Announcement

Collapse
No announcement yet.

Lenovo To Support Configuring ThinkPad BIOS From Within Linux

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21

    Time for my copy-pasta on why no one should own CCP Lenovo products.
    --
    Seeing as how I recently spent the time digging up some of my sources and the logic behind my criticisms of Lenovo -- I thought I would post that in this thread.

    [1] ThinkPad is Lenovo.

    ThinkPad is a line of business-oriented laptop computers and tablets designed, developed and marketed by Lenovo. It was initially sold by IBM until 2005. ThinkPads have a distinct black, boxy design language, inspired by a Japanese bento lunchbox, which originated in 1990 and is still used in some models.[5]
    The ThinkPad line was first developed at the IBM Yamato Facility in Japan, and the first ThinkPads were released in October 1992.
    https://en.wikipedia.org/wiki/ThinkPad
    [2] Lenovo's HQ is Beijing China.

    Lenovo Lenovo Group Limited, often shortened to Lenovo, is a Chinese multinational technology company. Incorporated in Hong Kong, it has global headquarters in Beijing, China, operational headquarters in Morrisville, North Carolina, US, and an operational center in Singapore.
    https://en.wikipedia.org/wiki/Lenovo

    [6] The golden days of ThinkPad being IBM are long gone.

    ThinkPad [...] developed and marketed by Lenovo. It was initially sold by IBM until 2005.
    https://en.wikipedia.org/wiki/ThinkPad

    https://thehackernews.com/2015/08/le...t-malware.html

    Two years ago Chinese firm Lenovo got banned from supplying equipment for networks of the intelligence and defense services various countries due to hacking and spying concerns.
    Earlier this year, Lenovo was caught red-handed for selling laptops pre-installed with Superfish malware.
    One of the most popular Chinese computer manufacturers 'Lenovo' has been caught once again using a hidden Windows feature to preinstall unwanted and unremovable rootkit software on certain Lenovo laptop and desktop systems it sells.
    The feature is known as "Lenovo Service Engine" (LSE) – a piece of code presents into the firmware on the computer's motherboard.
    If Windows is installed, the LSE automatically downloads and installs Lenovo's own software during boot time before the Microsoft operating system is launched, overwriting Windows operating system files.
    More worrisome part of the feature is that it injects software that updates drivers, firmware, and other pre-installed apps onto Windows machine – even if you wiped the system clean.
    So even if you uninstall or delete the Lenovo's own software programs, the LSE hidden in the firmware will automatically bring them back as soon as you power-on or reboot your machine.
    Users at a number of online forums are criticizing Lenovo for this move and suspecting that the Chinese computer maker has installed a "bootkit" that survives a full system wipe-and-reinstall.
    The issue was first discovered and reported by users back in May when using new Lenovo laptops but was widely reported Tuesday.

    https://www.forbes.com/sites/thomasb...h=7924f0b03877

    Lenovo might have made one of the biggest mistakes in its history. By pre-installing software called ‘ Superfish ’ to get ads on screens it’s peeved the entire privacy community, which has been aghast this morning on Twitter. There are serious security concerns about Lenovo’s move too as attackers could take Superfish and use it to ensnare some unwitting web users.
    Here’s what you need to know about Superfish and what you can do to stop it chucking irksome ads on your browser and leaving you open to hackers.
    Is Superfish malware?
    Lenovo won’t want anyone to call it that, but Superfish has been described as a piece of malware, or an adware pusher, that the Chinese firm pre-installs on consumer laptops. Superfish is also the name of the development company, with bases in Tel Aviv and Palo Alto, behind the tool. It claims it has “developed the most advanced and scalable visual search technology in the world” and was ranked America’s 64th most promising company by Forbes.
    From what’s known about it thus far, Lenovo uses Superfish to place adverts into Google search results that the laptop manufacturer wants them to see.

    [7] NO Chinese Companies are independent from the CCP Government. They are required to be "Partners" and have a Comittee that pushes political & government interests
    https://www.theguardian.com/world/20...erprise-huawei

    The relationship between the party and private sector companies is, up to a point, flexible – certainly more so than with
    state companies. The party doesn’t habitually micromanage their day-to-day operations. The firms are largely still in charge of their basic business decisions. But pressure from party committees to have a seat at the table when executives are making big calls on investment and the like means the “lines have been dangerously blurred”, in the words of one analyst. “Chinese domestic laws and administrative guidelines, as well as unspoken regulations and internal party committees, make it quite difficult to distinguish between what is private and what is state-owned.”

    [8] Companies in China are required to have a CCP Party Comittee that has a role in decision making
    https://thediplomat.com/2019/12/poli...ty-committees/

    A Party Committee is formed by a group of
    senior CCP members who are given a leadership position inside the halls of public and private companies operating in China. The legal pillars sustaining such a committee’s activity are marked in the 2012 Constitution of the Communist Party of China.

    [9] Orgizations in the West are independent organisms, orginizations in China are part of the CCP Government

    https://www.theguardian.com/world/20...erprise-huawei

    International governments have noted Xi’s interventionist instincts with alarm. When US officials were pressed in early 2019 to provide evidence that Huawei, the Chinese telecommunications giant, had facilitated spying on the US and its allies, they pointed out that Beijing had already made their case for them:
    first with the party’s systematic infiltration of private companies, and second with the introduction of a new national intelligence law in 2017. The law states that “any organisation and citizen” shall “support and cooperate in national intelligence work”. The director of the US National Counterintelligence and Security Center, when asked about China’s entrepreneurs, cited these two policies in asserting that “Chinese company relationships with the Chinese government aren’t like private sector company relationships with governments in the west”.



    Comment


    • #22
      An announcement on a ThinkPad WMI BIOS interface turns into an episode of Alias. Honestly I would rather watch Jennifer Garner than read all of this security posturing.

      Very few people in the world have any data worth taking anyway. All this posturing is simply another attempt to make one self-important.

      99.999999% of most people's data are backups of photos from the last family vacation. If the CCP wants to look at millions of baby photos at the beach, so what?

      Comment


      • #23
        Originally posted by Kemosabe View Post
        Is there any evidence for the lenovo-spies-for-CCP-on-you talk? Nothing really is equally attractive as a thinkpad to me. Too bad they were unable to deliver a few weeks ago so purchased DELL.
        Yes. Because the vbulletin filter is ass, and who knows how long if ever it will take Michael to unblock my post you can read my analysis here:

        https://www.reddit.com/r/linuxhardwa...linux/h13438j/

        Comment


        • #24
          Originally posted by artivision View Post
          Huawei refused to surrender the keys of their devices to the US government. After that they where accused of espionage without proof, only with the sole reason that if their devices are not open to the US government then something is hidden. That is the US law from a point and then.
          I think you're twisting the facts here a bit. The US, and any country for that matter, doesn't like having its critical infrastructure (5G, telephony) infiltrated by hostile foreign powers such as the Chinese government. It also doesn't like bugs equipped with microphones, cameras and modems being distributed among its own citizens, devices that it has absolutely no control over. That's an obvious security threat. You've discarded all these concerns to bash the US for making moves that protect its national security.

          Originally posted by artivision View Post
          If it where not for a certain eastern terrorist religion, i would say that US is the bottom of humanity.
          Do you mean Communism? You know, because its religious devotees are always committing genocide.

          Comment


          • #25
            Great. Now if only Lenovo would allow me to configure good ThinkPad models again. They seem to only want to sell me crap currently.

            Comment


            • #26
              Originally posted by Paradigm Shifter View Post
              I couldn't agree with this more!

              Giving the OS the ability to change the BIOS is a horrible feature that should never been permitted. I support a hardware (jumpers, yay!) read-only/writeable toggle for BIOSes, because it would be hard for BIOS viruses to get in (and UEFI is even more vulnerable) if they can't write anything.
              Then how would you update the BIOS?

              Besides most OS ignores most of the BIOS anyway once the OS is bootstrapped.

              Comment


              • #27
                Originally posted by ElectricPrism View Post

                Yes. Because the vbulletin filter is ass, and who knows how long if ever it will take Michael to unblock my post you can read my analysis here:

                https://www.reddit.com/r/linuxhardwa...linux/h13438j/
                A whole load of garbage and sinophobia disguised as a 'public service announcement'.

                Superfish is an American software product and was installed in many OEM computers, not just Lenovo's. The root certs were all signed by American CAs. So an Chinese company installing an American software product with American root CAs is in bed with the CPC for sending data to American servers managed by an American software company.

                And while China codifies the cooperation of private companies with law enforcement in the law books, American intelligence just backdoor and take it while completely ignoring American law institutions and process.

                Originally posted by board
                I think you're twisting the facts here a bit. The US, and any country for that matter, doesn't like having its critical infrastructure (5G, telephony) infiltrated by hostile foreign powers such as the Chinese government. It also doesn't like bugs equipped with microphones, cameras and modems being distributed among its own citizens, devices that it has absolutely no control over. That's an obvious security threat. You've discarded all these concerns to bash the US for making moves that protect its national security.
                And yet it's perfectly fine for the US to sell backdoored products all over the world and insist on American-backdoored products as a requisite for cooperation. It's also perfectly fine for the US government to make the ludicrous order that countries using Huawei gear that has not been proven to be backdoored will be blacklisted, but it reserves the right to retaliate against countries who refuse to use American equipment that have been exposed by Snowden as being compromised.

                Not once has a Chinese critical infrastructure product been definitively and officially proven to be backdoored, while there are loads of actual real-world evidence of the Americans backdooring their products and planting them into foreign governments. If one Snowden isn't enough, perhaps the world should have a Snowden#2 moment to expose to the world just how morally bankrupt the US imperialism machine is.
                Last edited by Sonadow; 17 June 2021, 03:49 AM.

                Comment


                • #28
                  Originally posted by Sonadow View Post
                  IKR?

                  It's really interesting and horrifying how so many people think it's a good thing that an OS should be allowed to arbitrarily manage BIOS or UEFI settings.

                  The only place where such settings should be modified is through the limited interface provided by the UEFI vendors themselves or though purpose-built software programs that are specially designed do so (like the Linux Foundation's MOKutil).
                  Yes. Or IPMI controllers.

                  Originally posted by Doomsdayrs View Post
                  I personally think this is a good thing, time to see if we can force hidden settings
                  That's about the only upside of it, IMO.

                  Originally posted by edwaleni View Post
                  An announcement on a ThinkPad WMI BIOS interface turns into an episode of Alias. Honestly I would rather watch Jennifer Garner than read all of this security posturing.

                  Very few people in the world have any data worth taking anyway. All this posturing is simply another attempt to make one self-important.

                  99.999999% of most people's data are backups of photos from the last family vacation. If the CCP wants to look at millions of baby photos at the beach, so what?
                  You are correct in that very few people have anything worth stealing. But that does not mean that anyone - even those people with "nothing worth stealing" should be willfully careless or ignorant.

                  A brief example: while I know that I, myself, was not being targeted, a few years ago systems I maintained, and had responsibility for, suffered hundreds of daily attempts to break in (my sshd logs each morning made for interesting reading!) from a variety of locations. Those machines contained confidential information. Having them broken into would have been much more than a "so what?" moment. If those active on the Phoronix forums "posture" about security, given the technical nature of the site, I would take that to indicate that they may now, or have been in the past, in positions in which security concerns were part of their job.

                  But of course, bread and circuses. Enjoy your entertainment.

                  Originally posted by carewolf View Post
                  Then how would you update the BIOS?
                  Well, other than the fact that modern BIOSes/UEFIs can be updated from a menu entry inside them, I will presume your question revolves around the idea of setting them read only. It's quite easy: you would manually adjust the jumper to permit writing to the BIOS when you want to update it, update it, and set the jumper back to read only. Actual settings could either be stored in a very small writable area (not ideal, but easier) or settings would be adjusted when the BIOS was writable. This means that people who want to have easy access to flashing their BIOS or changing settings can do so - while those who dislike the idea of potentially having a next-to-impossible-to-detect-or-remove virus getting in can be more circumspect.

                  Originally posted by carewolf View Post
                  Besides most OS ignores most of the BIOS anyway once the OS is bootstrapped.
                  That is a completely different matter, but it's still troublesome.

                  Comment


                  • #29
                    Originally posted by Paradigm Shifter View Post
                    Well, other than the fact that modern BIOSes/UEFIs can be updated from a menu entry inside them, I will presume your question revolves around the idea of setting them read only. It's quite easy: you would manually adjust the jumper to permit writing to the BIOS when you want to update it, update it, and set the jumper back to read only. Actual settings could either be stored in a very small writable area (not ideal, but easier) or settings would be adjusted when the BIOS was writable. This means that people who want to have easy access to flashing their BIOS or changing settings can do so - while those who dislike the idea of potentially having a next-to-impossible-to-detect-or-remove virus getting in can be more circumspect.
                    He probably means flashing it into a newer version. And even then, there are lots of methods available then and now.

                    Much further back, it was common for board vendors and computer vendors provide the BIOS update package and publish instructions on how to put the update package into a boot floppy.

                    Then, during the height of Windows' dominance of the mainstream desktop and laptop OS, vendors provided the upgrade package as an exe to be run within Windows. This was annoying, but there is a clear difference between upgrading the BIOS from within an OS and modifying the BIOS's settings from within an OS.

                    Now, we have options within the UEFI itself that allow for automatic download of the update package directly from the vendor's servers if the computer is connected to the internet at boot. And even then, it is common for vendors today to allow offline upgrading by provide the firmware update package with instructions on how to create a bootable USB.

                    Comment


                    • #30
                      While I support the idea of having better co-op between hardware manuf. / vendors and the FOSS/Linux world, I wonder if it is a good thing to expose all sorts of BIOS settings to the OS. I mean, UEFI is crap, we know, but there were cases where variables could be set from within the OS (according to UEFI specs) but then the machine bricked (and had no failsafe dafault fallback!).
                      Stop TCPA, stupid software patents and corrupt politicians!

                      Comment

                      Working...
                      X