While this whole Superfish/Lenovo thing is certainly quite scary, let's not forget the very important fact that, currently, the user ultimately still has the ability to modify the software on the machines he/she owns, which includes among other things (un)installing software like Superfish, and also adding/removing trusted certificates. There will be those who advocate locking down the certificate stores and other areas of the OS (e.g. only "approved" software can be installed) in an effort to prevent companies from doing things like this, but I think that could lead to an even worse situation - imagine if this was preinstalled on a locked-down system that made it nearly impossible to remove (or perhaps even discover!)
To put it bluntly, I'd still prefer to buy a system "infected" with Superfish but which lets me reinstall the OS and configure it however I choose, than one which is locked-down so much that, even if such malware was not present initially, if something similarly undesirable is eventually installed by default, it would be nearly impossible to remove. Of course buying an open system that has no malware/adware preinstalled is even better, but given the way things seem to be going with "smart TVs" adding ads and whatnot, it feels like that might not be an option in the future.
> let's not forget the very important fact that, currently, the user ultimately still has the ability to modify the software on the machines he/she owns
Swift on Security has argued - quite convincingly IMHO - that as long as we have this attitude that the user "can" fix their machine by "just remove a SSL cert" we are going to utterly fail the vast majority of ordinary people who now depend on having a machine connected to the internet.
"Maybe this isn’t her fault. Maybe computer security for the average person isn’t a series of easy steps and absolutes they discard from our golden mouths of wise truths to spite the nerd underclass.
Perhaps it’s the very design of General Purpose Computing. And who built this world of freedom, a world that has so well served 17-year-old Jessica? You did. We did."
> While this whole Superfish/Lenovo thing is certainly quite scary, let's not forget the very important fact that, currently, the user ultimately still has the ability to modify the software on the machines he/she owns, which includes among other things (un)installing software like Superfish, and also adding/removing trusted certificates.
Go into a room full of average computer users. Say what you just said here, and watch the blank stares and listen to the "what did he just say/what language is he speaking" comments.
You seem to forget this is on consumer laptops, not machines that will be bought by enterprise IT departments and wiped/reinstalled for company use. The affected laptops are ending up in Joe and Jane User's homes, where they will immediately begin visiting their banks, social networks, email providers, and any other sites people use daily, and will therefore be vulnerable out of the box. They won't know about a root certificate; they won't even know what a root certificate is!
THAT is why this is such a shitty thing for Lenovo and Superfish to do.
I don't understand how this would be the conclusion reached. If you asked a person on the street, would they not think that Lenovo is an entity of authority? That they were the ones dictating the computer's configuration? That they were any more or less fallible/malicious than Sony or Microsoft or HP?
If you asked anyone, would they not follow the line of reasoning that, if the manufacturer was releasing hardware in a default state of compromise, that we could not trust the default state of released hardware? Why would you conclude the opposite after this?
I can't see a way to construe this as "We need to ensure that machines must stay as the manufacturer ordained to protect us from security threats introduced by the manufacturer!"
This is exactly what I thought (I spammed many of my friends with the link to the talk). I bet you that this (which is a step in the wrong direction) will trigger something worse (a leap in the wrong direction to 'protect' consumers).
I'm very hesitant to use this word, but this is a very privileged position. Many customers don't have the skills to even see the technical problem while expecting that not to happen. The same goes for reinstalling the machine (or they don't trust in their skills).
Grandma just bought her laptop from the fine folks at Best Buy. They obviously know best, and why would they sell her a computer in less than pristine condition? It's fine as is, she doesn't know to or have to pay someone to fix something that should be ok.
Do we stop allowing home loans because the majority of those signing them honestly don't understand most of those clauses? Do we ban cell phone contracts because only 1 in 100 even read what they are signing?
I think that it is a very life altering precedent to say we ban adults from consenting to things because they don't know what they are consenting to. Maybe one that is needed, but it would be far reaching if consistently applied.
In the EU we do have laws that make unreasonable contracts unlawful. This sits with "buyer beware". A buyer should take efforts to learn about the contract they're entering into, but a supplier can't hide onerous terms deep in a complex contract and say that they warned the buyer.
> I think that it is a very life altering precedent to say we ban adults from consenting to things because they don't know what they are consenting to.
We already have this in "informed consent" - the permission a patient gives for medical intervention. The consent has to be voluntary and made after being informed - in a way the patient can understand - about the risks and potential harms as well as the benefits.
We also (at least, in England) have regulated advertising ("legal, decent, honest, and truthful") and strict consumer protection laws.
> I think that it is a very life altering precedent to say we ban adults from consenting to things because they don't know what they are consenting to.
Just going off your examples, I don't think it would be unreasonable to require both parties entering into a contract to understand what they are agreeing to. I'd say anything else is unethical, really.
This is standard in the EU and I think that is a good thing.
Full contractual freedom is a B2B thing here.
And yes, having people sign that their communication will be monitored is an unreasonable thing in my opinion, cutting to the core of constitutional rights e.g. in Germany.
While we are at that, Germany has a constitutional right of privacy in your place of living - which is in an interesting juxtaposition to devices listening to what happens in your living room and sending it somewhere.
And finally, there is a non-negligible part of the population that cannot grasp those contracts - expecting them to keep track of all the things they signed in their life is an extreme burden.
The problem with wiping a brand new computer and installing your own will not necessarily void warranty but if you have a problem like something is not working, technical support will tell you to restore the system.
Many new systems now don't even come with original software disks, requiring you to back up the machine using preinstalled crapware to create a backup DVD.
This was the case with a couple of laptops I purchased in the past three years; one of which was a Toshiba.
Years ago, when you purchased a machine, you got a driver disk separately and even now I'm seeing a trend where that's becoming less the case.
> let's not forget the very important fact that, currently, the user ultimately still has the ability to modify the software on the machines he/she owns
What about hard-disk firmware being re-flashed by the "Equation Group" [0]? No easy possibility to detect if you are infected, nor what it is actually doing, not even to reinstall. Hard-disk firmware is software too.
You're right. Still, it would be better to just say nothing, so as not to dilute the thread further. The right tool here is flagging. You can flag an inappropriate comment by clicking on its timestamp to go to its page, then clicking on "flag".
Fortunately, enough other users did so that the comment was killed.
+1, I also had no idea this was an option until you pointed it out, I'll make sure to use it in the future. It might be helpful to perhaps add it to the HN FAQ, or some other help page that has information on "hidden" features like this one.