# More bad security from a Notebook manufacturer



## jrm@ (Nov 12, 2015)

Via @NikolajSchlej on Twitter.


----------



## tobik@ (Nov 14, 2015)

TeamBlackFox said:


> its spyware is easily taken care of by doing a full reload of the OS


Not true if you install Windows: http://www.techworm.net/2015/08/lenovo-pcs-and-laptops-seem-to-have-a-bios-level-backdoor.html


----------



## wblock@ (Nov 14, 2015)

TeamBlackFox said:


> I don't really get the controversy of Lenovo as its spyware is easily taken care of by doing a full reload of the OS, and I do that anyway with all computers I buy, regardless of manufacturer, or OS.


Do you trust them not to have spyware in their BIOS, or network, disk, USB, and webcam firmware?  They certainly could do that, and we know they are willing to ship spyware in at least some situations.

As far as the Acer issue, that looks to be plain incompetence.  But it's also odd that a UEFI password is not encrypted somehow.


----------



## wblock@ (Nov 14, 2015)

Special drivers would not be required for firmware executed by peripheral microcontrollers, it would be done at a level that could not even be seen by the operating system.

Really, the issue is how much you should distrust a vendor.

As far as Acer, some searching indicates there is a list of known BIOS supervisor passwords used by Acer or the Phoenix BIOS, so this issue is evidently not new.  News to me, but I do not use BIOS supervisor passwords.  There was a movement for open-source BIOS code at one point.  No idea how practical it is.


----------



## Carpetsmoker (Nov 15, 2015)

TeamBlackFox said:


> I don't really get the controversy of Lenovo as its spyware is easily taken care of by doing a full reload of the OS, and I do that anyway with all computers I buy, regardless of manufacturer, or OS.



And how many people do this, exactly?

Most laptops come with a recovery partition on the drive; if you run this, it will recover the laptop to the factory state; which includes the crapware. Almost all reinstall discs I've seen do the same (but I haven't seen a reinstall disc in years).

So one needs to get a different Windows install disc, which must be the right version & language; which is a bit of a pain in itself.

So it's not as simple as just clicking "Reinstall to remove crap".


----------



## Beastie7 (Nov 15, 2015)

What's more sad is that Microsofts' dominance and terrible horizontal business model will continue to go uninterrupted. Say what you want about Apple, but when you control the entire stack, you'll more likely come out with a better, more secure product. They got it right. All the old great big iron UNIX companies did this too.


----------



## Crivens (Nov 15, 2015)

TeamBlackFox said:


> I don't care if they have spyware in those firmwares - they won't get activated without drivers that are aware of them. I'd rather trust Lenovo over Apple any day.


It may be that you do not know enough about what can be done with those embedded controllers. As wblock@ pointed out, there is no driver needed in order to have some stupid microcontroller on your mainboard do evil things. 

There is a proof of concept out there which scans the main memory for known telltales of operating system kernels, then (for a varity of systems) identifies the places where you are inputting the passwords (looking for the keyboard buffer, when login is running is obvious here) and then drum these passwords out by jittering the packets of the ethernet. You can't even reliably pick up that crap with a dedicated network monitoring system if you do not know what you are looking for.



wblock@ said:


> Really, the issue is how much you should distrust a vendor.
> 
> As far as Acer, some searching indicates there is a list of known BIOS supervisor passwords used by Acer or the Phoenix BIOS, so this issue is evidently not new.  News to me, but I do not use BIOS supervisor passwords.  There was a movement for open-source BIOS code at one point.  No idea how practical it is.



You should distrust them _a lot_. What you mean is coreboot, which is something I am going to check out rather sooner than later. One of their guys told me there is some problems with ACPI, because they implement that after the spec and many OS vendors think they need to work around the faults present in all known ACPI implementations out there. Only to fail if that fault is not there. But the axe I have to grind with them is that coreboot is only compiling on Linux, at least out of the box, as they use include files from the linux kernel.


----------



## protocelt (Nov 16, 2015)

All OEMs and vendors could be potentially guilty of doing bad things. In this case, it is totally possible it was just an oversight/mistake. Maybe it wasn't, who knows? A lot of firmware is closed/proprietary and the code not available to audit. How do I or anyone for that matter know what is and what is not secure and free from faulty coding and back doors without being able to audit everything. All one can do if they want to use a product is take a risk. Do you want to trust a vendor known to purposely put spyware and back doors in their product firmware/software or do you choose a vendor that hasn't been known in the past or present to participate in any of this nonsense. As for me, I'll choose the latter.

I was seriously considering purchasing a Lenovo Thinkpad a few months back as they seem to increasingly have decent FreeBSD support. For me, that is no longer an option.


----------



## Beastie7 (Nov 16, 2015)

I think this is something the greater open source community needs to get together and tackle from all sides. An open, standard replacement for proprietary firmware and power management. Much like X; a platform agnostic, liberally licensed, collaborative, etc.

But then again the Linux crowd isn't fond of such fair pragmatism.


----------



## wblock@ (Nov 16, 2015)

I don't think that's fair to the Linux community.  The vast majority are smart and reasonable people, and some are involved in the effort to create open firmware.  The problem is convincing the manufacturers that it would be in their best interest to cooperate.


----------



## jrm@ (Nov 16, 2015)

Beastie7 said:


> But then again the Linux crowd isn't fond of such fair pragmatism.


The first sentence of the coreboot Wikpedia entry says, "coreboot, formerly known as LinuxBIOS...".


----------



## protocelt (Nov 16, 2015)

jrm said:


> The first sentence of the coreboot Wikpedia entry says, "coreboot, formerly known as LinuxBIOS...".


I could be wrong, but I see no reason the developers of that project would be opposed to participation from developers of FreeBSD or any other open source operating system really. It would benefit everyone.

Contrary to what some people think, a large majority of Linux developers are great people and quite receptive to working with other projects including the *BSD projects. Some people just like to focus on the negatives...

jrm, the last paragraph is not aimed at you, just a general opinion of mine.


----------



## jrm@ (Nov 17, 2015)

TeamBlackFox said:


> They always have phenomenal BSD support in most cases...


But AFAICT, that has less to do with Lenovo and more to do with *BSD/Linux developers working around Lenovo problems.  Here is an example.



TeamBlackFox said:


> The issue I have with coreboot is it is GPL...


The current selection of open source BIOS alternatives doesn't match such an idealistic view.  IMHO, if the alternative works well and the source code is available that's a big step forward from the status quo.  Everything else is just icing on the cake.


----------

