“Last week it came out that Lenovo was installing a bit of software called “Superfish” as a default bloatware on a bunch of its “consumer” laptops. The software tried to pop up useful alternative shopping results for images. But in order to work on HTTPS-encrypted sites, Superfish made use of a nasty (and horribly implemented) “SSL hijacker” from Komodia, which installed a self-signed root certificate that basically allowed anyone to issue totally fake security certificates for any encrypted connection, enabling very easy man-in-the-middle attacks. Among the many, many, many stupid things about the way Komodia worked, was that it used the same certificate on each installation of Superfish, and it had an easily cracked password: “komodia” which was true on apparently every product that used Komodia. And researchers have discovered that a whole bunch of products use Komodia, putting a ton of people at risk. People have discovered at least 12 products that make use of Komodia. (Read more…)”

This is sort of the perfect storm at the intersection of ethics and cyber security, as it is behavior that has compromised/breached the security of Lenovo’s systems, and the two other companies involved refuse to even acknowledge that what they are doing is nothing short of a cybersecurity disaster, but from an ethical perspective, is just plain WRONG. It is an amazing demonstration of the kind of hubris that we see in so many corporations today, complete with”ignore and deny” followed by “circle the wagons” and quickly descending to plain old fingerpointing. Only after being raked through the coals in the press did the lead player fess up and take responsibility, and the other players, the ones with the irredeemably broken business model, are still in the the deny everything and hope it will go away mode. Here’s how this went down in the trade AND popular press, in approximate chronological order…

Lenovo Joins the Malevolent Side of the Online Advertising Industry - Gizmodo
Lenovo’s Superfish nightmare is a sign that marketing tech has gone too far – Venturebeat VB News
Lenovo CTO Admits It ‘Messed Up’ Allowing Major Security Hole Onto PCs - re/code
The biggest takeaway from ‘Superfish’: We need to push for “No OS” buying option.- Reddit /r/technology
Superfish admits installing root certificate authority to show ads on secure sites – The Next Web
Lenovo backpedals on Superfish adware, says it’s working to ‘restore trust’ - Mashable
Here’s How to Remove the Ghastly Superfish Adware From Lenovo Laptops - Slate
How to remove the dangerous Superfish adware preinstalled on Lenovo PCs - PCWorld
Lenovo CTO admits company ‘messed up,’ publishes Superfish removal tool - PCWorld
Lenovo finally admits its sleazy adware ploy put its own customers at risk of being hacked – BGR
Lenovo’s Superfish security snafu blows up in its face – C|NET
Here’s How To Get Rid Of That Nasty Superfish Vulnerability On Your New Lenovo Laptop - Consumerist
Lenovo has just released an automatic Superfish removal tool - The Verge
Bravo! Windows Defender, McAfee updates fully remove Lenovo’s dangerous Superfish adware – PCWorld
Lenovo Releases Tool To Remove The Sketchy Exploitable “SuperFish” Garbage It Pre-Loaded On Laptops – TechCrunch
Microsoft has updated Windows Defender to root out the Superfish adware - The Verge
Windows Defender destroys Superfish – Slashgear
Department of Homeland Security urges Lenovo users to remove Superfish - Mashable
U.S. Government Urges Lenovo Customers to Remove ‘Superfish’ Software – Entrepreneur
US government urges Lenovo users to remove Superfish, but the software maker denies security risk – The Next Web
CEO says Superfish is safe as US issues alert to remove Superfish from Lenovo PCs – PCWorld
Lenovo CTO admits Superfish put users at risk, talks damage control – Mashable
Lenovo slapped with lawsuit over dangerous Superfish adware – PCWorld
Or, just read the Techdirt complete Superfish coverage