Lenovo Ushers in a New Era of Mobile Workstation Power and Performance with Lenovo ThinkPad P50 and P70
-
@scottalanmiller said:
@Dashrender said:
If Dell did this, and had a BIOS shim that installed a NIC/WiFi driver that downloaded a Dell support package - would you crucify them?
No, because they don't have a track record of inexcusable behaviour. We are talking about a known malicious entity doing another thing very malicious.
Would I be happy if Dell was doing something similar? No. But if they were at least doing it with good intentions (legit drivers) it would not warrant crucifixion. If they did it to push malware? Absolutely.
OK so we're on the same page then, the general idea of what is going on here is OK'ish, but because it's Lenovo - and we hate them with cause - this is untrustable.
-
@Dashrender said:
OK so we're on the same page then, the general idea of what is going on here is OK'ish, but because it's Lenovo - and we hate them with cause - this is untrustable.
OKish at best. If it is well known and easily testable and controllable, then okay. If it is secret, not controllable and/or pushing malware it is not okay at all. That it is secret, pushing malware and doing so from a known threat source we have a pretty major issue.
-
For example, if Dell or HP did this and offered a way to turn it on and off in the BIOS settings, great. Having this sort of thing as an option is wonderful. Options are "always" good.
But it's no different than saying we are installing software. Guy comes to your house and installs MS Office for you. Good. Another guy comes to your house and installs five toolbars on IE or whose, a keylogger. Bad.
It's not the act of installing the software that is good or bad, it is what is being done. Primarily. In this case the uncontrolled push of the software is another problem. We can say "oh it's just a NIC driver, that's good" but we are specifically talking about a vendor who put spying capabilities into their NIC drivers.
-
What's more concerning to me is if hackers will be able to update the UEFI remotely to include their own updates to your system though either the older or now available MS solution, AKA a wipe and reinstall won't be effective anymore.
Just like a wipe and reinstall of Lenovo's machines wasn't effective because the shim was baked into their NIC driver, which was your only option for using the building in WiFi.
-
@Dashrender said:
What's more concerning to me is if hackers will be able to update the UEFI remotely to include their own updates to your system though either the older or now available MS solution, AKA a wipe and reinstall won't be effective anymore.
Yes, while what Lenovo has done technical makes them hackers (the Superfish case at least) the much bigger fear is not that Lenovo themselves will use their tools to siphon off your banking info because they have too much too lose (I have no doubt that they would if they thought that they could get away with it) but that others will leverage this as a gateway to your systems. This would be a field day for hackers - and it can be as easy as being a Lenovo employee or knowing one to potentially have access to data that would make this trivial to exploit without even needing to break into anything. And since Lenovo operates from a jurisdiction that will protect them in case of an attack on US companies, there is effectively no legal or financial incentive to keep them from doing so.
-
@Dashrender said:
Just like a wipe and reinstall of Lenovo's machines wasn't effective because the shim was baked into their NIC driver, which was your only option for using the building in WiFi.
Exactly, they are removing the ability for IT pros or end users to protect themselves or even discover when they are being attacked. It's a new level of risk introduced for no reason. Or not a very good one. Getting drivers loaded is not a big deal and there are simple options, like having them loaded in an optional space that would work just fine.
I wonder if this breaks certain OSes or OS version too.
-
@scottalanmiller said:
I wonder if this breaks certain OSes or OS version too.
You're wondering if what breaks certain OSes? The BIOS/UEFI (I'll call it a) authorized hack?
-
@Dashrender said:
You're wondering if what breaks certain OSes? The BIOS/UEFI (I'll call it a) authorized hack?
The forced push of drivers. Sorry that was pretty ambiguous. Even when it isn't doing something "bad" does it, for example, push a version of the NIC driver to Windows 10 even if you have Windows 8 or what about when 11 comes out? How does it do the "forced push" without adding new risks just around reliability?
-
@scottalanmiller said:
@Dashrender said:
You're wondering if what breaks certain OSes? The BIOS/UEFI (I'll call it a) authorized hack?
The forced push of drivers. Sorry that was pretty ambiguous. Even when it isn't doing something "bad" does it, for example, push a version of the NIC driver to Windows 10 even if you have Windows 8 or what about when 11 comes out? How does it do the "forced push" without adding new risks just around reliability?
The previously linked forums posts indicated that a single system was able to tell the difference between Windows 7 and Windows 8 and as such did something different for each system.
Also with rare exceptions Windows 7 drivers work in 8 and 10.
The manufacturer could release a new BIOS update for a new OS that could then support several versions of Windows if needed.
-
@Dashrender said:
The previously linked forums posts indicated that a single system was able to tell the difference between Windows 7 and Windows 8 and as such did something different for each system.
Could do it, yes. But that something is doing detection and force pushing leaves a lot of room for error, right? Does a simple typo case the system to force Windows drivers into ESXi for example? How does it do the detection? How does it ensure it doesn't do the wrong thing? Lots of questions to ask given that traditionally we had humans verifying this stuff.
-
I would assume that any legitimate usage of this function would be heavily marketed as a time-saving measure, something like:
"Many of our customers prefer to start off with a fresh install of Windows. We understand that hunting down drivers just to get hardware working after a reinstall is frustrating and time consuming. Now, we're using cutting-edge technology to ensure your computer has a direct line to automatically download the latest drivers even after a complete reinstall of Windows! System administrators: If you'd rather have a completely blank slate upon reinstallation, this option can be disabled in the BIOS."
You don't just spend time and money getting a feature like this set up without some sort of return on your investment, and in an ideal world this would actually be a pretty decent selling point. I would love to be able to do a fresh install without worrying about driver downloads & updates immediately afterwards. It's not a huge thing but it would be nice.
In contrast, Lenovo's implementation got shut down by Microsoft, and was only discovered by someone doing some deep diving into their own system. Otherwise it would have quietly been a thing until they had to patch it out. It was also difficult to disable, implying Lenovo didn't plan on allowing it to be disabled.
-
@WingCreative Great perspective.
-
@WingCreative said:
"Many of our customers prefer to start off with a fresh install of Windows. We understand that hunting down drivers just to get hardware working after a reinstall is frustrating and time consuming. Now, we're using cutting-edge technology to ensure your computer has a direct line to automatically download the latest drivers even after a complete reinstall of Windows! System administrators: If you'd rather have a completely blank slate upon reinstallation, this option can be disabled in the BIOS."
This would make me SO happy....
-
@WingCreative said:
I would assume that any legitimate usage of this function would be heavily marketed as a time-saving measure, something like:
"Many of our customers prefer to start off with a fresh install of Windows. We understand that hunting down drivers just to get hardware working after a reinstall is frustrating and time consuming. Now, we're using cutting-edge technology to ensure your computer has a direct line to automatically download the latest drivers even after a complete reinstall of Windows! System administrators: If you'd rather have a completely blank slate upon reinstallation, this option can be disabled in the BIOS."
You don't just spend time and money getting a feature like this set up without some sort of return on your investment, and in an ideal world this would actually be a pretty decent selling point. I would love to be able to do a fresh install without worrying about driver downloads & updates immediately afterwards. It's not a huge thing but it would be nice.
In contrast, Lenovo's implementation got shut down by Microsoft, and was only discovered by someone doing some deep diving into their own system. Otherwise it would have quietly been a thing until they had to patch it out. It was also difficult to disable, implying Lenovo didn't plan on allowing it to be disabled.
This tech isn't for businesses, it's purely for consumers. Businesses have people like you and I do make images that contain all the drivers needed, etc.
The vendors don't need to sell this to consumers, as the consumers won't understand what it means, and I'm sure they won't understand the value. Instead the vendor will use it because it CAN (but might not) help them reduce costs of support.
-
@Dashrender said:
This tech isn't for businesses, it's purely for consumers. Businesses have people like you and I do make images that contain all the drivers needed, etc.
The vendors don't need to sell this to consumers, as the consumers won't understand what it means, and I'm sure they won't understand the value. Instead the vendor will use it because it CAN (but might not) help them reduce costs of support.
With that in mind - the general idea of what Lenovo is now being accused of I find in poor taste because the technology is actually a really clever and useful idea. Of course this is Lenovo we're talking about, a completely untrustworthy company - who has shown yet again by their implementation that they don't care about the security of it's customers by deploying the tech in an extremely insecure fashion.
-
@Dashrender said:
With that in mind - the general idea of what Lenovo is now being accused of I find in poor taste because the technology is actually a really clever and useful idea.
Poor taste by whom? What they've been accused of is using this neat idea to actually deploy malware. They've secretly rootkitted people's machines.
Neat or useful or not, it's a breach of trust and ethics.
-
@scottalanmiller said:
@Dashrender said:
With that in mind - the general idea of what Lenovo is now being accused of I find in poor taste because the technology is actually a really clever and useful idea.
Poor taste by whom? What they've been accused of is using this neat idea to actually deploy malware. They've secretly rootkitted people's machines.
Neat or useful or not, it's a breach of trust and ethics.
What what we are reading, this is no more a rootkit than what Lo Jack has been doing for years - and currently there is no evidence that this solution is being used to deploy malware - only Lenovo's own tools. You may not like their tools, but those tools haven't been proven to be malware or spyware yet, least not in the postings I've read.
-
@Dashrender said:
What what we are reading, this is no more a rootkit than what Lo Jack has been doing for years
You are telling me that you've been buying computers where LoJack has taken control of your machine without your knowledge or authorization and has been using it to push unwanted software to your machine that you cannot control?
-
@Dashrender said:
only Lenovo's own tools. You may not like their tools, but those tools haven't been proven to be malware or spyware yet, least not in the postings I've read.
Um, by definition what they've done makes those malware. Software for Lenovo's benefit, withtout the permission or desire or authorization of the customer... that's malware by any definition I've ever heard. What else could it be? It's malicious, it's ware. Just because it hasn't yet been shown to have a dramatic impact doesn't change what it is.
Spyware no, that it is not. That's a specific type of malware. But malware it is. It is not bloatware alone because there is the added condition of this being a malicious intrusion to customers' systems without their knowledge or consent.
Breaking and entering isn't excused just because the person gets caught before they get away stealing something. Breaking and entering alone is enough to arrest them. Malware is malware before it spies on your or damages your machine.
-
@Dashrender said:
@WingCreative said:
I would assume that any legitimate usage of this function would be heavily marketed as a time-saving measure, something like:
"Many of our customers prefer to start off with a fresh install of Windows. We understand that hunting down drivers just to get hardware working after a reinstall is frustrating and time consuming. Now, we're using cutting-edge technology to ensure your computer has a direct line to automatically download the latest drivers even after a complete reinstall of Windows! System administrators: If you'd rather have a completely blank slate upon reinstallation, this option can be disabled in the BIOS."
You don't just spend time and money getting a feature like this set up without some sort of return on your investment, and in an ideal world this would actually be a pretty decent selling point. I would love to be able to do a fresh install without worrying about driver downloads & updates immediately afterwards. It's not a huge thing but it would be nice.
In contrast, Lenovo's implementation got shut down by Microsoft, and was only discovered by someone doing some deep diving into their own system. Otherwise it would have quietly been a thing until they had to patch it out. It was also difficult to disable, implying Lenovo didn't plan on allowing it to be disabled.
This tech isn't for businesses, it's purely for consumers. Businesses have people like you and I do make images that contain all the drivers needed, etc.
The vendors don't need to sell this to consumers, as the consumers won't understand what it means, and I'm sure they won't understand the value. Instead the vendor will use it because it CAN (but might not) help them reduce costs of support.
In the perfect world where companies use technological developments like this correctly, why not have it be for business too?
SMB and nonprofits rarely have imaging processes in place from what I have seen, and are more okay with buying the cheapest workable hardware instead of sticking to a standard hardware deployment.
If you could trust a system like this, you could use the same image across a variety of hardware without setting up and maintaining a driver repository. This would also allow places with mixed hardware to more easily integrate a standard imaging process without spending time finding the right drivers and keeping them up to date.
Instead, it was used like some sort of hidden DRM to ensure Lenovo software persisted when one assumed only Microsoft software would remain. This DRM-like system did not use SSL, allowing anyone sharing your connection the opportunity to intercept and modify the connection and traffic created every boot cycle. Boo to that.
