Maybe there’s something good that can come out of the SSL-busting Superfish debacle.
Lenovo says it is changing its ways:
The events of last week reinforce the principle that customer experience, security and privacy must be our top priorities. With this in mind, we will significantly reduce preloaded applications. Our goal is clear: To become the leader in providing cleaner, safer PCs.
We are starting immediately, and by the time we launch our Windows 10 products, our standard image will only include the operating system and related software, software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera), security software and Lenovo applications. This should eliminate what our industry calls “adware” and “bloatware.” For some countries, certain applications customarily expected by users will also be included.
Lenovo will post information about ALL software we preload on our PCs that clearly explains what each application does. And we will continuously solicit feedback from our user community and industry experts to ensure we have the right applications and best user experience.
We view these actions as a starting point. We believe that these steps will make our technology better, safer and more secure.
That’s quite a turnaround, especially when you compare it to their original head-in-the-sand position of thinking people were just grumbling about the irritating adverts that Superfish-afflicted Lenovo computers were displaying, rather than the serious security and privacy issues the software introduced.
If they’re true to their word, and chuck out the adware and bloatware, and don’t try to sneak it in under the umbrella of “certain applications customarily expected by users” then they are doing all of us a favour.
In fact, I’d like to see other PC manufacturers take the same approach.
Stop putting crapware on the PCs you’re trying to sell. Let users make their own choices about what software they want to install, rather than you forcing software on them that takes up unnecessary disk space, hogs memory and invariably is only there to bring incremental revenue to the vendor.
Lenovo, you better be telling us the truth. We’ll be watching you.
"Stop putting crapware on the PCs you're trying to sell. Let users make their own choices about what software they want to install, rather than you forcing software on them that takes up unnecessary disk space, hogs memory and invariably is only there to bring incremental revenue to the vendor."
If I may continue the -ware idea, it is a shame that – as you put it, correctly I might add, crapware – all of (that) isn't more like vaporware.
Still, even those who don't use commercial software (like me) have to be careful with certain things, in some ways more so (e.g. when helping family or a friend) because of the obnoxious, ancient trick of including 'bonus' software in installers. Not to shame anyone like Adobe, but when I recently did an upgrade for my mother's computer, when I went to install… what is it… Flash?… as I was downloading it (at least the link is slow enough to have noticed it prior) I noticed that they were playing that trick and so I had to start over (something like that – I think for at least their Windows version, they have a download that when run downloads it in full, and wherever it was, it was some obnoxious so-called helpful… crap).
Coyote – The "crapware" you refer to with Adobe Flash is "McAfee Security Scan Plus" and is pretty obviously checked as a pre-selected "Optional Offer" (at least, for Windows users – Mac OS, others?) on the main page for the Flash download at get.adobe.com/flashplayer/ . Not sure how you'd have missed that as this bundling offer has been in place for several years now and it's pretty clear, right there on the download page.
I have seen/heard a few reports of the McAfee installer being downloaded and run even though the offer was manually un-checked, but never seen that happen myself.
I caught it in time (but because I'm stuck on 3.0Mbps and that is the sync rate of the profile, which is very different from the sync rate – far from the remote terminal – and even more different from actual throughput). The reason is simple (although some of it might not make sense to you or otherwise seem odd):
1. I wasn't actually sitting down (was standing – no, it is not ergonomic but it was brief too).
2. Had a lot on my mind.
3. Even administrators are users (This is key!).
4. See below on how I usually deal with software (therefore not remembering or thinking of it).
Basic summary is: lots of distractions. Similarly in the case of un-checking it and it downloading – it could be they thought they had (and didn't) or they did and it wasn't registered (for whatever reason). They don't have it for Linux (I mean that option isn't there and therefore irrelevant), in any case. Having it for years is irrelevant though, because I simply forgot about it (keep in mind I'm used to software repositories and not third party downloads to install things).
Let's be clear, they're removing very little:
"…our standard image will only include the operating system and related software, software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera), security software and Lenovo applications. … For some countries, certain applications customarily expected by users will also be included."
So it includes unwanted hardware drivers (why?), "security" software (trials) (Superfish could be considered security!) and Lenovo's own software (crap).
If that's not enough they'll also bundle "certain applications" for users in some countries.
NO REAL CHANGE!
I agree it probably is still more than is wanted for many. However, Superfish is absolutely not security. As far as I know they used it to make advertisements more tailored to the user of the computer. But since it acted as a MiTM and even took ownership of certificate authenticity… it could read, control… unhinge the supposedly secure connection (and let's be honest – SSL has a terrible track record when it comes to security as it is).
As for drivers, I interpreted that as if they include (that) hardware they will have the drivers for it (which is fair). Otherwise they won't. No real comment on the others.
The 'security' functionality offered by MiTM would be deep content scanning. A lot of workplace systems can view SSL connections to allow the organisation to enforce corporate policies. Microsoft even offers a tool to administrators which makes the SSL inspection undetectable.
Also some large antivirus vendors install root certificates to scan websites (albeit mainly only for use with search engines) to allow them to offer website 'advice' on what is safe to visit and what is not.
… and none of that changes the fact that a hardware vendor (Lenovo) taking over as a CA, not allowing proper checks (that the browser should be doing) on whether the certificate is legit, has expired, is self-signed, is …, isn't secure… and neither was it authorised by the customer.
And yes, I can name two utilities off the top of my head that allow MiTM, but it still has serious implications, and ignoring that is the problem. You can argue that antivirus software should be allowed to do whatever it wants, including saturating the system's resources (to a high percentage) and also scanning too many archives (to the point of getting hit by a zip bomb), because it is "doing what it needs to do", but that would still be a problem (and it shouldn't be allowed that, and in fact in some systems the resources would be capped and the culprit processes would potentially be terminated).
Most importantly, you're ignoring something: the customer didn't ask for this. The customer didn't know. The customer didn't willingly install this. Therefore, any claim that it benefits the customer is false. Yes, administrators have the rights (legal and ethical) to monitor their users (I've yet to meet one that didn't, and I'm not an exception, either) and for many good reasons. But here they aren't the administrators. In short, there isn't any security benefit from this software. None. There is only insecurity.
…and since I don't have scripts enabled to see the edit form, I'll just add it here (I realised I didn't answer this). Yes, antiviruses can do that. But this is different. And antiviruses typically have the option to disable it. And they're typically installed by the user.
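As an added example that is not part of the article or the comments above, here is a PowerShell check a defender could run on an affected Windows machine: it looks for a trusted root certificate whose subject contains "Superfish" and, more generally, for any trusted root whose private key is present on the box, since a preload that intercepts TLS needs that key locally. The cmdlets and certificate properties are standard PowerShell/.NET; matching on the product name is an assumption based on the name used in the article.

```powershell
# Added example (not from the article or its comments). Audits the
# machine-wide trusted root store for the Superfish root described above
# and for any root that carries a private key on this endpoint.
# Run from an elevated PowerShell prompt; use -Remove to delete matches.
param(
    [switch]$Remove   # remove Superfish entries after reporting them
)

$rootStore = 'Cert:\LocalMachine\Root'
$roots = Get-ChildItem -Path $rootStore

# 1. Direct match on the product name used in the article (assumption).
$superfish = $roots | Where-Object { $_.Subject -match 'Superfish' }

# 2. Broader heuristic: a trusted root should never have its private key
#    on an end-user machine; one that does can sign certificates locally.
$rootsWithKey = $roots | Where-Object { $_.HasPrivateKey }

foreach ($cert in $superfish) {
    Write-Warning ("Superfish root found: {0} (thumbprint {1}, expires {2})" -f
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($Remove) {
        Remove-Item -Path (Join-Path $rootStore $cert.Thumbprint)
        Write-Host "Removed $($cert.Thumbprint) from $rootStore"
    }
}

foreach ($cert in $rootsWithKey) {
    Write-Warning ("Trusted root with a local private key: {0} ({1})" -f
        $cert.Subject, $cert.Thumbprint)
}

if (-not $superfish -and -not $rootsWithKey) {
    Write-Host "No Superfish root and no root with a local private key found."
}
# Note: Firefox keeps its own trust store, so this covers only the Windows
# store used by Internet Explorer and Chrome on this machine.
```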