An IT Pro Perspective on Lenovo Superfish

By now I’m sure you’ve heard about the fiasco and PR nightmare for Lenovo surrounding Superfish adware and potential security vulnerabilities. If you missed it, take a look at Paul Thurrott’s Superfish report on the issue. I share most of his opinions and even though I am a big Lenovo fan, this is a huge disappointment. You would have thought that after the disaster surrounding the Sony rootkit, that vendors would be smarter. But that’s an entirely different conversation. Instead, I wanted to focus on a few take-aways from the Lenovo failure, but from an IT Pro perspective. I’ve been an IT Pro for just about 25 years and a computer consumer for almost as long so I’d like to think I have some credibility but everything that follows is simply my opinion so you can take it or leave it.

Crapware, Bloatware, and the Rise of Superfish

We’ll probably never know all the details about the internal business decisions that let to Superfish. Lenovo CTO Peter Hortensius has gone on record as saying that they probably didn’t go far enough with their due diligence. This brings me to the first and perhaps most important take-away. It is my understanding that profit margins on hardware, especially consumer-oriented commodity devices, is slim and that OEMs naturally need to consider all options to maximize value and return to shareholders. I have no doubt that this is why so many new laptops, tablets and computers ship with so-called bloatware.

IT Pro Perspective on Lenovo Superfish
The use of Superfish underscores the increasingly negative impact that PC crapware and bloatware has on not only PC users, but for PC vendors as well. (Image: Dreamstime)

It is reasonable to conclude that Superfish fell into this category. Although there is also evidence that someone at Lenovo felt the product would “enhance the user experience”, or some such marketing buzz-speak. Sadly, it is clear there was little to no technical guidance on this matter. I am surmising that some product manager thought including Superfish would be a good idea without checking to see if there were negative implications. In this day and age, especially with the all of the problems with Internet security, you shouldn’t make any business decisions regarding computing products without a thorough technical review. I suspect this is the due diligence failure Lenovo’s CTO is referring to.

One of the reasons it appears that Superfish was even on the table was as a result of focus groups or market research. Sadly, I think most consumers, like end-users you may have to support, don’t really know what they need or don’t need. I’m not saying to totally ignore the customer, but sometimes the IT professional has to step in and make good decisions on their behalf. But this is a technical decision not merely a marketing or business decision. Is it too much to expect both? Perhaps we need a model like DevOps: MarketOps. A continuous cycle or feedback loop between product marketing/development and IT.

You would think it would be obvious that companies ship products that only will sell but that consumers will embrace as brand loyalists. Isn’t that the essence of brand marketing? To me, this all boils down to a single word: Trust. Consumers come to trust their favorite brands. While it can take years to build that trust relationship, as we’ve seen with Lenovo and Superfish, it can come crashing down in almost no time. The same is true for IT Pros and the people we support. They trust us to do the right thing, keep their data safe and accessible and give them the support they expect. If you run a help desk and say you’ll be there in 20 minutes to fix a problem but it takes 2 hours to arrive, that isn’t going to build a lot of trust. If your consumers sense incompetence, apathy, antagonism or anything that instills a lack of trust, they will take matters into their own hands which probably isn’t going to make things any better for you. Lenovo has a huge credibility gap now that will take a while to close which will probably distract them from other work they would have otherwise performed. The same can happen to you.

In 2015, IT Security is Everything

But perhaps the ultimate lesson for Lenovo and IT Pros is that in 2015 security is everything. Yes, I realize there is a trade-off between absolute security and usability. But Lenovo, and other OEMs, need to do a better job looking at their shipping products from a security standpoint, especially for consumer devices. Is the finished product as secure as it can be? Are we shipping anything that could be used as an attack vector? Have we reduced the attack surface enough? Are we giving our customers a false sense of security through anything we are shipping? I am not a big fan of the anti-virus trials that ship on many new computers. I’ve seen my share of friends and neighbor home computers that arrived with a trial anti-virus that was essentially worthless after the trial, yet the user sees the icon every day and assumes all is well. In my opinion, Lenovo fell woefully short here. Ironically, I think there is a great marketing opportunity here: we sell computers without the crap. I’m sure a marketing pro would put a better spin on that, but I think you get the idea. Sell a product with minimal add-ons and market it as keeping you secure and saving the headaches of maintaining or removing software products you never wanted in the first place.

For IT Pros, security is a big challenge with the BYOD paradigm. Somehow we are still expected to maintain the security of our network and server infrastructure. For devices we manage, IT Pros should have more options. End users should not have local administrator privileges. Key computer settings can be managed via Group Policy. Proxy servers and other edge devices can control what goes out of our networks just as importantly as what comes in. Security should be a part of every IT Pro’s job, not just a select few. The bad guys will always be ahead of the curve, we just don’t want them to be that far ahead. And if they are ahead, then we need to mitigate the damage as much as possible. IT security is a task for the entire department, including developers. And yes, I realize there is a management story here as well as is evident from the Sony Pictures catastrophe.

Sure, IT Pros see a story like Superfish and pat themselves on the back for wiping new OEM devices before putting them into production, which I would expect them to do. But there is more to the story here and I encourage IT Pros and their managers, to look at the Lenovo situation and put yourself into their place. Would you have made similar decisions? What would you have done differently? What can you take away from their experience so that it doesn’t happen to you or that you can use to improve IT in your enterprise? I’d love to hear your take-aways from Lenovo’s disaster and whether you think I am on target or off.