undefined | Better HN

0 pointsjosteink6y ago0 comments

That caused so much of a backlash that they released a new BIOS version without that stuff. As was absolutely fair.

Abusing Windows' ability to obtain HW-drivers though UEFI (something which can be used for good) to bundle shit-ware is just absolutely rotten.

0 comments

deogeo6y ago

Fair would be sending executives to jail for hacking. Releasing a non-backdoored BIOS was the absolute minimum.

Edit: As pointed out by josteink, the BIOS wasn't backdoored - it was used to install a backdoor. But calling what it installed "insecure Windows-software" is also inaccurate. According to https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci..., its purpose was man-in-the-middle attacks against the user. So I still think criminal liability and jail time would be just. Ordinary people have been sent to jail for far less.

josteinkOP6y ago

To be fair and technically correct, the BIOS itself was not backdoored.

The BIOS itself was fine, but it contained insecure Windows-software which it requested/instructed Windows to install.

Install any other OS (like Linux) and there would be no backdoor at all.

To be clear I’m not trying to defend Lenovo’s actions here, I’m just trying to be clear about what this incident was actually about. The simplistic description is IMO a bit too simplistic in this case.

stcredzero6y ago

Fair would be sending executives to jail for hacking.

That would be up to a prosecutor. A civil suit would take the form of a class action.

walshemj6y ago

Or banning for a period of years the company from any government work as happened to Arthur Anderson in the UK.

twblalock6y ago

Microsoft should prevent this. It's not in their interest to allow OEMs to circumvent the normal software installation methods for Windows. It should be prohibited in whatever agreement OEMs make with Microsoft, and maybe Windows should prevent execution of such code if it's possible to tell it apart from drivers.

bahmboo6y ago

Pretty sure there was a USG lawsuit about what MSFT could require from OEMs.

Gene_Parmesan6y ago

I don't think that settlement applies to this. The OEM part of that lawsuit, from my recollection, hinged on the fact that Microsoft's OEM licenses required that the OEM limit the percentage of computers they sold without a Windows OS pre-installed. I don't remember there being anything about how OEMs use their APIs.

I think it would be perfectly fair for Microsoft to require OEM licensees to not use that feature for shitware installations. I can't see how that would fall afoul of antitrust or related regulations. Maybe I'm wrong though, that was a while ago and it wasn't my specialty when I practiced law.

ru999gol6y ago

that's something Apple would do, but unfortunately Microsoft doesn't give a shit

ilikehurdles6y ago

I'm inclined to agree. Microsoft's philosophy has been "give vendors all the rope they could think of asking for" for a really long time.

MisterTea6y ago

I wouldn't call that good. More like a bad solution to a problem which shouldn't exist. Nothing should ever be located in system firmware save for the boot firmware and perhaps a basic diagnostic tool like memtest.

j / k navigate · click thread line to collapse