Lenovo to pay $7.3M for installing adware in laptops (hackread.com)
281 points by MagicPropmaker 48 days ago | 126 comments



Seems like a small fine, compared to the potential financial benefit of that installation. Hopefully it serves as a deterrent for future adware installs. If not, maybe we start calling our lawmakers.

For those of you in the adware space, would you pay >$10 per head to install your adware onto a computer? My guess is absolutely.


Amazon gives you a $20 discount to take ads on Kindle purchases. The possibility of having to pay $10 only if caught and fined seems like not at all a deterrent.


Agreed, it’s tiny. Hopefully this fine implies that future infractions may carry much more serious penalties.


This fine implies to me that future infractions will not be taken seriously, just as this one wasn't.


Amazon ads are usually for things Amazon sells... Windows sorta advertises too... Products Microsoft sells too


I don't agree with it but cross promotion of products a company sells is at least a little more reasonable.


The article mentions another $7M worth of fines, and that's just for the US.

Also, they sold their customers pretty cheap, so the combined fines likely significantly exceed the profit from the deal: https://www.forbes.com/sites/thomasbrewster/2015/02/27/lenov...

While I do think the punishment should be significantly more severe (including jail time for executives), I suspect the scandal has made companies aware that this is a bad idea.

I still don't get why it didn't hurt them more in the enterprise space (read: why large companies didn't institute a strict "no lenovo" policy for a couple years). That would have been way more effective than fines.


> I still don't get why it didn't hurt them more in the enterprise space (read: why large companies didn't institute a strict "no lenovo" policy for a couple years). That would have been way more effective than fines.

Using vendor OS images is a rookie mistake in the first place.


Wasn't their shitty BIOS rewriting parts of Windows? Vanilla OS images won't save you there.


Yes, Windows has a feature called Microsoft Windows Platform Binary Table that allows the OEM to embed any executable file they want into the UEFI image which is then automatically run on every boot. Extremely terrifying backdoor mechanism.


Not half as scary as Apple's DEP program. Pretty much everyone is moving this way because it's super convenient for admins -- devices arrive out of the box working and configured. Google has "Zero Touch", Samsung has its Knox program.


Apple seems interested in keeping things fairly secure, is this a theoretical fear or an exploit I've never heard of?


I don’t understand your point about Apple DEP. Could you clarify? It’s predominantly used on company-owned laptops and requires an Apple company account or developer license to work. I haven’t seen it used for consumer computers.


> I suspect the scandal has made companies aware that this is a bad idea.

I kind of wonder how many people were like, "pre-install adware on PCs? Why didn't I think of that?!?"


Preinstalled crapware for Windows-based PCs has been the norm since I can remember - along with physical crapware stickers.

When I buy PCs, I only buy either the business line from Dell or from the MS store.


Hasn't this kind of thing been going on for years though?


Big companies usually already have their enterprise customized image of the OS; when they buy hardware, they are interested only in the hardware.


And the Windows Platform Binary Table let Lenovo put it back on the drive via UEFI at boot. [0]

[0] https://news.lenovo.com/article_display.cfm?article_id=2013


Small? It's negligible, and acts like the opposite of a deterrent: it's an implicit authorization.


I read the headline thinking it was a purchasing deal, not a fine...


I recently was asked by my girlfriend's sister to help her choose a laptop. After finding a model that looked good spec-wise I searched for that same model but without Windows pre-installed. It was 150€ cheaper. Then I got a 10€ Windows 10 key from eBay, installed O&O ShutUp and Winaero Tweaker and now it almost feels like a great system that you can actually work with.

Vendor-bloatware has been bad since Windows 7 but now that even Microsoft chose to ship Windows itself with ads, pre-installed garbage like Candy Crush Saga and that annoying Cortana I can't imagine going back to it.


> Then I got a 10€ Windows 10 key from ebay

A rather unfair comparison, don't you think? That's like saying "I got a really good deal on a Macbook, all I had to do was pick it up and sprint out of the Apple store!"


It also would have been a better deal if I bought it from the official MS-Store for 145€ because it wouldn't have had all the Lenovo bloatware on it.

I personally don't want to support what Microsoft is doing with Windows so that's why I bought it from a shady eBay seller.

Of course, the more ethical solution would have been to talk her into a GNU/Linux machine but I don't have the time and energy to play IT support for the next six months.


Why not a chromebook?


Considering the quality and the fact that Win10 actually serves you ads and sells telemetry information, I think the price should be even lower.

The consumer has the responsibility to check the validity of the product, sure, but this is ridiculously unfeasible for digital licenses. A lot of companies actually do buy these $10 keys and I don't blame them.


Any source on them selling telemetry data?


They haven't provided one, but I'm guessing if someone provides a source, it'll be a link to Microsoft's ads products. They'll argue this information _could_ be used to target users for advertisements, even though it might not be.


Like this?

https://law.stackexchange.com/a/1848/1059

You're dismissive, but they've specifically claimed the legal right to sell your usage data. It seems pretty clear to me.


There are no legitimate Windows licenses that only cost 10€. They may activate, but successful activation does not imply that you are not breaching Microsoft's license agreement, and they may decide to deactivate those licenses at any time.


Wasn't the ban on resale of licenses declared illegal at least in some countries? In that case, second hand licenses would very well be legal, even if Microsoft doesn't like them.


I don't know, but I would be surprised if such a ruling applied to licenses that were never intended for the country they are resold in.


Those licenses are mostly from education institutions or from company MSDN subscription. I.e. from rogue IT admins that abuse their power.


It is illegal in Poland.


It is 100% legal in Poland and the rest of the EU. Oracle vs UsedSoft: http://www.osborneclarke.com/insights/the-end-of-the-usedsof...


Yet on Polish Amazon (Allegro) they do nothing :)


This seems like eBay's problem. Why are they not shut down for this? If I came across some software on eBay, I'd assume it was legit. I just checked eBay and it is full of Windows keys. How am I, as a consumer, supposed to know that this is 'illegal'?


Commenting as a reaction would help more than just downvoting of course, because I am still not seeing how, as a consumer, I am supposed to know that those are illegal keys. Other platforms that facilitate fraud on this scale are always forced to take action, yet eBay gets away with it. I am wondering why that is.


The same way you're supposed to know if a bike is stolen. If the given market is grey/shady and the price is excessively low, and you really want to know, you ask (for starters).


If everyone got a "free" bike when you bought a computer then the people who didn't want to use theirs and so bothered to sell it would probably sell it for $10 or so?

You can get £20 books for 50p, because either the person has finished using the book, and there are lots of books; or because the person got the book free (as a gift generally) and didn't really want it; or because they bought a copy and got a second copy gifted, etc.


Software isn’t a bike. It might be a special deal Microsoft has with those vendors. Bikes have an intrinsic minimal cost, like materials and shipping, software keys don’t. The average consumer would probably regard Windows as something that is free to begin with so seeing it for sale for $10 probably won’t strike them as strange, you get it “free” with your computer after all.

Furthermore, this is not one vendor selling one ‘stolen’ item, it is many, selling many keys. This makes it seem like a legitimate channel for keys to the average consumer. It also makes eBay more responsible if you ask me. It seems to me as if they are making a profit from those sales. If they truly are illegal keys then they should probably do something about it.

So why am I wrong here?


You could apply the same "low price is stolen goods" argument during Black Friday too.


Vendor bloatware has been bad since 95


Ah yes, "Sign up for the Microsoft Network"


I still can't bring myself to purchase a Lenovo product because of this, despite the generally favourable reviews I see on HN regarding the ThinkPads. It's just such a revolting decision to me to do that to a paying customer.

I may just put my money where my mouth is and start the break up with Google too, as painful as that will be. I just don't feel like I align with these fucking companies at all anymore.


SuperFish and other adware were installed on Lenovo's lower-grade laptops and Thinkpads. The X series and T series, the choice of most consumers who care enough to own a Thinkpad, were not affected by this issue [1]. While it's unacceptable for Lenovo to be doing this on ANY machine, I still feel confident that the company understands how consumers view the Thinkpad brand and how reluctant they are to do anything that might tarnish the brand for business and prosumer users.

[1] https://support.lenovo.com/us/en/product_security/superfish


Agreed. The machines are lovely but I won't be buying one anytime soon. They got caught 3 times doing variations of this.

Three times. They don't deserve to exist anymore.

Edit: https://www.makeuseof.com/tag/security-failings-demonstrate-...


Absolutely ludicrous. This is basically an incentive for other laptop manufacturers to do the same thing, knowing the punishment (if it even ever comes) is a drop in the bucket compared to the reward.


I'm always surprised that Lenovo use in the enterprise space didn't take a hit after all this came to light. I would have thought competitors like Dell and HPE would have used that opportunity to disparage Lenovo.


No enterprise is using the base windows image that came from Lenovo with the superfish malware. They all build their own standard operating environment image that would not include the Lenovo bloatware. I would be surprised if Lenovo enterprises even realized they were shipping this way and have no reason to react negatively. Their competitors also live in glass houses and so cannot throw stones.


So yes, in a normal case, one would expect to be safe because they are using their own built image. But Lenovo went much further than simply installing crapware: they added firmware that updates files in the OS on startup to ensure that they had a way to install whatever they wanted onto your system [1].

[1] https://www.theregister.co.uk/2015/08/12/lenovo_firmware_nas...


To add to this, while the Superfish issue only affected their consumer laptop lines (e.g. IdeaPad), the LSE issue was found on their enterprise lineup (e.g. ThinkPad).


Wasn't aware of the LSE issue on enterprise models! This is a feature that would get enterprises angry if it messes with the OS by injecting bins full of vulnerabilities from BIOS. Gross!


Only a quick read, but both the Lenovo pressroom and the Guardian stated the ThinkPads were not affected.

pressroom: https://news.lenovo.com/pressroom/press-releases/lenovo-stat...

the guardian: https://www.theguardian.com/technology/2015/aug/14/lenovo-se...


No enterprise would use the factory image, but a lot of small businesses would and they were put at risk as a result.

We can of course say they shouldn't have trusted it, but honestly, should it be normal to expect the manufacturer of the machine to be malicious?

Not to mention the other commenters pointed out that they used the firmware to reinstall the malware even on otherwise clean images, so even enterprises could've been at risk.


If you don't trust the manufacturer then the OS is the least of your worries.

You can't trust the hardware, microcode or firmware either.


Lenovo is known to install rootkits in their devices [1], which an OS image will not prevent.

Do you have a citation for Lenovo's competitors installing comparably vulnerable malware?

[1] https://threatpost.com/lenovo-hit-with-criticism-over-second...


Lenovo is behaving as an attacker against its customers. That sophisticated customers had defenses for this particular attack is irrelevant. Imagine if iPhones started trying dictionary attacks against their peers on WiFi networks. Would you shrug it off and continue buying Apple products because you trust your password complexity rules?

It’s great that the countermeasures worked this time, but Lenovo is still your adversary. They deserve the same response as any other insider who tries to MITM your traffic: immediate termination, a thorough search for any remaining implants, and an FBI battering ram through their door.


Very interesting! I had not heard of these incidents.


I mean Dell took the opportunity to do almost exactly the same thing shortly afterwards.


Didn't they also install some malware in UEFI at one point? Which is even worse, since you can install Linux on Lenovo laptops wiping out their pre-installed (but non refundable) Windows, but you can't easily replace UEFI there.


They did have a firmware-based malware dropper. The "only" thing it did was re-infect clean Windows installations, so installing Linux would still mean you'd be fine as the second stage wouldn't be dropped, but of course that's not a technical limitation - they could have built it to also infect Linux, but didn't.


They couldn't have.

The dropper was passive, abusing a Windows mechanism designed for installing vendor software, in which Windows looks for such software and executes it.

Linux does not go diving in UEFI looking for executables to run.


I had to read twice and go through the article to make sure of the amount.

IMO they'd deserve _way_ more than that. The precedent is scary.


Yeah, that looks like a minor slap on the wrist.


Lenovo makes $45b a year, so the fine is maybe an hour and a half of revenue.


Hope the same step is taken against mobile phone manufacturers who fill the phone with unwanted apps.


I wonder how costly this particular class-action suit was for Lenovo?

That is, the 7.3 MUSD to be paid, plus the prorated expenses to compensate the employees handling the case, plus court fees, plus travel expenses, etc., but ignoring factors like lost sales, other fines and settlements, etc.; is the final figure still around 7.3 MUSD, or would it be significantly more?


Maybe a step towards the possibility to buy Lenovo hardware without a forced M$ license?


You don’t actually pay more for the Windows license. The cost of the Windows license is usually offset by OEM installed crapware on consumer PCs.


Suppose I purchase a laptop from Lenovo. Do I have a surefire way to easily decrapify the laptop?


Reformat the computer?

I do this on 100% of my computers now. I thought there was a risk of losing some functionality like the touch screen, but everything works and far better than when I bought it.


But if you install Win10 don't you just get spyware/adware/crapware direct from MS then? (asking, I don't know, not a regular MS user)


I think Candy Crush or something was default, but that's just pre-installed games. I think there were links to some websites too.

The problem is pre-installed crapware. Windows seems fine.


Having done this in the past year... kind of. I view it as a lesser brand of evil though. Also it's possible to turn off telemetry.

Cortana still sucks though.


Can you? There was a security report posted last week on here recommending that enterprise users rotate their accounts to prevent some of it.


dd if=/dev/zero of=/dev/sda


To expand:

Lenovo's LSE used UEFI to redeploy the binaries thanks to Microsoft's wonderful Windows Platform Binary Table.

Microsoft's default Disk Management system cannot remove EFI partitions (in all cases), and you need to.
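
To make the WPBT mechanism discussed above (and in the earlier comment describing it as a boot-time backdoor) concrete, here is an added example that is not from this thread, from Lenovo or from Microsoft: a Python script that decodes a WPBT ACPI table and reports what the firmware is handing Windows to execute, so an administrator can check a machine for a platform binary before deciding whether a reimage is enough. The field offsets follow Microsoft's published WPBT specification as I recall it and should be verified against that document; the Windows retrieval via `kernel32!GetSystemFirmwareTable` (provider `'ACPI'`, table signature `'WPBT'`) is an assumption about that API; the `build_wpbt` helper only fabricates test data and the OEM id and addresses in it are constructed placeholders, not values from any real firmware.

```python
import struct
import sys
from typing import Optional

# WPBT layout (assumption: per Microsoft's WPBT spec; verify before relying on it)
#   0  ACPI header (36 bytes): Signature[4], Length u32, Revision u8, Checksum u8,
#      OEMID[6], OEM Table ID[8], OEM Revision u32, Creator ID[4], Creator Revision u32
#  36  Handoff Memory Size      u32  size of the PE image the firmware placed in RAM
#  40  Handoff Memory Location  u64  physical address of that image
#  48  Content Layout           u8   1 = a single PE image
#  49  Content Type             u8   1 = native user-mode application
#  50  Command Line Length      u16  bytes of UCS-2 command line that follow (0 = none)
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")


def parse_wpbt(table: bytes) -> dict:
    """Decode a WPBT table and describe what the firmware asks Windows to run."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table shorter than the fixed WPBT fields")
    (sig, length, revision, _chk, oem_id, oem_table_id,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table, signature {sig!r}")
    if length != len(table):
        raise ValueError("declared ACPI length does not match the data")
    if sum(table) & 0xFF:  # every ACPI table must sum to zero modulo 256
        raise ValueError("ACPI checksum mismatch; table is corrupt or tampered")
    size, addr, layout, ctype, cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_BODY.size
    if start + cmd_len > len(table):
        raise ValueError("command line length runs past the end of the table")
    cmdline = table[start:start + cmd_len].decode("utf-16-le").rstrip("\0")
    return {
        "revision": revision,
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "image_size": size,
        "image_addr": addr,
        "content_layout": layout,
        "content_type": ctype,
        "cmdline": cmdline,
        "is_native_exe": layout == 1 and ctype == 1,
    }


def build_wpbt(oem_id: bytes, image_addr: int, image_size: int, cmdline: str) -> bytes:
    """Construct a WPBT table for testing the parser (fabricated data, no real firmware)."""
    cmd = cmdline.encode("utf-16-le")
    body = WPBT_BODY.pack(image_size, image_addr, 1, 1, len(cmd)) + cmd
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              oem_id.ljust(6, b" ")[:6], b"EXAMPLE ", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF  # checksum byte sits at offset 9 of the ACPI header
    return bytes(table)


def read_wpbt_from_firmware() -> Optional[bytes]:
    """Fetch the raw WPBT table from the running system; None if the firmware has none.
    Assumption: GetSystemFirmwareTable takes the provider as the big-endian DWORD
    0x41435049 ('ACPI') and the table signature as a little-endian DWORD."""
    if sys.platform != "win32":
        raise RuntimeError("ACPI table access via GetSystemFirmwareTable is Windows-only")
    import ctypes
    k32 = ctypes.windll.kernel32
    provider = int.from_bytes(b"ACPI", "big")
    table_id = int.from_bytes(b"WPBT", "little")
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None
    buf = ctypes.create_string_buffer(needed)
    k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw


if __name__ == "__main__":
    if sys.platform == "win32":
        raw = read_wpbt_from_firmware()
    else:
        # Constructed sample so the parser can be exercised on any OS.
        raw = build_wpbt(b"EXAMPL", 0x7A00_0000, 0x1234, "/s")
    if raw is None:
        print("No WPBT table: the firmware is not handing Windows a binary to run.")
    else:
        info = parse_wpbt(raw)
        print(f"WPBT present from OEM {info['oem_id']!r}: {info['image_size']} byte image "
              f"at 0x{info['image_addr']:X}, command line {info['cmdline']!r}")
```

The table only carries a pointer to the image, not the image bytes, so the script tells you that a platform binary exists, who placed it and how it is invoked; whether that binary is acceptable is a judgement against the vendor's own disclosure, and removing it means updating or replacing the firmware, not reformatting the disk.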


They also installed a "security" browser toolbar that was based on Conduit malware.


I wonder how much M$FT should pay for all the adware in their OS :)


IBM Thinkpad t43p was my first heavy duty laptop. In 2005 IBM made a mistake that someone in their management must regret to date, selling Thinkpad laptop line to Lenovo. Things went downhill for Thinkpads and I lasted 3-4 more generations before finally giving up.

Thinkpad had a shot at being the world's most loved laptop, by developers and businessmen on the go.

Passion for great products and great user experience is clearly not what drives the thinkpad product line today, and that is regretful. It is one of those businesses that I would love to run.


Thing is, Thinkpads are still the best productivity laptops on the market. Which isn't to say that your observations aren't true, but more of a comment on the general state of that market...


Agree for some definition of best, however I'm very tempted to pick up a Xiaomi next, they seem to be very reasonably priced.


Thinkpads were actually manufactured by Lenovo right from the start, they were only badged by IBM.

But even then, why should anyone at IBM care what happened to the brand after they sold it? I know some creators love their product lines and such and care about posterity, but, IBM!


Did Lenovo really manufacture them back in 1992? From what I gather they only started in 2005?

Even then it's like saying iPhones manufactured by Foxconn are only badged by Apple. The original IBM Thinkpads all the way up to the T43 were developed by IBM and built/designed significantly better than the ones today. Also a large selling point of the old models was the software (!), which made some things easier.


Good points, I think you're right.


To this day I want an older 16:10 thinkpad to run xubuntu on. Happy with my 2013 mbpr, however.


They are dirt cheap on ebay, you can get an X200 for ~$60 and a new battery for around $20.


I have a 2010 t410s which runs fine, could do with a new battery though.


What did you switch to?


I really wanted to read the article, but, on principle, I leave websites that mess with the native scrolling. Bye hackread.


Million?



rjplatte 48 days ago [flagged]

Communism is not the answer to bad business practice.


Maybe nationalization should be an option when a company, say PG&E for example, has poorly maintained equipment that starts forest fires. It seems reasonable that an option like that should be on that table as a deterrent reserved for the worst actors. I don't think that anything like that should have happened here, but the fine of ~$10 a laptop does seem a bit low for MitM.


> Maybe nationalization should be an option

This turns a problem company into a problem government bureaucracy. Cleaner to fine the company into oblivion, put it into bankruptcy--thereby teaching its shareholders and creditors a hard lesson--and then let the market figure out if it's worth more liquidated, split up into bits, or sold to a new owner.


Why would nationalization ensure that the equipment is well maintained?


This descends pretty quickly into politics, but nationalised infrastructure should be managed by a government organisation whose goal is to deliver a quality product at (or slightly above) cost.

These organisations in turn report to the executive government of the day, whose interests should be aligned with those of the citizens they were elected to represent.


Nationalized infrastructure is a good way to create poor service, and a long lasting debt. Look at pretty much every country in Europe with national railtracks and rail lines: massively bleeding money, with worse and worse service and low levels of investments because there is no incentive to do so.


Actually the opposite is true. For example the UK was at the forefront of modern railtrack privatization, and it went horribly wrong: https://www.citylab.com/transportation/2012/09/why-britains-...

There are countless examples in Europe where privatized infrastructure actually has been bought back by the public because it has been neglected by the private holder.


It's not because there are failures of the private sector that it dooms the idea completely. But failures of operating train lines under national supervision is rather the rule than the exception. Look at the TGV in France, which is a complete commercial failure that needs constant government intervention to keep it afloat.

https://www.reuters.com/article/us-france-reform-sncf-debt/f...

Same thing for Deutsche Bahn in Germany:

https://www.businesstraveller.com/business-travel/2018/09/11...


Other comments already pointed out counter-examples from the UK etc., so let me give you a German one:

The Berlin public transport system was running perfectly fine until it was privatized. Now the infrastructure is starting to degrade, it's gotten less punctual by objective metrics and it has also gotten much more expensive. The new owners are basically just milking the ever living hell out of it because they know they can.

It's gotten so bad there's now a lot of talk that it should be nationalized again.


Is there a private train company that has good service, regularly invests and is profitable without government assistance?


Yup. Numerous private train companies in Japan.


In Japan the government kept essentially all the companies' debt, and incurred the cost of the 80k employees that were fired. And even now the profitable companies seem to get their profits from shops at the train stations.

And from the 6 companies the public railroad was split into, not all are successful: "JR Hokkaido expects to incur a record pretax loss of ¥23.5 billion in the year that ended in March [2017], with the company’s president likening its loss-making business structure — due to loss of passengers caused by falling local populations and the expansion of expressway networks — to “a bucket with holes in the bottom."

https://www.japantimes.co.jp/opinion/2017/04/04/editorials/p...


Of course, you can't have successful train operations in low density areas. Hokkaido, Shikoku, and the extreme west of Japan is doomed in that regard. I don't even know how you could expect things to turn differently. But in Tokyo, and Kansai, the private train companies are doing very well.


But that's the point - the profitable tracks were probably profitable before privatization, too (no idea about Japan, but it was the case in Germany). Service in low density areas is the crux of the matter: railroad is a necessary infrastructure there, and if a nation wants to keep quality of life high in these areas, the tracks have to be operated at a loss.

It's the same with postal services, broadband access and similar infrastructure.

Of course a society as a whole can decide to stop subsidizing these low density areas, but that discussion is largely orthogonal to the privatization topic.


Your comparison is probably not accurate. The situation now is completely different from 30 years ago. Cars have become much cheaper at the same time, there are low cost options for travelling larger distances like planes and buses, that did not exist as much before. This is not a single variable environment here.


So much this.

On top of that, railroads (the actual rails and public transport lines) also tend to be a somewhat natural monopoly, so even the high profit lines veer towards minimal service and maximal price.


Completely wrong about the monopoly part. In the US most of the road tracks were created and driven by private companies. And they were competing on destinations and cost.

In Japan right now there are multiple lines that you could take to reach the same destination so there is actually a lot of competition going on.


There's a limit on the amount of subway lines you can squeeze under a city. Nobody is going to run parallel lines.

The most a government can do is figure out beforehand which private company would build and run those cheapest for a certain line, but then you end up with the cheapest solution again, which is not the solution you actually want for infrastructure your economy depends upon.

Also, as the parent pointed out, Japan is a good example for why private companies by themselves aren't enough to run infrastructure like that, since you still need it even if they are unprofitable. And so they need government subsidies. You end up with a company paid for by the taxpayer - as if it was nationalized - but with much less control by the government. Basically a money sink that isn't accountable to the taxpayer. We have that in Berlin after the public transport was privatized. Can't recommend.


> There's a limit on the amount of subway lines you can squeeze under a city. Nobody is going to run a parallel lines.

Tokyo is a good counter example: you have metro lines and multiple ground lines, and buses, all competing against each other.

> Japan is a good example for why private companies by themselves aren't enough to run infrastructure like that,

What is your point? Japan is exactly the right example here, you have country-wide private companies operating and running an excellent service (world class) at reasonable cost.


> What is your point? Japan...

Only a bunch of them are profitable and some are even incurring record losses this year and relying on government money to keep operating.

Can't let them go bankrupt because they're still important. Honestly I explained this in my earlier post, good job cropping that.


Most of the Japan railway system was built by the state and privatized later.


Building it isn't the difficult part, keeping it running efficiently is. See: Britain.


Ironically most of the railways in Britain were built independently by private companies then nationalised then privatised again.


Not too sure what you're getting at, but the only part of Britain's rail network that runs acceptably is TFL which isn't privatised.


So what? What is expensive on a daily basis is maintenance and operations. That's the killer.


Not everything needs to make a profit. In fact it's better that some things don't.

And using European trains as an example of poor service is mind-boggling.

They are far, far better than the US or UK offerings (which are privatised, offer piss-poor service and are overpriced).


What has communism got to do with any of this?


So, somewhat offtopic. I'd like to buy some tablets as presents and the Lenovo ones seemed well rated for the price. Are there others that are made by a, umm, nicer company? I'm looking for cheap and reliable rather than performant.


So what's your price range? iPads were down to 249 which I'd consider pretty darn cheap.


Amazon Fire 7 were down to £30 ( $40 ). That's cheap.

$249 is still serious money for most families.


"Some" tablets implies more than 2, that's an awful lot of money to spend on presents.


Last year I bought a Fire 7 on Black Friday, then rooted it and replaced the Amazon OS with LineageOS and the Play Store. Made for an excellent cheap tablet gift which is still being used today.


Maybe give chromebooks a spin? Or pair up an ipad with a portable keyboard.


I can't really comment on the iPad idea but in the context of Lenovo's malware install...

If you're purchasing a computer with Google software on it aren't you already handing everything to Google?

So is a Chromebook really an alternative if you're rejecting Lenovo tablets for poor security/privacy?

I've been interested in Chromebook hardware but have rejected them for security reasons previously. I'd be interested to hear other people's opinions on the matter.
