Lenovo's apology is the perfect example of a non-apology; they are pretending that the outrage is about an inadvertent software vulnerability and not about MITMing/snooping on their customers.
"This software frustrated some users without adding value to the experience so we were in the process of removing it from our preloads. Then, we saw published reports about a security vulnerability created by this software and have taken immediate action to remove it. Clearly this issue has caused concern among our customers, partners and those who care about Lenovo, our industry and technology in general. For this, I would like to again apologize."
I'd rate this as the worst consumer betrayal I have ever seen. If people did this kind of thing, they'd be in prison.
If people went to prison for making apps that collect user information with the only consent being a sentence in page 30 out of 50 in the terms of use, pretty much all big app developers would be felons.
In a big company, this will have had nothing to do with engineers as they are not employed to do business deals.
A business specialist will have made a deal with Superfish in the name of the company. In all likelihood they won't have an understanding of exactly how Superfish works, but they are drawn to the revenue opportunity. They'll have put a request in to the imaging team and then it's job done.
There'll be a team at Lenovo now reviewing how they got into this mess and trying to ensure it does not repeat in future.
I'm not, but I'll grab the hook for a few seconds.
This is going to boil down to Lenovo getting $0.90, $2.00, some other amount per system or a one time payment. It could also be for a specific quantity of desktop/laptop systems, systems shipped after a specific date or within a specific time frame. There could also be a geographical component to this. There may also be other details to the financial arrangement, targeting demographics and systems affected.
I would guess that this did not get installed on server or workstation products, but I wouldn't be all that surprised if the latter were.
I wonder how much Lenovo received and how the payments were structured.
Following the chain, "Any superfish engineers here? Do you think you could have mitigated a large amount of this PR hell (not that it makes it okay) by generating a random root-cert per install, and refusing to accept it on the WAN side of the proxy?" (I guess like AV software does). What was the motive for 1 static cert?
From the CTO's "Open Letter": http://news.lenovo.com/article_display.cfm?article_id=1932