What is it with companies that allow low-gain business initiatives to interfere with the security of their customers?

Imagine the following conversation in a company that manufactures and sells door locks:

Product Development: "We've got this great idea for generating revenue from our products after we sell them. We build a set of hooks into our locks that will allow callers to hang their marketing flyers."

Engineering: "What? Sorry?"

PD: "Yeah, y'know. Like the flyers that advertise pizza-delivery or that tell you how great the local politician is doing. We'd charge a small fee, maybe 10¢, per flyer. The distributors will be delighted because the home-owners will be guaranteed to see these."

Engineering: "…"

Ridiculous, don't you think?

But that's just what Lenovo has been found to be doing. Yup: for some time last year, the laptop company shipped its products with a module called "Superfish", which – the least of its offenses – popped up advertising to users which related to the web sites they were visiting.

But what they did was much worse:

  • Superfish interfered with encrypted connections to websites in order to pop up ads related to them.
  • Superfish did this by interposing itself between the web-browser and the remote web site and by pretending to be that remote website as far as the encrypted conversation was concerned.
  • Superfish, however, did this in shoddy ways, such as:
    • using the same masquerading SSL certificate on all installations;
    • using a shockingly-easy-to-crack password to 'protect' the SSL certificate; and
    • implementing portions of the protection stupidly.
  • And (finally, to date, but watch this space) Superfish uses a root-kit to make itself harder to uninstall.

And for much of this controversy, Lenovo has had trouble understanding that this is bad, and why.

And this isn't new. Remember when Sony thought it was a good idea to install a root-kit onto everyone's PC to make it hard to remove the software they force-installed to prevent (very-much-legal) copying of CDs they released? That was, literally, 10 years ago.

There's no excuse for interfering with your customers' security. Even if you do it responsibly. If someone comes to you with the idea of installing something onto a customer's computer in a way that the customer would not want or be aware of, then your red flag should wave, and you should refuse – to the extent that your honour permits, I suppose – to be involved.