those of you in the adware space, would you pay >$10 per head to install your adware onto a computer? My guess is absolutely.