Comment Re:Don't forget samsung (Score 4, Interesting) 266

Ad injection is quite lucrative. This is what entire companies like Phorm do: intercept in-flight connections and insert ads.

As for ad injection like this, I've seen a number of consumer level PCs route traffic through a local proxy, installing Web browser add-ons to keep the browser switched to the proxy and to inject their own SSL key. The fix was removal, and even then, there were processes that had to be stopped via autoruns, as well as blocked from phoning home via the Windows Firewall (so there wasn't a chance they could do damage even if restarted.)

The exception to this seems to be HP, which might have sample programs on it (Norton, for example), but no crapware that loads in Web browser add-ons. It actually was a shock seeing a new HP consumer laptop actually in a usable state out of the box, without having to go swinging at what starts up with the autoruns pickaxe.

The problem is that companies face zero negative consequences for adding intrusive software like this onto a machine. Joe Sixpack won't know or care that his search engine gets redirected through some no-name third party site so his Google search page has Flash ads. With the private key out, he won't realize that his banking stuff is compromised until his bank account gets drained.

The fix? As a consumer, either bring your own OS and completely wipe and reinstall the box, or buy a business-line version. Lenovo would not dare to try installing anything like this on the ThinkPad line, just like Dell's Latitude line, and HP's EliteBook line. Of course, there is always Apple, which seems expensive, but if one compares like for like, a MacBook Pro actually has a price advantage over a comparable business line HP or Dell with the same features and chipset.
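The triage and cleanup this comment describes (find the local proxy and the injected root certificate, stop the process, block it at the Windows Firewall), written out as an added PowerShell example. It is not the commenter's own procedure or any vendor's tool. It assumes an elevated PowerShell 3 or later prompt on Windows 8/8.1 (Remove-Item on the Cert: drive and New-NetFirewallRule are not available on older releases); the injector path and certificate thumbprint in the remediation half are placeholders to be filled in from the detection output.

```powershell
# Added example, not from the post: triage a consumer PC suspected of
# carrying an ad-injecting local proxy, then cut it off. Run elevated in
# PowerShell 3+ on Windows 8/8.1 (Remove-Item on Cert: and
# New-NetFirewallRule are not available on older releases).

# --- Detection -----------------------------------------------------------

# 1. Per-user browser proxy (WinINET). A proxy pointing at the machine
#    itself with no corporate reason is the classic sign of an injector.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    "User proxy enabled: $($inet.ProxyServer)"
    if ($inet.ProxyServer -match '^(127\.0\.0\.1|localhost)(:\d+)?$') { "  -> loops back to this machine" }
}
# Add-ons that keep resetting the proxy often leave a .pac URL behind too.
if ($inet.AutoConfigURL) { "AutoConfig script: $($inet.AutoConfigURL)" }

# 2. Trusted roots that carry a private key on this box. A genuine CA's
#    key never lives here; an interception proxy's must, because it mints
#    a certificate for every site the user visits. Anyone who extracts
#    that key can impersonate any site to this machine.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.HasPrivateKey } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize

# 3. Self-signed roots added recently: the injected CA shows up here too.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.NotBefore -gt (Get-Date).AddYears(-1) } |
    Format-Table Subject, NotBefore, Thumbprint -AutoSize

# 4. Logon autostarts (the Logon tab in Autoruns), where the proxy process
#    and its add-on re-installer are usually registered.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
}
# Local listeners: match the PID column against Get-Process to find the
# proxy binary and its on-disk path.
netstat -ano -p tcp | Select-String '127\.0\.0\.1:\d+\s+0\.0\.0\.0:0\s+LISTENING'

# --- Remediation (fill in from the output above) -------------------------
$badExe   = 'C:\Program Files\ExampleInjector\proxy.exe'   # placeholder path
$badThumb = '0000000000000000000000000000000000000000'     # placeholder thumbprint

Get-Process | Where-Object { $_.Path -eq $badExe } | Stop-Process -Force

# Outbound block so the binary cannot phone home or re-download itself
# even if something restarts it before the uninstall is finished.
New-NetFirewallRule -DisplayName 'Block ad injector (outbound)' -Direction Outbound `
    -Program $badExe -Action Block -Profile Any | Out-Null

# Remove the injected root from both stores, then turn the proxy off.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $badThumb } |
    Remove-Item
Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyEnable -Value 0
```

The private-key check in step 2 is the one worth keeping around: a root certificate whose private key is present on the endpoint is never legitimate, whatever installed it, and it is the condition that turns an annoyance into the banking compromise the comment warns about.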

Comment Re:All the more reason... (Score 1) 248

I personally use a disk image utility to clone the drives before the machine ever boots for the first time, but almost all non-IT people end up losing the recovery disks, or just not making them in the first place. This is why having an OS image in ROM (or technically read-only SSD) would be useful.

The ideal would be both install media, as well as a recovery instance. This way, one could boot the machine, mount the volumes, and save off documents to external media in preparation for a complete format and reinstall. A recovery instance would also be useful for fixing boot issues, or even dealing with malware (although it is best to reinstall if malware is present.)

Comment Re:LOL (Score 1) 144

This is why you use VMs. If malware hits the disk, it is going to find a generic HDD, like a VMware virtual drive, and that vector of attack stops for good right there.

We are almost at a point where we should virtualize everything, and what sits at the bare metal is a hypervisor, where there is a definite layer of separation between the OS and devices. This way, a compromise on the OS level won't allow hardware to be tampered with. If there is a firmware update needed, then it should be made available for manual flashing that takes a deliberate set of actions by the user (or via remote, using some administrator certificate) to ensure that a firmware update is authorized.

In fact, virtualization on newer machines is more of a "why not?" item, than a "why?" item. For example, Windows 8 and Windows 8.1 have Hyper-V available with a switch setting and a reboot. With a little bit of work, one can have one instance of Windows just for Web browsing, and the browser would be a seamless application. The advantage of doing this is that if/when something nails the Web browser and gets a user context, rolling back to a snapshot/checkpoint is pretty easy.

A good example of this was when I was browsing in a VM a certain social network without an ad blocking extension in the browser... 10 minutes later, that VM was slammed by malware, likely from an ad server that was serving up exploits. The fix was two clicks and a confirmation dialog away. Of course, if malware isn't detected, that is another story, but for browsing the Web, it is wise to just roll the VM back every so often anyway (at least every month for Patch Tuesday's festivities.)

What would be nice is if PC makers could allow one's choice of hypervisor to be installed on a dedicated SSD that either is physically set read-only and read-write by a DIP switch (with preferences and system info stashed on a separate writable partition), or similar functionality. The advantage of this is that the hypervisor would be pretty much static except for occasional updates (and the update mechanism can be made decently secure), and hardware would be isolated from the VMs.

If a device does need a firmware upgrade, a mechanism at the hypervisor level would address this.
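The browsing-VM routine from this comment (enable Hyper-V, checkpoint a clean VM, roll back after an infection or on a Patch Tuesday schedule), written out as an added PowerShell example against the Hyper-V module in Windows 8/8.1 Pro. These are not the commenter's own commands. The VM name 'Browse' and the 'clean-*' checkpoint naming scheme are assumptions, and the VM is assumed to already exist with its OS, browser, ad blocker and click-to-play configured. Windows 8.1 also accepts *-VMCheckpoint aliases for the *-VMSnapshot cmdlets used here.

```powershell
# Added example, not from the post: a disposable browsing VM under the
# Hyper-V that ships with Windows 8/8.1 Pro. Run elevated. The VM name and
# the 'clean-*' checkpoint naming scheme are assumptions.

# 1. Turn on the Hyper-V role; this is the "switch setting and a reboot".
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
# Then Restart-Computer, create the VM (New-VHD / New-VM or the Hyper-V
# Manager wizard), install Windows plus browser, ad blocker and
# click-to-play, and patch it fully before the first checkpoint.

$vm = 'Browse'

# 2. Take the known-good checkpoint while the VM is shut down, so it holds
#    no memory state that a later exploit might already be sitting in.
function New-CleanCheckpoint {
    param([string]$VMName = 'Browse')
    Stop-VM -Name $VMName -Force -ErrorAction SilentlyContinue   # graceful shutdown via integration services
    Checkpoint-VM -Name $VMName -SnapshotName ('clean-' + (Get-Date -Format 'yyyy-MM-dd'))
    # Keep only the newest clean checkpoint; each extra one is another
    # differencing disk chained in front of the base VHD.
    Get-VMSnapshot -VMName $VMName |
        Where-Object { $_.Name -like 'clean-*' } |
        Sort-Object CreationTime -Descending |
        Select-Object -Skip 1 |
        Remove-VMSnapshot
}

# 3. Roll back: the "two clicks and a confirmation dialog" from the
#    command line. Use it after anything suspicious, and routinely after
#    Patch Tuesday: roll back, patch, then take a fresh clean checkpoint.
function Reset-BrowsingVM {
    param([string]$VMName = 'Browse')
    $clean = Get-VMSnapshot -VMName $VMName |
             Where-Object { $_.Name -like 'clean-*' } |
             Sort-Object CreationTime -Descending |
             Select-Object -First 1
    if (-not $clean) { throw "No clean-* checkpoint exists for $VMName" }
    Stop-VM -Name $VMName -TurnOff -ErrorAction SilentlyContinue   # hard power-off: nothing inside is trusted now
    Restore-VMSnapshot -VMSnapshot $clean -Confirm:$false
    Start-VM -Name $VMName
}

New-CleanCheckpoint -VMName $vm
# ... browse ...
Reset-BrowsingVM -VMName $vm
```

Rolling back does not help against anything that crossed the VM boundary (a hypervisor escape, or credentials typed into the browser and sent off-box), so the routine pairs with the isolation argument above rather than replacing it.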

Comment Re:Who uses any of that crap anyway? (Score 3, Insightful) 130

GM cars seem to be relatively rare in my neck of the woods. For college students, Kias, Hyundais, VWs and Mazdas have that market, with the Toyota models after that.

I really don't like GM's ability to disable any vehicle, anywhere. I'm reminded of an Austin dealer which installed devices to disable vehicles if the buyer didn't pay their loan payment... and a disgruntled ex-employee logged on as a valid employee, disabled all vehicles in the system and set them to honk until the batteries went dead. Wasn't a relatively big thing... but if someone did hack GM, the damage they could do with OnStar could be tremendous... for example, if there is a forest fire, hurricane or a disaster causing an evacuation, killing all GM vehicles in that area can turn the disaster into a catastrophe with extreme loss of life, just because the GM cars stalled would prevent movement of everything else.

Comment Re:Hardly allegedly (Score 1) 248

For desktops, I end up doing similar, and building my own (for my personal use.) However, for laptops, it is good to go with a brand's business line (not consumer junk, but business tiers that actually will offer decent CS). The same goes if one needs desktops for a company (since for accounting and auditing, it is good to have machines that have similar hardware or one easily trackable model ID.)

Of course, for personal laptops, there is always Apple. Even if one installs Windows on it (easy to do as it is a UEFI machine), the hardware is quite solid, and for individuals, Apple CS is quite good. For businesses and the enterprise, it is a different story.

tl;dr, there isn't really one fix for this, but in general, avoiding consumer-line stuff like the clap is the best thing one can do, either by building one's own machine, buying the business/enterprise tier, or going Apple.

Comment Re:All the more reason... (Score 1) 248

Even on Macs, I prefer to zero out the HDD and install completely cleanly, as a matter of course [1]. In fact, on any hardware, be it POWER7, SPARC, x86, and others, zeroing out the storage and installing clean is a good idea. This not just ensures that one has a clean OS, but anything that was stashed previously is gone. No cruft, no oddball transient stuff that might have accidentally wound up on the HDD during QA or testing (assuming the box was tested), just a working OS (hopefully.)

[1]: It isn't hard to download the install image of the latest OS X, write it to a USB flash drive, then use a Linux drive to boot, TRIM the entire SSD, boot from the OS X drive, and install from scratch.

Comment Re:All the more reason... (Score 2) 248

I'm the same way. The recovery partition is just a chunk from the HDD, so malware can easily seize control of that. Plus, I prefer server operating systems (paid for, of course.) Some laptop makers like Dell can ship a business-line model with a server OS, and since it comes from the OEM, there is a good chance the OS can just activate from the BIOS certificates. I have yet to see a machine shipping with a server OS have any crapware on it, other than maybe some administration tools.

I wish laptop makers could do what Tandy did in the early 80s... put an OS instance in ROM. Have a read-only SSD section set aside that would boot up Windows PE or even an image of whatever Windows edition came with the machine, with drivers merged in as well (easy to do with Vista and newer's WIM functionality.) This way, the box can be completely reinstalled and barring a flash of BIOS or other firmware, there can be high confidence a malware infection is eradicated.
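Merging a machine's drivers into the install image so that a from-scratch reinstall comes up with working hardware, as an added PowerShell example using the DISM module that ships with Windows 8 and later (and the Windows 8 ADK). This is not the commenter's procedure or any OEM's tooling. All paths are placeholders, the image is assumed to hold a single edition at index 1, and the driver folder is assumed to contain signed .inf driver packages.

```powershell
# Added example, not from the post: inject a model's drivers into a
# Windows install image (WIM) so a from-scratch reinstall needs no OEM
# driver pack. Needs the DISM PowerShell module (Windows 8 / ADK 8 or
# later), run elevated. All paths are placeholders.

$wim     = 'D:\build\install.wim'     # copied off the install media: sources\install.wim
$mount   = 'C:\wimmount'
$drivers = 'D:\drivers\this-model'    # folder tree of .inf driver packages

# Which image index is the edition to be serviced?
Get-WindowsImage -ImagePath $wim | Format-Table ImageIndex, ImageName -AutoSize
$index = 1   # assumption: single-edition image

# Optional: on a known-clean machine of the same model, Windows 8.1 Update
# and later can export the installed third-party drivers into $drivers:
#   Export-WindowsDriver -Online -Destination $drivers

New-Item -ItemType Directory -Path $mount -Force | Out-Null
Mount-WindowsImage -ImagePath $wim -Index $index -Path $mount

# Add every signed .inf package under $drivers. Unsigned packages are
# refused; -ForceUnsigned exists, but it reopens exactly the tampering
# risk a clean image is meant to remove, so it is deliberately not used.
Add-WindowsDriver -Path $mount -Driver $drivers -Recurse

# Verify what went in before committing.
Get-WindowsDriver -Path $mount | Format-Table ProviderName, ClassName, Version, Date -AutoSize

# Commit (-Save) and unmount. -Discard instead would throw the changes away.
Dismount-WindowsImage -Path $mount -Save

# The same Mount/Add/Dismount sequence on boot.wim (index 2 is Setup)
# gives the installer itself any storage or network drivers it needs.
```

Keep the resulting WIM on media the machine cannot write to, or at least hash it and store the hash elsewhere; an image that lives on the same disk as the OS it is meant to replace inherits the recovery-partition problem the comment describes.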

Comment Re:AVG: People still use it? (Score 2) 118

The only AV products I've found which actually do anything are SpywareBlaster and Malwarebytes, because MB actually blocks by IPs, and SpywareBlaster doesn't actively run, but sets kill bits and blocklists in browsers.

However, with an adblocking browser extension, Web based malware should never hit your system in the first place, and with click to play functionality, should not have a chance of being activated... and with a VM or sandbox, even if the browser does get compromised, it won't get past that.

As for Android, the weakness is that a lot of Chinese stores have little to no curation or filtering out bad stuff. Google does a decent job in stomping out the bad stuff, but I still think they need to go with two tiers, one tier as things are currently, and one tier where developers have to agree to more stringent rules, and the software has to pass more tests... that way, if a user sticks to the more curated tier, there is less chance of an infection happening.

One note -- the exploits we read about with Android almost always are related to either pirate repositories or "app stores" with little to no moderation. Even something like Cydia's ecosystem would be highly unlikely to have malware like this ever hit it in the first place, and if it did, the devs would have it pulled in minutes to hours.

As for AV software, I use it on machines to make legal eagles happy. I've yet to see it actually actively stop a compromise of a machine. At best, it is good for scanning for 1+ day stuff. The real defenses are the IP blacklists, hosts files, kill bits (SpywareBlaster is quite useful), Web browser extensions and click-to-play. The best mitigation if an infection happens are sandboxes (Sandboxie), virtual machines, and jails. AV was useful back when one scanned a floppy with the latest copy of Doom on it, but these days, it is more for the checkbox in paperwork than actual protection.

Comment Re:All the more reason... (Score 1) 248

Even wiping the box may not work. For example in the case of LoJack for Laptops, there is BIOS support that can get a machine to reload the utility even if the main BIOS is reflashed and all media (hard disks, SSD, etc.) are erased. In the case of this product, it can be a good thing, but this same technology that can protect a laptop can be used to reinstall spyware.

Comment Re:someone explain for the ignorant (Score 1) 449

Sad thing, the PIN part here in the US is optional. However, it does stop the sales clerk who swipes the card and uses it for mail order stuff.

As for mail order, I'm sure Visa/MC will continue to have a web object that pops up, asks for a PW or PIN, which is used for shopping via the Internet.

Is this a security increase? Yes, and much needed. Cloning a chip is a heck of a lot harder than writing down numbers or writing a magnetic strip on a blank.

However, because PINs are an option in the US, it won't be as big a security boost as it is in Europe.

Comment Re:Danger of SSDs (Score 3, Interesting) 105

I wonder if the latest generation of filesystems like ZFS, btrfs, and ReFS would be useful, so a corrupt file that wasn't completely written would be detected by the FS during a background scrub or garbage collection task. With RAID-Z, the corruption can be found; with Z2, the corruption likely can be fixed.

Comment Re:Danger of SSDs (Score 1) 105

There are some reviews of SSDs on the Net about what drives can stand the most in the way of being depowered while writes are in flight. The one thing about the review is that the Intel enterprise SSDs did not lose data or go into an unusable state. This was a few years ago, so I'm hoping that other drive makers have caught up, so a dirty power-off won't mean the entire SSD is destroyed... because recovering an SSD is orders of magnitude harder than looking at the stored magnetic domains on a HDD.

The thing about SSDs is that backups are even more important because once the electrons are out of the gate, that's it. Data is gone.

Comment Re:NAND is for chumps (Score 2) 105

The price is dropping. I'm seeing MacBook Pros ship with 1TB of SSD. It only is a matter of time before external SSDs become the storage medium of choice, just like USB flash drives are for small scale storage.

As for HDDs, I can see them winding up being re-engineered to be more for archival and backup storage as opposed to the role an external HDD does now.

Comment Re:Oh Goodie (Score 1) 83

The funny thing is that the random kicking of doors, breaking of clay pots, and killing anything that moved, was not the standard trope when I started. I am showing my age, but if PCs tried that in a town, the local watch would be on them in no time. If the PCs dispatched the watch, then they would be marked as bandits, and everyone and their brother would be going for them for the reward (and I'd have the "escape from the royal gaol" campaign at the ready.)

There also wasn't the element of opening a box and pulling out a +20 sword of omnislaying. Original 1E source material made almost any magical item difficult to get, and highly coveted. That +1 sword may seem like a joke... but it would be the only thing that could damage various undead. Without it, it would take pouring holy water on weapons in order to have any hope of dispatching anything but a skeleton. A wight or wraith was unkillable by almost any melee, and required a wizard or cleric to hurt it.

With newer rulesets, it is easy for players to make magic weapons... but what was lost is some of the original AD&D fantasy lore -- that magic was a rare phenomenon, and not really visible to the average level 0 or 1 human that wandered the surface.

I've never been a fan of TPW (er, TPK). This almost always causes the players to lose interest in the entire campaign. Of course, there was one thing about PCs dying and sub-plots to go out and get the crispy-crittered rogue back alive... but a wipeout did more harm than good... ...Unless it was scripted. I've used TPWs as a tool to further a campaign, which made things interesting, as opposed to "everyone hand me their character sheets and roll another level 1".
