I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn't understand how a Lenovo service was installed and running! Delete the file and it reappears on reboot. I've never seen anything like this before.
Something to think about before buying Lenovo. I searched and found almost nothing about this, so it may be something they started doing in the last few months...
This is getting increasingly disturbing with each new generation of hardware.
You no longer have the right to own the hardware you buy. Now it has become a service subject to their terms.
That Windows Platform Binary Table sounds disturbing and is ripe for being exploited.
Interesting info found [1]:
> Lenovo Service Engine (LSE) is a utility in the BIOS for certain Lenovo desktop systems. It automatically sends non-personally identifiable system data to a Lenovo server one time when the system is first connected to the internet and then does not send any additional data.
> The system data that LSE collected includes machine type and model, system UUID, region and date. No personally identifiable information is collected.
> Once this data is sent, the service is disabled automatically.
> LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability. Microsoft has recently released updated security guidelines on how to best implement this feature. Lenovo’s use of LSE is not consistent with these guidelines and so Lenovo has stopped shipping desktop models with this utility and recommends customers with this utility enabled run a “clean up” utility that removes the LSE files from the desktop. Instructions on how to download and run this program are below.
> The LSE functionality has been removed from newly manufactured systems.
When some people insist on having a Libreboot/Coreboot supported laptop, they call them crazy and idealistic. Now this is what happens.
It's just a shame that with Intel ME the Libreboot/Coreboot devs have given up on Intel machines. I'm very interested in the Purism Librem laptop but I have low hopes. Maybe the future will be ARM.
> It's just a shame that with Intel ME the Libreboot/Coreboot devs have given up on Intel machines. I'm very interested in the Purism Librem laptop but I have low hopes. Maybe the future will be ARM.
This isn't true. Libreboot is the fork that only works with completely free platforms, which the newer Intel chipsets make impossible. Coreboot is still very much committed to supporting new Intel chipsets, although the mainboard availability of course depends on what developers have time and interest for.
Google Chromebooks all ship with Coreboot, so they're fully supported and a great choice if you're trying to make the most free usable computer you can get. They can all run Linux, and some of them even Windows with a little more effort. They also have ARM-based ones, some of which are completely blob-free.
"If LSE is not enabled, it will not be shown under the “Security” tab in the system BIOS and the user is not affected"
FYI, This was not true for me - there was no option in the BIOS regarding this. So I'd say, the lack of this in your BIOS setup screen does NOT mean it is not there!
> It's just a shame that with Intel ME the Libreboot/Coreboot devs have given up on Intel machines.
The new ones, perhaps. Older ThinkPads (like the X201 and T530) are still relatively-well supported by Coreboot (though apparently ACPI isn't quite green yet).
Personally, I'd like a return to the old days of Open Firmware on some RISC-running machine (I'm partial to POWER or MIPS, but ARM would be okay, too).
RMS is sounding less and less crazy with discoveries like this. To think a manufacturer would essentially rootkit their own machines is testament to how bad things have become.
Would running TrueCrypt full disk encryption protect you from your own hardware? If the BIOS can't read the disk on boot, I don't think it would inject the binary into the file system.
No - see my reply to the Ars thread. Windows 8 introduced an "official" way to do this called "Windows Platform Binary Table". Every time Windows boots, it checks your ACPI table for an entry called "WPBT", writes that to disk as "wpbbin.exe", and executes it. There does not seem to be any way to disable this behavior in Windows. Truecrypt would not help in this case because it happens after boot.
You know, I have to agree. My gut reaction is "blame the policy not the technology", but after looking closely, I'm struggling to see how this feature could ever be applied towards the user's best interests.
I've bought a Lenovo notebook, wanted to download a copy of Windows from them (it's OEM), and searched on their forums for clues, since I didn't find anything on the site. This is what a moderator wrote
> If what you wish to achieve is an OEM imaged system, the only way is to obtain official recovery media through official channels. There are no legal downloads available, therefore discussion of it is not allowed. You may contact Service (info and hours below) to discuss your options.
Better response than I got. This was just a couple months ago, the laptop shipped with Superfish installed on it in spite of assurances that it wouldn't, so I called them to ask where I could get driver installers for after I wipe / reinstall windows. I was told that I could under no circumstances reinstall Windows (even if I went and bought a brand new Windows license), that it would void my warranty and break everything and there were no drivers because: "it's not Microsoft Windows on these machines, it's Lenovo Windows".
I am never buying from them again, and at this point there is literally nothing they can do to regain my trust as a consumer.
I can say with absolute certainty that (at least in America) reinstalling Windows does NOT void your warranty (despite what any rep may tell you), and selling you a device with a problem they assured you didn't exist is fraud.
I would return the laptop for a refund (regardless of how long you've had it), and if they refuse to take it back (which they likely will), file a small claims case in NC (I know, not necessarily an option depending on where you are). They may try to argue that you 'agreed' to arbitration, but because they misrepresented the quality of the device, you can argue that agreement was 'signed' under false pretenses, and isn't legally binding.
I'd also post recordings of your support calls online if you have them, or call back and record new ones if you don't. Posting those online does not run afoul of the broadcast laws which apply to phone recordings, and recording calls with only one party aware is legal in all but 11 states, and everywhere once they tell you they're recording the call.
I'm doing the same damn thing with the tech companies that screwed me over, so I made sure to do my homework.
I think after Superfish and now this anyone would be mad to buy Lenovo - I work for large companies - and I would never ever recommend them (luckily I haven't worked somewhere recently that uses them).
We (the US) allow IBM to sell its PC Division to China, which becomes Lenovo, and you are now somehow surprised something like this happens? Failure to retain a comparative advantage in global free trade policy has many downsides. I fear this is just the tip of the iceberg.
"Comparative advantage" has a precise meaning in economics, and this is not one of the situations where the precise meaning applies.
"Strategic advantage" would be a better fit for your comment.
The majority of the profit from the sale of Windows PCs goes to Microsoft because everything in the PC besides the operating system are "commodities", meaning they are available from multiple suppliers who must compete with each other. (Actually Intel might be taking a significant fraction of the profits, too; I'm not sure.) Lenovo wants to become more than a supplier of a commodity because in a mature, shrinking market, there is little profit in supplying a commodity, and it is being clumsy and ham-handed about it, which annoys their customers.
I don't see how this is a danger to the US. If Lenovo persists in being clumsy, customers will simply shift to other suppliers. This is not a social crisis; this is just a relative newcomer to the game who did pretty well when the market was expanding and is not responding well to the end of the expansion.
I've worked in computer repair shops, and what you've described about OEM Windows is how it's worked for years. You have to either use the recovery partition that comes with the machine or order new recovery media from the manufacturer. This isn't unique to Lenovo.
I find a nice little program called Daz Loader works much more smoothly than Lenovo support. As long as you have the correct SLIC code in the BIOS you are golden.
As others have said there seems to only be a single Word document Microsoft have published on the "Windows Platform Binary Table". I then found the following MSDN Forums question (with posts between 2013-07-16 and 2013-07-18) about how to implement WPBT by someone with the username "kevinwu1980". A Google search for "kevinwu1980 lenovo" gave me this (the page is now a redirect). If that MSDN Forums post is by the same guy then Lenovo was likely working on this in mid-2013:
> ... for Client Security. Hui Jun (Kevin) Wu, Lenovo Global Desktop Development Laboratory ..... Contact him at kevinwu1980@gmail.com or wuhj@lenovo.com.
"a security vulnerability that was discovered ... by an independent security researcher, Roel Schouwenberg ... As a result of these findings, Microsoft recently released updated security guidelines ... on how to best implement this Windows BIOS feature."
tl;dr version (since this blew up on Reddit and there's lots of stuff to digest)
* in Windows 8+ any PC vendor can include an .EXE in Firmware/BIOS, and Windows will look for this on each boot, and run it right before you log in. This is called "Windows Platform Binary Table". This is something Windows does, and there is no way to turn this off. To me, this is the bigger story, because vendors may now start to use this method to install anything, making a clean windows install impossible.
* Lenovo uses this method if you try to install Windows 8, but if you install Windows 7, it does the sketchy "overwrite your system file (autochk.exe)" method instead.
* Either way, Lenovo installs a service on your PC. It was found to have security bugs. I can't find the link, but they said this was placed on some laptops/PC's from late 2014 to Summer 2015. They've released a new firmware 2 weeks ago that turns this off.
I would like to know if any non-Lenovo pc's have used this "Windows Platform Binary" method to run software from the firmware, because when I searched for it, I saw people with Dell's and HP's who thought they might have a virus, posting scan logs that contained the text "wpbbin.exe" (which would only be there if Windows found it in the BIOS and put it there) For example see https://www.google.com/search?q="wpbbin.exe"+site%3Aforums.m...
Check your PC:
Windows 8 and up: Check your event log for "Microsoft-Windows-Subsys-SMSS" and if you see "A platform binary was successfully executed." your PC vendor is doing this. Or, look for a file called wpbbin.exe in windows\system32. (This file would ONLY exist if Windows found it in your firmware and ran it.)
Windows 7: Verify your autochk.exe is legit. I think you could simply do: "sfc /VERIFYONLY" in cmd.exe (as Admin) but I did not test it. My autochk.exe was signed by Lenovo in 2014 (which tipped me off it didn't come from the Windows 7 DVD I got in 2010!).
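The checks described in this comment, written out as an added PowerShell audit script (this is not code from the thread, from Lenovo or from Microsoft; it assumes an elevated prompt and PowerShell 4 or later for Get-FileHash, and uses only documented Windows APIs and cmdlets):

```powershell
# Added example, not from the thread: audits a Windows machine for the
# WPBT indicators listed above. Run from an elevated PowerShell prompt.
# Nothing on the machine is modified; the script only reads and reports.

Add-Type -Namespace WpbtAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(
    uint FirmwareTableProviderSignature, uint FirmwareTableID,
    byte[] pFirmwareTableBuffer, uint BufferSize);
'@

# 1. Ask the firmware itself whether an ACPI table with signature "WPBT"
#    exists. This is the table Windows consults at boot, so it is the
#    authoritative check even before any wpbbin.exe has been written.
function Get-WpbtTable {
    $acpi = 0x41435049   # 'ACPI' provider signature, as documented by Microsoft
    # The table ID is a DWORD whose in-memory bytes spell the signature.
    $id   = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)
    $size = [WpbtAudit.Native]::GetSystemFirmwareTable($acpi, $id, $null, 0)
    if ($size -eq 0) { return $null }     # no table: the vendor is not using WPBT
    $buf  = New-Object byte[] $size
    [void][WpbtAudit.Native]::GetSystemFirmwareTable($acpi, $id, $buf, $size)
    [pscustomobject]@{
        Length = $size
        # Every ACPI table header carries a 6-byte OEM ID at offset 10.
        OemId  = [Text.Encoding]::ASCII.GetString($buf, 10, 6).Trim()
    }
}

# 2. SMSS logs "A platform binary was successfully executed." when it ran one.
function Get-WpbtExecutionEvents {
    Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Subsys-SMSS' } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'platform binary' } |
        Select-Object TimeCreated, Id, Message
}

# 3. wpbbin.exe only exists if Windows extracted it from firmware.
function Get-DroppedPlatformBinary {
    $path = Join-Path $env:SystemRoot 'System32\wpbbin.exe'
    if (-not (Test-Path $path)) { return $null }
    $sig = Get-AuthenticodeSignature $path
    [pscustomobject]@{
        Path   = $path
        Sha256 = (Get-FileHash $path -Algorithm SHA256).Hash
        Signer = $sig.SignerCertificate.Subject
        Status = $sig.Status
    }
}

# 4. Windows 7 path: autochk.exe should carry a Microsoft signature, not an
#    OEM one. Microsoft signs it through a catalog, which
#    Get-AuthenticodeSignature only resolves on Windows 8 and later; on
#    Windows 7 fall back to "sfc /verifyonly" as suggested above.
function Test-AutochkSigner {
    $path = Join-Path $env:SystemRoot 'System32\autochk.exe'
    $sig  = Get-AuthenticodeSignature $path
    [pscustomobject]@{
        Path      = $path
        Status    = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Microsoft = ($sig.Status -eq 'Valid' -and
                     $sig.SignerCertificate.Subject -like '*Microsoft*')
    }
}

$report = [ordered]@{
    WpbtTable     = Get-WpbtTable
    SmssEvents    = @(Get-WpbtExecutionEvents)
    DroppedBinary = Get-DroppedPlatformBinary
    Autochk       = Test-AutochkSigner
}
$report
if ($report.WpbtTable -or $report.SmssEvents.Count -gt 0 -or $report.DroppedBinary) {
    Write-Warning 'Firmware-delivered platform binary indicators found; review the report above.'
}
```

A present WPBT table with no SMSS event usually means the table exists but has not run yet on this install (for example on Windows 7, which ignores it), so check the autochk.exe result in that case.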
I just replied to the Ars thread - it's even stranger. Windows 8 and up have an officially Microsoft sanctioned way of letting manufacturers load software through Firmware, called "Windows Platform Binary Table". It means it is impossible to do a clean install of Windows now. I've seen zero mention of it anywhere - maybe Lenovo was the first to pull the trigger and make use of it recently.
Because people continue to make excuses for MS and continue to buy windows after they do things like this
>How much worse are they going to get?
Lots, because people will whine on the Internet but will not do anything that actually matters or will make a difference; you know, like using an operating system that respects your freedom...
Does anyone know if Lenovo try to put some rootkit on Linux / BSD based OSes? I mean, if it does attempt to do it on Windows, it may as well do it on Linux / BSD based OSes.
I was wondering about buying a ThinkPad soon to improve my hardware... And I'm pretty scared about this.
You'd be safe. First thing is that they are probably uninterested in us Linux & BSD users to begin with, but, entertaining the notion, I have a few thoughts.
The two methods of how this works could be blocked. For systems without support for WPBT, where the firmware attempts to overwrite system files, one could use whole drive encryption (like LUKS) on Linux to prevent the firmware from being able to write directly onto your drive. If they are more sneaky and have this tied directly to the firmware methods for writing to disk, you can always compile the Linux kernel to not require the BIOS after loading the kernel. This may be the default mode of operation now, I'm not entirely certain.
For the systems using WPBT, it's even easier. There is no way in hell they could get a patch into the mainline or any real community kernels that would load contents of the system firmware and immediately execute them. No self-respecting distribution would enable this either without the user explicitly authorizing it in the first place.
If they are super evil and actually attempt to inject code directly into the system memory, this would depend on an explicit kernel version because the in-memory model & organization aren't guaranteed to be the same between kernel versions. The last thing someone wanting to take over your computer wants to do is render it unstable. It just makes what they are doing more apparent.
The fact that Microsoft actually provided a way of having binaries executed without the user's permission (or ability to turn it off) is absolutely unacceptable. It's like they want to be able to run what they want on our systems...
Linux' boot process is at its core designed around mechanisms that allow the bootloader to control binary execution: they're called the kernel command line (init=) and the initramfs. Granted, the bootloader is not the firmware, but since everyone is using GRUB these days it wouldn't be too hard for firmware to locate the right configuration pieces to overwrite. And since initramfs is by design unencrypted because you need it to decrypt the rest, it's trivial to get your evil.ko injected in there.
There's only so much you can do against evil firmware, unfortunately. Getting a coreboot/libreboot capable machine is the only real way out.
There is no setting I can see to opt-out of what the Lenovo is doing. It's not an anti-theft software, it's software that makes popups appear, asking you to install their software.
Edit: I was wrong on all counts, see chuckup comment below. This happens after boot in cooperation with the OS. Encryption and secure boot are irrelevant.
I presume this type of firmware enabled OS modification will not be able to work with drive encryption enabled, but does secure boot help at all in this situation? Presumably Lenovo includes their own signing key in their firmware so their signed executables would also be trusted. Or is this not something secure boot would verify?
Finally ECC memory in a laptop, I've wanted this for years!
However, I am seriously unimpressed by the maximum memory specifications. 64GB?! I had 32GB in my ThinkPad W510, which was released over five years ago.
I've also had 16GB in my seven year old T400. 16GB was enough for me back then, 64GB now is barely enough for me, it will certainly not be enough in a few years, although by then maybe we'd get larger memory modules, which might work just fine.
Since this is such a huge machine, they should have put more memory slots inside.
I also hope they release a 13''-14'' machine with quad-core Xeon CPUs (or some other CPUs that support ECC, some i7 chips do as well).
I use more than 32 GB of RAM all the time for ad hoc data processing, analysis and transformation and personally I'd like to be able to do the same work on my laptop that I do on my workstation. Especially since I often divide my time between a couple of different offices.
I don't know. With this laptop I'd probably pretty much be there, assuming this new mobile Xeon CPU can post numbers in the same ballpark as a desktop Xeon from a year ago.
Correct, both are true actually. Normally I have my servers that do the stuff I need, but that's why I have a laptop with me, to be able to work anytime, even without internet connectivity (which is a pretty common occurrence).
I stopped using desktops around 15 years ago. Being able to carry state around me is a huge plus. And since I want to minimize the state, I want to carry only one laptop, so it better be performant enough.
I have powerful servers where I run what I need, but sometimes (too often actually), I can't depend on internet connectivity, and have to run everything on my laptop.
I work for a games development studio and for our demo booth at recent E3 we ran all servers off a super powerful laptop - in fact, the servers very barely fit in 32GB of ram. I have 64GB ram in my desktop PC and I do hit swap occasionally.
I'm very excited about ECC in laptops, and want to buy one as soon as possible, but...
Shame it's released by a company which cannot be trusted anymore. I know the bigger blunder (SuperFish) happened in consumer laptop, but all things considered, I can't trust Lenovo any more. That means I won't buy anything they make. I miss old Thinkpads.
Is there any serious laptop manufacturer left at all? A company that builds good hardware, allows user replaceable battery / memory / disk, and doesn't include any crapware, or things you can't disable (like secure boot, Lenovo style hard disk file replacement, etc.).
Not really, I think we can say goodbye to user-replaceable hardware with the rise of the Ultrabook form-factor.
A couple of months ago I was looking for a laptop to buy and I wasn't in a hurry so I checked out literally every manufacturer I could find. In the end I defaulted to Macbook Pros. The hardware is great and OS X doesn't really get in my way.
If you want customization and prefer matte screens, System76 is pretty neat but they weren't available with the keyboard layout of my choice.
Yeah, also using a 2015 Macbook Pro. 256GB SSD is already full and 16 GB non-ECC RAM is small and unreliable.
At least 2015 Macbook Pro 13" is pretty fast and light. I also love the display. Wifi is pretty snappy, download speed from internet is over 250 Mbps, which is enough for me.
I'll swap the internal SSD to 1 or 2 TB model once they become available.
> I'll swap the internal SSD to 1 or 2 TB model once they become available.
I'd personally only do this if the 1/2 TB models were also SSD. OSX is so IO heavy now that any machine without an SSD feels like it's wading through molasses to get anything done.
Well, their SSD pricing is pretty ridiculous but other than that I've been really happy with mine. Good keyboard, really nice screen, best trackpad I've ever used. And the thing feels really sturdy compared to most laptops I've tried.
Oh yeah, the trackpad is sweet! I don't understand why other manufacturers put those crappads in their products, they're often borderline unusable.
Its ability to drive a 4k monitor at 60Hz is also nice. I know it's not enough for everyone, but 4k is all the resolution I'll ever need from a computer display.
Ok, call me skeptical but I did not think Intel would get these out for Q4 of 2015. That 15" laptop is probably way over kill but it has some really nice specs. I think what I really want though is one of these bad boys in the NUC form factor.
I love seriously over-powered "luggables" and these machines might have impressive specs, but there's a big problem; a lot of open source folks won't buy NVIDIA gear due to the need for non-free binary-blob drivers. NVIDIA makes some impressive products, but they seldom play well with others, and they seem to have a real vendetta against supporting open source efforts by simply providing the necessary documentation. With luck, other vendors will also implement the mobile Xeon chips, but make a more friendly and compatible decision about graphics hardware.
If you love over-powered mobile solutions, have you by chance heard of Eurocom?
They make a portable server called Panther, and you can configure it with a 12-core/24-thread Xeon, 32GB of RAM, 4x1TB SSD in RAID 5 config and dual Quadro cards. In that config you have to use two (!!!) 300W power supplies though.
That's not a big problem, because most people aren't "open source" people. The "open source" people won't even get wifi working. The real problem for Linux users is that the Linux drivers aren't good, or don't support Optimus (do they now?), and you get poor battery life or poor performance or you have to manually do configuration just to get a basic working system.
The rule of thumb for Thinkpads and Linux is that you'll be fine as long as you get an Intel wifi card (or some other known quantity) and integrated graphics. For example, the NVS 4200M gpu hasn't really worked out of the box for me even on Ubuntu on a T520, nor the Quadro 2000M on a W520, without having to do some fiddling, or (later) knowing what specific packages to install. Optimus or certain multi-monitor setups was a lost cause, so when you do get it to work, the battery life hurts. (I've read things have improved since a couple years ago.) Wifi drivers (such as Intel's) carry proprietary blobs, which you have to install manually on Debian, but they work reliably -- that's only a problem for true open source radicals, or normal computer users that were tricked into using Debian.
I don't know whose rule you're referring to, but Atheros has always been far more celebrated in terms of their support and openness towards Linux consumers, appliances, etc. than Intel. They had such an impact on the Linux world that Broadcom ended up opening its drivers as a result.
Thinkpads typically come with two kinds of configuration options, when it comes to wifi: Intel, and "Thinkpad" wifi cards where you don't know what you're going to get.
Maybe we got lucky, but unless we do BTO, we won't get other than Intel wifi there. Maybe the local Lenovo representatives really like our market :)
The last time I've seen something unsupported was T400 with ATI/Intel hybrid graphics. I disabled the ATI part, as Intel was good enough and ATI was crappy under Windows too. (the ATI part worked under Linux, but the switching between ATI and Intel didn't. So it was use one or another until reboot.)
For your NVS4200M gpu, didn't Ubuntu offer you an installation of restricted drivers? I vaguely remember that when you booted on such configuration, there was an icon in upper right tray that did exactly that.
The T403s (yes, Intel wifi and Intel graphics) that I'm using right now works out of the box in both Ubuntu and Fedora. On the other hand, when installing Windows 7, it's good to have ethernet driver and tvsu ready at usb stick. (Windows 8 works out of the box too).
> For your NVS4200M gpu, didn't Ubuntu offer you an installation of restricted drivers? I vaguely remember that when you booted on such configuration, there was an icon in upper right tray that did exactly that.
Yes, I mean, I vaguely remember that, too. But often that didn't work, and when it did, you still didn't get Optimus, and multi-monitor stuff was still annoying to set up (until you learn to install some nvidia-settings package, but even then you're manually configuring the monitor mappings in a GUI every time you start up). Now it looks like the official drivers let you turn on/off the discrete GPU, but only after restarting X. Maybe using Bumblebee is simpler too now.
> On the other hand, when installing Windows 7, it's good to have ethernet driver and tvsu ready at usb stick. (Windows 8 works out of the box too).
Lucky. On some Latitude I had to put that on a DVD because the USB support wasn't there.
All of the Ubuntu distros have full support for many of Nvidia's cadillac video cards and it's drop in. I was literally playing CS:GO 5 minutes ago on my Xubuntu box I built to game on. I also haven't had to install a driver for any peripheral or other component in any of machines for at least 8 years now. The very few times I do have to do tier 1-2 support for someone on a Windows machine at work, it requires some driver related bullshit for even the most basic devices.
That's the ideal at least. I tried to install Lubuntu 15.04 on my Thinkpad W510 workstation about two months ago. No display, when I tabbed to console no WiFi or Ethernet. Poked at it for a while, couldn't make it work.
I bought the i3 version which has almost all of the Virtualization extensions and that thing is great for a home lab. I can easily run 6-8 small vms no problem.
It's a fine line with these products, because the memory can really add to the price tag, but its more favorable than cluster of Raspberry Pis to me.
That's very likely still going to have a chiclet keyboard – they didn't ask for user preferences on it –, but it will at least have a proper seven-row layout.
Personally, I don't mind the chiclets – the mechanic is the same as in the old keyboards – as long as the layout gets fixed…
Do you know if they are going to change the touchpad? I tried all the touchpads on the current Thinkpad generation in a store, and I was so disappointed that we chose to buy something else.
For me the biggest issue is the lack of discrete buttons for the touchpad. I felt betrayed when Lenovo finally went the way of the "clickpad", which is the only name I have heard for the style of touchpad where the whole pad's plane depresses to click. I can't be the only one who:
1. Doesn't like tap-to-click on touchpads.
2. Prefers two discrete, easy-to-feel buttons over awkward clickable regions in the bottom corners.
Yes, for you. For me, definitely not. I am getting close to RSI when using any chiclet keyboard besides the MBP's, which somehow made it fairly acceptable but still inferior to the original ThinkPad. The rest, like newer ThinkPads, ASUS, Dell, Toshiba etc. are just plain awful, I feel pain in my wrists after ~20 minutes of using them. And a lot of touch typists complain about chiclet keyboards as well. Flatness everywhere is getting absurd recently. Yes, chiclet keyboards often look better (well, it's the opposite with ThinkPad actually, they IMO look much worse than their original keyboard) but I prefer ergonomics to aesthetics when creating algorithms - the last thing I want is to feel pain in my wrists during a creative phase of coding when I need to write, delete, rewrite and refactor a lot of code, seriously.
Also, as a pianist I can notice subtle differences in the quality of keyboards. There is also one rule when playing on a piano - once you feel pain, you stop, you do something wrong or the instrument is not suitable for you and you'll injure yourself unless something is changed.
That's interesting. Most people who I've seen share their opinion on this matter prefer the newer Lenovo keyboards to that of MBPs.
Laptopmag also put out a fairly detailed comparison of Lenovo's "old" and "new" keyboards, with the newer island chiclet keys coming out on top, including on measures of audible and tactile feedback :