1. Your OS installs malware (technically manufacturers software) from a 3rd party vendor in background, zero user interaction
2. Happens as soon as you or anyone with physical access plug in a device into the HDMI port
3. That malware has internet and full system access, no sandboxing
4. It starts with every system boot
5. This software gets installed when you plug in a new LG monitor
6. OR ALREADY HAD AN OLDER LG MONITOR PLUGGED IN, BECAUSE LG APPARENTLY ROLLED THIS OUT FOR MANY OLDER MODELS TOO!!
7. And yes, if you think that's horrendous, as mentioned in the video below, that also applies to 'Professional' LG monitors!
This situation has.. no precedent as far as I can tell..GamersNexus has a video diving deeper into what LG did here - https://www.youtube.com/watch?v=Q9uefFYe6bM
gpedit.msc
Computer Configuration > Administrative Templates > System > Device Installation
Prevent automatic download of applications associated with device metadata
Set to enabled
OK
On home editions sans gpedit.msc: sysdm.cpl
Hardware tab
Click Device Installation Settings
Under 'Do you want to automatically download manufacturers' apps for your devices?', select 'No'
Save ChangesMicrosoft decides what happens here, and presumably today they just take it on trust that hardware makers know what software to install. New driver? Sure. McSpam installer? OK. Maybe they have a guideline saying "Don't ship unrelated garbage" but today it's not enforced because why would you do that?
If the Microsoft customers (particularly larger corporate customers) tell Microsoft they hate this that policy will get tightened or if there isn't a policy one is introduced, and outfits like LG get told if you do this again we're taking away your update privileges, 'cos our customers hated this. Because (as I said assuming MS don't get a taste) this is all downside for Microsoft.
Pushing back on LG will be less likely to work because you already bought their product, so at most you can insist you'll forgo LG next iteration and they know such pledges evaporate in practice usually. Whereas Microsoft has contract negotiations every day, somewhere a $$$ contract is being renegotiated next week and if "Yeah, these LG popups suck" comes up - even if it's not a corporate system but the VP's niece's video editing suite for her vlog that's strictly unrelated - that Microsoft sales droid reports this was an impediment and it's on the list of things that don't benefit Microsoft.
Autorun of malware when you plugged in a USB drive was also a Windows issue, I'd classify this as the same security problem.
You can't block a just one driver. E.g. for my touch screen on the Lenovo website there is version X. When I install it the next day Windows installs X-1.
On Lenovo's website the latest version is 7.7.2.66 (https://pcsupport.lenovo.com/us/en/products/laptops-and-netb...).
Windows reverts that to 7.7.2.44.
I tried blocking that update with the Powershell command-thingy, but even that doesn't work:
Administrator in ~
get-windowsupdate -isHidden | ft Status,KB,Size,Title
Status KB Size Title
------ -- ---- -----
----H-- 92KB Wacom Technology - HIDClass - 7.7.2.44
(this command by the way takes 20+ seconds), and the filtering doesn't work because there is no KB.The GN video focuses a lot on consent, and while maybe this is notionally currently illegal without consent, that just steers towards companies shipping a generic ToS popup, claiming you "read" that 1.8 PiB of ToS, and including the "oh btdubs we can modify these terms at any times and if you want to go to court lol forced arbitration has other ideas about that."
MS & Windows having conditioned users to expect / think they need drivers for peripherals speaking standard protocols is also part of this. A monitor shouldn't need a driver. It takes the pixels, it displays the pixels.
This is one of those things where if I found the person responsible I would likely spit in their face; if not worse. It's quite literally spyware installed as you plug it in much like those old DVD DRMs from sony that would install spyware.
It's garbage.
As far as I know, the source of the graphics was not the unifying receiver that I plugged in the USB port, and the notification was not using any OS API meant for hardware to be avle to prompt the user for additional download. It was a Logitech-built DLL shipped and loaded by the operating system as part of some default driver for the Logitech keyboard.
It still blows my mind that most people still put up with this kind of behavior. I get that some people can't get away from Windows due to genuinely needing to use software that will only run on it, but that has to be around 0.1% or less of current windows users. There is no justification for the other 99.9% to choose to stay in such a toxic relationship.
I have been using it for both personal use and other work use-cases, here is a demo: https://www.youtube.com/watch?v=jObZzI2_pv0
Just like youtube, I can log in to my netflix, amazon prime and then use the touch screen to choose the movie to watch and it gets played on the external screen. I am building it how I would use it as a power user.
But those were different times...
[1] https://www.linkedin.com/posts/callam-d-b38b05105_windows-is...
Is this a good practice? I don’t really know. We used to get drivers on CDs, but barely anyone has a drive on their computer anymore. You could download them from the vendor website but these are usually a mess and very difficult to navigate to find the right thing — impossible for your grandma.
Could do like Linux and just build trusted software right into the kernel - but then people will complain about bloat.
So we are where we are. I guess.
My wife CONVINCED me to buy an LG tv instead of my typical dumb monitor.
Now I get constant ads and a constant nagging of updates available, that will install more ads and spying features...
It's hard to say directly from the article if there is any GDPR breach. If everything was part of the installer and it doesn't actually submit anything (including downloading the ad) to LG then it's harder to argue that there is GDPR violation, but knowing the SOP of these kinds of software that is unlikely.
If the software did indeed send personal data to LG then there are at least following question: How was Article 13 notice delivered to user? Article says that this was installed quietly. Did Microsoft deliver Article 13 compliant notice to user at some point? They probably did deliver their own notice (though it's open question if it's compliant), but not LG's. However since Microsoft is the one that installed the software and they exercise control over the standards which must be met, it's possible that they would end up being joint controller at least for some processing.
I should add that Article 13 requires that the notice is given "at the time when personal data are obtained". The only exception is when "data subject already has the information" and possible Article 23 restrictions, but those are unlikely to apply.
If someone wants to make a complaint they should first make Article 15 request to LG. Copy of personal data is useful, but 15(1) information is the primary goal. Additionally ask for information on how and when did LG provide you the Article 13 notice if they did indeed process your personal data.
After that if they cannot show that they provided Article 13 notice when they received your personal data submit a complaint to your local DPA. You can additionally flag other violations as well if they are applicable (e.g. not naming recipients as part of Article 15 response, not giving actual retention time or meaningful information how that is determined, invalid legal basis etc.). You should also flag in the complaint that Microsoft is likely joint controller for some of the processing given that they are the ones who approved the automatic install of the software which violated GDPR.
Not sure about other solutions, but one suggested workaround here would be to silently uninstall Windows without consent.
I guess my next machine will have a VGA port ;-)
And no Windows.
Whether it’s router safety or NVIDIA software hammering DNS servers hundreds of thousands of times or this. Across the board they seem below average competent when it comes to software. I get that they’re specializing on hardware but why so very bad?
Edit. This isn’t even the only thread today. See TPlink fucking up on leaking your GPS coordinates also on front page
It's basically how a virus would infect your computer through a USB Key.
Forcing itself to be installed, hiding what it does, sustaining itself across reboots, bypassing all security restrictions... because a monitor might need something new after all these decades?
You get what you pay for.
If you're the customer, you're the product.
"You get what you pay for" means if you buy proprietary software, you get software from proprietary vendors who act like modern proprietary vendors act these days, which is using every avenue to maximize profits. There's no recourse, because it is proprietary and, therefore, belongs to the software maker, and not you. It is not your property, it is theirs.
Which leads into...
"If you're the customer, you're the product" because customers are valuable products. You willingly bought the service, so your data is data from someone who is interested in the company and probably willing to buy more from it and its partners if the company can target you. Your data, therefore, has resale value, making you a product to be sold.
Honestly, if we don't push it back hard, it will only get worse and worse. Why we were cancelling people if they used wrong pronouns and suddenly we got tired of doing the same with stuff that we all should agree on that is terrible.
No, you can't have a "(o) just the driver" checkbox because... honestly there are a lot of reasons and the device manufacturers are the guys who demand that in the first place.
Are there any high quality panel manufacturers left that aren't run huge pieces of shit? Or at least try to respect the people buying their hardware?
Do. Not. Buy. LG.
There are a lot of decent alternatives. Stop buying from the sick heads.
As there is no consequence for them, again there is no reason that it changes or that it doesn't get worse in the future.
That's not your computer, that's Microsoft's computer. You're the threat model they lock it down against, you're the schmuck that keeps them fed, and you're the possible terrorist/hacker to be surveilled, tagged, tracked, and monitored.
If you care about consent as it relates to your use of technology, you shouldn't be using Windows in the first place, and this has been obvious for well over a decade now.
Remember when you used to own your "personal" computer?
Mostly anyone who has a need to work for privacy and making their own lives difficult by removing automations deserve working through the barrier of entry to do so.
My current windows 10 install is cleaner than any other windows machine I've ever owned due to using Claude to deep dive and rip stuff out.