Earlier this week it was discovered that Lenovo, a prominent manufacturer of Windows PCs, had loaded Superfish adware onto some of its laptops. In order to insert advertising into websites, the adware subverted the HTTPS certificate authority checks in the browser — and that leaves these machines open to untold traffic monitoring and manipulation.
The public discovery of this adware made for a very bad day at Lenovo headquarters. But it made for a very bad, no good, downright horrible day — and conceivably, a year or more — for Lenovo's customers.
If you think I'm being sensational or overstating, you're wrong. I'm sensationally understating it.
This is such an egregious assault on customer privacy and data, and in my personal opinion, it should be taken as an opportunity for everyone and anyone to re-consider the benefits of going with an Apple-made computer and switching to the Mac.
The Adware deceit
It's no secret that in the cut-rate world of ultra-competitive, cheap-as-a-feature PCs, manufacturers try to make up for the money they don't make from hardware sales by selling out their customers. These preinstalled insertions are typically called "crapware" or "adware"; not only do they junk up and slow down Windows PCs the world over, they also hurt the company's customers. They may think that they're getting a deal, but they're really the ones getting dealt.
If it sounds like I feel strongly about this, you're damn right. I can't count how many times I've had to help PC-using family and friends de-junk their brand new, sluggish Windows desktops — sometimes having to buy them new copies of the Windows OS to nuke and pave over whatever utterly unremovable adware and crapware the vendor installed.
What Lenovo did was far worse than simple adware or crapware insertion, however. The company didn't just add programs that slowed down your PC or encouraged you to buy antivirus software: Lenovo's Superfish adware hacked into HTTPS security within every web browser installed on an affected machine so that it could inject adware into even supposedly secure web sessions.
Worse, Superfish used an incredibly easy-to-crack password — a common dictionary word guessed in minutes — to "protect" the forged certificate they used for the hack. That password is now common knowledge, and anyone with one of the affected machines is now thoroughly unprotected on the Internet.
The actual danger to any specific customer is hard to assess: it could well be minimal. Your average user may not be a huge target, but a group of users sharing the same vulnerability makes a larger, more attractive en masse target for attackers. Think about the kinds of websites protected by HTTPS: banks. Tax services. Healthcare information. Now, think about that information ending up in unfriendly hands.
> I want to make it completely clear in plain English: There is absolutely no possible way that Lenovo didn't know exactly what Superfish did.

— InfoSec Taylor Swift (@SwiftOnSecurity), February 20, 2015
A betrayal of trust
Now, all software has bugs, and all bugs can potentially be exploited. That's a risk everyone — on every platform — has to live with, and something every well-intentioned platform owner and vendor has to be ever-vigilant about discovering and patching.
But this isn't a bug, or a risk. What Lenovo did was deliberate. They didn't fail to find or fix an exploit. They intentionally created one. The company isn't the victim of hackers. They're the perpetrators of a hack.
When first exposed, Lenovo responded by saying it used the adware to try to create a better shopping experience for its customers, which is both disgusting and insulting. The company also said that there was no security risk — which is negligent and malicious. When pressed, a follow-up statement admitted to the security concerns.
> Lenovo: "We have thoroughly investigated ... do not find any evidence to substantiate security concerns." Bullshit. http://t.co/goTKUYXAKv

— Ed Bott (@edbott), February 19, 2015
Why I'm putting my trust in Apple
This isn't the first time a manufacturer has deliberately sabotaged its products to serve its own ends. (Sony, famously, installed rootkits on its own customers' computers to try to prevent them from enjoying their own music on their own machines.) And despite the inevitable fallout from Lenovo's massive misstep, it probably won't be the last time, either. Adware and crapware have become increasingly ubiquitous on OEM PCs, and declining industry profits may turn yet more vendors towards their worst angels.
Apple makes its money up front. The company makes great products that provide far more value than they cost, and enough people feel that way to have made the Mac the only current desktop and laptop success story in the market. The Mac's share keeps growing even as the PC market as a whole has shrunk. And it's beyond profitable enough that we, as customers, don't have to worry about Apple implementing any adware or crapware schemes anytime soon.
Just like with Apple's services, the company believes in selling the product, not selling out the customer.
Whether anyone chooses to trust in Lenovo's products again makes no difference to me — I'm using a Mac. My interests and Apple's currently align. I'm fine. Not having to wake up one morning to discover the company that made my computer has betrayed me is of enormous comfort and value to me — far beyond the cost of the device itself.
Apple isn't perfect, and there are certainly bugs and features on OS X and iOS that need to be fixed. But they aren't intentional, they aren't malicious, and they aren't out to deceive or trick customers into giving away their personal data. As of right now, today, the company is making privacy, security, and integrity not only a point of pride, but a core feature and value proposition of its product line.
And I bet more and more people take notice of that, and more and more people switch to the Mac.
What to do if you're at risk
If you're afflicted with Superfish, Lenovo has posted resources on how to remove the damage to your system:
You wouldn't be faulted, however, for getting a clean version of Windows and reinstalling from scratch. Better still, if you have to run Windows, get a PC from a Microsoft Store that's adware free. Otherwise, seriously, consider switching to Mac.
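As an added check that is not part of the original article or of Lenovo's own removal guidance, the following PowerShell script looks through the Windows certificate stores for a trusted root or intermediate certificate issued under the Superfish name. Matching on a subject or issuer containing "Superfish" is an assumption based on the vendor name used in the article; the thumbprint variable is a placeholder to be filled in from Lenovo's published advisory, not a value taken from this page.

```powershell
# Added example (not Lenovo's or iMore's code): look for a Superfish root
# certificate in the Windows certificate stores. Subject/issuer matching on
# "Superfish" is an assumption; $KnownThumbprint is a placeholder, replace it
# with the thumbprint published in Lenovo's removal guidance.
$KnownThumbprint = 'REPLACE-WITH-THUMBPRINT-FROM-LENOVO-ADVISORY'

# Trusted root and intermediate stores for both the machine and the current user.
$DefaultStores = @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
)

function Find-SuspectRootCert {
    param([string[]]$StorePaths = $DefaultStores)

    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }

        Get-ChildItem -Path $path | Where-Object {
            $_.Subject    -like '*Superfish*' -or
            $_.Issuer     -like '*Superfish*' -or
            $_.Thumbprint -eq   $KnownThumbprint
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
    }
}

$hits = @(Find-SuspectRootCert)
if ($hits.Count -eq 0) {
    Write-Host 'No Superfish certificate found in the Windows certificate stores.'
} else {
    $hits | Format-Table -AutoSize
    Write-Warning 'Untrusted root present. Uninstall the Superfish software first, then remove the certificate.'
    # Removal (requires an elevated prompt), shown for reference:
    #   Remove-Item -Path "Cert:\LocalMachine\Root\$($hits[0].Thumbprint)"
}
```

Run it from an elevated PowerShell prompt so the LocalMachine stores are readable. Note that this only covers the Windows certificate stores used by Internet Explorer and Chrome; Firefox keeps its own certificate database, so a machine that reports clean here should still be checked in Firefox's certificate manager. Removing the certificate alone is not enough if the software that installed it is still present, since it can simply reinstall it.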
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.