
Lenovo: researchers find 'massive security risk'

104 points| _airh | 11 years ago |bbc.co.uk | reply

110 comments

[+] orthecreedence|11 years ago|reply
It seems from the article that the best way to handle this is to uninstall all the trash that comes with a new computer (or hell, reinstall windows from scratch). Do I need Lenovo's power management tools? No. Do I need its Wifi connection manager? No. Windows has all this stuff already and it works really, really well.
[+] dheera|11 years ago|reply
In my case, when I received my Lenovo the first thing I did after opening the box was unscrew the case and change the drive for an SSD. Before even powering it on once. But yeah, if I used the default HDD, I'd at least reformat it first thing. I'm a Linux user though, so I'd have to reformat it anyway, but I'd still reformat it even if I were a Windows user.

Microsoft, Google, Apple, Ubuntu, et al. all make decent OSes that are designed to, um, work. I don't get why manufacturers don't get this simple fact and always have to tamper with stuff. For the less-technical people out there, can't we have a "Nexus" sort of PC manufacturer who prides themselves in selling with ONLY vanilla OSes and as-standard-as-possible hardware components?

[+] yuncun|11 years ago|reply
What is the motivation for Lenovo to keep making that software? I can't imagine it would be cheap for them, and I find it hard to believe people buy their products for the preinstalled software; are there other reasons?
[+] ZanyProgrammer|11 years ago|reply
Several years ago I tried to do a fresh Windows install on a ThinkPad Edge (their cheapo wanna be TPs), and I found out that I needed their power management software. I can't remember off the top of my head what the problem was, but it was quickly solved by downloading Lenovo's management tools. I just wanted things to work, so I didn't investigate further why my nilla install of Windows didn't work.
[+] brudgers|11 years ago|reply
I just bought a used five year old ThinkPad X201 Touch. One of the things I did with Lenovo's [new] upgrade software was upgrade the BIOS. Their software also offers fine grained control over lots of other proprietary hardware...e.g. the Watcom digitizer and security chip. It also offers fine grained control over the trackpad and function keys.

And the great thing is that Lenovo is keeping all that stuff current to support an ancient-in-internet years piece of hardware. This isn't HP consumer machine crapware...this is the stuff that costs Lenovo money not something they get paid to pre-install.

[+] tsomctl|11 years ago|reply
On a Thinkpad T500, you do need Lenovo's special power management tools. Otherwise, the CPU fan will never spin up and your processor will overheat.
[+] vog|11 years ago|reply
> reinstall windows from scratch

That will usually "restore" the crap as well.

You might be better off installing a Free Software operating system from scratch. (e.g. OpenBSD for the security fanatics, or any other *BSD, or Solaris, or some Linux distro.)

Even better: Buy a laptop without any operating system. However, in some cases this may make the laptop more expensive. (e.g. what if Lenovo gets paid by crap providers for pre-installing?)

[+] ams6110|11 years ago|reply
Where do you get the installation media? I haven't seen more than a "system recovery disk" shipped with a consumer machine in at least a decade.

And I don't know about Lenovo, but I know that on the Dell laptops I last dealt with I could never get a stock Windows 7 install to be stable without downloading Dell's drivers for the video card at minimum.

[+] drzaiusapelord|11 years ago|reply
We buy Lenovo. It's great hardware. We put in a custom image. The default image is a nightmare. I can't stress how terrible their applications are, even by the low standards of OEM default Windows apps.

I hope Win10 brings in more control from MS. The status quo really sucks.

[+] ebbv|11 years ago|reply
Two things:

1) This particular malware may be removable by reformatting and installing from a clean copy of Windows (which may not even be available without a separate purchase, since it's likely that the recovery disc that comes with the laptop contains the same default software installation.)

2) Reformatting and reinstalling to remove the malware requires knowing that there's a problem, which you wouldn't have if the articles about it hadn't come out.

[+] themeek|11 years ago|reply
Lenovo has, for years, been banned from US government use. They even have a patent on recovering TPM keys (http://www.google.com/patents/US8908867).

It is well known (via Snowden) that the US installs backdoors into US hardware and software for export to China, and it has for at least 15 years warned about the same from imports.

So none of this is particularly new. What is new is that the US is now moving against China on all fronts to prevent it from acquiring superpower status - to isolate it economically and politically, to block its trade and international investment programs, and to increase the risk of its using its military (with the second largest funding of any nation) to project power lawfully in the Asia Pacific.

So these articles come at a good time for the US.

You should not trust pretty much any hardware - recent revelations have shown that products come with backdoors; that is, the article does not establish the absence of 'security flaws' by other manufacturers.

[+] drzaiusapelord|11 years ago|reply
There's a big difference in intercepting packages and installing backdoors in a targeted and legal way, at least according to SCOTUS who have zero problems with our status quo SIGINT operations thus making them lawful - and massive cyberwar attacks from China and cooked in state mandated malware.

I know HN hates the US and thinks China and Russia are bastions of liberty and human rights, but the US's methods are a million times more ethical than autocratic states in regards to SIGINT. Heck, Putin had Kaspersky give him information on journalists he didn't like. Meanwhile, my Russian friends on VK are always bugging me about citizenship and H1bs. Yeah, they WANT to come here, pal. They hate it there, they aren't blinded by anti-US, anti-UN, anti-NATO propaganda so popular here. They're gentle geeks in fear of a dictator who could eliminate them at any moment.

If I had the power and wealth I would hire them all and bring them to the states. Every. Single. One.

>China on all fronts to prevent it from acquiring superpower status - to isolate it economically and politically,

We power their economy via our manufacturing and via the sales of our products. If anything they are close economic partners. Are we moving all of our manufacturing to Mexico or something? Seems to me the US is very much tied to the success of China. I can't interpret your statement as anything but incredibly dishonest. Does our national firewall block alibaba now? Oh right, we don't have a national firewall. They do. Hell, my own company is tortured by their VPN and censorship limitations. This is a daily headache for me and I'm TRYING TO DO BUSINESS WITH THEM. If anyone is business hostile it's them - to us. Hell, they outright block Google services on Android.

> and to increase the risk of its using its military

This is asinine. China is unilaterally taking over disputed islands with zero attempts to use diplomacy, the UN, etc. The Japanese, Korea, and others have claims on those islands. Why are you dismissing their rights? Because they are "evil US" partners as well?

Meanwhile the Chinese prop up the worst state in modernity which has become a mass murder state we have not seen since Stalinist times. I was just in South Korea and it's complete madness that a modern democratic state needs to be terrorized by a client Chinese state 24/7 via a madman with nuclear weapons because the CCP likes to "stick it to America." The Koreans we met, drank with, laughed with, etc were no different than me. They bought us gifts and were so gentle, humorous, and loving (especially of children and the elderly) it breaks my heart to think they are one madman's decision away to shell Seoul which would destroy it, and them, in minutes. But I get to fly home to a secure nation because of our strong military and they get to sit there waiting for the CCP to tell their pet attack dog to invade or have their pet attack dog go off chain and shell a few things and blow up some nukes to terrorize them. It's depressing. The one man who had a son in the military was so proud of his son's service and showed us many photos, knowing full well, that kid is mincemeat when the North decides it's time to roll tanks with Beijing's blessing. The kid looked 16.

> to project power lawfully in the Asia Pacific.

This is pro-China bullshit right here. Lawfully by whose standards? The CCP? Oh okay. Only on a kiddie politics site like HN or reddit would a dishonest and extremely biased anti-US comment like yours be voted to the top. Grow up.

[+] nemoniac|11 years ago|reply
I've had a bunch of Lenovo Thinkpads. Each time, the first thing I do is wipe it and install Linux.
[+] loudmax|11 years ago|reply
Thinkpads have long had good driver support for Linux. Pity they don't sell a Linux notebook like Dell Sputnik.
[+] SixSigma|11 years ago|reply
> The other two flaws would allow attackers to gain a greater level of control over a system than they should have.

What level of control should an attacker have?

[+] mryan|11 years ago|reply
Some of these attacks are remote, some are local privilege escalation flaws.

The local attacker should have user-level access, but instead has admin/system-level access.

[+] hobs|11 years ago|reply
They probably rewrote "privilege escalation" to that sentence. So they probably have some sort of way to root the box after getting in as a standard user. Oops!
[+] DanBlake|11 years ago|reply
Kind of crappy title, and mostly old news.

Should be: Researchers: Lenovo computers contain 'massive security risk'

[+] lifeisstillgood|11 years ago|reply
So I feel like I missed a memo. Is there a list / primer on what we do and do not know about hardware backdoors, firmware backdoors and software backdoors?

This bothers me - a16z podcast also threw up a reference to "200 security hygiene" functions - keeping patches up to date and encryption at rest. But I can only get to about ten.

Is there an appendix in SysAdmin / O'Reilly I should read or do I have to watch all the CEF notifications and work backwards to what preventative action I should stick in my sh file?

It's a serious question - I just don't feel I know what is dangerous out there anymore let alone have it automated.

[+] badloginagain|11 years ago|reply
I have a Lenovo ThinkPad, if I blow away the stock version of Windows 8 I'm currently running with an incoming Windows 10, will that blow away all the Lenovo bloatware?
[+] hackuser|11 years ago|reply
> if I blow away the stock version of Windows 8 I'm currently running with an incoming Windows 10, will that blow away all the Lenovo bloatware?

It will remove the Lenovo applications, but the 'bloatware' and security risks could exist elsewhere, for example in BIOS or in a separate partition on the hard drive.

[+] hiby007|11 years ago|reply
Yes, generally that should do the trick.
[+] smarterchild|11 years ago|reply
https://support.lenovo.com/us/en/product_security/lsu_privil...

If this is considered "Medium" Severity, how bad would it have to be to become High?

[+] poizan42|11 years ago|reply
Something like the LSASS vulnerability used by the Sasser worm? http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0...

Or even worse - it's not inconceivable that some a bit too clever firmware for an ethernet or wifi device could be exploited by a specially crafted IP package that could be sent over the public internet. As such a device usually has DMA access that would be really bad. I don't think even "High" would be sufficient in that case though.

[+] brudgers|11 years ago|reply
I suspect that it would be a higher issue if the risk did not require the computer to already be infected with malware.
[+] jefurii|11 years ago|reply
Yet another reason to wipe the drive on a new computer and just install Linux...
[+] chaostheory|11 years ago|reply
Don't most people on HN already do this? I do use Windows but my Lenovo machines always run some variant of Linux.
[+] ryanlol|11 years ago|reply
I really don't think a privesc vulnerability on Windows can be considered a "massive security risk" at this point.