Gone Fishin'

I'd hoped to begin 2015 with a stack of writing and information ready to post. I had plans for articles on enterprise security, BYOD, how I've set up my Raspberry Pi as a headless file server, and recommendations for apps and workflow improvements. Instead, I've been dealing with a death in the family, multiple illnesses that my young children have brought home from school, harsh winter weather, and now a major house renovation.

But spring is here, bringing with it both brighter weather and better health. Of course, as I sat down to finally get back to doing some writing, I was reminded that security problems wait for no one, and warmer weather doesn't have any impact on IT headaches.

As an IT professional, I get a regular stream of friends, family, co-workers, and acquaintances all asking the same thing -- what computer should I buy? I go through the usual questions: what are you planning to do with the machine? Does portability matter to you? What about future upgrades? Do you need to run specific applications? Are you planning to use it for games? Do you have specific hardware you need to use? Until recently, the answers usually led to either a recommendation for some sort of Mac, or, for those who needed/wanted Windows or were on a more constrained budget, a Lenovo machine. Unfortunately, that has to change.

I've been a fan of the ThinkPad line for decades; I used one all through college, and supported them in multiple IT jobs after graduation. I like the design. I like how easy it is to pull the drives and shell swap -- important in an enterprise setting. I like how the cases have drains to minimize damage from liquid spills. I love the TrackPoint.

Unfortunately, after the Superfish fiasco, I can no longer recommend any products from Lenovo, even if the ThinkPad line itself is not impacted. The way the company handled the disclosure was also lacking. Lenovo's CTO initially dismissed the very real security issue as nothing more than "theoretical concerns", and the company initially defended the SSL-breaking and ad-injecting software as something that would "help customers potentially discover interesting products while shopping". Margins for PC manufacturers are razor thin, but inclusion of undisclosed adware that also creates an enormous security hole is at best incompetent, and at worst outright malicious. (And to add insult to injury, Superfish apparently didn't even do much for Lenovo.)

You can test to see if your machine has been compromised by Superfish at https://filippo.io/Badfish/; if you have it on your system, Lenovo has provided a Superfish removal tool on their Web site. The good news is that the technical part of the damage is simple to correct; the damage to Lenovo's reputation and user trust will be much more difficult.