Saturday, 28 February 2015

Superfish? Never Been a Problem for Us.

If you've been following the tech news this week you will have noticed a breaking story about Lenovo bundling malware with its newlaptops. I think in many ways this is quite a sad story, because for a reputable company to ship laptops which include software like Superfish is a tragic indication of where the industry is at the moment.

Superfish is a piece of software that would euphemistically describe itself as something that enhances your web experience, and it does this by inserting targeted advertising directly into webpages that you are viewing. The average user won't even notice the presence of the software, and will assume that the advertising is embedded in the webpage itself, and it's the mechanism whereby this is achieved that is particularly scary. Without boring you with the technical details, what the software does is inject its own content directly into the data from websites you are visiting, and it's a technique that is also used in something called "man in the middle" attacks, where hackers use the same technique to embed password capture elements into, for example, your online banking website.

This in itself is frightening enough, but because the Superfish software was poorly secured a hacker could hijack the program and use it to fundamentally compromise the security of your computer, so that you next visit to your online bank might actually take you directly to a site in Russia where your banking details would be used to empty your account in pretty short order, and because you're going to see that green certificate flag next to the website address in your browser, your will have absolutely no idea that this is happening.

This isn't actually a new story, with Superfish being a regular topic of conversation in the Lenovo help forums over the last few months, and once the vulnerability was exposed Lenovo were quick to pull the software from all new laptops. What we don't know is whether its inclusion resulted in any real-world attacks.

You might be wondering why Lenovo were bundling this software in the first place, and the reason is quite simply because of the microscopic margins on consumer laptops. When manufacturers may only be making a profit of $5 on every laptop they sell, the temptation to include third-party software (for which they paid) is a strong one. That's why most new consumer laptops come bundled with all sorts of software that, if you know what you're doing, you will remove as soon as you turn on the computer.

This is a practice that's been going on the decades in what many see as a race to the bottom, and we've even created a word for it in the industry; crapware. You are statistically likely to be using a computer that still contains crapware that the manufacturer was paid to install. It's a business model that sees companies such as McAfee and Norton enjoying a far greater share of the antivirus market than they should based on the technical excellence of the products, so clearly it's a sustainable business model for some, and if at the end of the day it means that consumers are able to buy excellent laptops like the £300 LenovoEssential B50-70 then I've no problem with that for reasons I've given below.

So what should you, as a Computer Angels customer do? Well, if you bought your laptop through us, or if we prepared it for you then the answer is absolutely nothing. That's because the first thing we do when we’re preparing at Lenovo laptop for use is wipe the hard drive clean and reinstall everything from scratch. Not only does this removes the risk posed by this crapware, it also substantially increases the performance of the computer.

And if we didn’t prepare your laptop for you, and you’re worried that you might have a copy of Superfish lurking somewhere on your hard drive you can check for it here.

No comments:

Post a Comment