Now that some of the dust has settled from the epic disaster that enveloped Lenovo last week, it’s time to take a close look at what happened, what decisions led to this meltdown, and what we might collectively learn from it.
Primarily, we've been given a list of actions a company should not take in the aftermath of such an event. The response from Lenovo has been, well, bizarre. First the company posted its official statement about the Superfish fiasco on its news site, then proceeded to edit that statement over and over in the days since, what felt like 10,000 times. I haven't been able to keep track of all the changes, but it's safe to say that several people have been kept very busy rewriting past statements as more information has been made public.
At the beginning, Lenovo claimed, “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” but that statement soon disappeared. The company also had this to say about the Superfish software itself:
To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product.
Whether these statements are true or not is irrelevant. Nobody cares about Superfish's software. The reason for the clanging, five-alarm fire was the installation of an unscoped root certificate authority in the trust store of each system and the hijacking of SSL/TLS connections with certificates spoofed on the fly -- and how sloppily the software was made, and how easily the CA's private key and its passphrase were extracted. Because that same private key shipped on every affected laptop, anyone who pulled it out could mint a certificate for any site on the Internet, and those laptops would trust it. That's the big to-do. However, Lenovo studiously ignored that, instead discussing how it wanted to help its customers find more crap to buy.
Then there was this part of the original statement:
The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.
Huh? I suppose the thinking here was that if we all understood there wasn’t much money involved in this deal, then it might reflect favorably on Lenovo. It might lend some credence to the claim that Lenovo only wanted to “enhance the experience for users.” Instead, it screams the opposite. If Lenovo was going to preinstall software on its brand-new laptops that literally destroyed SSL/TLS security for the users of those laptops, I would hope a ton of money was involved. Better to have sold its customers down the river for a pot of gold than for a pittance.
It seems Lenovo has even been trying to whitewash forum threads discussing the problem (note that this thread could apparently change at any time).
To call Lenovo's response tone-deaf is an understatement. It looks as if nobody involved here really understands the implications of the company's actions. Presumably some developers somewhere put this horrible idea together, then tested and packaged it. One might wonder if even they understood what they were doing and the impact it would have. Clearly the management decisions to include this software were ill-informed, but the general theme now is that Lenovo doesn't understand how computer security works -- and the company doubled down with its original statement and its constant stream of edits, in which it claimed to be as surprised as the rest of us. Heck, Lenovo's posted uninstall instructions removed the application but left the root certificate sitting in the Windows trust store -- shameful.
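Removing the application is only half the job; the root certificate it planted stays in the trust store until someone deletes it. The PowerShell below is an added example, not Lenovo's or Superfish's code, of how to check the Windows root stores for a third-party root CA and remove it. Matching on the subject name ("Superfish") and the `Find-SuspectRootCert` helper name are assumptions for illustration; in practice you would match on a thumbprint verified against a trusted advisory.

```powershell
# Added example (not from Lenovo or Superfish): locate and remove a
# third-party root CA from the Windows trust stores. The subject pattern
# is an assumption; prefer a verified thumbprint in a real cleanup.
$pattern = '*Superfish*'

function Find-SuspectRootCert {
    param([string]$SubjectPattern)
    # A root CA can live in the machine-wide or the per-user Root store
    # (and AuthRoot). Uninstalling the application touches none of them.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
              'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$found = @(Find-SuspectRootCert -SubjectPattern $pattern)
if ($found.Count -eq 0) {
    Write-Host "No root certificate matching $pattern found."
    return
}
$found | Format-Table -AutoSize

# Remove each match. The LocalMachine stores need an elevated prompt.
# -DeleteKey also removes an associated private key, if one is present.
foreach ($cert in $found) {
    $path = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
    Remove-Item -Path $path -DeleteKey -Confirm   # drop -Confirm for unattended runs
}

# Verify: a second pass should come back empty.
if (@(Find-SuspectRootCert -SubjectPattern $pattern).Count -gt 0) {
    Write-Warning "Certificate still present; re-run elevated and check the remaining stores."
}
```

Two caveats a practitioner should keep in mind. First, delete the certificate only after the interception software itself is gone, or it can simply reinstall its root on the next run. Second, applications that keep their own trust store (Firefox is the usual example) are not covered by the Windows stores above and have to be checked separately.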
Lest you think I'm a bit harsh on Lenovo, remember that this company shipped computers with a third-party root certificate planted in the system trust store and intercepted its customers' encrypted web traffic on purpose.
As I said last week, this underscores the need for a reinvention of Web security. It was great while it lasted, but we can no longer trust certificate authorities or hardware or software vendors. Without that trust, the whole SSL/TLS house of cards comes crashing down.
This isn’t only about SSL/TLS or even Lenovo. It’s about how far vendors are willing to go to subvert security in order to make a buck. The Superfish software should never have been developed in the first place, much less installed by default on brand-new computers. The fact that software like PC Decrapifier exists simply highlights this problem. Maybe the misadventures of Lenovo will have a chilling effect on the adware preloads that major PC vendors seem to love, but I doubt it. It will take a few more heavy hits to the corporate pocketbook for that to happen.