HP Possible pulling a Lenovo with Stealthy spyware?
-
@dashrender said in HP Possible pulling a Lenovo with Stealthy spyware?:
I wonder if there is something buried in HP's EULA that allows them to do this. Frankly I'd be surprised if there wasn't.
EULA is for the software, not the hardware. Would be essentially impossible for HP to have a EULA that covers this as it doesn’t get added to HP software.
-
Here is HP’s EULA. Clearly doesn’t allow this....
- NOTICE OF DATA COLLECTION. You agree that HP and its affiliates may collect, combine, and use device and individual user information you provide in relation to support services related to the Software Product. HP agrees not to use this information to market to you without your consent. Learn More about HP data collection practices at www.hp.com/go/privacy.
-
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
device and individual user information you provide in relation to support services related to the Software Product
In this case "you" (me for example), are not "providing" anything to them. To me, "provide" means willingly and/or knowingly supplying or making available. Key words are willingly and knowingly.
-
@tim_g said in HP Possible pulling a Lenovo with Stealthy spyware?:
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
device and individual user information you provide in relation to support services related to the Software Product
In this case "you" (me for example), are not "providing" anything to them. To me, "provide" means willingly and/or knowingly supplying or making available. Key words are willingly and knowingly.
Exactly. Me providing is totally different than them taking secretly via malware.
I would consider this a hacking crime, just because they did it through official seeming channels doesn't alter that.
-
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
I would consider this a hacking crime, just because they did it through official seeming channels doesn't alter that.
This is the very definition of "hacking".
They gained unauthorized access to data in a system.
-
If this was just a part of their DaaS service, then it's just a central management tool that is reporting on hardware/software issues, i.e. like Spiceworks I suppose.
http://www8.hp.com/us/en/services/daas.html
Question is, DaaS is a paid thing, so why would their telemetry tool be automatically installed on hardware that isn't enrolled in a DaaS plan?
Either this is just a windows update goof, or HP decides all computers need the tool even when not enrolled in any DaaS program. And if so, who is collecting the data?
This is either malicious or an accident pushing DaaS tools to computers that don't need it.
-
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
This is either malicious or an accident pushing DaaS tools to computers that don't need it.
We can't know that. We cannot have any assumption that only legitimate data is being collected. Is that a possibility? Yes. Can we assume it? Absolutely not. Unless you can prove everything that is and can be collected with it, you have to treat it as stealing anything and everything. This is malware we are talking about.
-
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
If this was just a part of their DaaS service, then it's just a central management tool that is reporting on hardware/software issues, i.e. like Spiceworks I suppose.
Yes, if the situation was totally different then.... the situation would be totally different. That is a given.
-
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
This is either malicious or an accident pushing DaaS tools to computers that don't need it.
We can't know that. We cannot have any assumption that only legitimate data is being collected. Is that a possibility? Yes. Can we assume it? Absolutely not. Unless you can prove everything that is and can be collected with it, you have to treat it as stealing anything and everything. This is malware we are talking about.
It's not malware if it's just a system management tool as part of their DaaS program. In this case it would just be a tool accidentally getting installed on systems that haven't been enrolled in the program.
Just the other day on a fresh load of Win10 on a laptop I was installing various programs and I think the antivirus automatically installed Chrome. I don't remember being asked to install Chrome, or the little checkbox was tiny and passed my view. Does that make Chrome malware? No, it just got installed without my explicit permission. It was opt-out rather than opt-in. Same as the HP software I guess.
-
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
This is either malicious or an accident pushing DaaS tools to computers that don't need it.
We can't know that. We cannot have any assumption that only legitimate data is being collected. Is that a possibility? Yes. Can we assume it? Absolutely not. Unless you can prove everything that is and can be collected with it, you have to treat it as stealing anything and everything. This is malware we are talking about.
It's not malware if it's just a system management tool as part of their DaaS program. In this case it would just be a tool accidentally getting installed on systems that haven't been enrolled in the program.
Just the other day on a fresh load of Win10 on a laptop I was installing various programs and I think the antivirus automatically installed Chrome. I don't remember being asked to install Chrome, or the little checkbox was tiny and passed my view. Does that make Chrome malware? No, it just got installed without my explicit permission. It was opt-out rather than opt-in. Same as the HP software I guess.
Trojans are just management tools, too.
-
@tim_g said in HP Possible pulling a Lenovo with Stealthy spyware?:
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
This is either malicious or an accident pushing DaaS tools to computers that don't need it.
We can't know that. We cannot have any assumption that only legitimate data is being collected. Is that a possibility? Yes. Can we assume it? Absolutely not. Unless you can prove everything that is and can be collected with it, you have to treat it as stealing anything and everything. This is malware we are talking about.
It's not malware if it's just a system management tool as part of their DaaS program. In this case it would just be a tool accidentally getting installed on systems that haven't been enrolled in the program.
Just the other day on a fresh load of Win10 on a laptop I was installing various programs and I think the antivirus automatically installed Chrome. I don't remember being asked to install Chrome, or the little checkbox was tiny and passed my view. Does that make Chrome malware? No, it just got installed without my explicit permission. It was opt-out rather than opt-in. Same as the HP software I guess.
Trojans are just management tools, too.
Object your honor, relevance.
-
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
This is either malicious or an accident pushing DaaS tools to computers that don't need it.
We can't know that. We cannot have any assumption that only legitimate data is being collected. Is that a possibility? Yes. Can we assume it? Absolutely not. Unless you can prove everything that is and can be collected with it, you have to treat it as stealing anything and everything. This is malware we are talking about.
It's not malware if it's just a system management tool as part of their DaaS program.
This is totally untrue. What it CAN be included with has no relevance. That it is malware is the issue here. Malware can have legit uses too.
-
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
@tim_g said in HP Possible pulling a Lenovo with Stealthy spyware?:
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
This is either malicious or an accident pushing DaaS tools to computers that don't need it.
We can't know that. We cannot have any assumption that only legitimate data is being collected. Is that a possibility? Yes. Can we assume it? Absolutely not. Unless you can prove everything that is and can be collected with it, you have to treat it as stealing anything and everything. This is malware we are talking about.
It's not malware if it's just a system management tool as part of their DaaS program. In this case it would just be a tool accidentally getting installed on systems that haven't been enrolled in the program.
Just the other day on a fresh load of Win10 on a laptop I was installing various programs and I think the antivirus automatically installed Chrome. I don't remember being asked to install Chrome, or the little checkbox was tiny and passed my view. Does that make Chrome malware? No, it just got installed without my explicit permission. It was opt-out rather than opt-in. Same as the HP software I guess.
Trojans are just management tools, too.
Object your honor, relevance.
It's totally relevant. You just excused malware on the basis of the potential of being included in a legit package.
-
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
In this case it would just be a tool accidentally getting installed on systems that haven't been enrolled in the program.
There are no grounds for this claim. How do you know that this is an accident? And accidental hacking is still hacking. It's better, but it's not nothing.
-
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
Just the other day on a fresh load of Win10 on a laptop I was installing various programs and I think the antivirus automatically installed Chrome. I don't remember being asked to install Chrome, or the little checkbox was tiny and passed my view. Does that make Chrome malware? No, it just got installed without my explicit permission. It was opt-out rather than opt-in. Same as the HP software I guess.
How is this even similar in your mind? I can't even imagine what aspect of this you are picturing makes one anything like the other. I truly have no idea how you missing a Chrome installer as being related to HP hacking customers. What's the connection?
-
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
Just the other day on a fresh load of Win10 on a laptop I was installing various programs and I think the antivirus automatically installed Chrome. I don't remember being asked to install Chrome, or the little checkbox was tiny and passed my view. Does that make Chrome malware? No, it just got installed without my explicit permission. It was opt-out rather than opt-in. Same as the HP software I guess.
How is this even similar in your mind? I can't even imagine what aspect of this you are picturing makes one anything like the other. I truly have no idea how you missing a Chrome installer as being related to HP hacking customers. What's the connection?
The connection is something being installed without express permission. How is it you aren't seeing the connection? Chrome is a legit program, very likely the HP DaaS management tool is also a legit tool. You said yourself malware can also be legit packaging. But you call the HP malware and not Chrome. How is that confusing? It's the same thing to me.
In one case, some random program also threw in Chrome without my permission. And in the other case Windows updates threw in some HP software without permission. Both legitimate software with legitimate purposes and uses, but neither expressly permitted.
-
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
Just the other day on a fresh load of Win10 on a laptop I was installing various programs and I think the antivirus automatically installed Chrome. I don't remember being asked to install Chrome, or the little checkbox was tiny and passed my view. Does that make Chrome malware? No, it just got installed without my explicit permission. It was opt-out rather than opt-in. Same as the HP software I guess.
How is this even similar in your mind? I can't even imagine what aspect of this you are picturing makes one anything like the other. I truly have no idea how you missing a Chrome installer as being related to HP hacking customers. What's the connection?
The connection is something being installed without express permission. How is it you aren't seeing the connection?
Because one is installed by you, the other is not.
-
@guyinpv said in HP Possible pulling a Lenovo with Stealthy spyware?:
In one case, some random program also threw in Chrome without my permission.
You said you didn't notice, you didn't say you were sure it never checked. Also, Chrome isn't collecting data, so isn't related. It's not spying on you. It is likely just classified as part of the original package.
I can't stress enough how every aspect here is flipped completely.
-
I can make software that includes Chrome as part of it. I can deploy that without asking you if you agree to deploy my software. You make the decision, not me. You can remove if you want. It's all open and above board. It's not malware.
If I install software without your permission, and RUN that software without your permission, and STEAL your data without your permission... that's malware.
Installing with, running with, collecting data with permissions versus all the same without permissions. Don't you see how they are opposites?
-
@scottalanmiller said in HP Possible pulling a Lenovo with Stealthy spyware?:
I can make software that includes Chrome as part of it. I can deploy that without asking you if you agree to deploy my software. You make the decision, not me. You can remove if you want. It's all open and above board. It's not malware.
If I install software without your permission, and RUN that software without your permission, and STEAL your data without your permission... that's malware.
Installing with, running with, collecting data with permissions versus all the same without permissions. Don't you see how they are opposites?
No, I see them as the same. Programs that were automatically installed without explicit permission. Don't give a crap what the programs DO, it's about them being installed not by me and I didn't ask for them.
It's no more malware than Spiceworks is malware, or Speccy is malware. It collects system health data and what not. Did you not look at what the HP DaaS program is, or the HP Management tool before it? It's for central management and system care.
My bigger concern is why did HP (or MS?) decide to install this on computers that were not in the DaaS program. Since they are not in the DaaS program, the data is just going to HP themselves I guess, which does smell of stealing data.
Could it be that these computers were already using the previous HP Management tool and so HP just upgraded it to this newer thing? Could it be HP was already collecting system health data and they just weren't aware of it before?
For all anyone knows, the computers were already pumping this data out, now it just got exposed when upgrading to the DaaS service.
Frankly, I feel like we still know nothing about it. Why was it installed, what does it do, what data is it sending to HP and why? Did it replace a previous program that was doing the same? Was it an accident? Or do you truly believe HP just wanted to stick random malicious malware on people's computers to steal data? Is THAT proved yet?
We know nothing, so as far as I see it, a random HP system health service/app was auto installed and nobody knows why.