Lenovo’s Chief Technology Officer provides Explanation on the ‘Superfish’ Adware Fiasco!


We recently reported that Lenovo, the China-based company that is currently the world’s largest PC manufacturer, had embedded secret spyware, which the company prefers to call “adware”, in PCs sold to the public in order to improve its customers’ buying experience, despite knowing that it was a major security vulnerability.

We also reported that the so-called “adware”, installed in an area of the PC not scanned by antivirus software, may leave the machines vulnerable to unauthorized access by hackers, who may steal passwords and other confidential information stored on them.

The IT security community was aghast when this revelation came to light, and Lenovo had to respond and justify the rationale for its actions. Below is an excerpt of the explanation given by the company’s Chief Technology Officer, Peter Hortensius, when interviewed by the New York Times:

Q: How did Superfish even get onto Lenovo machines in the first place?
A: The original motivation for this was that the product team was being asked, “Can we do something to improve our consumer experience?” Someone had the idea to improve their shopping experience in a novel way — not to own their experience, but just, if the consumer is looking at a desk, can we suggest an alternative product that looks like that desk? The motivation was to enhance the experience. Obviously, in retrospect, if we had known what that meant in terms of how it was implemented, we would have never done it.

Q: I have to press you on that. Mr. Horne brought the security issue to Lenovo’s attention in mid-January, more than six weeks earlier.
A: At that time, we were responding to this issue from a web compatibility perspective, not a security perspective. You can argue whether that was right or wrong, but that’s how it was looked at. We thought turning off the servers at that point would address that problem and that was what was done. At that point, we concluded [Superfish] was not very useful and that is why we started to remove it from the preloads.

Q: Why wasn’t this issue picked up in the quality assurance process? What kind of quality assurance process would even allow for installing this kind of adware on Lenovo machines?
A: At a high level, the team that defines what is in these products will encounter stuff in the market, then they will say, “Here is something we want to do,” and they will engage an engineering team. Then we will go through this thing and make sure it adheres to our policies and practices. We make sure it doesn’t know who the individual is. We make sure it’s opt-in. But what was completely missed in this was the security exposure caused by the design of the certificate authority they used.


 
