Businesses Privacy Software The Almighty Buck

Lenovo Won't Pay a Fine For Preinstalling Superfish Adware (theverge.com)

An anonymous reader shares a report: In 2014, Lenovo began bundling a third-party adware program called "Superfish" into its consumer PCs. Now, nearly three years later, the company is facing the consequences. Today, Lenovo settled a lawsuit by the Federal Trade Commission over the Superfish adware, agreeing to get affirmative consent for any future adware programs, as well as audited security checks of their software for the next 20 years. Installed on Lenovo laptops between September 2014 and January 2015, Superfish was granted root certificate access, allowing it to insert ads into even HTTPS-protected webpages. According to the FTC's indictment, breaking HTTPS presented a clear risk to consumers -- but Lenovo isn't going to have to pay for putting customers at risk. Instead, the settlement requires Lenovo to give clear notice to customers of any data collection or ad-serving programs bundled on their laptops, and get affirmative consent before the software is installed. Lenovo also agreed to conduct an ongoing security review of its bundled software, running regular third-party audits for the next 20 years.
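The summary's key technical point is that Superfish worked by being granted root certificate access, so the machine trusted whatever certificates the adware minted and ads could be spliced into HTTPS pages. The quickest defender-side check for that class of problem is an audit of the Windows root stores for trust anchors that should not be there. The script below is an added example written for this page; it is not from the article, the FTC, or Lenovo. It assumes it runs in an elevated PowerShell session on the machine being checked, that the `$Baseline` thumbprint list is filled in from a known-clean build (left empty here), and that "Superfish" is the only watch-list name (the only one the story gives).

```powershell
# Added example (not from the article or Lenovo): audit the Windows root
# certificate stores for locally added trust anchors of the kind Superfish
# relied on. Run in an elevated PowerShell session on the endpoint.

# SHA-1 thumbprints of roots expected on this image. Left empty here; fill it
# from a known-clean build so that anything else is reported as unexpected.
$Baseline = @()

# Subject strings that should never appear as a trust anchor. "Superfish" is
# the name given in the story; extend from your own threat intelligence.
$WatchList = @('Superfish')

function Get-SuspiciousRoots {
    param(
        [string[]] $Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert    = $_
            $reasons = @()

            # Only meaningful once a baseline has been recorded.
            if ($Baseline.Count -gt 0 -and $Baseline -notcontains $cert.Thumbprint) {
                $reasons += 'not in baseline'
            }

            foreach ($name in $WatchList) {
                if ($cert.Subject -like "*$name*") {
                    $reasons += "subject matches '$name'"
                }
            }

            # A root CA whose private key is present on the endpoint can sign a
            # certificate for any site on the fly, which is exactly what local
            # HTTPS interception (ad injection included) needs.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present on this machine'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report every flagged trust anchor; an empty table means nothing matched.
Get-SuspiciousRoots | Sort-Object Store, Subject | Format-Table -AutoSize
```

The three checks are independent: the watch-list catches a known offender by name, the baseline catches anything added since the image was built, and the private-key test catches the general pattern of a local interception root regardless of who installed it. A hit should be followed by removing both the certificate and the software that installed it; the twenty-year audit obligation in the settlement is the organisational version of running this kind of check before an image ships.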
  • Customers were superfish to think that a ruling could be in their favor.
  • So they get a slap on the wrist. Especially since they are only agreeing to SOFTWARE audits with no mention of a hardware audit.
    • by Anonymous Coward

      Right? Any individual would be arrested, threatened with 15-life in federal prison and then left to hang themselves in their cell...

      Corporations, not so much

      I will agree that corporations should have the same rights as individuals when they are regularly found hanging in their cells while being tried for their crimes.

      • Re: (Score:3, Informative)

        by jellomizer ( 103300 )

        But who should be jailed?
        Most of the problem in the company comes from a lot of people making a small lapse in judgement.

        CEO - We need to sell our products for less money
        Middle Management - Company X will pay us money to install their software on our PCs. This way we can sell our product for less.
        Engineer - Let's just install this software, it isn't worth putting our jobs at risk because of our concerns.

        There is responsibility across the whole company. To jail the CEO for just saying they need to sell their

        • by Opportunist ( 166417 ) on Tuesday September 05, 2017 @02:02PM (#55142095)

          It is the CEO's responsibility to know what's going on in his company. What the fuck is that idiot good for if he doesn't? The "decisions" made at that level could be gained from a magic-8-ball with at least the same level of quality.

          • by plover ( 150551 ) on Tuesday September 05, 2017 @02:28PM (#55142359) Homepage Journal

            The CEO is the only one who can make the changes all the way down. If the CEO's written policy is "don't install slimeware on our clients' machines", then that message is going to get passed down to the VPs and Directors. If their jobs and bonuses are at risk because they let a manager install slimeware, they're going to say "Teams, don't install slimeware." And if the engineers know that if they get caught installing slimeware they will be tarred and feathered, they won't do it.

            Therefore, to solve the problem you might try to throw a few CEOs in jail now, and keep throwing them in jail until the rest get the message. Much cheaper than prosecuting hundreds of engineers and middle managers. Seems like a good idea, right?

            The real problem is that everyone knows it's darn profitable to install slimeware on client computers. All it will really do is get the rest of the C level execs in the industry to hire better lawyers, to find legally defensible loopholes around the rules, and to "donate" more to various "pro-business" politicians in order to change the laws. And you and I will still end up with slimeware in our new PCs.

          • It is the CEO's responsibility to know what's going on in his company. What the fuck is that idiot good for if he doesn't? The "decisions" made at that level could be gained from a magic-8-ball with at least the same level of quality.

            CEO positions are largely political and superficial in nature. Kind of like how we elect one person to be in charge of 300 million US Citizens as the "CEO" of America.

            That said, why in the fuck would a CEO give a shit about what's going on? The only thing they care about is if they can make money off selling a product or service, legal or otherwise. And the reason I dismiss legality so easily is they've already proven no matter if you're caught, it's worth it. Bankers operate on this model every fucking

        • by zlives ( 2009072 )

          The buck stops nowhere?

          CEO - i am just the chief, i don't know how the injuns work
          Middle Mgmt - i was just following orders and relaying those orders to engineers
          Engineer - all i could do was what i was told, so i leaked the info as best i could.

          it's inconvenient so nobody should be punished.

          • The order had to come from somewhere. You find who it is, punish them and their immediate supervisor, and maybe a couple of compliance officers. If you can't find out who acted beyond their brief, or if this happened within company guidelines, the CEO and maybe the CTO / CIO or what have you are on the hook. Maybe not jail time but stiff fines at the least... coming out of their personal wallets, not the company coffers.
        • by thomn8r ( 635504 ) on Tuesday September 05, 2017 @02:05PM (#55142141)

          But who should be jailed?

          The entire C-suite - everyone with "chief" or "executive" in their title

          C?O's are paid zillions because of all the alleged responsibility they shoulder; with great rewards comes great risks.

        • by Z00L00K ( 682162 )

          CEO and board of directors at the time of the decision to include it are responsible. And if it's a major shareholder involved in the decision then bring them in as well.

          Guillotine is a suitable punishment.

        • If only software / IT people had PE powers and could then tell the CEO "hell no, find your own PE willing to lose their cert over this".

        • by rtb61 ( 674572 )

          'ER', all of the above, with longer rehabilitative custodial terms for those with the greatest responsibility for decisions and actions, keeping in mind laws with regard to accessory before and after the fact. Everyone who participated in a corporate criminal act or was aware of it and failed to act, should face a criminal penalty, whether 10 or 1,000. As for the rest of us, so for the slimy scum hiding in corporations.

      • The real solution, if the goal is preventing things like this from happening, is proportional fines (i.e. an independent accounting firm determines how much money the company made from its misconduct and they are fined, say, 5 times that amount). If misconduct is unprofitable they will stop doing it; if a CEO continues doing it when he should know it will be unprofitable, he can be found personally liable to the shareholders for fiduciary misconduct.
    • I would be suspicious of any firmware on a Lenovo laptop. Ironically, firmware hackers love Lenovo laptops.
    • by Nutria ( 679911 )

      Pfft.

      You seem to have the crazy idea that audit findings (whether hardware or software) are made public. Or that exceptions aren't regularly granted by the auditors. Or that auditors aren't almost mechanistic in only looking for the boxes they must check off.

  • by evolutionary ( 933064 ) on Tuesday September 05, 2017 @01:41PM (#55141909)
    With these kinds of verdicts, what is going to deter other laptop vendors from doing this to their customers... or... is that what the government wants, as they get access to all that data upon request?
    • by Anonymous Coward

      Am I the only one that does a totally fresh OS install on every computer I buy?

      • by fearlezz ( 594718 ) on Tuesday September 05, 2017 @03:03PM (#55142703)

        I'd like to remind you of this piece of Lenovo crapware that survives reinstallation.
        https://tech.slashdot.org/stor... [slashdot.org]
        Just don't buy Lenovo if you care about privacy or security.

        • by Anonymous Coward

          Sadly they're one of the best laptop manufacturers. They still provide service manuals for their laptops.

          • by pnutjam ( 523990 )
            So do Dell and HP, if you buy their business class equipment. Dell has excellent instructions, just stick with the Latitude line. Bonus, parts are easy to come by and inexpensive.
        • Don't own it, have no intention of buying it. My next laptop is probably a Toughbook (wiped with Linux installed and maybe a Windows xp/7 Virtual OS), or maybe a Fujitsu Portable Workstation (high specs)
      • This is what I thought when I bought my Lenovo laptop: the laptop is partially paid for by all the crapware they install, which is fine if you are going to wipe it out.

        But the hardware itself turned out to be really bad as well. The webcam stopped working after 6 months because the ribbon didn't survive opening/closing the lid, and the plastic overall is crap.

        I don't think I'll ever buy another one.

        There are other brands like Toshiba that install the same crapware paying part of the laptop, but I've seen simil

    • With these kind of verdicts

      If you can't tell what a verdict is, how can you hope to have any idea what the implications are or are not?

  • by Opportunist ( 166417 ) on Tuesday September 05, 2017 @02:00PM (#55142067)

    The next time you plan to install a rootkit on PCs and spy on people, first found a corporation. Then it's apparently no longer a crime.

  • Now, nearly three years later, the company is facing the consequences.

    ...

    Lenovo isn't going to have to pay for putting customers at risk

    They literally got less than a slap on the wrist. They'll just put some super small print in with their 500 page long EULA and continue on with business as usual.

    • Interesting theory, however if they had been given a fine people would make the same complaint; a fine doesn't change their behavior, they should have been subjected to a consent decree. If they get a consent decree, the same people complain that without a fine there must not have been a punishment.

      For your comment to have value, you have to actually say words that support your claim that it is less than a slap on the wrist. What good is a bare conclusion, with no reasons or analysis?

      Also, a EULA it is a valid

  • Am I the only one that immediately wipes/reloads a machine when buying it? Hell, I usually give away the drives that come with PCs and put cheap SSDs in them, so I'm always starting fresh... I'll take the hassle of a fresh install for the subsidy that companies pay to preinstall their crap. Doesn't affect me one bit anyways.
    • by Misagon ( 1135 )

      Where do you get your legitimate copy of Windows installation disks?
      Any normal person would not buy a new clean set from Microsoft but instead use the disks he got with the machine - the Lenovo disks that would have the malware.

      • You download the Windows Media creation tool, and it will make you a USB drive for installing windows. Then, insert new SSD, boot from USB, install Windows, and after first boot, it will find your license based on digital hardware signature and activate. If it doesn't find it automatically, there are many tools that will read the Windows key from UEFI, and you simply activate with the license included with the PC.
    • by tomxor ( 2379126 )

      Am I the only one that immediately wipes/reloads a machine when buying it? Hell, I usually give away the drives that come with PCs and put cheap SSDs in them, so I'm always starting fresh... I'll take the hassle of a fresh install for the subsidy that companies pay to preinstall their crap. Doesn't affect me one bit anyways.

      You are probably the 100th person who has commented this... Superfish self-installed via firmware; if you used Windows there was no escape no matter how many times you wiped your block device, it's installed prior to the OS booting.

      You can't just install a new OS and expect to have complete control over your computer these days, hardware is the new attack vector for everything since it's become way more soft and full of large pieces of firmware, people have been trying to make lenovo EFI firmware replacements f

  • Fake news on /. ? (Score:3, Informative)

    by szy ( 4052287 ) on Tuesday September 05, 2017 @04:18PM (#55143365)

    Lenovo will pay $3.5M. Source 1 [engadget.com] Source 2 [usatoday.com]

    TL;DR There was no fine by the FTC, but they will pay a settlement on another lawsuit.

    Both the title and summary here, as well as the TFA are misleading. Come on /. check your facts!

  • This case is especially bad because it wasn't just once that Lenovo slipped on this... Superfish was only the first of 3 times the company was caught red-handed with shady tactics:
    http://www.makeuseof.com/tag/n... [makeuseof.com]

    It's why I don't recommend their stuff anymore, nor will I ever buy anything from Lenovo ever again.
    Unfortunately, the overall tech press keeps advertising their shit and falling head over heels for it.

  • I will never own a Lenovo device and superfish is only a small portion of the real problem: shitty hardware billed as enterprise/business class.
