[ art / civ / cult / cyb / diy / drg / feels / layer / lit / λ / q / r / sci / sec / tech / w / zzz ] archive provided by lainchan.jp

lainchan archive - /cyb/ - 30357



File: 1465182052780.png (69.05 KB, 235x300, 13339516_1739718032938481_1243825434913723065_n.jpg)

No.30357

Thinkpads might not be your best option at the moment.

  No.30359

Give more details.

What kind of access is necessary to do this?

  No.30365

We definitely need more context. Is this a locally executable exploit? Is is attached to the boot by network functionality ( remote exploitability)?

  No.30366

And also what thinkpads are affected? I already don't trust modern lenovo from the last couple of years with all the bullshit they've pulled lately.

  No.30368

Unless your hardware is fully free, there's always going to be a backdoor.

>>30366
Affected Thinkpads:
https://support.lenovo.com/us/en/product_security/smm_attack
(javascript required)


>>30359
Physical access.

  No.30369

Dammit. Now I have to flash the BIOS since mine is affected.

Thanks for the heads-up, OP.

  No.30371

Well luckily mine aren't affected but it does suck the x220 is one of them as I've been wanting one. Still it doesn't look too terrible if it requires physical access. I hope we don't see like used thinkpads with third party compromised BIOSes now. Oh well I hope if I ever get one of the listed ones I can install libreboot without too much hassle.

  No.30383

If you're allowing a 3rd party to access your machine without your permission, you deserve it.

  No.30402

Can we have a rule against threads like these?

This is a /g/-tier thread. Post a screenshot, a generic bait-level title, and no other information. Probably one of the lowest quality threads I've seen on /cyb/ since I started browsing.

In other news, luckily my ThinkPad isn't affected. But yeah, like >>30383 said, why would you ever allow 3rd party access to your machine anyways?

  No.30407

>>30402
Easier said than done if you ever leave your house with your thinkpad (hackerspace, school, work).

  No.30410

>>30407
I bring mine to school and work a lot, I just have it in my backpack. As long as you keep your personal belongings secure, this shouldn't be too hard to keep from happening.

But that said, the main point is this vulnerability shouldn't have been there in the first place. Shame on Lenovo for allowing something like this. As they say: A fanboy of a product will proclaim there's nothing wrong with a brand's products, even if there are blatant problems. A true fan will hold their beloved company accountable for any mistakes and issues, knowing that it will cause them to make higher-quality products in the future.

  No.30416

Whatever happened to the old adage "physical access is root access"?

  No.30511

I remember this from a DEFCON talk. It affects more than just Lenovo machines.

Just found it: https://youtu.be/QDSlWa9xQuA

  No.30514

File: 1465336981440.png (98.26 KB, 200x196, Heckert_GNU_white.svg.png)

tfw libreboot

  No.30521

Glad it doesn't affect my x200. That said, unless you get your ass beat and shit stolen by the megacorp security officers, its not something that people are gonna be able to exploit seeing as it needs physical access.

  No.30537

>>30357
>>30368
>>30416

This doesn't require physical access to the machine, it can be run from both Windows and Linux with just an (admin?) shell. Here's a blog post by the same author on a similar issue:

http://blog.cr4.sh/2016/02/exploiting-smm-callout-vulnerabilities.html

  No.30583

>>30357
Lenovo released a patch for this I think.
looking for a link now

  No.30584

>>30583

Follow this link >>30368 and select your model to download a update that fixes this.

  No.30586

>>30368
>Escalation of Privilege
>Execute arbitrary code
>Severity: Medium

What could be more severe than that?

  No.30590

>>30586
Something that doesn't require a kernel exploit to work remotely.

  No.30593

File: 1465439814123.png (36.04 KB, 200x119, Game-of-Thrones-586544.jpg)

>>30357
Stop using UNIX, and switch to Windows;
For the screen is black, and full of errors.

  No.30596

>my memepad ain't affected
X60 with libreboot for life

  No.30597

>>30596
But I DO want to buy another ThinkPad. What are the chances it gets intercepted and fucked with in some NSA workshop since I've done my share of shady and cryptic things in the past?
If it is intercepted, is there a way to find out?

  No.30599

>>30597
100%

Buy used on craigslist.

  No.30609

>>30599
What a fucked up and backwards society we live in where we have to be more watchful of our own gubbernmint stealing our information and threatening our freedom than actual terrorists or spooky 1337 hackers.

  No.30610

>>30609
Spoilers: the only actual terrorists are states.

  No.30612

Will someone list the affected thinkpads here?

I shouldn't need to enable javascript to see if my model is on the list. I tried viewing the source, but it's hairy.

  No.30619

>>30597
You're just paranoid. I doubt the NSA would care about a mere lainon like us.

  No.30621

>>30619
They care about everybody datawise.

  No.30624

File: 1465484778523.png (31.18 KB, 200x143, special_hardware.jpg)

My strategy when in interception would be to intercept them right back.

I want to have my next machine chipped so that all I/0 will be fire-walled on my behalf.
A thin client layered above to the physical world so to say.
Just because it is possible.

  No.30625

What kind of sick fuck of a person even gets a job at the NSA? Nearly EVEYRYONE in the country if not the world hates their guts for being so fucking useless and offensive.

  No.30626

>>30625
Thats some pretty broad assumptions. I imagine people who work at the NSA are attracted by what they'll work with (military hardware, backdoors etc).

  No.30628

>>30626
Then why not join the actual military where they also have that sort of tech?
I'd imagine many of them would probably be more inclined to join up with psychological operations just to fuck with people. It's the same with police- not all are sadists who get off to having power over the weak, but it sure as shit attracts the type.

  No.30637

>>30625
>What kind of sick fuck of a person even gets a job at the NSA?

math/security PhDs who love their cuntry. Not to mention they pay a shit-ton.

>>30628
>Then why not join the actual military where they also have that sort of tech?

I have a friend who does military tech. He says most of his time gets wasted doing pointless shit, the contractors and DARPA are the ones who make all the interesting military tech.

  No.30640

File: 1465501374997.png (123.97 KB, 190x200, shibirerudarou'd.jpg)

>>30637

Working at DARPA would be pure sex. Fuck the money (though they have lots of it), the projects they fund are far more interesting than any sci-fi I've ever read.

For those who are unaware, these are the guys who funded ARPANET https://en.wikipedia.org/wiki/ARPANET which eventually became the Wired.

You owe them your testicles.

  No.30641

>>30640
Near-fucking impossible ever getting into it though when you consider they only have like 200 people working in there.

  No.30642

The NSA pays shit actually. It basically guarantees the only people working there are patriotic nutjobs who would go back in time and shoot Jefferson in the face if it fought terror.

Also nobody who works at DARPA is a scientist (by trade at least), they're grant managers who award grant money to academics. DARPA is just the DoD NSF.

  No.30644

>>30642
>they're grant managers who award grant money to academics. DARPA is just the DoD NSF.

yes, and if you're funded by DARPA you're working for DARPA.

>The NSA pays shit actually.


I know that they offer cryptograpehrs pretty nifty packages.

  No.30645

>>30644
Well, you're not employed by DARPA, you're a professor at your university and DARPA gives you a grant. By that account probably a few thousand or even ten thousand "researchers" (processors, post docs, grad students, undergrads) working on DARPA projects. (I make that point because a lainon up thread said "working at DARPA" which is a common misconception.)

These projects are pretty mundane, though. I think the DARPA grants I've been near have been about program verification and security (but boring stuff). DARPA funds about half of American computer science. They're just another NSF.

If you're a career mathematician, federal payroll might be very competitive, but the pay grades you live in as an NSA developer are crap compared to even other contractors in the DC area. If you work for the NSA you're basically dooming yourself to a life of drudge work you can't talk about, long commutes on the BW parkway or worse, I-95, and a medium sized house in Colombia. Most developers say fuck that when they could live in DC or NYC, get paid more, and have better quality of life. The people who work for the NSA either want federal pensions/a government job (overtime, no real management, no real budgetary pressure), or are fascists.

  No.30653

>>30619
This, but you can buy off craigslist if you're too noided.

>>30621
Yeah, but noy enough to sick T.A.O. on a lainon who only pirated S.E.L. and Cowboy BeepBoop.

>>30624
wat?

>>30628
The military's culture is a shit. Other feds get treated like real people.

  No.30719

Thank god I librebooted mine when I did

  No.32434

>>30368
whew, I'm clear.

  No.34105

List of ThinkPads affected:


ThinkPad Edge E130
ThinkPad Edge E145
ThinkPad Edge E431/E531
ThinkPad Edge E440/E540
ThinkPad Edge E450/E550
ThinkPad Edge E455/E555
ThinkPad Edge S430
ThinkPad Helix (20CG, 20CH)
ThinkPad Helix (3xxx)
ThinkPad L430/L530
ThinkPad L440/L540
ThinkPad S1 Yoga (Non-vPro)
ThinkPad S1 Yoga (vPro)
ThinkPad S431
ThinkPad S440
ThinkPad S531
ThinkPad S540
ThinkPad T420
ThinkPad T420s
ThinkPad T430, T430i
ThinkPad T430s
ThinkPad T430u
ThinkPad T431s
ThinkPad T440/T440s/T440u
ThinkPad T440p
ThinkPad T450 (Broadwell)
ThinkPad T450 (Shark Bay)
ThinkPad T450s
ThinkPad T530, T530i
ThinkPad T540, T540p
ThinkPad T550
ThinkPad Tablet 10 (32-bit)
ThinkPad Tablet 10 (64-bit)
ThinkPad Tablet 8 (32-bit)
ThinkPad Tablet 8 (64-bit
ThinkPad Twist/Edge S230
ThinkPad W530
ThinkPad W540, W541
ThinkPad W550s
ThinkPad X1 Carbon (20Ax)
ThinkPad X1 Carbon (20Bx)
ThinkPad X1 Carbon (34xx)
ThinkPad X131e (AMD)
ThinkPad X131e (Intel)
ThinkPad X140e (AMD)
ThinkPad X220
ThinkPad X230, X230i
ThinkPad X230s, X231s
ThinkPad X230 Tablet, x230i Tablet
ThinkPad X240/X240s
ThinkPad Yoga 11e (20D9)
ThinkPad X250 (Broadwell)
ThinkPad X250 (Sharkbay)
ThinkPad 11e
ThinkPad Yoga 11e (20D9)
ThinkPad 11e/Yoga 11e (Broadwell)
ThinkPad Yoga 12
ThinkPad Yoga 14 (Broadwell)
ThinkPad Yoga 14 (Sharkbay)
ThinkPad Yoga 15

  No.34108

>>34105
>x60*, x200 off the list
mfw

  No.34113

>>34105
good thing there's no t60 or t61's on there. woo.

  No.34114

>>30368
>X201
Wew lad just barely made it

  No.34140

>>34114
yeeee boi

On the other hand my work laptop is fucked.

  No.34143

>>30368
So I have win7 dual booted on my x220 for work (also running debian). You're saying I can fix the bios problem if I install the update from windows? Will this screw anything up on debian?

  No.34145

>>34143
yup, i just updated my bios today via lenovo system update tool in windows 7 and my debian testing install did not break.

  No.35345

>>34105
>mine isn't on the list
God is real and He is merciful.
That's still quite a lot of affected models, though.

  No.35352

>>35345
my new L440 already had the new BIOS in it. No problemo.

  No.35618

Moved to >>>/tech/26955.