No pony in this race

Story: Boycott Lenovo? Total Replies: 9
penguinist

Aug 26, 2015
11:28 AM EDT
Well, as a Linux user who wiped /dev/sda on his Lenovo Yoga Pro in order to create a pristine Linux machine, I find myself not really caring a lot about what software Lenovo pre-loaded on that disk. Whatever was on it was destroyed without even a trial boot or even a reading of its EULA.

If there is any sort of a Lenovo boycott it should probably come from their Windows users. I don't have a pony in this race.
NoDough

Aug 26, 2015
2:19 PM EDT
penguinist wrote: I find myself not really caring a lot about what software Lenovo pre-loaded on that disk.


Do you care about what software they load in your firmware?
penguinist

Aug 26, 2015
4:22 PM EDT
NoDough: Yes I would certainly care about that, it would be a dealbreaker for me, but I have no evidence or even serious reports of Lenovo ultrabook hardware having compromised firmware. If you can point me to something concrete on that, then I'll be happy to change my attitude. :)

I do periodic packet capture analysis at the point in my network where I connect to an external provider. If there was unusual Lenovo activity from my pristine Linux installation I would likely know about it.

For now, unless I hear something more concrete, I'm considering the Lenovo Yoga Pro hardware to be clean.
seatex

Aug 26, 2015
6:12 PM EDT
I sometimes boycott companies just out of principle. Even if they admit and stop doing something horribly awful, the fact that they did it in the first place forever destroys my faith and trust in their products. I'm afraid Lenovo now qualifies under my principles.
CFWhitman

Aug 27, 2015
11:00 AM EDT
Well, this software from Lenovo is actually in the firmware, and is not technically a rootkit, as it has been described in many places.

The reason why it has no real effect on a Linux installation is because it is designed to work with a Windows feature, the Windows Platform Binary Table (WPBT). The WPBT is a feature in recent versions of Windows allowing a PC manufacturer or a corporate IT department to load Windows drivers or software into a computer's firmware and have it automatically installed into Windows whenever Windows is loaded and the driver/software is missing, especially with a fresh Windows install.

The idea is to make it easier to deploy certain drivers and/or software to new installations of Windows. It is an interesting feature, but it does not seem well thought out. It's not as useful as one might think, and it is too easy for something to go wrong and create a security hole, which is exactly what happened in this case.

In a corporate setting, where this feature is the least intrusive, it's not really all that useful. The software or drivers would have to be loaded once on the firmware of each machine. Most corporations have better ways to deal with drivers and/or software they want loaded onto machines. They create an image for each hardware type that has every low level item loaded the way they want it, and they use Windows policies to load the rest.

When used by the PC manufacturer, this feature can be intrusive and create a security risk, both of which happened here. It was intrusive in that Lenovo support software was being installed automatically for people who were hoping for a clean install and were not intending to reload the Lenovo support software (some people aren't just incompetent, but really do not want it installed, Lenovo). It also created an exploitable security hole in this case (theoretically, it could have been implemented securely), and fixing this hole is what caused Lenovo to issue the firmware update which removed this feature and publicly advise that its customers apply it.

This behavior appears to be non-malicious in nature (unlike the Superfish fiasco). However, it is certainly a case of bad judgment by Lenovo if nothing else.
seatex

Aug 27, 2015
11:44 AM EDT
Trust, once lost, is very difficult to restore.

U.S. Navy Doesn’t Trust Lenovo With Their Weapon Systems

http://www.eteknix.com/u-s-navy-doesnt-trust-lenovo-with-the...
mbaehrlxer

Aug 27, 2015
11:48 PM EDT
to summarize: let's preload the drivers, and when someone reinstalls windows the drivers are still on the machine and will be reinstalled right along with the new windows, whether i want to install them or not. and then someone at lenovo decided to sneak in a "driver" with unwanted features.

seatex: i'd like to know whether they also stop trusting windows...

greetings, eMBee.
seatex

Aug 27, 2015
11:56 PM EDT
> seatex: i'd like to know whether they also stop trusting windows...

Does this answer your question, eMBee?

The Navy’s newest warship is powered by Linux

http://arstechnica.com/information-technology/2013/10/the-na...
JaseP

Aug 28, 2015
12:34 AM EDT
By the way,... That ship is Captained by none other than Capt. James Kirk...
CFWhitman

Aug 28, 2015
8:43 AM EDT
Incidentally, according to Microsoft's documentation for WPBT, it's only supposed to be used for software that is essential to Windows booting properly and accessing storage on the hardware that you're using because for anything else, you can just load it afterward. This idea makes the feature seem more practical, but something rarely needed, and certainly not to be used the way Lenovo did.
