The Superfish Funder List (qntra.net)
248 points by wglb on Feb 23, 2015 | hide | past | favorite | 84 comments



One of the most effective ways we can shut down companies that make this kind of crapware is public shaming.

Publicly naming companies and executives associated with this horrendous breach of privacy and security should hopefully serve as a deterrent for VCs who are considering making a quick buck by funding companies that are fucking over non-tech literate consumers.


Publicly shaming Comcast doesn't seem to be working, at all. I think it's good in theory, but doesn't work so well in practice.


You and the parent are both right. The problem with Comcast is that many people (I being one of them) have no choice in the matter. It doesn't matter how much I despise my ISP, for they are literally the only game in town. My vocation dictates I have high-speed internet, thus I'm forced to work with Comcast.

Shaming Lenovo or its partners can make a difference because people do have a choice here. There are many laptop vendors out there. And if "Vintage Investment Partners" becomes well enough known as something the public finds distasteful, it could conceivably cause other companies to shun them as well.

You know, at least until they change their name. Still, I'd argue that if people cared enough, this approach would work in non-monopolistic cases.


>>> for they are literally the only game in town

I live in the Midwest and thought the same thing. After some research, I found several smaller companies who offer high speed internet, including the local telecom company.

I guess it boils down to if you're willing to pay more or pay the same and get slightly slower speeds without having to deal with Comcast and their horrible customer service.


> My vocation dictates I have high-speed internet, thus I'm forced to work with Comcast.

Or move. Sorry to sound like a Comcast apologist, but it annoys me when people claim that they’re being “forced” to do something when they aren’t explaining why the obvious alternatives are unacceptable. I mean, maybe you can’t move because of your job. Or maybe you can’t afford to move. Or you have to live where you do because of your health. Or you can’t leave the state for legal reasons.

(This post is not in any way intended to condone or support the actions of Comcast or that of any other ISP.)


I actually think that part of the reason why Comcast has had such a horrific time getting their proposed merger approved is because they suffer from such a horrific reputation.

Obviously, shaming only goes so far... but realistically speaking, besides boycotts and shaming, there really aren't many effective ways to register your disapproval towards privately owned companies.


Comcast has a monopoly in most of the markets in which it operates. This makes a huge difference.


It's misdirected. There need to be legal consequences. There is nothing about maximizing profits that says be a moral citizen when doing so. The only way any corporation will be reined in is through the legal system.

We should be publicly shaming the politicians that let this (Comcast) happen or worse, are a part of the scam.


I'm not so sure about that. Within a few weeks of the Time Warner/Comcast merger announcement (which has still yet to occur), I closed my Time Warner account and opened up one with Verizon.

I don't have a ton of love for Verizon, but certainly the lesser of two evils.


Why is Superfish getting all of the heat, while Komodia gets comparatively very little?

A product that injects ads in your web traffic is crapware, but the scandal here isn't that Superfish was crapware, the scandal is the security hole it introduced, which compromised Lenovo users. Yes, we all hate crapware, but there's a big difference between bothering people with sneaky, unwanted ads, and opening the doors for malicious parties to intercept their online banking credentials.

However, SSL-intercepting software does not need to expose such a security flaw. It was only Komodia's moronic implementation which did so. If instead of using a fixed private CA key, they had generated one on the fly when the software is run for the first time, users wouldn't have been exposed.

Regarding the VCs, I would give them the benefit of the doubt as well. What were they pitched? SuperFish was about shopping using image recognition. For all I know, they raised money on a pitch about offering a search service, and then ended up pivoting. I don't know for sure if that's the case, but it's possible, and the VCs should get a chance to tell their side of the story before being dragged in the mud.


It's not just that Komodia used the same root cert. It goes a bit deeper than that: https://blog.filippo.io/komodia-superfish-ssl-validation-is-...



I was wondering if they even did the validation properly on the Internet facing side. Turns out they don't, wow.


Injecting ads into traffic is basically stealing advertising space from websites. They should sue the living shit out of Lenovo.


That seems like a bad precedent, I don't want my ad-blocker getting sued into oblivion because then I'd have to see ads online... :)


See Superfish advisors who are professors from MIT, Yale... http://www.home.superfish.com/#!board-members/c1whv

Professor Tomaso Poggio, Ph.D. – MIT
Prof. Lior Wolf – MIT/Tel Aviv
Professor Yosi Keller – Yale/Bar-Ilan
Olga Russakovsky, Ph.D. – Stanford (Fei-Fei)
Ron Bekkerman, Ph.D. – University of Massachusetts


They're all in computer vision, machine learning, etc. I doubt they helped for more than the visual search engine.


I doubt the investors really knew about the MITM attacks with the universal private key either. I think Superfish and Komodia did something bad, but the buck should stop with them.


Why? It was probably pressure from the investors that drove them to do it. You can't say to someone "get this done no matter the cost" and then expect to be held blameless when they do something shady.

It's kind of like a mob boss who says to his lieutenant, "Boy, it sure would be helpful to us if that grocery store burned down". How else were they supposed to monetize their tech? They did exactly what everyone else does and found a way to use it for advertising.


Unless they want to be connected to superfish forever, now is the time to publicly distance themselves from it.


You overestimate how much people care outside of the tech community (which is not the same as the academic computing community).


That's a rather strange institutional association listing, or at least Lior Wolf only did a postdoc at MIT, albeit under Tomaso Poggio, who's a Brain and Cognitive Sciences department professor.


What about criminal prosecution? In plenty of jurisdictions this is illegal. Wiretapping, unauthorised access, unauthorised decryption, "hacking", breach of privacy (maybe even copyright infringement; they edited other people's content without their permission) or something like that is usually prosecuted harshly if it's done by an individual. I hope a company does not get away with it.


I hope that there will be legal ramifications to discourage this kind of behavior, but ultimately, the vendor that packaged Superfish with the computers is a Chinese company who will probably claim that this kind of thing is permitted by their EULA.


That's not how it works. Even if your plumber has "I might come back later and take a look at your safe" hidden somewhere in his EULA, it's still burglary. Laws are, thank god, above EULAs.


What does it matter that Lenovo is Chinese and Superfish Israeli?


Although Superfish was founded in Israel, they're headquartered in Palo Alto now.

The nationality of Lenovo is relevant insofar as it affects the applicability of US law. IANAL so I can't say how relevant that fact is, but I suspect it complicates litigation.


As long as Lenovo makes money in the USA, they are easily subject to litigation there.


Damn right. A grand jury can indict without the defendant present (in fact that's how it usually works). Then the US can work to extradite, or just arrest if any of the defendants ever try to enter the US.


Well, you know, we don't even arrest employees of American companies, like anyone on Wall Street.


So what the hell do we buy now? HP's quality has hit rock bottom and is starting to dig, Lenovo is doing their best to destroy the Thinkpad brand, Asus is incapable of making a device without at least one fatal flaw... is Apple the only one making laptops that aren't garbage anymore?


>CoinBase, an similar anti-privacy company

Really? How is looking at public blockchain data at all similar to installing malware?


Some Bitcoiners don't like Coinbase's know-your-customer measures for anti-money-laundering. Reddit's /r/bitcoin has had reports of people being surprised about what documentation they have to provide; or having their accounts shut down because they withdrew their bitcoins to an address Coinbase determined was connected to something shady, or put a joking reference to drugs in their transaction memo field.


But that's entirely because they have to comply with federal law, not because they're "anti-privacy".


[deleted]


Not much IMO, but I said it because it's probably why this writer (an apparent cryptocurrency enthusiast) calls Coinbase an "anti-privacy company".


CoinBase does far more than just look at the blockchain. They go beyond know your customer (KYC) requirements and actively

1. Ask users about income sources and Bitcoin usage, even for low volumes far below legal requirements.

2. Monitor and analyze blockchain transactions for activity they disagree with and close accounts with BTC in these chains, with no prior notice and no evidence of wrongdoing.

When a company is more aggressive at removing users than Chase bank you know there is a problem.


The very notion of a service like coinbase is problematic, and coinbase's implementation is especially poor for privacy. First, they are taking an inherently trustless system and demanding a very high level of trust for AML/KYC requirements, which is unavoidable when dealing with fiat conversions. Why not just trade directly in bitcoin (of course few people want to do this which is why coinbase exists)? Specifically however, coinbase by default keeps your private keys under their control, which is where the bigger violation is IMO. They push everyone to go through their service and not use bitcoin directly, so they can track and control everything. The blockchain may or may not even be involved in some of their schemes (they offer a fiat-fiat service that supposedly involves bitcoin!). This is inevitable, as they are a company out for profit not an idealistic bunch of ancap hackers, but they are not just looking at public blockchain data. Even their name is a conflation, coinbase is a technical term for the block reward transaction.


I suppose the author missed the letter 'd' in this statement.


Apart from discouraging future VCs, legit question - do you think those listed ones had any idea about how exactly it works? I mean, you need to be careful what you support, so I think that list is great anyway, just wondering what it usually looks like.


It's their obligation as owners to know what their portfolio companies are up to. When the big investors who supply capital to these funds ask questions, "We don't know what they are up to" is not a reasonable answer.


As an Israeli, all I can say is that I am ashamed.


As a human, you needn't be culpable for offenses perpetrated by others regardless of their relation to you. If you belong to principles and help the people to foster them, your only shame will be from your own failures; a shame you can actually do something about. I'm a proud American but it doesn't mean what people think it means.


Shouldn't it work both ways then? If you're not culpable for offenses, why are you proud of achievements that you have nothing to do with?


Who said I was proud of achievements? I'm proud of my associations for a number of reasons, all by my own choosing, which is consistent with the aggressions I choose to have nothing to do with.


Jingoism.


Hardly.

Countries inculcate values, educate people on the public dime, support R&D, etc. People should be proud when those policies bear fruit. E.g. Sergei Brin's family emigrated to the U.S. when he was six, because of Soviet discrimination against Jews. E.g. they were graded harder on university entrance exams, or given tougher exams altogether. He went to public high school and college, and went to graduate school at Stanford on a National Science Foundation fellowship. And Stanford, as an institution, heavily benefits from public spending on research.

So why shouldn't Americans take a little credit for Brin's success?


Because they overwhelmingly had nothing to do with it.


You intuitively know that's probably false.

You would have no trouble sketching a ranked list of countries more and less likely to produce Google. You would be shocked to see Google emerge from Burma. You would be surprised to see the world's powerhouse search engine emerge from Greece, Spain, or Italy. Even among the top-tier countries, if you had to put money on it, you'd need an extremely good payoff to bet on anyone but the US.

If the US has "overwhelmingly nothing to do" with the success of Google, you have to believe Brin could have moved to Greece, or even Burma, and successfully built that company. Most of us probably don't even believe he could have succeeded in Germany, or the Netherlands.

Even if you stipulate away all the extrinsic network-effects stuff --- i.e., stipulate he'd have gotten funded despite parking his company in Greece --- you would not place the same bet for his hypothetical attempt to build Google in Greece.


You're completely missing the point. The message I'm responding to says:

"So why shouldn't Americans take a little credit for Brin's success?"

I'm not saying that living in America had nothing to do with it, it obviously did. I'm saying that the overwhelming majority of Americans had nothing to do with it, ergo being proud to be American is, in general, about as warranted as being proud that your favorite team won a tournament.

If you're a founding father, fought in the revolutionary war, influenced legislation in historically significant ways, or did something of the sort, you may have a claim to be "proud", otherwise, you're a spectator, just like most people.


I'm not sure I can get my head around a debt owed to America the country that is not implicitly therefore owed to the American people. Teachers taught at schools that produced the professionals that built Google. Engineers designed the roads that workers built. I could just go on and on listing this stuff. Google benefited from an infrastructure built by all Americans.

I think there's an element of the narrative fallacy implicated in the idea that the historical figures have a cause to be proud of American achievements, but ordinary people don't. Ordinary people are instrumental in everything achieved by those historical figures. The contributions of historical figures are immediately available to our consideration, because our stories revolve around them. Availability is usually a pernicious bias rather than a helpful signal.

later: it's also worth considering whether the fallacy might be in our concept of "pride", and who "deserves" "pride". There are practical reasons to attribute American successes to America; it reinforces them, motivates us to continue doing what works. There are fewer practical reasons to accord accolades to historical figures.


One thing is sure, you can't have it one way only: derive pride from what your countrymen do, while deftly avoiding any blame.


This is severely misguided. If you're Tim Berners-Lee, then yes, Google's success could be a source of pride, because you enabled the success of this company by inventing the web. If you were one of Larry Page's professors, then maybe you can take some pride in the accomplishments of your student. If you're Sergey Brin's mom, you can be proud of how successful the son you raised has become. But that pride has nothing to do with being "British", "American" or "Russian". It has to do with your personal contribution to Google's success.

At the end of the day, either you've had a measurable contribution to something of value, and you can be proud of that, or you didn't, and you don't get to be proud just because people who have a similar passport to yours have.


You insist on using the word "pride", which Rayiner didn't. If you'd like, I'll stipulate that ordinary Americans shouldn't feel "proud" of Google, so that we can move back to the actual discussion of whether Americans should "take a little credit for" Google.


The discussion was started by Tepix which referred to pride. And no, merely being American does not give you credit for Google. For most people, it's very hard to know if they've made the environment better or worse for Google.


If Brin had stayed in Russia, it's almost certain he would not have founded Google. Some American, on the other hand, likely would have.


My pride is not restricted to my birth nation, nor is it manufactured by state media.


> you needn't be culpable for offenses perpetrated by others regardless of their relation to you.

Unless they are your children and you brought them up. Then there's some justification in your feelings.


I would consider neglecting to parent a child an offense. If you did not commit that offense then I would say you still have the right to disassociate yourself from your child's offenses, as sad as that really is. I would probably still choose to own them.


It may be immature but this Adi Pinhas guy sounds like he's a bit of a dick: http://www.home.superfish.com/#!about-us/c1eqi


Sounds? Where? All I see on that page is a photo of him and a LinkedIn link.


I think it's a pun on his surname


What does it say? Ironically my work proxy blocks their website


Surely Mossad are somewhere in there too? I can't imagine an intelligence agency not having an interest in this.


It is a clumsy implementation at best and not ideal for any covert operation, why would a serious intelligence agency have any interest in this?


Free and easy intercepts with a straightforward "it wasn't us!".


Haha fair enough! I guess blaming private companies and investors is a good way to move attention from yourself.


2015 Silicon Valley Startup Hall of Shame award goes to .... Superfish!


Even though I'm Palestinian and these guys are Israeli, should we really be blaming Superfish? This company makes software, seems like a bunch of hackers to me. Lenovo is the real culprit here.


Yes, we should be blaming them. The product serves a bad purpose, and doesn't even have the redeeming quality of being well-implemented.


Not to mention how reluctant they were to even admit the security issues presented by Superfish installations. They (and Lenovo) repeatedly denied that the injection of a trusted root certificate posed a security threat.

Spin your mistakes however you want in a press release, but don't lie about security vulnerabilities that put users at risk.


Both.

Superfish is profiting, they're being held accountable for their actions. Lenovo is responsible, they are being shamed duly.

The same happens with, for example, gun manufacturers and other war profiteers.

I'm not trying to pick a side here, just pointing out: blame doesn't need to fall on just one party. They are partners in crime.


>Even though I'm Palestinian and these guys are Israeli

that has nothing to do with anything.

>should we really be blaming Superfish? This company makes software, seems like a bunch of hackers to me.

More like a bunch of crackers. They produced a nefarious piece of software (which couldn't be used responsibly or in a just way), and it got used in a way that harmed users. Both parties profited from hostile actions, which then hindered the defense of their userbase.

"Should we really be blaming Cult of the Dead Cow? This company makes software, seems like a bunch of hackers to me. The users of BackOrifice are the real culprit here."

(yes, I know, my cyber-threat definition list is frightfully out of date. Maybe I just like cDc)


They deserve their part of the blame. They make a subcategory of software known as "malware". And they're perfectly aware of it (companies making "software" usually don't have to hide from antiviruses).


Eh. Investors invest in lots of companies, some of which make pretty bad mistakes. I think Superfish should be forced to wither on the vine because of this - and especially because it pawned off responsibility by saying, "hey, it was those guys, not us!" as should Lenovo ("it is just theoretical!"), but I doubt the investors explicitly backed something with the intent to break security. Few do.


Few do, I can probably agree with that. But it's not like investors throw money out of the window without knowing where it ends up. They either knew about it and didn't care about it or they just didn't care about it in any case, because following due diligence would've raised some red lights.


Most likely someone showed them some Powerpoint slides, and the hapless investors just did not understand that there could be serious privacy and security implications.

That doesn't mean they aren't responsible and shouldn't burn their fingers; investors actually should look into these things when they decide where to invest.


Depends who the investors are. I know some really first-class ones... then again, I know some dumb ones...


Draper Fisher Jurvetson = SuperFish? Classy.

Ultimately it's worth remembering this is Windows... Microsoft has to be responsible for the crapware installed when people buy a Windows computer. The reasonable conclusion is that if you buy Windows you risk stuff like this because Windows resellers install crapware on top of clean Windows builds.


I used to work in security for one of the big OEM hardware vendors. Microsoft has been working with all vendors for years trying to secure the Windows ecosystem by extending out their SDLC and providing free security services and training to OEM partners.

We used to ship them our consumer laptops for testing, and the result was always the same: "get rid of the crapware". MS is probably more upset about this than anyone, because ultimately this isn't about Windows at all, but people don't differentiate between Windows and the garbage that OEMs throw on their boxes, so they get blamed as well.


Not so sure that you can pile all the responsibility onto Microsoft for this debacle. If your favorite Linux distro were to include some adware crap on it, should Linus take the blame?

Ultimately, Lenovo should take the full blame for this.

edit: grammar


False analogy, for a few reasons.

Linus is the maintainer of the Linux kernel. Linux is a product of the work of many people.

Linux is free, and can be redistributed without securing licensing or rights to do so.

Microsoft Windows is a proprietary product, which many people are only exposed to from the initial install on their bought hardware. The company who supplies the hardware, along with the company that supplies the software engage in contractual deals to allow this to happen.

Microsoft's image benefits when it is known that they do due diligence in checking out the suppliers who they allow to represent their product through licensing.

How are you okay with companies who create malware for corporations for pay? They deserve no responsibility themselves for simply existing with nefarious motivations? Microsoft requires licensing their product to use it, and goes an extra step by providing evaluation of the products which use their licensed software, and are vocally against the addition of crapware; but they take no blame when they allow their product to be continually licensed by a vendor that does harm to the image?

To answer your question: The distribution that is responsible for spreading the adware should be held responsible, as should the developers of that adware. That's likely why Mint became so popular (numbers wise) after all the Ubuntu fiascos in semi-recent history.

I don't think it's as simple as a one-party fault. Sorry.


Linux is free and there's no stopping anybody from doing whatever they want to it.

Windows is not free.

When an OEM licenses Windows for resale in their PCs, that comes with certain terms and conditions about what the OEM can install. If this falls within the terms of the agreement of what the OEM can do, then Microsoft needs to take at least some of the heat.


I agree, I like Windows, and I think Microsoft agrees too... But they also have agreements that come from times that were very different. The official Microsoft store, their own hardware, special new editions are some of the ways they seem to try to get around it. Sucks for users, either they don't know better, they have to build their own/clean their own, or buy from a limited selection.


It's way funnier than that. They can't interfere with crapware because of anti-trust decisions.



