[ art / civ / cult / cyb / diy / drg / feels / layer / lit / λ / q / r / sci / sec / tech / w / zzz ] archive provided by lainchan.jp

lainchan archive - /cyb/ - 30357

File: 1465182052780.png (69.05 KB, 235x300, 13339516_1739718032938481_1243825434913723065_n.jpg)


Thinkpads might not be your best option at the moment.


Give more details.

What kind of access is necessary to do this?


We definitely need more context. Is this a locally executable exploit? Is is attached to the boot by network functionality ( remote exploitability)?


And also what thinkpads are affected? I already don't trust modern lenovo from the last couple of years with all the bullshit they've pulled lately.


Unless your hardware is fully free, there's always going to be a backdoor.

Affected Thinkpads:
(javascript required)

Physical access.


Dammit. Now I have to flash the BIOS since mine is affected.

Thanks for the heads-up, OP.


Well luckily mine aren't affected but it does suck the x220 is one of them as I've been wanting one. Still it doesn't look too terrible if it requires physical access. I hope we don't see like used thinkpads with third party compromised BIOSes now. Oh well I hope if I ever get one of the listed ones I can install libreboot without too much hassle.


If you're allowing a 3rd party to access your machine without your permission, you deserve it.


Can we have a rule against threads like these?

This is a /g/-tier thread. Post a screenshot, a generic bait-level title, and no other information. Probably one of the lowest quality threads I've seen on /cyb/ since I started browsing.

In other news, luckily my ThinkPad isn't affected. But yeah, like >>30383 said, why would you ever allow 3rd party access to your machine anyways?


Easier said than done if you ever leave your house with your thinkpad (hackerspace, school, work).


I bring mine to school and work a lot, I just have it in my backpack. As long as you keep your personal belongings secure, this shouldn't be too hard to keep from happening.

But that said, the main point is this vulnerability shouldn't have been there in the first place. Shame on Lenovo for allowing something like this. As they say: A fanboy of a product will proclaim there's nothing wrong with a brand's products, even if there are blatant problems. A true fan will hold their beloved company accountable for any mistakes and issues, knowing that it will cause them to make higher-quality products in the future.


Whatever happened to the old adage "physical access is root access"?


I remember this from a DEFCON talk. It affects more than just Lenovo machines.

Just found it: https://youtu.be/QDSlWa9xQuA


File: 1465336981440.png (98.26 KB, 200x196, Heckert_GNU_white.svg.png)

tfw libreboot


Glad it doesn't affect my x200. That said, unless you get your ass beat and shit stolen by the megacorp security officers, its not something that people are gonna be able to exploit seeing as it needs physical access.



This doesn't require physical access to the machine, it can be run from both Windows and Linux with just an (admin?) shell. Here's a blog post by the same author on a similar issue:



Lenovo released a patch for this I think.
looking for a link now



Follow this link >>30368 and select your model to download a update that fixes this.


>Escalation of Privilege
>Execute arbitrary code
>Severity: Medium

What could be more severe than that?


Something that doesn't require a kernel exploit to work remotely.


File: 1465439814123.png (36.04 KB, 200x119, Game-of-Thrones-586544.jpg)

Stop using UNIX, and switch to Windows;
For the screen is black, and full of errors.


>my memepad ain't affected
X60 with libreboot for life


But I DO want to buy another ThinkPad. What are the chances it gets intercepted and fucked with in some NSA workshop since I've done my share of shady and cryptic things in the past?
If it is intercepted, is there a way to find out?



Buy used on craigslist.


What a fucked up and backwards society we live in where we have to be more watchful of our own gubbernmint stealing our information and threatening our freedom than actual terrorists or spooky 1337 hackers.


Spoilers: the only actual terrorists are states.


Will someone list the affected thinkpads here?

I shouldn't need to enable javascript to see if my model is on the list. I tried viewing the source, but it's hairy.


You're just paranoid. I doubt the NSA would care about a mere lainon like us.


They care about everybody datawise.


File: 1465484778523.png (31.18 KB, 200x143, special_hardware.jpg)

My strategy when in interception would be to intercept them right back.

I want to have my next machine chipped so that all I/0 will be fire-walled on my behalf.
A thin client layered above to the physical world so to say.
Just because it is possible.


What kind of sick fuck of a person even gets a job at the NSA? Nearly EVEYRYONE in the country if not the world hates their guts for being so fucking useless and offensive.


Thats some pretty broad assumptions. I imagine people who work at the NSA are attracted by what they'll work with (military hardware, backdoors etc).


Then why not join the actual military where they also have that sort of tech?
I'd imagine many of them would probably be more inclined to join up with psychological operations just to fuck with people. It's the same with police- not all are sadists who get off to having power over the weak, but it sure as shit attracts the type.


>What kind of sick fuck of a person even gets a job at the NSA?

math/security PhDs who love their cuntry. Not to mention they pay a shit-ton.

>Then why not join the actual military where they also have that sort of tech?

I have a friend who does military tech. He says most of his time gets wasted doing pointless shit, the contractors and DARPA are the ones who make all the interesting military tech.


File: 1465501374997.png (123.97 KB, 190x200, shibirerudarou'd.jpg)


Working at DARPA would be pure sex. Fuck the money (though they have lots of it), the projects they fund are far more interesting than any sci-fi I've ever read.

For those who are unaware, these are the guys who funded ARPANET https://en.wikipedia.org/wiki/ARPANET which eventually became the Wired.

You owe them your testicles.


Near-fucking impossible ever getting into it though when you consider they only have like 200 people working in there.


The NSA pays shit actually. It basically guarantees the only people working there are patriotic nutjobs who would go back in time and shoot Jefferson in the face if it fought terror.

Also nobody who works at DARPA is a scientist (by trade at least), they're grant managers who award grant money to academics. DARPA is just the DoD NSF.


>they're grant managers who award grant money to academics. DARPA is just the DoD NSF.

yes, and if you're funded by DARPA you're working for DARPA.

>The NSA pays shit actually.

I know that they offer cryptograpehrs pretty nifty packages.


Well, you're not employed by DARPA, you're a professor at your university and DARPA gives you a grant. By that account probably a few thousand or even ten thousand "researchers" (processors, post docs, grad students, undergrads) working on DARPA projects. (I make that point because a lainon up thread said "working at DARPA" which is a common misconception.)

These projects are pretty mundane, though. I think the DARPA grants I've been near have been about program verification and security (but boring stuff). DARPA funds about half of American computer science. They're just another NSF.

If you're a career mathematician, federal payroll might be very competitive, but the pay grades you live in as an NSA developer are crap compared to even other contractors in the DC area. If you work for the NSA you're basically dooming yourself to a life of drudge work you can't talk about, long commutes on the BW parkway or worse, I-95, and a medium sized house in Colombia. Most developers say fuck that when they could live in DC or NYC, get paid more, and have better quality of life. The people who work for the NSA either want federal pensions/a government job (overtime, no real management, no real budgetary pressure), or are fascists.


This, but you can buy off craigslist if you're too noided.

Yeah, but noy enough to sick T.A.O. on a lainon who only pirated S.E.L. and Cowboy BeepBoop.


The military's culture is a shit. Other feds get treated like real people.


Thank god I librebooted mine when I did


whew, I'm clear.


List of ThinkPads affected:

ThinkPad Edge E130
ThinkPad Edge E145
ThinkPad Edge E431/E531
ThinkPad Edge E440/E540
ThinkPad Edge E450/E550
ThinkPad Edge E455/E555
ThinkPad Edge S430
ThinkPad Helix (20CG, 20CH)
ThinkPad Helix (3xxx)
ThinkPad L430/L530
ThinkPad L440/L540
ThinkPad S1 Yoga (Non-vPro)
ThinkPad S1 Yoga (vPro)
ThinkPad S431
ThinkPad S440
ThinkPad S531
ThinkPad S540
ThinkPad T420
ThinkPad T420s
ThinkPad T430, T430i
ThinkPad T430s
ThinkPad T430u
ThinkPad T431s
ThinkPad T440/T440s/T440u
ThinkPad T440p
ThinkPad T450 (Broadwell)
ThinkPad T450 (Shark Bay)
ThinkPad T450s
ThinkPad T530, T530i
ThinkPad T540, T540p
ThinkPad T550
ThinkPad Tablet 10 (32-bit)
ThinkPad Tablet 10 (64-bit)
ThinkPad Tablet 8 (32-bit)
ThinkPad Tablet 8 (64-bit
ThinkPad Twist/Edge S230
ThinkPad W530
ThinkPad W540, W541
ThinkPad W550s
ThinkPad X1 Carbon (20Ax)
ThinkPad X1 Carbon (20Bx)
ThinkPad X1 Carbon (34xx)
ThinkPad X131e (AMD)
ThinkPad X131e (Intel)
ThinkPad X140e (AMD)
ThinkPad X220
ThinkPad X230, X230i
ThinkPad X230s, X231s
ThinkPad X230 Tablet, x230i Tablet
ThinkPad X240/X240s
ThinkPad Yoga 11e (20D9)
ThinkPad X250 (Broadwell)
ThinkPad X250 (Sharkbay)
ThinkPad 11e
ThinkPad Yoga 11e (20D9)
ThinkPad 11e/Yoga 11e (Broadwell)
ThinkPad Yoga 12
ThinkPad Yoga 14 (Broadwell)
ThinkPad Yoga 14 (Sharkbay)
ThinkPad Yoga 15


>x60*, x200 off the list


good thing there's no t60 or t61's on there. woo.


Wew lad just barely made it


yeeee boi

On the other hand my work laptop is fucked.


So I have win7 dual booted on my x220 for work (also running debian). You're saying I can fix the bios problem if I install the update from windows? Will this screw anything up on debian?


yup, i just updated my bios today via lenovo system update tool in windows 7 and my debian testing install did not break.


>mine isn't on the list
God is real and He is merciful.
That's still quite a lot of affected models, though.


my new L440 already had the new BIOS in it. No problemo.


Moved to >>>/tech/26955.