For HP Users:

[LSW]

Just a heads up to HP owners. This is one of those situations where this is not really a security issue, but it is a privacy issue if you are sensitive about your privacy or control over YOUR PC. First the article:

HP Silently Installs Telemetry Bloatware On Your PC - Here's How to Remove It

https://thehackernews.com/2017/11/hp-computers-telemetry-data.html

Quote

Do you own a Hewlett-Packard (HP) Windows PC or laptop?

Multiple HP customers from around the world are reporting that HP has started deploying a "spyware" onto their laptops—without informing them or asking their permission.

The application being branded as spyware is actually a Windows Telemetry service deployed by HP, called "HP Touchpoint Analytics Client," which was first identified on November 15.

According to reports on several online forums, the telemetry software—which the HP customers said they never opted to have installed and had no idea was continually running in the background—was pushed out in a recent update.

Now some of you may quite legitimately ask what the big deal is. There are a few points here, none of which may have any meaning if you don't worry about your privacy or have different views on what makes up your idea of your privacy. For those people who do have an issue with this, here are some reasons why:

• Telemetry: Telemetry can mean different things depending on who collects it, NASA space shot telemetry is a different thing in many ways. For us, this is data about your machine. This can clearly be useful for HP, telling them as an example that "XX many HP users still use Vista", "XX% of HP machines with this patch level have over a 47% more chance of crashing when this and that software are installed". This is all good info, no arguments.
• Privacy Part 1: One issue is "What are they collecting and how does it ID me?" Normally this is not PII data of course, SSN, DOB etc., but it is still a form of Fingerprint. A fingerprint if of no use on its own, It would mean nothing to Wyatt Earp in the 1800s, but today and together with data bases it is a crime solving tool. Your PC fingerprint can be used to identify it by the way it is set up, what is on it, and various IDs like your IP address will tell them where it is, the MAC address will tell them exactly what Manufacturer made a part. this is some of what identifies my PC right now from your device you are reading this on. Alone the MAC address can lead someone to the serial number of the PC, that is connected to a payment for that PC which leads to me and the IP gives my general area of Alaska. It is like cop shows where they place random details in the trash together to get an idea of who the suspect is and what they are likely to do by profiling them.
• Privacy Part 2: Another issue aside from not knowing what data they are collecting, is the fact that they are doing so without our consent. Aside from legality and public domain legal arguments, just set all that aside... answer these questions and ask yourself if you feel the same about HP collecting data without your knowledge?
  • If you see some (clearly not homeless or starving) person going through your trash, would you be upset?
  • If I asked your permission to go through your trash, would you likely say yes or no (aside to thinking I am weird)?
• MY PC!: This is my PC, I decide what software goes on it and when it runs. HP intentionally put there software on "my" machine and they decided when it would run and what it collects, all without asking me! Again, imagine looking out your window and seeing guys in Ford branded clothing, opening up your Ford vehicle with some sort of "command key" and installing something... and then getting is a car and driving away, not saying a word to you.
• MY PC/Changed Result: Now take the above, but your neighbor sees it. You get into your car, get on the highway, give it the gas and... your car will not go above 55. You think something is wrong and you go home and your neighbor tells you what they saw. You open the hood and find a throttle installed without your knowledge or permission? Alaska would not be so bad as we are a 55 mph state, but Michigan is 65 mph last I looked and that would suck! Now this example is not quite the same because HP is not intentionally slowing your PC as it seems to have done according to some people in the article, but the result is the same. Gamers pay big bucks for fast PCs, I pay big bucks for fast internet, and now an app I did not want or even know about is slowing my machine down.

If you read may older posting s on web design and accessibility you will find a common thread, "Let the user choose what they want". The best example of this is building a website that plays music automatically.

1. Can my connection handle the extra load?
2. Is it costing more money in fees?
3. Is it music I even like?
4. Is it now playing over top of the music I was listing to already?
5. Can I even hear it? Maybe my speakers are off?

In the end this is not a security update, or a patch, or anything that even helps the owner? No, it only helps HP and they placed on PCs without the users knowledge or consent and it slowed many down. It should have been announced, and it should have been voluntary, and it should be easily and quickly deletable if it effects the machine.

That is why it is a big deal for many people and yet it may not bother others. Never force things on the users, let us use free will.

[LSW]

Quote

HP Releases Update to Fix Synaptics Touchpad Driver Security Issue

(December 11, 2017)
 SANS Institute

HP has released an update to fix an issue that could be exploited to activate a keystroke logger on more than 460 models of HP laptops. The issue lies in a developmental-level debugger feature of a Synaptics Touchpad driver. The feature is off by default, but someone with administrative privileges on affected machines could enable it. The HP update removes the Windows software trace preprocessor (WPP) debugger code. Users are encouraged to update their drivers.