Yet Another Compromising Preinstalled "Glitch" In Lenovo Laptops

← Back to Stories (view on slashdot.org)

Yet Another Compromising Preinstalled "Glitch" In Lenovo Laptops

Posted by timothy on Friday August 21, 2015 @09:50PM from the hey-stop-catching-us! dept.

New submitter execthis writes: Japanese broadcaster NHK is reporting that yet another privacy/security-compromising "glitch" has been found to exist in preinstalled software on Lenovo laptops. The article states that the glitch was found in Spring and that in late July Lenovo began releasing a program to uninstall the difficult-to-remove software. The article does not specify, but it could be referring to a BIOS utility called Lenovo Service Engine (LSE) for which Lenovo has released a security advisory with links to removal tools for various models.

89 comments

Min score:

Reason:

Sort:

Who would have thought there was more? by Anonymous Coward · 2015-08-21 21:55 · Score: 0

I never would have expected more dodgy software on a lonovo... They said I could trust them!!
1. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-21 22:00 · Score: 1
  
  Lenovo is now a puppet for the Chinese government. Of course they will have backdoor to spy on you.
2. Re:Who would have thought there was more? by Z00L00K · 2015-08-21 22:04 · Score: 5, Insightful
  
  We are just seeing the tip of an iceberg here - we can't trust our computers anymore.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
3. Re:Who would have thought there was more? by PolygamousRanchKid+ · 2015-08-21 22:50 · Score: 1
  
  we can't trust our computers anymore
  Our computers? Even though I "bought" my computer . . . I'm not sure that I actually "own" it. There is probably a legalese expression in the fine print pf the documentation somewhere, that the manufacturer has a right to install any sort of spyware that they want on "my" computer.
  
  --
  Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
4. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 00:15 · Score: 0
  
  Easy fix: wipe the system and install Linux. No self respecting /. reader runs an OS provided by the machine manufacturer, with all the crapware preinstalled.
  That goes for Lenovo, Dell, HP, Asus, etc -- all of them.
  Help your friends and family get converted over to OpenSource!
5. Re: Who would have thought there was more? by Crashmarik · 2015-08-22 00:18 · Score: 1
  
  Easy fix: wipe the system and install Linux. No self respecting /. reader runs an OS provided by the machine manufacturer, with all the crapware preinstalled.
  That goes for Lenovo, Dell, HP, Asus, etc -- all of them.
  Help your friends and family get converted over to OpenSource!
  LOL and then watch the UEFI bios reinstall everything without telling you
  http://www.techworm.net/2015/0...
6. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 00:24 · Score: 0
  
  Wipe computer and reinstall windows without installing all the additional software that isn't needed. You get to keep running Windows and your favorite software without any Spyware being installed.
7. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 00:29 · Score: 0
  
  Your link proves my point. Everything on that page is about MS Windows. However, it is scary to know that their BIOS is installing executables in Windows installations.
8. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 00:29 · Score: 0
  
  Install Linux? Really? And get all sorts of crap from Red Hat installed, like systemd and GNOME 3, instead? I mean, it doesn't even matter which Linux distro I choose to install. All of the usable ones (not Slackware and Gentoo) come with systemd, and many use GNOME 3 by default. Yeah, I could waste my time trying to swap them out, but that defeats the whole purpose of using a Linux distro in the first place: it's supposed to provide a fully functioning system for me, so I don't have to waste my time creating one!
9. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 00:41 · Score: 0
  
  WTH? First off, I would not call RHEL "crapware". Secondly, you are in full control with GNU/Linux to install whatever you want. Don't like systemD? Install whatever init system you want, pick a distribution that uses your favorite init system by default, or write your own damn init system. Same for gnome3, it is just a DE, there are a plethora of desktop environments you can use instead.
  AFAIK: the only Linux software I know of that " phones home" is Canonicals Unity interface (default for Ubuntu) -- yet there are plenty of derivative Ubuntu distributions that do not use Unity by default. I'm not aware of anything in RHEL that "phones home" outside of yum to pull updates from RHEL Satellite (upgrade) servers -- and it just pulls updates, it sure as hell doesn't upload personal data.
10. Re: Who would have thought there was more? by RoverDaddy · 2015-08-22 00:46 · Score: 5, Informative
  
  The BIOS isn't installing apps to the hard drive (give it time?) As AC indicates this is a Windows-only issue. the BIOS -holds- an application that Windows helpfully detects and installs into itself on behalf of the hardware. A Linux system will totally ignore the app (which is Windows-specific anyway!!) sitting in the BIOS.
  
  --
  RETURN without GOSUB in line 1050
11. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 00:50 · Score: 0
  
  The BIOS isn't installing apps to the hard drive
  That's exactly what it's doing. Read the linked article.
12. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 00:50 · Score: 0
  
  Did you even read that comment before replying to it?
  The GP addressed every single thing you brought up, before you even brought them up!
  It's not just RHEL, and it's not that Ubuntu is any better. It's all Linux distributions that are infected with this shitty software.
  Here is where the GP addressed that:
  
  it doesn't even matter which Linux distro I choose to install. All of the usable ones (not Slackware and Gentoo) come with systemd, and many use GNOME 3 by default.
  And your "freedom to change or do it yourself" argument is bunk. Like the GP pointed out, having to do all that work negates the reason for using a Linux distribution to begin with:
  
  I could waste my time trying to swap them out, but that defeats the whole purpose of using a Linux distro in the first place: it's supposed to provide a fully functioning system for me, so I don't have to waste my time creating one!
  If you really insist on arguing, at least make arguments that haven't been refuted by the comment you're replying to, before you even replied to it!
13. Re:Who would have thought there was more? by drinkypoo · 2015-08-22 00:58 · Score: 1
  
  We are just seeing the tip of an iceberg here - we can't trust our computers anymore.
  You haven't been able to trust your computer since flash bios and/or programmable CPU microcode. If you've been trusting your computer between then and now, you're a rube.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
14. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 01:01 · Score: 0
  
  And did you read my comment? I specifically pointed out each thing he brought up and rebutted it, dumb-ass.
  He specifically went after distribution #41 (see distrowatch): RHEL, and then generalized that one distribution's DEFAULT settings as a negative against all of GNU/Linux.
  Not only can you customize RHEL to have whatever software you want, he blatantly ignored the hundreds of other distributions where likely one of them has the default packages he wants, ALL of them can be customized to meet his expectations.
  You sir, and the other guy basing Linux, are trolls.
15. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 01:13 · Score: 0
  
  Well, who is right? Is the BIOS installing the software, or is Windows pulling the software from BIOS and installing it itself? This sounds more like a "feature" of Windows...
16. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 01:17 · Score: 0
  
  Are you sure. What is written into the update? What is your unit inputting with the call request? On, it lists what program and what version, what else? Location? Laptop or main unit identification? What is changed? What else? How do you know if that update is secure? If there is not a updated terms of service that violates one of your security settings, or do you go back and reset all you settings after each update? What do you expect grandma to do? Do you question your blind obedience now? What if unbuntu was compromised? Or became windowwise? Or worse yet, mackwise? No one is smarter the those who would comprise your system. They don't warn you when they do it.
17. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 01:31 · Score: 0
  
  Of FFS, how difficult is it to read the fucking article. The BIOS (or rather the UEFI firmware) replaces a file on the disk. It does look for a Windows file on an NTFS partition, so it does not affect Linux, but not for a lack of opportunity.
18. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 01:35 · Score: 0
  
  You didn't "rebut" anything.
  You obviously didn't even understand what you were reading!
  He obviously wasn't talking about "Red Hat" as in RHEL, the distribution. He was obviously talking about "Red Hat" as in the company that employs developers working on despised software like systemd and GNOME 3.
  Lennart Poettering and Kay Sievers are among the main creators of, and contributors to, systemd. Both are employed by Red Hat, currently.
  You should also learn more about GNOME. That article notes that "GNOME is developed by The GNOME Project, which is composed of both volunteers and paid contributors, the largest corporate contributor being Red Hat."
  And it's not just RHEL and Fedora that force systemd on users by default. You can see for yourself that almost every major Linux distribution now includes systemd, and almost all use systemd by default.
  So it doesn't matter if you choose to install Debian, or Arch Linux, or SLES, or Mageia, or even Ubuntu, you're going to get stuck with systemd.
  The only distributions that don't include it are niche distributions that aren't as usable as the main distributions.
  I can see why the GP listed Slackware and Gentoo as being problematic. Slackware is too ancient to be practical, and Gentoo's philosophy of compiling your own packages from source is impractical.
  Reworking major parts of a Linux distribution, including the init system, is not practical for most Linux users, either, especially those coming from Windows.
  These people need software that works right away, which does not include systemd and GNOME 3, given the many, many, many, many complaints from people who have had severe problems with both of them.
  The point that you're obviously missing is that even if you choose to use Linux instead of Windows, you aren't any better off. Maybe you don't deal with shitty bundled software from some hardware vendor. But instead you get to deal with shitty bundled software coming from Red Hat.
  Don't portray Linux as being any better in this respect when the evidence shows that it isn't any better at all.
19. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 01:49 · Score: 0
  
  So you knock a company that stands firmly behind OpenSource, and even pays employees to write OpenSource software, gotcha. Why don't you go back to your virus infected Windows installations then.
  As for the majority of distributions switching to systemD: I guess they are run by a bunch of dumbasses too? You are so smart, why don't you create your own distribution and make the default packages what you want them to be?
  The point is, if there were enough people who shared your ideals then there would exist a distribution that followed your model. That is the beauty of OpenSource and free software in general, you are free to do anything you want. You are even free to bitch and moan, even though the most popular distributions use systemD by default -- I'm also free to sit back and laugh at your "problems", while you do absolutely nothing yourself to deal with YOUR self-perceived problems.
20. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 02:03 · Score: 0
  
  Might want to really read the article there, AC.
21. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 02:44 · Score: 0
  
  No, dumb-ass, you are wrong. This is a feature of MS Windows:
  http://download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx
  It is the Windows OS that is installing whatever software that vendors want. It is a friggin automated root-kit installer, enabled by Microsoft.
22. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 03:30 · Score: 0
  
  If you run Windows, you are SOL. This "feature" of Windows ensures that the binaries will get reinstalled even if you reinstall Windows from a clean retail copy of Microsoft's operating systems.
  Microsoft specifically enables this backdoor installation mechanism that Lenovo uses (abuses?) to install malware.
  Linux systems are completely unaffected because they do not auto-install crapware that vendors put into the UEFI/BIOS.
23. Re: Who would have thought there was more? by eggnet · 2015-08-22 04:27 · Score: 1
  
  If you have windows 7 the bios replaces the file. The feature you mention is only for windows 8 and 10.
24. Re:Who would have thought there was more? by Anonymous Coward · 2015-08-22 04:56 · Score: 0
  
  Fuck it! I'm buying an Amiga! No one should be spying on those -- they wouldn't know how!
25. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 04:59 · Score: 0
  
  You make it sound like the BIOS is mounting the NTFS partition (presumably while Widows also has it mounted and is booting), and replaces files without any help from the OS itself. I seriously doubt that is happening -- seeing as how MS added the backdoor so the OS will happily run executables found in UEFI (and those executables can do anything they want as part of the boot process).
  I suspect Windows-7 is immune from this Lenovo UEFI/BIOS attack, if as you say, the above "feature" was introduced in Windows 8.
  Perhaps you could link to a source showing the BIOS mounting NTFS and installing softwares while the OS is unaware?
  BTW: a BIOS "could" theoretically mount a position and do this, but I doubt it is happening (today). This is another win for Linux paired with CrytoLUKS -- impossible for a BIOS to be able to even mount an encrypted partition.
26. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 05:54 · Score: 0
  
  Yes, I'm sure:
  http://yum.baseurl.org/
  Check the code for yourself.
27. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 06:41 · Score: 0
  
  "And your "freedom to change or do it yourself" argument is bunk. Like the GP pointed out, having to do all that work negates the reason for using a Linux distribution to begin with:"
  This argument is complete nonsense. If you can't be bothered to customize your Linux install then go back to using windows. Linux was made for customization, so if that's a problem for you then you are using the wrong operating system.
28. Re:Who would have thought there was more? by Anonymous Coward · 2015-08-22 07:29 · Score: 0
  
  Or at least, anyone who trusts Lenovo needs his head examined. Saw this coming by the way.
29. Re: Who would have thought there was more? by Anonymous Coward · 2015-08-22 08:45 · Score: 0
  
  From a strict academic computer security standpoint, there remains a counterpoint that code on your computer that you know for a fact serves no purpose of the computer's owner (you), can only serve to increase the threat surface to the device. It's something you don't want to use. It's something your attacker might find convenient some how. Perhaps it allows their initial penetration to remain 'under the radar' of certain network detection measures. (i.e. now the attack code sent over the network is just a couple JMPs to much larger and more useful amounts of code already known available on the host.)
30. Re:Who would have thought there was more? by arglebargle_xiv · 2015-08-22 21:25 · Score: 1
  
  Funny thing about this, I have a business-grade Lenovo laptop, and whenever one of these stories has come out I've looked to see whether I've got whatever backdoor/malware is being talked about on my machine. Nothing. No trace of any of them. So it seems the way to avoid these things is to buy a business-market Lenovo PC, not a home/casual-user market one. Backdooring large businesses seems to be something they don't want to risk...
  (One possible reason for this is that apart from the political repercussions, you're paying a significant premium for their business-grade hardware, so they don't need to subsidise it with adware and other crap).
31. Re:Who would have thought there was more? by Z00L00K · 2015-08-22 23:38 · Score: 1
  
  Backdooring business is risky but also very profitable, just because you didn't see it doesn't mean that it's non-existent. It may just mean that it needs a specific trigger to get activated.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
32. Re:Who would have thought there was more? by Anonymous Coward · 2015-08-23 13:09 · Score: 0
  
  The tip of the iceberg was years ago with the Sony root kit.
What did they expect? by Anonymous Coward · 2015-08-21 22:00 · Score: 0

Didn't they think about the possible security repercussions before making this preinstalled? Or is this just another sacrifice on the altar of corporate pressure?
1. Re:What did they expect? by Anonymous Coward · 2015-08-22 03:16 · Score: 0
  
  The particular models were made for the peaseants (consumers) so it didnt matter. Corporations matter so the higher end models didnt have this crap.
WordPress Flash exploit .. by nickweller · 2015-08-21 22:12 · Score: 0

"Those sites are backdoored and redirect a victim’s browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits."

But can only be successfully exploited on Microsoft windows ..
Lenovo Ideacenter spyware too? by Anonymous Coward · 2015-08-21 22:18 · Score: 1

Are their PC's based on their laptops affected too? Stuff like the Idea Center?
IMHO, Lenovo are a piece of shit, I have an ideacenter of theirs and it won't switch on unless you unplug the network cable and power, press 'on' a few times, them plug them back in and press on. This is just yet another reason I won't buy any of their kit, PC, Android, phone.
And where exactly are the privacy laws ?: "The utility also sends non-personally identifiable system data to Lenovo servers"
Shitty article by buckfeta2014 · 2015-08-21 22:26 · Score: 5, Informative

Why even post this article. It's 2 lines. "Oh we found something", well good for you, how about telling us what you actually found?

--
Buck Feta. You know what to do.
1. Re:Shitty article by Anonymous Coward · 2015-08-21 23:02 · Score: 0
  
  Interesting indeed. It's says that the defect "could allow hackers to steal personal data" but all other details are omitted. Someone knows more than we do.
2. Re:Shitty article by Incadenza · 2015-08-21 23:15 · Score: 1
  
  Why even post a summary that is longer than the article? Doesn't make sense.
3. Re:Shitty article by Anonymous Coward · 2015-08-21 23:19 · Score: 0
  
  because.
4. Re:Shitty article by LVSlushdat · 2015-08-22 00:30 · Score: 1
  
  because.
  BECAUSE this is /. and THATS what /. does.......
  
  --
  THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
5. Re:Shitty article by Anonymous Coward · 2015-08-22 03:24 · Score: 0
  
  because.
  BECAUSE this is /. and THATS what /. does.......
  Why even post a reply that is longer than the parent? Doesn't make sense.
6. Re:Shitty article by execthis · 2015-08-22 04:17 · Score: 1
  
  I couldn't find any other news sites that had published anything about this. Also, NHK has shortened the article for some reason since I first saw it.
  However another good source of info is:
  How to Remove Lenovo's Alleged 'Bootkit' Software
  and also:
  Windows 10 Privacy Checklist mentions this issue
7. Re: Shitty article by Anonymous Coward · 2015-08-22 05:33 · Score: 0
  
  This site is more about talking about the news than anything else. So a long summary kinda makes sense.
Can't trust LOCKS anymore by Anonymous Coward · 2015-08-21 22:55 · Score: 2, Insightful

FFS, courtesy of the TSA backdooring luggage locks, even the locks are worthless these days.
http://boingboing.net/2015/08/21/make-your-own-tsa-universal-lu.html
Spotify decides to help itself to all your data on your phone on an upgrade. And Google make a phone that permits that.
Samsung installs spyware/helpware on their phones and tablets that let it take over the tablet remotely and do *everything*, read everything, fake SMSs intercept calls, the lot. Hackers backdoor this and suddenly people are aware their stuff is just spyware only because hackers 'misuse' it, as if that feature was ever useful.
HTTPS/TLS is backdoored because certificate authorities are NSA backdoors.
Uber has its 'god' app that spies on its customers wherever they go and whoever they meet with.
It's like governments have abrogated their duty to protect people from this kind of shit and companies like Uber and Lenovo are having a field day.
1. Re:Can't trust LOCKS anymore by ShaunC · 2015-08-22 05:58 · Score: 1
  
  It's like governments have abrogated their duty to protect people from this kind of shit and companies like Uber and Lenovo are having a field day.
  Governments love this shit. The more data Uber and Lenovo and Samsung and Spotify collect about you, the more data the government can subpoena (or just take without a subpoena). These companies have become, in effect, agents of the government.
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
2. Re: Can't trust LOCKS anymore by Karlt1 · 2015-08-22 06:00 · Score: 1
  
  Spotify decides to help itself to all your data on your phone on an upgrade. And Google make a phone that permits that.
  Just checked my settings....Spotify has no access to my GPS, local contacts, or photos. I don't understand what this particular out cry was. Spotify can ask for whatever information it desires, but users are free to just say "no" when my phone asks me would I like to give it access.
3. Re: Can't trust LOCKS anymore by Anonymous Coward · 2015-08-22 06:36 · Score: 0
  
  Which half of the users will say "Yes, go ahead and take control of my entire phone, I don't know how to use it properly anyway, Google and android wouldn't do anything to hurt me right? Right?
4. Re: Can't trust LOCKS anymore by Anonymous Coward · 2015-08-22 15:20 · Score: 0
  
  No Spotify RELYING ON THE FACT THAT PEOPLE DON"T READ EULAS decided to grant itself the right to all your data in a contract change snuck in on an upgrade.
  When it was spotted, reported and caused outrage, their CEO backed down.
  http://www.wired.com/2015/08/cant-squat-spotifys-eerie-new-privacy-policy/
  However the EU Privacy right, defines some decent rules for this: 1. You can't collect data not needed for a transaction, 2. You can't keep it longer than needed, 3. You can't cross link it to other data to expand its scope.
  All thrown out the window as companies have stolen peoples private data for their own use.
Fuck it by Anonymous Coward · 2015-08-21 23:02 · Score: 0

Fuck lenovo, just fuck it...
Its a dumb feature by Karmashock · 2015-08-21 23:54 · Score: 5, Interesting

The last thing I want is my firmware getting updated automatically.
I'd really like for all writable memory in my computer to be removable. And that includes the bios memory. Have it be a micro SD card or something.
Here someone will say it will make the machine take 1 second longer to boot up or OH NOES the mobo will cost 10 cents more to make. But its worth it. It means you can audit the system to check for viruses really easily. You pull the chip, plug it into a clean system, and scan it. Or if you prefer... wipe it. Write the whole thing with ones then zeros... and then flash it with a proper version of the bios.
And this also means that corrupted bios memory is less of a problem. You can pull the chip. Sure, if the processors or something else is damaged then this won't help. But i've had a few mobos that were totally fine except the bios was so corrupt you couldn't flash a fresh version. With this change, that problem is gone.
Cue people saying "you can't do that because no one has done it that way yet"... climb a fucking tree so I can throw bananas at you then, you filthy animal! :-D

--
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
1. Re:Its a dumb feature by drinkypoo · 2015-08-22 00:12 · Score: 2
  
  What I want way more than removable is I want bios write enable jumpers back. Some motherboards have them, but they are rare. I buy Gigabyte boards, so they have dual BIOS, so I'm not worried about my BIOS being taken out. If I had a WP jumper, I wouldn't be concerned about it being maliciously overwritten, either.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
2. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 00:25 · Score: 0
  
  A write protect jumper would be an improvement, but not a solution. Once you have a compromised BIOS, it is very difficult to detect the infection and practically impossible to clean it in a way that removes all doubt, because you can't do it from a known clean system. In the old days, BIOS flash memory was in a socketed chip, so analyzing it externally was an option, although very few people had the means. But at least the option existed. The idea of completely avoiding non-removable writable persistent memory in the design of a host computer is the right one. Read only memory should be kept to an absolute minimum, just enough to load the actual firmware from a removable medium, like a micro-sd card (which has a dead simple access protocol).
3. Re:Its a dumb feature by drinkypoo · 2015-08-22 00:28 · Score: 1
  
  A write protect jumper would be an improvement, but not a solution. Once you have a compromised BIOS, it is very difficult to detect the infection and practically impossible to clean it
  If I have control over the WE line on the flash, who cares? But if that's your criteria, why not just give JTAG or similar access to the flash? The pins would be cheaper than socketing the chip, using an MMC, whatever.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
4. Re:Its a dumb feature by wbr1 · 2015-08-22 00:42 · Score: 1
  
  There were and maybe stillbare, enthusiast mobos with two BIOS chips. Fry one you could flash the other. Could also open up easy BIOS hacking or alt replacements.
  
  --
  Silence is a state of mime.
5. Re:Its a dumb feature by drinkypoo · 2015-08-22 00:57 · Score: 1
  
  There were and maybe stillbare, enthusiast mobos with two BIOS chips. Fry one you could flash the other.
  Gigabyte used to do that, but I'm pretty sure they just use one big bios chip now. If the first bios fails to load they just tie one address line high (or low, but I think it's high) and try to load again.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
6. Re:Its a dumb feature by Karmashock · 2015-08-22 00:57 · Score: 4, Interesting
  
  I want the want the writable memory chip to be a micro SD card. or something equally easy to plug into another machine to independently wipe it and verify that its wiped.
  Let me add some additional benefits of this... DRIVERS.
  If we use an SD card, then we can put more stuff on it than just the bios. OR the bios could be fucking massive. Either concept has some interesting possibilities.
  Imagine if the OS queried the motherboard for drivers. We could store viable copies of the drivers the system needs to use most of the installed hardware. That's nifty. Reinstall... no need to go hunting around for the right driver files. Automatically installed... actually. Not in theory... but actually. Anyone that has built a lot of machines knows what I'm talking about.
  And a giant bios could mean the bios could have a lot of additional functionality built into it. Not just the man behind the curtain.
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
7. Re:Its a dumb feature by wbr1 · 2015-08-22 01:50 · Score: 1
  
  And guess what... The preloaded in flash driver for our USB 3 controller includes.....ad blaster rootkit 2.0a
  
  --
  Silence is a state of mime.
8. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 01:52 · Score: 0
  
  SD cards are unsafe, too, just so you know (see Bunny's, the Novena guy's, presentations)
9. Re:Its a dumb feature by Karmashock · 2015-08-22 02:46 · Score: 1
  
  Because I want to pull it.
  As to the added cost... I'll pay it. Fucking charge me for it. I'll pay the extra 10 dollars for the feature. Other people don't want to pay it? Don't. I want that feature. Its well worth the 2~10 dollars it would cost to do that.
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
10. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 02:46 · Score: 0
  
  Except for those BIOS chips that a soldered down.
11. Re:Its a dumb feature by Karmashock · 2015-08-22 03:10 · Score: 1
  
  ... yes if you drivers are infected then you'll have infected your machine. But if you have version control and known good copies then you can negate the issue by overwriting everything with known goods.
  You can erase and verify the erasure of all writable memory, then write the known good bios and drivers.
  Make constructive comments please. Anyone can gainsay anything. You can gainsay water, air, the Sun...its not hard to do. Be constructive. Its the only potentially useful thing.
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
12. Re:Its a dumb feature by Karmashock · 2015-08-22 03:16 · Score: 1
  
  http://slashdot.org/comments.p...
  "Cue people saying "you can't do that because no one has done it that way yet""
  I can't tell if you're kidding... or if I'm psychic but forgot to buy bananas.
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
13. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 04:43 · Score: 0
  
  It's worse than that, the Gigabyte bios (used to?) enables Host Protected Area on the first hard disk to store a copy of the BIOS. Even on a board that has two separate BIOS chips.
14. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 05:17 · Score: 0
  
  I think the Atari 2600 did this.
15. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 06:43 · Score: 0
  
  I'd really like for all writable memory in my computer to be removable. And that includes the bios memory. Have it be a micro SD card or something.
  You know, have a clue WTF you are talking about before you start talking. M'kay?
  Almost every chip has programmable firmware. That firmware is stored on-chip's flash. You have a disk drive? Firmware on it. You have a video card? Lots of firmware on that one. You have a south bridge? Firmware. You have a NIC? Firmware on there, running. Fan control? yeap, firmware on those.
  This stuff is either *hardcoded* into the chips, or it is made updatable. These days, it is made updatable so bugs can be fixed without the need to throw away your mobo and buy a new one. Heck, even your CPU has firmware - it's called microcode.
16. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 06:48 · Score: 0
  
  Drivers are related to the OS you're using. I dual boot and don't want to have to open my machine and swap out a memory card every time I switch. Maybe you haven't fully thought this through as this 'feature' would be a support nightmare and BIOS already have plenty of space. Motherboard manufactures can already add additional space, but they don't, likely because OSes change and drivers have bugs that get updated. You won't be able to update the SD card. If you take it out the computer won't boot as it won't have the proper drivers. If it's writable from within the OS then it'll quickly gain rootkits and viruses. So you need to have a second machine with a SD reader to update the card. Completely not worth it. Keep the BIOS small and simple, lets not try to bloat everything. Do one thing and do it well was and still is a good motto.
17. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 07:25 · Score: 0
  
  >l But if you have version control and known good copies then you can negate the issue by overwriting everything with known goods.
  And if I had some flour, I could make some cookies, if I had some sugar, milk, eggs, a clean kitehcn, an oven, and your mom to do the work. Sorry, but I have your mom busy with something else.
  I guess you'll have to do without the fantasy land of "if I have open source, I know everything is clean" approach to security.
18. Re:Its a dumb feature by Antique+Geekmeister · 2015-08-22 07:29 · Score: 1
  
  As soon as you put "removable" BIOS chips back, you have to provide physical access to that chip, you have to provide board space to mount it, it increases the price of the motherboard, and most important to security, it provides the possibility of corrupt vendor replacement of the BIOS chip with their _own_ socket replaced chip with only poweroff physical access, not console access to run the drivers or work with attached boot media.
  I'm not saying this is a greater attack vector: but it's one that has to be considered for high security systems.
19. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 08:12 · Score: 0
  
  The last thing I want is my firmware getting updated automatically.
  This is not about the firmware updating itself. There's a windows EXE file rolled out inside the BIOS flash, and an ACPI table entry pointing to it. Windows detects it, copies it to disk and runs it. The program then proceeds to download more files and installs the service. The "Computrace" theft protection service is probably based on the same mechanism, i.e. the service is reinstalled automatically, even if you install Windows fresh from a non-OEM CD.
20. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 10:16 · Score: 0
  
  We had that. It was called microchannel. It died for a reason...
21. Re:Its a dumb feature by Anonymous Coward · 2015-08-22 14:43 · Score: 0
  
  Because I want to pull it.
  As to the added cost... I'll pay it. Fucking charge me for it. I'll pay the extra 10 dollars for the feature. Other people don't want to pay it? Don't. I want that feature. Its well worth the 2~10 dollars it would cost to do that.
  Will you pay the extra $2-$10 on everyone else's motherboards too?
  Or the tooling costs for the "Karmashock Special Edition" model?
  No? Then pay an electronics guy with precise enough tools and skills to solder/jumper it in for you. It'll cost more than $2.
22. Re:Its a dumb feature by Karmashock · 2015-08-22 17:09 · Score: 1
  
  I would need to be able to physically pull the bios memory chip and plug it into another machine... and write lock it when I wasn't messing with it... to even begin to feel comfortable with this feature.
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
23. Re:Its a dumb feature by Karmashock · 2015-08-22 17:54 · Score: 1
  
  Not even remotely similar.
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
24. Re:Its a dumb feature by Agripa · 2015-08-24 07:08 · Score: 1
  
  The write protect jumpers were originally used because Flash memory at the time required an external high voltage supply for programming and the cheapest way to control this was through a physical jumper.
  I agree that controlling this through hardware is a good idea. The programming supply is no longer available for this but the write protect jumper could block the write strobe instead. Unfortunately some newer Flash memories do not have a separate write strobe either.
MADE IN CHINA by Anonymous Coward · 2015-08-21 23:56 · Score: 0

Did I even have to write that!
Buy AMERICAN And Buy Your Freedom!
1. Re:MADE IN CHINA by Anonymous Coward · 2015-08-22 00:13 · Score: 0
  
  USA! USA! NSA!
the article does not specify? by Anonymous Coward · 2015-08-22 01:08 · Score: 0

There is no fucking article and the text TFS links to does not specify anything. Do they have inverse snippet law in Japan now?
Good! by Anonymous Coward · 2015-08-22 01:51 · Score: 0

As a linux user and Thinkpad enthusiast, I very much welcome this kind of (software-only) bullshit: it will help lower the prices of great laptops :)
Why the old news? by Anonymous Coward · 2015-08-22 02:41 · Score: 0

This story broke 10 days ago, why is /. posting about it now?
1. Re: Why the old news? by Anonymous Coward · 2015-08-22 05:40 · Score: 0
  
  This is a discussion site. Notice how 99% of the articles are on another site. /. Is not about breaking news, it's for talking about whatever news we felt like voting up on today.
Simpsons did it by gavron · 2015-08-22 03:05 · Score: 1

Covered on slashdot ten days ago:
http://tech.slashdot.org/story...
"Those who do not learn from history are doomed to repeat it" - Santayana
E
Pro-Tip: Don't buy a goddamned Lenovo. by Anonymous Coward · 2015-08-22 05:14 · Score: 0

Three strikes and you're out. How many vulnerabilities / pieces of spyware does it take before we stop trusting a vendor?
1. Re: Pro-Tip: Don't buy a goddamned Lenovo. by Anonymous Coward · 2015-08-22 05:44 · Score: 0
  
  Literally everyone has had 3 vulnerabilities at least. So no more MS, Apple, HP, Dell....no more tech at all.
  If that was a rule, technology would be outlawed.
2. Re: Pro-Tip: Don't buy a goddamned Lenovo. by Anonymous Coward · 2015-08-22 06:51 · Score: 0
  
  These are blatant vulnerabilities though, that they added to their machines on purpose. Sony had their PS3 rootkit, but I can't recall mac doing something like this. Please link to those 3 instances where apple intentionally installed malware or their computers.
The real glitch is... by davidwr · 2015-08-22 08:55 · Score: 1

... it wasn't hidden well enough and somebody noticed.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Lessons won the hard way by villageelder1 · 2015-08-23 09:32 · Score: 1

Lesson to the wise: 1) Buy good, newish, used computers at a large discount off new prices and save money 2) Wipe the hard drive clean (or install a new one) 3) Install the OS of your choice (a Linux version is best) and save more money, and lastly, 4) Install whatever applications programs you want from a trusted Linux repository onto your hard drive and save even more money. End result: The only software residing on your "new" computer should be software that you want or don't mind having. Unfortunately, if you want something done correctly you usually must do it yourself.