
Lenovo hit with lawsuit over Superfish snafu - r721
http://www.pcworld.com/article/2887392/lenovo-hit-with-lawsuit-over-superfish-snafu.html
======
dredmorbius
Plaintiff Bennett will find strong support for her "spyware" claim from the
US-CERT security advisory over the Superfish / Lenovo / Komodia spyware. As
that's precisely the language that the US Government advisory used:

[https://www.us-cert.gov/ncas/alerts/TA15-051A](https://www.us-cert.gov/ncas/alerts/TA15-051A)

"Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery
_spyware_ on some of their PCs. However, Superfish was reportedly bundled with
other applications as early as 2010. This software intercepts users’ web
traffic to provide targeted advertisements. In order to _intercept encrypted
connections_ (those using HTTPS), the software installs a trusted root CA
certificate for Superfish. _All browser-based encrypted traffic to the
Internet is intercepted, decrypted, and re-encrypted_ to the user’s browser by
the application – _a classic man-in-the-middle attack._ Because the
certificates used by Superfish are signed by the CA installed by the software,
the browser will not display any warnings that the traffic is being tampered
with. Since the private key can easily be recovered from the Superfish
software, an attacker can generate a certificate for any website that will be
trusted by a system with the Superfish software installed. _This means
websites, such as banking and email, can be spoofed without a warning from the
browser._"

(Emphasis added.)
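As an added, defender-side check (example code, not from the thread or from the US-CERT advisory): a PowerShell function that lists any certificate in the Windows root stores whose subject or issuer matches a pattern, and removes it when asked. It assumes the Superfish CA can be recognised by the string "Superfish" in its subject; the advisory only says a root CA "for Superfish" is installed and gives neither the exact subject name nor a thumbprint, so the pattern is an assumption.

```powershell
# Added example (not from the thread or the advisory): audit the Windows
# root stores for a Superfish CA and optionally remove it.
# ASSUMPTION: the certificate is identified by the substring "Superfish" in
# its Subject or Issuer; the advisory does not give the exact name.
function Find-SuspectRootCA {
    [CmdletBinding()]
    param(
        [string]$Pattern = '*Superfish*',   # assumed match pattern
        [switch]$Remove
    )
    # Both the machine-wide and the per-user root store can hold a CA that
    # browsers using the Windows trust store will accept.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | Where-Object {
            $_.Subject -like $Pattern -or $_.Issuer -like $Pattern
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                SelfSigned = ($_.Subject -eq $_.Issuer)
            }
            if ($Remove) {
                # Removing the root certificate is what stops certificates
                # issued under it from being trusted; the application itself
                # still has to be uninstalled separately.
                Remove-Item -Path (Join-Path $store $_.Thumbprint) -Confirm:$false
            }
        }
    }
}

# Report only (run from an elevated prompt to read the LocalMachine store):
Find-SuspectRootCA | Format-Table -AutoSize

# Report and remove:
# Find-SuspectRootCA -Remove
```

Uninstalling the application alone is not enough: as the advisory notes, the CA's private key can be recovered from the software, so as long as the root certificate stays in the store, anything signed with that key is still trusted by the machine. The function therefore reports the certificate separately from the program and offers to remove it.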

------
ghshephard
As much as I dislike class action lawsuit trolling - I'll make an exception
when it comes to multi-billion dollar companies installing spyware as part of
their bloatware add-ons, particularly when it injects MitM attacks on the
browser's SSL links, particularly when it does so in a way that jeopardizes the
data confidentiality/integrity of individuals trying to use that computer.

Ideally, the next time a laptop/desktop vendor is looking at the bloatware
they are going to load onto a system, they'll do a cost-benefit analysis
against the (potential) punitive damages associated with a lawsuit, and decide
not to install the stuff.

I'm willing to pay the extra $0.65 for the laptop (or whatever tiny amount the
vendors are paid to include this crud) in order to avoid that sort of
exposure, I suspect most consumers (these days) are as well.

~~~
skuhn
I don't see this suit as trolling.

There exists a large group of people who were sold a product which did not
perform its primary function of "doing what its owner told it to do". It turns
out that this was intentional on the part of the manufacturer. The nature of
the problem is such that returning the product for a refund will not suffice,
so the consumers should sue. The most effective way to handle a large body of
plaintiffs against a single defendant is with a class action suit.

Lenovo will inevitably settle or go to trial and be found guilty, there is no
other possible outcome. I personally hope that this erases their profits from
Superfish, and quite a bit more for the flagrant and willful violation of
consumer trust.

~~~
laumars
I think you may have misread the OP because your tone is one of disagreement
while your content is a near-reiteration of his post.

~~~
skuhn
I'm mainly responding to the first part: "As much as I dislike class action
law-suit trolling", as in I don't like their methods but I like the results in
this particular situation. I also don't see how I have simply re-iterated the
same post, OP and I are looking at different angles of the same issue.
Fundamentally I think we do agree: Lenovo did a shitty thing and should pay
for it.

I simply don't think there is anything wrong with the method or the result
here. This is exactly what a class action lawsuit is intended for, there's no
trolling about it.

~~~
laumars
_> I'm mainly responding to the first part: "As much as I dislike class action
law-suit trolling"_

Yeah I got that. My point was that first part was just setting himself up to
explain why he thought this lawsuit was a good idea - which you were arguing
as well. I.e. you're focusing on the wrong part of his post and thus arguing
against his post while agreeing with the majority of it.

_> "I also don't see how I have simply re-iterated the same post, OP and I
are looking at different angles of the same issue. Fundamentally I think we do
agree: Lenovo did a shitty thing and should pay for it."_

Hence why I said "near-reiteration" rather than "simply reiterated". You still
argued the same points and came to the same conclusion regardless of your
differing starting point with regards to class action lawsuits.

_> I simply don't think there is anything wrong with the method or the result
here. This is exactly what a class action lawsuit is intended for, there's no
trolling about it._

Again, nobody is suggesting otherwise. You're preaching to the converted. ;)

------
rayiner
Proving damages will be a major hurdle in this case.

The LinkedIn data breach lawsuit, which pertained to the 2012 compromise of
6.5 million user passwords because the company didn't salt stored passwords,
was dismissed because the plaintiffs couldn't prove any concrete damages from
the password disclosures:
[https://nakedsecurity.sophos.com/2013/03/08/linkedin-lawsuit-data-breach](https://nakedsecurity.sophos.com/2013/03/08/linkedin-lawsuit-data-breach).

A related LinkedIn lawsuit, based on California consumer protection law, did
go forward and end up settling, though for a very small sum. The theory in
that case was that LinkedIn advertised that they used "industry standard
security" in their privacy policy, and that people wouldn't have purchased
Premium had they known that LinkedIn ignored industry-standard practices like
salting their passwords. But only about 20,000 people actually read the
privacy policy, meaning that damages were fairly nominal.

So are there any damages to support a class action lawsuit here? Did anyone in
fact get their PCs compromised as a result of the pre-installed software? It
seems like Windows Defender has been removing the software within a few days
after the vulnerability was disclosed. Business users might have a stronger
case based on their costs of having to remove the software and check that
nothing was compromised as a result. But they probably didn't buy the
consumer-grade Lenovos this was installed on in the first place.

~~~
ptaipale
Domestic users also have to spend effort to check that nothing was compromised
by this malware. That is in fact quite hard, and people will spend a
substantial amount of time on it.

------
belorn
Why is it called a snafu when a large international company installs malware
onto customers' devices, and a cyber attack if it's the Russian mafia? The mafia
might also use stronger attacks than just installing adware, but adware is
still one of the more common ways binaries are infected with malware.

It would be interesting to hear from an anti-virus company on how many
resources are spent yearly on adware research.

~~~
shaurz
And a first class ticket to the nearest prison for an individual.

~~~
Agathos
And every affected computer would be a separate count, so that individual
would be looking at a minimum sentence in the millions of years.

------
SwellJoe
I would expect even more aggressive approaches in nations with better privacy
protections than the US. If systems affected by this were sold in Sweden or
Germany or other places with relatively strong privacy laws I would not be
surprised to see a criminal investigation.

I also wouldn't be unhappy to see such an approach. This is such a serious
breach of trust that it really shouldn't be taken casually, lest other
companies take it as consent to do the same (while fixing the glaring security
bug, but keeping the basic premise of hijacking traffic for profit). If Lenovo
doesn't go home thoroughly bloody from this fight (figuratively speaking),
then they didn't get what they deserve, and it's likely we will be dealing
with it again from them or another unscrupulous company in a few short months
or years.

It wasn't so long ago that Sony did something similar. And Samsung, as far as
I know, is still shipping TVs that silently spy on their owners. Not a
reassuring trend.

~~~
drzaiusapelord
> If systems affected by this were sold in Sweden or Germany or other places
> with relatively strong privacy laws

How is this a privacy issue? Was Lenovo collecting information about you? This
is more a case of knowingly releasing software that was a security liability
on an unacceptable level.

I think the real outcome will be the judicial environment available for the
plaintiff. In a lot of eurozone countries, courts don't give out big punishing
settlements like we do in the US and are, from my understanding, very, very
big business friendly. If anything, the eurozone will be worse than the US if
you want a punitive settlement. I know there's a lot of "herp-derp the US is a
lawless nightmare of NSA spies" but the reality is that you have a better
chance winning here than elsewhere. Look at the Sony rootkit scandal.

[http://www.infoworld.com/article/2659436/security/sony-rootkit-settlement-with-states-reaches--5-75m.html](http://www.infoworld.com/article/2659436/security/sony-rootkit-settlement-with-states-reaches--5-75m.html)

California and Texas took Sony to task, not Brussels.

~~~
SwellJoe
_"Was Lenovo collecting information about you?"_

Superfish was (well, not _me_ specifically, but customers who bought infected
laptops). In the first HN thread about this, someone posted a snippet of the
JavaScript injected into every page by Superfish which contained user tracking
and retargeting data being sent to Superfish, despite denial by Lenovo of
doing exactly that.

_"In a lot of eurozone countries, courts don't give out big punishing
settlements like we do in the US and are, from my understanding, very, very
big business friendly. If anything, the eurozone will be worse than the US if
you want a punitive settlement."_

That's disappointing. I'd always been led to believe the US was more friendly
to corporations than most of western Europe. I am certainly no expert. I did a
bunch of research in the past, when considering opening an encrypted mail
service, and looked at various privacy discussions, and it seemed like Sweden
and Germany were among the best western nations for individual privacy, but
maybe that only applies to government spying. Guatemala was pretty solid on
privacy, too, but it simply isn't large enough to take on Lenovo.

_"California and Texas took Sony to task, not Brussels."_

Good for California and Texas. I should go talk to my AG (I live in Austin,
Texas), though I guess it'd be better coming from someone who was directly
affected.

------
ChuckMcM
While this makes for good copy I find it difficult to believe anyone could
prove actual harm from the installation. I am not a lawyer so I certainly may
have missed a big chunk of commercial law, but the only thing I could find
would be around incidental damages, which no doubt are expressly disclaimed and
agreed to by buyers of the gear (software always disclaims all warranties). So
these plaintiffs would seem to have two very large hurdles: one, to prove some
actual damage, and two, to prove some sort of liability even if there was
damage.

When I first heard about Komodia it seemed pretty clear to me that anyone who
employed their software was just asking for trouble. That advice about
"Imagine this was on the front page of the NY Times" was pretty helpful.

~~~
rdtsc
From what I understand in individual "hacking" cases just circumventing the
security and accessing data without copying/selling it would be enough to get
someone in trouble.

It is at least nice to fantasize how large companies would be held to such
"standards" as well.

In civil cases I also wonder if banks, governments or other large
institutions would be able to file lawsuits as well, claiming perhaps that
breaches that have occurred recently occurred because their clients/workers
had been unknowingly running this Komodia software installed by
Lenovo.

~~~
7952
I wonder if the DMCA anti-circumvention provisions could be used?

------
Tharkun
I don't think "snafu" quite cuts it. This is a fuckup of epic proportions.
They screwed up quite badly by installing this crap and then made it worse by
lying about it and pretending that it's not a security issue ...

------
rebootthesystem
This is the reason for which we have always done clean OS installs on any
Windows machine we buy (mostly just laptops as every single desktop we have
was self-built). It is unfortunate that the PC world hasn't shaken off this
practice of adding crapware to store-bought machines.

Microsoft could bring this into the realm of the sensible by adding a clause
in their licencing agreement that requires a clean install and allows a single
popup that prompts the user for authorization to install various add-ons along
with full disclosure of their intent and function. In other words, "Welcome to
your new Windows N PC. Here's the crap you can choose to install and what it
does." If the user selects "NO" everything is deleted and you get an
absolutely clean OS install.

That would be fair. Give OEMs an opportunity to make some money and users the
ability to purchase potentially useful stuff during first power-up. The point
is to give users full control of the machine they just purchased and not be
surprised with crapware they were not looking for.

------
DanBC
I'm kind of surprised that superfish (and similar) products are legal.

I don't understand why someone would willingly install such software. The
reasons the software makers list are deceptive.

------
bradleyjg
My guess is this is settled quickly: a few million for the attorneys, a few
thousand for the lead plaintiff, and either a coupon for each of the class
members or nothing at all (cy pres).

~~~
rayiner
Appellate courts have been cracking down on _cy pres_ awards recently:
[http://www.forbes.com/sites/wlf/2014/11/26/seventh-circuit-continues-scrutiny-of-class-action-settlements-and-cy-pres](http://www.forbes.com/sites/wlf/2014/11/26/seventh-circuit-continues-scrutiny-of-class-action-settlements-and-cy-pres). As the Seventh
Circuit recently clarified in overturning an approved settlement, a _cy pres_
award is only proper if it's impractical to find and compensate the class
members directly. Here, there will be sales records to allow easy
identification of affected purchasers.

That aside, a permanent injunction and a coupon would be a reasonable result
here. Civil lawsuits aren't intended to punish people, they're intended to
compensate people for their injuries. Who was actually harmed here?

~~~
bradleyjg
These types of class actions do consumers more harm than good. The exorbitant
legal fees are ultimately reflected in prices.

If there's wrongdoing with extremely diffuse consequences, that's what the
government with its GS-scale attorneys is for.

Lawsuits, like email marketing, should be opt-in not opt-out.

~~~
rayiner
> The exorbitant legal fees are ultimately reflected in prices.

Prices are set by supply and demand. If companies had the market power to
raise prices to pass on the costs of defending class action lawsuits, they
would do so with or without the lawsuit.

~~~
bradleyjg
The supply curve reflects costs to producers. Increase the cost to all
suppliers and you shift the equilibrium price to the right.

~~~
rayiner
Class action lawsuits don't usually uniformly increase costs to all suppliers
-- some companies get sued less than others and have an incentive to keep it
that way. The exception is industry-wide actions like tobacco.

The fundamental problem is that it's really easy to get away with cheating
people out of nickels here and there so long as you limit your scale enough to
not attract the government's attention, and such activity is pervasive. The
European approach has been strict consumer regulations and government
enforcement, but compliance also has a cost, one that does fall uniformly on
the industry as opposed to just on bad actors. The alternative to all that is
to let things slide, but that's not wholly satisfactory either.

~~~
bradleyjg
I guess I don't see a problem with a tri-furcated system: 1) substantial
damages per individual -- opt-in tort system, 2) diffuse damages that
collectively add up to substantial wrongdoing -- government fines, 3) diffuse
damages that don't collectively add up substantially enough to attract
government attention -- reputational damage.

~~~
mikeash
What's the practical difference between accomplishing (2) through government
fines and accomplishing it through a class-action lawsuit?

~~~
bradleyjg
Mid-career federal government lawyers in an expensive city make $130k a year.
Class action attorneys generally get a significant fraction of the value of
the settlement. And the value of the settlement is calculated in kind of a
crazy way particularly when it comes to injunctive relief.

In the Google Buzz case, which resulted in no monetary relief to the class in
general (representative plaintiffs were given a small award, the rest was cy
pres), class plaintiffs were awarded over $2.1M plus expenses for 2550 billable
hours\* over the course of a calendar year.

\*That's a little understated because the filing that number came from was
near the end of the litigation, but not at the very end.

------
elcct
If it was inserting adverts into 3rd party websites I think those websites
could sue Lenovo for stealing their advertising space, no?

~~~
mcwidget
This is a valid point. However, technically, nothing is changing on the third
party site. Those sites are changed locally on the user's laptop. I don't
think that's much different from something like AdBlock. I'm not sure there's
much any third party site could do about this.

------
throwawayaway
Terrible news for the brand! I really would like to think highly of Lenovo and
their products, but sadly they let themselves down time and again. I am
hesitant to recommend their non thinkpad models on the basis of their
construction - and this just adds to that on a different level.

------
smoyer
"The software plugs product recommendations into search results"

One of the most interesting parts of this whole debacle is that what the
software does is so far removed from the description of the company's
software.

------
louhike
A little off topic: Komodia (the company behind a part of the technology used
for Superfish) is currently facing a DDOS
([http://www.komodia.com/](http://www.komodia.com/))

~~~
ptaipale
Or that is what they say. I don't expect they are facing a real DDOS, they are
just facing so many embarrassing questions that it is convenient to call the
flood a DDOS.

------
ytdht
Not that I approve of this bandit behavior, but they could have injected ads
using a browser extension without screwing with certificates, no?

------
_pmf_
If Microsoft had any residues of a spinal cord, they should react with a steep
increase in license fees for Lenovo, otherwise it's setting a precedent that
any vendor can mess with OS internals as they like.

~~~
mcintyre1994
Wouldn't this trigger antitrust craziness if framed as an increased license
fee for their choice of pre-installed programs?

------
MisterNegative
Let's hope the judge chooses the side of Lenovo. It would be devastating if
windows/gnu/linux/apple gets sued every time they have a security flaw in a
product.

~~~
onion2k
There's a significant difference between Superfish, an intentionally installed
application that deliberately mitigated security features in browsers to
inject ads, and a security flaw that arose from poor design or a lack of good
QA process. The latter are sloppy but ultimately an inevitable part of complex
design; the former is an obnoxious lack of respect for your customer that
deserves a serious penalty in damages and a complete reset of your brand's
goodwill.

That said, I think there's an argument that customers being in a position to
sue over security flaws might not be such a bad thing. It might push companies
to make security and privacy important features rather than second-class add-
ons.

~~~
MisterNegative
Any argument you make will contradict itself, because you make it a subjective
matter. So choosing superfish could be seen as a lack of good QA process.

------
derekp7
I see a lot of calls for punishing Lenovo over this. However, I'd like to see
a few more facts established before getting out the pitchforks.

First, did Lenovo commission the writing of Superfish, or did Superfish
approach Lenovo (or most likely their marketing dept) with a request to be
included?

Do vendors normally perform a full security audit of programs they include? Is
there an expectation that they would give closer scrutiny to smaller outfits
vs. top tier software vendors?

Also, is the bulk of the outrage over this incident due to the fact that
Superfish serves no purpose that is in the interest of the users (i.e., its
whole reason for being is to spam users with advertisements)? In other words,
let's say that instead of adware, they included a malware detector that
used the same https-busting trick, yet was just as poorly designed (leaving
the private key exposed) -- would there be just as much call for lawsuits and
boycotts then?

~~~
cplease
> Do vendors normally perform a full security audit of programs they include?
> Is there an expectation that they would give closer scrutiny to smaller
> outfits vs. top tier software vendors?

OEMs absolutely should own up to responsibility for the crapware they load on
their boxes. Saying "it wasn't built in-house" makes about as much sense as an
automaker washing its hands of the airbags or other critical parts in the cars
they build.

As for how deep of an audit, Komodia's own description of their product should
have raised massive alarm bells. Anytime I see websites rewritten without my
permission I get incredibly spooked, and that's when it's just HTTP over a
network. Intercepting SSL/TLS is just not something any OEM should ever
contemplate loading on a consumer machine. It's willful recklessness and
engineering malpractice of the worst kind.

