Update: Lenovo has now provided an official corporate statement about the Superfish situation and it is not going to help at all in my opinion.
I think the conversation about the extras installed on OEM computers is about to heat up and one company we have to thank for that is the one in the hottest seat of them all – Lenovo and their Superfish story.
Over on the Cigital Justice League Blog there is an excellent summary of just how bad this is:
It is hard to overstate how catastrophically bad this design is. It doesn’t merely insert advertisements into web pages. It undermines every secure connection the Windows computer might make. Lots of software—way beyond web browsers—use the certificate store to fetch certificates. Cisco VPN clients use the Windows Certificate Store to verify that they’re talking to the right end point. Database consoles (like Toad or SQL Developer) will use Windows to verify that they are connected securely to the database server. Programs like TweetDeck will use the Windows Certificate Store to check the identity of Twitter before connecting. Everything on a Lenovo computer that says it is “making a secure connection” is now lying. Except maybe Firefox, which has its own trust store.
The discussion around junk that comes pre-installed on a brand new computer has been going on for some time so the story itself is nothing new. However, to learn that Lenovo has installed this Superfish software on their brand new computers heading out the door to customers shakes trust to its core. To install a trusted certificate that breaks security on the system in so many ways is almost criminal.
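One way to check whether a root certificate like this is sitting in the Windows trust stores, as an added example that is not part of the original post (it assumes only that the certificate's subject or issuer contains the string "Superfish"):

```powershell
# Added example: audit the Windows root trust stores for a CA certificate
# whose subject or issuer names Superfish, and optionally remove it.
# Assumption: the offending certificate is identifiable by the string
# "Superfish" in its Subject or Issuer field.
function Find-SuspectRootCA {
    param(
        [string]   $Pattern = 'Superfish',
        [string[]] $Stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [switch]   $Remove
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                $cert = $_
                # Basic Constraints tells us whether Windows treats this as a CA,
                # i.e. whether it can vouch for certificates of any site.
                $bc = $cert.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
                $hit = [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    IsCA          = if ($bc) { $bc.CertificateAuthority } else { $null }
                    # A root CA whose private key is on the endpoint can sign for anything.
                    HasPrivateKey = $cert.HasPrivateKey
                }
                if ($Remove) {
                    # Removing from LocalMachine\Root requires an elevated shell.
                    Remove-Item -Path (Join-Path $store $cert.Thumbprint)
                }
                $hit
            }
    }
}

# Report only; add -Remove to delete what is found.
$hits = @(Find-SuspectRootCA)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    Write-Warning "Found $($hits.Count) trusted root certificate(s) matching the pattern."
} else {
    Write-Output "No matching root certificate found."
}
```

This checks only the Windows certificate store; Firefox keeps its own trust store and would need to be inspected separately, as the quoted summary notes.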
Any business worth their salt knows that trust is the cornerstone of a successful endeavor of any type but most definitely when it comes to any dealings with customers.
No matter how great Lenovo’s hardware may be, and they do make some awesome gear, this is going to impact a customer’s decision to buy a computer from them. When you place your bottom line above the trust of your customers there will be fallout.
Lenovo leadership is also failing this situation miserably. Back in January a Lenovo forums administrator, Mark Hopkins, posted this in their online support forums in response to the uproar about Superfish:
“Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”
Interestingly enough, Mark’s signature in the forums indicates he is the Program Manager for Lenovo’s Social Media Services, but this social outreach has backfired beyond what he likely expected from the above post.
It is a good example of what happens when you break the trust of your customers. At least they have now posted instructions on how to remove Superfish from these infected systems.
So what needs to happen?
Well, first OEMs must change this habit of bundling all the junk on computers, but that is going to be difficult for them because first they have to acknowledge they have a problem. Right now they simply do not see it, or they choose to ignore it.
The reality is we will never know the dollar figure impact this bundling of junk has on their bottom line but there is only one reason they do it – because they make money from it. This is not done for the convenience of the customer – that may be what comes out of their mouths but it is not why they do it.
The other half of this equation is the users. As a help desk support technician I see the everyday computer user and their computer issues.
They are not like us, and by us I mean those of us who stay connected to the tech community and know this junk comes on a new computer and needs to be removed. The vast majority of users operate their computer like an appliance such as their TV or microwave. They want to be able to hit the power switch and just have it work – period.
So these users do not see the problem and are simply unaware of it.
For that reason the idea of replacing the income an OEM makes from including all of this junk on their systems with a special fee to get a clean Windows machine would not likely work.
Microsoft has a very popular program, the Microsoft Signature PC Experience, which means you get your new computer or tablet with zero junk or extras on it.
The cost of this is zero – nada – zilch.
The HP Stream 7 I picked up last week was offered under this service, and it is such a treat to get a new system, go through the out-of-box experience and be ready to go – well, short of installing published Windows updates.
Here is my last comment on this and it is about perception. When users have issues with the junk pre-installed on their system the blame does not usually go towards the OEM – it is pointed at Windows. That means the company with the most at stake here is Microsoft and they should lead the efforts to remedy this issue as soon as possible.