Lenovo CTO: Hey, look around – we're not the only ones with a crapware infection
Friday is D-Day for PC lobber to regain trust
On Friday Lenovo is going to tell the world about how it plans to regain the trust of its users in the wake of the Superfish clusterfuck – and may even launch an independent security audit of its products.
"Our goal, in the end, is to make this right," Lenovo's CTO Peter Hortensius told The Register on Tuesday. "It's going to take a long road to earn trust back."
Lenovo was caught bundling adware Superfish with its cheapo laptops to make a fast buck by injecting adverts into websites, a move that left users vulnerable to online password theft.
Hortensius claims this is an industry-wide problem, and analysts have found other companies slipping software similar to Superfish into people's PCs.
"I'm not going to comment on the competitors but I think you guys know the reality of the state of our industry," he said. "Everyone is one step away from disaster and we're going to make sure that when we're done we're several steps away."
Hortensius said that last Thursday morning was the first he knew of a problem with Lenovo laptops and Superfish, and he initially assumed it was just an adware issue. Within a few hours he realized the problem was more serious, he says, and Lenovo went into crisis management mode.
Lenovo, with the help of Microsoft and antivirus makers, worked to rid its laptops of Superfish, its ad-injection code and its rogue root CA certificate that compromised HTTPS connections, even releasing an open-source uninstall tool.
That was the first step, Hortensius said, but his company recognizes that it's got a much bigger hill to climb to get trust back from buyers. The firm hadn't realized that so many of its PCs were used in businesses, he said, and it was clear that it is going to be difficult to reestablish trust.
"By the end of this week we will release a more concrete statement around exactly what that means and we're still working towards that but we're considering any and all considerations," he said.
One of the most likely scenarios is that Lenovo publishes a full list of all the software that is bundled onto its PCs – something Hortensius said was "a real possibility". He didn’t rule out an independent security audit of the firm's systems by experts in the future either.
"I'm not sure they need a security audit," security guru Bruce Schneier told El Reg. "They need someone sensible in marketing."
Another option is to simply ship computers without demos, trial software, pointless utilities and other bloatware, something Microsoft offers on some Lenovo hardware as part of Redmond's Signature Edition line. Hortensius couldn’t say how much bundling the extra software contributes to his bottom line.
It's clear that Lenovo recognizes quite how deeply it has screwed up. The company had one of the most valuable brands in the computer business and wants that back. ®
Sponsored: Becoming a Pragmatic Security Leader