2017-09-05
Lenovo Won't Pay a Fine For Preinstalling Superfish Adware (theverge.com)
An anonymous reader shares a report: In 2014, Lenovo began bundling a third-party adware program called "Superfish" into its consumer PCs. Now, nearly three years later, the company is facing the consequences. Today, Lenovo settled a lawsuit by the Federal Trade Commission over the Superfish adware, agreeing to get affirmative consent for any future adware programs, as well as audited security checks of their software for the next 20 years. Installed on Lenovo laptops between September 2014 and January 2015, Superfish was granted root certificate access, allowing it to insert ads into even HTTPS-protected webpages. According to the FTC's indictment, breaking HTTPS presented a clear risk to consumers -- but Lenovo isn't going to have to pay for putting customers at risk. Instead, the settlement requires Lenovo to give clear notice to customers of any data collection or ad-serving programs bundled on their laptops, and get affirmative consent before the software is installed. Lenovo also agreed to conduct an ongoing security review of its bundled software, running regular third-party audits for the next 20 years.
It will be spelled out clearly in the 10-page EULA.
Right? Any individual would be arrested, threatened with 15-life in federal prison and then left to hang themselves in their cell...
Corporations, not so much.
I will agree that corporations should have the same rights as individuals when they are regularly found hanging in their cells while being tried for their crimes.
But who should be jailed?
Most of the problem in the company comes from a lot of people making a small lapse in judgement.
CEO - We need to sell our products for less money
Middle Management - Company X will pay us money to install their software on our PCs. This way we can sell our product for less.
Engineer - Let's just install this software; it isn't worth putting our jobs at risk because of our concerns.
There is responsibility across the whole company. To jail the CEO for just saying they need to sell their
It is the CEO's responsibility to know what's going on in his company. What the fuck is that idiot good for if he doesn't? The "decisions" made at that level could be gained from a magic-8-ball with at least the same level of quality.
The CEO is the only one who can make the changes all the way down. If the CEO's written policy is "don't install slimeware on our client's machines", then that message is going to get passed down to the VPs and Directors. If their jobs and bonuses are at risk because they let a manager install slimeware, they're going to say "Teams, don't install slimeware." And if the engineers know that if they get caught installing slimeware they will be tarred and feathered, they won't do it.
Therefore, to solve the p
The buck stops nowhere?
CEO - I am just the chief, I don't know how the injuns work.
Middle Mgmt - I was just following orders and relaying those orders to engineers.
Engineer - All I could do was what I was told, so I leaked the info as best I could.
It's inconvenient, so nobody should be punished.
But who should be jailed?
The entire C-suite - everyone with "chief" or "executive" in their title
C?O's are paid zillions because of all the alleged responsibility they shoulder; with great rewards comes great risks.
CEO and board of directors at the time of the decision to include it are responsible. And if it's a major shareholder involved in the decision then bring them in as well.
Guillotine is a suitable punishment.
If only software/IT people had PE powers and could then tell the CEO, "Hell no, find your own PE willing to lose their cert over this."
Pfft.
You seem to have the crazy idea that audit findings (whether hardware or software) are made public. Or that exceptions aren't regularly granted by the auditors. Or that auditors aren't almost mechanistic in only looking for the boxes they must check off.
Am I the only one who does a totally fresh OS install on every computer I buy?
The next time you plan to install a rootkit on PCs and spy on people, first found a corporation. Then it's apparently no longer a crime.
Lenovo isn't a root CA. In fact, Superfish didn't have *Lenovo* as a CA; it added Komodia's certificate, which was part of the Superfish product (a California-based company, incidentally), which also is not a root CA. It installs a new CA certificate (with the private key in the clear).
Basically Lenovo didn't vet the software it was paid to install well enough, and a lazy California company picked up Komodia's technology, with each presuming the next was smarter than they were about security.
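The comment above describes the actual failure: a new root CA was added to the Windows trust store with its private key shipped alongside it. The check an administrator would want is to enumerate the root stores and flag any root that carries a private key on the machine or whose name matches the vendors discussed here. This is an added example, not code from the article, Lenovo or Superfish; the name patterns are assumptions taken from the discussion, and reading `Cert:\LocalMachine\Root` needs an elevated session.

```powershell
# Added example: flag trusted root certificates that look like an HTTPS
# interception root. Assumptions: the name patterns below are only the
# vendors named in the discussion; run elevated to read the machine store.
$suspectNames = @('Superfish', 'Komodia')
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $reasons = @()

        # A root CA whose private key exists on this machine means anyone
        # who can read that key (everyone, if it shipped with the software)
        # can issue certificates this PC will trust for any hostname.
        if ($cert.HasPrivateKey) { $reasons += 'private key present' }

        foreach ($n in $suspectNames) {
            if ($cert.Subject -match $n -or $cert.Issuer -match $n) {
                $reasons += "name matches '$n'"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No suspicious root certificates found.'
}
```

Any hit with "private key present" deserves removal and a rotation of credentials used from that machine, since every HTTPS session it saw could have been inspected.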
They literally got less than a slap on the wrist. They'll just put some super small print in with their 500 page long EULA and continue on with business as usual.