Here are links to a few interesting news articles I came across recently. They are about the the behavior of supposedly image conscious and “rational” large corporations.
Link 1: Lenovo used Windows anti-theft feature to install persistent crapware
Windows 8 and Windows 10 contain a surprising feature that many users will find unwelcome: PC OEMs can embed a Windows executable in their system firmware. Windows 8 and 10 will then extract this executable during boot time and run it automatically. In this way, the OEM can inject software onto a Windows machine even if the operating system was cleanly installed. The good news is that most OEMs fortunately do not seem to take advantage of this feature. The bad news is that “most” is not “all.” Between October 2014 and April of this year, Lenovo used this feature to preinstall software onto certain Lenovo desktop and laptop systems, calling the feature the “Lenovo Service Engine.”Lenovo’s own description of what the software did differs depending on whether the affected system is a desktop or a laptop. On desktops, the company claims that the software only sends some basic information (the system model, region, date, and a system ID) to a Lenovo server. This doesn’t include any personally identifying information, but the system ID should be unique to each device. Lenovo says that this is a one-time operation and that the information gets sent only on a machine’s first connection to the Internet.
For laptops, however, the software does rather more. LSE on laptops installs the OneKey Optimizer (OKO) software that Lenovo bundles on many of its machines. OneKey Optimizer arguably falls into the “crapware” category. While OKO does do some somewhat useful system maintenance—it can update drivers, for example—it also offers to perform performance “optimizations” and cleaning “system junk files,” which both seem to be of dubious value. Making this rather worse is that LSE and/or OKO appear to be insecure. Security issues, including buffer overflows and insecure network connections, were reported to Lenovo and Microsoft by researcher Roel Schouwenberg in April. In response, Lenovo has stopped including LSE on new systems (the company says that systems built since June should be clean). It has provided firmware updates for affected laptops and issued instructions on how to disable the option on desktops and clean up the LSE files.
Link 2: Even when told not to, Windows 10 just can’t stop talking to Microsoft
Windows 10 uses the Internet a lot to support many of its features. The operating system also sports numerous knobs to twiddle that are supposed to disable most of these features and the potentially privacy-compromising connections that go with them. Unfortunately for privacy advocates, these controls don’t appear to be sufficient to completely prevent the operating system from going online and communicating with Microsoft’s servers. For example, even with Cortana and searching the Web from the Start menu disabled, opening Start and typing will send a request to http://www.bing.com to request a file called threshold.appcache which appears to contain some Cortana information, even though Cortana is disabled. The request for this file appears to contain a random machine ID that persists across reboots.
Other traffic looks a little more troublesome. Windows 10 will periodically send data to a Microsoft server named ssw.live.com. This server seems to be used for OneDrive and some other Microsoft services. Windows 10 seems to transmit information to the server even when OneDrive is disabled and logins are using a local account that isn’t connected to a Microsoft Account. The exact nature of the information being sent isn’t clear—it appears to be referencing telemetry settings—and again, it’s not clear why any data is being sent at all. We disabled telemetry on our test machine using group policies. And finally, some traffic seems quite impenetrable. We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy. We’ve asked Microsoft if there is any way to disable this additional communication or information about what its purpose is. We were told “As part of delivering Windows 10 as a service, updates may be delivered to provide ongoing new features to Bing search, such as new visual layouts, styles and search code.
Link 3: Banned’ Article About Faulty Immobilizer Chip Published After Two Years
In 2012, three computer security researchers Roel Verdult, Flavio D. Garcia and Baris Ege discovered weaknesses in the Megamos chip, which is widely used in immobilizers for various brands of cars. Based on the official responsible disclosure guidelines, the scientists informed the chip manufacturer months before the intended publication, and they wrote a scientific article that was accepted for publication at Usenix Security 2013. However, the publication never took place because in June 2013 the High Court of London, acting at the request of Volkswagen, pronounced a provisional ban and ruled that the article had to be withdrawn. Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013. Now, in August 2015, the controversial article Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer that was ‘banned’ in 2013 is being published after all.
What do you think? Comments?