Famous PC Maker Exposed in Shocking Scandal
Another day… another appalling spying scandal.
One that would even shock infamous whistleblowers, Julian Assange and Edward Snowden.
But we’re not talking about the government skimming through a few emails or phone records, or snapping your photo with a surveillance camera and adding you to a database.
This was an egregious act of corporate larceny perpetrated by one of the world’s biggest companies.
The effects of this threat are so widespread, the Department of Homeland Security was compelled to release a special alert to consumers.
You may have even unwittingly brought its nasty scheme into your very own home…
The World’s Nastiest Fish…
Think of Lenovo (LNVGY), and you probably picture a company renowned for designing and manufacturing personal computers.
And you’d be absolutely right. The Chinese firm is the biggest PC manufacturer in the world.
But there’s a dark side to the company, too.
Indeed, if you bought a laptop from Lenovo in the past six months or so, you may have a tiny bank robber installed on it. Seriously.
Starting in September 2014, Lenovo preinstalled a nasty piece of spyware called Superfish VisualDiscovery on many of its laptops.
Lenovo and Superfish, a startup based in Berkeley, California, ostensibly intended to provide targeted advertising to Lenovo users. This isn’t necessarily a crime, but it’s akin to sticking you on a cold-call marketing list without your permission.
Here’s where the real problem lies…
Superfish was so invasive that it exposed every action a user took on the computer, including the entry of sensitive information such as banking data and passwords.
And not only did it expose this information to Superfish, but also to any curious person sharing a Wi-Fi network with the user!
So how did this utter calamity occur?
Give It Up for the World’s Worst Apology
Simply put, it interfered with the secure connection between a laptop and any site the user accessed. In doing so, it created a phony “certificate” of trustworthiness in order to learn what words a person types, where he/she surfs the web, and other personal information. But once removed from the secure stream, the information becomes accessible to anyone determined and knowledgeable enough to steal it.
As I mentioned, it’s so serious that the Department of Homeland Security has issued an alert about it, stating:
“All browser-based encrypted traffic to the internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack. Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with. Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.”
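One way to see the interception the alert describes, as an added example that is not code from the article, Lenovo, Superfish or DHS: a Python script that fetches the certificate a client is actually handed for a site and flags it when the issuer is a local interception CA rather than the expected public CA. The issuer name “Superfish, Inc.”, the host names and the sample certificate dictionaries are assumptions constructed for this example, not values taken from the page.

```python
import socket
import ssl

# Issuer names that mark a locally installed interception CA rather than a public CA.
# "Superfish, Inc." is an assumed name for the Superfish root; the article does not quote it.
KNOWN_INTERCEPTING_ISSUERS = {"Superfish, Inc."}


def issuer_fields(cert):
    """Flatten the 'issuer' tuple-of-tuples from ssl getpeercert() into a plain dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def classify_chain(cert, expected_issuer_cn=None):
    """Return 'intercepted', 'unexpected-issuer' or 'ok' for a leaf certificate dict.

    A man-in-the-middle that re-signs every site with its own CA shows up as an
    issuer the site's operator never used, so the issuer is the field to watch.
    """
    fields = issuer_fields(cert)
    cn = fields.get("commonName", "")
    org = fields.get("organizationName", "")
    if cn in KNOWN_INTERCEPTING_ISSUERS or org in KNOWN_INTERCEPTING_ISSUERS:
        return "intercepted"
    if expected_issuer_cn is not None and cn != expected_issuer_cn:
        return "unexpected-issuer"
    return "ok"


def fetch_leaf_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate this machine actually receives for host (network call).

    On a machine that trusts the interception root, the handshake succeeds and the
    returned issuer is the interceptor; on a clean machine it is the public CA.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape ssl.getpeercert() returns (hypothetical hosts and CAs).
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}
SAMPLE_CLEAN = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}

if __name__ == "__main__":
    for label, cert in (("intercepted", SAMPLE_INTERCEPTED), ("clean", SAMPLE_CLEAN)):
        print(label, "->", classify_chain(cert, expected_issuer_cn="Example Public CA R1"))
```

Running `classify_chain(fetch_leaf_cert("a-site-you-pin.test"), expected_issuer_cn=...)` against a site whose issuer you know reproduces the web-based check the article links to, from the client side.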
What’s the Chinese word for “panic”?
Having been caught, Lenovo is backpedalling fast. But it’s made perhaps the most pathetic, insincere apology in the history of corporate confessions…
The company said that the “user experience” of Superfish was “not positive.”
Really? Exposing bank passwords to everyone at the local Starbucks (SBUX) was “not positive”?
Worse yet, removing the program isn’t an easy task.
Bizarro World Virus Removal
Superfish is so insidious that simply removing it using normal methods won’t do the trick.
If you still trust Lenovo, you can get its own removal tool. Alternatively, because almost all Lenovo laptops are shipped with a Windows operating system, Microsoft (MSFT) will help you remove Superfish and the bogus security certificate via the Windows Defender program.
Other anti-virus software may follow suit. But as of now, if you have a different anti-virus program, you’ll have to disable it in order to get Windows Defender to disable Superfish.
Yes, you read that right. Lenovo and Superfish messed up computers so badly that you have to disable your anti-virus program to remove the virus.
Alas, that’s just the tip of the iceberg…
Going Rogue: How PC Makers Pad Their Paltry Profits
Needless to say, the press is focused on the security threat from Superfish. But even if Superfish never interfered with secure communications, it still tracks users’ information in order to bombard them with ads that neither the users, nor the sites they visit, approve of!
Superfish isn’t alone here. Dozens of companies are trying to get access to your computer to track your actions and send ads, no matter whether they’re customized to you or not. Most companies use sly methods to get on your computer, such as hiding in a toolbar, sneaking in with programs you install, or fooling you into clicking a link.
But increasingly, they’ll be shipping with your computer. How is this possible?
The problem is that PCs and laptops aren’t very profitable for manufacturers, except for Apple (AAPL), of course. They’re commodities. And with most manufacturers buying the same components from the same vendors, there’s no significant difference from one brand to another.
Consumers know this, so they seek the lowest-cost computer to fit their needs. This leads to very low margins.
Case in point: Lenovo’s operating margin in the United States is a paltry 0.8%.
But one way to goose returns is to include software that your customers don’t ask for.
Some software companies have decided that the way to make money is to lurk right in front of you. And one way to do that is to pay PC makers to place their software on machines during the manufacturing process.
These programs can range from benign to useful… to annoying. For example, your computer probably came with a free trial of anti-virus software. As you use it, it nags you to pay for the complete installation.
Similarly, many computers ship with direct links to Amazon (AMZN), Netflix (NFLX), and other popular companies. They know you won’t pay for the software, so they make it easy to access their paid services by paying PC makers to put it on the computer for you. How nice!
You’ve probably seen similar “preinstalled” applications on your smartphone. Despite much higher profit margins, big cellphone providers still want to collect a little more money by including these applications whether you want them or not.
There are many (unpublishable!) terms for these programs, but “bloatware” is an appropriate one.
They’re usually from companies that need to gain consumers’ trust, so they have an incentive to police themselves as to how annoying or intrusive they become. But not always – and Superfish is the latest offender.
They know most sane people won’t intentionally install software to make it easier to see ads – after all, there’s a whole industry dedicated to hiding them. So they pay PC makers and wireless companies to put it on without your consent instead. And since the money per installation is small, it doesn’t benefit these providers to spend much time vetting these programs.
But they should – because Lenovo just became the “carrier” for the Superfish scandal. And when they cause spying and data theft issues like Superfish, it triggers a firestorm.
In less severe cases, this software can also be incompatible with other programs you’ve installed, or spy on you in less obtrusive and obvious ways than Superfish. For instance, it can interfere with your search results or serve you ads that you don’t want.
Since the Lenovo scandal broke last week, Facebook (FB) has found dozens of programs and apps that use the same kind of certificate fraud that Superfish does, and dozens more that are suspicious in other ways.
Again, most of them snuck onto users’ machines covertly. Others shipped with their computers. And you can bet that unless Lenovo pays a very heavy price for its wrongdoing, this trend will continue.
Now, if you bought a Lenovo laptop in the past six months or so, you can find out if you have the Superfish bug here. And if you do, you can get Lenovo’s Superfish removal tool. (If you still trust Lenovo, that is.)
To living and investing in the future,