Various outlets reported today that Lenovo had been shipping questionable software with some of its consumer PCs. Apparently intended to make money by inserting ads in unsuspecting web browsers, “Superfish” went a step further by performing a man-in-the-middle attack on HTTPS connections, thereby compromising all secure web connections made by the machine. Lenovo, hands caught in the proverbial cookie jar, has since stopped the practice, albeit it leaving thousands of insecure computers in its wake.
Much has been said about why this was dangerous, ill-concieved, and sloppily done, which I won’t rehash. Consider instead a slightly different angle. As Craig Hockenberry put it, “any software that gets between you and your chain of trust should be considered malware”. This statement is exactly right - Superfish is no mere adware, it is full-on malware.
Reported the very same day, this Malware author now faces years in jail. There are obviously some differences in overall circumstance, but the unambiguous commonality remains that both placed software on people’s computers deliberately and explicitly compromising their security for their own gain. Lenovo’s actions are in many ways much more egregious and irresponsible by virtue of scale. Nevertheless, I doubt Lenovo will be charged with “hacking”, nor will anybody responsible be incarcerated. Quite the double-standard.