Lenovo Ushers in a New Era of Mobile Workstation Power and Performance with Lenovo ThinkPad P50 and P70
-
@WingCreative said:
Fair enough - Ultimately we probably don't/won't know enough details about what was being downloaded every boot cycle to determine whether or not it was malware according to Wikipedia's definition.
This description alone makes it malware. Because it is automatically downloaded and installed by Lenovo's control they have control of the machine. It meets the malware definition from that part alone. Rootkits are malware. I don't see much grey area here, this is about as malware as it gets, right?
-
@Dashrender said:
Of course it does! Just like Dell and HP installing Drivers before the OS loads!
Of course it does what?
-
@WingCreative said:
....Software made to persist despite users' best efforts is malicious in my opinion....
Exactly. No matter what they intended to do, or how they intended to use it doesn't matter. What matters is only the part that we know. They installed a rootkit, they used it. Malicious intent and malicious action. The part about malware is without question, IMHO. Why would they do it? Stupidity for all we know. Doesn't matter, the inexcusable action happened regardless of how they planned to exploit it.
-
@WingCreative said:
All we know for sure is that a hardware manufacturer insecurely set up a system to make sure their computers reported system information for a few months before getting shut down. The insecurity and exploitation potential makes it badware. Software made to persist despite users' best efforts is malicious in my opinion, and I don't understand why Lenovo would go to such lengths to ensure the Lenovo Service Engine was persistently installed if it only sends system information once before disabling itself as they say.
This is only on desktop, Laptops they say it keeps coming back - as designed.
-
@Dashrender said:
Just like Dell and HP installing Drivers before the OS loads!
Do you have any links to this? I'm not saying it doesn't exist, just don't have any details on it to compare. Do they really have no means of disabling this?
-
@scottalanmiller said:
@Dashrender said:
Of course it does! Just like Dell and HP installing Drivers before the OS loads!
Of course it does what?
You linked saying that the Lenovo stuff downloads before the OS is loading - and I said Of course it does.. just like the HP and Dell stuff.
Though I might stand corrected when it comes to Dell and HP - BUT when enabled, the LoJack stuff DEFINITELY did the same thing, installed software before the OS loaded.
Dell and HP as reported in the Ars link indicates that they are using the MS "Windows Platform Binary Table (WPBT)", but anything that runs from there does have full control of your system just like the Lenovo software.
-
@Dashrender said:
You linked saying that the Lenovo stuff downloads before the OS is loading - and I said Of course it does.. just like the HP and Dell stuff.
But if you knew that it loaded before the OS... why were you talking about the guy getting the popup which had to be from something else then, since a popup can't happen until the OS is running?
-
@scottalanmiller said:
@Dashrender said:
Just like Dell and HP installing Drivers before the OS loads!
Do you have any links to this? I'm not saying it doesn't exist, just don't have any details on it to compare. Do they really have no means of disabling this?
This is a function of "Windows Platform Binary Table (WPBT)". Until today I'd never heard of this, and presently I have no idea if it can be disabled or not.
Quoted from the Ars page, this tells you that you can search some (don't know which ones) Dell and HP machines and find the wpbbin.exe file which indicated that they are using this technology.
I would like to know if any non-Lenovo pc's have used this "Windows Platform Binary" method to run software from the firmware, because when I searched for it, I saw people with Dell's and HP's who thought they might have a virus, posting scan logs that contained the text "wpbbin.exe" (which would only be there if Windows found it in the BIOS and put it there) For example see https://www.google.com/search?q="wpbbin.exe"+site%3Aforums.malwarebytes.org (as early as 2013)
-
@scottalanmiller said:
@Dashrender said:
You linked saying that the Lenovo stuff downloads before the OS is loading - and I said Of course it does.. just like the HP and Dell stuff.
But if you knew that it loaded before the OS... why were you talking about the guy getting the popup which had to be from something else then, since a popup can't happen until the OS is running?
Because presumably even though the installer is already there, it won't do something if you tell it NO don't help me.
You're really completely OK with Dell and HP silently installing NIC or whatever drivers using these methods, but not OK with them installing a component that asks for permission to install itself?
-
@Dashrender said:
Though I might stand corrected when it comes to Dell and HP - BUT when enabled, the LoJack stuff DEFINITELY did the same thing, installed software before the OS loaded.
It is only relevant if they did it without the user's knowledge or permission. That's what this is about. Not that there is technology to do this, but how it is used.
That's where I keep comparing to normal installers. Normal OS software installers can be used to install normal software OR malware. It's not the installer that makes the difference but how it is used.
The technology here can be used for legitimate reasons or for malware. This case is malware because of how it was done. LoJack, I'm quite sure, has the users make the decision about installing it to the UEFI or not.
-
@Dashrender said:
Because presumably even though the installer is already there, it won't do something if you tell it NO don't help me.
But it is too late, the rootkit action has already happened. That you get choices about something else later doesn't matter. I can see what you are saying, but you are talking about asking permission after the issue is said and done. The rootkit is what got us to the point of asking permission, there was no permission asked before that point.
This is like someone breaking into your house and then asking if you want them to make dinner. Sure, it's great that they asked permission before putting the pot roast in. But people are upset because they found a rogue cook in their kitchen.
-
@Dashrender said:
You're really completely OK with Dell and HP silently installing NIC or whatever drivers using these methods, but not OK with them installing a component that asks for permission to install itself?
No, I'm really not which is why I keep asking for a link to show me that this happens!
I'm totally okay with it if they ask permission, make it well known and/or have it able to be disabled. Which, I'm led to believe, we have no reason to doubt that they do at this point.
-
@Dashrender said:
Quoted from the Ars page, this tells you that you can search some (don't know which ones) Dell and HP machines and find the wpbbin.exe file which indicated that they are using this technology.
So you have no reason to believe that HP and Dell are doing this secretly or forcibly and are not talking about the same thing that we are talking about here? Or you just assume that they are doing those things?
We are talking about Lenovo's malicious behaviour, not optional behaviour. Unless you have a reason to believe that Dell, HP or LoJack are doing something similar to Lenovo (again: secret, without authorization and no ability to stop - until they got caught) then I don't think it is right to keep mentioning them as doing "the same thing." Sure they might be, but unless we know that they are we should not accuse them.
-
@scottalanmiller said:
@Dashrender said:
You're really completely OK with Dell and HP silently installing NIC or whatever drivers using these methods, but not OK with them installing a component that asks for permission to install itself?
No, I'm really not which is why I keep asking for a link to show me that this happens!
OHHHHHhhhh K! now we're getting somewhere You're completely against the idea that something - literally anything could happen before you the user has a chance to approve it. Now that I can completely stand behind.
But if that's the case, then you have to say that "Windows Platform Binary Table (WPBT)" is a horrible idea and needs to be removed from Windows, because it allows just this type of action - the ability of the vendor to install something into your computer without your knowledge or consent - and this is a Feature of Windows 8 and higher.
-
@Dashrender said:
OHHHHHhhhh K! now we're getting somewhere You're completely against the idea that something - literally anything could happen before you the user has a chance to approve it. Now that I can completely stand behind.
Yes, but to be clear, if I can go into the BIOS and enable/disable that feature then I'm totally onboard with it. Or if I can choose between firmware versions that do or do not do this. Whatever. If I am given the choice in some manner, then it is fine. So the pure installation of drivers silently is okay, as long as I am aware and could have stopped it (even if that meant proactively disabling it via the BIOS or whatever)
-
@scottalanmiller said:
@Dashrender said:
OHHHHHhhhh K! now we're getting somewhere You're completely against the idea that something - literally anything could happen before you the user has a chance to approve it. Now that I can completely stand behind.
Yes, but to be clear, if I can go into the BIOS and enable/disable that feature then I'm totally onboard with it. Or if I can choose between firmware versions that do or do not do this. Whatever. If I am given the choice in some manner, then it is fine. So the pure installation of drivers silently is okay, as long as I am aware and could have stopped it (even if that meant proactively disabling it via the BIOS or whatever)
LOL again on this we agree - though I'm sure the media would still rain fire and brimstone.
-
@Dashrender said:
But if that's the case, then you have to say that "Windows Platform Binary Table (WPBT)" is a horrible idea and needs to be removed from Windows, because it allows just this type of action - the ability of the vendor to install something into your computer without your knowledge or consent - and this is a Feature of Windows 8 and higher.
Well, I can see why you might feel that way. But that's just not a reasonable action and here is why...
You can say that about anything. You can say the same thing about being able to install software in the OS the old fashioned way. You can say it about JavaScript in web pages. You can say it about Word documents.
It's not reasonable to stop all means of software deployment because they could be used for malicious activity. Maybe this one is so problematic that we need to reconsider it, I'd agree with that. But the key issue here is a vendor that did something wrong given a tool that they had at their disposal. There will always be tools for wrongdoing, we can't take them all away.
What needs to happen is some combination of legal action, market pressure, awareness, etc.
-
@Dashrender said:
LOL again on this we agree - though I'm sure the media would still rain fire and brimstone.
I don't think that they would, because presumably this has been going on and hasn't been an issue until now. Only once it was secret and out of the end user's control did it flare up.
And that it was a vendor with a track record of issues specifically around security and hijacking the control of the end user.
-
You asked for a link to something showing something...
https://forums.malwarebytes.org/index.php?/topic/124460-unknown-virusmalware/
This link appears to be a Dell PC from some of the drivers installed, and has the wpbbin.exe, which Microsoft claims is part of their "Windows Platform Binary Table (WPBT)", and if I recall correctly, is only on the machine if the "Windows Platform Binary Table (WPBT)" pulled it from the BIOS.
-
Hey, we can always assume this trend is caused at least in part by IT pro outrage regarding their questionable practices right?
If there's one thing studying psychology taught me, it's that correlation = causation ✓
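-
Added example, not part of any post in this thread: the discussion turns on whether a machine's firmware publishes a Windows Platform Binary Table, so this Python code parses a raw WPBT ACPI table (field layout per Microsoft's published WPBT description) and reports what the firmware hands to Windows. The sample table, its OEM strings and the argument string are constructed; the Linux sysfs path is only used if it exists.

```python
import struct
from pathlib import Path

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, args length
MIN_LEN = ACPI_HEADER.size + WPBT_BODY.size

def parse_wpbt(blob: bytes) -> dict:
    """Parse a raw WPBT table; raise ValueError if it is not a well-formed WPBT."""
    if len(blob) < MIN_LEN:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _csum, oem_id, *_ = ACPI_HEADER.unpack_from(blob)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not MIN_LEN <= length <= len(blob):
        raise ValueError("declared table length is inconsistent with the data")
    table = blob[:length]
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if MIN_LEN + args_len > length:
        raise ValueError("argument string runs past the end of the table")
    args = table[MIN_LEN:MIN_LEN + args_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\x00 "),
        "checksum_ok": sum(table) % 256 == 0,  # all bytes of an ACPI table sum to 0 mod 256
        "handoff_size": size,        # size of the binary the firmware placed in memory
        "handoff_address": addr,     # physical address of that binary
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.rstrip("\x00"),  # command line handed to the binary
    }

def build_sample_wpbt(args: str = "/constructed-example") -> bytes:
    """Constructed sample table for offline use; not captured from any real machine."""
    raw_args = (args + "\x00").encode("utf-16-le")
    header = ACPI_HEADER.pack(b"WPBT", MIN_LEN + len(raw_args), 1, 0,
                              b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    table = bytearray(header + WPBT_BODY.pack(0x4000, 0x7F000000, 1, 1, len(raw_args)) + raw_args)
    table[9] = -sum(table) % 256  # checksum byte lives at offset 9 of the header
    return bytes(table)

if __name__ == "__main__":
    live = Path("/sys/firmware/acpi/tables/WPBT")  # Linux exposes ACPI tables here (root only)
    blob = live.read_bytes() if live.exists() else build_sample_wpbt()
    for key, value in parse_wpbt(blob).items():
        print(f"{key}: {value}")
```

A machine whose firmware publishes no WPBT has nothing for Windows to extract, which is the condition the wpbbin.exe sightings in the thread are a proxy for.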