upvote
> A monitor cannot install software on your computer by the way.

I think everyone in the HN crowd knows that.

> the blame should be on Microsoft

No, they blame should ALSO be on Microsoft, they are the enablers.

reply
> I think everyone in the HN crowd knows that.

I actually did not. I know there is some degree of two-way communication over HDMI/DP, and was curious if this was how the software was installed. I think discussing the technical details is a great use of the HN comment section.

(Wifi enabled display device -> HDMI -> Device) would be an incredibly interesting attack vector.

reply
“I think everyone in the HN crowd knows that.”

I would think everyone in the HN crowd would be aware of HEAC, the hdmi Ethernet channel, etc.

With full access to the hosts tcp/ip stack, we’d do well not to overlook the potential vectors for a monitor to install software on your computer… especially when the operating system is complicit.

reply
Ok, I don't use Windows and never will, so wasn't aware of this feature, and it would've been nice to have that context. Thought maaybe LG is exploiting a vuln in Windows via USB-C or over one of the niche HDMI features, but gathered it's not that.
reply
> Autorun of malware when you plugged in a USB drive was also a Windows issue, I'd classify this as the same security problem.

Not really. AutoRun ran whatever was on the USB drive, with no oversight. This installs a driver from a company that's supposed to be reputable enough to get their driver signed by MS and pass validation. LG breached that trust here.

reply
> that's supposed to be reputable enough to get their driver signed by MS and pass validation. LG breached that trust here.

I think you overestimated how reputable is enough.

reply
So how is this malware?
reply
The blame should be on Microsoft and LG, both.
reply
Actually it frequently can, since a modern monitor is often on USB and in a position to impersonate a keyboard and/or mouse.

I wouldn't put it past most of these companies.

reply
The monitor should absolutely take the major part of the blame by being the source of the malware and poisoning the system for everyone else.
reply
its not the source though is it? its not like it's downloaded via the hdmi cable, it comes from Microsoft that offer the service of installing crap
reply
Ironically if Microsoft responded by just never signing LG software again, but kept this auto-install thing in, LG monitors would become the best to use with Windows.
reply
Blame should be on the user for buying Windows
reply
Please do not blame the user.
reply
deleted
reply
You are describing 'the blame should be on Windows'.

The consequence of Windows having the blame is that one should not buy it.

reply
deleted
reply
that's funny; because my root cause analysis didn't show the user as the person making the decision to show themselves ads? did yours, or was the victim blaming intentional?
reply
Not making the specific decision (showing ads) but making the general decision (giving power to Microsoft). Blaming customers for buying MS products is not really much different than blaming Trump voters for voting for him. In both cases risks were obvious beforehand.
reply
The word “victim” is honestly pretty funny in this context. Nothing really happened to anyone.
reply
I wouldn't classify getting random malware as "nothing happening".
reply
Because it spies on them and nags. But Windows itself already does that. LG could've done the same thing sans the mcafee popups and nobody would care, in fact Dell is probably doing that.
reply
> But Windows itself already does that.

So once an person is victimized in this way, it becomes a free-for-all where future transgressions cease to matter?

reply
Yep. Not free-for-all, but silently installed crap collecting metrics is well within their expectations.
reply
So... When people expect to be harmed because they've been harmed before, then it's perfectly OK when they get harmed again.

Neato.

reply