
Lenovo collects usage data on ThinkPad, ThinkCentre and ThinkStation PCs - ingve
http://www.computerworld.com/article/2984889/windows-pcs/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html
======
sspiff
Many people are saying "just use Linux" or "always do a clean install of
Windows on a new laptop."

However, that's no guarantee to help you escape this kind of malware. Even if
you replace the hard drive and put an open source OS on a laptop, you're still
booting from an increasingly complex, opaque blob of UEFI firmware that you
can't get rid of in most consumer devices. Who knows what goes on in there?

Then you've got the NIC firmware, the TPM (which is basically an entirely
separate computer), and for corporate laptops often Intel's vPro stack as
well.

Realistically, if a vendor wants to track or trick you, they'll always have
the means to do so.

And if the past few years have taught us anything, it's that they really want
to track you.

~~~
pdkl95
The TPM just stores keys. Intel's "Active Management Technology" (the OS in
vPro) is a serious problem. Igor Skochinsky's talk[1] about this is very
troubling.

The final piece of the puzzle is the new "Software Guard Extensions" in
Intel's latest CPUs. This is clearly designed to protect SMM[2]. It is going
to be a lot harder to "root" this stuff when the RAM is encrypted.

[1] [http://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub](http://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub)
[https://www.youtube.com/watch?v=Y2_-VXz9E-w](https://www.youtube.com/watch?v=Y2_-VXz9E-w)

[2]...and DRM in general. See this diagram of GlobalPlatform's "Trusted
Execution Environment"; in particular, note how the "Rich OS" (Windows, Linux,
etc) is allowed to run outside the chain of trust, with the DRM being
protected by hardware.
[http://i.imgur.com/rjbzWyB.jpg](http://i.imgur.com/rjbzWyB.jpg)

~~~
pjmlp
Some of the new extensions are also intended as yet another band aid against C
style memory corruption.

~~~
pdkl95
You only need a memory manager for pointer protection. Intel states their
intent for SGX on their website[1]. Some of the more important goals are:

    
    
        1. Allow application developers to protect sensitive data
           from unauthorized access or modification by rogue software
           running at higher privilege levels.
    
        ...
    
        5. Enable the development of trusted applications [...]
    
        6. Enable software vendors to deliver trusted applications and updates [...]
    
        ...
    
        8. Enable applications to define secure regions of code and data that
           maintain confidentiality even when an attacker has physical control
           of the platform and can conduct direct attacks on memory.
    

This isn't about buffer overflows. You don't need to create a system where
software vendors can create regions of memory that are protected against a
_logic analyser_ or _cold boot attack_ to fix C style pointer bugs. You do
need this capability if you want to hide things from the owner of the
computer.

It's not like they are hiding anything - "trusted applications" has been a dog
whistle for DRM at least since "Palladium" (later called "Next-Generation
Secure Computing Base"), part of Microsoft's "Trustworthy Computing" plans ~15
years ago.

[1] [https://software.intel.com/en-us/blogs/2013/09/26/protecting...](https://software.intel.com/en-us/blogs/2013/09/26/protecting-application-secrets-with-intel-sgx)

~~~
pc2g4d
Aren't there also legitimate use cases for these things? E.g. a password
manager loading itself into a confidential memory region to prevent
infiltration?

~~~
josteink
That may be, but I'm absolutely confident it is perfect for malware and
spyware too.

------
chris_wot
Oh, but they've been doing this for ages now! They install Perion Network's
Conduit toolbar in their Lenovo SafeProtect toolbar. When I tried to track
down what it installs, I found Perion's website and created my own free
toolbar with the same components, and I attached it to notepad.exe.

It gathers location data and other nasties.

I asked Lenovo about this but they denied it was malware, but they would not
tell me what information it was gathering. Interestingly, initially they
denied installing it at all!

That was... Until I pointed them to a press release that showed that they were
indeed paying Conduit Client Services...

[http://www.businesswire.com/news/home/20140618005930/en/Peri...](http://www.businesswire.com/news/home/20140618005930/en/Perion-Partners-Lenovo-Create-Lenovo-Browser-Guard#.VgJxdyNknCQ)

Perion later acquired them:

[http://www.businesswire.com/news/home/20140102005313/en/Peri...](http://www.businesswire.com/news/home/20140102005313/en/Perion-Completes-Acquisition-Conduit’s-ClientConnect-Creating-Leading#.VgJxxyNknCS)

------
throwaway7767
Honestly, I would not trust any pre-installed OS, no matter the manufacturer.
They pretty much all load crapware.

The case where Lenovo were using a UEFI dropper in their consumer machines to
reinstall malware after a reinstall was really bad. But what would make me
stop buying their machines is if a similar below-the-OS malware/backdoor
injection were present in their business ThinkPads. Is there any suggestion
that this is the case?

~~~
buffoon
Do they deserve a chance to explain if it's there or not?

Probably not. They're off our purchasing list.

Problem is: now what? Hardware vendors have all turned to crap in the last 5
years. Lenovo ships crapware and poor quality kit now. HP is stupid expensive
and even enterprise support is crap. Dell are unreliable as hell. Literally
all other vendors won't support a model more than about 6 months old i.e. no
part stock, no service, just replacement with another chunk of junk that will
fail in a few months (Acer, Asus I'm looking at you mostly).

Just leaves Apple but then they're just glued together folding iPads with
keyboards attached now with no chance of maintenance and reliability issues as
well. New battery? Get the paint scraper and heat gun out.

I'm using a Lenovo X201 myself with Mint and I suspect this is the last brand
laptop I'm going to use. Back to the custom desktops at home.

~~~
drzaiusapelord
Dell looks good right now. From what I've been hearing their QA is at Lenovo
levels.

~~~
buffoon
_stares at the large pile of Dell XPS machines that are dead in the corner of
the office_... Not quite there yet...

------
tiplus
Up until the ThinkPad X230, there was coreboot support which was great.
However, with the new Intel chips now enforcing 'Boot Guard' this is no longer
an option [1], is it?

I wouldn't be surprised if Lenovo decided at some point to also distribute
malware modules for Ubuntu as well.

[1] [https://www.phoronix.com/scan.php?page=news_item&px=Intel-Bo...](https://www.phoronix.com/scan.php?page=news_item&px=Intel-Boot-Guard-Kills-Coreboot)

------
pja
Reading the source blog post rather than boingboing, it looks like this code
is _supposed_ to just report back to Lenovo on the user’s use of the Lenovo
specific code on the machine in question.

Unfortunately, Lenovo has seriously blotted their copybook in this area & the
onus is on them to demonstrate trustworthiness. It’s notable that prior to the
Superfish debacle, they didn’t even bother to notify the end-user if the blog
post is to be believed.

------
vacri
It is interesting that the author reminds us that this tracking, while
certainly an issue of trust, is much less tracking than MS is doing with
standard Windows 10.

~~~
fulafel
To echo Cory Doctorow's BoingBoing article (where this originally linked), you
only suffer from this if you put Windows on your ThinkPad.

~~~
sspiff
It only matters if you use the Lenovo image for Windows. A fresh install will
also work around this.

~~~
niklasni1
Still, do you want to give money to these wankers?

~~~
tomswartz07
I'm not defending Lenovo for their actions.

However:

3 years ago, my department went with Acer V5-571P laptops. Every single one
has been broken and destroyed from casual use. We've found serious
manufacturing defects and other flaws, and Acer is not interested in fixing
it.

5 years ago, however, we had a small batch of Lenovo E430 devices. These
devices are in much better shape than the devices two years younger than them.
We have a few other groups of 'incremental updates' that have the exact same
results. Lenovo devices hold up much better.

Say what you will about Lenovo's shady practices, but their computers are
built like tanks.

------
adultSwim
Ugh. This is such a fuck you to us.

I'm well aware that computers come pre-installed with crap. Shocked to see
the tricks being used to keep it there. Maybe I'm just naive...

------
chinathrow
The stupidity of large OEMs seems never ending in that case. See Windows 10
for another recent example.

~~~
9fb29947
Why do OEM versions of Windows even exist in the first place? How is a
bloated, crapwared system ever going to be a better user experience than a
clean install?

~~~
diyorgasms
As for the why, have you ever tried installing vanilla Windows on a modern
notebook? I know Linux has a reputation for bad driver support, but in my
experience with Dell, Lenovo, and HP, a vanilla Windows installation will have
no graphics driver, no network driver (neither wired nor wireless), sometimes
the sound drivers are missing. It is a shitshow. Meanwhile, Linux on the same
machine generally works out of the box.

But the answer to the question "Why do OEM versions of Windows even exist in
the first place" is that without OEM customization, a Windows computer is a
non-functional computer.

~~~
chris_wot
So how do most corporate IT teams build SOEs?

~~~
dagw
They get the drivers from the OEMs.

~~~
mhurron
They are also paid teams to put the image together.

------
dang
URL changed from [http://boingboing.net/2015/09/22/yet-another-pre-installed-s...](http://boingboing.net/2015/09/22/yet-another-pre-installed-spyw.html), which points to this.

