Seems to be a lot of self-righteous moral crusaders on Twitter, and some on HN too, who won't be satisfied until they see Lenovo employees hanging from lamp posts...
The people who made the decisions involved here essentially hacked hundreds of thousands of PCs and defrauded their customers. I don't expect anyone in Lenovo to be punished for a crime, but there's no doubt they did something clearly unethical and borderline illegal. Their best possible defense is that they were just incredibly negligent.
Not sure that you have to be especially self-righteous to think that there is some level of betraying user trust that ought to actually have some kind of negative consequences for people.
Violent murder is not an appropriate response to this, but certainly somebody (probably multiple people in the upper echelons of Lenovo) should be fired. The damage to Lenovo's reputation from this is enormous.
Even if 'average people' have no idea what a certificate is or why it's important, those who do have an outsized influence on PC purchasing, and are likely to remember this for years.
That's good. It seems too few consumers get a clean Windows experience, and this fiasco has quickly become the chief example. You'd think MS would want to address that, perhaps by hardening their OEM licensing.
Defender is my current Windows anti-malware software of choice. Basically, because they don't feel they have to shill so hard as the other AV companies, and this makes their user experience suck the least.
Yes, and: it's preinstalled on Windows 8, it costs nothing, and it's made by the very same company whose product it tries to protect, so incentives and motivation are clear (an exception to "if you're not paying you're the product").
It's quite a convincing product, quickly becoming an integral part of the OS. And rightfully so.
This is really great, but the real question is will users actually see this on a default Lenovo OS build? Can anyone confirm that Defender doesn't get disabled in favor of, say... McAfee or Symantec?
No, 15 years ago Microsoft would have been the ones installing it.
I think Microsoft went from being a hated software giant to sort of an underdog vis-a-vis Google, Facebook, Amazon and Apple.
They are very big and strong no doubt, but I think the attitude they are projecting since switching CEO recently, their open source efforts, and such make them look pretty good PR-wise among the tech crowd.
it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.
Though given alternative methods of bypassing any Microsoft security, not really necessary.
In the past Microsoft would have been both installing it and have their security tool removing it, left hand does not know what the right hand does in a large organization, then after figuring out they would whitelist their own spyware from the removal tool. This may have actually happened.
The rest is simply PR, Microsoft is still the evil corp it used to be but has to fight other evil corps to keep a share of a market it once dominated. Microsoft had too much money to burn to die quickly, its agony will take quite some time.
> Microsoft is still the evil corp it used to be but has to fight other evil corps to keep a share of a market it once dominated. Microsoft had too much money to burn to die quickly, its agony will take quite some time.
I don't buy it. I think Microsoft seems to have actually made real changes. If you want an example of what a giant evil tech corporation dying slowly looks like, take a look at Oracle. Their core business is basically obsolete, but they'll go on killing open-source projects and squeezing their locked-in enterprise customers for many years.
They are not removing someone else's software though, they are alerting you to a security issue, recommending removal, and providing the tools to do so. That's exactly what an antivirus is supposed to do.
Sorry, but as one who was on Slashdot from pre-userid days, and is in general a huge critic of the company, bullshit.
Microsoft is in a hard place in terms of determining what is or isn't allowed on their systems (due in large part to their own past and quite probably ongoing monopoly abuses), but fixing obvious flaws is to be applauded.
I don't champion the company often, but they're doing the right thing here. Actually, sanctioning Lenovo for letting this happen might be another option they've got. Though something tells me they won't play that card (and quite possibly cannot).
This is only if Windows Defender is operational - in which case the user definitely wants the malware to be disabled/removed. It's akin to having a SPAM defender - in which you grant administrative rights to the owner of the Anti-SPAM tool to redirect spam to the bit-bucket.
Agreed. Seems like the lesser of two evils in this case. I applaud MSFT for realizing that the vast majority of their users will not have the impetus nor the requisite skill to remove this from their machine.
For all we know, Lenovo and Microsoft have been in communication and Lenovo asked or was ok with Microsoft doing this via Defender. Also, Defender specifically flags this issue as a "CompromisedCert", indicating that the impetus for removing it was not necessarily the app itself but because the private key for the cert was found and leaked everywhere.
The latest version of Windows Defender is actively removing the Superfish software and the cert.
The text of the definition is here: http://pastebin.com/raw.php?i=us7iXvkn