
https://www.computerworld.com/article/2890166/lenovo-to-flus...

I have no trust for Lenovo after this incident.




Lenovo's consumer division and ThinkPad division are two very different business lines with different roots and culture. ThinkPad came from the IBM PC acquisition and never had the spyware that the consumer machines had for a while. ThinkPad customers are mostly large (and small) corporations who would never put up with that.

You may still choose not to trust Lenovo, but it's worth noting the difference between ThinkPad and the consumer line.


After they replaced the menu key with the printscreen (!) key, I'm not so sure that this distinction exists anymore. They should have never played around with the keyboard.


Oh, I agree completely! I didn't mean to imply that Lenovo has been a perfect steward of the ThinkPad brand, far from it. But I think there is still some distinction vs. IdeaPad, especially regarding the malware being discussed here.

If you're running Windows, you can use AutoHotkey to turn PrtSc back into a Menu key, while keeping access to the screenshot function when you use the Windows key as a modifier. Just copy this snippet into a .ahk script that you run at startup:

  ; Remap the PrtSc key:
  ; PrtSc -> Menu (like an old ThinkPad keyboard)
  ; Windows+PrtSc -> Screenshot of all monitors
  ; Windows+Alt+PrtSc -> Screenshot of current window
  PrintScreen:: AppsKey
  #PrintScreen:: PrintScreen
  #!PrintScreen:: Send {Alt Down}{PrintScreen}{Alt Up}

This doesn't fix all the keyboard changes, but at least it makes that one pretty easy to live with.

https://www.autohotkey.com/


Things happen.

It's embarrassing to have to disclose such a thing to the public, but they did. I don't recall anything nefarious and they owned up - to at least some extent.

That is more than a lot of companies can say. Is that the ONLY reason why you dis Lenovo? Because if so, it makes them that much more attractive in my book of flippant remarks.


> I don't recall anything nefarious...

Deliberately bundling adware that injects fake results with affiliate links into search engines [1] on their machines seems nefarious in itself. The MITM of SSL connections just seems like an unexpected added bonus on top, and it took the US Department of Homeland Security to make Lenovo own up to it [2].

[1] https://thenextweb.com/insider/2015/02/19/lenovo-caught-inst...

[2] https://www.reuters.com/article/us-lenovo-cybersecurity-dhs/...


I want to emphasize how bad the TLS MITM malware was (adware is too nice a term): they installed a TLS MITM attack by adding the same CA public key to the trust store of every non-business device they sold, and proxied the internet traffic through an on-device proxy that contained the private key to that CA. Yes you read that right: every device with this malware had the public and private key used to decrypt the TLS traffic of every other device with this malware, effectively exposing every user to have all of their traffic not only decrypted, but also MITM'd again. Not only was it malicious, it was incompetent too.

I don't consider this a technical failure, it's a business failure. One of two options remains: either nobody in Lenovo reviewed this software from a privacy and security perspective, or they did review it and the business deal overruled the security team's ability to veto it. Either way, this indicates an organizational dysfunction so severe there's no way I can trust Lenovo with my personal or business security again.
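The comment above describes a trust-store compromise: a root CA that no vendor or enterprise ever intended to ship, present on every affected machine. The practical defender's check for that class of problem is a baseline comparison of the machine's trusted roots against a known-good list. The script below is an added example, not code from the thread or from Lenovo; it parses a PEM bundle of trusted roots, computes SHA-256 fingerprints over the DER bytes, and reports any root not in the baseline. The two "certificates" it contains are constructed placeholder bytes (not real X.509 data) so that it runs offline; `SAMPLE_BUNDLE`, `BASELINE` and the `find_unexpected_roots` helper are all assumptions of this example.

```python
import base64
import hashlib
import re

# Constructed placeholders standing in for DER-encoded root certificates.
# They are NOT real X.509 certificates; fingerprinting only needs the raw
# bytes, so arbitrary bytes are enough to exercise the audit logic offline.
VENDOR_ROOT_DER = b"constructed-vendor-root-der-bytes"
INJECTED_ROOT_DER = b"constructed-injected-root-der-bytes"


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-char base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# A constructed trust-store export containing one expected root and one
# that the baseline does not know about.
SAMPLE_BUNDLE = to_pem(VENDOR_ROOT_DER) + to_pem(INJECTED_ROOT_DER)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def parse_pem_bundle(text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, upper-case hex, no colons."""
    return hashlib.sha256(der).hexdigest().upper()


def find_unexpected_roots(bundle_text: str, baseline_fps) -> list:
    """Fingerprints of roots present in the bundle but absent from the baseline.

    baseline_fps may use the colon-separated form many tools print;
    both forms are normalised before comparison.
    """
    baseline = {fp.replace(":", "").upper() for fp in baseline_fps}
    return [fingerprint(der) for der in parse_pem_bundle(bundle_text)
            if fingerprint(der) not in baseline]


# Baseline: the set of root fingerprints the vendor image is known to ship.
# Here it is constructed from the vendor placeholder only.
BASELINE = {fingerprint(VENDOR_ROOT_DER)}


if __name__ == "__main__":
    for fp in find_unexpected_roots(SAMPLE_BUNDLE, BASELINE):
        print("root not in baseline:", fp)
```

In practice the bundle would be an export of the machine's trusted roots and the baseline a list of fingerprints captured from a clean vendor image or published by the enterprise PKI team; any fingerprint the audit reports is then investigated rather than trusted. A root that appears on many machines but in no baseline, as in the incident described above, shows up immediately under this check.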


> Is that the ONLY reason why you dis Lenovo?

They installed spyware. That is more than enough reason to lose trust. IIRC, they did it more than once too[1].

If that isn’t cause enough, what is? Would it take pre-installed ransomware to lose trust?

https://thehackernews.com/2015/09/lenovo-laptop-virus.html?m...


> They installed spyware. That is more than enough reason to lose trust.

I agree on principle, but Lenovo is no less trustworthy than any Smart TV manufacturer, such as Samsung, Sony, or LG.

It has become a common industry practice to subsidize consumer hardware with pre-installed spyware. The only solution here is to replace the pre-installed OS with an open-source alternative.

I would still pick Lenovo ThinkPad running Fedora Workstation over any iMac or Macbook product.


Well, yes, but at least I can refrain from setting the Wi-Fi password in my TV and still end up with a perfectly working TV (I do.) A computer without Internet is not very useful nowadays.


Well, until TV manufacturers choose to add a GSM module to TVs :)


And that shouldn't be far away:

https://en.wikipedia.org/wiki/ESIM


> I don't recall anything nefarious

If an SSL backdoor installed by the OEM doesn't strike you as nefarious, I have beachfront property in Arizona to sell you.



