"What was Lenovo thinking?" asked Paul Venezia yesterday. It turns out it was as surprised as everyone else, according to Windows Ecosystem Vice President Mark Cohen. He told me that the first he knew of the issue was when he started reading about it in the press yesterday.
Cohen went on to explain that Lenovo had screened the software from Superfish before it was installed on Lenovo's consumer laptop lines last September and had asked Superfish to remove certain features that abused SSL connections. Superfish claimed it did this for Lenovo, which then felt confident to ship a feature Cohen told me it saw as a value-add rather than as adware. Cohen claimed the company was unaware of the certificate injection issues until yesterday.
The full magnitude of the problem has gradually unfolded for Lenovo, which is still updating its remediation instructions.
Apparently, Lenovo performs extensive testing, including penetration attacks by ethical hackers, on software it writes itself in-house, such as utilities, installers, and drivers. But the testing for third-party software has been less rigorous. Cohen told me that while Lenovo has only had 24 hours to begin devising a new policy, the company will now apply the same internal standards to third-party software.
More than that, he told me Lenovo will be "a hell of a lot more selective in future. Will we bundle this software again, or something that uses the same tactics? Hell no!" He also told me that later in the year, Lenovo will move to a model where customers can select which third-party software gets installed post-purchase.
Lenovo is not going to stop bundling adware, though. While Cohen told me that Superfish's software was included more for its function than its revenue, laptop and phone vendors bundle shovelware their customers mostly hate because it makes them money. We tolerate it, so they keep on doing it.
The same goes for Oracle and Java. They don't try to get us to install an adware toolbar with every Java install because they hate us; they love the money they get and don't care what the software does to us. In fact, some allege Oracle's Java installer pushed the same software as Lenovo. It's entirely possible that systems loaded with Java may have the same exposure; it's worth checking.
This has to be a wake-up call to enterprise users. Do you know what's in your product? I don't mean from a legal compliance perspective -- the fixation of the software industry on intellectual property and legal copyright usage has undoubtedly already driven you to have a strong compliance workflow (and if it hasn't, your business is at risk).
But the experience of Lenovo has to give you pause if you ship third-party code in any way or buy hardware that contains it. Lenovo was bundling a product by Superfish -- apparently an image search capability. But it turns out that to make that work, the company was using a product it acquired from Komedia, whose products read like a catalog for building a rootkit for the Web -- and the selective deletions that occurred on Komedia's website overnight suggest the company knows it.
The specific product in use here, SSL Digestor, ought to alarm any technical professional reading about its internals. Notably, it injects a fake SSL certificate into Windows system (as well as into more security-conscious software running on them, such as Firefox, Thunderbird, and Opera). That opens any affected machine to simple man-in-the-middle attacks, allowing interception of absolutely anything the computer user does on the Internet. It's hard to believe Superfish could have been unaware of the dangers of this technique. (At this writing, Superfish has not responded to my request for an interview.)
It's time for such shoddy practices to stop. Will it take a class-action lawsuit against Lenovo or Superfish, as Venezia suggested? The backlash against Sony didn't make a difference, maybe because it was clearly acting badly. An action against Lenovo would be a wake-up call to the computer industry, proving that shovelware is risky and abandoning it is safer. It might be slightly unfair -- Cohen assured me that Lenovo's practices in this area are better than its competitors' -- but it might be the action that propels a wave of change. It's time for our suppliers to stop believing we are still ripe for monetization after we've bought their products.
Meanwhile, we're left to wonder: How many hardware companies know for certain whether the software they bundle has install capabilities that a government or a criminal could use to compromise the credit card details, safety, or privacy of customers? The software supplier may say it's a "parental control filter" or a "content inspection log," but how is that achieved? What's needed is a walkthrough of the code not simply by a legal team checking licenses, but also by a technical team checking the ethics of the behavior of the code. Even then it may take a member of the public to find the problem -- and by then it's too late.
As for buyers, perhaps it would be safer to screen out suppliers who install preloaded third-party software. No one wants to equip staff with precompromised equipment that will incur liability for the breaches it enables. Lenovo told me Superfish software was included only on consumer brands and not business brands like ThinkPad, but in principle, a similar issue could arise there, too.
I dislike being sold credit cards on aircraft by flight attendants. I loathe adverts on pay-per-view TV. But I deeply despise vendors selling my safety and privacy when I conduct unrelated business. It has to stop.