[dandelo1953]

️ Things happen.

It's embarrassing to have to disclose such a thing to the public, but they did. I don't recall anything nefarious and they owned up - to at least some extent.

That is more than a lot companies can say. Is that the ONLY reason why you dis Lenovo? Because if so, it makes them that much more attractive in my book of flippant remarks

[SyneRyder]

> I don't recall anything nefarious...

Deliberately bundling adware that injects fake results with affiliate links into search engines [1] on their machines seems nefarious in itself. The MITM of SSL connections just seems like an unexpected added bonus on top, and it took the US Department of Homeland Security to make Lenovo own up to it [2].

[1] https://thenextweb.com/insider/2015/02/19/lenovo-caught-inst...

[2] https://www.reuters.com/article/us-lenovo-cybersecurity-dhs/...

[infogulch]

I want to emphasize how bad the TLS MITM malware was (adware is too nice a term): they installed a TLS MITM attack by adding the same CA public key to the trust store of every non-business device they sold, and proxied the internet traffic through an on-device proxy that contained the private key to that CA. Yes you read that right: every device with this malware had the public and private key used to decrypt the TLS traffic of every other device with this malware, effectively exposing every user to have all of their traffic not only decrypted, but also MITM'd again. Not only was it malicious, it was incompetent too.

I don't consider this a technical failure, it's a business failure. One of two options remains: either nobody in Lenovo reviewed this software from a privacy and security perspective, or they did review it and the business deal overruled the security team's ability to veto it. Either way, this indicates an organizational dysfunction so severe there's no way I can trust Lenovo with my personal or business security again.

[jammygit]

> Is that the ONLY reason why you dis Lenovo?

They installed spyware. That is more than enough reason to lose trust. IIRC, they did it more than once too[1].

If that isn’t cause enough, what is? Would it take pre-installed ransomware to lose trust?

https://thehackernews.com/2015/09/lenovo-laptop-virus.html?m...

[krn]

> They installed spyware. That is more than enough reason to lose trust.

I agree on principle, but Lenovo is no less trustworthy than any Smart TV manufacturer, such as Samsung, Sony, or LG.

It has become a common industry practice to subsidize consumer hardware with pre-installed spyware. The only solution here is to replace the pre-installed OS with an open-source alternative.

I would still pick Lenovo ThinkPad running Fedora Workstation over any iMac or Macbook product.

[pmontra]

Well, yes but at least I can refrain from setting the Wi-Fi password in my TV and still end up with a perfectly working TV (I do.) A computer without Internet is not very useful nowadaysm

[krzyk]

Well, until TV manufacturers will choose to add a GSM module to TVs :)

[krn]

And that shouldn't be far away:

https://en.wikipedia.org/wiki/ESIM

[snerbles]

> I don't recall anything nefarious

If an SSL backdoor installed by the OEM doesn't strike you as nefarious, I have beachfront property in Arizona to sell you.