For what it's worth, the Superfish and LSE BIOS scandals didn't apply to ThinkPads. I think Lenovo understands that they have too many serious business and gov clients using ThinkPads to risk doing something silly like that to their professional-grade ThinkPad brand.
ThinkPad is under rather different leadership from Lenovo's consumer division that had the Superfish debacle on IdeaPads and the like. Sure, they are part of one corporation at the very top, but you don't have to go very far down the org chart before they split into separate teams and leadership.
ThinkPad is from the old IBM teams in Raleigh and Yamato. Lenovo made their own laptops before buying IBM's personal computer division, and that line (and its management) became IdeaPad.
If you're troubled by leadership that would allow Superfish (as I am), buy a ThinkPad, not an IdeaPad.
I shouldn't have to learn about the internal structure of a company in order to buy a laptop without malware.
Maybe Lenovo should have thought about their internal structure and their brand reputation before installing malware on their laptops, or maybe not (because they don't care about clients like me, they care about the 90% of bosses that buy bulks of Thinkpads and don't know what firmware is). But anyway, it wasn't a rogue engineer who did it, it was Lenovo, and in my eyes: Lenovo ships malware.
Of course it's up to you to decide what computer to buy or not to buy, based on whatever criteria you see fit.
But I don't think you're doing yourself a favor by ruling out ThinkPads just because of a boneheaded decision that Lenovo's consumer division made a few years ago. ThinkPad and IdeaPad really are two separate organizations under one corporate umbrella.
Superfish was not something handed down from on high, it was the bright idea of the consumer group. The ThinkPad team would never go along with something like that; it's not in their DNA and it would destroy their business. Their bread and butter isn't you and me, it's large organizations with IT and security departments who deploy hundreds of ThinkPads at a time and look very closely at the software on them.
Only offering food for thought, it's cool with me whether you buy ThinkPads or something else. :-)
Personally, I agree with the op. If we want to send a message that malware in our BIOSs is absolutely unacceptable, it makes zero sense to give Lenovo any business.
I don't see how boycotting ThinkPads sends a message that BIOS malware is unacceptable. ThinkPads never had that, and never would.
Anyway, I don't usually buy or not buy a computer to send a message. I buy one because it meets my business and personal needs. I've been using ThinkPads for over 20 years, and they have served me very well.
You may choose differently, and of course that's fine.
> I don't see how boycotting ThinkPads sends a message that BIOS malware is unacceptable
It sends a message to other manufacturers: add malware at your own peril. I frankly consider it unethical to buy or recommend products from companies, like Lenovo, who demonstrated anti-consumer behavior because it perpetuates bad behavior as companies think consumers will forget or forgive them.
> ThinkPads never had that, and never would.
That is speculative. I can't know that whatever harmful and irrational environment that led to Superfish in IdeaPad won't affect ThinkPads in the future. Even in the most generous understanding where IdeaPad is a different, physically separate branch of the company, and Superfish was an act of incompetence and not outright malice I can't be expected to keep up with the insider intrigue of the company to notice any changes that could negatively affect me. More importantly, leadership is still responsible for setting irrational environment that lead to Superfish, whatever that environment was. This is a multi-billion dollar company, there is no excuse for such incompetence.
> I think Lenovo understands that they have too many serious business and gov clients using ThinkPads to risk doing something silly like that to their professional-grade ThinkPad brand.
I think that they rely on their A team to develop the malware targetting business and government clients, rather than the C team responsible for Superfish.
