Various outlets reported today that Lenovo had been shipping questionable software with some of its consumer PCs.
Apparently intended to make money by inserting ads in unsuspecting web browsers, "Superfish" went a step further by performing
a man-in-the-middle attack on HTTPS connections, thereby compromising all secure web connections made by the machine.
Lenovo, hands caught in the proverbial cookie jar, has since stopped the practice, albeit leaving thousands of
insecure computers in its wake.
Much has been said about why this was dangerous, ill-conceived, and sloppily done, which I won't rehash. Consider
instead a slightly different angle. As Craig Hockenberry put it, "any software that gets between you and
your chain of trust should be considered malware". This statement is exactly right - Superfish is no mere adware,
it is full-on malware.
Reported the very same day, this malware author now faces years in jail. There are obviously some differences in overall
circumstance, but the unambiguous commonality remains that both placed software on people's computers deliberately and
explicitly compromising their security for their own gain. Lenovo's actions are in many ways much more egregious and
irresponsible by virtue of scale. Nevertheless, I doubt Lenovo will be charged with "hacking", nor will anybody
responsible be incarcerated. Quite the double standard.