Hubris: Lenovo and Superfish

From one of my favorite blogs, Techdirt, here’s a concise breakout of the Lenovo/Superfish/Komodia affair that came out in the media last week:

Last week it came out that Lenovo was installing a bit of software called “Superfish” as default bloatware on a bunch of its “consumer” laptops. The software tried to pop up useful alternative shopping results for images. But in order to work on HTTPS-encrypted sites, Superfish made use of a nasty (and horribly implemented) “SSL hijacker” from Komodia, which installed a self-signed root certificate that basically allowed anyone to issue totally fake security certificates for any encrypted connection, enabling very easy man-in-the-middle attacks. Among the many, many, many stupid things about the way Komodia worked was that it used the same certificate on each installation of Superfish, and it had an easily cracked password, “komodia”, which was true on apparently every product that used Komodia. And researchers have discovered that a whole bunch of products use Komodia, putting a ton of people at risk. People have discovered at least 12 products that make use of Komodia. (Read more…)

This is sort of the perfect storm at the intersection of ethics and cyber security: it is behavior that has compromised/breached the security of Lenovo’s systems, and the two other companies involved refuse to even acknowledge that what they are doing is nothing short of a cybersecurity disaster and, from an ethical perspective, is just plain WRONG. It is an amazing demonstration of the kind of hubris that we see in so many corporations today, complete with “ignore and deny” followed by “circle the wagons” and quickly descending to plain old finger-pointing. Only after being raked over the coals in the press did the lead player fess up and take responsibility, and the other players, the ones with the irredeemably broken business model, are still in the deny-everything-and-hope-it-will-go-away mode. Here’s how this went down in the trade AND popular press, in approximate chronological order…

Lenovo Joins the Malevolent Side of the Online Advertising Industry - Gizmodo
Lenovo’s Superfish nightmare is a sign that marketing tech has gone too far - VentureBeat VB News
Lenovo CTO Admits It ‘Messed Up’ Allowing Major Security Hole Onto PCs - re/code
The biggest takeaway from ‘Superfish’: We need to push for “No OS” buying option. - Reddit /r/technology
Superfish admits installing root certificate authority to show ads on secure sites - The Next Web
Lenovo backpedals on Superfish adware, says it’s working to ‘restore trust’ - Mashable
Here’s How to Remove the Ghastly Superfish Adware From Lenovo Laptops - Slate
How to remove the dangerous Superfish adware preinstalled on Lenovo PCs - PCWorld
Lenovo CTO admits company ‘messed up,’ publishes Superfish removal tool - PCWorld
Lenovo finally admits its sleazy adware ploy put its own customers at risk of being hacked - BGR
Lenovo’s Superfish security snafu blows up in its face - C|NET
Here’s How To Get Rid Of That Nasty Superfish Vulnerability On Your New Lenovo Laptop - Consumerist
Lenovo has just released an automatic Superfish removal tool - The Verge
Bravo! Windows Defender, McAfee updates fully remove Lenovo’s dangerous Superfish adware - PCWorld
Lenovo Releases Tool To Remove The Sketchy Exploitable “SuperFish” Garbage It Pre-Loaded On Laptops - TechCrunch
Microsoft has updated Windows Defender to root out the Superfish adware - The Verge
Windows Defender destroys Superfish - SlashGear
Department of Homeland Security urges Lenovo users to remove Superfish - Mashable
U.S. Government Urges Lenovo Customers to Remove ‘Superfish’ Software - Entrepreneur
US government urges Lenovo users to remove Superfish, but the software maker denies security risk - The Next Web
CEO says Superfish is safe as US issues alert to remove Superfish from Lenovo PCs - PCWorld
Lenovo CTO admits Superfish put users at risk, talks damage control - Mashable
Lenovo slapped with lawsuit over dangerous Superfish adware - PCWorld
Or, just read Techdirt’s complete Superfish coverage

About Ray Trygstad

I am a college professor who teaches a broad variety of information technology topics including information security management, multimedia, operating system virtualization, Linux, disaster recovery/business continuity, cloud computing, and management. I can also fly a helicopter, preach a sermon, play the bagpipes, skipper a sailboat, and I have had formal instruction in how to rip someone’s ears off (never had to do that, though).
