
Yet another pre-installed spyware app discovered on Lenovo computers - tux1968
http://boingboing.net/2015/09/22/yet-another-pre-installed-spyw.html
======
toothbrush
See also this discussion:
[https://news.ycombinator.com/item?id=10263766](https://news.ycombinator.com/item?id=10263766),
which concerns the linked article at Computerworld.

~~~
pfooti
Aha! Here I thought this was an anomaly - normally stuff from BoingBoing is
stuff I read on HN the day before. I thought maybe this time it was the other
way around - we're discussing a BB article. But no, just a more extended
circle.

~~~
toothbrush
On an unrelated note (perhaps mere cathartic complaining): i have the really
strong impression that "these days" BB is really just another Buzzfeed-like
blog-spam platform. I find that a pity, because about 3 years ago i still
considered it one of my favourite places to go for a slightly less technical
but nevertheless savvy place, that had political leanings i could get behind.
I have the impression that there's really a dearth of solid commentary these
days, and that it's mostly videos of cats. Videos of cats _without further
comment_ at that, which is worse, if possible.

I am particularly disappointed because in my perception the decline has been
relatively steep and abrupt (whereas i would never mourn Buzzfeed or others in
the same way, simply because i never had the impression they had quality
‘content’ in the first place).

Anyway, time to move on i guess. Where else do you HN people get news that
isn't necessarily focused on startups or programming? I quite like the New
Statesman, personally, but i follow it less closely than i used to because of
time pressure.

------
JoeAltmaier
These guys have absolutely zero awareness of sensitive privacy issues. They
trample on their customers' rights, secretly and obviously maliciously, and
they do it over and over again!

I can think of no reasonable response but to abandon Lenovo products entirely.

~~~
Ao7bei3s
And go where?

~~~
jamiesonbecker
UPDATE: I've made a huge mistake. Seduced by the matte black dark side. Avoid
all modern Intel CPU/chipsets (post 2006) if you value your privacy and
security:

_In summary, the Intel Management Engine and its applications are a backdoor
with total access to and control over the rest of the PC. The ME is a threat
to freedom, security, and privacy, and the libreboot project strongly
recommends avoiding it entirely. Since recent versions of it can't be
removed, this means avoiding all recent generations of Intel hardware._

[http://libreboot.org/faq/#intel](http://libreboot.org/faq/#intel)

Original comment follows:

Former Thinkpad fan. I love my new Dell Rugged Extreme. I got the 12. This
thing is built the way Thinkpads used to be (complete with the price tag of a
used car).

The only thing(s) I don't like about it is the missing trackpoint. I really
miss that. And the fact that black-box UEFI is built in (but what do we know
about modern microcode anyway, might as well get some ostensible security
measures for 'free'). Oh, one more: the "QD" connectors do not accept standard
straps/slings -- only insanely expensive (and hard to find) Dell brand
straps/handles.

Everything else about it is outstanding. This thing is a brick with rounded,
rubber edges.

Drive over it with your truck. (watch the video)

Use it as body armor. (no, don't really)

Go scuba diving in the arctic. (Check out the frozen-in-an-ice-block video on
YouTube... while running on battery.)

The screen is incredibly bright, but it also has a slick quick-kill for all
the lights. Just the thing for when a warlord is on your tail. The multi-color
LED backlit keyboard looks awesome.

It runs Kali Linux (built on Debian Jessie) perfectly. Everything works,
including the touch screen and stylus, out of the box.

~~~
JoshTriplett
> And the fact that black-box UEFI is built in

UEFI isn't any more black-box than BIOS in general. Sure, I'd rather run
entirely FOSS firmware, but in the absence of that, UEFI doesn't make things
any _worse_. If anything, it allows quite a bit more introspection and
extensibility. And its core _is_ FOSS
([https://github.com/tianocore/edk2](https://github.com/tianocore/edk2)), just
not the versions shipped by board/system vendors.

~~~
jamiesonbecker
UEFI starts with encrypted code and wraps additional layers of encrypted,
signed code around it. It's impenetrable, and purposefully so. That's the
practical definition of "black box". It's huge, too, with a much larger attack
surface.

[https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_In...](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Criticism)

~~~
JoshTriplett
You say "encrypted" and "signed" as though that's a bad thing. When they're
used against the owner of the system, sure; however, they can also be used
_by_ the owner of the system to protect themselves. "Only runs authorized
code" can be a good thing as long as you're the one doing the authorizing.

~~~
jamiesonbecker
> "Only runs authorized code" can be a good thing as long as you're the one
> doing the authorizing.

~~~
jamiesonbecker
_as you're the one doing the authorizing [signing]._

------
sigmar
The "Lenovo.TVT.CustomerFeedback.Agent.exe" that this article labels as
spyware is explained on Lenovo's website below. Did the author bother using
Google? The program reports whether you are using Lenovo's apps, for usage
statistics.

[https://support.lenovo.com/us/en/documents/ht102023?tabName=...](https://support.lenovo.com/us/en/documents/ht102023?tabName=Solutions)

"Some applications in the preload collect usage data that is transmitted to
Lenovo. This includes statistics about which features/settings are being used
and how often they are being used. The data does not include any personally
identifiable information (PII). Lenovo uses this information to improve our
applications and focus on the features that are being used the most."

Seems reasonable to me.

~~~
x0x0
No, burying notification of telemetry systems with unknown privacy impact (and
most likely sloppy coding/encryption practices (if any!), as is standard for
OEMs) in a EULA that is probably 10+ pages of dense text is the opposite of
reasonable.

Yet another reason to just buy macs. Apple doesn't do this shit.

~~~
chipperyman573
I agreed with you until your last line - Apple has been doing stuff like this
at least since 2011[1]

[1] [http://arstechnica.com/apple/2011/04/how-apple-tracks-your-l...](http://arstechnica.com/apple/2011/04/how-apple-tracks-your-location-without-your-consent-and-why-it-matters/)

~~~
TazeTSchnitzel
Apple wasn't uploading that data to their servers. It was only used locally
for location accuracy.

------
agumonkey
Rebuttal from Reddit:
[https://www.reddit.com/r/thinkpad/comments/3lz78g/thinkpads_...](https://www.reddit.com/r/thinkpad/comments/3lz78g/thinkpads_send_usage_data_to_lenovo_using_lenovo/cvav8ie)

tl;dr: uploaded data is Lenovo program usage only

~~~
detaro
"The behavior is documented in the End User License Agreement that all users
must read and accept prior to using their Lenovo system for the first time.
The EULA can also be found in the “c:\windows\system32\oobe\info” folder."

Do current machines actually ship with the EULA on paper or require the user
to confirm it on first boot? (Not that that makes it a positive thing)

~~~
pdkl95
> accept prior to using their Lenovo system for the first time

Paper or first boot doesn't matter. While there are other necessary
features[1], the _post purchase_ ("shrinkwrap") EULA doesn't have a "meeting
of the minds"[2] and thus is not a contract.

A contract isn't a "gotcha" game - the entire point is to establish a _mutual
agreement_ between parties. At the time of sale (when consideration[3] is
exchanged), there is no EULA. Nothing has been negotiated and there is no
mutual understanding of what is required of each party.

In an ongoing attempt to circumvent the first-sale doctrine[4], the software
industry has a bad habit of thinking they can throw an offer[5] at someone
afterwards and have it count as a contract. They can make all the offers they
want, but without another agreement and exchange of consideration[3] it's not
a contract.

[1]
[https://www.law.cornell.edu/wex/contract](https://www.law.cornell.edu/wex/contract)

[2]
[https://en.wikipedia.org/wiki/Meeting_of_the_minds](https://en.wikipedia.org/wiki/Meeting_of_the_minds)

[3]
[https://en.wikipedia.org/wiki/Consideration](https://en.wikipedia.org/wiki/Consideration)

[4] [https://en.wikipedia.org/wiki/First-sale_doctrine](https://en.wikipedia.org/wiki/First-sale_doctrine)

[5]
[https://www.law.cornell.edu/wex/adhesion_contract_contract_o...](https://www.law.cornell.edu/wex/adhesion_contract_contract_of_adhesion)

disclaimer: see a real lawyer for proper legal advice

------
nly
In some ways, this is why I'm glad the year of 'Linux on the desktop' never
came. The last thing Linux (as an OS or community) needs are a tonne of OEM
tweaked 'editions' of various distributions shipping with all kinds of
garbage.

~~~
chadgeidel
IMHO - this is basically what happened to Android.

------
appleflaxen
Rootkits and spyware are an egregious violation of user trust.

One other company with a glaring example was the Sony rootkit debacle.

Is there a list of companies who have done things like this? Kind of like
storing passwords in free text (for which there is a site to name and shame)
it doesn't get the press that it probably deserves to.

~~~
natch
I could give you my list of companies I know of that won't do things like that
with their hardware.

My list contains one name.

For some reason, this company on my list remains a hated company for some
geeks. Something about overly restrictive control of the platform, but for me
it means having control over my own data, because the platform tries its
damnedest to keep bad players from getting inappropriate access.

I won't give the list because doing so seems like a cheap shot. But I think
everyone knows what company is on it.

I'm not saying this is the only such company. It's just the one I know of.
Others may have longer lists.

~~~
DenisM
Yeah, Apple is like that. They charge you a pretty penny, but then they don't
feel the urge to nickel-and-dime you through backdoors like this.

The problem with crapware on Wintel is that Microsoft and Intel consumed all
the profit from the industry, commoditizing their complements - OEMs. OEMs
then found themselves in a race to the bottom, which has entirely shaped the
field and brought about the behavior we've seen. Android is now facing the
same problem on mobile - a race to the bottom among the OEMs is bound to
produce all kinds of shady behavior.

Apple stayed out of this game entirely, they have thick margins which gives
them means to pursue their religion of design, UX, and whatever else they
think helps them keep their high-ground spot.

~~~
detaro
If it really is only usage reports for Lenovo software, I wouldn't bet on
Apple not collecting data like this, but it is hard to compare since they also
make the OS and don't add another component on someone else's.

------
JeremyMorgan
I love Lenovos, owned countless awesome Thinkpads, and I was teetering between
a Thinkpad and a System76 for my next upgrade. This just seals it for me.

[https://system76.com/](https://system76.com/)

Great hardware for the price, comes with Ubuntu but you could easily put a
good Linux system on there (ducks flying objects)

~~~
coldpie
I'm afraid touchpads are a deal-killer for me. Are there any manufacturers
other than Lenovo that do the nub-mouse or something similar?

~~~
Symmetry
There are some critical patents that Thinkpads use in their trackpoints that
ought to be expiring soon:

[http://worldwide.espacenet.com/publicationDetails/biblio?CC=...](http://worldwide.espacenet.com/publicationDetails/biblio?CC=US&NR=5570111&KC=&FT=E&locale=en_EP)

[http://worldwide.espacenet.com/publicationDetails/biblio?CC=...](http://worldwide.espacenet.com/publicationDetails/biblio?CC=US&NR=5521596&KC=&FT=E&locale=en_EP)

[http://worldwide.espacenet.com/publicationDetails/biblio?CC=...](http://worldwide.espacenet.com/publicationDetails/biblio?CC=US&NR=5489900&KC=&FT=E&locale=en_EP)

~~~
coldpie
Fuck patents.

Edit: But, thank you for the information.

~~~
Symmetry
I prefer to think that this means we'll be getting good pointers on
not-Thinkpads in 2016 or 2017.

------
wonkaWonka
This only sucks if you run Windows, sure...

But the fact that the company thinks this is perfectly acceptable behavior
because EULA, EULA, EULA...

...means they're just as likely to target BIOS, UEFI and other firmware that
do the same thing, no matter your OS.

A breach of trust foments a breach of loyalty, no?

------
voltagex_
[https://support.lenovo.com/us/en/documents/ht102023?tabName=...](https://support.lenovo.com/us/en/documents/ht102023?tabName=Solutions)

------
lukeschlather
It sounds like it's sending a list of what applications you have installed and
which ones you use. I'm not really in favor of this, but don't iOS, Android,
and Windows 10 all do this as a core part of their design?

Obviously it enables all sorts of malicious behavior by the companies and
governments they are subject to, but Lenovo seems like they're pretty tame by
comparison to the OS vendors.

------
AdmiralAsshat
This revelation is minor, but nonetheless unsettling. Previous Lenovo snafus
up to this point had specifically excluded the Thinkpad line. Apparently
they're not immune from Lenovo's meddling after all.

------
at-fates-hands
This is why I always build my stuff from the ground up. I feel like people
have gotten incredibly lazy with their hardware. As pointed out in the
article, the author tosses the hard drive and installs his own software when
he buys any Lenovo laptop.

As long as people don't think about their hardware, this will continue to
happen. Either build your own, or don't use vendors like this.

~~~
zorked
I wish building laptops was easy.

~~~
venomsnake
Reinstalling windows on them sure is.

~~~
Spivak
That's not enough if your Lenovo laptop uses LSE.

Here's their tool to remove it.
[http://support.lenovo.com/us/en/downloads/ds104370](http://support.lenovo.com/us/en/downloads/ds104370)

~~~
venomsnake
By reinstall I mean fdisk, dd if=/dev/zero

------
digi_owl
Oh even paying customers have long been the product. Just look at printed
magazines etc, where the number of subscribers is used as part of the
advertisement sales pitch.

Hell, buy/rent a DVD/BR these days and you will likely find yourself with a
face full of (unskippable) ads.

Edit:

Welcome to the modern metric laden day. Every waking moment will be measured
and assessed by algos and "experts" alike.

------
ChuckMcM
It makes me wonder if this is the only way to make a profit in the laptop
business then perhaps we have bigger problems.

------
tkinom
I have an issue with an HP PC in my parents' home. Some customer feedback
program runs in the background non-stop and can't be disabled/uninstalled.

But standard Windows/Ubuntu Linux/Mac OS installs all phone home and "check for
security upgrades" every day too.

~~~
Drdrdrq
Ubuntu? Only if you choose to. And there is a difference between calling home
/ checking for upgrades and calling home / sending user activity data.

------
ksk
Is there any difference when Google/Apple/MS do it?

------
forscha
Lenovo is sure trying hard to drive their customers away...

If they insist, all right then, I will buy a Latitude next time.

------
jsumuano
Well, I own a Lenovo Y40-80 and I found it installed on my laptop. What's
going on, Lenovo?

------
Balgair
Fudge, I have a Lenovo just like the one they are talking about. When
Superfish came out, I had it and managed to get rid of it with the help of the
internet. My question: how do I determine if I have this, and how do I then get
rid of it?

~~~
jakejake
They give the path to the app in the article so you could check for that.
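
A defender's way to answer that question on a Windows machine, as an added example that is not from the thread or the article: it inventories files, running processes and scheduled tasks that reference the Lenovo.TVT.CustomerFeedback.Agent.exe executable named above, and lists the EULA folder quoted earlier in the thread. The Program Files/ProgramData search roots and the scheduled-task persistence check are assumptions, not anything the article states.

```powershell
# Added example (not from the thread): inventory where the executable the
# article names, Lenovo.TVT.CustomerFeedback.Agent.exe, shows up on this box.
# Assumptions: the agent lives somewhere under the standard Program Files /
# ProgramData trees and, if it auto-runs, does so via a scheduled task.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
$Name  = 'Lenovo.TVT.CustomerFeedback.Agent.exe'
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
         Where-Object { $_ }

# 1. Copies on disk, with hash and Authenticode status so results can be
#    compared across machines or against a later rescan.
$files = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Filter $Name -Recurse -File -ErrorAction SilentlyContinue
}
foreach ($f in $files) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
    "FILE     $($f.FullName)  sha256=$hash  signature=$sig"
}
if (-not $files) { "No file named $Name found under: $($Roots -join ', ')" }

# 2. Is it running right now?
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -like "*\$Name") } |
    ForEach-Object { "PROCESS  pid=$($_.Id)  $($_.Path)" }

# 3. Scheduled tasks whose action launches it (assumed persistence mechanism;
#    Actions is the MSFT_TaskAction list, Execute holds the command path).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and ($a.Execute -like "*$Name*")) {
            "TASK     $($task.TaskPath)$($task.TaskName)  state=$($task.State)  exec=$($a.Execute) $($a.Arguments)"
        }
    }
}

# 4. The EULA folder quoted in the thread, so you can read what was "accepted".
$eula = Join-Path $env:SystemRoot 'System32\oobe\info'
if (Test-Path $eula) {
    Get-ChildItem -Path $eula -File | ForEach-Object { "EULA     $($_.FullName)" }
}
```

Removal, if you decide on it, belongs to Lenovo's own uninstaller or the vendor support page linked elsewhere in the thread; this script only reports.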

~~~
devopsproject
It's finally happening here. People are just reading the headlines :(

