Reader Comments (rss)

(Flattened / Threaded)

1. 

   That One Guy (profile), Aug 13th, 2015 @ 6:59am

   
   

   How?

   How can anyone be stupid enough to buy anything from them at this point? I wouldn't trust them if they were selling a calculator, and I certainly wouldn't trust them with a computer.
   
   Forget 'stop buying until they wise up', after these last two stunts, people should stop buying from them permanently, as it's blatantly obvious they're not to be trusted.

   [ reply to this | link to this | view in thread ]

2. 

   Ninja (profile), Aug 13th, 2015 @ 7:05am

   
   

   Re: How?

   That. I was considering Lenovo for my next notebook but they had themselves removed from the list in that superfish issue. Now they made sure they will never be an option in anything.

   [ reply to this | link to this | view in thread ]

3. 

   Ninja (profile), Aug 13th, 2015 @ 7:06am

   
   

   If it can be abused it will be abused it seems. How can we know NSA doesn't replace such firmware with something that meets their ends for instance? Or China intel? Or whoever? Seems it's an 'useful' feature that is not that useful after all.

   [ reply to this | link to this | view in thread ]

4. 

   John Fenderson (profile), Aug 13th, 2015 @ 7:40am

   
   

   Re: How?

   This. Lenovo is on my "do not buy" list.

   [ reply to this | link to this | view in thread ]

5. 

   PaulT (profile), Aug 13th, 2015 @ 7:41am

   
   

   Re:

   "If it can be abused it will be abused it seems."
   
   The law of unintended consequences. It may well be perfect useful for its intended purpose. But, supply a tool and some people will work out how to misuse it.
   
   The only mystery is how it's is a surprise to anybody that it was misused - or why Lenovo apparently believed that nobody would notice.

   [ reply to this | link to this | view in thread ]

6. 

   Anonymous Coward, Aug 13th, 2015 @ 7:42am

   
   

   Re: How?

   How can anyone be stupid enough to buy anything from them at this point?

   Do you mean Lenovo or Microsoft here? It's Windows that has the non-optional feature to install crap from the firmware tables.

   [ reply to this | link to this | view in thread ]

7. 

   RightShark, Aug 13th, 2015 @ 7:48am

   
   

   a question

   What happens if you wipe the Windows and install Linux?
   Do the crapware call-home programs still work?
   
   Not that I am now inclined to buy Lenovo for any reason.

   [ reply to this | link to this | view in thread ]

8. 

   Anonymous Coward, Aug 13th, 2015 @ 7:49am

   
   

   How about crossing over to Linux? I tried to work with Win 8/Win10 (hooray driver enforcement), but things like this confirm my suspicion of these shenanigans with Windows these companies pull. My question is who else is using BIOS similar to this? At least Lenovo's trick is shown the door when it attempts to hijack a fresh Linux install.

   [ reply to this | link to this | view in thread ]

9. 

   Anonymous Coward, Aug 13th, 2015 @ 7:49am

   
   

   Duh! Lenovo is made in China!

   This is just the Junior Varsity warming up for the Big Game.
   
   Thanks, Microsoft, for making pwning so easy.

   [ reply to this | link to this | view in thread ]

10. 

    Karl Bode (profile), Aug 13th, 2015 @ 7:55am

    
    

    Re: a question

    Since it relies on Microsoft's WPBT technology to replace autochk.exe I assume Linux should be fine.

    [ reply to this | link to this | view in thread ]

11. 

    Ninja (profile), Aug 13th, 2015 @ 8:02am

    
    

    Re: Re: How?

    I pirate Windows when needed. I'd love to see stuff fully ported or at least well emulated on Linux. Wine is a good start.

    [ reply to this | link to this | view in thread ]

12. 

    Anonymous Coward, Aug 13th, 2015 @ 8:03am

    
    

    Re: Duh! Lenovo is made in China!

    You mean the JV is warming up for pwning Moto phones?
    
    https://www.theverge.com/2015/7/29/9067665/motorola-google-lenovo-pure-android

    [ reply to this | link to this | view in thread ]

13. 

    scotts13 (profile), Aug 13th, 2015 @ 8:15am

    
    

    Send this article

    Send this article to the people in government who think their much-wanted "backdoor into everything" will never be abused. They won't understand, but at least you'll have done your due diligence.

    [ reply to this | link to this | view in thread ]

14. 

    crade (profile), Aug 13th, 2015 @ 8:17am

    
    

    Re: a question

    As far as I can tell, the actual execution of this code is in the windows software itself, after boot, so if you boot Linux or anything else it will probably never check or run anything in the WPBT.

    [ reply to this | link to this | view in thread ]

15. 

    JustShutUpAndObey, Aug 13th, 2015 @ 8:22am

    
    

    WPBT considered harmful to security

    I'm old enough to recall plugging in a physical ROM chip when I wanted to upgrade my BIOS. ROM is Read-ONLY-Memory. I could step through the ROM to examine it, and I could be certain nobody could re-write it.
    
    As usual, the modern world has traded away safety for a little more convenience

    [ reply to this | link to this | view in thread ]

16. 

    That One Guy (profile), Aug 13th, 2015 @ 8:23am

    
    

    Don't give them ideas

    What makes you think they wouldn't support this method of slipping unwanted code into a system, whether the owner of the system knows it's there or not?
    
    'Delete everything and start with a fresh install in an attempt to try and ensure that the only programs on your machine are ones you chose yourself? Hah, no, soon as it boots it calls home and installs the backdoor code again.'

    [ reply to this | link to this | view in thread ]

17. 

    John Fenderson (profile), Aug 13th, 2015 @ 8:28am

    
    

    Re: Re: How?

    And it's Lenovo who flagrantly abused that ability. It isn't always possible to avoid Windows (although I do my very best to). It is always possible to avoid Lenovo.

    [ reply to this | link to this | view in thread ]

18. 

    Anonymous Coward, Aug 13th, 2015 @ 8:32am

    
    

    Re: Re: a question

    it will probably never check or run anything in the WPBT.

    
    WPBT tables, and other windows specific software constructs no longer apply when Linux is booted. To pull the same trick under Linux requires Linux specific software, and would have to deal with the variability of Linux, like different boot loaders. Windows provides a much more consistent execution environment than Linux, which relies more on source code portability.

    [ reply to this | link to this | view in thread ]

19. 

    Anonymous Anonymous Coward, Aug 13th, 2015 @ 8:38am

    
    

    It's not just Lenovo

    http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-sto p-talking-to-microsoft/

    [ reply to this | link to this | view in thread ]

20. 

    Violynne (profile), Aug 13th, 2015 @ 8:59am

    
    

    The anagram for "Lenovo" is "No Love".
    
    It's the corporation's secret motto.

    [ reply to this | link to this | view in thread ]

21. 

    lars626 (profile), Aug 13th, 2015 @ 9:05am

    
    

    All laptops?

    Did they pull this trick on the direct sale business models too or just the consumer ones? If they did this to GM or Ford or one of the big banks they could be facing a tsunami of legal action.
    
    Is there a way to pull this trick on a Linux machine?

    [ reply to this | link to this | view in thread ]

22. 

    Ben (profile), Aug 13th, 2015 @ 9:07am

    
    

    Re: Re:

    But, supply a tool and some people will work out how to misuse it

    I think "use it differently" might be more appropriate -- it is the epitome of "hacking". Granted this case is an example of the "black" form of hacking; to paraphrase Hanover Fist: "They should be torn into itsy little pieces and buried alive."
    
    Lenovo has certainly earned a spot on my "do not buy" list.

    [ reply to this | link to this | view in thread ]

23. 

    RD, Aug 13th, 2015 @ 9:10am

    
    

    Re: a question

    "What happens if you wipe the Windows and install Linux? "
    
    You get reported for "piracy", naturally.

    [ reply to this | link to this | view in thread ]

24. 

    Anonymous Coward, Aug 13th, 2015 @ 9:21am

    
    

    Re: How?

    How? That's easy enough. They have a long history of fairly robust hardware, resulting in a solid reputation. Both system quality, and reputation have declined over the years, but it's not the sort of thing that vanishes overnight.

    [ reply to this | link to this | view in thread ]

25. 

    Paul Renault (profile), Aug 13th, 2015 @ 9:25am

    
    

    Re: Re: How?

    Make sure you let them know of your decision, eh.

    [ reply to this | link to this | view in thread ]

26. 

    Phoenix84 (profile), Aug 13th, 2015 @ 9:25am

    
    

    Thinkpad killed

    Lenovo has succeeded in killing the great Thinkpad line.
    I was afraid it was going to happen.
    I have a T500 (T61p before that), back when Lenovo just bought them from IBM.
    The thing is a workhorse, and still works great to this day (the T61p sadly succumbed to the bad nVidia chip of that era, T500 replaced it).
    The keyboard change was the first nail. This is the final.
    So ended an era.
    It will most likely be my last Thinkpad. Sadly there isn't much else of quality anymore either.

    [ reply to this | link to this | view in thread ]

27. 

    tqk (profile), Aug 13th, 2015 @ 9:28am

    
    

    Re: It's not just Lenovo

    After watching this slow motion trainwreck (Win 10) unfold, if you're in IT and proposing to update machines to Win 10, I'd have to wonder who you're actually working for. It's been quite a while since MS pulled such boneheaded crap and was still able to say and get away with, "What? What did we do wrong? This is supporting users. These are features they'll appreciate!"
    
    I suspect the Russian FSB, Israeli Mossad, and the NSA have all taken minority ownership positions in MS.

    [ reply to this | link to this | view in thread ]

28. 

    crade (profile), Aug 13th, 2015 @ 9:28am

    
    

    Re: Re: Re: a question

    It would also be even more pointless in Linux than it is in windows.. Linux doesn't have the concept of software that is outside the User's control. If they implemented WPBT support, a hypothetical thief who installed a fresh Linux on the system could just not install the WPBT support part.

    [ reply to this | link to this | view in thread ]

29. 

    Anonymous Coward, Aug 13th, 2015 @ 9:32am

    
    

    Stallman was right

    Every day the FSF's stances seem less and less extremist.
    
    https://www.fsf.org/campaigns/free-bios.html

    [ reply to this | link to this | view in thread ]

30. 

    stimoceiver (profile), Aug 13th, 2015 @ 9:37am

    
    

    customers who want actual control of the hardware they own

    This is a great article because it gives a nice clear example of not only what corporate-level actors think of our privacy and security, but also just how opportunistically they will act when left to their own unregulated and profit-driven whims.
    
    It leads me to ponder: between now and the future of armed AI battlebots kicking down doors instead of cops, what kind of future can we predict for implantable computing?
    
    Lenovo's actions are a nice foreshadowing.
    
    So are smart tv's that share your every spoken word with third parties.
    
    So are advanced persistent threats in the hard drive mcu firmware(s) and unpatchable firmware vulnerabilities that affect nearly every USB memory stick in existence.
    
    So is the hidden second operating system in every phone, the baseband OS.
    
    So are the terms in the Windows 10 license agreement that obligate the user to agree to so many kinds of spying, automatic updating, and remote top-down command-and-control from big brother Microsoft.
    
    For that matter, so are the ubiquitous, corporate-owned, proprietary and for-profit nature of the cell phone and internet network architectures. Why aren't corporations racing to embrace the Internet Of Things and the future beyond by designing an open, community-owned, peer routed and decentralized network architecture where all we will need to do to join is put up an antenna? Something that is free to join, neighborhood-centric, and useful for civic and community organising?
    
    Its clear that if the hardware manufacturers are left to their own devices (pun intended), implanatable computing with a proprietary for-profit software-as-a-service unmoddable hardware locked proprietary baseband operating system, and advanced persistent spyware and adware in every BIOS and firmware will be the norm, and not some glaring exception.

    [ reply to this | link to this | view in thread ]

31. 

    Anonymous Coward, Aug 13th, 2015 @ 9:44am

    
    

    I don't think it'd be much of a stretch to use something like this to prevent installation of a non-MS OS. Give it a few years.
    
    And considering how small memory chips are in things like flash drives, perhaps in the future, the OS would be preinstalled directly on the motherboard and cannot be overwritten. That'd spell the end of Linux (competition to M$ and a possible hindrance to Big Brother) in several years, after the gurus' old hardware becomes too old or breaks.
    
    Just something I've been thinking about lately.

    [ reply to this | link to this | view in thread ]

32. 

    Joel Coehoorn, Aug 13th, 2015 @ 9:47am

    
    

    China

    Lenovo is a Chinese company. Given all of the recent government and corporate security breaches tied to the Chinese government over the last few years, how long until they get Lenovo to use a feature like this that acts as their espionage arm? They did it once; they can do it again. Even if (when) they caught again, by then it might not matter.

    [ reply to this | link to this | view in thread ]

33. 

    John Fenderson (profile), Aug 13th, 2015 @ 10:15am

    
    

    Re: All laptops?

    This "trick" requires the cooperation of the operating system being used, so it's Windows-only. It is technically possible to add the required support into Linux, but the community would never accept such a change.

    [ reply to this | link to this | view in thread ]

34. 

    Anonymous Coward, Aug 13th, 2015 @ 10:17am

    
    

    lenovo caught useing the NSA's toys.

    These capabilities exist on nearly all modern systems- they just aren't usually used in mass, or in ways that are otherwise easily detected.
    
    You've missed the story here Karl. There's an iceburg below the tip you just pointed out, one that TDs articals seam to obliviously run into again and again... All modern hardware is backdoored like this. Intel ME, Secureboot, TPM, UEFI...etc...
    
    Also- this type of attack absolutely works against linux, the injected software just has to be tailored to the target software environment; harder then windows, sure, but far from impossible.
    
    Ironically- gluglug's (old/reflashed) lenovo thinkpads are some of the only machines you can buy today that are imune to these types of subverstion/attack. So boycott new lenovo's, by all means, but if you want to support a solution to this catastrophic mess- buy a gluglug and support the libreboot team.

    [ reply to this | link to this | view in thread ]

35. 

    John Fenderson (profile), Aug 13th, 2015 @ 10:18am

    
    

    Re:

    This trick couldn't be used to do that -- but the ability to prevent non-MS OS installs already exists in many modern machines: UEFI. Now that Microsoft no longer requires OEMs to provide a way to disable UEFI, look for an increasing number of systems that do this.

    [ reply to this | link to this | view in thread ]

36. 

    John Fenderson (profile), Aug 13th, 2015 @ 10:21am

    
    

    Re: lenovo caught useing the NSA's toys.

    "this type of attack absolutely works against linux"
    
    You've mixed together a bunch of technically very different attack vectors, so I'm not sure which one(s) you're talking about with this assertion.
    
    Assuming you're talking about the one the article is discussing, then no, this attack does not work against Linux. It requires the active support and cooperation of the operating system, and Linux does not provide the necessary support.

    [ reply to this | link to this | view in thread ]

37. 

    Anonymous Coward, Aug 13th, 2015 @ 10:42am

    
    

    Re: lenovo caught useing the NSA's toys.

    Linux and the similar BSDs, vary in all sorts of details, mainly under the users control, which includes variations in boot loaders, and init systems. Also, there are various file systems in use, all of which makes this sort of attack more difficult, and liable to failure on some installations of nominally the same operating system.

    [ reply to this | link to this | view in thread ]

38. 

    Matthew A. Sawtell, Aug 13th, 2015 @ 10:56am

    
    

    So... how many folks here are not firm believers of following "the Bleeding Edge"?

    Show of hands without Band-Aids?

    [ reply to this | link to this | view in thread ]

39. 

    Anonymous Coward, Aug 13th, 2015 @ 10:57am

    
    

    Once a corporate develops this sort of mentality, it is best to stay away from them. The one thing they will understand is loss of profit. It's a long hard hoe back to trusting such a maker. They've shown their colors and I refuse to show them the color of my money because of it. They can promise the world but the damage is already done.

    [ reply to this | link to this | view in thread ]

40. 

    Anonymous Coward, Aug 13th, 2015 @ 11:14am

    
    

    cant understand why the Lenovo bosses would want to do this sort of thing. i have an old Lenovo laptop running XP and it has to be the best laptop i've had. why they would want to piss customers off by doing or allowing to be done this crap doesn't make sense. i thought it had more respect for customers, unlike Sony, Microsoft and Apple, for example, who want to know the length of my foreskin and how many times i screwed the missus this week! looks like they've joined the class of 'Dont Trust The Bastards' now!

    [ reply to this | link to this | view in thread ]

41. 

    John Fenderson (profile), Aug 13th, 2015 @ 11:38am

    
    

    Re:

    Lenovo thought its customers were so stupid that they'd never notice. They weren't far wrong -- look how long it took to get noticed.

    [ reply to this | link to this | view in thread ]

42. 

    quadeddie (profile), Aug 13th, 2015 @ 11:43am

    
    

    Run Fdisk.exe /MBR to clear everything.

    [ reply to this | link to this | view in thread ]

43. 

    383bigblock (profile), Aug 13th, 2015 @ 11:46am

    
    

    Already flushed the toilet

    I've run into too much of this with Lenovo. We pulled the plug on all Lenovo's last year. We liked their M93P boxes for out on the manufacturing floor because of small footprint and wifi capable. Unfortunately, they have a bad habit of generating IPv6 broadcast storms basically shutting down the network. We traced the storms to several machines that didn't even have IPv6 enabled.
    
    Good Bye...so long. We only have about 350 users but that's 350 less Lenovo's. Someone needs to pull their head out of their asses otherwise they will lose all of their business customers.

    [ reply to this | link to this | view in thread ]

44. 

    John Fenderson (profile), Aug 13th, 2015 @ 11:47am

    
    

    Re:

    But that won't clear the firmware. As soon as you install Windows again, the malware will be back.

    [ reply to this | link to this | view in thread ]

45. 

    Colin Bragg, Aug 13th, 2015 @ 12:04pm

    
    

    Bad Press

    With bad press like this, it can only affect their sales. People will vote with their feet. Especially businesses

    [ reply to this | link to this | view in thread ]

46. 

    crade (profile), Aug 13th, 2015 @ 12:16pm

    
    

    Re: Bad Press

    Yep, but only because they got caught this time.

    [ reply to this | link to this | view in thread ]

47. 

    Anonymous Coward, Aug 13th, 2015 @ 1:15pm

    
    

    Re: Re: lenovo caught useing the NSA's toys.

    Seems like if you can get the right code into the bios/firmware, and know the target os, this should not be a problem.

    [ reply to this | link to this | view in thread ]

48. 

    Anonymous Coward, Aug 13th, 2015 @ 1:16pm

    
    

    Re: Re: Re: How?

    Not just them, but ALL of the other manufacturers as well. This is where you make examples of things like this.
    
    It needs to be a real fear for any company pulling shit like this to face going right the fuck out of business!

    [ reply to this | link to this | view in thread ]

49. 

    That One Guy (profile), Aug 13th, 2015 @ 1:58pm

    
    

    Re: Re: How?

    And? The highest quality hardware in the world doesn't mean squat if you can't trust it, and quite clearly if it's coming from them you can't. With actions like this, what little reputation they have should vanish overnight, as unless it's a reputation for being sleazy and treating their customers like crap, they clearly don't deserve it.

    [ reply to this | link to this | view in thread ]

50. 

    Anonymous Coward, Aug 13th, 2015 @ 4:47pm

    
    

    Re: Stallman was right

    As I recall, it took a while for others to convince Stallman a free BIOS was important, as he had considered it basically hardware until that point (these were probably the pre-TPM/restricted-boot days). He doesn't seem fully conviced of the importance of free hardware designs yet, suggesting people wait for fabrication technology to improve before rejecting non-free hardware (whereas he declared non-free software unethical long before free-software-only systems were practical). Others such as the lowRISC project are working on it though.
    
    It may be worth noting, by the way, that it's not so difficult to grab an old system (one you don't mind bricking) and port Coreboot to it.

    [ reply to this | link to this | view in thread ]

51. 

    Groaker (profile), Aug 13th, 2015 @ 8:10pm

    
    

    Re: Bad Press

    I would be happy if they voted with their feet and wallets, but that is disticntly not within the human paradigm. Look at all the crap that companies have pulled that the user population just ignores.
    
    Sony is a great exemplar. Rootkits in audio material that take over a computer if you list to a legally purchased CD on your PC. Taking out capabilities that were touted as a reason for purchase (removal of Linux from a game console.)
    
    Companies that produce absolute garbage (MPAA and the RIAA) abuse the user and the law. And users are so hungry for crap they don't need, that they put up with it. Perhaps they all need to go to submissive school, and learn that it is the bottom who really holds the power.

    [ reply to this | link to this | view in thread ]

52. 

    Anonymous Coward, Aug 13th, 2015 @ 8:30pm

    
    

    Why should they?

    It looks like Lenovo may not have learned much from February's Superfish shenanigans.
    
    Were the company's managers prosecuted? If not, then what they learned is that laws don't apply to them, so why should they care?

    [ reply to this | link to this | view in thread ]

53. 

    Anonymous Howard, Aug 14th, 2015 @ 6:27am

    
    

    Re: So... how many folks here are not firm believers of following "the Bleeding Edge"?

    Hi!

    [ reply to this | link to this | view in thread ]

54. 

    John Fenderson (profile), Aug 14th, 2015 @ 9:05am

    
    

    Re: Re: Re: lenovo caught useing the NSA's toys.

    The way this worked is that Windows actively looks for the code embedded in the BIOS, loads it, and executes it. This is a "feature" of Windows.
    
    Simply having the code in the BIOS (even if that code can execute under any OS) doesn't do anything at all. Something on the OS side of things must load and execute that code. Linux does not look for, load, or execute any such code and so is immune from this attack vector.

    [ reply to this | link to this | view in thread ]

55. 

    GEMont, Aug 18th, 2015 @ 3:14pm

    
    

    Re: Why should they?

    Truth is, they may have been under contract to do exactly what they did, for law enforcement and the security state.
    
    Could have just been "shock testing" too.
    To see how the public would react.
    
    ---

    [ reply to this | link to this | view in thread ]

56. 

    cena energii, Nov 23rd, 2015 @ 5:43am

    
    

    Legend, of course, benefited from the low production costs that had foreign electronics manufacturers outsourcing their own production to China.
    
    Read more: http://www.referenceforbusiness.com/history2/52/Lenovo-Group-Ltd.html#ixzz3sK1cQ66i

    [ reply to this | link to this | view in thread ]

57. 

    Almost Anonymous (profile), Nov 23rd, 2015 @ 2:16pm

    
    

    Re: Re: Re: How?

    They are, with their wallets. This is the only language most corporations understand anyway.

    [ reply to this | link to this | view in thread ]

58. 

    Almost Anonymous (profile), Nov 23rd, 2015 @ 2:18pm

    
    

    Re: a question

    It's possible that the operating system is locked into Windows using UEFI Secure Boot. Just sayin'.

    [ reply to this | link to this | view in thread ]

59. 

    RalphieW (profile), Nov 24th, 2015 @ 3:58pm

    
    

    Re:

    Nice try, FUDpacker. This is *Lenovo*- noonoe else has been caught red-handed TWICE doing this..
    
    but sure, anyone else *could* do this.
    
    IF you could cast your aspersions elsewhere while we discuss the greedy, arrogant Chinese company who's done this (again) *TWICE* in the space of 18 months. Eyeaaah, that'd be greeeeeat.

    [ reply to this | link to this | view in thread ]

60. 

    Anonymous Coward, Jun 6th, 2016 @ 7:54am

    
    

    Re: How?

    honestly was just looking at a lenovo laptop like 5 mins ago and then I stumbled upon the superfish articles. I was reminded that these companies do too much.

    [ reply to this | link to this | view in thread ]

Add Your Comment