

Ask HN: Any Lenovo engineers here part of Superfish fame? - skant

You can post with a throw-away account.<p>How did the decision to include Superfish materialize and what was the behind the scenes drama while this was added to the build?
======
jeswin
Lenovo's apology is the perfect example of a non-apology; they are pretending
that the outrage is about an inadvertent software vulnerability and not about
MITMing/snooping on their customers.

From the CTO's "Open Letter":
[http://news.lenovo.com/article_display.cfm?article_id=1932](http://news.lenovo.com/article_display.cfm?article_id=1932)

"This software frustrated some users without adding value to the experience so
we were in the process of removing it from our preloads. Then, we saw
published reports about a security vulnerability created by this software and
have taken immediate action to remove it. Clearly this issue has caused
concern among our customers, partners and those who care about Lenovo, our
industry and technology in general. For this, I would like to again
apologize."

I'd rate this as the worst consumer betrayal I have ever seen. If people did
this kind of thing, they'd be in prison.

~~~
bhayden
If people went to prison for making apps that collect user information with
the only consent being a sentence on page 30 out of 50 in the terms of use,
pretty much all big app developers would be felons.

------
MrZipf
In a big company, this will have had _nothing_ to do with engineers as they
are not employed to do business deals.

A business specialist will have made a deal with Superfish in the name of the
company. In all likelihood they won't have an understanding exactly how
Superfish works, but they are drawn to the revenue opportunity. They'll have
put a request in to the imaging team and then it's job done.

There'll be a team at Lenovo now reviewing how they got into this mess and
trying to ensure it does not repeat in future.

~~~
dagw
_There'll be a team at Lenovo now reviewing how they got into this mess and
trying to ensure it does not repeat in future._

I wonder which "mess" they'll be focusing on? The fact that this kind of
software ended up on their laptops or the resulting PR problems?

------
Avitas
I'm not, but I'll grab the hook for a few seconds.

This is going to boil down to Lenovo getting $0.90, $2.00, some other amount
per system or a one time payment. It could also be for a specific quantity of
desktop/laptop systems, systems shipped after a specific date or within a
specific time frame. There could also be a geographical component to this.
There may also be other details to the financial arrangement, targeting
demographics and systems affected.

I would guess that this did not get installed on server or workstation
products, but I wouldn't be all that surprised if the latter were.

I wonder how much Lenovo received and how the payments were structured.

------
fabulist
I think responding to this question would threaten their job security (and, as
MrZipf said, they were probably not involved.)

------
nonuby
Following the chain, "Any superfish engineers here? Do you think you could have
mitigated a large amount of this PR hell (not that it makes it okay) by
generating a random root-cert per install, and refusing to accept it on the
WAN side of the proxy?" (I guess like AV software does). What was the motive
for 1 static cert?

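The two mitigations nonuby asks about, written out as an added example that is not part of this thread and is not Superfish's or Lenovo's code. It uses only Go's standard library. Every name in it is constructed for the demo: the four roots, the hostname example.com, and the function and key names are assumptions, and a self-signed "Constructed Public CA" stands in for the operating system's public root store. Two laptops are modelled as two interception roots; the shipped-static-key case is a single root that both would carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// cert is a key pair plus its certificate: a root when issued with isCA, a server leaf otherwise.
type cert struct {
	key *ecdsa.PrivateKey
	crt *x509.Certificate
}

// issue draws a fresh key and certificate for name, signed by parent (self-signed when parent
// is nil). A root issued once per install, not baked into the image, is nonuby's suggestion.
func issue(name string, isCA bool, parent *cert) (*cert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else { // server leaf: name is the hostname being served, or impersonated
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.crt, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	crt, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &cert{key: key, crt: crt}, nil
}

func must(c *cert, err error) *cert {
	if err != nil {
		panic(err)
	}
	return c
}

// trusts reports whether leaf validates for host against exactly these roots.
func trusts(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// runScenario contrasts a shipped static root with per-install roots, and shows the
// proxy's WAN-side verifier refusing its own root. Everything here is constructed.
func runScenario() map[string]bool {
	const host = "example.com"
	public := must(issue("Constructed Public CA", true, nil)) // stands in for the OS root store
	shared := must(issue("Shared Intercept Root", true, nil)) // one key shipped in every image
	installA := must(issue("Intercept Root A", true, nil))
	installB := must(issue("Intercept Root B", true, nil))
	realLeaf := must(issue(host, false, public))     // the genuine server certificate
	forgedShared := must(issue(host, false, shared)) // anyone holding the shipped key can mint this
	forgedOnA := must(issue(host, false, installA))  // only install A's own key can mint this
	return map[string]bool{
		// LAN side: a victim's browser store holds only that victim's own interception root.
		"shared root: forgery validates on another machine":      trusts(forgedShared.crt, host, shared.crt),
		"per-install root: forgery validates on another machine": trusts(forgedOnA.crt, host, installB.crt),
		// WAN side: the proxy validates the real server against public roots only, so a
		// chain ending in any interception root, its own included, is rejected.
		"wan side accepts real server":    trusts(realLeaf.crt, host, public.crt),
		"wan side accepts intercept root": trusts(forgedOnA.crt, host, public.crt),
	}
}

func main() { fmt.Println(runScenario()) }
```

Run it with go run and read the four booleans. The two fixes address different failure modes: a per-install root means a key pulled off one laptop forges nothing for any other laptop, while keeping every interception root out of the proxy's upstream trust pool means that even the local key cannot be used by someone on the network path to impersonate a server to the proxy. Neither changes the fact that the proxy is still decrypting the user's traffic, which is the "not that it makes it okay" part.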
------
interdrift
You don't need to be a Lenovo engineer to tell it's because of money and they
knew it all from the start.

