Notebooks


ASUS Announces the ZenBook Pro UX501

Today Asus announced their new ZenBook Pro UX501. The ZenBook Pro UX501 sits above all the other ZenBooks as a flagship laptop for people who need serious processing power when they’re on the go. It could be called a workstation laptop or a desktop replacement, but whatever the case may be it certainly packs some potent hardware. I’ve organized its specifications in the chart below.

ASUS ZenBook Pro UX501 specifications
Size: 15.1 x 10.0 x 0.8” (38.4 x 25.4 x 2.03cm)
Mass: 5 lbs – 2.27 kg
Display: 15.6″ 1920×1080 IPS LCD or 15.6″ 3840×2160 multi-touch IPS w/ 100% sRGB
Battery: 60/96Wh battery rated for 6 hours of usage
Storage/DRAM: 1TB 5400RPM HDD or 128/256GB SATA3 SSD or 512GB PCIe x4 SSD; 16GB DDR3
CPU: Intel Core i7-4720HQ (2.6GHz base, 3.6GHz turbo)
GPU: NVIDIA GTX 960M
Wireless: 2×2 802.11ac + BT 4.0
Ports: 3 x USB 3.0, 1 x Thunderbolt 2.0/mDP, HDMI, SDXC, 3.5mm Headset Jack
Front Camera: HD 720p
Operating System: Windows 8.1 64-bit
Warranty: 1-year limited
Price: $1799 for UHD + 512GB SSD model

Starting with its appearance, we see that the UX501 features an aluminum chassis with the same spun metal finish that ASUS has put on most of their products. At 2.03cm thick at its thickest point and a mass of 2.27kg, it’s definitely not an ultra portable laptop. The aluminum build and high end specs will inevitably draw comparison to the MacBook Pro, and the name ASUS has chosen certainly gives the impression that they’re taking on Apple’s flagship laptop as well. That being said, in my view the UX501 is distinctly an ASUS product with its slightly tapered chassis and brushed metal lid.

Just looking at the specs, it’s clear that the UX501 is what one might call a desktop replacement laptop. The most notable point may be its display, which is a 15.6″ 3840×2160 IPS panel. At 282ppi it’s an extremely high resolution display, although I don’t think anyone was unhappy with 3200×1800 panels and the lower power consumption that comes with them. ASUS is also reporting full sRGB gamut coverage, and hopefully high color accuracy is bundled with that gamut. The rest of the specs are equally impressive, with a 2.6GHz quad core Intel Core i7 CPU, and NVIDIA’s GTX 960M GPU.

In terms of storage, ASUS is offering several options with the UX501. Buyers can opt for a 1TB 5400RPM HDD, a 128GB or 256GB SATA III SSD, or a 512GB PCIe x4 SSD. The PCIe SSD is definitely the most interesting option, with ASUS quoting maximum read/write speeds of 1400Mbps.

Battery life on the UX501 is a bit low, but hardly unexpected for a laptop with these specifications. With no Broadwell quad core i7 parts available, companies making desktop replacements are stuck using Intel’s 22nm Haswell parts. The display is undoubtedly the biggest consumer of power, and one can debate the merits of moving to 4K from QHD+ or other resolutions. With a 96Wh battery in the UHD model, ASUS is also pushing up against travel regulations that do not permit battery packs above 100Wh on airplanes. Regardless, any users interested in a desktop replacement should always be ready to keep their charger with them.

The I/O ports on the UX501 are fairly standard for a laptop of this class, but there’s one port that is fairly unique among Windows laptops. ASUS has included a single Thunderbolt 2 port on the UHD model of the UX501. Thunderbolt never really took off like many had hoped, but it seems that there’s enough adoption of it in the professional space to warrant ASUS putting it on their flagship laptop. The 1080p models will feature a Mini-DisplayPort output rather than the Thunderbolt 2 port.

The ASUS ZenBook UX501 is available now in the United States from the ASUS Online Store as well as from various retailers. The fully featured model with the UHD display and 512GB PCIe SSD will be $1799 USD.

Lenovo, SuperFish and Security

For the many of us that have purchased a laptop, we are somewhat used to the amount of bloatware that comes pre-installed. Most of this relates to the company specific software, or free trials for office applications or anti-virus software. I would imagine that the more technologically savvy users uninstall some of this bloat for themselves and their family and friends, but it does give an opportunity for the manufacturer to install what they want before the device gets shipped.

Here at AnandTech we receive laptops on a regular basis for review, and where we can we tend to ask for retail units so we can analyze the hardware without fear of getting a ‘review-focused’ sample. The same thing goes for motherboards, SSDs, and graphics cards, which also come with their own software but the user has to specifically install everything. With a laptop, smartphone, tablet, workstation, or notebook, it all comes pre-prepared for the user to plug and play. The demand to remove the bloatware has led to smartphones and tablets being offered with pure stock versions but also carrier customized ones, and some users get the choice of both.

A topic that has been in the news today, and whose symptoms date back a little further, concerns software preinstalled on Lenovo laptops and notebooks. The software is called SuperFish and comes as a browser add-on, which Lenovo calls a ‘Visual Discover’ program. It detects when a website has advertising and replaces it with targeted images based on what the user is looking at, in order to help the user make informed choices at potentially lower prices. This comes with a variety of issues.

First, it replaces the advertisement(s) on the website, which are a form of income for that website (such as AnandTech and others with advertiser-driven models). The new advertisement redirects the link to a server that may benefit Lenovo, distorting the ad views for that particular website and shifting income back to the laptop manufacturer.

Second, SuperFish is actively scanning the websites that people look at, resulting in privacy issues. Lenovo has stated that this software analyzes images in an algorithmic pattern (presumably similar to Google Goggles) rather than tracking the behavior of the user, but without access to the code most users will still not trust the software. After consistent issues regarding security and tracking in the media recently, especially with certain ‘Smart TVs’, it is understandable how users are concerned over devices that do not respect their privacy.

Third, SuperFish is best described as adware. Malware and adware have been a common threat this century when it comes to web browsing, where software places unwanted advertisements in the eye-line of the user to generate revenue. If we take that definition then SuperFish falls under that category, no matter how it is dressed up.

The fourth issue (and arguably the most severe) revolves around security. This is twofold. First, the SuperFish software will intercept any HTTPS encrypted webpage that has advertisements when it replaces them with its own, creating a mix of secure and insecure content. This allows other software to come in and potentially inject its own attack, stealing sensitive information. Second, SuperFish issues its own SSL certificates for a large number of common sites, with severely reduced security compared to what is often required, such as for banks, as in the example that is circling the internet.

This essentially amounts to a fake root certificate, necessary for SuperFish to intercept HTTPS connections to do its image analysis, but in the process giving SuperFish access to any information passed via HTTPS. Any and all alarm bells should be ringing in everyone’s ears at this point, as this means the SuperFish software has the means to see bank information, personal information, and any other sensitive information. These certificates are accepted because Lenovo has pre-installed the PC with details to accept SuperFish certificates, essentially creating a ‘self-signing authority’.

But most damaging of all is the potential for these certificates to be used by malicious third parties. As it turns out, the security of these certificates would seem to be using SHA-1, which is insecure and can be overcome with the right software and ordinary computing hardware. The 1024-bit RSA key has also been cracked, with the private key being bundled with the software in order to execute on-the-fly digital certificate signing. Consequently researchers have already cracked the key and password with relatively little effort, exacerbating the scale of the situation. Easily repeatable by hackers, this would allow a hacker to come in and use the same password/key combination to sign their own fake SSL certificates against the SuperFish root certificate, in essence allowing anyone with network control to execute a man-in-the-middle attack on any Lenovo system with the SuperFish root certificate installed.

The reason this situation has come to the forefront today is due to a tweet on Wednesday by the co-director of the Open Crypto Audit Project and a single forum post by a Lenovo employee, describing how SuperFish works.

Despite whatever good intentions Lenovo had behind the software, the implementation as well as the execution leave a lot to be desired, especially in a climate where security and privacy are key factors with their main user demographic. I doubt that any such software would ever be considered in this digital age as viable, unless it was forced upon a user at a work machine to only ever be used for that purpose. But for home users, this post waves a black flag followed by a red one – the race is being stopped and you are being disqualified.

There are two elements to this story from Lenovo. Perhaps understandably, the forum post mentions that SuperFish is currently disabled on Lenovo’s end. However, the software is still present on the user machines and most importantly the weak root certificate is still installed.

The next is an official response from Lenovo on SuperFish, which you can read here. A brief summary is included here:

  • SuperFish was previously included in some consumer notebooks shipped between September and December 2014.
  • User Feedback was not positive.
  • SuperFish has been disabled server-side since January.
  • Lenovo stopped preloading the software in January.
  • Lenovo will not preload this software in the future.
  • Lenovo is providing support on its forums for any user with concerns.  If users still wish to take further action, detailed information is available here.

As noted, the response from the community about SuperFish has been negative. Marc Rogers writes a particularly scathing post about the situation, and mainstream media such as the BBC is actively picking up on the issue. Over 30 models are affected by this software, all of which are noted in the official Lenovo response, and details are provided on how to remove the software. If you think you are affected, @FiloSottile is hosting a SuperFish detector at https://filippo.io/Badfish/. There are also extra instructions to remove malicious certificates from a system at the bottom of the page here.
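For administrators who want to check Windows machines directly rather than through a detector site, the following is an added example, not code from the article, Lenovo or any of the cited sources. It assumes the certificate's subject or issuer contains the string "Superfish"; the store list and function names are choices made for this example.

```powershell
# Added example (not Lenovo's removal tool): report certificates in the
# Windows trust stores whose subject or issuer names Superfish.
# Assumption: the certificate name contains the string "Superfish".
param(
    [string]$NamePattern = 'Superfish'
)

# Machine-wide and per-user stores Windows consults when building a chain.
# Browsers that keep their own trust store (e.g. Firefox) are not covered.
$StorePaths = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\CA'
)

function Get-KeyBits {
    # Returns the public key size in bits, or $null when the key type
    # cannot be read through the PublicKey.Key property.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try { return $Cert.PublicKey.Key.KeySize }
    catch { return $null }
}

function Find-NamedCertificate {
    # Enumerates each store and emits one report object per matching cert.
    param([string[]]$Path, [string]$Pattern)
    foreach ($store in $Path) {
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                $bits = Get-KeyBits -Cert $_
                [pscustomobject]@{
                    Store              = $store
                    Subject            = $_.Subject
                    Issuer             = $_.Issuer
                    SelfSigned         = ($_.Subject -eq $_.Issuer)
                    Thumbprint         = $_.Thumbprint
                    SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
                    KeyBits            = $bits
                    # The article describes a SHA-1, 1024-bit RSA certificate;
                    # surface both properties so the finding can be confirmed.
                    WeakKey            = ($null -ne $bits -and $bits -lt 2048)
                    Sha1Signature      = ($_.SignatureAlgorithm.FriendlyName -match 'sha1')
                    NotAfter           = $_.NotAfter
                }
            }
    }
}

$hits = @(Find-NamedCertificate -Path $StorePaths -Pattern $NamePattern)

if ($hits.Count -gt 0) {
    $hits | Format-List
    Write-Warning "$($hits.Count) certificate(s) matching '$NamePattern' are trusted on this machine."
    # Non-zero exit code so management tooling can flag the host.
    exit 1
}

Write-Output "No certificate matching '$NamePattern' found in the checked stores."
exit 0
```

A hit in a `Root` store means the machine still trusts the certificate even if the SuperFish software itself has been disabled or uninstalled.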

Lenovo has stated that new units are no longer preloaded with SuperFish. However, there are most likely units still in the supply chain from before January that have the software. Lenovo is issuing an update to SuperFish to disable itself if the user accepts the user agreement on first use.

The end result is that this comes at the expense of Lenovo’s reputation. As a brand that has made it into most of the largest markets around the world, there’s an element of trust that takes years to build and a single action to erode. I suspect there will be some calls for investigations or forms of compensation, and at this point it is difficult to estimate if any legal action will be sought or anything illegal can be proven due to compromised systems. Lenovo at this time is treading carefully, only providing an official statement on the issue despite the initial furor caused over a single forum post that has now been viewed over 100,000 times.

I’m sitting at my work desk with a Core-M based Yoga 3 Pro and fortunately it is not one of the models affected. Loading up a detection website confirms this. Normally on AnandTech our testing is directed mostly at the hardware, the performance and the design choices made, but rarely the politics. It is a difficult subject for a website like AnandTech to tackle, and given the amount of information around, it is important to stick to the facts here. There has already been a backlash over social media about SuperFish, and Lenovo has acted quickly. Some users will be expecting an apology, rather than the attempted justification, and we will have to see how this situation develops. I can imagine Lenovo not stating anything except through official channels for a while. They will be presenting and have a booth at Mobile World Congress in March, so we may (or may not) see any development then.

Sources: Lenovo, Marc Rogers, Errata Security, @FiloSottile

Update 2/20: It is now being reported that Windows Defender is taking a grim view of SuperFish and knocking it out of the frying pan and into the fire. Anyone for baked cod? Defender will now remove SuperFish as well as the installed certificate authority and the certificates still on the system. @FiloSottile has screenshots showing Defender in action.

Update 2/23: Lenovo has now launched its own tool for removing SuperFish and all certificates for major browsers. Also available is the source code for the software, and manual instructions for users who do not wish to install the tool. It can all be found here.

Investigating NVIDIA’s BatteryBoost with MSI GT72

BatteryBoost initially launched with the GTX 800M series earlier this year, and our first look at the technology came with the MSI GT70 with GTX 880M. That may not have been the best starting point, and unfortunately most of the gaming notebooks we’ve looked at since then haven’t been much better. Armed with the latest MSI GT72 sporting a Maxwell 2.0 GTX 980M, NVIDIA claims that BatteryBoost is finally going to hit the 2+ hours mark for gaming. Read on for our in-depth testing of BatteryBoost.
