Ever since IBM sold off its laptop line to Lenovo, I’ve been a little wary. Not paranoid wary, mind you, but in my role as a Cyber Security Program Representative (CSPR) at Argonne, I’ve been cautiously wary.
This wariness was not eased with each revelation of spyware installed on Lenovo laptops, including instances of it actually being installed in BIOS. I remained wary, but noted in each case the bad behavior was limited to the "consumer" line of laptops – the same lower-quality laptops they were making before the IBM PC/Laptop acquisition. I believed they would treat the Think line as sacrosanct, since it came with a customer base that was almost entirely business-based and one that was more sensitive to this type of behavior. I didn’t think they’d do anything to jeopardize that relationship.
Today, that changed. News came out of a Lenovo ThinkPad shipped with pre-installed spyware. This is a shame, since I’m still generally of the opinion that if you don’t get a Mac, the ThinkPad is the best laptop you can lay hands on.
Now this story (linked below) has a number of caveats, the main one being that this was a refurbished unit. However, it indicates that a line Lenovo had previously seemed to be treating as sacred has been crossed. I don’t think, from either a cyber security standpoint or a privacy standpoint, it’s a safe bet to trust the default software install on Lenovo laptops going forward.
Most users in CELS are running Macs, or are running Linux on their laptops. At this point (and I am carefully noting this is a personal recommendation from me and not yet a lab policy), if you wish to buy a Lenovo laptop, I strongly recommend replacing the default OS with a known safe build of either your own design or one supplied by us in Systems. If you’re going to install Linux on it, you’re probably just fine (though that’s by no means guaranteed to always be the case). If you want to run Windows, I’d recommend going with one of the Argonne-recommended laptops from Dell’s offerings. If you really want a Lenovo, and really want to run Windows, let us go over the machine before you take it on and make sure it’s running trusted software.
At some point, it wouldn’t surprise me if these spyware vectors changed and started to affect various Linux builds via BIOS infiltration methods, or possibly even hardware-level sniffing and capture methods. I don’t think it’s *likely*, but I wouldn’t be surprised.
Lenovo BIOS software installation: http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/
Box is coming on site (date TBD) and is looking to have an open and frank discussion about document sharing and collaboration with Linux users. They want to know how they can improve the product for Linux users. They’re looking for 7-10 users from across the lab. If you have an opinion on this and are willing to give a couple of hours of your time, please let me know. We need to have the list finalized by next week. I was going to send this to email@example.com, but I wanted to cast a wide net so I’m using the general announcement list.
Also, if you have specific things you want to make sure are addressed, let me know. Ideally, I’d want you in the room to be able to be your own advocate, but if you can’t be (or aren’t on the final list), I want to be sure the big opportunities for improvement are expressed.
Power work in the data center has taken a handful of compute nodes offline for a few hours. They should be back online early this afternoon. The affected machines are:
Sorry for the inconvenience. We didn’t believe these machines would be affected by the work; however, we were incorrect.
For a list of alternative machines, see https://wiki.mcs.anl.gov/IT/index.php/General_MCS_Questions#computeservers.
The disk migration is finally finished. User home directories are now on their own partition, and the full disk problem has been rectified. There’s currently over 50GB available in user home directories on RDP for any files and programs that need local storage.
Thanks for your patience!
rdp.mcs.anl.gov is offline until further notice. The outage window is through 5PM, but I don’t expect it to take that long. I’ll post here when the work is done.
Unfortunately, the home directory migration was not yet successful, so we’re in the same boat we were in before the outage with space being very tight.
I’m going to take another crack at it on Sunday, which means from around noon to 5PM you can expect the machine to be unavailable. If anything changes, I’ll send a note to the blog and Twitter feeds linked below. Thanks.
Those of you who use rdp.mcs.anl.gov (Remote Desktop server for Windows) may have noticed the disk is quite full. I need to migrate users to a new partition to free up space. This, however, requires the machine be offline during the migration. At the moment, the plan is to take the machine offline tomorrow at noon. I’m estimating a three hour outage, though it may be less than that. At any point I’ll post an announcement at the start and end of work on the blog and Twitter feed linked below.
Thanks, and sorry for any inconvenience this causes. I’d like to do this on a weekend, but schedules don’t align to have it happen this coming weekend and I don’t want it to wait another week as the disk is quite full.
Quick summary: I just got back from the 221 data center (gee, it’s hot outside) having replaced what we suspect are bad power supplies in a Virtual Machine Host server. We isolated the issue to this specific server rebooting without offering any useful information as to why in its logs, coupled with a bad set of configs that prevented the virtual machines hosted on it from restarting without human intervention.
We’ve addressed the config issue, and replaced the power supplies as there were indications that one or possibly both were bad.
We’re ready to migrate these affected virtual machines to a new host if this last fix doesn’t stabilize things, but we’re feeling pretty good about this at the moment.
Thanks so much for your patience, and sorry for any troubles.
A similar outage to this morning is occurring (though limited in scope at the moment since we know what *won’t* work to bring things back). Stand by…