Superfish stumper: What did Lenovo know and when did it know it?

There's only one thing worse than Lenovo not knowing about Superfish: Lenovo knowing about Superfish

Navigating a field of uncertainty and doubt

What does a person have to do to get a pizza delivered? If you're in the area formerly known as the great American Northeast, now doubling as Westeros, only with more white walkers, apparently no action is good enough. How cold is it? When I accidentally stepped outside today, my nose hair flash froze and it felt like someone had fired a staple gun into my cheekbones.

Sure, the slogan at my favorite local pizza place may claim, “Free delivery! When you’re hungry, we’re there,” but not today. Long story short: The proprietor and I had an extended exchange about broken promises, then proceeded to discuss how and with whom the other person could consummate a physical relationship. This is what happens when trusts are broken. Things get weird.

It’s not the first of my trusts to be broken this week. See, I’m also the unlucky owner of a 2014 Lenovo Yoga 2, a sweet Ultrabook that weighs next to nothing yet still has a full complement of laptop-sized power, including an i7 processor, 8GB of RAM, and a 256GB SSD -- as well as a host of malicious adware that Lenovo installed without telling me. That last feature came to light when security researchers reported Superfish adware installed on several Lenovo PC models, then proved it by purchasing a brand-new Yoga 2 (exactly like mine, gnash teeth!) and posting screenshots when Lenovo expressed doubts.

For its part, Lenovo at first slightly blushed and offered the following:

  • The software had been installed only to improve its customers’ online shopping experiences
  • It didn’t see any immediate security concerns
  • Refer any additional inquiries to customer service (888-BUG-OFFF)

Then security researchers further explained that not only is the Superfish software invasive, it’s also badly coded, compromises most any TLS-based session, and appears to use the same keys across different instances. Thus, it opens a wide door to people with even fewer morals than Lenovo execs creating fake HTTPS websites that would be undetectable to loser Lenovo customers ... like me.
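If you want to see for yourself whether your own machine is affected, the check below is an added example written for this column, not Lenovo's cleanup procedure and not code from the researchers: it scans the Windows certificate stores for anything named Superfish and then inspects which root a live HTTPS connection actually chains up to. It assumes an elevated PowerShell session on the affected Windows PC and uses www.example.com purely as a stand-in for any HTTPS site.

```powershell
# Added example (not from the column, Lenovo, or the researchers).
# Assumed: elevated PowerShell on the Windows PC being checked.
$pattern = 'Superfish'

# 1. Any certificate naming Superfish in the machine or user stores.
$found = Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }

if ($found) {
    Write-Host "Certificates naming $pattern found:"
    $found | Select-Object PSParentPath, Subject, Thumbprint, NotAfter |
        Format-Table -AutoSize
} else {
    Write-Host "No certificate naming $pattern in the Windows stores."
}

# 2. Which root does a real HTTPS connection from this machine end in?
#    If an interception proxy is active, the site's chain terminates in
#    the proxy's locally trusted root instead of a public CA.
function Get-TlsChainRoot {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented; we only want to inspect the chain.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($leaf)   # builds against the Windows trust store
        $last = $chain.ChainElements.Count - 1
        return $chain.ChainElements[$last].Certificate.Subject
    } finally {
        $client.Close()
    }
}

$site = 'www.example.com'   # stand-in for any HTTPS site
$root = Get-TlsChainRoot -HostName $site
Write-Host "Chain root for ${site}: $root"
if ($root -match $pattern) {
    Write-Host "WARNING: HTTPS to $site is being terminated by the $pattern root."
}
```

Firefox keeps its own trust store separate from Windows, so a clean result here does not cover it, and removing the certificate alone leaves the adware itself in place; Lenovo's published removal instructions cover both.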

Superfish makes Samsung look sane

That’s when things got weird for Lenovo. Why? Because it broke its customers’ trust. Samsung’s spying TVs may be creepy, and Mattel’s voice-recording Barbie may be far creepier. However, you can’t point to proven instances where those sorts of technologies have hurt anyone (yet).

But faulty certificates, man-in-the-middle attacks, rootkits, and fake data-sucking websites, not to mention the woes that even “legitimate” adware can bring to your email inbox -- those are known quantities. They're painfully known and painfully documented in ink made from the tears and minced credit reports of countless folks now finger-painting in mental institutions or living in luxury refrigerator boxes.

Lenovo put that stuff on my PC deliberately, without telling me and without testing it. At least I hope the company didn’t test it -- if it did, then installed it anyway, that’s worse than all of Larry Ellison’s America's Cup tax swindles combined.

The apology campaign commences

Lenovo has now changed its tune. Apparently, it cared deeply about our privacy and security all along and it’s hurt, deeply hurt, that we’d think otherwise. It’s put instructions for sanitizing your PC on its website, sent “Get well soon” cards to all registered customers, and launched a full-blown PR love fest. Depending on which press release you read, you can find really genuine phrases like “working hard to restore trust” and “eager for feedback from our customers.”

It’s also rumored that Lenovo isn’t the only company installing Superfish, which certainly makes me feel better. To prove it, after I finish my mediocre-but-speedily-delivered-even-in-a-blizzard Domino’s pizza, I’ll wipe my Yoga and write an email to Lenovo CEO Yang Yuanqing with the customer feedback -- and maybe some relationship advice -- he’s so eagerly awaiting.

Copyright © 2015 IDG Communications, Inc.