Phoenix BIOS Phones Home?
Myrv writes: "There is an interesting thread over at DSL Reports discussing Phoenix Technologies' new BIOS. This BIOS contains the PhoenixNet Internet Launch System. ILS resides safely within ROM and is activated the first time a user launches a PhoenixNet-enabled PC with a Windows 98 Operating System. When the PhoenixNet ILS detects an Internet connection, it makes contact with the PhoenixNet server and delivers user-selectable services. These services are delivered to the user as hotlinks on the desktop and in the web browser or, as applications that PhoenixNet automatically packages, downloads and installs. It's 3 a.m., do you know who your motherboard's talking to????" We've gotten a couple of submissions about this - another submitter pointed out this thread and this description by Phoenix. Phoenix has apparently been kicking this idea around for a while - see this old Slashdot story. Does anyone have any more information?
Is this necessarily a bad thing? Chances are that there is going to be an option to disable communication with the PhoenixNet system.
Even if there isn't an option to disable this, it sounds like this option will only function under Windows systems.
So why are you worried?
Good ol' ipchains has saved my lunch once again.
Yes?DOCUMENT.JS?NAME=UNTITLED&TYPE=DOC&BIOS_SERIAL=4438 21965B&SYSCONFIG=76d7e6274835140d08e50094e5e2571&SENDINFOTO=PHOENIX+MICROSOFT
<User> HELP!!...!!!...!!
<Tech Support> What?
<User> HELP!!...!!!...!!
!!!
<Tech Support> Could you please elaborate?
<User> I NEED HELP!!!
<Tech Support> What do you need help with?!
<User> I CAN't SAVE!!
<Tech Support> Why can't you save?
<User> I CAN'T SAVE MY DOCUMENT!
<Tech Support> What sort of document is this; what are you doing to save it?
<User> I LEFT CLICK THE PICTURE OF THE DISK
<Tech Support> And what happens?
<User> IT SAYS I'm FORBIDDEN
<Tech Support> What exactly does it say?
<User> STUFF
<Tech Support> Try it again and tell me exactly, ok?
<User> OK
<User> It say 505 - FORBIDDEN HTTP://WWW.PHOENIX.COM/SPYNET/WINDOWS/98/USERSAVE
<Technical Support> Oh, that's just a little quirk; your BIOS provider is having some trouble with their website.. just try again later; if it doesn't start working in a few days; however, you might try replacing yours with a M$ BIOS; or you might try upgrading to the BIOS PRO(tm) service.
I doubt it could be done, but it would be very cool. A truly awesome hack. I'd pitch in for some beer for whoever does it.
I wonder if any motherboard makers are thinking about LinuxBIOS...
Like I said, it was a possible troll. :) Feel free to just ignore that part of the post.
I was just pointing out what could happen, if not with this bios, but maybe a future one... You never know... I'd be right there in the riot with you if it ever happened. Kind of an odd comment coming from somebody with an antioffline email address.
According to the thread linked to in the story, if the computer boots up with a cool new screen, it's probably this new BIOS.
:)
The following vendors have signed up: AOpen, Chaintech, ECS, EpoX, Giga-Byte, Jetway, Legend-QDI, MSI, Soltek and Zida. Notice no ABit
<possible troll> (but I don't think so...)
It was interesting to read in that thread also, that this could bypass the OS level networking code, and use its own stuff. I don't think I could imagine the destruction that would be caused by millions of PCs with a backdoor/hole/bug in their firmware, that could easily be remotely exploited. If you thought DDOS attacks were bad now, you ain't seen nothing yet.
</possible troll>
I didn't notice anything about being able to actually turn this off in the BIOS. There is already talk of using a hex editor to disable it... Just what we need, buggy roms because the vendor does what people don't want.
Guess that shows how old my computer is! :(
Well, according to the thread on DSLReports, when you install the MoBo drivers from CD, it is installed as part of the default install options.
It sounds like a custom install, skipping the PhoenixNet stuff would get around it. Someone mentioned uninstalling the PhoenixNet stuff would also fix it.
Could you imagine how complex it'd have to be to be at the BIOS level only - a TCP/IP stack, network drivers, somehow using the NIC without the OS crapping out. Though, I must agree that the info on the phoenixnet site makes it sound like it is a MB only deal.
Guess I'll never find out...as now any new MB better have a huge Award sticker on it.
And the customers probably know when they are paying that this is a feature, and see it as a reason to go with Big Blue.
An interesting billing model - the more disk space you use, the more we bill you. I know the 3090 we had in school would call IBM if something bad happened to it (failure, temperature indicators said the room was too hot, lonely)
Just so you don't wonder what a graphics card has to do with hard drive speed: I erroneously typed "Matrox" for "Maxtor".
My Soyo motherboard (6BA-III+) has a boot up screen that announces "your computer is PhoenixNet enabled." I think I acquired this feature in a BIOS update that I installed to fix a Matrox related bug. Am I slightly paranoid about PhoenixNet? Yes. Do I regret that I flashed my BIOS, thus "enabling" my computer? No. The bug was rather nasty, reducing hard drive speed to 600 kbs.
In one of the CSS licenses, one of the clauses essentially bound the licensees to offer "security upgrades" to the user only as part of an enticing upgrade. Thus, the security fixes would get installed along with whatever flashy multimedia "upgrade" a licensee had advertised to the end-user/mark.
Now, I don't think Soyo deliberately intended to be dishonest, but be prepared to accept bugfixes packaged alongside unwanted (or even malicious) features.
Of course, if you use open source software, this can be avoided. One does not always have to accept the evil along with the good.
There are some computers you buy with disabled CPUs (IBM does it, and I remember Sun making a press release about it, but I don't know if they do it).
CPUs have two real costs. One is the cost to fab (build) the CPU, this is a large percent of the low end embedded CPUs and the Celeron type CPUs where cost is a major issue (you can count the cost of the fab plant here). The other cost is the design cost of the CPU. The more CPUs of a given design you sell, the less you have to pay per CPU for this. High volume CPUs like the x86 have very very little design cost per CPU. Low volume CPUs like the POWER3 and UltraSPARC have a much higher per-CPU design cost.
So IBM and Sun may charge well over $1000 for a CPU that costs them only $100 to build (in real life part of that $1000 is also profit). They can charge $100 for a CPU and not lose money on building it, but if they don't somehow get more money than that they won't manage to design the next CPU.
They can put extra CPUs in a box for $100 each, and "just" charge you the other $900 (or $1500, or whatever) if you want to use them. Given the price of large IBM and Sun machines a few extra $100 won't be noticed (the small Sun machines are about $1000, so they can't do that!).
Sun/IBM wins because there is a larger chance that you will buy the extra CPUs given the fast "shipping time". The customers win if they ever need another CPU in a hurry, because it can be "shipped" to them quite quickly. There was some talk that Sun would let you just turn them on and pay on the honor system. I don't know if that happened. If they never use the extra CPUs then they paid an extra few $100 on a multiple $10,000 box, which isn't helping them, but it isn't all that bad for them either.
It isn't likely to happen to x86 CPUs because the design cost is a much lower part of the final cost. The profit margins are also lower now that there are two real suppliers (AMD and Intel), so a CPU that sells for $200 can't be thrown in for $20 without someone taking a loss...
PhoenixNet does not involve the BIOS somehow directly interfering with your Internet connection. That would be absurdly difficult to implement. It actually appears to hook into the Windows setup procedure somehow. If you don't run Windows, you need never know about this.
This is probably part of why Phoenix has gone from market dominance to a 2nd, 3rd or 4th fiddle lately. Seriously, though, I've gone through 4 or so MB's in the last couple years, and, although they were all different brands with different chipsets, none had a Phoenix BIOS. Evidently, eMachines was trying to make a buck off of this, and with Phoenix, it looks like it would be Phoenix's buck. I think that this will probably alienate OEM's, and I think that the minority who buy retail motherboards all have the intelligence not to do this. Besides, with broadband access, who uses a phone line anyway? My PC hasn't been connected to my phone for 2 years now. Tim
Sent: Wednesday, June 20, 2001 2:48 AM
To: pnetcust_serv@phoenix.com;
Subject: banner ads for free motherboards?
FYI, I will gladly take a 5 second banner on startup if it means I can get my motherboard for free.
Actually, ABIT is listed:
http://home.phoenixnet.com/boards/index2.html
ABIT
ACORP
AOpen
ASUSTEK
A-Trend
BIOSTAR
ELITEGROUP
EPoX
Gigabyte
Iwill
JETWAY
Lucky Star
MicroStar International
Shuttle
Soltek
SOYO
Tekram
Taiwan Commate
flashing your bios, which is quite a dangerous operation for the common user
That's pretty sick, dude. Can't you just visit a pr0n site to get your kick? I do agree that it's dangerous, there are all sorts of sharp corners inside a PC to catch nude skin on.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Er.. screwing over customers *without them realising* has always been looked upon as good business sense. Capitalism sucks. Then again, so does communism....
Choice of masters is not freedom.
Can you imagine getting a popup every day: "Do you want to install Compuserve?".
Now it's the BIOS, tomorrow the ethernetcard, soundcard, videocard? All fighting to install software on your PC?
And the fact you need Windows 98?? The feature could be cool, but only to fix a crashed OS. When your PC is booted, you just don't need the BIOS.
--
Me
Any other takers for ways?
make Linux, not Microsoft. sin(beast) = -0.809016994374947424102293417182819
Unfortunately it looks like OpenBIOS hasn't updated in 14 months, and it's hard to tell if they ever actually achieved anything ...
...
The LinuxBIOS project (http://www.acl.lanl.gov/linuxbios/) looks more promising (originally covered in this Slashdot article).
o/~ Join us now and share the software
i hate script kiddies just as much as the next guy but they aren't all stupid. some have come up w/ various highly dangerous suites of attacks. besides, by the very definition, they are getting scripts from somebody who did the real work. just because they didn't write the exploit doesn't make your box any less owned.
something like this, if exploitable, could really be nasty. this is below os security controls and I imagine you could get away w/ nearly everything. can you have the bios write files to disk? i dunno but my guess would be yes.
you say you would just block it at the firewall. that is all well and good for you but most people still don't have firewalls on their boxen. especially as this is turned on by default many people won't even know it is a risk. then suddenly one day their machine participates in another yahoo DDOS and then fries itself just b/c the script kiddie is a 15 yr old shit that thought it would be cool to ruin other people's hardware.
i don't see this as "overhyped dramatics". i see this as a serious threat.
cj
Microsoft doesn't sell Windows 98 anymore!
Seriously, how does the merge into WinXP (NT) affect this? Secondly, how does something like ZoneAlarm react to your hardware trying to access the internet? Geez...
I understand the need for BIOS updates, and the need for companies to make it easier on the non-technical user... but this 'phone-home' capability (and all the data-collection demons it brings with it) is just a bit too much.
Good thing the OS it needs isn't sold anymore (at least, not 'officially').
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
You might find out even so, since Phoenix bought Award around 1998, and they've been a single company since.
They've been shopping around this stuff for several Internet companies, offering them the "opportunity" to be the default home page of the user... whether he wants to or not. The PowerPoint presentation I saw specifically mentioned Phoenix AND Award BIOSes as part of the deal.
With tux running in the kernel, it was only a matter of time before we had the next step: web server in the BIOS.
I smell innovation. Thanks Phoenix!
< tofuhead >
--
It is still the dark of night.
Instead of grinning...
I would have stood up, told him that he could stick his idea where the sun didn't shine, that you were personally never going to buy a machine with the Award BIOS in it, and would recommend the same to friends, and why, and that as of that moment, your friendship was dissolved, and if he couldn't understand why, then that was reason enough.
Your "friend" has created an idea that essentially allows remote monitoring and control of other citizens' property and habits. This is morally repugnant, and unethical, to say the least. People who dream up such stuff should be stuffed back into the holes from whence they came...
Worldcom - Generation Duh!
Reason is the Path to God - Anon
That's simply absurd. While I don't think it was a particularly good idea, there is nothing "unethical" about this at all. If the consumer doesn't want it, then the consumer won't buy it. This is not about some secret society spying on people.
The fact is that the idea is being foisted on a group of people who may be unaware that the system is capable of doing such a thing. If the consumer doesn't know about it, then they are unable to make a choice not to buy it. Your friend had to know this, yet went ahead and pitched the idea to be created anyhow - probably thinking "Yeah, more money for me!", rather than taking the high road (and not disclosing his idea to his employer).
The fact of the matter is that alternate revenue streams would serve to drive down the costs of PCs. If someone wanted the lower end PC that was subsidized by this, then it would be their choice.
We both know this is a lie. Such schemes won't drive the cost of PCs down, but rather keep them the same, and increase profits - it is all about money, and "Damn the citizen!"...
In fact, who are you to decide what people should or shouldn't have?
I am a person who knows that the nature of man is to be free, yet corporations and government continue to build chains to enslave and control. Do you honestly think people want their computers reporting details contained on their hard drives back to some "anonymous authority"? You may say it is only relevant details, but the individual doesn't know this - they can't see source code, and I doubt many know how to use packet sniffer/logging programs to analyze data coming out the backend. Do you honestly think people want another entity looking over their shoulders? If society honestly wants this, then we are far, far down the slope - and we might as well strip to the skin and be bonded in chains, because that is what the situation would be.
Something tells me you don't have too many friends.
The friends I do have are those who oppose corporate and government tyranny and control such as this. The friends I have know about freedom and rights.
Something tells me your friends would backstab you and society for a buck, grinning all the way to the bank...
Worldcom - Generation Duh!
Reason is the Path to God - Anon
Your heresy was detected, Windows reinstalled from on-board memory, you've been reported to the proper authorities, and your email address sold to spammers.
... which as I recall reading not long ago, for a PC to be certified for WinXP, REQUIRES that the user have NO access to BIOS settings.
IOW, a NON-user-flashable, NON-user-customizable BIOS. But the spec says nothing about whether the manufacturer is allowed to mung it up.
I've just notified Phoenix that under no circumstances will I purchase Phoenix-based products for myself nor for my clients. If that "limits" my choices, big deal, at least they'll be MY choices.
~REZ~ #43301. Who'd fake being me anyway?
Can't find a not-at-all-sucky system. Find the least-sucky system. Capitalism is less-sucky than communism, because there is the potential for liberty under capitalism. Too bad that potential has been sold out. Plus, the indoctrination of our children into a global corporate state in which they are merely docile consumerist droids is complete.
--
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
If you can disable it, then this isn't news. If you can't, then it could be illegal (using your bandwidth/computer without permission, etc).
------
(Why does it matter? I dunno about you, but I cram my '98 installs into either 256M or 512M partitions, just so I can keep my "OS" and data separate. OOBE is bloat, bloat, bloat.)
Out Of Body Experience, Out Of Box Experience. I dunno, same thing to me. I spend so much time inside my PC's case that I don't even bother to put the cover on anymore.
"It could be done with a backdoor, then leaving the port open, the script kiddie would have to scan complete address blocks, but if they're going to do something so difficult, then they're even bigger idiots for not downloading already available trojans that'd do the same."
And you don't think that Phoenix is probably leaving a _specific_ port open to accept incoming connections to the computer? If they don't now, I'd bet it won't be long. At that point all you'd have to do is spoof packets etc. etc. etc.
From a security standpoint, this software is a horrible breach of "trust" between the MB/bios manufacturer and user.
Somebody tell me when all of a sudden capitalism turned into sell-my-privacy-to-the-highest-bidder?
--Remove chicken to e-mail
This frightens me, not just because it's happening already, but because it looks like the shape of things to come.
It looks like the computer companies are taking lessons from the cell phone industry. Your computer will soon render itself useless unless you're sending money into the appropriate chain.
Phoenix to your ISP: "Hey, we're gonna switch your user to our ISP unless you pay us not to."
Your ISP: "Hey, you can't do that!"
Phoenix: "We just did."
In addition, if you thought you got telemarketing calls and junk-mail NOW, just wait! Phoenix knows which batches of mobos were shipped to which retailers. Now they'll know exactly where those computers are being used. Paying in cash is futile, you WILL be tracked. Changing your browser's start page is futile, your PC WILL contact someone. Not using Outlook is futile, you WILL have programs installed on your computer without your consent.
Also, I doubt this thing can be made secure. How long until someone figures out a way to overflow the BIOS and install arbitrary code into the Flash chip? The ultimate BackOrifice involves control from the moment the machine's powered on.
Only massive public outcry, like that which surrounded the Pentium III serial number, will persuade companies not to do this.
Or calling 911 when you're not looking, like Japanese phones are doing now.
Will traditional ad-blocking software work with this? If they're flashing ads into my BIOS so that I see sponsorship messages during boot, I don't think the Junkbusters are going to be able to stop it.
Anyone think it'd be feasible to hijack this system and use it to provide greater USER configurability, custom logos during boot, and so on?
Yes, you can buy (or lease) them this way. IBM, Sun, and HP all have this feature available on one or more of their "midrange" systems; I don't know about any other co. 'cause we only use those 3.
...the RS/6000 (Which isn't a whole lot more than a Power Macintosh)....
:-)
Uh, the G4's are pretty hefty, and on the low end of the RS/6000-pSeries lines some of the systems are small, but there's a tad bit of difference between a 4-PCI slot, 1 CPU system (even with 1.5 GB memory) and a 24-CPU, 96GB system with 56 PCI slots, etc.
Besides, those black cases & keyboards are way cooler than wimpy pastels, and how do you rack-mount the Mac?
This BIOS is going to interface with your TCP/IP stack on whatever OS you are running, bind a port, and then have some sort of interactive interface on the other side? Gee, that's quite impressive. A bound port is no more useful than an unbound port unless you have some sort of service on the other side...
I see nothing wrong with Phoenix trying to make a call when I boot up my pc, because I barely ever shut it down for one, secondly I don't use Phoenix BIOS anymore, and thirdly if I did I would block it out on IPF.
It's nice for companies to attempt to improve their products however I think they should notify their customers with their intents and base their judgement on those results. Not every single company is out to shaft everyone, and not every company is out to monitor you like Big Brother.
Now what would have been an excellent YRO story would have been something about "Digital Angel." Now there is something I could spend hours on end posting on.
Want Root?
I don't think I could imagine the destruction that would be caused by millions of PCs with a backdoor/hole/bug in their firmware, that could easily be remotely exploited. If you thought DDOS attacks were bad now, you ain't seen nothing yet.
First off this applies to Windows98, and many people have migrated off of it to other MS OS's (NT, W2K, etc) or other OS' entirely. How could someone remotely execute anything when someone would still need an IP address from their provider? Script kiddies can baReLy sPeLL cOrReCtLy 95% of the times, do you expect them to yank off an IP address from a provider and designate it to someone?
Give me a break.
As stated in my above post, if I did have Phoenix Bios and a Winshit98 machine I would auto block it on a firewall should I not be allowed to disable it, which would make it obsolete. Sure it may dial, but there isn't any data going through, and if I saw anything peculiar such as my machine making its own settings, I'd contact EFF, ACLU, and EPIC and start a riot.
Want Root?
the "Not all corps are out to get you?"
;) I run AO have been running it since it was born www.antioffline.com/about.html
People misunderstand our site, we're not anti anything, we just don't give a shit about anyone
Anyways as for the BIOS and script kiddiots, it'd be an enormous task for someone to create an exploit since as stated, well let me rephrase this a bit... It'd be hard for someone to create an exploit for your typical dial-up customer, since they would (the script kiddie) need to know which machine to interact with upon boot.
It could be done with a backdoor, then leaving the port open, the script kiddie would have to scan complete address blocks, but if they're going to do something so difficult, then they're even bigger idiots for not downloading already available trojans that'd do the same.
Want Root?
The thing with IBM is, when you buy IBM servers, you also pay for them to manage the servers for you. Having this reporting tool is common sense for fast service.
But when you buy a personal PC for your home, you want to install software you like on it, and play with it as much as you want. You don't want your MB maker to manage your PC for you. If you did, you would have paid someone to do it.
So why would a MB maker be so stupid to offer a feature the consumer doesn't want to pay for or use, when it can sell the feature to corporate users? New features for the sake of new features?
---
a powerful tool for communication, entertainment, education and business.
In other words, Advertising Revenue.
ADs at Bootup...
ADs at Shutdown...
ADs at Hardware Setup...
ADs at Hardware Failure....
ADs...
ADs...
and MORE ADs....
I'll bet they even sneak a commercial in for a motherboard upgrade when yours starts to feel dated (two weeks after you've bought it.)
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
Obviously NOT. This isn't for updating your BIOS automatically, which would be good. It's to install Adobe Acrobat and like 3 other programs and set your home page and search page. It has no point, there is no demand for it.
This "feature" is built into the bios of my new AMD Thunderbird motherboard, the Iwill KK-266 (nice MB by the way). It's not quite as evil as this article suggests. It is an attempt to get you to sign up with their ISP.
;-)
Unless you activate it within the bios "phoenixNet-enabled PC" and agree to their ISP partnery, you never hear a word from the program. It sits quietly on your bios and never contacts the mothership.
Also from my mother board manual:
1. User reads system information from graphic launch screen
2. User registers MS Windows and completes MS OOBE.
3. User accepts/Rejects PhoenixNet service
4. User accepts/Rejects PhoenixNet ISP Partnery
5. PhoenixNet and ISP icon appear on desktop.
Some machines require this data to be in the database so that hardware engineers can enable upgrades on your system. For example, you can get an S/390 with some of the processors turned off and it'll cost you less. Then, if you expect processing to hit a peak (Like, around Christmas maybe, if you're a retail outlet) you can pay IBM some money and they'll enable the other processors for a limited period of time. Several of the disk array products work the same way. You can buy an 11 terabyte array and only want to use 1 terabyte of it. You can turn on more disk storage as you need it and you get billed for the extra storage as you turn it on. If the machine doesn't report back when it's supposed to, a friendly IBM CE will visit to repair your defective device. I don't know what those guys bill out at. Used to be $120 an hour.
Unlike the desktop segment of the population, IBM and its customers view this as business as usual, allowing IBM to deliver faster and better service to the customer. Sure it means IBM has more control over the system than it otherwise would have, but the customers often don't want to be bothered with the thing anyway. They just want it to work. They're paying a premium for just this feature as well as the IBM brand name.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Yet another case of a great idea and excellent engineering gone wrong due to ridiculous business practices (management?)...
Mike Roberto
- GAIM: MicroBerto
Berto
Well, I can start off by saying I watched AntiTrust last night. Wonder if there's a partnership in the making sometime soon with Phoenix and umm "Nurv".
Seriously, does this exciting new "feature" work with all the newer versions of Windows too? Like ME, 2000 and XP? Or just 98? (Can't imagine buying a new machine with 98 on it anymore.)
5 Steps to buying a computer:
1) Go to computer store.
2) Buy computer.
3) bring home.
4) Format Hard drive.
5) Install Linux.
FLR
Can anyone recommend an alternative, non-snooping BIOS maker? Award apparently merged with Phoenix.
Oops. Sorry about that. Proper link here.
What's next? M$IOS, which automatically installs the next version of windows and charges your credit card? In the race for money today, it seems that screwing over the customers is looked upon as good business sense...
I doubt this is beyond the realms of possibility, and once some clever hack has figured out how to do it the skript kiddeez will soon get hold of it. Hell, maybe it could even be tagged onto a VB app and turned into an Outlook worm - cue millions of cracked boxen that can only be made safe by flashing the BIOS, and how many regular (i.e. non /. visiting) users have the first idea how to do that?
Please someone tell me if I'm just scaremongering here (and give details), but I do genuinely believe this is a problem waiting to happen.
I run everything through a dedicated linux router/firewall/server. it will not be upgraded. when it dies, it will be replaced by ... the same thing. Since all my other connections would have to go through it, I can cut off the phone-home on ANY application, firmware or not.
Use my userscript to add story images to Slashdot. There's no going back.
"Here is a list of the system board makers that are PhoenixNet-enabled. "
Ask for them by name, and just say no.
And new, more intrusive features are coming. Here's PhoenixNet's pitch to resellers:
This needs to be publicized in the mainstream media. It's far worse than the Intel Pentium III serial number fiasco.
It also needs to become well-known to corporate IT managers, who aren't going to want those things on employee desktops and won't like all those unauthorized outgoing connections.
There are the whole privacy issues, etc... but I have a stupid question: What does a BIOS (Basic Input/Output System) have to do with push technology?
Seriously can I get a low level hard drive interface in my AOL Messager? I want my memory timings driven by my Email Client. I also think that the chip on my sound card should be able to download stock updates through hardware and my CMOS should store my Internet Explorer book marks.
What ever happened to "Do one thing well"?
Oh wait, I guess I forgot BASIC INPUT/OUTPUT these days involved http connections behind my back.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Sent: Wednesday, June 20, 2001 2:48 AM
To: pnetcust_serv@phoenix.com; pnet_tech_sppt@phoenix.com; public_relations@phoenix.com
Cc: robert.blincoe@theregister.co.uk; editors@tomshardware.com; news@arstechnica.com; henry.kuo@anandtech.com
Subject: re: PhoenixNet BIOS - backdoor whether I like it or not?
Phoenix,
I certainly hope that the information about PhoenixNet on your site [http://home.phoenixnet.com/about/index.html] is incomplete, or that I'm misinterpreting it.
My interpretation is that there is no way for me to disable PhoenixNet on a hardware level, that the program will run in Windows whether I like it or not.
I consider this an unconscionable invasion of my privacy and a theft of my computing resources. I think that you're going to get lots of backlash and bad press, and you'll deserve all of it.
I for one will never buy a motherboard equipped with a PhoenixNet BIOS, nor will I install one in any of the dozens of PCs I manage.
Yours,
/me
"We all say so, so it must be true!"
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Easiest way is to not run windows.
But if you must, here's how to remove it. Uninstall Phoenix net in the windows, and in the bios change Phoenix net from installed = yes to No.
Phoenix net is installed when you install the drivers from the motherboard and you go with the defaults rather than choosing your own options.
4.1 PhoenixNet Introduction
PhoenixNet is a service that provides PC users with best-of-breed, free, software services to support their PC hardware and software and to turn their computer into a powerful tool for communication, entertainment, education and business.
4.1.1 Internet Launch System
The PhoenixNet Internet Launch System (ILS) is a patent-pending technology built into the firmware to enable online PC users worldwide to communicate with PhoenixNet and to receive the free PhoenixNet services. ILS resides safely within ROM and is activated the first time a user launches a PhoenixNet-enabled PC with a Windows 98 Operating System.
4.1.2 PhoenixNet Online Services
When the PhoenixNet ILS detects an Internet connection, it makes contact with the PhoenixNet server and delivers user-selectable services from PhoenixNet's Internet Partners. These services are delivered to the user as hotlinks on the desktop and in the web browser or, as applications that PhoenixNet automatically packages, downloads and installs.
We are not far now...
--
Wooden armaments to battle your imaginary foes!
The clueful will figure out a way to defeat this feature. The clueless will get what they deserve.
It's a good thing this is only a Windows-only deal. It's not just a bad idea, it's outright deranged.
The BIOS is firmware. That's all it is, and that's all it should behave as. And the point about reflashing BIOSes is worth remembering -- don't forget that nasty little firmware update that B&W G3 Mac users had to deal with last year.
I'd go so far as to say that it's a shame that OpenBIOS and LinuxBIOS aren't as far along as they could be -- at least the early IBM PC users could look through the listing for security holes and such. This is just flat out ridiculous.
(For the record, the LinuxBIOS idea seems to be a pretty specialized design -- too clunky and potentially difficult to maintain IMHO. I wouldn't use it personally, though OpenBIOS seems to have potential even if it's a comatose project.)
/Brian
I'm surprised that no one has already posted this.
Microsoft has placed very strict limits on what customizations vendors can do on systems before they ship. Microsoft wants Windows to control the horizontal and the vertical. Well, there's another player in town with a pretty large market share, and the tactical high-ground: Phoenix. The BIOS rules the machine, not Windows. I'm positive that this feature was requested by the systems vendors, and it's just a case of them fighting back against one of their suppliers who has gotten a bit too pushy.
Well, if I owned a WebTV then I wouldn't care. But when your motherboard becomes the pretense for a marketing tool you might want to be a little concerned.
Using your processing cycles, bandwidth, and connection time for their own purposes? Sounds like "Theft of computers services" to me. It would be interesting to see that used *against* corporate computer stupidity.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Sounds like the pilot (I think) episode of Lone Gunmen on Fox involving a CPU with a built-in modem to report secret stuff back to the eeeevil hardware corporation. Before you know it they'll have ethernet adapters built into the video cards and wireless adapters built into hard drives, so they can track your every activity. Time to cover the computer with tin foil now too (you should see my cat...)
TCP/IP in the BIOS no problem, Linux BIOS does it. Heard of LOBOS?
--- Nukes don't kill people psychopathic megalomaniacs do.
I'm so sick of all these crappy features the BIOS companies are adding to their chips. There should be two common goals on their minds:
1. Boot in under 1 sec to the Operating System.
2. Be able to turn off all the startup mess and boot directly to whatever startup screen you want.
Basically this will enable you to make your computer look like a PS/2 if you were really creative.
Maybe the linux bios can help with these goals...
What idiot put the Submit button next to Preview button?
This one did... haha. Sorry, I just couldn't resist that one.
-----
-----
"The only difference between me and a madman is that I'm not mad." - Salvador Dali (1904-1989)
I wasn't sure I wanted to post this, because it could possibly give away my "secret identity", but...
A friend of mine is reasonably high up at Phoenix. He had been working on a "secret project" that he wouldn't tell me anything about, but he told me that it was going to be big. Of course, I badgered him for information, but he wouldn't tell.
Well, I had lunch with him one day not long after PhoenixNet was announced. I asked him, "so what's up with this PhoenixNet thing?" He replied, "what do you think of it?"
I then went on to totally trash the idea, saying why it wouldn't work, that people wouldn't stand for their BIOS downloading advertising, on and on. I railed on for quite a while. I might've even called it a "stupid idea".
Then I said, "hey wait a minute... is this the secret project you've been working on??"
He said, "Yes. It was my idea."
Oops. I kind of grinned sheepishly. Huge case of "open mouth, insert foot."
--
Sometimes it's best to just let stupid people be stupid.
Karma whorin' since 1999
Guess what? Award is made by Phoenix, and will have the spyware.
But this does sound like a promising business opportunity for AMI.
Liquor
Liquor
Sanity is a highly overrated commodity.
This may be as simple as the plug-n-pray bios reporting a new "device" - and when WIN whatever installs, it detects the device and installs the drivers. Fortunately, this will NOT work on other operating systems - yet.
Nonetheless, it's scary just how many consumers they are going to get their hooks into whether it is wanted or not.
And do you want to bet that if this IS the way it works, then Microsoft will include a default driver for the device that connects to MSN instead?
Liquor
Liquor
Sanity is a highly overrated commodity.
Easiest way for it to work is to have the motherboard plug-and-pray report a new device - a "PhoenixNet" device - that needs no resources, just a driver - and when Windows whatever goes looking for the device driver, they provide one that will link the bios routines (which are not really necessary - but they do make it hard to patch) to the tray and icon applications.
What worries me is that Microsoft may approve of this because the drivers for this 'device' will be Windows only - It would be quite easy for an un-handled ACPI request or similar 'keepalive' mechanism to make *nix systems crash without a driver installed. (And this would also prevent a Windows system from completely uninstalling their software, too.)
Liquor
Liquor
Sanity is a highly overrated commodity.
http://home.phoenixnet.com/privacy/pcusers.html
This is BIOS-level spying and advertising, even from Phoenix's partners. I think most users will not even know it is installed (by default). The only way to get rid of it is flashing your BIOS, which is quite a dangerous operation for the common user.
"No way"; the whole idea of BIOS doing that sort of thing within an OS seems crazy -- installing items on a filesystem by the BIOS would be, reasonably possible probably -- but detecting a network, constructing packets, and independently talking with their little site? I doubt that.
/etc/motd (ala desktop -- i'm assuming that Phoenix will make use of the advertisement opportunity; but that I think you can count on.) oh yeah and sending your hostname, browser name, and of course random /etc/passwd snippets to the vendor!
What they're probably doing is a whole lot simpler and more plausible too... Since their BIOS can't do things like access the network itself, they have to depend on software they have the user (or the OEM) install on the system.. by making their `windows driver software' for supposed components on the motherboard include other software that simply launches an internet client they could do what they need without any involvement from the hardware; *Recalls flashbacks of 'MSN Network' setup icons mysteriously appearing on desktops of new windows installations and the desktops of any new user profile being created that drove him crazy*.
While it may be theoretically possible for a BIOS to implement its own network layer and a separate IP stack, to have built-in know-how to scan the status of modem/NICs to detect not only that a network is present but that the network is connected to the Internet; it is extraordinarily unlikely that this is what is happening -- it would simply be a waste if Phoenix could just as easily have software installed on the system's hard drives through traditional means.
The idea that their entire system (hardware drivers, client, network code, DNS stuff, etc) could be reasonably contained within BIOS ROM is preposterous in my opinion.
I think what is more likely, however, is that those who install software provided by Phoenix or those using pre-built systems with their BIOS get this installed by default and the otherwise traditional software might be able to make use of 'special BIOS hooks' which could have been created for its benefit...
In my opinion, this is similar to the makers of web browsers setting a default page of their maker; example: netscape's home.netscape.com; Microsoft's www.msn.com -- the difference? Phoenix is selling BIOSes, not client software: this is akin to buying a calculator program and having its installation add banner ads to your
Hmmmm, what did you say your Phoenix Technologies BIOS serial # was?
clickity-click
Oh dear, looks like your hard drive has been disabled. No, I can't fix it from here, but I have a friend who lives by you and could fix it in his spare time, he charges about $200/hr. Uh-oh, looks like one of your RAM chips just went!
He who joyfully marches in rank and file has already earned my contempt. - "Big Al" Einstein
I don't see what all you people are jumping up and down about. I haven't seen this thing in action, but from what I can gather, it doesn't have anything to do with the BIOS _at all_. It's a gadget that comes on the motherboard's driver disc, that you install in Win98. Probably the only thing it does with the BIOS is grab some activation code, just to keep non-Phoenix users from using the software, so they can license the "technology" to other makers.
The BIOS doesn't know TCP/IP (if you're on cable/DSL), nor does it know your ISP's phone number. Just like a winmodem is really just a sound chip with an RJ11 jack, and needs a windows driver to do the real work; this PhoenixNet thing is just some placeholder-data in the BIOS, with a windows driver that does everything.
-Billco, Fnarg.com
Does anyone know if VMWARE that is shipped with a PHX BIOS has this same problem?
"There is not much code yet, but discussions have gone quite far." - from the openbios webpage. In similar news ford is now producing floating cars that run on solar power. or discussing it, or something...
sell your certainty and buy bewilderment
Remember the Microsoft anti-trust trial? One detail that emerged was that Microsoft does not permit OEMs to perform modifications to the desktop, startup sequence, etc. This means that the OEMs can't give the user a "custom experience" or differentiate their machine from others using Microsoft's software.
This Phoenix BIOS trick lets OEMs skirt the Microsoft OEM license by performing the customization after the user has the machine.
So, in one way, I say "kudos" to Phoenix for figuring out how to subvert Microsoft's restrictive OEM licensing agreements in this way.
On the other hand, I'd like to understand more technical details of the feature, whether it could bite me while I'm trying to use Linux, etc. Has anybody turned up relevant patents?
Hate stupid software on freshmeat? Laugh at
I just bought a WD 30 GB hard disk last week and after I put it in my computer I noticed my inet access was slow. When I checked the task manager I saw that the G*Ddamn "Data lifeguard" program was being loaded onto my system via the internet. I haven't even formatted the drive yet and Windows (98se) hasn't assigned it drive letters. I did boot off of the floppy that came with it and ran the utility to make sure that the disk was in ata100 mode, but I didn't save any changes. I am assuming that something in the disk's boot sector initiated the download but I found it quite disturbing and thought that I would mention it since Best Buy is selling these for $99 and a lot of you might have bought them, S.
"Laws are like sausages, it is best not to see them being made" Otto Von Bismarck
It sums up everything, and also contains key (annotated) paragraphs from the PhoenixNet site (so if you're too afraid of evil scripts to visit the PhoenixNet site, you can see it safely from this site). The main page of cexx.org (no relation to anything disgusting; it stands for Counterexploitation) has other helpful and interesting pages about spyware, foistware, backdoors, scams, and such. Most of it pertains to Windows, but there's some other cross-platform/no-platform topics there (including a way to make the CueCat output raw barcodes without requiring any software intervention.)
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
We have a right to expect honest, open behavior.
Before we buy a product, we have a right to understand anything that might make us change our minds.
Bush's education improvements were
Yet another reason to switch to OpenBIOS.
This sig intentionally left blank.
Script Kiddies rarely come up with the hack themselves... They let someone else build the tool, and then double click the icon.
+++ UGUCAUCGUAUUUCU
Hello Phoenix Helpdesk, what can I do for you?
>Hey it's me, the new kid in the IT department, and I can't seem to remember my password.
No Problem, *tickclickclick* your new password is *****
>And now we are on the phone anyways, what was the dial-in number to connect to the network from home?
That's (insert telephonenumber here), is that all?
>Yes, thank you.
*dialing into PhoenixNet Network*
Upload your Windows Auto Linux installer to be started with the ISL and sit back and wait, reboot all win98 machines....
PhoenixNET user wakes up in morning, looks at his computer, who changed the start button for a big foot ?
Tralalala.....party on.....
Do you mean your CueCat? And what about your mouse? :-)
karma capped
text
-- RTFM:Slackware::Beer:Saturday
support.intel.com/design/PentiumIII/prodbref/
What idiot put the Submit button next to Preview button?
-- RTFM:Slackware::Beer:Saturday
The other problem I have with this is that, as I understand it, all requests and calls go through the BIOS. I'm talking about file requests.
>Phoenix: Hello, our systems indicate that you have a copy of Chicken Run on your computer. We CRC'd it and that matches up with the CRC of an illegal DivX rip of that DVD. In accordance with our new partnership with the MPAA we have reported you to the FBI who will be coming by between the hours of 4:00 and 8:00 to seize your computer. Please be home to let them in.
Ok, so that's far fetched, but what if?
>Phoenix: Hello, we see that you have a file named necked _underage_boy.jpg We have reported you to the FBI. Thank you for buying Phoenix.
I'm NO fan of purveyors of child porn (they should be shot) but the file name is just to make a point. You could be busted for having how_to_make_a_kick-ass_pipe_bomb.txt
I can't find any documentation on how Phoenixnet works myself but my guess is that it's a BIOS extension like pcibios or apmbios for which you can probe and get an entry point using int 0x1a or int 15. It's not something that could feasibly wrestle control over the machine away from the OS. Like mysidia said, the phoenixnet BIOS simply can't come with drivers to support every network device (dsl..) or modem that is out there. Even more so it won't include filesystem code to actually store ads in _files_ on your computer. It could do so on a dedicated partition but accessing the same filesystem from two filesystem drivers at once is asking for trouble :-). For it to work it will definitely have to have help from the OS.
Fears that the BIOS will set up an internet connection at three o'clock in the morning are therefore unfounded unless some dumbass Windows driver actually gets the phoenixnet entrypoint and calls into romcode. I doubt that we're going to see Linux or *BSD drivers doing that anytime soon. The really paranoid among us could fix this for good by tracing the int 15 / 1a code till it gets to the phoenixnet BIOS extension probe and then nop that one out.
From a technical viewpoint, putting Phoenixnet into the ROM really doesn't make any sense at all. From the way marketing sees it, plenty. That way they have an application that is always installed on the computer, whether Microsoft wants it or not.
Maybe someone could hack this to make his/her motherboard automatically work at getting first post!
The Moo went "Cow!"
Has anyone thought what a great hack it would be to use this system to add a lojack into your machine? Just overwrite the ip of pheonix.net and put in your custom lojack server ip and now, whenever the machine is used, you get reports from where it is coming from. And since it's in BIOS, they can't just wipe the hard drive, scratch your name off the cover, and pretend it's just a "used" machine.
"Your superior intellect is no match for our puny weapons!"
As an option, this would make sense, be it that it should be announced in big red letters 'ET PHONE HOME?', and the default should be off. It's just another one of those 'helping illiterate users vs. protecting their privacy' issues, and I'd say that this scores pretty low on a privacy related scale.
...
Even if functions like this are options, there should be an authority checking companies collecting these kinds of info, and their use of it.
My experience, having access to and having designed several database driven internet sites containing sensitive information like credit card numbers, addresses and phone numbers and such, is that usually the intentions of the company are clean (if money orientated of course) but the real danger arises from very sloppy security, security being only available at extra expense, which is exactly what most companies are not willing to do.
Same goes here: how would this kind of information be sent (SSL?). Would it be stored at Phoenix? If yes, who would have access to the database containing the info? Etc. Etc.
---
Living is a way of life
---
"The chances of a demonic possession spreading are remote -- relax."
While some people question the feasibility of this system to exist on the BIOS ROM (ie, too many components), remember the most important aspect of this phoenixNet script: Windows (98). While it's not confirmed that it can run on other flavors of Windows (good god, I used flavors and windows in the same sentence), we must assume that ME is also compatible. 2000 and XP are a bit of a stretch. Next, take into account the piss-poor (it's all relative) networking capabilities of Windows. I wouldn't doubt that there is some file somewhere in the Windows OS that acts as a flag for a network connection. After that, there's the network device. Windows, once again, stores all that info in the registry. Tricky part is understanding it. Couple hundred kilobytes can do that, along with cloning the driver info. All this stored on the new, practically empty (but still corrupted by M$) HDD. And finally, the actual code to execute the "phone home" portion. Low level communication via TCP/IP isn't that hard, if you know how to construct packets from scratch. A few more kilobytes can take care of the initial handshake + serial #. The rest of the program can be run on the HDD. See? It's not that difficult. Give some BIOS engineers this project for a few weeks, and they'll spit out the same thing. Nevermind the ethics, because as my Econ 301 teacher used to say: "In order for capitalism to thrive, greed must be considered 'good.'" Yay capitalism!
----
O Viespatie! Vel Desreles! Man bloga.
O man, Sausage again! I'm sick of it.
IWARS.
People, in general, disappoint me. Politicians even more so.
Automatic is the part that I don't like. But if they can implement a lot of checks saying, we are going to automatically do such and such, is it alright, then I'd say, it's an added bonus for stuff like this. Whatever happened to that advertising banners in bootup idea? Is this what has become of it?
-------------------
Insert Witty Remark Here ===>____________________________
This, combined with Intel's next generation of processor serial numbers and Microsoft's online product activation essentially guarantees that someone at tech support can laugh as your computer secretly downloads updates that don't work to the exact person who registered the product.
The future of corporate disaster has arrived at last.
I would be semi-interested in exactly how this works. If it were highly configurable and able to turn off and on it could be nice for someone like my mom. From what I have read it seems as though they are trying to be a bit sneaky about it and that usually means it's pure crap.
Until now, hardware and Software Providers had been two different entities (almost). If this works, in short time, we'll see Microsoft doing the same, making it even harder for alternative OS to get their share of the market.
However, this shouldn't happen, due to the lot of companies making computers, so Microsoft would have a hard time making alliances with them.
If this finally happens, the situation would be similar to Apple's (Hardware and Software Monopoly), but we know that one reason to the failure of Macs, is the monopoly on Hardware they have...
Would be cool to be able to apt-get a complete Debian system onto your disk through your BIOS, no? That way you wouldn't even need a boot floppy.