My last two computers have been Lenovo ThinkPads (T520 and Yoga S1) and they bundle more crappy software than just about any other business computer maker. It's good hardware and once you reformat and reinstall Windows (or Linux) they are great machines.
I'm strongly considering the ThinkPad P1 as my next work machine -- any other issues you've experienced? I wouldn't have expected Lenovo to mess with the ThinkPad brand like that. My image of ThinkPad has always been no-nonsense, get-stuff-done, power-user-favored. Packing in a bunch of cruft doesn't seem to mesh with that image.
> I wouldn't have expected Lenovo to mess with the ThinkPad brand like that. My image of ThinkPad has always been no-nonsense, get-stuff-done, power-user-favored.
I used to think the same until I got a T480. I was drawn to it because it was one of the few laptops that still has a direct hardware Function-key row (I use Linux, so software Function Keys are not fun).
The keyboard, while mechanically excellent, is horribly designed if you depend on it to do your job: They "innovated" by moving the Home/End keys up to the Function row, they "innovated" by completely removing the context menu key from the keyboard and placing the PrintScreen key (of all things) in its place, and they also placed the Fn key at the bottom left corner of the keyboard where Ctrl is usually located (you can fortunately swap Ctrl/Fn with each other in the BIOS, so the last one isn't an issue if you're willing to live with mislabeled keys).
If you're a heavy keyboard user, I strongly suggest properly testing a laptop's keyboard before buying.
While I never used the context key (and indeed neither my 60% layout nor the original IBM Model M layout seem to have it anyway), I don't see the purpose of a Print Screen there either.
The Fn/Ctrl swap is... confusing. I'm guessing Lenovo tried to copy the MacBook format without thinking it through. Personally, I prefer Caps Lock as Control, though. I never use Caps Lock.
Home and End on laptops have almost always (it seems) been up on the function row. On a traditional layout, they're to the right, which obviously would not work on smaller form factors. Even with the 7-row keyboard, it was on the top.
Having tried other light laptops including the MacBook 13, the XPS 13, the HP Spectre 13, the Razer Blade Stealth, and the Dell Latitude 73 something or other (this was pretty good)... they just can't compete mechanically. No concavity on the keycaps is a big bummer. Some of them are obnoxiously loud. Some of them have piss-poor tactile feedback. Some of them are okay, but lack travel. Some of them bottom out too hard. Some of them bottom out too softly. It's a rough keyboard game out there. None of the layouts work for me on their own, so I always have to end up tweaking them slightly to my tastes. Caps Lock is useless to me, and I prefer Backspace being one key down. I've considered swapping Right Shift, but I'm not sure what to swap it to. Any ideas?
The T520 mentioned above is the last in the T5x0 line before Lenovo started changing the keyboard layout and action in a way that seemed anti-ThinkPad. Same with the move from T420 to T430, so your T480 was a few generations further along an anti-ThinkPad path.
Personally, I'm currently standardized & stockpiled on two legacy ThinkPad models, and one of the reasons is keyboards. I also transplant keyboard parts manufactured to T60 specs into later models, because Lenovo started making the keyboard flex-prone, even as the part was otherwise equivalent.
I own a T450s. Definitely no bloatware that persists through a reinstall (that was for a particular case with Lenovo's consumer lineup... completely inexcusable, but never touched ThinkPads), which I would recommend for any laptop regardless of the OS, especially if you're buying used. Doesn't matter if it runs macOS (unless, of course, you implicitly trust Apple's supply chain to be 100% robust), Linux (which I don't think anyone except System76 or Dell actually sells out of the box), BSD (which I don't think anyone sells out of the box), or Windows (which has competent driver detection and management now, making most "system update tools" useless). Wipe it and restart.
The machines have been good and I'm not sure if there is a better choice in the Windows world.
For some reason some screws have fallen out of the S1 and I have no idea where to get replacements, but it still feels fairly sturdy. I like the keyboards on both machines even though they are very different. The track pads are decent for a Windows laptop.
I really wish Lenovo would open retail stores. It would be nice to be able to try the machine out before you buy it and have a local place to take it for service.
The cruft that they pack in is a bunch of system utilities that replicate the basic Windows tools. It's mostly stuff about Wifi management, power management, etc... None of it seems to be very well made and I recommend getting rid of it all and getting as close to a stock version of Windows as you can.
Fair would be sending executives to jail for hacking. Releasing a non-backdoored BIOS was the absolute minimum.
Edit: As pointed out by josteink, the BIOS wasn't backdoored - it was used to install a backdoor. But calling what it installed "insecure Windows-software" is also inaccurate. According to https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci..., its purpose was man-in-the-middle attacks against the user. So I still think criminal liability and jail time would be just. Ordinary people have been sent to jail for far less.
To be fair and technically correct, the BIOS itself was not backdoored.
The BIOS itself was fine, but it contained insecure Windows-software which it requested/instructed Windows to install.
Install any other OS (like Linux) and there would be no backdoor at all.
To be clear I’m not trying to defend Lenovo’s actions here, I’m just trying to be clear about what this incident was actually about. The simplistic description is IMO a bit too simplistic in this case.
Microsoft should prevent this. It's not in their interest to allow OEMs to circumvent the normal software installation methods for Windows. It should be prohibited in whatever agreement OEMs make with Microsoft, and maybe Windows should prevent execution of such code if it's possible to tell it apart from drivers.
I don't think that settlement applies to this. The OEM part of that lawsuit, from my recollection, hinged on the fact that Microsoft's OEM licenses required that the OEM limit the percentage of computers they sold without a Windows OS pre-installed. I don't remember there being anything about how OEMs use their APIs.
I think it would be perfectly fair for Microsoft to require OEM licensees to not use that feature for shitware installations. I can't see how that would fall afoul of antitrust or related regulations. Maybe I'm wrong though, that was a while ago and it wasn't my specialty when I practiced law.
I wouldn't call that good. More like a bad solution to a problem which shouldn't exist. Nothing should ever be located in system firmware save for the boot firmware and perhaps a basic diagnostic tool like memtest.
I just checked on my Dell workstation at work and it seems they are now using this method to load the Lojack anti theft rootkit. I see the wpbbin.exe file and it's signed by Absolute Software.
I guess that is what the feature is designed for, though.
Many computer manufacturers seem to do this at least. There might be a way to trick the UEFI into thinking that you’re installing a non-Windows OS but I’m not sure.
UEFI doesn't install anything. It provides a machine-specific binary for Windows to install (intended to ensure that Windows has proper drivers for all the machine’s hardware).
Windows then decides to install this, based on the assumption that OEMs won’t bundle non-critical shit-ware using this method. Which has turned out to be the faulty assumption here.
Either way: Use any other OS except Windows and these UEFI-bundled binaries do nothing. They’re duds.
UEFI doesn’t need to be “tricked” and it can’t force the installation of anything into an OS not wanting it.
It’s really simple, so no need to invent overly complicated threat models.
I think the parent is getting confused because previously Lojack did work as they describe, by injecting its binaries into the filesystem like that. But I guess they have now switched to using this WPBT feature instead.
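For anyone who wants to see whether their firmware publishes the WPBT table discussed in the comments above, here is an added example (not code from any commenter or vendor) that parses the raw ACPI table and reports the binary size, address and command-line arguments the firmware hands to Windows. It assumes the field layout from Microsoft's WPBT specification and the Linux sysfs path for ACPI tables; the sample table is constructed.

```python
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, phys address, layout, type, args length
FIXED = ACPI_HEADER.size + WPBT_BODY.size  # 52 bytes before the argument string

def parse_wpbt(raw: bytes) -> dict:
    """Summarise what a WPBT table asks Windows to run at boot."""
    if len(raw) < FIXED:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not FIXED <= length <= len(raw):
        raise ValueError("declared length does not match the data")
    table = raw[:length]
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if FIXED + arg_len > length:
        raise ValueError("argument string runs past the end of the table")
    args = table[FIXED:FIXED + arg_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\0 "),
        "oem_table_id": oem_table.decode("ascii", "replace").strip("\0 "),
        "checksum_ok": sum(table) % 256 == 0,  # bytes of a valid ACPI table sum to 0
        "binary_size": size,           # size of the in-memory image handed to Windows
        "binary_phys_addr": addr,      # physical address of that image
        "content_layout": layout,      # 1 = single contiguous PE image (per the spec)
        "content_type": ctype,         # 1 = native user-mode application (per the spec)
        "arguments": args.rstrip("\0"),
    }

def build_sample() -> bytes:
    """Constructed table for the demo; not captured from any real machine."""
    args = "/example".encode("utf-16-le")
    body = WPBT_BODY.pack(0x5000, 0x7F000000, 1, 1, len(args)) + args
    hdr = ACPI_HEADER.pack(b"WPBT", FIXED + len(args), 1, 0, b"EXAMPL", b"SAMPLE  ", 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[9] = -sum(table) % 256  # checksum byte sits at offset 9 of the header
    return bytes(table)

if __name__ == "__main__":
    try:  # on Linux (as root) the firmware's table, if present, is exposed here
        with open("/sys/firmware/acpi/tables/WPBT", "rb") as f:
            print(parse_wpbt(f.read()))
    except OSError:
        print("no readable WPBT table; constructed sample:", parse_wpbt(build_sample()))
```

A missing table means the firmware is not using this mechanism; a present one tells you an OEM binary will be offered to any Windows install on that machine, including a clean one.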
That’s astounding. Suddenly my “zero the entire storage, including partition table” methodology which I always somewhat regarded as overkill appears to be reasonable and/or necessary.
Basically none. You’ve got the ME (or AMD’s equivalent) on the CPU anyway so you really can’t avoid having some kind of root kit. Older Intel hardware that doesn’t have the ME or can be neutered is the best bet, and these machines don’t use UEFI anyway. Otherwise you could go for a non-Intel/AMD architecture, but there aren’t that many of those around anymore.
Disabling all of the parts of the ME except the part that lets the computer stay powered on is fortunately now well-documented (NSA-requested HAP support).
Clearly there's some component of UEFI that's in firmware, right? I don't really know all the terminology and such here, so please correct my understanding, but -- even if you don't have a disk, you'll get some UEFI bootloader. I seem to recall that some devices like many Chromebooks will have some extensive EFI blobs in firmware partitions, at least some of which is a read-only "get back to factory settings if you really screw up" stuff. I don't see what could stop a vendor from putting whatever they want into a read-only firmware EFI partition, I'm pretty sure they exist in the wild.
The Chromebook’s user partition is read-write, and the system is read only (save for updates). The “powerwash” factory reset just wipes the user partition. The OS restore (if you can call it that) is not stored in boot flash, just standard data/nvme disk.
If you wipe the whole disk, you still need to use a bootable restore USB to restore it.
This has nothing to do with the fact that it is UEFI booting.
After a quick gander, I'm actually more interested in their phone. The idea of a phone that can not and will not track me, and which I know is doing only what I want it to do is pretty damned exciting.
If it has a SIM card, it is tracking you. If you leave Bluetooth or WiFi enabled, then it is being tracked. All the Librem 5 can do is 1) give trusted RF kill switches, and 2) not add additional tracking on top.
I will probably still buy one if it materializes, and is functional.
> If you leave Bluetooth ... enabled, then it is being tracked.
Wait, can you expand on this? Are you saying (current, existing) Bluetooth radios can be used for location tracking without additional hardware/OS support?
Maybe the MAC address or other broadcasted information could be used to fingerprint your device. That’s why WiFi MAC addresses are randomized on iOS, but I’m not sure that Bluetooth has gotten the same treatment.
I have a Librem 15. The screws inside the case seem to come loose every once in a while. Also I wish the body was a little more rigid (I'm guessing the Librem 13 doesn't have this issue since it's lighter and smaller). Otherwise I like it. The speakers also aren't very loud so I often have to make the volume higher than 100% to hear clearly. I think the trackpad is fine using libinput (I haven't tried other drivers).
I didn't want to use PureOS so I installed NixOS and everything seems to work fine.
I used to have an issue where the fan would get stuck on high after resume, but I think that was fixed when I updated coreboot to the latest version.
Sure it isn’t the same thing. Microsoft created a system supporting malware that survives OS reinstallation. Lenovo was just using that system as intended.
I installed Arch on this Dell laptop without even seeing Windows. I personally would do as you suggest if I wanted Windows on it but then I own an MS "partner". Everyone else has to run the uninstallers and hope that they actually remove everything and not leave things behind.
It's been a while... but prior to my current laptop, I'd generally remove the factory HD and replace with an SSD before even booting once. Installing a fresh OS from the start.
It's barely 5 megabytes.. and it's probably not connecting to anything.
The protections for pre-installed apps help to make sure nothing else tampers with them, e.g. injecting some malware, but I'm sure you can remove those protections and reclaim the 5 MB if you really wanted to.
Chess was given as an example of the ridiculous situation that not even a game can be removed by default. There are a host of other larger apps I would like to remove such as Home, Maps, News, Books, FaceTime, Messages and Mail. I never use any of them and would prefer they were gone from my computer.
Disabling system integrity protection to uninstall them should not be required and I'm guessing wouldn't be a long term solution anyways because likely they would reappear when upgrading macOS versions. There is also the issue of why does chess need greater protection from being tampered with than say Apple Pages.