I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn't understand how a Lenovo service was installed and running! Delete the file and it reappears on reboot. I've never seen anything like this before.
Something to think about before buying Lenovo. I searched and found almost nothing about this, so it may be something they started doing in the last few months...
You no longer have the right to own the hardware you buy. Now it has become a service subject to their terms.
That Windows Platform Binary Table sounds disturbing and is ripe for being exploited.
Interesting info found:
> Lenovo Service Engine (LSE) is a utility in the BIOS for certain Lenovo desktop systems. It automatically sends non-personally identifiable system data to a Lenovo server one time when the system is first connected to the internet and then does not send any additional data.
> The system data that LSE collected includes machine type and model, system UUID, region and date. No personally identifiable information is collected.
> Once this data is sent, the service is disabled automatically.
> LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability. Microsoft has recently released updated security guidelines on how to best implement this feature. Lenovo’s use of LSE is not consistent with these guidelines and so Lenovo has stopped shipping desktop models with this utility and recommends customers with this utility enabled run a “clean up” utility that removes the LSE files from the desktop. Instructions on how to download and run this program are below.
> The LSE functionality has been removed from newly manufactured systems.
When some people insist on having a Libreboot/Coreboot supported laptop, they call them crazy and idealistic. Now this is what happens.
It's just a shame that with Intel ME the Libreboot/Coreboot devs have given up on Intel machines. I'm very interested in the Purism Librem laptop but I have low hopes. Maybe the future will be ARM.
This isn't true. Libreboot is the fork that only works with completely free platforms, which the newer Intel chipsets make impossible. Coreboot is still very much committed to supporting new Intel chipsets, although the mainboard availability of course depends on what developers have time and interest for.
Google Chromebooks all ship with Coreboot, so they're fully supported and a great choice if you're trying to make the most free usable computer you can get. They can all run Linux, and some of them even Windows with a little more effort. They also have ARM-based ones, some of which are completely blob-free.
Also, if you're putting your hopes on Purism this may be of interest to you: http://blogs.coreboot.org/blog/2015/08/09/the-truth-about-pu...
"If LSE is not enabled, it will not be shown under the “Security” tab in the system BIOS and the user is not affected"
FYI, this was not true for me - there was no option in the BIOS regarding this. So I'd say the lack of this in your BIOS setup screen does NOT mean it is not there!
The new ones, perhaps. Older ThinkPads (like the X201 and T530) are still relatively well supported by Coreboot (though apparently ACPI isn't quite green yet).
Personally, I'd like a return to the old days of Open Firmware on some RISC-running machine (I'm partial to POWER or MIPS, but ARM would be okay, too).
Would running TrueCrypt full disk encryption protect you from your own hardware? If the BIOS can't read the disk on boot, I don't think it would inject the binary into the file system.
> The authenticated device owner should have the ability to disable or remove this functionality if desired.
The feature shouldn't exist in the first place. If a backdoor is hidden, this is an unlocked door with a "Please don't enter" sign on it.
>November 29, 2011 First publication
>July 8, 2015, 2015 Revision to include security guidance and requirements
I've bought a Lenovo notebook, wanted to download a copy of Windows from them (it's OEM), and searched on their forums for clues, since I didn't find anything on the site. This is what a moderator wrote
> If what you wish to achieve is an OEM imaged system, the only way is to obtain official recovery media through official channels. There are no legal downloads available, therefore discussion of it is not allowed. You may contact Service (info and hours below) to discuss your options.
You must buy DVDs from them. You can't even _talk_ about alternatives.
I am never buying from them again, and at this point there is literally nothing they can do to regain my trust as a consumer.
I would return the laptop for a refund (regardless of how long you've had it), and if they refuse to take it back (which they likely will), file a small claims case in NC (I know, not necessarily an option depending on where you are). They may try to argue that you 'agreed' to arbitration, but because they misrepresented the quality of the device, you can argue that agreement was 'signed' under false pretenses, and isn't legally binding.
I'd also post recordings of your support calls online if you have them, or call back and record new ones if you don't. Posting those online does not run afoul of the broadcast laws which apply to phone recordings, and recording calls with only one party aware is legal in all but 11 states, and everywhere once they tell you they're recording the call.
I'm doing the same damn thing with the tech companies that screwed me over, so I made sure to do my homework.
"Strategic advantage" would be a better fit for your comment.
The majority of the profit from the sale of Windows PCs goes to Microsoft because everything in the PC besides the operating system is a "commodity", meaning it is available from multiple suppliers who must compete with each other. (Actually Intel might be taking a significant fraction of the profits, too; I'm not sure.) Lenovo wants to become more than a supplier of a commodity because in a mature, shrinking market, there is little profit in supplying a commodity, and it is being clumsy and ham-handed about it, which annoys their customers.
I don't see how this is a danger to the US. If Lenovo persists in being clumsy, customers will simply shift to other suppliers. This is not a social crisis; this is just a relative newcomer to the game who did pretty well when the market was expanding and is not responding well to the end of the expansion.
> Kernel Service Protection for Client Security
> by HJK Wu - 2010
> ... for Client Security. Hui Jun (Kevin) Wu , Lenovo Global Desktop Development Laboratory ..... Contact him at firstname.lastname@example.org or email@example.com.
Also, I see Microsoft has updated that document in the last two weeks, apparently due to Lenovo's use of it.
"a security vulnerability that was discovered ... by an independent security researcher, Roel Schouwenberg... As a result of these findings, Microsoft recently released updated security guidelines... on how to best implement this Windows BIOS feature."
* in Windows 8+ any PC vendor can include an .EXE in Firmware/BIOS, and Windows will look for this on each boot, and run it right before you log in. This is called "Windows Platform Binary Table". This is something Windows does, and there is no way to turn this off. To me, this is the bigger story, because vendors may now start to use this method to install anything, making a clean windows install impossible.
* Lenovo uses this method if you try to install Windows 8, but if you install Windows 7, it does the sketchy "overwrite your system file (autochk.exe)" method instead.
* Either way, Lenovo installs a service on your PC. It was found to have security bugs. I can't find the link, but they said this was placed on some laptops/PCs from late 2014 to Summer 2015. They've released a new firmware 2 weeks ago that turns this off.
I would like to know if any non-Lenovo PCs have used this "Windows Platform Binary" method to run software from the firmware, because when I searched for it, I saw people with Dells and HPs who thought they might have a virus, posting scan logs that contained the text "wpbbin.exe" (which would only be there if Windows found it in the BIOS and put it there). For example see https://www.google.com/search?q="wpbbin.exe"+site%3Aforums.m...
Check your PC:
Windows 8 and up: Check your event log for "Microsoft-Windows-Subsys-SMSS" and if you see "A platform binary was successfully executed." your PC vendor is doing this. Or, look for a file called wpbbin.exe in windows\system32. (This file would ONLY exist if Windows found it in your firmware and ran it.)
Windows 7: Verify your autochk.exe is legit. I think you could simply do: "sfc /VERIFYONLY" in cmd.exe (as Admin) but I did not test it. My autochk.exe was signed by Lenovo in 2014 (which tipped me off it didn't come from the Windows 7 DVD I got in 2010!).
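An added script (not code from the original thread) that automates the three checks above: the SMSS event, the presence and signer of wpbbin.exe, and the signer of autochk.exe. It assumes an elevated PowerShell prompt on Windows 8 or later and that the SMSS provider writes to the System log.

```powershell
# Added example, not from the original post. Assumes Windows 8+ for the WPBT
# event, that Microsoft-Windows-Subsys-SMSS logs to the System log, and an
# elevated prompt so the event log and System32 signatures are readable.
function Test-PlatformBinaryIndicators {
    $sys32  = Join-Path $env:SystemRoot 'System32'
    $result = [ordered]@{}

    # 1. WPBT: SMSS logs "A platform binary was successfully executed." when
    #    the firmware supplied a binary and Windows ran it at boot.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Subsys-SMSS'
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'platform binary' }
    $result.WpbtEventCount = @($events).Count
    $result.WpbtLastSeen   = ($events | Select-Object -First 1).TimeCreated

    # 2. WPBT: wpbbin.exe only exists if Windows extracted it from firmware.
    $wpbbin = Join-Path $sys32 'wpbbin.exe'
    $result.WpbbinPresent = Test-Path $wpbbin
    if ($result.WpbbinPresent) {
        $result.WpbbinSigner = (Get-AuthenticodeSignature $wpbbin).SignerCertificate.Subject
    }

    # 3. Windows 7 style: autochk.exe should carry a Microsoft signature.
    #    An OEM signer (as the post describes) is the tell-tale. For a full
    #    system-file check, the post's "sfc /verifyonly" covers every file.
    $autochk = Join-Path $sys32 'autochk.exe'
    $sig = Get-AuthenticodeSignature $autochk
    $result.AutochkStatus      = $sig.Status
    $result.AutochkSigner      = $sig.SignerCertificate.Subject
    $result.AutochkIsMicrosoft = [bool]($sig.SignerCertificate.Subject -match 'Microsoft')

    [pscustomobject]$result
}

$r = Test-PlatformBinaryIndicators
$r | Format-List
if ($r.WpbtEventCount -gt 0 -or $r.WpbbinPresent -or -not $r.AutochkIsMicrosoft) {
    Write-Warning 'Firmware-supplied or vendor-replaced system binary indicators found.'
}
```

A hit on any of the three indicators is worth following up with the vendor's firmware update or clean-up utility; a Microsoft-signed autochk.exe and no SMSS event means neither mechanism was used on this install.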
Because people continue to make excuses for MS and continue to buy Windows after they do things like this.
>How much worse are they going to get?
Lots, because people will whine on the Internet but will not do anything that actually matters or will make a difference; you know, like using an operating system that respects your freedom...
I was wondering about buying a ThinkPad soon to improve my hardware... And I'm pretty scared about this.
The two methods of how this works could be blocked. For systems without support for WPBT, where the firmware attempts to overwrite system files, one could use whole drive encryption (like LUKS) on Linux to prevent the firmware from being able to write directly onto your drive. If they are more sneaky and have this tied directly to the firmware methods for writing to disk, you can always compile the Linux kernel to not require the BIOS after loading the kernel. This may be the default mode of operation now, I'm not entirely certain.
For the systems using WPBT, it's even easier. There is no way in hell they could get a patch into the mainline or any real community kernels that would load contents of the system firmware and immediately execute them. No self-respecting distribution would enable this either without the user explicitly authorizing it in the first place.
If they are super evil and actually attempt to inject code directly into the system memory, this would depend on an explicit kernel version because the in-memory model & organization aren't guaranteed to be the same between kernel versions. The last thing someone wanting to take over your computer wants to do is render it unstable. It just makes what they are doing more apparent.
The fact that Microsoft actually provided a way of having binaries executed without the user's permission (or ability to turn it off) is absolutely unacceptable. It's like they want to be able to run what they want on our systems...
There's only so much you can do against evil firmware, unfortunately. Getting a coreboot/libreboot capable machine is the only real way out.
The problem with coreboot/libreboot capable machines is they can no longer be shipped with newer Intel stuff (thanks to Intel bastards).
I feel we are kind of stuck eating proprietary and evil software until we die.
I presume this type of firmware enabled OS modification will not be able to work with drive encryption enabled, but does secure boot help at all in this situation? Presumably Lenovo includes their own signing key in their firmware so their signed executables would also be trusted. Or is this not something secure boot would verify?
However, I am seriously unimpressed by the maximum memory specifications. 64GB?! I had 32GB in my ThinkPad W510, which was released over five years ago.
I've also had 16GB in my seven year old T400. 16GB was enough for me back then, 64GB now is barely enough for me, it will certainly not be enough in a few years, although by then maybe we'd get larger memory modules, which might work just fine.
Since this is such a huge machine, they should have put more memory slots inside.
I also hope they release a 13''-14'' machine with quad-core Xeon CPUs (or some other CPUs that support ECC, some i7 chips do as well).
I'm afraid you will never get what you want as long as you keep upgrading both your laptop and your workstation.
I have 16 GB and I ran a cluster of 3-4 Cassandra nodes virtualized via Vagrant and it was pretty solid. Wouldn't mind 32 GB though.
As for the big data comment, an example is the programming language R, which runs in memory... And yeah, running big data in memory requires lots of memory.
I have powerful servers where I run what I need, but sometimes (too often actually), I can't depend on internet connectivity, and have to run everything on my laptop.
While I use desktops both at work and at home, I'd definitely switch to laptops if you could get the same power at roughly the same price point.
DDR4 bumps it up to 32GB per slot IIRC, so DDR4 maxes out at 128GB, assuming 4 max slot is still intact for Intel mobile CPUs.
I haven't seen any reports that the Intel mobile Xeon would go further than 4 slots.
Shame it's released by a company which cannot be trusted anymore. I know the bigger blunder (SuperFish) happened in consumer laptops, but all things considered, I can't trust Lenovo any more. That means I won't buy anything they make. I miss old ThinkPads.
Is there any serious laptop manufacturer left at all? A company that builds good hardware, allows user replaceable battery / memory / disk, and doesn't include any crapware, or things you can't disable (like secure boot, Lenovo style hard disk file replacement, etc.).
At least 2015 Macbook Pro 13" is pretty fast and light. I also love the display. Wifi is pretty snappy, download speed from internet is over 250 Mbps, which is enough for me.
I'll swap the internal SSD to 1 or 2 TB model once they become available.
I'd personally only do this if the 1/2 TB models were also SSD. OSX is so IO heavy now that any machine without an SSD feels like it's wading through molasses to get anything done.
Its ability to drive a 4K monitor at 60Hz is also nice. I know it's not enough for everyone, but 4K is all the resolution I'll ever need from a computer display.
Specifically Thinkpad laptops are known to work out of the box with popular Linux distributions.
The last time I saw something unsupported was a T400 with ATI/Intel hybrid graphics. I disabled the ATI part, as Intel was good enough and ATI was crappy under Windows too. (The ATI part worked under Linux, but the switching between ATI and Intel didn't. So it was use one or the other until reboot.)
For your NVS4200M gpu, didn't Ubuntu offer you an installation of restricted drivers? I vaguely remember that when you booted on such configuration, there was an icon in upper right tray that did exactly that.
The T403s (yes, Intel wifi and Intel graphics) that I'm using right now works out of the box in both Ubuntu and Fedora. On the other hand, when installing Windows 7, it's good to have the ethernet driver and tvsu ready on a USB stick. (Windows 8 works out of the box too.)
Yes, I mean, I vaguely remember that, too. But often that didn't work, and when it did, you still didn't get Optimus, and multi-monitor stuff was still annoying to set up (until you learn to install some nvidia-settings package, but even then you're manually configuring the monitor mappings in a GUI every time you start up). Now it looks like the official drivers let you turn on/off the discrete GPU, but only after restarting X. Maybe using Bumblebee is simpler too now.
> On the other hand, when installing Windows 7, it's good to have the ethernet driver and tvsu ready on a USB stick. (Windows 8 works out of the box too.)
Lucky. On some Latitude I had to put that on a DVD because the USB support wasn't there.
That said, I always choose performance.
I bought the i3 version which has almost all of the Virtualization extensions and that thing is great for a home lab. I can easily run 6-8 small vms no problem.
It's a fine line with these products, because the memory can really add to the price tag, but it's more favorable than a cluster of Raspberry Pis to me.
Personally, I don't mind the chiclets – the mechanic is the same as in the old keyboards – as long as the layout gets fixed…
1. Doesn't like tap-to-click on touchpads.
2. Prefers two discrete, easy-to-feel buttons over awkward clickable regions in the bottom corners.
Also, as a pianist I can notice subtle differences in the quality of keyboards. There is also one rule when playing on a piano - once you feel pain, you stop; you are doing something wrong or the instrument is not suitable for you, and you'll injure yourself unless something is changed.
Laptopmag also put out a fairly detailed comparison of Lenovo's "old" and "new" keyboards, with the newer island chiclet keys coming out on top, including on measures of audible and tactile feedback:
I guess to each their own.
Something caught my eye, though: "Screen options are 1920×1080 with optional touch screen or a 3840×2160 non-touch screen"
Is there a reason for this? Is anybody doing quad-HD touch screens? I never see them.
People caring about DPI are less likely to want to smudge the screen by touching it.