Hacker News

Why is it called a snafu when a large international company installs malware into customers' devices, and a cyber attack if it's the Russian mafia? The mafia might also use stronger attacks than just installing adware, but adware is still one of the more common ways binaries are infected with malware.

It would be interesting to hear from an anti-virus company on how many resources are spent yearly on adware research.




And a first class ticket to the nearest prison for an individual.


And every affected computer would be a separate count, so that individual would be looking at a minimum sentence in the millions of years.


Because the Russian Mafia is an external party to the transaction, while the large international company is the one selling the computer in the first place. As unfortunate as it may be, it's accepted as normal these days that discount consumer laptops will come bundled with crap software that the computer manufacturer was paid to install. This particular piece of software crossed the line, but it's a difference in degree, not kind.


This might just be my view, but I don't think it has ever been accepted as normal. It's simply that the sticker price fails to represent the actual price of the product, a common practice throughout history. Once, it was common practice for handymen, construction firms, and automotive repair shops to hide additional costs in contracts. That practice went away quite fast as soon as consumer protection laws required that the cost was upfront and known to the customer. We can also see the exact same pattern with banking and travel, where hidden fees and surcharges were common practice everywhere until companies were forced to start informing customers.

If Lenovo laptops informed the customer prior to sale, then this would be a trade. They could have told the customer about the additional advertisement they would show on the sold device, how much they would earn, what private data they would transfer away from the device and sell. That to me is a difference in kind to what we have here, as I do not see an informed customer willingly accepting the adware deal. I would very much like to see the court judge if there has been a "fraud in the factum", that is, if there has been any "meeting of the minds" between the seller and the customer regarding this "discount consumer laptop".


I wouldn't. Modern judges have done a terrible job of keeping up with technology. It's as likely as not that the judge would rule something crazy like all EULAs are binding contracts and then we'd all be fucked.


That's the point where you take out the EULA from your pocket that says "This EULA applies when X is brought before any judge. If you intend to declare against X then you forfeit all goods, rights, chattels and possessions to X. By bringing X before you you are agreeing to release him without charge. By not destroying this EULA you accept its terms as binding on pain of death." ...

They'd still put you away, or whatever, you'd just then have confirmation that the rule of law doesn't apply in that jurisdiction.


And that's a satisfactory outcome for you?


Not at all. I'm entirely for the rule of law - EULAs are clearly wrong and should be held to be entirely unenforceable. IMO the suggestion that their unilateral terms are legal requirements should instead be met with a severe penalty, it's deception.


Until there is a serious reform of the courts, either by active effort or by sufficient replacement with younger judges, taking things to court is likely only going to bring about the opposite.


"situation normal": OEMs looking for a way to make a quick greasy buck.

"All fked up": self-explanatory.

Not "cyber-attack": despite conspiracy theories I've heard about the Chinese government, my belief is that the intent behind this debacle was the aforementioned quick greasy buck, not backdooring users' computers for subsequent criminal or military exploitation. It's the distinction between murder and manslaughter.


It is most likely a quick greasy buck, but I would guess that many entry level criminals start by infecting binaries with adware and then spread them through download sites. I would not be surprised if a significant portion of revenue for the Russian mafia does come from adware, just because it's so easy to do and has almost no risk associated with it.

This is why I suspect the police would call it a cyber-attack if they busted a ring that earned money this way. A computer security researcher might find a distinction between a trojan, a virus, and adware, which is why I wondered how many resources an anti-virus company spends on adware alone. That number would provide a good hint as to the seriousness of such malware.


The problem with this software is, sadly, not that it was adware at all, but that it was adware which contained a critical security flaw that compromised the computers Lenovo was selling.

If Lenovo had sold the machines with secure adware, there'd be no real problem.



