
    Lenovo Ushers in a New Era of Mobile Workstation Power and Performance with Lenovo ThinkPad P50 and P70

    • scottalanmillerS
      scottalanmiller @Dashrender
      last edited by

      @Dashrender said:

      And yes, if LoJack is enabled (granted it's most often not) it does all those things completely silently.

      I don't think you understand what I am saying. What devices have you ever heard of where LoJack was put on there without the customer's knowledge or consent?

      • DashrenderD
        Dashrender @scottalanmiller
        last edited by

        @scottalanmiller said:

        @Dashrender said:

        only Lenovo's own tools. You may not like their tools, but those tools haven't been proven to be malware or spyware yet, least not in the postings I've read.

        Um, by definition what they've done makes those malware. Software for Lenovo's benefit, without the permission or desire or authorization of the customer... that's malware by any definition I've ever heard. What else could it be? It's malicious, it's ware. Just because it hasn't yet been shown to have a dramatic impact doesn't change what it is.

        Spyware no, that it is not. That's a specific type of malware. But malware it is. It is not bloatware alone because there is the added condition of this being a malicious intrusion to customers' systems without their knowledge or consent.

        Breaking and entering isn't excused just because the person gets caught before they get away stealing something. Breaking and entering alone is enough to arrest them. Malware is malware before it spies on you or damages your machine.

        But the users are notified by a popup, and given the chance to say NO.

        • DashrenderD
          Dashrender @WingCreative
          last edited by

          @WingCreative said:

          Instead, it was used like some sort of hidden DRM to ensure Lenovo software persisted when one assumed only Microsoft software would remain. This DRM-like system did not use SSL, allowing anyone sharing your connection the opportunity to intercept and modify the connection and traffic created every boot cycle. Boo to that.

          I already agreed that Lenovo did a poor implementation of this solution, but the claim that this is malware - it's no more malware than Dell installing its own solutions to the computer. They get off the hook ONLY because they prompt before the install actually takes place.

          • scottalanmillerS
            scottalanmiller @Dashrender
            last edited by

            @Dashrender said:

            @scottalanmiller said:

            @Dashrender said:

            only Lenovo's own tools. You may not like their tools, but those tools haven't been proven to be malware or spyware yet, least not in the postings I've read.

            Um, by definition what they've done makes those malware. Software for Lenovo's benefit, without the permission or desire or authorization of the customer... that's malware by any definition I've ever heard. What else could it be? It's malicious, it's ware. Just because it hasn't yet been shown to have a dramatic impact doesn't change what it is.

            Spyware no, that it is not. That's a specific type of malware. But malware it is. It is not bloatware alone because there is the added condition of this being a malicious intrusion to customers' systems without their knowledge or consent.

            Breaking and entering isn't excused just because the person gets caught before they get away stealing something. Breaking and entering alone is enough to arrest them. Malware is malware before it spies on you or damages your machine.

            But the users are notified by a popup, and given the chance to say NO.

            Are you sure? That's not what is being reported.

            http://hothardware.com/news/lenovo-accused-of-using-rootkit-to-sneak-its-software-onto-clean-windows-installs

            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said:

              I already agreed that Lenovo did a poor implementation of this solution, but the claim that this is malware - it's no more malware than Dell installing its own solutions to the computer.

              Unless these articles are lying (very possible) you and I have completely different definitions of malware and permission.

              http://www.itnews.com.au/News/407868,lenovo-rootkit-loaded-bloatware-onto-clean-windows-installs.aspx

              • scottalanmillerS
                scottalanmiller
                last edited by

                There is a reason why the media is using the term rootkit. This is insidious malware that they are reporting. Actual loss of admin level control.

                • DashrenderD
                  Dashrender @scottalanmiller
                  last edited by

                  @scottalanmiller said:

                  http://hothardware.com/news/lenovo-accused-of-using-rootkit-to-sneak-its-software-onto-clean-windows-installs

                  According to this, the OP says he is getting a popup about the Lenovo software.

                  • DashrenderD
                    Dashrender @scottalanmiller
                    last edited by Dashrender

                    @scottalanmiller said:

                    There is a reason why the media is using the term rootkit. This is insidious malware that they are reporting. Actual loss of admin level control.

                    I'm not sure where the loss of admin control comes in? Sure the software is self installing, but I don't see anyone reporting that they have 'lost control' of their systems - of course you'll retort by saying that any software installing without my express permission is probably lost control.

                    HP and Dell have also been accused of using this BIOS method to install software after a clean install - I'm pretty sure it's mentioned in that ARS link I just posted.

                    tl;dr version (since this blew up on Reddit and there's lots of stuff to digest)

                    • in Windows 8+ any PC vendor can include an .EXE in Firmware/BIOS, and Windows will look for this on each boot, and run it right before you log in. This is called "Windows Platform Binary Table". This is something Windows does, and there is no way to turn this off. To me, this is the bigger story, because vendors may now start to use this method to install anything, making a clean windows install impossible.

                    • Lenovo uses this method if you try to install Windows 8, but if you install Windows 7, it does the sketchy "overwrite your system file (autochk.exe)" method instead.

                    • Either way, Lenovo installs a service on your PC. It was found to have security bugs. I can't find the link, but they said this was placed on some laptops/PC's from late 2014 to Summer 2015. They've released a new firmware 2 weeks ago that turns this off.

                    I would like to know if any non-Lenovo pc's have used this "Windows Platform Binary" method to run software from the firmware, because when I searched for it, I saw people with Dell's and HP's who thought they might have a virus, posting scan logs that contained the text "wpbbin.exe" (which would only be there if Windows found it in the BIOS and put it there) For example see https://www.google.com/search?q="wpbbin.exe"+site%3Aforums.malwarebytes.org (as early as 2013)

                    Check your PC:

                    Windows 8 and up: Check your event log for "Microsoft-Windows-Subsys-SMSS" and if you see "A platform binary was successfully executed." your PC vendor is doing this. Or, look for a file called wpbbin.exe in windows\system32. (This file would ONLY exist if Windows found it in your firmware and ran it.)

                    Windows 7: Verify your autochk.exe is legit. I think you could simply do: "sfc /VERIFYONLY" in cmd.exe (as Admin) but I did not test it. My autochk.exe was signed by Lenovo in 2014 (which tipped me off it didn't come from the Windows 7 DVD I got in 2010!).

                    1 Reply Last reply Reply Quote 0
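
The "Check your PC" steps quoted in the post above, collected into one script as an added example (not part of the original post, and not Lenovo's or Microsoft's code). It assumes PowerShell 4.0 or later, an elevated prompt, and that the `Microsoft-Windows-Subsys-SMSS` provider writes to the System log; the function name `Test-PlatformBinaryIndicators` is hypothetical.

```powershell
# Added example: gather the WPBT / autochk.exe indicators named in the post.
# Run elevated. Requires PowerShell 4.0+ (Get-FileHash, [ordered]).
function Test-PlatformBinaryIndicators {   # hypothetical name
    [CmdletBinding()]
    param([string]$SystemRoot = $env:SystemRoot)

    $sys32 = Join-Path $SystemRoot 'System32'
    $r = [ordered]@{}

    # Windows 8+: wpbbin.exe is only present if Windows copied it out of firmware.
    $wpbbin = Join-Path $sys32 'wpbbin.exe'
    $r.WpbbinPresent = Test-Path -LiteralPath $wpbbin
    if ($r.WpbbinPresent) {
        $sig = Get-AuthenticodeSignature -FilePath $wpbbin
        $r.WpbbinSigner = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                          else { '<no embedded signature>' }
        # Record the hash so the same binary can be matched across machines.
        $r.WpbbinSha256 = (Get-FileHash -LiteralPath $wpbbin -Algorithm SHA256).Hash
    }

    # Windows 8+: SMSS logs each platform binary run.
    # Assumption: the provider writes to the System log.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Subsys-SMSS'
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*platform binary*' })
    $r.PlatformBinaryEvents  = $events.Count
    # Get-WinEvent returns newest first, so index 0 is the latest run.
    $r.LastPlatformBinaryRun = if ($events.Count) { $events[0].TimeCreated } else { $null }

    # Windows 7 path: an autochk.exe carrying an embedded non-Microsoft
    # signature is the tell described in the post.
    $autochk = Join-Path $sys32 'autochk.exe'
    if (Test-Path -LiteralPath $autochk) {
        $sig     = Get-AuthenticodeSignature -FilePath $autochk
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $r.AutochkStatus = [string]$sig.Status
        $r.AutochkSigner = $subject
        # A missing signature is not flagged: inbox files can be catalog-signed,
        # which older PowerShell versions report as NotSigned.
        $r.AutochkSuspicious = [bool]($subject -and
            ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation'))
    }

    [pscustomobject]$r
}

Test-PlatformBinaryIndicators | Format-List
```

A machine is worth a closer look when `WpbbinPresent` is true, `PlatformBinaryEvents` is non-zero, or `AutochkSuspicious` is true.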
                    • scottalanmillerS
                      scottalanmiller @Dashrender
                      last edited by

                      @Dashrender said:

                      @scottalanmiller said:

                      http://hothardware.com/news/lenovo-accused-of-using-rootkit-to-sneak-its-software-onto-clean-windows-installs

                      According to this, the OP says he is getting a popup about the Lenovo software.

                      I don't see that there. What I do see at that link is there...

                      "Any ideas how to remove this thing? Service turns itself back on after reboot, even if you stop it and disable it. Files reappear even if you delete or alter them."

                      Over and over again in the media and in social media threads I see that there is a rootkit. If someone, somewhere is claiming that some process asked for permission I'd be inclined to think that that is either something different, they are confused or it is an additional aspect.

                      It has been very clear that this cannot be stopped and happens transparently. Files forcibly replaced at boot time without notification doesn't sound anything like "asking permission."

                      • scottalanmillerS
                        scottalanmiller
                        last edited by

                        Oh, I see, it was the OP. He's asking about something different that led to the discussion about the rootkit. Some things still have popups and ask permission. Just because something does doesn't mean that everything does.

                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          Oh, I see, it was the OP. He's asking about something different that led to the discussion about the rootkit. Some things still have popups and ask permission. Just because something does doesn't mean that everything does.

                          True, but when you get the full out technical explanation that someone WAY smarter than me did, you see what files are coming onto the system and where they are coming from. None of them are indicated as malicious. Bloatware, perhaps, even probably.

                          • DashrenderD
                            Dashrender
                            last edited by Dashrender

                            Here is where I'm guessing a security researcher actually dissected the problem by reading out the BIOS.

                            Disclaimer: Unless you really know what you're doing, you really don't want to try this: As for removing it, you need to edit and re-flash your bios. The downloadable bios update from Lenovo doesn't seem to be extractable at least with any methods I know, and using bios dumping tools only gets you 6 of the 8MB of the bios chip, so unfortunately it has to be done the painful way.

                            You'll need a usb flash rom reader/writer (a cheap CH341A one works fine) and SOIC-8 test clips. You can get each of those 2 items for about $10 each.

                            Take the back cover off the laptop, and also disconnect the battery, and locate the bios chip on the motherboard. Connect the test clips to the bios and connect the other end of the test clips to the usb writer, and connect the usb writer to another computer. On the other computer use the usb reader/writer to dump a copy of the bios.

                            The bios dump will be an 8MB file. You need to split it into 2 files: the first 2MB and the last 6MB. Download UEFITool from GitHub (https://github.com/LongSoft/UEFITool) and open the 6MB file. Look through the modules and find the one called "NovoSecEngine2" and mark it for deletion. Save a new copy of the 6MB file. Now make a new 8MB file by taking the 2MB beginning from earlier and appending the new 6MB file on to the end.

                            Use the usb reader/writer to flash that new 8MB file to the laptop's bios, then disconnect the wires and put the laptop back together. Reinstall a fresh copy of windows again, and check your C:\Windows\system32\autochk.exe file to make sure it's signed by Microsoft, not Lenovo. If you have the original Microsoft one there, congratulations, your laptop is now clean.

                            • scottalanmillerS
                              scottalanmiller @Dashrender
                              last edited by

                              @Dashrender said:

                              True, but when you get the full out technical explanation that someone WAY smarter than me did, you see what files are coming onto the system and where they are coming from. None of them are indicated as malicious. Bloatware, perhaps, even probably.

                              How is that not malicious? Forced bloatware IS malicious. You keep saying that they are doing malicious things and then saying it isn't malware. It can't do what you are describing and not be malware.

                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said:

                                @Dashrender said:

                                True, but when you get the full out technical explanation that someone WAY smarter than me did, you see what files are coming onto the system and where they are coming from. None of them are indicated as malicious. Bloatware, perhaps, even probably.

                                How is that not malicious? Forced bloatware IS malicious. You keep saying that they are doing malicious things and then saying it isn't malware. It can't do what you are describing and not be malware.

                                We apparently don't agree on what malicious is.

                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender said:

                                  We apparently don't agree on what malicious is.

                                  Clearly. I'm shocked that you think that losing control of your machine isn't malicious. If I broke into your house without your permission and got caught because I did anything other than wash up and watch some television would you not consider that malicious?

                                  Their actions alone are malicious. What the files are that they are pushing can't change that. They've breached the malicious acts component before we evaluate what the files are. What they are doing is malicious in its action.

                                  Then there is the additional component that we don't know what the intent is or was. We don't know how this could have been used, would have been used or would have been exploited. Bottom line, this is what malicious looks like. What else can it be?

                                  Do you consider no hacking attempt to be malicious until the stealing of data is completed?

                                  • scottalanmillerS
                                    scottalanmiller
                                    last edited by

                                    I'm not saying that Lenovo's intent was to steal banking data, what I'm saying is that their intent was to rootkit people's desktops. That's a malicious intent, it was accomplished.

                                    • DashrenderD
                                      Dashrender @scottalanmiller
                                      last edited by

                                      @scottalanmiller said:

                                      I'm not saying that Lenovo's intent was to steal banking data, what I'm saying is that their intent was to rootkit people's desktops. That's a malicious intent, it was accomplished.

                                      Then so is Dell's and HP's when they install drivers using this method and ergo this method needs to be completely removed from being allowed. But clearly even MS thinks this is a good idea because they built "Windows Platform Binary Table (WPBT)" which specifically has Windows go to the BIOS/UEFI to find these files that vendors put there to do exactly this.

                                      • scottalanmillerS
                                        scottalanmiller
                                        last edited by

                                        According to Wikipedia: "Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems."

                                        Disrupt, yes. Gain access, yes. It meets two of the potential qualifications. It might easily have been used for gathering sensitive information, that it was used or would have been used before stopped we don't know, but that isn't relevant as it is already a recognized malware (all rootkits are by definition malware.)

                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @Dashrender said:

                                          @scottalanmiller said:

                                          I'm not saying that Lenovo's intent was to steal banking data, what I'm saying is that their intent was to rootkit people's desktops. That's a malicious intent, it was accomplished.

                                          Then so is Dell's and HP's when they install drivers using this method and ergo this method needs to be completely removed from being allowed. But clearly even MS thinks this is a good idea because they built "Windows Platform Binary Table (WPBT)" which specifically has Windows go to the BIOS/UEFI to find these files that vendors put there to do exactly this.

                                          Agreed. Are Dell or HP controlling people's desktops without their permission or knowledge? Do you have documentation of that? You said that LoJack was doing this too, do you have a link? This should be huge news.

                                          • DashrenderD
                                            Dashrender
                                            last edited by

                                            How does it disrupt? Of course it gains access.

                                            But the same could be said of Dell or HP installing ONLY drivers into a system.
