Really, this shouldn't come as a surprise. At this point, pre-loaded systems just aren't worth trusting. Better to remove them entirely and start from square one. It's a pain, but until consumers put more pressure on manufacturers, it'll continue being an issue. I'd honestly like to see MS force clean installs, limited only to driver's as an option, as this bloatware is just a huge security flaw, and something that lessens the machine.
Consumers and the review industry need to put more emphasis on this stuff. A very quick look around:
Laptopmag rates best & worst[1], but only gives 5 points to "software". Asus sits in 3rd place, with 3/5 rating for software, with the comment:
> Many of Asus’ laptops ship with more than their fair share of bloatware, including Line, Netflix, Candy Crush Saga, Flipboard and TripAdvisor.[2]
PC Mag rates the top 10 of 2016[3], with the 1st being a chromebook and 2nd place going to an Acer despite one of its cons being "lots of bloatware".[4]
On one hand, it's not that hard to reinstall an OS from scratch (something I always do), so to say "don't buy this laptop" because of that is maybe a bit extreme, but on the other hand, most consumers don't do that.
Good luck reinstalling lenovo laptops from scratch... I mean, I always do a clean Arch install, but if you want windows youll probably have to buy a copy or have them ship you their bloated version
Indeed, but I do think they are aware of it since they do offer "Signature Edition" computers, which require manufacturers to not install additional software.
There was a time when PC vendors had preinstalled applications — honest-to-goodness applications, not bloatware — as a competitive advantage. For Microsoft to forbid this would probably be called out as anticompetitive with regard to those applications, even though no one does that any more.
Well with Windows 8 and now 10, MS is tarnishing their brand, albeit it in different ways. The uncertainty over what MS does and inability to shut it off (apparently updates undo settings?) is why I still don't use W10. :\",
I'm in the same boat, and just want to add that they encourage that feeling to stay away in me by doing the same in my win 8.1 install. I have to 'ignore this update' for the windows 10 update (kb 3035583 I think) every single time I 'check for updates'. Seriously?
I've found enough issues in OEM-preinstalled/OEM-provided stuff that this isn't a surprise at all. (most have been fixed by now, at least. Not sure about the Asus one, as that got reported by someone else over a year prior to my full disclosure.)
Maybe I'm just slow, but their chart seems perfectly ambiguous to me. I can't figure out whether "red X" means "it's bad", or "green check" means "we successfully hacked it".
I'm more upset that drivers can download full programs. I plugged in a mouse, Windows did its thing, then I was greeted with a big "leet graphics" registration window.
On Linux systems you'll see a mix of apt-get (debs), yum/zipper (rpm systems), emerge (gentoo/funtoo based systems), etc.
All of the ones I've mentioned have certificate based checking for the repository lists. They're verified when they sync. If you want to add a new repository, you typically have to import their key (don't think this is the case with Gentoo overlays in layman, but I'm not sure).
Most systems used signed packages too, or at a minimum they verify the SHA sums.
There have been exploits found and you can search through the bug trackers for each distribution to find them. If you find any new ones, most distros have bug bounty programs too.
There are probably some other exploits out there, but in general Linux package managers are pretty good about verifying package manifests and packages before installing them.
there was a paper published 2008 on the state of linux/bsd package managers. some of the information is outdated (eg. pacman now signs their packages) however it is probably still of interest, esp. with all the language-specific package managers bent on repeating the security fuckups of the 90s/00s
26 comments
[ 6.2 ms ] story [ 57.6 ms ] threadLaptopmag rates best & worst[1], but only gives 5 points to "software". Asus sits in 3rd place, with 3/5 rating for software, with the comment:
> Many of Asus’ laptops ship with more than their fair share of bloatware, including Line, Netflix, Candy Crush Saga, Flipboard and TripAdvisor.[2]
PC Mag rates the top 10 of 2016[3], with the 1st being a chromebook and 2nd place going to an Acer despite one of its cons being "lots of bloatware".[4]
On one hand, it's not that hard to reinstall an OS from scratch (something I always do), so to say "don't buy this laptop" because of that is maybe a bit extreme, but on the other hand, most consumers don't do that.
[1] http://www.laptopmag.com/articles/laptop-brand-ratings [2] http://www.laptopmag.com/articles/asus-brand-rating#sthash.9... [3] http://www.pcmag.com/article2/0,2817,2369981,00.asp [4] http://www.pcmag.com/article2/0,2817,2498473,00.asp
Once it's activated it's stickiness to the CPU/Mobo means you can just re-install the dang thing on the same system.
http://www.microsoftstore.com/store/msusa/en_US/cat/Signatur...
http://cypherbridge.com/ProductsServices.html
http://lizardhq.org/2015/11/25/dell-foundation-services.html
http://lizardhq.org/2015/12/01/dell-foundation-services.2.ht...
http://lizardhq.org/2015/12/05/dell-system-detect.html
http://lizardhq.org/2015/12/05/lenovo.html
http://lizardhq.org/2015/12/05/toshiba-service-station.html
https://rol.im/asux/
https://github.com/docker/notary
All of the ones I've mentioned have certificate based checking for the repository lists. They're verified when they sync. If you want to add a new repository, you typically have to import their key (don't think this is the case with Gentoo overlays in layman, but I'm not sure).
Most systems used signed packages too, or at a minimum they verify the SHA sums.
There have been exploits found and you can search through the bug trackers for each distribution to find them. If you find any new ones, most distros have bug bounty programs too.
There are probably some other exploits out there, but in general Linux package managers are pretty good about verifying package manifests and packages before installing them.
https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.p...