Jump to content
Not connected, Your IP: 18.191.93.18
InactiveUser

How Lenovo & MS backdoor your OS

Recommended Posts

Lenovo is now using rootkit-like techniques to install their software on clean Windows installs, by having the BIOS overwrite windows system files on bootup.

(from https://news.ycombinator.com/item?id=10039306)

 

Starting with Windows 8, Microsoft even facilitates this process:

 

in Windows 8+ any PC vendor can include an .EXE in Firmware/BIOS, and Windows will look for this on each boot, and run it right before you log in. This is called "Windows Platform Binary Table". This is something Windows does, and there is no way to turn this off. To me, this is the bigger story, because vendors may now start to use this method to install anything, making a clean windows install impossible.

(from https://news.ycombinator.com/item?id=10046957. More info on Windows Platform Binary Table)

 

 

My thoughts on this:

 

Proprietary software makes free and secure computing impossible.

 

"Just install Linux" doesn't fix anything: Your BIOS/UEFI still runs proprietary code, doing stuff behind your back and against your will.

 

"Just install a free BIOS (coreboot)" doesn't fix anything either: Recent intel CPUs are managed by a "separate CPU within the CPU". That separate CPU (Intel Management Engine) has its own, proprietary, irreplacable firmware.

It has DMA (= direct memory) access to the entire system memory and can access the networking adapters in a way transparent to the OS.

(from http://www.coreboot.org/Binary_situation)

 

 

Under the guise of providing new feautures for "convenience" and even "security" (see Secure Boot), hardware companies turn free computers into proprietary appliances.

 

 

What can we do?

  • Support alternative vendors such as System76, ThinkPenguin and Purism
  • Support "open hardware" projects such as Novena, with the hope of carving out a niche for truly free, open source and secure computing
  • Support organizations such as FSF and EFF
  • Engage politically! Lobby against freedom-inhibiting developments such as compulsory non-free routers

     


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

 

What can we do?

  • Support alternative vendors such as System76, ThinkPenguin and Purism
  • Support "open hardware" projects such as Novena, with the hope of carving out a niche for truly free, open source and secure computing
  • Support organizations such as FSF and EFF
  • Engage politically! Lobby against freedom-inhibiting developments such as compulsory non-free routers

 

I'd replace Purism with Libreboot.

I know, Libreboot is running mainly on Lenovo laptops but they have been freed of all proprietary firmware. This is what I'd call free.

 

I read a lot about Purism and I liked the enthusiasm at first but I am afraid that this is looking more and more like a charade to me. Purism's goals are noble but sound like an individual promising world peace. I'd love to be proven wrong and I am not an expert but most of the experts who have been working years on this subject aren't anywhere near what Purism is talking about.

 

I don't trust the latest hardware because more and more backdoors seem to be implemented. I use older hardware, my latest laptop is from 2010.

Share this post


Link to post

I agree with you about Purism, there are a lot of question marks and unfulfilled promises. I chose to include it in my (non-exhaustive) list because supporting any alternative vendor helps in the sense that it shows demand for alternatives. None of the projects I listed are truly free: the Novena comes closest, but even they had to reverse-engineer the 3d/video drivers.

Once we show demand in the millions, we can push hardware companies to build stuff that doesn't require reverse engineering. If Purism and all their publicity helps us get to such numbers - even if Purism are mostly hype with little substance - I'm fine with that.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

I just wanted to add a link where one can buy preconfigured libreboot computers:

http://minifree.org (fka gluglug)

 

I agree with you about Purism, there are a lot of question marks and unfulfilled promises. I chose to include it in my (non-exhaustive) list because supporting any alternative vendor helps in the sense that it shows demand for alternatives. None of the projects I listed are truly free: the Novena comes closest, but even they had to reverse-engineer the 3d/video drivers.

Once we show demand in the millions, we can push hardware companies to build stuff that doesn't require reverse engineering. If Purism and all their publicity helps us get to such numbers - even if Purism are mostly hype with little substance - I'm fine with that.

 

If they would help the cause I'd be all in. Hell, I almost preorderd one of the Librem but I went for the libreboot (fortunately).

I am having mixed feelings because it looks like it is all about money. It is most of the time. Yesterday there has been a tweet from Purism making fun of libreboot computers (the account has been closed now & there has been an apology). This is not the first time I am getting the impression that Purism is all talk and no action. The good thing is that some of the projects like coreboot, libreboot and companies dedicated to building Linux friendly laptops/computers are getting more attention.

 

I hope that more people care but I fear that the demand will not grow enough for big companies to build laptops respecting your freedom a little more. On the contrary.

 

Look at Snowden and his leaks. Most people don't want to hear about him anymore. I am asking myself - why?

 

Share this post


Link to post

Hello !

 

Slight thread necro here, but I think it's worth it, due to the good content OP posted, which deserves more attention. I just wanted to add to it:

 

A security researcher found exploitable SMM code in Lenovo Thinkpads.

 

The problem is: this stuff runs like 2 layers below the BIOS. Meaning that virusscans, changing the OS and even firewall/networking rules don't work.

 

So even if Lenovo did fix these things, it still shows the importance of fighting for our hardware & software freedoms.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

Good God; I had no idea it had gotten so bad. I haven't bought a laptop in many years, but I will be needing a replacement soon. Could someone please suggest a late model laptop that would be free of snooping. Unfortunately I never learned linux so I need to run Win 7 and can install my own OS. Any suggestions will be much appreciated. Thanks.

Share this post


Link to post

Good God; I had no idea it had gotten so bad. I haven't bought a laptop in many years, but I will be needing a replacement soon. Could someone please suggest a late model laptop that would be free of snooping. Unfortunately I never learned linux so I need to run Win 7 and can install my own OS. Any suggestions will be much appreciated. Thanks.

That's a tall order. The problem is that even if you ran Linux, there's still software which runs on the various pieces of hardware in the laptop. This software is called firmware. In principle, we don't know

what this firmware does, if it's not open. Maybe you should take a crack at Linux anyhow, it's not too late. You could download a distro like Ubuntu or Linux Mint and burn it to a CD. This CD could then be used as a

"live CD", which would let you try out the OS without actually installing it. Alternatively, you could download virtualbox and run a Linux distro in there. You don't have to be a command-line guru to use it.

 

There's options to buy laptops pre-installed with Linux

 

Heck, you don't even need to install anything. You can just try it in  your browser!

 

As the OP said, providers like ThinkPenguin provide laptops which are perhaps less prone to snooping.

 

But really, it's kind of an oxymoron to not want snooping, yet insist on running Windows, sorry. Windows is governed by Microsoft & is closed-source. MS being MS, it most likely has backdoors; just check Windows 10

 

I recommend you watch this.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

I suggest people read up on UEFI to see how *Expletive Deleted* their motherboards are in reality.

https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface

 

I will not mention my specific complaints here. The forums does not need the encyclopedia of things I dislike about it. You can read and see what irritates you if you like.

 

But I will say that I really do agree with Linus Torvalds about some of the issues.

 

Lenova is not doing anything uncommon among system makers. They are using UEFI as a club to bash our security into dust. Shame on the entire world.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

Alright. I will attempt a brief and mostly non-technical explanation.

 

UEFI is the successor to BIOS. BIOS was used for decades to handle the motherboard and all the hardware attached to it. But as time went on, BIOS became really complex. Now instead of Asus and Dell (Just two random PC makers. All others could be listed here.) each having to make separate BIOS for their systems, they can use UEFI and a few tiny specific modules for their hardware to work with it.

 

There are unfortunately many failures with UEFI. A notable one is on Apple systems as well. UEFI is being used to tell you what software you can install and run on your system. At this time, I think there are exactly three identifiers that a bootloader can choose from for UEFI to allow it to boot. The short versions of the names is Microsoft Windows, Red Hat Enterprise Linux, and Apple OSX. (I am sure I am off by a bit on the exact choice of words for the options here, but this is enough for any Human to figure out what I meant.)

 

So UEFI is actually designed to require most free operating systems to lie and say they are one of these three non free operating systems. And that has already caused some legal problems for Linux distributions.

 

And this is just for the bootloader. There is plenty more problems with UEFI that can and will be a problem later.

 

@sigmund_freud So far, the problem this thread is about has not been found on an Apple system. They may be fine.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

Alright. I will attempt a brief and mostly non-technical explanation.

 

UEFI is the successor to BIOS. BIOS was used for decades to handle the motherboard and all the hardware attached to it. But as time went on, BIOS became really complex. Now instead of Asus and Dell (Just two random PC makers. All others could be listed here.) each having to make separate BIOS for their systems, they can use UEFI and a few tiny specific modules for their hardware to work with it.

 

There are unfortunately many failures with UEFI. A notable one is on Apple systems as well. UEFI is being used to tell you what software you can install and run on your system. At this time, I think there are exactly three identifiers that a bootloader can choose from for UEFI to allow it to boot. The short versions of the names is Microsoft Windows, Red Hat Enterprise Linux, and Apple OSX. (I am sure I am off by a bit on the exact choice of words for the options here, but this is enough for any Human to figure out what I meant.)

 

So UEFI is actually designed to require most free operating systems to lie and say they are one of these three non free operating systems. And that has already caused some legal problems for Linux distributions.

 

And this is just for the bootloader. There is plenty more problems with UEFI that can and will be a problem later.

 

@sigmund_freud So far, the problem this thread is about has not been found on an Apple system. They may be fine.

 

You can compare the BIOS-UEFI thing to how cell phones evolved. First you had a handheld device capable of calling and being called on the go. If you were to implant a fully featured CPU into it and write a versatile OS for it, you'd get a smartphone.

Same with UEFI. Don't let it just start up the computer and load the next OS. Let it be a computer itself. Let it be.. UEFI.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

thank you so much for your replies, i kind of get it now!

If you have other questions, please don't hesitate to ask


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post
Guest

Yes I am also on a spymachine.  A g510 I believe

Share this post


Link to post

Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

 

Let's pretend we didn't suspect it and we're so shocked and surprised, like Oh my, we didn't know that, how could it be, we really didn't see that coming, god help us all!!!1!!!111!!!


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Hehe, well for some people it is shocking


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

In every single implementation I have heard of, UEFI sounds like a rootkit at best. So I cannot understand how anyone would be surprised by this.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

In every single implementation I have heard of, UEFI sounds like a rootkit at best. So I cannot understand how anyone would be surprised by this.

Well I suppose it's a bit like with Snowden. Many people always suspected something bad was going on. But then they got actual evidence, which was still shocking.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

In every single implementation I have heard of, UEFI sounds like a rootkit at best. So I cannot understand how anyone would be surprised by this.

Not surprise just didn't care but I like to explore this different boot options.

 

Sent from my SAMSUNG-SM-N920A using Tapatalk

Share this post


Link to post

Not surprise just didn't care but I like to explore this different boot options.

 

Sent from my SAMSUNG-SM-N920A using Tapatalk

Then you might like this boot option: NSA and other TLOs can boot your cell phone camera, mic and GPS with your phone turned "off".

Share this post


Link to post

That leaves the only option for real privacy is to remove the battery from your phone. Very very annoyingly (and probably not coincidentally), most cell manufacturers are emulating IPhone in not allowing battery removal. FUCK!!!

Share this post


Link to post

most cell manufacturers are emulating IPhone in not allowing battery removal. FUCK!!!

 

I don't know why they do that. I can imagine it having something to do with costs and what people do with broken phones.

Most people just buy one of the newest phones if their old one breaks. I think they realized it costs less if they produce spare parts for guarantee cases only rather than offering it for everyone.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

It may indeed be cheaper, due to unibody design.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...