Lenovo Superfish

PC manufacturers have been installing crapware on their machines for years, perhaps decades. I bought a Packard-Bell computer in 1996 that needed to have quite a few "sponsored utilities" cleaned off to make it usable. This week, Lenovo got caught red-handed installing actual malware: the Superfish utility added its own self-signed root certificate to the Windows trusted root store, so that it could terminate every HTTPS connection on the machine, re-sign each site's certificate under that root, and read the plaintext. That is a man-in-the-middle attack which is simple to implement and which the browser's padlock cannot flag, because the browser has been told to trust the forger. It is not undetectable, though: anyone who looks at the certificate chain for a site sees it issued by "Superfish, Inc." rather than by the site's real CA. Worse, the same root private key shipped on every affected laptop and was quickly extracted from the Superfish binary, so anyone on the same network could forge a certificate for any site that an affected machine would accept. Superfish created a deliberate data tap in all your encrypted traffic.
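The mechanism above, built end to end as an added example for this page (it is not Superfish's, Komodia's or Lenovo's code): a self-signed root is created, a certificate for a site is forged under it, the forged chain is validated against a trust store with and without that root, and then the issuer check that the padlock never performs is run over the forged certificate. Only the Go standard library is used; the CA name "Rogue Interceptor CA", the second root name and the host www.example.com are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RogueCAName is an assumed name for this example; the real Superfish root was issued to "Superfish, Inc.".
const RogueCAName = "Rogue Interceptor CA"

// RootTemplate describes a self-signed CA, as an interceptor (or a real CA) would create one.
func RootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name, Organization: []string{name}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// LeafTemplate describes a server certificate for host; the interceptor forges one per site visited.
func LeafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Mint signs tmpl with parentKey; with parent == nil it produces a self-signed root.
func Mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ChainAccepted is the browser's padlock check: does leaf validate for host against pool?
func ChainAccepted(leaf *x509.Certificate, host string, pool *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// IssuedByKnownInterceptor is the check the padlock skips: was the issuer a name that never belongs in a public chain?
func IssuedByKnownInterceptor(leaf *x509.Certificate, badNames []string) bool {
	issuer := strings.ToLower(leaf.Issuer.String())
	for _, n := range badNames {
		if strings.Contains(issuer, strings.ToLower(n)) {
			return true
		}
	}
	return false
}

// Scenario forges a certificate for host under the rogue CA and reports whether a store that
// trusts the rogue root accepts it, whether a store without it accepts it, and whether it is flagged.
func Scenario(host string) (withRogueRoot, withoutRogueRoot, flagged bool, err error) {
	rogueCA, rogueKey, err := Mint(RootTemplate(RogueCAName), nil, nil)
	if err != nil {
		return
	}
	forged, _, err := Mint(LeafTemplate(host), rogueCA, rogueKey)
	if err != nil {
		return
	}
	clean := x509.NewCertPool() // a store the bundled software never touched
	tampered := x509.NewCertPool()
	tampered.AddCert(rogueCA) // the one certificate that turns a forgery into "valid"
	withRogueRoot = ChainAccepted(forged, host, tampered)
	withoutRogueRoot = ChainAccepted(forged, host, clean)
	flagged = IssuedByKnownInterceptor(forged, []string{RogueCAName, "Superfish"})
	return
}

func main() {
	fmt.Println(Scenario("www.example.com")) // true false true <nil>
}
```

The point of the two pools is that nothing about the forged certificate changes between them; the only thing that changes is whether the victim's store contains the interceptor's root, which is exactly what the Superfish installer arranged. On an affected Windows machine the equivalent of the issuer check is a look at the trusted root store itself, for example `Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "*Superfish*"` in PowerShell.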
So yesterday Lenovo issued this press release, as companies do in this situation.  For the most part it was pretty standard eyes-glazing-over corporate doubletalk, most of which translates as “oh, s*, we got caught, how shall we walk it back?” 

Still, a couple of key points stood out for me.

  • We thought the product would enhance the shopping experience, as intended by Superfish. 

That’s what Superfish intended, is it? Enhancing my shopping experience? Well, I'll tell you what would enhance my shopping experience: someone who follows me around and carries all the bags. This is not really accomplished with fake root certificates stealthed into my Windows certificate store. Also, notice how the “intent” is now ascribed to Superfish, not Lenovo. A kettle of lawyers is circling....

  • It did not meet our expectations or those of our customers.

Oh those pesky customers. Always expecting not to have their banking credentials stolen.