Superfishy - How Lenovo Fails to Put User Security First

Reading time ~2 minutes


Recently, it came to light that the computer manufacturer Lenovo is bundling malware called Superfish in with their Microsoft operating systems. This malware acts in two ways:

  1. It compromises the way that computers verify what is a secured connection and what isn’t - some of the most essential components of internet security. For example, when you visit your bank website you’ll likely see something like this:

[Image: Chase URL]

A lock symbol, sometimes green, sometimes greyish, that when clicked should show you something like this:

[Image: Chase Secured Symbol]

This website shows up in your browser as verified by VeriSign, Inc., a reputable company responsible for rigorously verifying connections and their authenticity. What the Superfish malware essentially does is insert itself between you and the site you are trying to reach, allowing it to read, see, and theoretically do whatever it wants as you. For various technical and security reasons (that this Forbes article does a good job of detailing) this is a huge problem.

  2. It inserts its own search results into your search sessions on Google without your consent or knowledge, effectively hijacking your browsing session to give you spammier, often less relevant results that it (presumably) makes money from.
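The first point above comes down to what the machine trusts: a browser accepts a connection as secured when the site's certificate chains up to a root certificate in the computer's trust store, so anything that can add a root to that store and hold its private key can sit between you and every site you visit. The following PowerShell script is an added example (not from the original post, and not Lenovo or Superfish code) showing the kind of check a defender can run on a Windows machine to spot such a root. It assumes an elevated PowerShell session, and the baseline file path and its contents are hypothetical; the two Windows certificate store paths are real.

```powershell
# Added example (not from the original post): audit the Windows trusted root
# certificate stores for signs of a local interception root.
# Two checks per root certificate:
#   1. HasPrivateKey: a genuine public CA never ships its private key to an
#      end-user machine. A root whose private key is present locally lets the
#      machine mint a valid-looking certificate for any site.
#   2. Not in baseline: compare against a list of expected SHA-1 thumbprints,
#      one per line. The baseline file below is a hypothetical path you would
#      populate from a known-clean machine or image.
# Assumes: Windows, elevated PowerShell (LocalMachine store needs admin).

$BaselinePath = 'C:\audit\trusted-root-baseline.txt'   # hypothetical path
$Baseline = @()
if (Test-Path -Path $BaselinePath) {
    $Baseline = Get-Content -Path $BaselinePath |
        ForEach-Object { $_.Trim().ToUpper() } |
        Where-Object { $_ }
}

# Both the machine-wide and the current user's root stores can hold a root
# that browsers using the Windows store will trust.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | ForEach-Object {
        $cert = $_
        $reasons = @()

        if ($cert.HasPrivateKey) {
            $reasons += 'private key present for a trusted root'
        }
        if ($Baseline.Count -gt 0 -and
            $Baseline -notcontains $cert.Thumbprint.ToUpper()) {
            $reasons += 'thumbprint not in baseline'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $Store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Store, Subject | Format-Table -AutoSize
} else {
    Write-Output 'No unexpected root certificates found.'
}
```

Without a baseline file the script only reports roots that carry a private key, which is the stronger signal of the two: a root that can sign for any site from the local machine is exactly what lets a program read and alter connections the browser displays as secured. A root that is merely missing from the baseline may be a legitimate corporate or software-vendor addition and needs a human look at its Subject and NotBefore before deciding.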

At the moment I’m skeptical that any form of legislative action will actually take place in the United States to curb things like this, mostly because of the complete ineptitude of politicians to wrap their minds around modern technology and its consequences. (To be clear, they should try to prevent us from being the victim of this sort of action; I just doubt that they will anytime soon.)

But what does this mean for the average consumer or privacy advocate? Well it means it’s time to bail on Lenovo.

Completely and bitterly.

If we want secure technologies we need to continue to offer the economic incentives to create them. If legal reform can’t give those incentives then we need to take matters into our own hands. Want malware-free computers? Boycott malware-bundling companies. Even with Lenovo saying they will stop this particular practice, we can’t let them get off with only a few ruffled feathers when they’ve bankrupted the privacy of every aspect of some 16 million computers. If we do, other computer manufacturers and even software developers will take note and think it’s a feasible idea to sell our privacy for a few extra adware dollars.

TLDR: To safeguard our privacy we need to stop buying Lenovo and its Superfishy, adware-stocked computers.