Yet Another Compromising Preinstalled "Glitch" In Lenovo Laptops
New submitter execthis writes: Japanese broadcaster NHK is reporting that yet another privacy/security-compromising "glitch" has been found to exist in preinstalled software on Lenovo laptops. The article states that the glitch was found in Spring and that in late July Lenovo began releasing a program to uninstall the difficult-to-remove software. The article does not specify, but it could be referring to a BIOS utility called Lenovo Service Engine (LSE) for which Lenovo has released a security advisory with links to removal tools for various models.
Re: Who would have thought there was more? (Score:1)
Lenovo is now a puppet for the Chinese government. Of course they will have a backdoor to spy on you.
Re:Who would have thought there was more? (Score:5, Insightful)
We are just seeing the tip of an iceberg here - we can't trust our computers anymore.
Re: (Score:2)
we can't trust our computers anymore
Our computers? Even though I "bought" my computer . . . I'm not sure that I actually "own" it. There is probably a legalese expression in the fine print of the documentation somewhere, that the manufacturer has a right to install any sort of spyware that they want on "my" computer.
Can't trust LOCKS anymore (Score:2, Insightful)
FFS, courtesy of the TSA backdooring luggage locks, even the locks are worthless these days.
http://boingboing.net/2015/08/21/make-your-own-tsa-universal-lu.html
Spotify decides to help itself to all your data on your phone on an upgrade. And Google make a phone that permits that.
Samsung installs spyware/helpware on their phones and tablets that let it take over the tablet remotely and do *everything*, read everything, fake SMSs intercept calls, the lot. Hackers backdoor this and suddenly people are aware the
Re: (Score:1)
It's like governments have abrogated their duty to protect people from this kind of shit and companies like Uber and Lenovo are having a field day.
Governments love this shit. The more data Uber and Lenovo and Samsung and Spotify collect about you, the more data the government can subpoena (or just take without a subpoena). These companies have become, in effect, agents of the government.
Re: Can't trust LOCKS anymore (Score:2)
Just checked my settings....Spotify has no access to my GPS, local contacts, or photos. I don't understand what this particular outcry was. Spotify can ask for whatever information it desires, but users are free to just say "no" when my phone asks me would I like to give it access.
Re: (Score:2)
We are just seeing the tip of an iceberg here - we can't trust our computers anymore.
You haven't been able to trust your computer since flash bios and/or programmable CPU microcode. If you've been trusting your computer between then and now, you're a rube.
Re: (Score:2)
Funny thing about this, I have a business-grade Lenovo laptop, and whenever one of these stories has come out I've looked to see whether I've got whatever backdoor/malware is being talked about on my machine. Nothing. No trace of any of them. So it seems the way to avoid these things is to buy a business-market Lenovo PC, not a home/casual-user market one. Backdooring large businesses seems to be something they don't want to risk...
(One possible reason for this is that apart from the political repercuss
Re: (Score:2)
Backdooring business is risky but also very profitable, just because you didn't see it doesn't mean that it's non-existent. It may just mean that it needs a specific trigger to get activated.
Re: (Score:2)
Easy fix: wipe the system and install Linux. No self respecting /. reader runs an OS provided by the machine manufacturer, with all the crapware preinstalled.
That goes for Lenovo, Dell, HP, Asus, etc -- all of them.
Help your friends and family get converted over to OpenSource!
LOL and then watch the UEFI bios reinstall everything without telling you
http://www.techworm.net/2015/0... [techworm.net]
Re: Who would have thought there was more? (Score:5, Informative)
Re: Who would have thought there was more? (Score:2)
If you have windows 7 the bios replaces the file. The feature you mention is only for windows 8 and 10.
WordPress Flash exploit .. (Score:1)
But can only be successfully exploited on Microsoft windows
Lenovo Ideacenter spyware too? (Score:1)
Are their PCs based on their laptops affected too? Stuff like the Idea Center?
IMHO, Lenovo are a piece of shit, I have an ideacenter of theirs and it won't switch on unless you unplug the network cable and power, press 'on' a few times, then plug them back in and press on. This is just yet another reason I won't buy any of their kit, PC, Android, phone.
And where exactly are the privacy laws ?: "The utility also sends non-personally identifiable system data to Lenovo servers"
Shitty article (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
because.
BECAUSE this is /. and THAT'S what /. does.......
Re: (Score:1)
I couldn't find any other news sites that had published anything about this. Also, NHK has shortened the article for some reason since I first saw it.
However another good source of info is:
How to Remove Lenovo's Alleged 'Bootkit' Software [tomsguide.com]
and also:
Windows 10 Privacy Checklist [wordpress.com] mentions this issue
It's a dumb feature (Score:5, Interesting)
The last thing I want is my firmware getting updated automatically.
I'd really like for all writable memory in my computer to be removable. And that includes the bios memory. Have it be a micro SD card or something.
Here someone will say it will make the machine take 1 second longer to boot up or OH NOES the mobo will cost 10 cents more to make. But it's worth it. It means you can audit the system to check for viruses really easily. You pull the chip, plug it into a clean system, and scan it. Or if you prefer... wipe it. Write the whole thing with ones then zeros... and then flash it with a proper version of the bios.
And this also means that corrupted bios memory is less of a problem. You can pull the chip. Sure, if the processors or something else is damaged then this won't help. But I've had a few mobos that were totally fine except the bios was so corrupt you couldn't flash a fresh version. With this change, that problem is gone.
Cue people saying "you can't do that because no one has done it that way yet"... climb a fucking tree so I can throw bananas at you then, you filthy animal! :-D
Re: (Score:3)
What I want way more than removable is I want bios write enable jumpers back. Some motherboards have them, but they are rare. I buy Gigabyte boards, so they have dual BIOS, so I'm not worried about my BIOS being taken out. If I had a WP jumper, I wouldn't be concerned about it being maliciously overwritten, either.
Re: (Score:2)
A write protect jumper would be an improvement, but not a solution. Once you have a compromised BIOS, it is very difficult to detect the infection and practically impossible to clean it
If I have control over the WE line on the flash, who cares? But if that's your criteria, why not just give JTAG or similar access to the flash? The pins would be cheaper than socketing the chip, using an MMC, whatever.
Re: (Score:2)
Because I want to pull it.
As to the added cost... I'll pay it. Fucking charge me for it. I'll pay the extra 10 dollars for the feature. Other people don't want to pay it? Don't. I want that feature. It's well worth the 2~10 dollars it would cost to do that.
Re: (Score:2)
As soon as you put "removable" BIOS chips back, you have to provide physical access to that chip, you have to provide board space to mount it, it increases the price of the motherboard, and most important to security, it provides the possibility of corrupt vendor replacement of the BIOS chip with their _own_ socket replaced chip with only poweroff physical access, not console access to run the drivers or work with attached boot media.
I'm not saying this is a greater attack vector: but it's one that has to b
Re: (Score:2)
The write protect jumpers were originally used because Flash memory at the time required an external high voltage supply for programming and the cheapest way to control this was through a physical jumper.
I agree that controlling this through hardware is a good idea. The programming supply is no longer available for this but the write protect jumper could block the write strobe instead. Unfortunately some newer Flash memories do not have a separate write strobe either.
Re: (Score:2)
Re: (Score:2)
There were, and maybe still are, enthusiast mobos with two BIOS chips. Fry one, you could flash the other.
Gigabyte used to do that, but I'm pretty sure they just use one big bios chip now. If the first bios fails to load they just tie one address line high (or low, but I think it's high) and try to load again.
Re:It's a dumb feature (Score:5, Interesting)
I want the writable memory chip to be a micro SD card, or something equally easy to plug into another machine to independently wipe it and verify that it's wiped.
Let me add some additional benefits of this... DRIVERS.
If we use an SD card, then we can put more stuff on it than just the bios. OR the bios could be fucking massive. Either concept has some interesting possibilities.
Imagine if the OS queried the motherboard for drivers. We could store viable copies of the drivers the system needs to use most of the installed hardware. That's nifty. Reinstall... no need to go hunting around for the right driver files. Automatically installed... actually. Not in theory... but actually. Anyone that has built a lot of machines knows what I'm talking about.
And a giant bios could mean the bios could have a lot of additional functionality built into it. Not just the man behind the curtain.
Re: (Score:2)
Re: (Score:2)
... yes if your drivers are infected then you'll have infected your machine. But if you have version control and known good copies then you can negate the issue by overwriting everything with known goods.
You can erase and verify the erasure of all writable memory, then write the known good bios and drivers.
Make constructive comments please. Anyone can gainsay anything. You can gainsay water, air, the Sun...it's not hard to do. Be constructive. It's the only potentially useful thing.
Re: (Score:2)
Not even remotely similar.
Re: (Score:2)
http://slashdot.org/comments.p... [slashdot.org]
"Cue people saying "you can't do that because no one has done it that way yet""
I can't tell if you're kidding... or if I'm psychic but forgot to buy bananas.
Re: (Score:2)
I would need to be able to physically pull the bios memory chip and plug it into another machine... and write lock it when I wasn't messing with it... to even begin to feel comfortable with this feature.
Simpsons did it (Score:2)
Covered on slashdot ten days ago:
http://tech.slashdot.org/story... [slashdot.org]
"Those who do not learn from history are doomed to repeat it" - Santayana
The real glitch is... (Score:1)
... it wasn't hidden well enough and somebody noticed.
Lessons won the hard way (Score:1)