Three weeks ago, my mom told me she needed a new laptop, and wanted some recommendations. I pointed her toward a Lenovo with a 15-inch touch screen, a model I considered to be a great bang-for-buck high-end laptop that met her specific needs (she’s visually impaired, so the large touch screen is a must-have).
This weekend, I had to take a break from editing Winterwakers Part 3 so I could spend some quality time with said laptop, repairing one of the worst security holes in the history of computing.
The whole situation really drove something home for me: when it comes to computing, there are two worlds. I live in one of them, and my mom (and most people) live in the other. In my world, computers are an open canvas, one that is frequently shat upon by companies like Lenovo. In my mom’s world — the world of the “normal” computer user — computers are mysterious black boxes that work most of the time, but occasionally act malevolently for no apparent reason.
I learned about Superfish on Thursday morning because I follow the right people on Twitter, and understand what they’re talking about. My mom learned about it because I sent her an email titled “Lenovo severe security/adware issue,” in which I volunteered to fix it for her because I knew it was beyond her capabilities.
Let me be perfectly clear on that point: my mom would have never even known about Superfish, or how serious a problem it was, if it weren’t for me personally warning her.
What if my mom had bought a Lenovo laptop without telling me? What if I was on a trek through the wilderness this week, missing the whole Superfish story? More to the point: what if my mom was one of the millions of normal-world Lenovo users who didn’t have someone in the tech world to tell her about Superfish, and impress upon her how serious an issue it is?
My mom is in her mid-sixties. She has three university degrees, including a master’s. Though now retired, she has worked as a nurse (public health, then hospital), a college instructor, and most recently, as a high-level manager in a Canadian health region that serves four million people. She has presented at huge conferences, written academic papers, and was the first president of her university’s nursing students’ association. And she’s been using PCs since the Windows 3.1 days.
In other words: she’s not stupid.
I feel I need to bludgeon that point home because of a pervasive notion many in the tech world seem to have: users are dumb and unwilling to learn, and that’s why they have all these problems. This attitude is not only insulting, it’s toxic and destructive, and it’s a big reason why computing is so insecure.
Examples of this dangerous thinking have been observed in the wild in response to Superfish. See if you recognize any of these gems:
“Should have used a Mac.”
“Should have used Linux.”
“Everyone knows OEMs fill their machines with crap. You should always do a fresh Windows install when you get a new laptop.”
“Just go into Certificate Manager and remove any suspicious root certs.”
“Superfish isn’t the only vulnerability like this. You should also check for …”
*grabs keyboard off advice-giver’s desk and throws it out the window*
Fellow nerds: None of this “advice” is helpful.
Yes, technically, all of the above would have prevented or removed Superfish, and probably other nasty vulnerabilities. But seriously: telling people they should have used Linux or reinstalled Windows is hopeless at best, victim-blaming at worst.
Yes, I went there, and I mean it. Giving a normal-world computer user advice like this is the “you shouldn’t have worn that short skirt” of computer security.
You see, even though we made these machines that are occasionally malevolent, and even though we frequently offer advice or assistance that is nothing short of victim-blaming, normal-world users still trust us. Really, they have no choice but to trust us. What else can they do?
When my mom came by to pick up her Lenovo after I’d removed Superfish (and removed a crap-ton of Lenovo bloatware, and removed that shit-fest known as McAfee, and enabled regular Windows Defender scans, and installed Firefox), she asked me why the store that sold her the computer hadn’t called her to warn her about Superfish. My reflex was to say that it’s not the store’s responsibility, that Lenovo or Microsoft were responsible for patches. But that response itself is problematic. Microsoft did provide a patch within 24 hours (kudos to them, by the way), but it only worked if the computer was running Windows Defender, which these laptops are not out of the box. As for Lenovo, they’re the ones who caused this mess in the first place, and they did it deliberately, with full knowledge of what they were doing. Expecting them to fix Superfish is beside the point. This disaster was their doing, and should never have happened in the first place. And, while we’re doling out blame, none of this would have been a problem if Microsoft themselves hadn’t enabled the technology and policies that made it possible.
My mom trusted the store (a decent business I won’t link to because I don’t want them involved in this, good or bad) to sell her a computer that wasn’t inherently insecure. She trusted Lenovo to build her a computer that wasn’t crammed full of crap and riddled with security holes. She trusted Microsoft to be able to lay the smackdown on anyone who makes Windows insecure.
All three violated my mom’s trust. Lenovo did so maliciously and deliberately, which is why I have a special hatred for them, and why I will never buy or recommend one of their products as long as I draw breath (which is annoying, because their hardware is actually very good). The other two parties either abdicated responsibility, enabled Lenovo to do what they did, or a combination of both.
You can argue about whose responsibility this actually was, or why certain parties should be blameless, but it’s all beside the point. Normal-world people trust tech-world people to “just make it work.” Shifting blame doesn’t make things work. Passing the buck to the hardware vendor or the OS vendor doesn’t make things work. Just because it’s not your fault doesn’t mean it’s not your responsibility. The trust of the normal world is a responsibility that everyone in the tech world must bear, and must take seriously.
Until we do, we’ll keep having more Superfishes. And I’ll have to keep taking time out of my busy schedule to help my mom with her computer.
(Oh, and Mom, if you’re reading this: I was happy to help you, and will do so again if the need arises. And, on behalf of the tech community, I’m sorry about all this.)