These guys have absolutely zero awareness of sensitive privacy issues. The trample on their customers rights, secretly and obviously maliciously, and they do it over and over again!
I can think of no reasonable response but to abandon Lenovo products entirely.
I guess I thought it was pretty common for people to understand if they don't want bundled crapware, then they shouldn't buy laptops from retailers.
Maybe buying direct from another manufacturer on the list in the link I posted or buying a laptop or PC without an OS on it solves 95% of the problem. Maybe I'm just assuming too much here.
I guess this confirms my initial point when it comes to hardware, people are not that well informed.
I just quote: "Lenovo is now using rootkit-like techniques to install their software on CLEAN Windows installs, by having the BIOS overwrite windows system files on bootup. Someone detailed this here: http://arstechnica.com/civis/viewtopic.php?p=29497693&sid=dd... "
Of course, source aside, if you want a $300 laptop then you'll get the low build-quality, plastic-fantastic piece of spyware-riddled crap you pay for. If you're paying a premium, for a product range where reputation and quality actually matters, you stand a better chance. Unfortunately in the current laptop market, imho, that means paying a minimum of $1000, with low-end Apple prices being preferable.
Dells business range isn't so bad. I bought a Latitude in January of last year and, although it had some superfluous fluff bundled with it, it was lean enough that I didn't bother to format and reinstall from scratch (although I dual boot). I previously bought a Lenovo ThinkPad for more and returned it because the depressing build quality (I don't remember much about the bundled software because it simple doesn't factor in to my purchasing decisions).
I think the fact that this spyware was found on a refurbed ThinkPad shows just how far the brand has fallen.
It's not that straightforward; there are a ton of drivers that Lenovos come with; fingerprint scanners, synaptics touchpad, Sound cards and so on. These are usually bundled in a Lenovo System Update - when it gets installed, it installs a ton of cruft. It's a pity really - I have the latest X1 Carbon; it's a marvellous gadget. Pity the software is so poor.
There honestly isn't a perfect option out there, but for example I've sworn off Lenovo at this point entirely. The unfortunate thing is Google recently sold Motorola to them.
UPDATE: I've made a huge mistake. seduced by the matte black dark side. Avoid all modern Intel CPU/chipsets (post 2006) if you value your privacy and security:
In summary, the Intel Management Engine and its applications are a backdoor with total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the libreboot project strongly recommends avoiding it entirely. Since recent versions of it can't be removed, this means avoiding all recent generations of Intel hardware.
Former Thinkpad fan. I love my new Dell Rugged Extreme. I got the 12. This thing is built the way Thinkpads used to be (complete with the price tag of a used car).
The only thing(s) I don't like about it is the missing trackpoint. I really miss that. And the fact that black-box UEFI is built in (but what do we know about modern microcode anyway, might as well get some ostensible security measures for 'free'). Oh, one more: the "QD" connectors do not accept standard straps/slings -- only insanely expensive (and hard to find) Dell brand straps/handles.
Everything else about it is outstanding. This thing is a brick with rounded, rubber edges.
Drive over it with your truck. (watch the video)
Use it as body armor. (no, don't really)
Go scuba diving in the arctic. (Check out the frozen-in-an-ice-block video on Youtube.. while running on battery.)
The screen is incredibly bright, but it also has a slick quick-kill for all the lights. Just the thing for when a warlord is on your tail. The multi-color LED backlit keyboard looks awesome.
It runs Kali Linux (built on Debian Jessie) perfectly. Everything works, including the touch screen and stylus, out of the box.
UEFI isn't any more black-box than BIOS in general. Sure, I'd rather run entirely FOSS firmware, but in the absence of that, UEFI doesn't make things any worse. If anything, it allows quite a bit more introspection and extensibility. And its core is FOSS (https://github.com/tianocore/edk2), just not the versions shipped by board/system vendors.
UEFI starts with encrypted code and wraps additional layers of encrypted, signed code around it. It's impenetrable, and purposefully so. That's the practical definition of "black box". It's huge, too, with a much larger attack surface.
You say "encrypted" and "signed" as though that's a bad thing. When they're used against the owner of the system, sure; however, they can also be used by the owner of the system to protect themselves. "Only runs authorized code" can be a good thing as long as you're the one doing the authorizing.
Intel Management Engine is the exact same thing as Windows' Group Policy or OSX's Enterprise Configuration Profiles, just applied at the hypervisor level[1]. IOW, it's a thing you use to pair a corporate-owned PC with its mothership. If you bought your PC, you control it; you can just turn IME off in the BIOS or whatever you like.
Note that this level of enterprise control has been possible for some time; even without IME, if HR hands you a laptop and doesn't tell you the BIOS password, then it might be set to, say, attempt to network PXE boot by default from the corporate intranet's deployment-and-compliance servers.
---
[1] Actually it's more literally like the kind of "smart" server-rack backplane that allows you to connect a remote serial console to an unresponsive server to see what's going on, or send it a hard reboot or whatever else. Except for managing desktops instead of servers.
You're applying several inadequate metaphors. To do the same thing, it's kind of like saying my tool box full of tools is similar to a screwdriver. No, wait, it's more literally like a box to carry tools in. ;)
It's hard to argue with metaphors, because they start out being inexact and go downhill from there. (oh, another one!) But I'll try anyway :)
It's really nothing like group policy's or configuration profiles, except it could be used to deliver similar functionality for your machine from either the manufacturer, or from your company, or from anyone else along the way who implemented their own backdoor into your hardware during shipping[1] or maybe just inserted their own microcode into the CPU, because it literally is an all-powerful hardware backdoor that lives below your OS. It can even be upgraded remotely in many cases.
Backdoors can be used for good or for evil, of course, but that's what it is. (and it actually has nothing to do with hypervisors, unless you take the metaphor that any operating system you install is really running under the control and whim of the Intel Management Engine.) Again, the metaphor of a remote management console is again over-simplifying, but, sure, it can do that, too.
When you're reading this[2], remember that you don't control those keys and you can't remove that software. You can't 'just turn it off':
> and it actually has nothing to do with hypervisors, unless you take the metaphor that any operating system you install is really running under the control and whim of the Intel Management Engine
What I meant was that, the same way the userland runs at the control and whim of the kernel, and the kernel at the control and whim of the hypervisor, the hypervisor itself will run at the control and whim of IME. Because IME sits at ring -2 (yes, that's a thing now), the hypervisor at ring -1, the kernel at ring 0, and userland at ring 3. So it's actually more than "hypervisor-level access", but a hypervisor is almost as capable, so it's a decent comparison.
> ...except it could be used to deliver similar functionality...
That's what I was trying to communicate, yes. The purpose (not the functionality) of IME is to enable enterprise management. Like Group Policy or Configuration Profiles, like server backplane management, like running your app as a VM on a hypervisor, like a lot of things.
The point is that these technologies exist to enable companies to control and manage their hardware assets. None of them are built in such a way that they can reach out and bite you if they haven't been set up and configured by the computer's owner, any more than someone could interface with your computer's serial console without attaching a serial cable to it.
A lot of devices come with privileged backdoors, for a variety of reasons. For example, a lot of CPUs have a JTAG debugger chip embedded, exposed via GPIOs. But since such backdoors require hardware access to enable, they're not all that scary. Of course your device isn't secure if someone gains physical access to it. While they were in there, they might have also installed a Bluetooth-transmitting in-line keylogger chip or something.
Now, what might be scary about IME is that it's enabled by default. But a lot of things are also insecure by default until hardening is applied, and have to be secured in a clean-room environment: Windows, for example. If you care, you do this.
But I don't see its existence in particular as troubling, insofar as it doesn't represent any greater loss of control than was already true. Intel chips (and I'm pretty sure those of most other CISC manufacturers) have been running microcode updated via encrypted blobs for decades; this microcode can have any number of backdoors embedded in it. You don't need a fancy special-purpose coprocessor to do this stuff; the main processor is perfectly capable of doing Intel's bidding instead of yours without any help. The IME just allows your computer to do the bidding of some arbitrary third-party that Intel likes (like DRM companies), instead of the code needing to be written by Intel themselves, embedded deep in the CPU's internals.
Note also that most firmware chips can be re-flashed to do bad things; CPUs are not alone in presenting this "bugged out-of-the-box" attack-vector.
...but then, to go one step further: if you don't trust Intel's chips because of their firmware, why does it matter whether it's firmware or not? Backdoors can be embedded in the traces of the CPU itself. Having updatable microcode doesn't change this; the existence of the IME doesn't change this. Do you think the NSA can't requisition a one-off custom variant printing of a CPU, and get that stuck the board of a Person of Interest's laptop, or phone, or TV, instead?
This is why I was concentrating on the Intel AMT (remote Internet access) feature of the IME: it's the only part that materially changes things from how-the-world-was before its existence. If you're an end-user and own your computer, you can disable AMT, and verify that it's disabled—the computer will no longer reply to probes on that port. Everything else is just a dozen new vectors for motivated attackers to do things motivated attacke...
Awesome, I like your response. I definitely agree that there are many ways to take this. But, some of the risk factors that you are comparing aren't really on the same level. To go back to a bad metaphor again :), what if I stuck a camera with encrypted feeds in your house that you couldn't remove, but I told you that they weren't attached to anything? and that you could just push this button to turn them off? See, the light goes off. That means it's off. Why are you so distrusting? What if they were in every room? over your bed?
As you move downward into more primitive levels of the system, or outward to edge parts of the system (ie a usb attachment), it becomes harder to see what's going on. For example: let's say that you p0wned the firmware on a non-boot SATA drive. You could see all the bits flying across, but you can't do much about them except tamper with them; they might be encrypted, or you maybe can't get access to the network in order to ship them off elsewhere. There's probably ways around each of those, but it's hard. But what if I took a Raspberry Pi and stuck it on the system bus? that's a different story :)
When you have a multi-megabyte secondary server and processor that's hooked directly into your system bus, watching everything that comes across and able to subtly react, tamper, watch just for keys, or ship data off elsewhere, then (as you point out) the attack vectors multiply compared to a exploiting a device's firmware. And, you can't ever get rid of them. EVER. No amount of flashing will fix it, because you can't flash it anyway. (That's why I posted the libreboot IntelME link).
What if just the hardware RNG (rdrand) watched for a particular sequence of bits to come into some registers, and then started spitting out a predictable sequence for random numbers?
What if this wasn't even a crazy conspiracy theory? (It's not, as we know now, although we don't know the exact mechanism that hardware RNG's are owned by). :(
> The IME just allows your computer to do the bidding of some arbitrary third-party that Intel likes (like DRM companies), instead of the code needing to be written by Intel themselves, embedded deep in the CPU's internals.
Yes, agreed - that's a radically different level of surface area.
Any firmware can be reflashed, but this isn't just any firmware; this is firmware that connects everything together. This is literally the heart of the system. And it's completely locked off from our even viewing it, let alone choosing not to using it.
> If you're an end-user and own your computer, you can disable AMT, and verify that it's disabled—the computer will no longer reply to probes on that port
Agreed, but you originally said you can disable IME, and that's all I was really taking issue with :)
Disabling AMT still leaves IME: what is it doing? You don't know, and we'll never tell you ;)
> Everything else is just a dozen new vectors for motivated attackers to do things motivated attackers have always been able to do.
Agreed. :(
Thank you for the interesting discussion! It'd be fun to relax and argue about it sometime in person. :)
At the risk of getting downvoted - Apple.
Sure, Apple is a huge corporation that sits deep within US government pocket, sure. But at least their software tends to be written by them and them only, their laptops come with a uniform operating system that has no 3rd party malware, for which you don't need external drivers, which has good encryption software built in(again, probably not US-government proof, but good enough for most), and really good permission settings which only allow approved apps to be installed. And then it's a great operating system for developers, programmers, web designers etc.
You can say many things about Apple, but at least when you buy their hardware you know exactly what to expect. If you used one of their laptops you've used them all.
But, to your point -- Apple hardware, like most modern laptops, are built on Intel chipsets and cryptographically signed to prevent tampering by the owner. You're locked out of your own laptop.
If you're concerned about security or even if you just like to hack on the stuff you paid for, it's probably not where you want to be. You have no idea what's going on in there, and it's heavily encrypted at multiple layers to keep you from finding out. See my comment above: you were backdoored before the operating system was even installed. I was too, with my sweet new matte black Dell. (See my comment above).
The sad part is that there are very few modern laptops (if any) that we're not steadily being locked out of. It's not just Apple. It's (almost) everyone. and, of course, it's our phones, too. Check out the libreboot and coreboot websites for some modern(ish) gear that isn't backdoored.
> These guys have absolutely zero awareness of sensitive privacy issues.
Just because they don't care, doesn't mean they don't understand.
I suspect they are fully aware but money beats morality every time.
> I can think of no reasonable response but to abandon Lenovo products entirely.
I'm with you there, but I doubt enough people with buying power are concious about the issue for it to make much difference and most of those that are concious of it either will forget soon enough. I've not knowingly bought a product with Sony written on it since the rootkit incident in 2005, and that doesn't seem to have done them much harm!
Sony are still in business, but they're not killing it like they were in the '80s and '90s. In fact one might see the rootkit thing as just one aspect of the long slow slide they've had for the last 1.5 decades.
They may not have awareness of sensitive privacy issues, but they certainly have awareness of bad press. Every time a big discovery like this is revealed, Lenovo laptops go on sale. It's both funny and scary.
This revelation is minor, but nonetheless unsettling. Previous Lenovo snafus up to this point had specifically excluded the Thinkpad line. Apparently they're not immune from Lenovo's meddling after all.
Rootkits and spyware are an egregious violation of user trust.
One other company with a glaring example was the Sony root kit debacle.
Is there a list of companies who have done things like this? Kind of like storing passwords in free text (for which there is a site to name and shame) it doesn't get the press that it probably deserves to.
I could give you my list of companies I know of that won't do things like that with their hardware.
My list contains one name.
For some reason, this company on my list remains a hated company for some geeks. Something about overly restrictive control of the platform, but for me it means having control over my own data, because the platform tries its damnedest to keep bad players from getting inappropriate access.
I won't give the list because doing so seems like a cheap shot. But I think everyone knows what company is on it.
I'm not saying this is the only such company. It's just the one I know of. Others may have longer lists.
Yeah, Apple is like that. They charge you a pretty penny, but then they don't feel the urge to nickel-and-dime you through backdoors like this.
The problem with crapware on Wintel is that Microsoft and Intel consumed all the profit from the industry, commoditizing their compliments - OEMs. OEMs then found themselves in a race to the bottom, which has entirely shaped the field and brought about the behavior we've seen. Android is now facing the same problem on mobile - a race to the bottom among the OEMs is bound to produce all kinds of shady behavior.
Apple stayed out of this game entirely, they have thick margins which gives them means to pursue their religion of design, UX, and whatever else they think helps them keep their high-ground spot.
If it really is only usage reports for Lenovo software, I wouldn't bet on Apple not collecting data like this, but it is hard to compare since they also make the OS and don't add another component on someone else's.
It does not matter if the OS spies people by itself, of if the company installs extra software to do that. So I guess you can remove that one company from your list too.
Having read the article, I'm sure that iOS has similar spyware. The App Store is spyware by this definition. I would be pleasantly surprised if Apple didn't collect this information on OS X as well. (Although obviously it applies to the app store there as well.)
For some reason, this company on my list remains a hated
company for some geeks
I don't hate it, in fact I recommend my friends try it, I have honestly tried to use one myself for 3 years but two things would always trip me:
1.) cmd/fn is swapped on their small keyboards and
2.) alt-tab requires you to think. Last app? Last document?
Furthermore there are lots of smaller issues like shortcuts: that there was no consistent way to mark to the start / end of the current line (at least three years ago).
The price is kinda ok, my biggest complaint about the mac is the lack of attention to things that actually matters to me: sane, consistent keyboard layout (or an option to swap, I don't look at the keys to much so I don't care about the label as long as it works) and not breaking the most basic workflows.
Aha! Here I thought this was an anomaly - normally stuff from BoingBoing is stuff I read on HN the day before. I thought maybe this time it was the other way around - we're discussing a BB article. But no, just a more extended circle.
On an unrelated note (perhaps mere cathartic complaining): i have the really strong impression that "these days" BB is really just another Buzzfeed-like blog-spam platform. I find that a pity, because about 3 years ago i still considered it one of my favourite places to go for a slightly less technical but nevertheless savvy place, that had political leanings i could get behind. I have the impression that there's really a dearth of solid commentary these days, and that it's mostly videos of cats. Videos of cats without further comment at that, which is worse, if possible.
I am particularly disappointed because in my perception the decline has been relatively steep and abrupt (whereas i would never mourn Buzzfeed or others in the same way, simply because i never had the impression they had quality ‘content’ in the first place).
Anyway, time to move on i guess. Where else do you HN people get news that isn't necessarily focused on startups or programming? I quite like the New Statesman, personally, but i follow it less closely than i used to because of time pressure.
This is why I always build my stuff from the ground up. I feel like people have gotten incredibly lazy with their hardware. As pointed out in the article. the author tosses the hard drive and installs his own software when he buys any Lenovo laptop.
As long as people don't think about their hardware, this will continue to happen. Either build your own, or don't use vendors like this.
It's a lot easier than you think. I've done twice and it was a lot easier than I thought it would be. There's two methods - starting from scratch, or buying a barebones system and going from there. I did both with a barebones system, but if you're going from scratch, I'd look at ASUS, CLEVO or SAGR for the parts. Sites like rjtech.com have pretty much all you would need.
In some ways, this is why I'm glad the year of 'Linux on the desktop' never came. The last thing Linux (as an OS or community) needs are a tonne of OEM tweaked 'editions' of various distributions shipping with all kinds of garbage.
It's the dark side of the freedom to customize. Apple's fascism keeps this stuff mostly off their platform. Windows is comparatively open with OEMs having much more leeway, hence shitware.
" The behavior is documented in the End User License Agreement that all users must read and accept prior to using their Lenovo system for the first time. The EULA can also be found in the “c:\windows\system32\oobe\info” folder."
Do current machines actually ship with the EULA on paper or require the user to confirm it on first boot? (Not that that makes it a positive thing)
> accept prior to using their Lenovo system for the first time
Paper or first boot doesn't matter. While there are other necessary features[1], the post purchase ("shrinkwrap") EULA doesn't have a "meeting of the minds"[2] and thus is not a contract.
A contract isn't a "gotcha" game - the entire point is that there is to establish a mutual agreement between parties. At the time of sale (when consideration[3] is exchanged), there is no EULA. Nothing has been negotiated and there is no mutual understanding of what is required of each party.
In an ongoing attempt to circumvent the first-sale doctrine[4], the software industry has a bad habit of thinking they can throw an offer[5] at someone afterwords and have it count as a contract. They can make all the offers they want, but without another agreement and exchange of consideration[3] it's not a contract.
Fudge, I have a lenovo just like the one they are talking about. When superfish came out, I had it and managed to get rid of it with the help of the internet. My question; how do I determine if I have this and how do I then get rid of it?
I love Lenovos, owned countless awesome thinkpads and I was teetering between a thinkpad and a System 76 for my next upgrade. This just seals it for me.
Some Dell business laptops and HP's older EliteBooks have touch pointers - though I seem to remember they're concave instead of convex (perhaps due to patents?).
I have never owned one myself, but potential buyers should be aware that these are Clevo rebrands, and there has been a lot of backlash about customer service, quality control, and just overall quality in general.
A few years ago I got a clevo barebone rebrand... it had everything I wanted hardware-wise but the keyboard was terrible.. (this was an i7-720 era machine - I guess that's the gen 1 of the current cpu rounds)
System76 just rebrands Clevo laptops and installs Ubuntu on them, and host their own PPA to deal with system-specific drivers. In my experience, the laptops aren't any more linux-friendly than your average laptop (certainly less than your average Dell, or older Lenovo), it's just that you have, in theory, somebody else coming up with the hacks to get certain functionality to work, and pushing it to you as an update. Which is certainly something that many people might find appealing, but not everyone (especially those that like installing their own system).
Personally, I would just buy an old Thinkpad (see [0] for a great guide that was posted here a while ago) from before the time Lenovo became evil. I have an x201 that I rebuilt from cannibalised parts for less than $100 total (not including the SSD). An i5 and 6GB of RAM, 3 USB 3.0 ports added via ExpressCard and a 9 cell battery, all for 1/6 the cost of System76's new 'Lemur'. I have never experienced such wonderful Linux support out of the box. Although, you don't get a warranty :P
I have an old x201 that I need to upgrade. Can you share what ExpressCard you're using? Also, did you get a new 9cell? My own 9cell is at 77% tot. capacity and at 90eur for a new one, I'm not sure if it's worth investing in. Oh, and how much battery life are you getting under what distro/desktop? Cheers!
Oh, get a few of these[0]. They are pretty flimsy, but cheap (I've seen them for sale on eBay and various sites like aliexpress for ~20 euro-ish before. They sure hold a charge; I've had 9 hours of constant use before (of course, that was with a highly optimised Gentoo setup and mostly just coding without a graphical environment. I get 6 hours on average).
I don't know what expresscard I'm using, but it's an expresscard/54 that has 3 USB 3.0 ports. It's a generic Chinese card, and it works fine. Though, in order to use it to boot from USB you need install libreboot (there might be another way, I'm not sure).
It sounds like it's sending a list of what applications you have installed and which ones you use. I'm not really in favor of this, but don't iOS, Android, and Windows 10 all do this as a core part of their design?
Obviously it enables all sorts of malicious behavior by the companies and governments they are subject to, but Lenovo seems like they're pretty tame by comparison to the OS vendors.
The "Lenovo.TVT.CustomerFeedback.Agent.exe" that this article labels as spyware is explained on lenovo's website below. Did the author bother using google? The program reports if you are using lenovo's apps for usage statistics.
"Some applications in the preload collect usage data that is transmitted to Lenovo. This includes statistics about which features/settings are being used and how often they are being used. The data does not include any personally identifiable information (PII). Lenovo uses this information to improve our applications and focus on the features that are being used the most."
No, burying notification of telemetry systems with unknown privacy impact (and most likely sloppy coding/encryption practices (if any!), as is standard for oems) in a eula that is probably 10+ pages of dense text is the opposite of reasonable.
Yet another reason to just buy macs. Apple doesn't do this shit.
The difference is obviousness. If you interact with the app store to buy an app, you clearly know you did so. If you run a spotlight search and it returns results from the internet, spotlight obviously queried the internet somehow.
Lenovo monitors what you are doing without in any way telling you, or the user taking any action.
I like iPhones and Macs but Apple certainly does more than just use Spotlight searches to query the internet. They also, for example, record and log your location without telling the user and without the user taking any action. This via cellular network and not GPS, so the user has no say in what is logged.
Exactly the type of thing Lenovo does that you imply Apple does not.
Apple recently updated their privacy policy. Warrant canary removed. They now "cooperate with the law and protect their consumers" AKA we don't give a shit about you, we're selling your data.
I don't know how to find it since Google's keywoards are gamed so heavily by newer sites now, but a while back a programmer found GPS logs from his phone when he was using zero GPS apps.
The last time around, they managed to leave all of their customers vulnerable to anybody who felt like it MITMing their HTTPS connections, even though they were only attempting to do some relatively minor thing.
Can we be sure that this app is as benign as it says it is? Given the history, I would not assume that until and unless it's verified.
Isn't the humorous part of all this in how the system is running Windows 10 anyway and collecting far, far more data than this poor CustomerFeedback thing is doing?
Oh even paying customers have long been the product. Just look at printed magazines etc, where the number of subscribers is used as part of the advertisement sales pitch.
Hell, buy/rent a DVD/BR these days and you will likely find yourself with a face full of (unskippable) ads.
Edit:
Welcome to the modern metric laden day. Every waking moment will be measured and assessed by algos and "experts" alike.
110 comments
[ 3.3 ms ] story [ 61.4 ms ] threadI can think of no reasonable response but to abandon Lenovo products entirely.
Maybe buying direct from another manufacturer on the list in the link I posted or buying a laptop or PC without an OS on it solves 95% of the problem. Maybe I'm just assuming too much here.
I guess this confirms my initial point when it comes to hardware, people are not that well informed.
via
https://news.ycombinator.com/item?id=10039306
That Rev. Stallman uses their laptop speaks for Lemote's trustfulness.
Dells business range isn't so bad. I bought a Latitude in January of last year and, although it had some superfluous fluff bundled with it, it was lean enough that I didn't bother to format and reinstall from scratch (although I dual boot). I previously bought a Lenovo ThinkPad for more and returned it because the depressing build quality (I don't remember much about the bundled software because it simple doesn't factor in to my purchasing decisions).
I think the fact that this spyware was found on a refurbed ThinkPad shows just how far the brand has fallen.
The machine in this article is a Thinkpad.
Not that I'd ever buy a device with Windows preinstalled anyway, nor do I recommend it.
Otherwise business class systems are typically better about pre-installed cruft.
In summary, the Intel Management Engine and its applications are a backdoor with total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the libreboot project strongly recommends avoiding it entirely. Since recent versions of it can't be removed, this means avoiding all recent generations of Intel hardware.
http://libreboot.org/faq/#intel
Original comment follows:
Former Thinkpad fan. I love my new Dell Rugged Extreme. I got the 12. This thing is built the way Thinkpads used to be (complete with the price tag of a used car).
The only thing(s) I don't like about it is the missing trackpoint. I really miss that. And the fact that black-box UEFI is built in (but what do we know about modern microcode anyway, might as well get some ostensible security measures for 'free'). Oh, one more: the "QD" connectors do not accept standard straps/slings -- only insanely expensive (and hard to find) Dell brand straps/handles.
Everything else about it is outstanding. This thing is a brick with rounded, rubber edges.
Drive over it with your truck. (watch the video)
Use it as body armor. (no, don't really)
Go scuba diving in the arctic. (Check out the frozen-in-an-ice-block video on Youtube.. while running on battery.)
The screen is incredibly bright, but it also has a slick quick-kill for all the lights. Just the thing for when a warlord is on your tail. The multi-color LED backlit keyboard looks awesome.
It runs Kali Linux (built on Debian Jessie) perfectly. Everything works, including the touch screen and stylus, out of the box.
UEFI isn't any more black-box than BIOS in general. Sure, I'd rather run entirely FOSS firmware, but in the absence of that, UEFI doesn't make things any worse. If anything, it allows quite a bit more introspection and extensibility. And its core is FOSS (https://github.com/tianocore/edk2), just not the versions shipped by board/system vendors.
https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_In...
Note that this level of enterprise control has been possible for some time; even without IME, if HR hands you a laptop and doesn't tell you the BIOS password, then it might be set to, say, attempt to network PXE boot by default from the corporate intranet's deployment-and-compliance servers.
---
[1] Actually it's more literally like the kind of "smart" server-rack backplane that allows you to connect a remote serial console to an unresponsive server to see what's going on, or send it a hard reboot or whatever else. Except for managing desktops instead of servers.
It's hard to argue with metaphors, because they start out being inexact and go downhill from there. (oh, another one!) But I'll try anyway :)
It's really nothing like group policy's or configuration profiles, except it could be used to deliver similar functionality for your machine from either the manufacturer, or from your company, or from anyone else along the way who implemented their own backdoor into your hardware during shipping[1] or maybe just inserted their own microcode into the CPU, because it literally is an all-powerful hardware backdoor that lives below your OS. It can even be upgraded remotely in many cases.
Backdoors can be used for good or for evil, of course, but that's what it is. (and it actually has nothing to do with hypervisors, unless you take the metaphor that any operating system you install is really running under the control and whim of the Intel Management Engine.) Again, the metaphor of a remote management console is again over-simplifying, but, sure, it can do that, too.
When you're reading this[2], remember that you don't control those keys and you can't remove that software. You can't 'just turn it off':
1. http://gizmodo.com/the-nsa-actually-intercepted-packages-to-... 2. http://libreboot.org/faq/#intelme
What I meant was that, the same way the userland runs at the control and whim of the kernel, and the kernel at the control and whim of the hypervisor, the hypervisor itself will run at the control and whim of IME. Because IME sits at ring -2 (yes, that's a thing now), the hypervisor at ring -1, the kernel at ring 0, and userland at ring 3. So it's actually more than "hypervisor-level access", but a hypervisor is almost as capable, so it's a decent comparison.
> ...except it could be used to deliver similar functionality...
That's what I was trying to communicate, yes. The purpose (not the functionality) of IME is to enable enterprise management. Like Group Policy or Configuration Profiles, like server backplane management, like running your app as a VM on a hypervisor, like a lot of things.
The point is that these technologies exist to enable companies to control and manage their hardware assets. None of them are built in such a way that they can reach out and bite you if they haven't been set up and configured by the computer's owner, any more than someone could interface with your computer's serial console without attaching a serial cable to it.
A lot of devices come with privileged backdoors, for a variety of reasons. For example, a lot of CPUs have a JTAG debugger chip embedded, exposed via GPIOs. But since such backdoors require hardware access to enable, they're not all that scary. Of course your device isn't secure if someone gains physical access to it. While they were in there, they might have also installed a Bluetooth-transmitting in-line keylogger chip or something.
Now, what might be scary about IME is that it's enabled by default. But a lot of things are also insecure by default until hardening is applied, and have to be secured in a clean-room environment: Windows, for example. If you care, you do this.
But I don't see its existence in particular as troubling, insofar as it doesn't represent any greater loss of control than was already true. Intel chips (and I'm pretty sure those of most other CISC manufacturers) have been running microcode updated via encrypted blobs for decades; this microcode can have any number of backdoors embedded in it. You don't need a fancy special-purpose coprocessor to do this stuff; the main processor is perfectly capable of doing Intel's bidding instead of yours without any help. The IME just allows your computer to do the bidding of some arbitrary third-party that Intel likes (like DRM companies), instead of the code needing to be written by Intel themselves, embedded deep in the CPU's internals.
Note also that most firmware chips can be re-flashed to do bad things; CPUs are not alone in presenting this "bugged out-of-the-box" attack-vector.
...but then, to go one step further: if you don't trust Intel's chips because of their firmware, why does it matter whether it's firmware or not? Backdoors can be embedded in the traces of the CPU itself. Having updatable microcode doesn't change this; the existence of the IME doesn't change this. Do you think the NSA can't requisition a one-off custom variant printing of a CPU, and get that stuck the board of a Person of Interest's laptop, or phone, or TV, instead?
This is why I was concentrating on the Intel AMT (remote Internet access) feature of the IME: it's the only part that materially changes things from how-the-world-was before its existence. If you're an end-user and own your computer, you can disable AMT, and verify that it's disabled—the computer will no longer reply to probes on that port. Everything else is just a dozen new vectors for motivated attackers to do things motivated attacke...
As you move downward into more primitive levels of the system, or outward to edge parts of the system (ie a usb attachment), it becomes harder to see what's going on. For example: let's say that you p0wned the firmware on a non-boot SATA drive. You could see all the bits flying across, but you can't do much about them except tamper with them; they might be encrypted, or you maybe can't get access to the network in order to ship them off elsewhere. There's probably ways around each of those, but it's hard. But what if I took a Raspberry Pi and stuck it on the system bus? that's a different story :)
When you have a multi-megabyte secondary server and processor that's hooked directly into your system bus, watching everything that comes across and able to subtly react, tamper, watch just for keys, or ship data off elsewhere, then (as you point out) the attack vectors multiply compared to a exploiting a device's firmware. And, you can't ever get rid of them. EVER. No amount of flashing will fix it, because you can't flash it anyway. (That's why I posted the libreboot IntelME link).
What if just the hardware RNG (rdrand) watched for a particular sequence of bits to come into some registers, and then started spitting out a predictable sequence for random numbers?
What if this wasn't even a crazy conspiracy theory? (It's not, as we know now, although we don't know the exact mechanism that hardware RNG's are owned by). :(
> The IME just allows your computer to do the bidding of some arbitrary third-party that Intel likes (like DRM companies), instead of the code needing to be written by Intel themselves, embedded deep in the CPU's internals.
Yes, agreed - that's a radically different level of surface area.
Any firmware can be reflashed, but this isn't just any firmware; this is firmware that connects everything together. This is literally the heart of the system. And it's completely locked off from our even viewing it, let alone choosing not to using it.
> If you're an end-user and own your computer, you can disable AMT, and verify that it's disabled—the computer will no longer reply to probes on that port
Agreed, but you originally said you can disable IME, and that's all I was really taking issue with :)
Disabling AMT still leaves IME: what is it doing? You don't know, and we'll never tell you ;)
> Everything else is just a dozen new vectors for motivated attackers to do things motivated attackers have always been able to do.
Agreed. :(
Thank you for the interesting discussion! It'd be fun to relax and argue about it sometime in person. :)
You can say many things about Apple, but at least when you buy their hardware you know exactly what to expect. If you used one of their laptops you've used them all.
But, to your point -- Apple hardware, like most modern laptops, are built on Intel chipsets and cryptographically signed to prevent tampering by the owner. You're locked out of your own laptop.
If you're concerned about security or even if you just like to hack on the stuff you paid for, it's probably not where you want to be. You have no idea what's going on in there, and it's heavily encrypted at multiple layers to keep you from finding out. See my comment above: you were backdoored before the operating system was even installed. I was too, with my sweet new matte black Dell. (See my comment above).
The sad part is that there are very few modern laptops (if any) that we're not steadily being locked out of. It's not just Apple. It's (almost) everyone. and, of course, it's our phones, too. Check out the libreboot and coreboot websites for some modern(ish) gear that isn't backdoored.
Just because they don't care, doesn't mean they don't understand.
I suspect they are fully aware but money beats morality every time.
> I can think of no reasonable response but to abandon Lenovo products entirely.
I'm with you there, but I doubt enough people with buying power are concious about the issue for it to make much difference and most of those that are concious of it either will forget soon enough. I've not knowingly bought a product with Sony written on it since the rootkit incident in 2005, and that doesn't seem to have done them much harm!
One other company with a glaring example was the Sony root kit debacle.
Is there a list of companies who have done things like this? Kind of like storing passwords in free text (for which there is a site to name and shame) it doesn't get the press that it probably deserves to.
My list contains one name.
For some reason, this company on my list remains a hated company for some geeks. Something about overly restrictive control of the platform, but for me it means having control over my own data, because the platform tries its damnedest to keep bad players from getting inappropriate access.
I won't give the list because doing so seems like a cheap shot. But I think everyone knows what company is on it.
I'm not saying this is the only such company. It's just the one I know of. Others may have longer lists.
The problem with crapware on Wintel is that Microsoft and Intel consumed all the profit from the industry, commoditizing their compliments - OEMs. OEMs then found themselves in a race to the bottom, which has entirely shaped the field and brought about the behavior we've seen. Android is now facing the same problem on mobile - a race to the bottom among the OEMs is bound to produce all kinds of shady behavior.
Apple stayed out of this game entirely, they have thick margins which gives them means to pursue their religion of design, UX, and whatever else they think helps them keep their high-ground spot.
1.) cmd/fn is swapped on their small keyboards and
2.) alt-tab requires you to think. Last app? Last document?
Furthermore there are lots of smaller issues like shortcuts: that there was no consistent way to mark to the start / end of the current line (at least three years ago).
The price is kinda ok, my biggest complaint about the mac is the lack of attention to things that actually matters to me: sane, consistent keyboard layout (or an option to swap, I don't look at the keys to much so I don't care about the label as long as it works) and not breaking the most basic workflows.
I am particularly disappointed because in my perception the decline has been relatively steep and abrupt (whereas i would never mourn Buzzfeed or others in the same way, simply because i never had the impression they had quality ‘content’ in the first place).
Anyway, time to move on i guess. Where else do you HN people get news that isn't necessarily focused on startups or programming? I quite like the New Statesman, personally, but i follow it less closely than i used to because of time pressure.
As long as people don't think about their hardware, this will continue to happen. Either build your own, or don't use vendors like this.
Here's their tool to remove it. http://support.lenovo.com/us/en/downloads/ds104370
Guides for barebones approach:
http://www.instructables.com/id/Build-your-own-laptop/?ALLST...
http://www.corsair.com/en-us/blog/2014/april/how_to_build_a_...
http://www.directron.com/laptopdiy.html
Ebay listing for Laptop Housing if you're going to start from scratch:
http://www.ebay.com/sch/Laptop-Housings-and-TouchPads-For-AS...
Barebones laptop kits:
http://www.rkcomputer.net/rkcnotebooks/index.php?l=product_l...
Yeah, it's not easy, but if you want to do it, it's totally possible.
tl;dr: uploaded data is lenovo program usage only
Do current machines actually ship with the EULA on paper or require the user to confirm it on first boot? (Not that that makes it a positive thing)
Paper or first boot doesn't matter. While there are other necessary features[1], the post purchase ("shrinkwrap") EULA doesn't have a "meeting of the minds"[2] and thus is not a contract.
A contract isn't a "gotcha" game - the entire point is that there is to establish a mutual agreement between parties. At the time of sale (when consideration[3] is exchanged), there is no EULA. Nothing has been negotiated and there is no mutual understanding of what is required of each party.
In an ongoing attempt to circumvent the first-sale doctrine[4], the software industry has a bad habit of thinking they can throw an offer[5] at someone afterwords and have it count as a contract. They can make all the offers they want, but without another agreement and exchange of consideration[3] it's not a contract.
[1] https://www.law.cornell.edu/wex/contract
[2] https://en.wikipedia.org/wiki/Meeting_of_the_minds
[3] https://en.wikipedia.org/wiki/Consideration
[4] https://en.wikipedia.org/wiki/First-sale_doctrine
[5] https://www.law.cornell.edu/wex/adhesion_contract_contract_o...
disclaimer: see a real lawyer for proper legal advice
If they insist, all right then, I will buy a Latitude next time.
But Standard Windows/Ubuntu linux/Mac OS install all phone home and "check for security upgrade" everyday too.
https://system76.com/
Great hardware for the price, comes with Ubuntu but you could easily put a good Linux system on there (ducks flying objects)
http://worldwide.espacenet.com/publicationDetails/biblio?CC=...
http://worldwide.espacenet.com/publicationDetails/biblio?CC=...
http://worldwide.espacenet.com/publicationDetails/biblio?CC=...
Edit: But, thank you for the information.
https://www.reddit.com/r/linux/comments/1xhtrj/what_are_your...
Personally, I would just buy an old Thinkpad (see [0] for a great guide that was posted here a while ago) from before the time Lenovo became evil. I have an x201 that I rebuilt from cannibalised parts for less than $100 total (not including the SSD). An i5 and 6GB of RAM, 3 USB 3.0 ports added via ExpressCard and a 9 cell battery, all for 1/6 the cost of System76's new 'Lemur'. I have never experienced such wonderful Linux support out of the box. Although, you don't get a warranty :P
[0] http://ktgee.net/post/49423737148/thinkpad-guide
Edit: spelling
I don't know what expresscard I'm using, but it's an expresscard/54 that has 3 USB 3.0 ports. It's a generic Chinese card, and it works fine. Though, in order to use it to boot from USB you need install libreboot (there might be another way, I'm not sure).
[0] http://www.amazon.com/CBD-Hi-Capacity-Battery-ThinkPad-7800m...
Obviously it enables all sorts of malicious behavior by the companies and governments they are subject to, but Lenovo seems like they're pretty tame by comparison to the OS vendors.
https://support.lenovo.com/us/en/documents/ht102023?tabName=...
"Some applications in the preload collect usage data that is transmitted to Lenovo. This includes statistics about which features/settings are being used and how often they are being used. The data does not include any personally identifiable information (PII). Lenovo uses this information to improve our applications and focus on the features that are being used the most."
Seems reasonable to me.
Yet another reason to just buy macs. Apple doesn't do this shit.
/s
Lenovo monitors what you are doing without in any way telling you, or the user taking any action.
Exactly the type of thing Lenovo does that you imply Apple does not.
[1] http://arstechnica.com/apple/2011/04/how-apple-tracks-your-l...
https://en.wikipedia.org/wiki/Spotlight_%28software%29#Priva...
I don't know how to find it since Google's keywoards are gamed so heavily by newer sites now, but a while back a programmer found GPS logs from his phone when he was using zero GPS apps.
Can we be sure that this app is as benign as it says it is? Given the history, I would not assume that until and unless it's verified.
But there seems to be lots of FUD in the comments on this post. If the apps are malicious, I hope someone finds actually evidence
Why? Gathering usage statistics without opt-in or clearly notifying users beforehand is unacceptable.
But the fact that the company thinks this is perfectly acceptable behavior because EULA, EULA, EULA...
...means they're just as likely to target BIOS, UEFI and other firmware that do the same thing, no matter your OS.
A breach of trust foments a breach of loyalty, no?
Hell, buy/rent a DVD/BR these days and you will likely find yourself with a face full of (unskippable) ads.
Edit:
Welcome to the modern metric laden day. Every waking moment will be measured and assessed by algos and "experts" alike.