How did Lenovo do something so inane as fundamentally breaking their customers’ laptop security by installing Superfish? What is Superfish, and what is wrong with it?
I have often asked clients to consider, “what business are you in?” The right answer is not, “to make profits”, or “shareholder return”, because those are bland, meaningless statements. Every business wants to make profits and return value to their shareholders.
Peter Drucker said, “the purpose of a business is to create [and keep] a customer.” The question I am asking is, “how do you create and keep your customer? What is it the customer is buying from you?”
This question is a crucial way to evaluate whether or not additional products, services or just ancillary revenue streams are: useful for your business; neutral for your business; or a negative for your business.
The Samsung Smart TV mess, as I wrote earlier this week, is an example of a negative. Even though they viewed it as a positive, it should at least have been neutral – no real benefit. However, often a neutral turns into a negative by virtue of a company’s lack of understanding of the market dynamics and operational requirements for a new set of offerings or even features.
Sometimes, however, a new revenue stream isn’t just negative in the “that was a waste of our money” or “our customers don’t like that” sense, but in a manner where a few minutes of cold-hearted realism and awareness would have produced a “what could we possibly have been thinking??” moment.
The Superfish scandal – and, indeed, it is a scandal – is a prime example of both kinds of negative.
First, let’s look at what Superfish does, then at the serious mistakes Lenovo made.
In order to understand what Superfish does, let’s look at a simplified view of how a properly behaving visit to a secure Website works.
What happens if it doesn’t match? Your browser gives you a big ugly warning that this site might not really be Facebook or your bank! (Whether or not people abide by those warnings is an entirely different question of user psychology…)
In other words, your entire system of secure trust depends on the group of CA certificates sitting on your laptop, pre-installed with Windows or Mac OS X or iOS or Android. If the group of certificates on your laptop is compromised, anyone can masquerade as anything, and the whole system falls apart.
What does Superfish do?
Superfish, an ad company, convinced Lenovo to pre-install their adware on every (consumer) laptop they shipped. OK, this is common, if annoying but mostly harmless, behaviour. However, Superfish not only installs the usual bloatware; it actually installs Superfish’s certificate as a trusted certificate, as if they were a real CA, in your Windows group of certificates.
In other words, they convinced Lenovo to get your computer to trust Superfish’s certificate as if it were a major CA, like Verisign! And how secure is that certificate? Well, it was publicly cracked yesterday. That means anyone who knows how can intercept all of a Lenovo laptop user’s communications with any secure site, and the user will not know it.
Actually, it gets worse. The above, as bad as it is, might be Superfish’s attempt to just get a cheap and secure connection to their Web sites, without having to pay a CA to certify them. But it doesn’t. Superfish’s software actively intercepts your communications to Google (and probably plenty of other sites). It traps when your browser goes to many sites, sits between you and those sites, and injects its own data (while copying yours, of course).
This is pretty dirty. And why the certificate underhandedness? So they can explicitly intercept your secure communications as well. Yes, this was not an attempt to save a little money; it explicitly intercepts your secure communications for their benefit.
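To make the trust-store point concrete, here is an added example (not code from the article, from Lenovo, or from Superfish) that models the browser’s decision described above in Python. It builds a toy PKI with small textbook RSA keys and a one-level chain (root signs server certificate directly), then shows that a forged certificate for a bank is rejected while the trust store holds only the genuine CA, and accepted the moment an extra root is added to that store. The CA names and hostnames are made up, and the RSA sizes are far too small for real use; this is a model of the logic, not real X.509 or TLS.

```python
"""Toy model of the browser trust decision: constructed example, not real code
from any vendor. Key sizes and the PKI itself are deliberately simplified."""
import hashlib
import random
from dataclasses import dataclass

random.seed(1234)  # deterministic key generation so the demo is repeatable


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test; adequate for a demonstration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=128):
    """Textbook RSA keypair (toy size; real CAs use 2048-bit keys or larger)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)   # public (n, e), private d


def sign(private_key, public_key, message: bytes) -> int:
    n, _ = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, private_key, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


@dataclass(frozen=True)
class Cert:
    subject: str        # hostname, or CA name for a root
    issuer: str         # name of the CA whose key signed this certificate
    public_key: tuple   # (n, e) of the subject
    signature: int      # issuer's signature over the fields below

    def to_be_signed(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.public_key}".encode()


class CA:
    def __init__(self, name):
        self.name = name
        self.public_key, self._private_key = generate_keypair()
        # A root is self-signed; its trust comes only from being in the store.
        self.root_cert = self._issue(name, self.public_key)

    def _issue(self, subject, subject_key):
        unsigned = Cert(subject, self.name, subject_key, 0)
        return Cert(subject, self.name, subject_key,
                    sign(self._private_key, self.public_key, unsigned.to_be_signed()))

    def issue_for(self, hostname):
        """Whoever holds the CA's private key can issue a certificate for any hostname."""
        pub, priv = generate_keypair()
        return self._issue(hostname, pub), priv


def browser_accepts(hostname, leaf: Cert, trust_store: dict) -> bool:
    """The check the article describes: name must match and the chain must end at a trusted root."""
    if leaf.subject != hostname:
        return False                        # name mismatch: the big ugly warning
    root = trust_store.get(leaf.issuer)
    if root is None:
        return False                        # issuer is not one of the pre-installed anchors
    return verify(root.public_key, leaf.to_be_signed(), leaf.signature)


def demo():
    real_ca = CA("Trusted Public CA")                 # stands in for a real CA shipped with the OS
    store = {real_ca.name: real_ca.root_cert}
    bank_cert, _ = real_ca.issue_for("bank.example")

    interceptor = CA("Preinstalled Adware Root")      # hypothetical extra root, as in the article
    forged_bank_cert, _ = interceptor.issue_for("bank.example")

    forged_before = browser_accepts("bank.example", forged_bank_cert, store)
    store[interceptor.name] = interceptor.root_cert   # the installer adds its root to the store
    forged_after = browser_accepts("bank.example", forged_bank_cert, store)
    return {"genuine": browser_accepts("bank.example", bank_cert, store),
            "forged_before_install": forged_before,
            "forged_after_install": forged_after}


if __name__ == "__main__":
    print(demo())
```

The model makes the article’s two claims visible in one run: nothing about the forged certificate changed between the two checks, only the contents of the trust store, and once the extra root is trusted the same private key works for every hostname, so whoever extracts that key from one laptop can issue certificates that every laptop carrying the root will accept. A defender’s first check on a machine is therefore the list of trusted roots against a known baseline, not the browser warnings, because after the install there are none.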
Now that we know how Superfish works, let’s look at the major mistake Lenovo made.
Lenovo bought IBM’s personal computer business a decade ago, in 2005. For all intents and purposes, despite the market knowing it no longer is IBM, people treat it as a continuation of IBM, with all of the trust that implies.
People buy a laptop to do their trusted work. We bring laptops into our homes and offices (and coffee shops, if you are a startup). We run our banking from it; we do our tax returns on it; we develop proprietary code on it. We trust it. While we understand that the Internet has become a dangerous place, and that malicious actors constantly are trying to infect our computers, we have to trust someone, and so we trust our hardware manufacturer with two things:
We want to know that when we unpack it, it is safe for use (notwithstanding the Snowden reports of the NSA intercepting servers and routers in shipment…).
Indeed, customers pay Lenovo to deliver safe computers.
Much as I hate “bloatware”, the garbage manufacturers pre-install on laptops in exchange for some healthy revenue streams from other companies, we trust that those are just add-ons that can be removed.
Lenovo is being paid for trusted computer equipment, yet accepted money to install a product that fundamentally violates that trust.
This is not just an add-on revenue stream that should be neutral but could go negative. It is a direct violation of the implied “customer contract.”
In other words, it never should have passed the smell test.
Based on Lenovo’s public statements, I simply do not know; it is not in the tradition of some companies to “come clean” with their mistakes. We can, however, look at several possibilities:
Either way, heads are likely to fly. This was a severe mistake, and undercuts customer trust. Worse, no matter how many times Lenovo swears it did not install it on “business” computers, many businesses simply will not trust them again (as they should not).
A few simple rules can significantly reduce your chances of being the next scandalized company.
Every one of these is important. Get good advisors, ask them to help you build the culture and feedback loops you need to stay in customers’ good graces.