Lenovo Ushers in a New Era of Mobile Workstation Power and Performance with Lenovo ThinkPad P50 and P70
-
@scottalanmiller said:
@Dashrender said:
If you believe that the POPUP mentioned in the OP in the Ars link is related, and that nothing more is coming down to the machine - then I would say this is similar to how LoJack works, possible exception is that YOU the owner have originally initiated the LoJack thing, but once enabled, if that computer is ever reinstalled, LoJack will reinstall itself from the BIOS - maybe you weren't aware that it could do that?
The popup is not related to what we are discussing. That's something else. There is NO permissions being requested for the rootkit issue.
I feel that finding one guy somewhere mentioning a popup about something else has led you down the garden path. The issue at hand is not one with a pop up.
Other people in that thread mention the popup as well. And the reality is probably most people just didn't see the popup, but if it shows that the popup isn't related.. then I'll cede the point
-
@Dashrender said:
@WingCreative said:
Instead, it was used like some sort of hidden DRM to ensure Lenovo software persisted when one assumed only Microsoft software would remain. This DRM-like system did not use SSL, allowing anyone sharing your connection the opportunity to intercept and modify the connection and traffic created every boot cycle. Boo to that.
I already agreed that Lenovo did a poor implementation of this solution, but the claim that this is malware - it's no more malware than Dell installing its own solutions to the computer. They get off the hook ONLY because they prompt before the install actually takes place.
Fair enough - Ultimately we probably don't/won't know enough details about what was being downloaded every boot cycle to determine whether or not it was malware according to Wikipedia's definition. Badware, definitely! But outside of the security vulnerability, it could be argued that making sure Lenovo Service Engine is installed dilutes the term malware to the point where Windows 10 could also be considered malware as it does not seem to truly respect all user privacy settings at the moment.
With that said, we (or at least I) don't know what exact info the Lenovo Service Engine was sending outside of Lenovo's description. With Lenovo's reputation for doing dumb, sneaky stuff for a quick buck, their slippery PR department, and the fact that they are a Chinese hardware manufacturer, many people are assuming the worst. I have seen people suggesting this was part of a backdoor for the Chinese government and other things along those lines. That would fall under the "gather sensitive information" part of the definition of malware, but we don't know if that was the case.
All we know for sure is that a hardware manufacturer insecurely set up a system to make sure their computers reported system information for a few months before getting shut down. The insecurity and exploitation potential makes it badware. Software made to persist despite users' best efforts is malicious in my opinion, and I don't understand why Lenovo would go to such lengths to ensure the Lenovo Service Engine was persistently installed if it only sends system information once before disabling itself as they say. In my opinion, there are too many unknowns to definitively say "Lenovo included persistent malware on their consumer devices" beyond reasonable doubt, but there are enough things that don't add up for me to avoid buying or recommending Lenovo in the future and keep an eye on this situation as it develops. I do understand hesitating to declare Lenovo outright malware peddlers though.
-
@scottalanmiller said:
Here is another link that states without any doubt that there can be no popup as the action takes place before the OS is even running...
http://thehackernews.com/2015/08/lenovo-rootkit-malware.html
OF course it does! Just like Dell and HP installing Drivers before the OS loads!
-
@WingCreative said:
Fair enough - Ultimately we probably don't/won't know enough details about what was being downloaded every boot cycle to determine whether or not it was malware according to Wikipedia's definition.
This description alone makes it malware. Because it is automatically downloaded and installed by Lenovo's control they have control of the machine. It meets the malware definition from that part alone. Rootkits are malware. I don't see much grey area here, this is about as malware as it gets, right?
-
@Dashrender said:
OF course it does! Just like Dell and HP installing Drivers before the OS loads!
Of course it does what?
-
@WingCreative said:
....Software made to persist despite users' best efforts is malicious in my opinion....
Exactly. No matter what they intended to do, or how they intended to use it doesn't matter. What matters is only the part that we know. They installed a rootkit, they used it. Malicious intent and malicious action. The part about malware is without question, IMHO. Why would they do it? Stupidity for all we know. Doesn't matter, the inexcusable action happened regardless of how they planned to exploit it.
-
@WingCreative said:
All we know for sure is that a hardware manufacturer insecurely set up a system to make sure their computers reported system information for a few months before getting shut down. The insecurity and exploitation potential makes it badware. Software made to persist despite users' best efforts is malicious in my opinion, and I don't understand why Lenovo would go to such lengths to ensure the Lenovo Service Engine was persistently installed if it only sends system information once before disabling itself as they say.
This is only on desktop, Laptops they say it keeps coming back - as designed.
-
@Dashrender said:
Just like Dell and HP installing Drivers before the OS loads!
Do you have any links to this? I'm not saying it doesn't exist, just don't have any details on it to compare. Do they really have no means of disabling this?
-
@scottalanmiller said:
@Dashrender said:
OF course it does! Just like Dell and HP installing Drivers before the OS loads!
Of course it does what?
You linked saying that the Lenovo stuff downloads before the OS is loading - and I said Of course it does.. just like the HP and Dell stuff.
Though I might stand corrected when it comes to Dell and HP - BUT when enabled, the LoJack stuff DEFINITELY did the same thing, installed software before the OS loaded.
Dell and HP as reported in the Ars link indicates that they are using the MS "Windows Platform Binary Table (WPBT)", but anything that runs from there does have full control of your system just like the Lenovo software.
-
@Dashrender said:
You linked saying that the Lenovo stuff downloads before the OS is loading - and I said Of course it does.. just like the HP and Dell stuff.
But if you knew that it loaded before the OS... why were you talking about the guy getting the popup which had to be from something else then, since a popup can't happen until the OS is running?
-
@scottalanmiller said:
@Dashrender said:
Just like Dell and HP installing Drivers before the OS loads!
Do you have any links to this? I'm not saying it doesn't exist, just don't have any details on it to compare. Do they really have no means of disabling this?
This is a function of "Windows Platform Binary Table (WPBT)". Until today I'd never heard of this, and presently I have no idea if it can be disabled or not.
Quoted from the Ars page, this tells you that you can search some (don't know which ones) Dell and HP machines and find the wpbbin.exe file which indicated that they are using this technology.
I would like to know if any non-Lenovo PCs have used this "Windows Platform Binary" method to run software from the firmware, because when I searched for it, I saw people with Dells and HPs who thought they might have a virus, posting scan logs that contained the text "wpbbin.exe" (which would only be there if Windows found it in the BIOS and put it there). For example see https://www.google.com/search?q="wpbbin.exe"+site%3Aforums.malwarebytes.org (as early as 2013)
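Added example, not part of the thread or the Ars page: besides looking for wpbbin.exe on disk, a defender can check whether the firmware publishes a WPBT at all by reading the raw ACPI table, which Linux exposes at /sys/firmware/acpi/tables/WPBT when one exists. The field offsets below follow Microsoft's WPBT specification and should be checked against it; the sample table and all of its values are constructed so the script runs offline.

```python
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")            # handoff size, handoff address, layout, type, argument length

def build_sample_wpbt(args="", handoff_size=0x20000, handoff_addr=0x7F000000):
    """Constructed sample table; every value here is made up for the demo."""
    arg_bytes = args.encode("utf-16-le")
    length = ACPI_HEADER.size + WPBT_BODY.size + len(arg_bytes)
    raw = bytearray(
        ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
        + WPBT_BODY.pack(handoff_size, handoff_addr, 1, 1, len(arg_bytes))
        + arg_bytes
    )
    raw[9] = (-sum(raw)) & 0xFF  # checksum byte makes the whole table sum to 0 mod 256
    return bytes(raw)

def parse_wpbt(raw):
    """Return the fields a defender cares about from a raw WPBT table."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(raw) < fixed:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, _orev, _cid, _crev = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table: %r" % sig)
    if not fixed <= length <= len(raw):
        raise ValueError("table length field is inconsistent with the data")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(raw, ACPI_HEADER.size)
    arg_end = min(fixed + arg_len, length)  # never read past the declared table
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table.decode("ascii", "replace").strip(),
        "checksum_ok": sum(raw[:length]) % 256 == 0,
        "handoff_size": size,
        "handoff_address": addr,
        "content_layout": layout,
        "content_type": ctype,
        "arguments": raw[fixed:arg_end].decode("utf-16-le", "replace"),
        "binary_published": size > 0,  # firmware hands Windows a binary to run at boot
    }

if __name__ == "__main__":
    # On real hardware (root required): raw = open("/sys/firmware/acpi/tables/WPBT", "rb").read()
    print(parse_wpbt(build_sample_wpbt(args="/demo")))
```

A missing /sys/firmware/acpi/tables/WPBT file means the firmware publishes no such table; a present one with a non-zero handoff size is the case to investigate further.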
-
@scottalanmiller said:
@Dashrender said:
You linked saying that the Lenovo stuff downloads before the OS is loading - and I said Of course it does.. just like the HP and Dell stuff.
But if you knew that it loaded before the OS... why were you talking about the guy getting the popup which had to be from something else then, since a popup can't happen until the OS is running?
Because presumably even though the installer is already there, it won't do something if you tell it NO don't help me.
You're really completely OK with Dell and HP silently installing NIC or whatever drivers using these methods, but not OK with them installing a component that asks for permission to install itself?
-
@Dashrender said:
Though I might stand corrected when it comes to Dell and HP - BUT when enabled, the LoJack stuff DEFINITELY did the same thing, installed software before the OS loaded.
It is only relevant if they did it without the user's knowledge or permission. That's what this is about. Not that there is technology to do this, but how it is used.
That's where I keep comparing to normal installers. Normal OS software installers can be used to install normal software OR malware. It's not the installer that makes the difference but how it is used.
The technology here can be used for legitimate reasons or for malware. This case is malware because of how it was done. LoJack, I'm quite sure, has the users make the decision about installing it to the UEFI or not.
-
@Dashrender said:
Because presumably even though the installer is already there, it won't do something if you tell it NO don't help me.
But it is too late, the rootkit action has already happened. That you get choices about something else later doesn't matter. I can see what you are saying, but you are talking about asking permission after the issue is said and done. The rootkit is what got us to the point of asking permission, there was no permission asked before that point.
This is like someone breaking into your house and then asking if you want them to make dinner. Sure, it's great that they asked permission before putting the pot roast in. But people are upset because they found a rogue cook in their kitchen.
-
@Dashrender said:
You're really completely OK with Dell and HP silently installing NIC or whatever drivers using these methods, but not OK with them installing a component that asks for permission to install itself?
No, I'm really not which is why I keep asking for a link to show me that this happens!
I'm totally okay with it if they ask permission, make it well known and/or have it able to be disabled. Which, I'm led to believe, we have no reason to doubt that they do at this point.
-
@Dashrender said:
Quoted from the Ars page, this tells you that you can search some (don't know which ones) Dell and HP machines and find the wpbbin.exe file which indicated that they are using this technology.
So you have no reason to believe that HP and Dell are doing this secretly or forcibly and are not talking about the same thing that we are talking about here? Or you just assume that they are doing those things?
We are talking about Lenovo's malicious behaviour, not optional behaviour. Unless you have a reason to believe that Dell, HP or LoJack are doing something similar to Lenovo (again: secret, without authorization and no ability to stop - until they got caught) then I don't think it is right to keep mentioning them as doing "the same thing." Sure they might be, but unless we know that they are we should not accuse them.
-
@scottalanmiller said:
@Dashrender said:
You're really completely OK with Dell and HP silently installing NIC or whatever drivers using these methods, but not OK with them installing a component that asks for permission to install itself?
No, I'm really not which is why I keep asking for a link to show me that this happens!
OHHHHHhhhh K! Now we're getting somewhere. You're completely against the idea that something - literally anything could happen before you the user has a chance to approve it. Now that I can completely stand behind.
But if that's the case, then you have to say that "Windows Platform Binary Table (WPBT)" is a horrible idea and needs to be removed from Windows, because it allows just this type of action - the ability of the vendor to install something into your computer without your knowledge or consent - and this is a Feature of Windows 8 and higher.
-
@Dashrender said:
OHHHHHhhhh K! Now we're getting somewhere. You're completely against the idea that something - literally anything could happen before you the user has a chance to approve it. Now that I can completely stand behind.
Yes, but to be clear, if I can go into the BIOS and enable/disable that feature then I'm totally onboard with it. Or if I can choose between firmware versions that do or do not do this. Whatever. If I am given the choice in some manner, then it is fine. So the pure installation of drivers silently is okay, as long as I am aware and could have stopped it (even if that meant proactively disabling it via the BIOS or whatever)
-
@scottalanmiller said:
@Dashrender said:
OHHHHHhhhh K! Now we're getting somewhere. You're completely against the idea that something - literally anything could happen before you the user has a chance to approve it. Now that I can completely stand behind.
Yes, but to be clear, if I can go into the BIOS and enable/disable that feature then I'm totally onboard with it. Or if I can choose between firmware versions that do or do not do this. Whatever. If I am given the choice in some manner, then it is fine. So the pure installation of drivers silently is okay, as long as I am aware and could have stopped it (even if that meant proactively disabling it via the BIOS or whatever)
LOL again on this we agree - though I'm sure the media would still rain fire and brimstone.
-
@Dashrender said:
But if that's the case, then you have to say that "Windows Platform Binary Table (WPBT)" is a horrible idea and needs to be removed from Windows, because it allows just this type of action - the ability of the vendor to install something into your computer without your knowledge or consent - and this is a Feature of Windows 8 and higher.
Well, I can see why you might feel that way. But that's just not a reasonable action and here is why...
You can say that about anything. You can say the same thing about being able to install software in the OS the old fashioned way. You can say it about JavaScript in web pages. You can say it about Word documents.
It's not reasonable to stop all means of software deployment because they could be used for malicious activity. Maybe this one is so problematic that we need to reconsider it, I'd agree with that. But the key issue here is a vendor that did something wrong given a tool that they had at their disposal. There will always be tools for wrongdoing, we can't take them all away.
What needs to happen is some combination of legal action, market pressure, awareness, etc.