
I see a lot of calls for punishing Lenovo over this. However, I'd like to see a few more facts established before getting out the pitchforks.

First, did Lenovo commission the writing of Superfish, or did Superfish approach Lenovo (or most likely their marketing dept) with a request to be included?

Do vendors normally perform a full security audit of programs they include? Is there an expectation that they would give closer scrutiny to smaller outfits vs. top tier software vendors?

Also, is the bulk of the outrage over this incident due to the fact that Superfish serves no purpose that is in the interest of the users (i.e., its whole reason for being is to spam users with advertisements)? In other words, let's say that instead of adware, they included a malware detector that used the same HTTPS-busting trick, yet was just as poorly designed (leaving the private key exposed) -- would there be just as much call for lawsuits and boycotts then?




> Do vendors normally perform a full security audit of programs they include? Is there an expectation that they would give closer scrutiny to smaller outfits vs. top tier software vendors?

OEMs absolutely should own up to responsibility for the crapware they load on their boxes. Saying "it wasn't built in-house" makes about as much sense as an automaker washing its hands of the airbags or other critical parts in the cars they build.

As for how deep of an audit, Komodia's own description of their product should have raised massive alarm bells. Anytime I see websites rewritten without my permission I get incredibly spooked, and that's when it's just HTTP over a network. Intercepting SSL/TLS is just not something any OEM should ever contemplate loading on a consumer machine. It's willful recklessness and engineering malpractice of the worst kind.


    First, did Lenovo commission the writing of Superfish,
    or did Superfish approach Lenovo (or most likely their marketing dept)
    with a request to be included?
Lenovo can go sue Superfish all they want to cover up their expenses. Let the court figure out who cheated whom in a three-way lawsuit.


I think the court case will answer all of these questions for you. Whether Lenovo is guilty or innocent here, it'd be great to establish a precedent to protect consumers from this type of thing.
