
Superfish or Stupidfish? | Atomic Energy

How did Lenovo do something as inane as fundamentally breaking their customers’ laptop security by installing Superfish? What is Superfish, and what is wrong with it?

I have often asked clients to consider, “what business are you in?” The right answer is not “to make profits” or “shareholder return”, because those are bland, meaningless statements. Every business wants to make profits and return value to its shareholders.

Peter Drucker said, “the purpose of a business is to create [and keep] a customer.” The question I am asking is, “how do you create and keep your customer? What is it the customer is buying from you?”

This question is a crucial way to evaluate whether or not additional products, services or just ancillary revenue streams are: useful for your business; neutral for your business; or a negative for your business.

The Samsung Smart TV mess, as I wrote earlier this week, is an example of a negative. Samsung viewed it as a positive, but at best it should have been neutral, since it brought the customer no real benefit. Often a neutral turns into a negative because the company does not understand the market dynamics and operational requirements of a new set of offerings, or even of a new feature.

Sometimes, however, a new revenue stream isn’t just negative in the “that was a waste of our money” or “our customers don’t like that” sense, but in a manner where a few minutes of cold-hearted realism and awareness would have produced a “what could we possibly have been thinking??” moment.

The Superfish scandal – and, indeed, it is a scandal – is a prime example of both kinds of negative.

First, let’s look at what Superfish does, then at the serious mistakes Lenovo made.

How Superfish Works

In order to understand what Superfish does, let’s look at a simplified view of how a properly behaving visit to a secure website works.

  1. You go to a secure website, for example your bank’s.
  2. You want to be sure that you really are talking to your bank, and not to someone masquerading as it in order to do terrible things (like stealing $1,000 from your bank account).
  3. The website presents your browser with a certificate, a very long string of characters, that has been signed by a trusted authority, called a Certificate Authority (CA). The signature is the CA’s statement that the public key in the certificate really belongs to your bank’s domain name.
  4. Your browser looks at its group of trusted CA certificates, pre-installed on your laptop (or iOS or Android device). If it finds the CA that issued your bank’s certificate (possibly through a chain of intermediate certificates), and the cryptographic check using that CA’s public key confirms that this CA really did sign it, then voilà, the certificate can be trusted, and hence you really are talking to your bank.

What happens if the chain doesn’t check out? Your browser gives you a big ugly warning that this site might not really be Facebook or your bank! (Whether or not people heed those warnings is an entirely different question of user psychology…)

In other words, your entire system of secure trust depends on the group of CA certificates sitting on your laptop, pre-installed with Windows or Mac OS X or iOS or Android. If the group of certificates on your laptop is compromised, anyone can masquerade as anything, and the whole system falls apart.

What does Superfish do?

Superfish, an ad company, convinced Lenovo to pre-install its adware on every consumer laptop Lenovo shipped. OK, this is common, if annoying but mostly harmless, behaviour. However, Superfish not only installs the usual bloatware; it also installs Superfish’s own root certificate as a trusted certificate, as if Superfish were a real CA, in your Windows group of trusted certificates.

In other words, they convinced Lenovo to make your computer trust Superfish’s certificate as if it were a major CA, like Verisign! And how secure is that certificate? Well, it was publicly cracked yesterday: the private key ships inside the Superfish software, it is the same on every affected laptop, and the password protecting it was quickly recovered. That means anyone who knows how, and who can sit on the network path between you and the Internet (a coffee-shop Wi-Fi, say), can intercept all of a Lenovo laptop user’s communications with any secure site, and the user will not know it.

Actually, it gets worse. The above, as bad as it is, might have been Superfish’s attempt to get a cheap “secure” connection to its own websites without paying a CA to certify them. But that is not what it is for. Superfish’s software actively intercepts your communications with Google (and plenty of other sites). It traps your browser’s connections to many sites, sits between you and those sites as a man in the middle, and injects its own data (while copying yours, of course).

This is pretty dirty. And why the certificate underhandedness? So that the interception works on secure (HTTPS) sites as well: Superfish terminates your encrypted connection on the laptop itself, generates a certificate for whatever site you are visiting, signs it with its own root, and your browser accepts it because that root is trusted. No, this was not an attempt to save a little money; it explicitly intercepts your secure communications for Superfish’s benefit.
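To make both the browser’s validation steps above and the Superfish trick concrete, here is an added example (not code from the original post, and not Superfish’s or Lenovo’s software) that reproduces the trust-store problem with the openssl command-line tool. The CA names “Real CA (example)” and “Adware Root (example)”, the hostname www.bank.example and all file names are made up for the example. It issues a bank certificate signed by a genuine-looking CA and a forged one for the same hostname signed by an adware root whose private key the attacker holds, then validates both against a clean trust store and against one into which the adware root has been injected, which is what Superfish did to the Windows trust store on Lenovo’s laptops.

```shell
#!/bin/sh
# Added example: a forged-certificate demo with openssl, modelling how an
# injected root in the trust store (the Superfish problem) defeats TLS.
# All CA names, hostnames and file names below are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed root CA: $1 = file prefix, $2 = subject common name.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a leaf certificate for hostname $2, signed by root $1, into $3.*.
# Whoever holds $1.key can run this for any hostname they like.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$3.key" -out "$3.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$3.crt" >/dev/null 2>&1
}

# The browser's step 4: does leaf $2 chain to a root in trust store $1?
# Only the given store counts (the system store is switched off). Prints OK or FAIL.
validate() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# The check a user or admin can make: who signed the certificate the browser
# was actually given?
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# The bank's real CA, and an adware root of the Superfish kind whose private
# key ships with the adware and is therefore known to everybody.
make_root real_ca   "Real CA (example)"
make_root adware_ca "Adware Root (example)"

issue_leaf real_ca   www.bank.example genuine
issue_leaf adware_ca www.bank.example forged

# Two trust stores: a clean one, and one with the adware root injected.
cat real_ca.crt               > clean_store.pem
cat real_ca.crt adware_ca.crt > tampered_store.pem

echo "genuine cert, clean store:    $(validate clean_store.pem genuine.crt)"    # OK
echo "forged cert,  clean store:    $(validate clean_store.pem forged.crt)"     # FAIL
echo "forged cert,  tampered store: $(validate tampered_store.pem forged.crt)"  # OK
echo "forged cert issuer:           $(issuer_of forged.crt)"
```

Run it with sh; it needs only openssl. The third line of output is the Superfish problem in one line: a forged certificate for any hostname verifies cleanly once the adware root sits in the trust store, and because the private key was the same on every laptop and has been extracted, the attacker does not even need to be Superfish. The last line is the check a practitioner would want on an affected machine: the issuer of the certificate the browser is actually handed names the adware root rather than a public CA. On Windows the equivalent is to open the Local Machine “Trusted Root Certification Authorities” store (certmgr.msc, or the Cert:\LocalMachine\Root drive in PowerShell) and look for a root whose subject names Superfish; removing that root, together with the Superfish software that would put it back, closes the hole.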

Now that we know how Superfish works, let’s look at the major mistake Lenovo made.

What Are They Buying?

Lenovo bought IBM’s personal computer business a decade ago, in 2005. For all intents and purposes, even though the market knows it is no longer IBM, people treat it as a continuation of IBM, with all of the trust that implies.

People buy a laptop to do their trusted work. We bring laptops into our homes and offices (and coffee shops, if you are a startup). We run our banking from it; we do our tax returns on it; we develop proprietary code on it. We trust it. While we understand that the Internet has become a dangerous place, and that malicious actors are constantly trying to infect our computers, we have to trust someone, and so we trust our hardware manufacturer with two things:

  1. The hardware is clean.
  2. The operating system and pre-installed software are clean.

We want to know that when we unpack it, it is safe for use (notwithstanding the Snowden reports of the NSA intercepting servers and routers in shipment…).

Indeed, customers pay Lenovo to deliver safe computers.

Much as I hate “bloatware”, the garbage manufacturers pre-install on laptops in exchange for some healthy revenue streams from other companies, we trust that those are just add-ons that can be removed.

Lenovo is being paid for trusted computer equipment, yet accepted money to install a product that fundamentally violates that trust.

This is not just an add-on revenue stream that should be neutral but could go negative. It is a direct violation of the implied “customer contract.”

In other words, it never should have passed the smell test.

What Drove Lenovo to Do It?

Based on Lenovo’s public statements, I simply do not know; it is not in the tradition of some companies to “come clean” about their mistakes. We can, however, look at several possibilities:

Either way, heads are likely to roll. This was a severe mistake, and it undercuts customer trust. Worse, no matter how many times Lenovo swears it did not install Superfish on “business” computers, many businesses simply will not trust them again (nor should they).


A few simple rules can significantly reduce your chances of being the next scandalized company.

  1. Always have your customer-centric mission front and centre. Hang it everywhere.
  2. With every new product, service or revenue stream, ask whether it supports, is neutral to, or goes against your customer mission.
  3. With every new product, get feedback from experts deep in your organization on the impact of the product on engineering, supply chain, security, marketing, product management, sales, finance… and trust them.
  4. Create an environment that encourages non-management to speak out, both for innovative ideas and raising alarm bells. This is harder than it seems.
  5. With every new product, get feedback from advisors with no vested interest in either the new revenue stream or the existing one. Bias is often unconscious and always runs very deep.
  6. If it smells bad, stay far, far away.

Every one of these is important. Get good advisors, and ask them to help you build the culture and feedback loops you need to stay in customers’ good graces.
