Creative Zens Ship with Worms

An anonymous reader writes "Engadget reports about 3700 Creative Zen "Neeons" shipped with a virus. The virus in question was the W32.Wullik.B@mm worm. Creative released a statement today to help consumers pinpoint the possibly effected devices."

Product Liability

[Monte]

Ouch - that's going to be a black eye. Although it isn't the first case of software shipping with malware, IIRC there was some kid's game on CD that included a Bonus Virus inside.

Now a comment and a question for the peanut gallery - it's always been a pet peeve of mine that software companies aren't held to any real sort of accountability for shipping product that is clearly flawed. They hide behind the "shrink wrap" license, and (at least IMHO) get away with murder. Imagine if GM or Ford or Daimler-Chrysler put such a waiver of liability on a sticker on the doors of their new cars. The courts would tear them a new one so fast it'd be like lightning.

The question - what sort of liability does Creative have in this case, and what's fair recompense for shipping a clearly flawed product where said flaw has the possibility of harming the user's computer, data integrity and / or privacy?

How much is enough? Should Creative be given a hard enough pranging to get the attention of other software manufacturers?

Personally, I say "Yes". GM spends a hell of a lot of time and energy making sure their brakes work, I'd like to see software companies (and you all know exactly who I've got my sights on here) make sure they ship product that isn't horribly broken right out of the box.

Re:Product Liability

[LordSnooty]

It's a fair point, but I suppose a key difference is that if the car makers released a defective product, people could die because of it. Having to re-install Windows is a pain, sure, but no-one dies.

Cue posts about hospitals running Windows... ok, in certain circs there is a valid agrument. I don't think you can stretch it to cover the average Joe. A refund might be nice, though.

Re:Product Liability

[kfg]

. . .what's fair recompense. . .

Well, according the division of their, ummmmm, "Creative" writing dept. known colloquially as "Accounting" it costs about 49 bazillion dollars per seat to remove a virus.

Hoist by their own petard seems about right to me.

KFG

Re:Product Liability

[Keruo]

Good thing modern viruses aren't like CIH and pals.
I'd hate to buy new motherboard/gpu just because my pc was infected with some virus that flashed bioses full of garbage.

Re:Product Liability

[jkrise]

Should Creative be given a hard enough pranging to get the attention of other software manufacturers?

If we treat MS the same way, they'll have a valid reason to NEVER ship LongHorn. After a decade, they still can't get out code that DOESN'T NEED an anti-virus out of the box. Methinks Creative chose a wrong platform for their device.

Re:Product Liability

[Luigi30]

A trojan horse masquerading as a game somehow got onto the bonus folder on an Atari ST magazine disk.

Re:Product Liability

[lightspawn]

Although it isn't the first case of software shipping with malware, IIRC there was some kid's game on CD that included a Bonus Virus inside.

I don't know if that's the one you mean, but Atelier Marie (Dreamcast) shipped with a bonus screensaver that included a virus.

Re:Product Liability

[Lil-Bondy]

victim as in the actual person that gets mudered?? i hope not, or we have a zombie on our hands

Re:Product Liability

[niskel]

Wouldn't that be a bonus if they never shipped Longhorn...?

Re:Product Liability

[sr180]

Not true at all. There have been cases in history where hardware could fail because of a certain execution in software. So, what if your Operating System causes a hardware fault.. Say a flaw in windows causes a certain part of the motherboard to over heat and it causes a fire which burns a house down and kills two adults and 3 children. Should they be liable then?

Re:Product Liability

Why is this modded Flamebait? Wasn't the command shell withdrawn from LongHorn bcos of the proof-of-concept virus from F-Secure? The beta of LongHornn aka Vista includes an anti-virus built-in. What does this say of the product quality?

Re:Product Liability

[sdpuppy]

>Cue posts about hospitals running Windows... ok, in certain circs there is a valid agrument. I don't think you can stretch it to cover the average Joe. A refund might be nice, though.

Perhaps. But a computer virus can infest many many systems.

A car accident can only propagate so far. Just hope that someday when one of us is in the hospital, a virus doesn't get into their system and scramble our info in the data base or delay a blood transfusion.

Re:Product Liability

[Relic]

I seem to recall Gamespy Arcade shipped with some form of nimda.

So a virus piggybacking on a virus.

Re:Product Liability

[m50d]

Don't forget the first word macro virus. Not only did MS ship it on their documentation CDs, it had been written by someone within the company. Creative can at least make the argument that it was an external agent causing the problem, not them - like a cat burglar sneaking into the GM factory and cutting the brake cables.

Re:Product Liability

[tomatensaft]

Gosh, it reminded me that scene in the "Fight Club" movie, where that crazy guy blew up his apartment by leaving oven gas run out... Well, at least, that scene was realistic, whereas your case seems to be very unlikely... At least, nowadays (who knows what's going to be in the future)... :)

First of all, I don't think that a properly assembled motherboard can overheat so much, that it starts burning... It sure can overheat, but the odds are that it's the chip that's going to go burn out quickly and stop heating up, than that it's going to heat up until it starts burning... :)

Re:Product Liability

[jkrise]

Having to re-install Windows is a pain, sure, but no-one dies.

Atleast until XP, Windows died (BSOD) and a re-install would solve the issue. With XP it says something vague like "Dr Watson performed an illegal operation" or even more confusing "Win32 Generic Services failed unexpectedly" ... followed by the helpful "Send Error report to Microsoft?" Whatever for?

Atleast let the damn OS die in peace so the offending component (IE or kernel32 or whatever) can be de-installed. From XP on it's not possible to do this, so the user experience is really awful. As I said elsewhere, Creative seems to have chosen a wrong software platform for their device.

Re:Product Liability

[cloudmaster]

I have had brakes fail a couple of times, and I can assure you that I am not posting from beyond the grave (though I can't guarantee I'll have anything better to do, /. probably won't be one of my afterlife hobbies).

Re:Product Liability

[cocotoni]

Although it isn't the first case of software shipping with malware

The worst had to be MicroSoft sending CDs of Korean version of Visual Studio .NET infected with Nimda worm. As can be seen here.

Re:Product Liability

[CrackedButter]

how could you prove liability in a court of law that it was windows? The evidence burns in the fire. Unless the 3 children died because you wanted to save the evidence instead of them?

Re:Product Liability

[Goose+In+Orbit]

I remember that one (I think - if it was a UK incident)...

If it's the one I'm thinking of, I was rather lucky as the disk also had a virus checker on it, which I happened to run first - it detected the virus and, as a result, I managed to remove it before I even knew it was there... :^D

Re:Product Liability

[GauteL]

People dying are only the most extreme form of defective product which manufacturers are liable for, not the only one.

You can be sued for compensation if some stupid design flaw in your washing machine causes it to burst and spill water all over your apartment.

You can be sued for compensation when some daft design flaw causes your vacuum cleaner to explode ruining your carpet and possible causing some minor injury to yourself.

Likewise, requiring some license that excludes you from any compensation AFTER the product has been purchased is despicable business tactic that should never be allowed.

Requiring a license BEFORE you purchase or download is different, but this should still be very limited if you are actually paying for the product.

Because of the sheer prevalence of people with the intent to mess with your computer when connected to the internet, some limitations to your responsibility is in order, but real, stupid flaws that really should have been discovered before sale should require compensation for loss of productivity, limited loss of files, etc.

Backups of important stuff should be expected from the user, but purchased DRM content that do not allow backups certainly should be compensated for.

In particular decent terms should be required from companies having a monopoly on some product or service, requiring you to purchase from them even if you don't like their license.

Software is highly complicated, but so is many other types of engineering. The worst and most blatent flaws should make the software producer accountable.

When giving away some product however, you should be able to totally remove your accountability except for intentional breakage (malware for instance), as long as the user is made aware of this properly.

Re:Product Liability

[0x537461746943]

Back in the day I ordered a 200Mhz Pentium computer and found out later that the driver install disks had a parity boot virus on the driver install disks. What was really interesting is that my system mostly worked without much of a problem. We ended up infecting my friends computer and his immediately stopped working when it was infected. The reason was that my computer used EDO memory(no parity) and his used regular memory that used parity at the time. The virus mainly affected the parity processing of memory. So the virus caused immediate problems to his system while mine just keep going because the parity bits were not used. That was a very interesting phone call to the computer shop that day :).

Re:Product Liability

[DenDave]

I didn't think windows was allowed for life-supporting applications.

Re:Product Liability

[DenDave]

DRM Content that doesn't allow backing up is in breach of law in europe.

Re:Product Liability

[saider]

Not true at all. There have been cases in history where hardware could fail because of a certain execution in software. So, what if your Operating System causes a hardware fault.. Say a flaw in windows causes a certain part of the motherboard to over heat and it causes a fire which burns a house down and kills two adults and 3 children. Should they be liable then?

The hardware manufacturer. At no point should safety be driven by software. The hardware should be designed so that any exception cases do not produce a safety hazard. If a hardware manufacturer placed a product into the market and one of the machine states would cause a hazard, they would be liable. If the hardware can burn, shock, or do anything hazardous, it is up to the hardware to mitigate that problem.

Re:Product Liability

[Quixadhal]

So... if someone buys a portable MP3 player and takes it work with them, plugs it in (which, yeah, they shouldn't do.. but it happens) and the built-in virus moves onto the hospital network... are you SURE nobody dies?

You can make the argument that a hospital network should be secure against virii... and I can counter that a gas tank should be secure from sugar.

I know, sugar isn't designed to be installed in gas tanks... but most portable MP3 players ARE designed to connect to computers, and thus to networks.

*shrug*

Of course, if we just got rid of all the lawyers and spent all the energy we use to sue each other on fixing things, we probably wouldn't care.

Re:Product Liability

[FictionPimp]

no your looking at it all wrong. When a car is broke, people die. But when a computer is down people lose money. Which one is worse in the corp eye again?

Re:Product Liability

[Tim+C]

Should Creative be given a hard enough pranging to get the attention of other software manufacturers?

Careful what you wish for; don't forget that RedHat, the Ubuntu people, and the hobbyist tinkering away on his small shareware/freeware projects are all "software manufacturers" too.

If the likes of Creative and Microsoft should be liable, then why not them? Simply not charging is not enough, cost should not be used as the measure for liability (especially as Creative's software is effectively free with their hardware)

Re:Product Liability

[Rayaru]

Clearly, death is worse. However, when a virus/worm/whatever brings down a business's' whole network by exploiting some unknown flaw in the operating system, that business stops working if they rely on computers for communication, sales, customer service, etc. This can impact not only on the economic well-being of the company in question, but also the livelihoods of each of the employees of the company. Again, it's not death, but it's still something significant that deserves attention.

Re:Product Liability

[SPSTech]

Years ago (early 90's) when I was in retail one of the brands we sold was Leading Edge. They released some computers with a virus on the hard drive's default installation. I forget which one it was but it caused me a lot of headaches at the time.

Re:Product Liability

[Hognoxious]

Free != Included in the price

Re:Product Liability

[Jondaley]

Ah, the age old question: what is a life-critical application?
A cell phone certainly isn't a life-critical application, right? It is just for the yakkers while they drive down the street.

Ok, what about police officers that use cell phones in emergencies, or when they require more privacy than a radio allows.

What about a doctor on call?

An EMT who works in Yellowstone National Park who needs an airlift for a lost hiker?

etc. etc.

Re:Product Liability

[hotdiggitydawg]

Or add "Do Not Resuscitate" to your patient record. Or replace all instances of "appendectomy" with "gender reassignment surgery". Or... hang on, my tinfoil hat is slipping...

Re:Product Liability

[DenDave]

I used the term life-supporting. Not life critical. But hey, I'll tango... If it were up to me (and in this universe it isn't..) windows would not be allowed anywhere because Microsoft has no product liability and isn't willing to show us the code so we can fix it or at least determine the risks. Would you fly an airplane that was "designed for Windows XP?"

Re:Product Liability

[FireFury03]

If the hardware can burn, shock, or do anything hazardous, it is up to the hardware to mitigate that problem

Not true at all - software _can_ make modern hardware damage itself:
  - Most modern PCs have software controlled voltage regulators (you can tune them in the BIOS) so a nasty piece of software _could_ max out the voltage on the regulators, leads to the hardware overheating - no idea about the potential fire hazard, most stuff inside PCs is failry non-combustable so I'd guess the chances of a fire are pretty small
  - Most modern PCs have the processor speed under software control (i.e. you can go to the BIOS and overclock your CPU). Again, overheating problem
  - Some PCs have software controlled fans - turn off your CPU fan from software and you'll have a problem... I'd guess turning off your PSU fan could create a reasonable fire hazard.
  - Many GPUs can be overclocked or overvoltaged from software

I'm sure there are many other ways of breaking hardware from software in potentially dangerous ways.

Re:Product Liability

[SquadBoy]

"Ok, what about police officers that use cell phones in emergencies, or when they require more privacy than a radio allows."

A cell phone *is* a radio and can be scanned just like any other radio.

"An EMT who works in Yellowstone National Park who needs an airlift for a lost hiker?"

Yeah cause I'm sure the coverage in the wilderness area of Yellowstone is just great. What with all those cell towers around.

Re:Product Liability

[kibbylow]

Car makers release defective products, remember Ford/Firestone? But they send out recalls which most people actually follow up on. I've had to do 2 recalls on my cars and it's an annoying process.

But for some reason, many(most?) software users don't follow up on the latest updates, even when it's as simple as following a few clicks on screen. When was the last time a virus made the rounds because of a software problem that did not have a security or update alert days/weeks prior to the attack.

And with regards to hospitals running Windows, any IT/CTO hospital employee that installs windows for a live/death service should be fired. Maybe the hospitals I've been to are in the stone age, but I only see Windows on administration desks and all important information is still charted on paper.

Re:Product Liability

[niteice]

The beta of LongHornn aka Vista includes an anti-virus built-in. What does this say of the product quality?

For that matter, what does it say about the users?

Re:Product Liability

[milimetric]

Your car analogy is interesting. Whereas I think it applies to buggy code out of the box (kernel crashes, etc.) it does not apply to viruses. A virus for an automobile manufacturer would be like someone hiding rats in the back seat of brand new Chevy Cavaliers rolling out of the factory. Or waiting by the corner of the dealership to shoot holes in your tires within 3 minutes of driving off the lot. I'm pretty sure GM doesn't face these sort of challenges.

As far as defects out of the box, that *company* you've got your sights on has not had many in recent memory. Whereas the windshield wipers on my Chevy Impala broke when the odometer read 3000 miles and I just saw a dude killed in a Chevy Cavalier because the airbag went off while he was stationary without any car hitting him, my windows 2000 advanced server box has been running disconnected from the viral internet for the past 6 years without any problems.

One point of yours I agree with however. In GM's case, they probably paid a huge amount of money to that poor Chevy Cavalier guy's family. Software companies are not held accountable for their actions, and I think they should be.

Re:Product Liability

[Jondaley]

Probably just feeding the trolls...

I didn't say I agreed with the police using cell phones for "security", just that they do. And I believe it is harder to scan than the plain old radios that everyone has a scanner for.

As for Yellowstone, that was an example, I haven't ever used a cell phone there, but it appears that some people do:
http://forums.wirelessadvisor.com/archive/index.ph p/t-2665.html

Re:Product Liability

[Ucklak]

There was a an address you could POKE some value in on the Commodore 64 that would increase the voltage to one of the chips that would cause it to overheat.

Re:Product Liability

[nmg196]

> After a decade, they still can't get out code that DOESN'T NEED
> an anti-virus out of the box.

Name anyone who can. Unless you install a really obscure OS, then it's very probable there are lots of viruses for it.

Re:Product Liability

[TheViewFromTheGround]

Though very rarely, strange shit like this happens. I had a friend brought home his clothes from the laundromat compressed together in big bags. The clothes (particularly the metal pieces) were hot enough from the drying that they set fire to the bags, which should have burned out but set fire to some paper, which resulted in his apartment slowly catching fire. The resultant fire and (mainly) smoke damage, his lack of insurance, and his slum-lord renter meant his family almost wound up homeless. Shit happens, but weird shit happens, too.

Re:Product Liability

[drsmithy]

Why is this modded Flamebait?

Because it is.

Wasn't the command shell withdrawn from LongHorn bcos of the proof-of-concept virus from F-Secure?

Highly unlikely, considering you could write a "proof of concept" virus for just about anything.

The beta of LongHornn aka Vista includes an anti-virus built-in. What does this say of the product quality?

You can't prevent "viruses" on a system designed to run arbitrary code.

Re:Product Liability

[Anakron]

I think you're missing his point. Sure, the hardware can be broken by software, but it is the responsibility of the hardware manufacturer to ensure that even if (say) you turn off the psu fan, it doesn't catch fire. Perhaps some sort of breaker circuit would work here. Similarly for other cases.

Re:Product Liability

[Jondaley]

I agree with you, just saying that it isn't obvious when a device is life-critical/supporting. By "supporting" do you mean that class of medical devices (http://msdn.microsoft.com/embedded/getstart/devpl at/meddevsys/default.aspx) that get implanted in a person etc?

Re:Product Liability

[Epistax]

As a reply to those who are replying to you, there is not much of a difference between costing money and costing lives. Costing money will indirectly cost lives. At the very least, as your income goes down your life expectancy drops. Even more direct are the suicides which result. For example, I wonder how many people will die and have already died as a result of Enron. A hundred or more wouldn't surprise me. Stress isn't good. Remember, it might kill people 20-30 years after the fact, but just like radiation, it's the original cause (and any subsequent doses) that are to blame. The blame is not spread around it's completely leveled on everyone, just like when 10 people murder 1 person, each of the ten is as guilty as if he or she did it alone.

Re:Product Liability

[dragonman97]

Death. Death brings serious legal and media attention on the company in a very bad way. If a client of theirs loses money because of their shabby product, the company probably doesn't care much at all - it's "not their problem." It becomes their problem when the client decides not to buy from them again, but depending on what kind of hold they have on the market, that might not even be enough to lose a significant number of clients. How many companies have lost a significant amount of money due to downtime on Windows systems? How many of those companies have actually tried to get some of that money back from Microsoft, or even considered leaving the Windows platform?

Re:Product Liability

[DenDave]

Something tells me that this is recent and not available in the EU ;) Only IBM has an adapter for that...

Re:Product Liability

[KDR_11k]

EULAs say "to the maximum extend permissable under law" which can mean they're fully liable if the law says you can't waive liability through an EULA.

Re:Product Liability

[Stevix]

Also, I know I need to clean out my computer case of massive dust, but what is the flamability of dust? Its dry, composed of the remnants of other flamable materials, like pollen, lint, dead skin etc. If it was coating your chips and or motherboard, would that increase the risk of overheating causing combustion? If it was dangerous, youd probably have heard cases about, but if there was ever a case of melted or fuming hardware, how did the presense of dust affect it?

time to clean my computer...

Re:Product Liability

[Evil+Adrian]

You are totally right, we should let the entire machine crash instead of simply ending the offending task, logging the information in the event log, and keeping the operating system running.

What a horrible user experience.

Re:Product Liability

[SquadBoy]

You believe wrong. And all the places listed in that thread are in the "built up" part of the park. No place that a hiker would get lost.

Re:Product Liability

[sukotto]

They screwed up. They were supposed to release the virus a few months after the product launch. So Symantec and Mcafee can gain a whole new market for their products.

Re:Product Liability

[CodeBuster]

If you read the license agreement for windows NT, 2000, 2003, XP, etc you will see that there is a clause that says something to the effect of, "do not use this software product in any circumstances where real time or mission critical operation is required," which means that nuclear plant operators, air-traffic controlers, hospital patient monitoring devices, and the like are out of luck if they wanted to (why?) use Windows.

Re:Product Liability

[whyde]

"In the corporate eye," losing money is worse.

It is the job of the actuaries to determine the break-even point of having killed someone versus the financial impact on the current quarter's bottom line.

Bean counters give corporations permission to do bad things, and draw the line over which corporations should not step to still consider themselves having "fulfilled their fiduciary responsibility to their shareholders."

In essence, if you invest in a company (personally, or through a mutual fund which invests in them), then you are party to the companies' collected crimes, since you own part of that company, and they will claim they did it to make you more wealthy.

Should we blame the CEOs? The CFOs? The shareholders? When a company commits a crime, should we dissolve the company's charter, in essence "killing" it? Is a financial penalty more "useful" than putting hundreds/thousands of people out of work? These are murky questions.

Re:Product Liability

[nmg196]

No but there are viruses for all of those systems. Read the post. ...and I would hardly call OSX an embedded OS!

Re:Product Liability

[harlows_monkeys]

Why is this modded Flamebait? Wasn't the command shell withdrawn from LongHorn bcos of the proof-of-concept virus from F-Secure?

There was no proof-of-concept virus. There was a proof-of-concept illustration of how a virus could spread--using code that is trivially ported to bash, csh, and every other scriptable shell in the world, and also trivially portable to perl, php, and every other scripting language.

A viable virus requires two things:

1. A way to initially infect a system
2. A way to spread from one file to another once it is in the first file

The latter is trivial, and what was demonstrated. It is the former that is hard.

Re:Product Liability

[Skye16]

Did you, by any chance, help design Windows 3.1?

Re:Product Liability

[saider]

Not true at all - software _can_ make modern hardware damage itself:

And when such damage occurs then it is up to the hardware to prevent serious injury. None of the examples you provide come close to anything but destroying the equipment.

This is exactly what UL tests for. They stress components to make sure that they do not provide a hazard, even under drastic conditions. And if the power supply is faulty and exposes the user to dangerous condidtions, then manufacturer is liable (as is UL if they approved it).

Everything inside your PC case is low voltage, with the exception of the primary side of your UL listed power supply. There are no dangerous voltages inside your computer. I think that 24V is probably the highest possible potential that exists inside a computer (+/- 12V for the RS-232 stuff).

Note: I have designed devices and software for consumer, telecommunications, and medical use, so I am fully aware of the capabilities of hardware and software components.

Re:Product Liability

[penguinrenegade]

This was the Commodore PET, NOT the C=64. Never any problems with the 64. Many used it into the late 80's and early 90's. There is even a C-One - basically a 64 on steroids.

Re:Product Liability

[Shakrai]

Or... hang on, my tinfoil hat is slipping...

Guess that means they already did the gender reassignment surgery on you.

Re:Product Liability

[firewrought]

It's always been a pet peeve of mine that software companies aren't held to any real sort of accountability for shipping product that is clearly flawed.

What makes you say that Creative's product was clearly flawed? Perhaps the virus was introduced by the CD manufacturer right before it went golden master. Perhaps they ran antivirus scans but--due to a subtle interaction b/t a bug in the antivirus product and a temporary network glitch--the latest virus definitions were not used. Perhaps Creative did due diligence at every step of the way, only to have their product intentionally compromised by a disgruntled employee with a bump key.

That said, let me approach this from another angle. The average commercial software ships with ~3000 bugs in it. Most of them don't matter, but you will occassionaly encounter some that do. Pain, frustration, and potiential monetary loss will result. We could avert this with extensive over-engineering (like we do for the space shuttle), but as a result we would not have all the great functionality that's readily available on today's computers. Imagine: the web might not exist within your lifetime. Militarily, industrially, and socially, we'd still be stuck in the 70's or 80's. With no economies of scale, computers would still be rare and expensive.

Fortunately, the market is smarter than you (not you specifically, but people who advocate software liability for non-critical systems)... the market has rewarded vendors who produce more functionality at lower quality. That's not to say that the market has got it perfect, but there are reasos for why things are balanced they way they are. (As an aside, I would argue that open source software--not being so strictly subject to traditonal market pressures--can occupy a wider range of the quality curve. That's probably a part of why it's so successful in the server market.)

I think the ideal solution to this would be to have a set of methodology standards which software vendors could claim their software adheres to. E.g., the consumer could determine for themselves if they want to buy a grade-B word processor or a cheaper grade-C word processor. The vendor would only be liable for not following the methodology they claimed. It would be difficult to set up such a system without locking developers into specific metholodogies though, and there's no guarantee that methodologies produce software of uniform quality across different software markets. (E.g., the methodology you would use to design a high-quality automotive subsystem probably doesn't have the amount of user-interface testing you would want if trying to design a high-quality video game.)

Re:Product Liability

[tolkienfan]

Actually, Windows was used on all the monitoring systems in hospital when my 4-week old daughter was critially ill with a septic Staph infection.

If it went down, it possibly could have resulted in the death of my daughter.

Re:Product Liability

[sjames]

Software product liability tends to get much more complicated than for most products. Some of that is due to the complex interactions between different software and user environments, and some of it is simply because users, judges, and juries have no understanding of the issues involved.

In part this is because everything in a computer can potentially interact. Hanging ba pair of fuzzy dice on your rearview cannot result in a brake failure, but installing a funky screensaver CAN be the reason your spreadsheets all went corrupt. It can even be part of the event chain that causes the HR department at your best friend's employer to lose employee records (or it might have been that wierd Chinese looking email Joe in sales got lats Tuesday). Next thing you know, everyone is playing "Who to Sue" and "The Blame Game" So now we have thousands of apps with only a degree or two of separation over the network and everyone has at least three conflicting opinions of where the problem started. It was probably the freakish porn the PHB downloaded, but nobody but him knows about that.

It doesn't help that in any given situation, many lawyers will start with a reasonable enough response, then embellish and overreach until it becomes a monument to outrageousness.

In this case, there's plenty of blame to go around. Creative should have kept much tighter control over the software load, users shouldn't be doing everything as 'admin', MS should make that a more reasonable proposition, when you're running Windows, you should be using anti-virus software, etc.

Re:Product Liability

[FireFury03]

Everything inside your PC case is low voltage, with the exception of the primary side of your UL listed power supply.

At no point did I suggest the user could receive a shock - my examples concentrated on overheating issues. And I can tell you that a failed fan in a PSU can make the PSU _very_ hot - if something flamable was near it I can see a potential fire hazard.

Re:Product Liability

[jd0g85]

If the hardware can burn, shock, or do anything hazardous, it is up to the hardware to mitigate that problem.

It's not unreasonable to assume that some piece of hardware (like a motherboard and CPU) will only be used with another piece of hardware (like a case). If someone chooses not to, then bad things can happen. (Maybe I can burn myself on the CPU? Who knows?) If it's reasonable to assume that I have hardware protections in place, why is it not reasonable to assume that I have software protections in place?

Let's go back to the automobile for a minute. How many hardware interlocks are being replaced with software? Quite a few.

What about Broadcom's wireless products. Although they're not dangerous, the hardward clearly is not designed to prevent you from stepping on (US) Military frequencies. They rely on software to do that.

Re:Product Liability

[saider]

At no point did I suggest the user could receive a shock - my examples concentrated on overheating issues. And I can tell you that a failed fan in a PSU can make the PSU _very_ hot - if something flamable was near it I can see a potential fire hazard.

Hot to touch is about 150 degrees. Hot to ignite a fire is usually in excess of 300 degrees. Big difference.

Anyhow, this case would most likely be ruled an accident. If the power supply caught something else (say a greasy rag) on fire, then it is neither the software's fault, nor the hardware manufacturer's. Flammable materials need to be handled appropriately and not stored in risky areas.

Re:Product Liability

[saider]

It's not unreasonable to assume that some piece of hardware (like a motherboard and CPU) will only be used with another piece of hardware (like a case).

It is when it comes to safety. Power supplies are all UL Listed, which indicates that they can handle fault conditions without risking the user. So whatever equipment they are hooked up to, they will protect the user from dangerous conditions.

Let's go back to the automobile for a minute. How many hardware interlocks are being replaced with software?

I don't know. I would assume that trivial things like windows and radios can be software controlled. but I'll wager a fair bet that your air bags are run through an ASIC.

What about Broadcom's wireless products. Although they're not dangerous, the hardward clearly is not designed to prevent you from stepping on (US) Military frequencies. They rely on software to do that.

You said it. You have a lot fewer requirements when lives are not on the line.

Re:Product Liability

[pyrrhonist]

Having to re-install Windows is a pain, sure, but no-one dies.

We all die a little inside when forced to re-install Windows.

Re:Product Liability

[Ungrounded+Lightning]

It is the job of the actuaries to determine the break-even point of having killed someone versus the financial impact on the current quarter's bottom line.

Of course life is priceless (if nothing else because you can't buy more). So the bean-counters have to come up with a number (if nothing else to keep from spending so much saving one person that they run out of resources and don't do something else that costs hundreds of other lives).

How many people do you risk letting die to build a bridge that takes a half-hour off a commute every work day for a hundred thousand people? (How many lifetimes worth of time are wasted sitting in a car if the bridge isn't built?)

You want to know why compensated psychopaths hold an enormously disproport share of government officces, corporate management positions, and the like? It's because they can think rationally, not emotionally, about questions like that.

Governmental project rule-of-thumb price for a life is the lifetime disposable income, i.e. how much he makes in a lifetime minus the minimum cost for food, shelter, and clothing, and minimal infrastructure. (This is also the way to compute the number of "life slaves" a government program costs: How many people would be enslaved totally to fund the program if the cost were concentrated on them rather than distributed in small slices over the lives of a large population? Answer: About three per million dollars as of about a decade ago.)

In essence, if you invest in a company (personally, or through a mutual fund which invests in them), then you are party to the companies' collected crimes, since you own part of that company,

Bull. You're only responsible if you had a chance to affect the decision. Minority stockholders do not.

(You might make an argument that you had some responsibility if you buy something that increases demand for their products, production, and risk.)

and they will claim they did it to make you more wealthy.

No. They will claim that they did it because they must to fulfill their government-mandated duties as corporate officers.

The job of corporate officers is to make money for the stockholders. The job of government is to arrange the rules so that doing it by doing more harm makes less money than doing it by doing less harm.

Example:

Accident in a steel plant about a century ago trapped a worker with his legs under a crane. They could take the crane apart or roll it over his legs, amputating them. Taking the crane apart to get him out would cost a shift's production. Cutting off his legs would cost the workman's comp for two legs lost in an industrial accident.

They rolled the crane over his legs.

These days a liability judge would award him damages greater than the money saved by keeping the crane in production. (Precedent: Award to a Pinto gas-tank burn victim in the amount saved by the conscious decision to build it in the more dangerous way.)

THAT's one place where big liability judgements come from, and why capping puntative damages is arguably a bad idea.

Re:Product Liability

[SmittyTheBold]

Yeah, that was my thought. As if the laundry wouldn't cool off to a large degree on the way home, anyway. If the laundry's cool enough not to melt/burn through the bags on the way home (the type of bag was not made clear) then it's not going to set your home on fire.

Unless you place it directly on top of your toaster that's broken and stuck in the "down" position.

Re:Product Liability

[PsiPsiStar]

Legally, I believe that software manufacturers can limit their liability to the cost of the software via the shrinkwrap license.

Of course, with cars there are lemon laws even if the defects aren't lethal.

My problem is that software makers don't actually honor their licenses. They're legally obligated to give me a refund if I don't agree to the license, but neither Macromedia nor the store I purchased the software from would honor that obligation when it came to the Flash software.

In that case, I don't think I should be bound by any of the terms in the license. I'd like to see a person argue for the legality of reverse engineering on that basis.

Re:Product Liability

[nmos]

"That was a very interesting phone call to the computer shop that day :)."

No doubt but can you imagine trying to explain something like that to a modern computer reseller like Dell? You'd never in a million years get them to understand something like that.

Re:Product Liability

[stephentyrone]

In general, dust is extremely flammable - anything with that much surface area is. On the other hand, there's not very much of it (mass-wise), and so it'll just flash burn in a split second, and usually wouldn't have the chance to light less-flammable materials on fire.

Re:Product Liability

[www.philpem.me.uk]

Actually, you're thinking about the Commodore PET. If you POKEd a particular byte into a CRTC register, you could increase the scan frequency of the video signal. Problem is, the monitor (which was built into the PET) was fixed-frequency. Apparently they don't fail particularly gracefully either...

I swear I'm not a grammar geek

[coshx]

but shouldn't it be affected?
the possibly effected devices means the devices that possibly came into existence because of the worm.

Re:I swear I'm not a grammar geek

[Fred_A]

Haven't you noticed yet that on the Intarweb you can use any vowel in place of any other ?

Re:I swear I'm not a grammar geek

[Punkrokkr]

You beat me to it. I honestly was confused for a moment when I first read that.

Re:I swear I'm not a grammar geek

[Daengbo]

They simply mean that the virus created these devices. You see, it's the next step in computer virus evolution...

Re:I swear I'm not a grammar geek

[trackguy]

See sig (blw)

Re:I swear I'm not a grammar geek

[cloudmaster]

Well, it does say "possibly effected". Maybe the author wasn't sure how the devices came to be?

Re:I swear I'm not a grammar geek

[mikiN]

Be..er st.ll, y.u c.n le.ve o.t t.e mi..le .f wo.ds a.d st.ll g.t th.ir me...ng!

Re:I swear I'm not a grammar geek

[sn0wflake]

Oh but you are a grammar geek by posting that comment.

Re:I swear I'm not a grammar geek

[nomadic]

Indibutaly!

Re:I swear I'm not a grammar geek

[Rummey]

Maybe because the original article is in a different language and it was translated using third-party software?

Mike

Re:I swear I'm not a grammar geek

[rpresser]

Manicheanist! Heretic! Only God is capable of true creation. The Devil can only produce illusion!

Re:I swear I'm not a grammar geek

[geminidomino]

Well, when a mommy iPod and a daddy iPod love each other very much...

Re:I swear I'm not a grammar geek

[hackstraw]

Yes, its affected and not effected. That is one of my pet peeves as well. Also, the incorrect distinction between 'bring' and 'take' gets me as well.

When I was in highschool English class we used the "Elements of Style" book that is now in the public domain here: http://www.bartleby.com/141/. It clears up commonly misused expressions like these.

(Now lets hope I didn't make a silly grammar mistake like I always do when correcting someone :)

Re:I swear I'm not a grammar geek

[FidelCatsro]

I have never fumigated that .baking verbs around is not a common chastised is it?

Re:I swear I'm not a grammar geek

[mobitron]

Yes, its affected and not effected
And one of my pet peeves is people not knowing when to use apostrophes. Although using "it's" where it should be "its" is much more common.

Re:I swear I'm not a grammar geek

[xutopia]

shouldn't it be infected in this case?

Re:I swear I'm not a grammar geek

[mapmaker]

And one of my pet peeves is people not knowing when to use apostrophes.

He (she?) missed the apostrophe in let's as well. Isn't pointing out other people's mistakes fun? :)

Re:I swear I'm not a grammar geek

[kartiknarayan]

Um you did - that should have been "let's hope". :)

Re:I swear I'm not a grammar geek

[hokeyru]

Yes, but while affect and effect have completely different meanings, thier syntactic usage is identical, so it's impossible to be certain that an error was committed. While here the context makes it clear (I think), I've seen sentences where that's not the case.

Mixing up "let's" and "lets" very seldom causes confusion, as they're syntactically different. I'm inclined to chalk it up as a typo or a spelling error (which warrant more leniency). Mixing up affect and effect is just ignorant.

And while we're at it, I don't think an emoticon can serve double duty as a closing parenthesis.

Why do I somehow think that..

[postgrep]

iPod and Mac zealots are now going to proclaim that "iPods don't get viruses!" ?

Re:Why do I somehow think that..

[Anonymous+Writer]

Well this doesn't exactly help Creative Zen being marketed as an "iPod Killer". 3,700 of them. Ouch.

Re:Why do I somehow think that..

[Keruo]

Do mac users run virus scanners often?
How do they know if they have viruses that aren't commonly known yet?
I keep virus scanner running on my linux machines just in case, and it disinfects few files every now and then.

Re:Why do I somehow think that..

[DeafByBeheading]

No, no. All they need to do is figure out how to spread the worm to the iPod. Then it will be an iPod killer.

Re:Why do I somehow think that..

[Henriok]

"Do mac users run virus scanners often?"

There are quite a lot of Mac users that have anti virus installed. Mostly because they fall for the virus hysteria in the Windows centric press, and thinks that it applies to them too, but also because they don't want to risk sending a virus infected document or mail to a Windows user by mistake. Even if the virus didn't infect the Mac itself.

"How do they know if they have viruses that aren't commonly known yet?"

There are exactly zero known viruses for Mac OS X right this minute. If one would emerge it will be commonly known in the Mac community quite fast. It is a closely knit community after all.

"I keep virus scanner running on my linux machines just in case, and it disinfects few files every now and then."

Prudent, but it's mostly for the benefit of your Windows friends.

Re:Why do I somehow think that..

[the_unknown_soldier]

Because iPods don't get viruses!

Re:Why do I somehow think that..

[1u3hr]

Do mac users run virus scanners often? How do they know if they have viruses that aren't commonly known yet?

The anti-virus companies would dearly love there to be, and if they found one would announce it with a fanfare, to promote sale of their software which is so far quite redundant on Macs (except for finding PC viruses attached to mails or documents that can't run on Macs).

Re:Why do I somehow think that..

[gnu-generation-one]

iPod and Mac zealots are now going to proclaim that "iPods don't get viruses!"?

Well, Creative are famous for supplying large, complex, Windows-only drivers for everything.

I'm selling a Zen now because it's useless as USB storage (requiring hundreds of megabytes of software, not being able to run on mac or linux, (hence incompatible with AmaroK) and with an EULA that forbids you from installing the drivers on more than one machine)

Re:Why do I somehow think that..

[Neurotoxic666]

Don't forget the BSD crowd. They're probably running it on a gramophone to be safe. :P

Re:Why do I somehow think that..

[MSFanBoi]

No they instead have batteries that up to VERY recently only lasted about a year and cost more than the actual iPod itself to replace.

Re:Why do I somehow think that..

[qwertphobia]

There are, however, viruses that affect applications which run on Mac OSX. We run antivirus on our Macs because we use Microsoft Office.

Re:Why do I somehow think that..

[isotpist]

Maybe because iPods don't get viruses. It seems obvious to point it out.

Re:Why do I somehow think that..

[theTerribleRobbo]

Too late for us. Marcus, one of our resident arsehats, decided to kindly point this out to us:

http://www.progsoc.uts.edu.au/lists/progsoc/curren t/msg02608.html

Re:Why do I somehow think that..

[wakejagr]

not if apple comes out with the iCondom to protect your iPod when you connect to an insecure (ie windows) computer . . ..

Re:Why do I somehow think that..

[penguinoid]

I managed to get my Debian box infected with some virus (rootkit, to be pendantic. See chkrootkit). The only reason I noticed was that it broke the color in ls, and a google search revealed that that likely meant my system got infected. I have no idea how I got that, but please remember that linux has no defence against trojans.

Re:Why do I somehow think that..

[burnin1965]

I have a dual G4 Mac with OS X. I do not run a virus scanner on it. It sits behind a linux based firewall with a custom set of iptables rules. And I make sure to check for updates frequently.

Now I suppose its possible that I have a virus and I'm just not aware, however, the same logic works towards virus scanners as well. Just because you run a virus scan how can you be absolutely sure that you don't still have a virus?

I also run several linux boxes, desktops, laptops, and servers. I'm curious about your linux virus scanner and the results. What virus software are your using on your linux box and specifically what linux viruses are you discovering? If your linux box is a server and your scanning for Windows viruses that may be propogated via the server then you may want to specifically state that.

The reason I ask is because I have yet to encounter a virus on my Mac or any of my linux boxes that I'm aware of. At work I use Windows boxes and in the past it was easy to tell when they had a virus because the box would slow down and act in unexpected ways. Unfortunately, it would be difficult to tell today if the Windows boxes had a virus because the current virus protection that runs on them makes them so damned slow and flakey in their operation that I would never know if it was a virus or just the stupid virus proctection software keeping things safe. Its rather sad when an upgrade to the latest and most expensive dual core submicron microprocessor from a muti-billion dollar 300mm factory seems necessary just to have a functional Windows box.

burnin

Re:Why do I somehow think that..

[Keruo]

I'm using F-Secure antivirus for linux, and the matches I usually get are windows viruses, since it's scanning changes on network drive where browser downloaded files and profiles are kept.
I don't recall ever finding any linux viruses with the scanner, but it helps to keep the windows machines clean on the network.
I also map administrative shares with samba from the desktops and run daily scan on them over network after work hours.
Takes the load away from the workstations.

Re:Why do I somehow think that..

[Truekaiser]

umm shouldn't any kind of root kit that effects *bsd's effect mac osx since it is basicly bsd with a diabetic induceing window manager?

Re:Why do I somehow think that..

[Anonymous+Writer]

I actually thought that, since iPods can also be used as external disks, there probably isn't a reason this couldn't happen to iPods as well, if a virus somehow got onto the assembly line process. But I think that iPods are formatted to the filesystem of the computer you hook them up to initially (that's how I recall it working). If you hook it up to a Macintosh, it uses HFS+, and if you hook it up to a PC, it uses NTFS. I recall reading that some people had problems if they wanted to use iPods as external disks between Macs and PCs because of this.

Re:Why do I somehow think that..

[martalli]

Back in the day (1989, to be more exact), I was first introduced to computer viruses on a Macintosh. The reason was that Mac viruses would hide in the boot sector (or FAT maybe) of Mac floppies, even just by popping the disk in. The DOS boxen simply ignored the floppies, giving me the impression that DOS was a much more spartan/simplistic system.

Honestly, Macs were far more popular on campus (Univ of Illinois) than DOS boxen at the time, and so any Mac virus had a better crack at spreading around...even back then we had the little virus scanner pop up and scan a floppy when you put one in...Now its Winboxen which are more porous and unpatched, and Mac users who let their boxen sit aroun d on the internet without AV software. That's a nice little turn of play.

Not the first, won't be the last

[jarich]

Microsoft did this a few years back if memory serves.

When you run Windows, you must run anti-virus ~all~ the time!

Re:Not the first, won't be the last

[jkrise]

That's a feature.. not a bug! Windows provides full upward compatibility for all code from DOS onwards, including viruses, worms and ticks... but excluding Lotus, WordPerfect, Netscape....

Can't think of a single virus that runs only on Win98 but not on XP...

Re:Not the first, won't be the last

[jarich]

Flamebait?

When I see the "quality" of /. comments, especially compared to just a year or ago, I realize it's populated with the younger generation, but things like this confirm it.

It's not flamebait, you just don't remember it happening. I wasn't referring to Windows itself.

Here are a few examples:

http://www.idg.co.nz/cw.nsf/0/CC256D400014E76CCC25 6A3A00806895?OpenDocument&Type=Column&More=Virus/ Microsoft makes the virus news section too, with confirmation that it shipped some hotfixes infected with the rather nasty (but old and well-detected by antivirus software) FunLove virus

http://news.com.com/2100-1001-935994.html/ Microsoft accidentally sent the virulent Nimda worm to South Korean developers when it distributed Korean-language versions of Visual Studio .Net

It doesn't MS is evil, it means they are human. Any company that ships tons of software will ~eventually~ make a mistake.

Today it's Creative's turn.

Re:Not the first, won't be the last

[Vo0k]

You're an ignorant wretch and there doesn't seem to be anything I can do about it... and let me prove that to you! Look! I install an antivirus here. I start it. See? None! I say... what? A virus? Must be a mista...nother? And yet another?

Been there. Sorry to burst your bubble. NAT, secure browsing habits, never using Explorer, email through webmail only, etc. And keeping only most essential programs running. After a year -something- crashed, something I didn't remember installing, ever. So just to be sure, I installed an antivirus. I had three. One - Java virus, exploiting some vulnerablity in Java plugin, one that installed itself through a hole in eMule, and one I really didn't know where from... Now, once-twice a month, complete antivirus sweep, and turning the realtime monitor on, when surfing "suspicious" webpages.

Re:Not the first, won't be the last

[aed]

I have NEVER had a virus, trojan, spyware, etc.
How can you tell, if you don't run an up-to-date virusscanner?

Re:Not the first, won't be the last

[LordSnooty]

How can you tell, if you don't run an up-to-date virusscanner?

He means he's never had a virus that popped up a message box saying, "Hello, I am a virus!!!1" As for those silent, invisible keyloggers - different matter altogether...

Re:Not the first, won't be the last

[megrims]

Heh.
He's yet to see one of those cool virus gui's, like on the movies.

Re:Not the first, won't be the last

[drsmithy]

When you run Windows, you must run anti-virus ~all~ the time!

I've been running Windows for over ten years, and run a virus scanner over my system at most once a year. No viruses yet.

Re:Not the first, won't be the last

[Soporific]

He can tell the same way all you linux users that don't run virus scanners can.

~S

Re:Not the first, won't be the last

[Reziac]

I vaguely recall that M$'s original fix for the Concept virus was itself infected, too.

Other commercialware that I know shipped infected versions -- the first Lucasarts Games Collection (ca. 1994, and I think only the floppy version was infected, as my CDROM version is not). PC Tools v7.something. One of the Night Owl shareware CDs. I'm sure there have been assorted others.

The fact is, shit happens, and occasionally it happens to software publishers too. Just because you sell software doesn't mean you're somehow magically immune to viruses. The wonder really should be that it doesn't happen more often, especially with large companies that have hordes of non-techie employees (secretaries, accountants, and the like) who nonetheless still use the company network.

Yay for machine translation...

[Gurezaemon]

Speaking as someone who translates from Japanese to English for a living, the quality of the so-called "translation" spat out by Babelfish make me feel a lot better about my long-term job security...

Re:Yay for machine translation...

[markild]

All your base are belong to us?

Re:Yay for machine translation...

[MadCow42]

>> the quality of the so-called "translation" spat out by Babelfish make me feel a lot better about my long-term job security...


It don't make me feel so goods about you job security. q:]

That isn't Engrish

[labradort]

In case anyone is fooled into thinking the
Creative press release was horrible Engrish,
that was a bablefish link.

It is unfortunate we don't have an english
version yet, if that is the market effected by
this.

Re:That isn't Engrish

[markild]

My guess is that they want to tell it, not yell it.

...even though they should at least try.

Re:That isn't Engrish

[xerxesdaphat]

In case anybody was fooled into thinking that the above post was in fact a poem, it was just a post in which the author likes using

's every line just in case your browser forgets to wrap text in html at the end of each line...

Probably...

[Knome_fan]

because you are desparately trying to start a flamewar?

Re:Probably...

[postgrep]

I are not! I've just seen hundreds of Mac users claiming they're free from viruses and spyware because they use mac's.

Re:Probably...

[niskel]

I'm no Mac zealot but what they are saying is true... They are free from any realistic virii.

Re:Probably...

[Chicane-UK]

Indeed.

No spyware, no virus's.. but i'm not going to shout about it as it clearly upsets some people.

Guess the truth just hurts.

That's why Win32 in a factory is a bad idea

[SysKoll]

This is exactly why having windows machines in a production process is a bad idea. You never know when a worm, virus, trojan or other beast is going to interfere with your fabrication, the files or the hard disk imaging.

IBM is running its new 90-nm microelectronics fab (in Fishkill, NY) entirely on Linux. So if it's feasible for a plant of that complexity, it should be feasible for a small assembly plant such as Zen Creative's.

Re:That's why Win32 in a factory is a bad idea

[Ingolfke]

IBM is running its new 90-nm microelectronics fab (in Fishkill, NY) entirely on Linux. So if it's feasible for a plant of that complexity, it should be feasible for a small assembly plant such as Zen Creative's.

Feasible, yes, cost effective or prudent... not necessarily. All the IBM example shows is that IBM, a company with a vast wealth of Linux resources, has invested their energies in creating a production process based on Linux for one of their most costly and complex environments. For a simple production process the cost in developing the Linux solution may not outweigh the benefits of alternative solutions. Also, that cost of development of the solution may become prohibitive if a wealth of expert Linux admins and developers is needed to develop and maintain the solution. Then again... maybe not.

The point is without real data behind what was deployed, how it was deployed, the benefits of the deployment, etc... you can't really determine if Linux makes sense for Creative.

I suspect better security management, particularly isolation of their Windows boxes involved in the production process, should substantially reduce the risk of this happening again.

Re:That's why Win32 in a factory is a bad idea

[LiquidCoooled]

What happens in a few years time when a Linux based virus spreads and all those "security by obscurity" factories and workshops are compromised?

Understand that Linux is not a shining light that will be 100% watertight, if market share increases, more eyes will be on it and the potential for a major virus outbreak grows (tbh, I think the entry points will come from an application rather than the kernel but thats just the way it is)

Any operating system can be made secure by following proper procedure and keeping ontop of security announcements.

Re:That's why Win32 in a factory is a bad idea

[ajs318]

Qu'est-ce-que tu fumes? The cost of developing a Linux solution from scratch is the same as the cost of developing a Windows solution from scratch. The cost of developing a Linux solution decreases with every similarity between an existing Linux solution and the one you are developing, whereas the vendors of Windows solutions will charge you the same for changing one line as for developing from scratch.

Re:That's why Win32 in a factory is a bad idea

[ajs318]

We hear this all the time from the Windows apologists {and if it were true in the general case, there should be more attempted attacks against the web server with twice the market share of its next competitor, but there quite clearly aren't}; but the fact remains that Unix-like systems -- and that includes Linux -- are by design more secure than Windows, and Open Source systems in general are by design more secure than closed-source systems. Linux supports privilege separation and hardware abstraction by default, and it forces you to use them.

Also, the only applications which could be a viable vector for virus propagation are closed-source ones. The open source ones are being looked at by the good guys as well as the bad guys, and the former outnumber the latter.

Re:That's why Win32 in a factory is a bad idea

[LiquidCoooled]

The GP poster was suggesting that using Linux was secure by default.

I was pointing out that its not the case, and that viruses and problems can still occur even in Linux.

Many eyes looking at a system does not mean that every problem will be solved and that bugs do not occur.

Firefox is a prime example, since bugs and errors are still embedded deep within and are as yet unclean.

Also remember that just because bugs can be fixed overnight does NOT mean that bugs will be removed from existance overnight. From the minute you release software there will be people who run unpatched until the day they drop that software, and to my knowledge there hasn't been a single bug free software release ever.

Re:That's why Win32 in a factory is a bad idea

[SysKoll]

LiquidCooled, Thanks for your reply. While I agree that no OS is 100% secure, a production plant or process shouldn't purposefully select an OS that has a huge number of known flaws.

It's like bungee jumping: Sure, even the super-duper-industrial-strenght rope could break, but that doesn't mean you should use decorative string as your rope.

Re:That's why Win32 in a factory is a bad idea

[SysKoll]

AC,

One evidence would be the hotmail fiasco. It was running a Unix-like system (Linux or *BSD, don't remember). When MS took over, they tried to convert all the machines to Windows. It was a total disaster. They had to backtrack and then greatly increase the number of machines for the same workload before moving to windows for good.

I even found an article here. Google it yourself next time, mmmkay?

Re:That's why Win32 in a factory is a bad idea

[1u3hr]

I was pointing out that its not the case, and that viruses and problems can still occur even in Linux.

Obviously Linux is not immune to exploits.

You said Linux relied on "security through obscurity". That's what I disagree with. Open source code is the complete opposite.

Re:That's why Win32 in a factory is a bad idea

[Daniel+Phillips]

"The point is without real data behind what was deployed, how it was deployed, the benefits of the deployment, etc... you can't really determine if Linux makes sense for Creative."

You can now. Avoiding this one black eye alone would have been well worth the price of admission.

If indeed there is a price. Manufacturing process control software is arguably less expensive to develop and deploy with Linux than Windows, and Linux can do the same work using fewer machines, giving you your choice of lower cost or better machines.

Which Microsoft employee modded that down as redundant?

Re:That's why Win32 in a factory is a bad idea

[micheas]

Unix-like systems – and that includes Linux – are by design more secure than Windows,

That is not entirely true.

Windows has well audited acl's that preform very well compared to seLinux. Windows NT type operating systems have all the pieces to make a very secure system.

The problem is not that Windows NT/2K/xp/2003 does not have the tool. The problem is that Microsoft did the equivilant of logging into a *n*x system as root and going:

• cd /
• chown -R root:root *
• chmod -R 777 *

Oh, you also have to reduce the number of groups from about 25 to 5 so that securing your system is as close to writing a Ph.D. disertation as possible. Windows has the tools, and they may work very well, but almost nobody uses them, especially Microsoft.

homophones

[ajs318]

Scrawny man in PE kit, about to lift a small weight: "Will this affect me?"

Muscular man, lifting two larger weight with each hand: "Look at the effect it had on me!"

From a poster in the Remedial Studies unit at my secondary school.

They not only didn't virus check...

[term8or]

These people don't even know how to grammer check their press release...

It was verified that it is the possibility the extermination possible worm type virus of the risk which is called to the player itself of Creative Zen of the digital audio player who it was produced was shipped from shipment preparation and late July this each time in our company Neeon "W32.Wullik.B@mm" having mixed low.

OK. The actual problem is probably not serious as far as I can tell, since running the virus software is not automatic on installation (which I bet is done by a super user or admin). But really, this is not professional and someone ought to get the sack. And the person who wrote the press release ought to be retrained as a petrol station attendant.

Re:They not only didn't virus check...

[term8or]

OK. I retract. It was a babelfish link - so why didn't they write the press release in english? ;).

Re:They not only didn't virus check...

[jimi+the+hippie]

Yeah, and the dumb SOBs decided to post on a "babelfish.altavista.com" address instead of "jp.creative.com." When will they ever learn??

Re:They not only didn't virus check...

[TheoMurpse]

If your complaints against the grammar come from the second link in the blurb, it is machine translation from Japanese to English via Babelfish. On the contrary, the original Japanese was written well enough.

For any Japanophiles in the house, for the translation It regards the problem of the Creative Zen Neeon digital audio player, the original was Creative Zen Neeon Digital Audio Player [dejitaru o-d'io pure-ya-] no mondai ni kan suru, which is better translated as regarding the problem with the Creative Zen Neoon DAP.

Re:They not only didn't virus check...

[rampant+mac]

"...retrained as a petrol station attendant."

That's petroleum transfer engineer you insensitive clod!

Re:They not only didn't virus check...

[shark72]

"so why didn't they write the press release in english?"

Just in case you're not making a joke... it's in Japanese because it was written by Japanese people, for Japanese people. This is a Japanese market product.

While it often seems nowadays that English is the universal language and everybody speaks it, travel enough and you'll find people who don't. If, just to throw some numbers out, 50% of Japanese people speak English but 100% of them speak Japanese, the prudent thing is to use the native language.

Re:They not only didn't virus check...

[mike.newton]

Since you're being pedantic, I figured I may as well point out the spelling error in your post! Grammar. ;)

I guess Zen doesn't run Linux

[AndroidCat]

Come to think of it, how does this worm manifest itself on a player device?

"W32.Wullik.B@mm is a mass-mailing worm that attempts to send itself to all the contacts in the Outlook address book. The worm makes numerous copies of itself in random locations, and moves to a new location when Windows Explorer browses to the folder from which it runs. It can spread to floppy disks and shared network drives under some conditions.

I doubt it executes on the player itself. Can it infect the PCs that you connect the player to for syncing?

Re:I guess Zen doesn't run Linux

[m50d]

As I read it, there's simply an executable on the player, so you'd have to run a random program you found on your player to get infected. Still, I can imagine someone thinking "Hmm, creative have put a program on my player, it must be a useful tool for using it".

Just wondering....

[someone300]

Is this virus on the software/driver CD or the actual device itself?

If it's on the device, how is it running on the zen, since I'd imagine the zen doesn't run windows, and how does it get from the zen to the operating system? (Wouldn't a zen be just like a bulk transfer device or something, and require the user to download and run the virus from it?)

Re:Just wondering....

[AndroidCat]

I don't think a mass-mailing virus would have much luck on a music player even if it could run. (Suddenly 452 new tracks appear in the playlist, like "HELLO I AM JOHN ABRACHI OF NIGERA" and "GET H4RDER F4STER!")

Most likely, the player shows up as a mountable USB drive on the connected PC. Unless the worm sets up an autorun for the PC to execute, it's probably just a dormant copy lurking in the player's volume. Someone probably did a full system virus scan with the player connected and found it.

Re:Just wondering....

[m50d]

It's on the device, which I presume acts as a USB mass storage device. You could run the virus directly off it, just like a virus on a floppy disc or CD or network share (windows treats anything with a drive letter the same), but yes it does require user intervention. It happened because this particular virus copies itself to (more or less) random directories, so someone had (presumably) the master disc image mounted and the virus made a copy of itself there.

Re:Just wondering....

[AndroidCat]

A lot of groups are pretty viral these days.

oopsies

[theheff]

It'll be interesting to see how both the consumer and the company react to this situation and to see how public this could get. If damage is actually done here from the defect, who would be liable? Oh the joys of transitioning into the digital age...

Insanity is king...

[martian67]

With the defectiveness of our company, we apologize the fact that very much annoyance was applied the customer and to the related everyone deeply.

So its true what they say about the "Creative" process, its often linked to mental impairment :D

Re:Insanity is king...

[ratatosk_the_squirre]

We apologise again for the fault in the defectiveness of our company. Those responsible for sacking the people who have just been sacked have been sacked.

Re:Insanity is king...

[mikataur]

A moose once bit my sister.

In related news...

The author of W32.Wullik.B@mm is suing Creative Zen for copyright infringement under the DMCA.

Zen has a worm

Maybe Avon can fix it with the help of Orac.

Re:Zen has a worm

[evilneko]

Was it planted by Servalan?(sp)

Re:Zen has a worm

[mikataur]

The ironic thing is, the Blake's 7 Zen was actually destroyed by a space virus...

It was at the end of season 3. The Liberator had flown through a region of space that contained an unknown substance. As the episode progressed, the ship gradually dissolved until it went boom.

The crew, including Orac, had teleported off and returned for season 4. Zen, sadly, did not. "Confirmed."

(I'm such an anglophile geek.)

Those Crazy Zens...

[utexaspunk]

They're so creative! First they invented shipping with styrofoam peanuts and now worms?! What'll they think of next?...

Spooky

[MaestroSartori]

I don't know too much about worms, but I'd assume that something like this would have to happen deliberately - ie someone deliberately put an infected executable into the drive image? Or are worms smart enough to infect things inside disk images (or whatever they might be using - how do industrial processes get stuff onto hard disks???)

The consumers won't be amused..

[manavendra]

..for a product vying a piece of personal hdd-based players dominated by iPod, this is bad news.

Creative may try to position itself as the player with replaceable battery (hence longer life), has few more quirks (such as allowing you to move files across computers, rather than going the iTunes way), however, iPod still remains the benchmark in usability and style (the USP of iPod).

Till they manage to one-up the market leader with innovative design or something special, such glitches will always render it as also-ran

Re:The consumers won't be amused..

[The+Lynxpro]

"Creative may try to position itself as the player with replaceable battery (hence longer life), has few more quirks (such as allowing you to move files across computers, rather than going the iTunes way), however, iPod still remains the benchmark in usability and style (the USP of iPod)."

Apple is developing iPods right now with replaceable batteries. We might see new models featuring them on September 7th, if not later this year.

Okay, a link to the original without babelfish

[Joseph_Daniel_Zukige]

For those who, like me, prefer reading intelligible Japanese over machine translation, here.

Once upon a time I remembered that %2f was slash and %3f was question mark, etc.

Where was their QA?

[flajann]

I thought QA was supposed to catch this type of thing, I mean really.

I can't imagine how something like this got into the production image unless there were a lot with their thumbs up their anal orficies that day...

Re:IPOD

[Salvarus]

And ignore the ipods superior OS and interface.

Shipped to the Japanese market

[Joseph_Daniel_Zukige]

So I doubt they'll see a need to publish it in Engrish.

Unless one of their stuff notices this and figures damage control is necessary.

Re:Shipped to the Japanese market

[mjtg]

... and to the Australian market too.

I bought my wife one of these about a month ago. It played music just great, but it kept on locking up when she recorded with it. Not just occasionally, but nearly every time.

Being a musician who jams with a bunch of other people, the recording feature was one of the main reasons she wanted an MP3 player. So, we took it back and got it replaced with a new one. Which has the same lock-up problems.

And guess what - the new unit one of the affected ones.

I printed the Register article and took it in to show the store where we bought it. I'm waiting right now for a phone call for replacement details.

BTW, thanks Slashdot for tipping me off about this.

Not just Windows

[RAMMS+EIN]

``This is exactly why having windows machines in a production process is a bad idea.''

Although Windows has a deserved reputation for being susceptible to viruses and break-ins, this problem is not unique to Windows. Any software written in unsafe languages (like C and C++) is bound to contain exploitable vulnerabilities. Any system that allows the user to run software that they bring to it is susceptible to trojans.

AFAIK, no current operating system is both usable and provides adequate protection mechanisms against viruses. A fine-grained permission system might help, though. Allow the MP3 player's software access to your music directory, but nothing else. Allow the word processor access to your documents directory, but nothing else.

I wrote a utility called chrootexec that allows you to run a program in a chroot jail (it cannot access files outside that directory). It's basically the same as the chroot command, except that you don't need to be root to use it (but it does have to be installed suid root to work).

However, some programs (file managers come to mind) need access to many directories to be useful. These will still be exploitable.

Re:Not just Windows

[RAMMS+EIN]

``AFAIK, no current operating system is both usable and provides adequate protection mechanisms against viruses.
---
Please correct me if I got my facts wrong.

You did get your facts wrong.

OS X...because making UNIX friendly was easier than fixing Windows.''

Do you really think OS X provides adequate protection against viruses? So OS X doesn't let software that you download and run delete or modify your files? OS X does not contain or run software that has buffer overflows, format string vulnerabilities, race conditions, memory leaks, etc?

Remember: just because something is working fine for you now, doesn't mean it will always work fine for everyone. If you evaluate OS X on the qualities that it has, it's far from immune. It may get broken less than Windows, it may even be more secure than Windows, but it's not bullet proof by any stretch of the imagination.

Re:Not just Windows

[SysKoll]

You are right, but as I said in a previous reply: While I agree that no OS is 100% secure, a production plant or process shouldn't purposefully select an OS that has a huge number of known flaws.

It's the difference between walking in a dark alley wearing a bullet proof jacket (sure, leaves your head exposed) and walking in the same alley wearing a fluorescent tee-shirt saying "rob me" and flashing a wad of cash. In both cases, you have some risk. In the latter, you're just asking for trouble.

Your chrootexec program is interesting. Did you post the source somewhere?

Thanks

Re:Not just Windows

[funwithBSD]

First off, C and C++ are not inherently unsafe, it is just that programmers that can use them safely are rare. Take a look OpenBSD, they write safe C/++ code.

Second, there are at least 2 very safe OS's that adaquate protection from viruses. zOS and VMS are the two that come to mind. Both use secure memory models that prevent such stupidity.

You might think they are unusable, but taking into consideration your ignorance about C and C++, I am thinking it would be just you.

There are more OS's in the universe than Linux and Windows.

Re:Not just Windows

[SQL+Error]

First off, C and C++ are not inherently unsafe, it is just that programmers that can use them safely are rare.

The problem these days is that the C mindset is so embedded that many programmers don't even know there's a better way to do things.

C and C++ are not inherently unsafe, it is just that programmers that can use them safely are rare.

That's what inherently unsafe means. A programming language that is inherently safe doesn't let you write unsafe code. Take a look at Ada one day, grasshopper.

Re:Not just Windows

[Alioth]

AFAIK, no current operating system is both usable and provides adequate protection mechanisms against viruses

SElinux does (and ships by default turned ON with distros like CentOS 4). SElinux adds the fine-grained permissions which don't just apply to users, but programs too (and even the login method used if you so choose). The 'targeted' policy made by RedHat for RHEL (and thus in CentOS too) prevents things like getting rooted via an exploit in a CGI script allowing an attacker to upload a local root exploit - even if the attacker gets root, SElinux stops them doing anything other than what the vulnerable CGI program was allowed to do (which can be very little).

Re:Not just Windows

[ajs318]

Any software written in unsafe languages (like C and C++) is bound to contain exploitable vulnerabilities.

C is not an unsafe language. It is a language which allows you to do things which might be potentially unsafe under certain circumstances. Riding a motorcycle wearing only a bathing costume and no crash helmet is not unsafe if you do it at low speeds on a soft surface. C is not unsafe if you do some simple checks or you know for certain you won't have to do those checks. Not everybody checks everything, of course ..... but that doesn't mean there is anything wrong with C. Garden light often use a low voltage -- 6V or 12V -- which will certainly be safe if someone touches it. That doesn't necessarily mean that 230 volt mains is always dangerous, just that you have to take special care around it. In a shower heater, you have 230 volts and running water, which sounds like a highly dangerous combination! But you need the volts to get the kilowatts: heating just one litre of water per minute requires 69 watts for each degree hotter you want to make it. The safety comes from the carefully-designed heat exchanger and the earth leakage cutout.

Any system that allows the user to run software that they bring to it is susceptible to trojans.

And any system that doesn't allow the user to run software that they bring to it is at best computationally incomplete and at worse useless.

As a compromise we could have a panel of experts reviewing the source code of all software to determine how safe it is. Just like they do at your favourite Linux distribution, for instance.

AFAIK, no current operating system is both usable and provides adequate protection mechanisms against viruses. A fine-grained permission system might help, though.

A permission system that is too fine-grained {viz. the one in Windows NT which is even more complicated than the one in VAX/VMS} suffers from about the same problem as a pay toilet in a forest. In fact, make that a pay toilet with a dress code in a forest.

Allow the MP3 player's software access to your music directory, but nothing else. Allow the word processor access to your documents directory, but nothing else.

Well, that's not a bad start. You can do it already with commonly available and household materials.

I wrote a utility called chrootexec that allows you to run a program in a chroot jail (it cannot access files outside that directory). It's basically the same as the chroot command, except that you don't need to be root to use it (but it does have to be installed suid root to work).

Logically you shouldn't need to be root to run chroot {except that it's in /usr/sbin/, and therefore outside a mortal's path, on my Debian machines}. However, there's probably something I haven't thought through fully; otherwise OpenBSD or someone like that would make every userland process run in a chroot.

However, some programs (file managers come to mind) need access to many directories to be useful. These will still be exploitable.

They will only be exploitable so long as the program's operation has not been verified {I am assuming this means by reading the source code: I genuinely do not know of an alternative means to achieve this end, though this by no means constitutes proof that there is none} and users have not taken appropriate action.

Re:Not just Windows

[RAMMS+EIN]

``Your chrootexec program is interesting. Did you post the source somewhere?''

It's here. Ports and packages also available.

Re:Not just Windows

[RAMMS+EIN]

``C is not an unsafe language. It is a language which allows you to do things which might be potentially unsafe under certain circumstances.''

Reading and writing beyond the beginning or end of an array is an unsafe operation. C allows this. This is what is meant by "unsafe language": one that allows unsafe operations. The fact that you can also write programs in C that are completely safe does not negate the fact that C is not a safe language.

The numerous buffer overruns, format string vulnerabilities, and memory leaks that continue to be found in current production software clearly demonstrate that just the fact that you can write safe programs in C is not enough to guarantee that software will not contain the sort of vulnerabilities that using a safe language prevents. I consider my point made.

``Any system that allows the user to run software that they bring to it is susceptible to trojans.

And any system that doesn't allow the user to run software that they bring to it is at best computationally incomplete and at worse useless.''

Which is the point I was making: it doesn't just happen to Windows, it happens to any usable system. If you allow third-party software, you're vulnerable.

``A permission system that is too fine-grained''

You don't have to use each and every feature. I imagine restricting the files a program has access to based on what program it is and what user runs it is not very complex, but goes a long way in containing the damage the program could do.

``Logically you shouldn't need to be root to run chroot''

I agree, which is why I wrote chrootexec. Unfortunately, Unix systems still require you to be root when the call to chroot(2) is made, so the program needs to be suid root. This may be different on a system with finer privileges (such as OpenBSD), but I haven't yet bothered to figure out how to work with these.

``However, some programs (file managers come to mind) need access to many directories to be useful. These will still be exploitable.

They will only be exploitable so long as the program's operation has not been verified''

Again, you have a trade-off here. Surely, a file manager that allows extensive scriptability is more useful than one that allows none. At the same time, scriptability opens the door to exploits.

Re:Not just Windows

[RAMMS+EIN]

I can't speak for the others, but OpenBSD and QNX definitely don't protect you against trojans. If you chose to run some software, it can delete any files you can delete. If you run someone's Makefile or post-install script as root, it can delete any file on the system.

Also, although the software in the OpenBSD base install has been audited, this (1) doesn't mean there aren't any vulnerabilities in it, and (2) doesn't protect you against any additional software you install. Someone could still exploit a vulnerability in a CGI script or interpreter and delete all files on all websites on your system.

Re:Not just Windows

[funwithBSD]

You keep using that word, I don't think it means what you think it means.

"Inherently Unsafe" would mean that there is no way to write safe code, because your code would inheret the "unsafeness" from the language or compiler.

An example would be a bug in the compiler (or the headers) that ALWAYS allowed unauthorized access to the system if you were running code compiled with it.

Specifically, where there is a bug in a widely used library like, say, the SSL libs. ANY language that used it, even ADA (assuming it could, I don't know) would "inheret" the security bug, regardless of how good of code the programmer produced.

And you can't convince me that you can't write unsafe code in any language. I bet you could in ADA, all you would have to do is code an open socket that passed arguements without validation to a shell with root access.

Are you really telling me ADA is smart enough to keep you from doing something stupid like that? It might be harder or easier in a lanaguage, but that does not mean it could not be done. C and it's derivitives are easier to shoot yourself in the foot, I will grant you that.

Re:Not just Windows

[NatasRevol]

Wow, so root can delete files on the system?

I'm not sure what fantasy world you live in, but there isn't and won't be an OS that doesn't allow this.

I think you need to go recheck your base assumptions.

Re:Not just Windows

[RAMMS+EIN]

`` Wow, so root can delete files on the system?''

Yes. Which is bad in a setting where you just want the script to _install_ files. If you don't see how this needlessly exposes your system to malware, maybe you shouldn't be claiming things about the security of OS X vs. Windows.

I don't even know why I respond to idiots like you who insult or mock me for being right.

Re:Not just Windows

[RAMMS+EIN]

``"Inherently Unsafe" would mean that there is no way to write safe code, because your code would inheret the "unsafeness" from the language or compiler.''

Just to set the record straight: I wasn't the one who said C and C++ are inherently unsafe. I said that programming in them is bound to lead to problems like buffer overflows, format string vulnerabilities, and memory leaks. Which, looking at various security advisories, seems correct.

``And you can't convince me that you can't write unsafe code in any language. I bet you could in ADA, all you would have to do is code an open socket that passed arguements without validation to a shell with root access.''

Which I would see as a kind of a format string vulnerability. What's happening is that you compose code using strings, which is fundamentally flawed. Strings don't have any structure, which means a string could contain any number of commands. This is what you are probably hinting at, and it's also how SQL injection attacks work.

The right way to do this kind of thing (passing user-supplied data to other code) is using a structured approach. Lisp, for example, lets you contruct expressions to be evaluated, but you do so by creating lists, rather than concatenating strings. You can include all the paretheses, semicolons, double quotes, backticks, etc. etc. in the string that you want; no part of it will ever be evaluated. I can give you an example by email; I tried to type it here, but it didn't come out right.

Re:Not just Windows

[funwithBSD]

"Just to set the record straight: I wasn't the one who said C and C++ are inherently unsafe. I said that programming in them is bound to lead to problems like buffer overflows, format string vulnerabilities, and memory leaks. Which, looking at various security advisories, seems correct."

Yes, yes you did:

"That's what inherently unsafe means. A programming language that is inherently safe doesn't let you write unsafe code. Take a look at Ada one day, grasshopper."

I said it WAS NOT inherently unsafe, you said it was.

"Which I would see as a kind of a format string vulnerability. What's happening is that you compose code using strings, which is fundamentally flawed. Strings don't have any structure, which means a string could contain any number of commands. This is what you are probably hinting at, and it's also how SQL injection attacks work.
"

Which you can in fact do in ADA, thus ADA is dangerous in the hands of a bad programmer in the same manner as C. In other words, it fails your ideal of an "Inherently safe" language. But then you moved on to LISP from ADA, so who knows what you are on about.

NO program language is "inherently safe", because a no programmer is a "inherently safe" programmer.

Re:Not just Windows

[RAMMS+EIN]

So how do you propose I install things in system-wide directories (/usr/local etc.)?

Re:Not just Windows

[RAMMS+EIN]

You seem to have mistaken the person you are replying to. I wasn't the one who said C and C++ are inherently unsafe. I wasn't the one who claimed ADA was a safe language.

Re:Not just Windows

[rolfwind]

Hi,

I think Paul Grahams sums up why Ada never made it and why C did:

http://www.paulgraham.com/popular.html

Scroll down to Point 4 "Hackability"

I tend to agree with him - a language can try to save you from yoursolf too much. Also, a language can get you burned without much effort.

It's a question of whether you want to learn to do things the safe way and know when you are going to the edge or if you want the language to hold your hand but also be there to spank you if you are trying something that it considers out of bounds.

Re:Not just Windows

[DMUTPeregrine]

Linux! The virus tries to run. The virus goes to dependency hell. Virus free!

Re:Not just Windows

[juhaz]

You're ignorant idiot and proud of it? Wow. Probably running unpatched 10.0 too, since after all it can't have any security holes, it's OS X.

OS X has had remote code execution bugs before, and there's no reason whatsoever to assume that it won't have more in the future.

BTW, I've got a bridge to sell, interested? I can paint Apple logo to it, if you want.

Re:So what about OSS??

[niskel]

When was the last time you saw an Open Source OS that would be compromised within 4 minutes of being on the net?

Yes OSS has it's bugs and even its showstoppers but even still does not even come close to the issues seen in certain other propriatary OSs.

Poorly edited news post

[theraccoon]

The author of the post and the editor who posted it both failed to mention that this only affects models shipped in Japan. The link to the creative page is a babelfish translated website! Plus, the engadget page says that in order to become infected, you'll need to "go running conspicuous applications found on your device".

Why does this sound like some Mac/iPod anonymous fanatic kicking dust?

Re:Poorly edited news post

[kalidasa]

So then it's a GOOD thing that 3,700 devices shipped in Japan with a virus on the drive?

Re:Poorly edited news post

[mallardtheduck]

I know if I found an executable on an MP3 player I'd assume it was a copy of the driver software or the like and probably run it.

Re:Poorly edited news post

[theraccoon]

Nope, sorry. I own a PowerBook, an iMac, and three iPods, and I work for a company that makes Mac stuff.

But FWIW: My one and only creative product was one of the very first Nomad Jukeboxes with the big 6 gig HD, back when the general public had no clue what an "MP3 player" was. And I still have it in a box somewhere.

Re:Poorly edited news post

[theraccoon]

I could care less about Creative. Like I said below, I own and use Macs and iPods. My point here was that the article could have been constructed a bit better. Even the Engadget article leaves something to be desired.

Re:Poorly edited news post

[theraccoon]

I think it's odd you'd reach that conclusion from my original post. My only real comment here was that the article was poorly pasted together, and that the editor could have done a better job on elaborating on the ACTUAL issue. The way this article was worded would have made me run screaming to my PC and ripping the USB cable from the Zen (or whatever it was) (and assuming that I actually owned a Zen or a working PC ATM).

We all know that like, only eight people on /. actually click the links and read the articles. All this is going to do is give Creative some bad PR.

And yes, it's true this isn't a GOOD thing, and that there's no GOOD PR to come of this, and Creative should have been more careful, and blah blah blah blah blah. But it was an isolated issue in a foreign country (who just so happens to have their very own slashdot site for this type of news, http://slashdot.jp/ ) and I'm certain it wouldn't have killed someone to include a few more facts in that posting.

I guess I'll post my little disclaimer here, too: This was typed on my PowerBook and submitted over a wireless AirPort Extreme connection, while listening to my 40 gig iPod with my Apple In-Ear headphones and syncing my Shuffle with my new iTunes songs that I just bought from the iTMS. (I'm trying to think if I can cram some more Apple devices into that, like my Bluetooth Keyboard and Mouse, or iMac or big Studio Display monitor, or maybe my Performa 637CD, but I don't think I can. :)

Re:Poorly edited news post

[Audigy]

Why does this sound like some Mac/iPod anonymous fanatic kicking dust?

...because you're reading SlashDot. It probably is. -_-

Re:Poorly edited news post

[Audigy]

If I found an executable on an MP3 player, the very first thing I would do is open it in a hex editor and try to determine what it does.

For example, the US release of Atelier Iris for Playstation 2 includes a Win32 executable stub in its RPK.BIN file... along with some other interesting things like the GPL, but that's beside the point.

I managed to dig out the Win32 .exe and the first thing I did was run a virus scan on it... poked around at it a bit more in a hex editor (I got curious because I saw multiple references to "LWO" and thought "hohoho, lightwave object viewer, kickass" ... so I finally ran it, to find out that it was a part of some type of LWO viewer. I was very amused. :)

Additionally, the Japanese version of BeatMania Best Hits for Playstation contains a huge .lzh file of the source code as one of the dummy files. ;)

Of course having a virus of this nature on shipping hardware is something completely different, but shit happens.

Re:Poorly edited news post

[mjtg]

Wrong, I've got one of the affected units here in Australia. The shop where I bought it rang me half an hour ago and confirmed it. I'm waiting for them to ring be back with replacement details.

speaking of Engrish

[Joseph_Daniel_Zukige]

stuff --> staff
this --> this thread on /.

Death vs. Back Door.

[Chaotic+Spyder]

While I totally agree with the concept I don't think your argument holds up.

If brakes fail on a car a person dies, while if a OS has a hole privacy is breached, and data is corrupted. This is not quite the same level of damage(although I'm sure there are cases which go both ways.. I'm speaking in general here)

The problem is if a new Honda Civic was to wait in storage for 2 years it would still be allowed on the road, and would be in better condition than the greater population of the cars out there. While if you wait 2 years for an os things change so rapidly that the os needs to be patched right out of the box.

Beyond that there are a lot of people (or very few very good people) who aim to destroy software and find vulnerabilities. While correct me if I'm wrong but unless murder is your goal not to many people target cars so they become a hazard to the owner.

With that said. I do believe that something like shipping a product with a virus which brings us back to TFA, is something that really needs to be followed up on. Creative got caught with their pants down here and I am curious to see what the final result will be.

We should applaud Creative

[RyoShin]

After all, they've saved countless users entire minutes by cutting out the middle man and having an already-installed virus. This could potentially teach the unsuspecting public about the harm and danger of viruses with an in-your-face attitude.

Microsoft should definately start doing this.

Re:IPOD

For about $100 more than the top of the line iPod, you can get an entry level laptop at Sears, Walmart, Circuit City, etc...

Of course, the laptop wont fit into your pocket quite as well.

Recall?

[greg_barton]

Why isn't there a recall?

Quick question

[mr_z_beeblebrox]

What the hell is a Neeon? A common complaint on "front page quality" articles is the lack of basic information. News for Nerds implies some sort of journalism, strive for some sort of journalistic standards.

Re:Quick question

[DiscoOnTheSide]

Funny thing is, I thought the same thing, until I went to creative's player... It actually IS Neeon. Blame Creative, not /.

Now that's what I call a ...

[un1xl0ser]

iPod Killer.

Creative is taking it WAY too far.

Re:IPOD

[Mark+Gillespie]

That's what flaming is about. 1 sided views are compulsary...

Intarweb Kiwi invention

[daBass]

Thet mist meen thi ientearnit es e New Zealind envintion, es thay ell seffor frem ientarchengible vowil syndrum.

Re:Intarweb Kiwi invention

[Hognoxious]

Yis, nilly es bed es thi Sith Ifrikens...

Re:Intarweb Kiwi invention

[daBass]

Almost, but not quite, they suffer from "non-existant vowel syndrome", there is a difference, you know! :)

defective virus scanner

[Scyt2]

When you run Windows, you must run anti-virus ~all~ the time!

Last year a lot of customers complained that our new product contains a virus. The product was compiled and packaged on a linux machine and the virus was detected in a plain text python file. Btw the misdetection was done by http://www.antivir.de/en/. Of course we had to explain to our customers that this is bullshit even after the anti-virus vendor had fixed their signature files.

Re:IPOD

[v1]

I'm no audiophile so I can't speak for the SNR but I will have to argue the battery life. I own an original 5gb iPod that I bought used. After it was better than 4 years old, the battery was down to about 3 hours runtime, so I replaced it. (four years is longer lifespan than most cel phone and cordless phone batteries) Now it gets over 12 hours on a charge. Anyone complaining about the iPod's battery life is misinformed.

Creative are clueless

[TractorBarry]

Well this doesn't suprise me as, by the desing of the Zen, Creative have already shown that they don't have a clue.

For fricks sake the Zen is Windows only and requires propietary drivers to talk to it (yes I know there's a Linux project that does this but Creative themselves don't supoprt anything other than Windows) Guess what Creative, THERE ARE OTHER OPERATING SYSTEMS ON THE PLANET.

Come on how hard can it be to make a device that supports direct access to its filesystem in the manner of a USB pen drive coupled with the ability of the device to play any media files found within its file system ? Maybe the designers could also be really clever (tm) and hold your playlists etc. in a small database held within the filesystem ? (wowee they could even use XML text files)

So why the hell is it that these wretched portable hard disk players all seem to feature yet another propietary file system ? Sorry that's just awful, awful, shitty design. Once again manufacturers choose to reinvent the wheel poorly instead of reusing existing, proven technologies to good effect.

Sheesh. Creative Zens suck enough already but now they come with bundled viruses.

Creative are clueless. Utterly clueless.

Marketing spin: It is a feature, not a bug

[jurt1235]

Serious, it adds to the experience, it lets the user know the device inside out, it sharpens the learning curve. Our users love this feature! Our sales will increase, we will beat the not so flexible multimedia devices out there with this feature.

Signed: Zen marketing representative

LOL!!!

[http101]

Finally, Creative products ship with software that actually works!

They could have spun this much better

[bullitB]

Come on, Creative, where was marketing on this?

"Yeah, our players have virii, but they're removable...like our batteries!"

"Sure you'll get your computer hopelessly infected with a virus, but as you're reinstalling Windows, you'll be able to listen to FM radio!"

"Don't worry, our Stik-On MP3 player stickers are totally virus-proof."

Motherboards catching fire

[cps42]

You may not have had Dell 1650s installed a while back, but there was a recall in 2003 because a voltage regulator on the MB overheated and could catch fire: http://news.zdnet.com/2100-9584_22-5145372.html?ta g=zdfd.newsfeed

Re:Motherboards catching fire

[qazsedcft]

So they recalled it because they (the hardware manufacturer) could be held accountable. That's exactly the point.

Re:IPOD

[Red+Flayer]

Yes, of course, one sample battery life speaks for all iPod batteries.

One of the problems was that iPods had demonstrably shorter runtime than advertised.

Another problem was variability in the runtime.

I'm going to fix your last sentence for you:

"Anyone complaining about my iPod's battery life is misinformed."

Your game, Sir.

[Khyber]

The game you mention was most likely Viewtiful Joe 2 demo disc, which, when inserted into your PS2, wiped your memory cards by accident.

I don't remember any game that deliberately shipped with a bonus virus unless it was obtained illegally.

Ever Been to a Nuke plant?

[Perl-Pusher]

At no point should safety be driven by software.

It's all software driven albeit embedded software.

Homophones? Must mean Apple's new phone

http://hardware.slashdot.org/hardware/05/08/30/129 232.shtml?tid=180&tid=3

As a former CEO of IBM once said....

[Hasai]

As Lou Gerstner once said, "There are things that go on in the IT field that would earn you jail time anywhere else."

>.

Very impressed with the full disclosure.

If you read the statement provided by Creative, you'll see that the serial numbers of the affected units are listed, and that Creative apologizes deeply for the problem. (yeah, it's babelfish translated, but you get the point)

This is an ASIA-ONLY problem.

Please get your facts straight before wanking all over the place about this. It happens, and since the virus is on the player in a place where it is extremely unlikely to be executed by a customer, this is not a big deal at all, and I'm sure it's a big wake-up call for Creative's Asian QA department, if they had anything to do with it.

Re:effect: noun while affect: verb

[Wabin]

well, not quite...

Affect as a noun: He speaks with an affect.

Effect as a verb: We plan to effect a change in policy.

Both are correct. Note that the second sentence could be also written with "affect," but this would have a totally different meaning. In the "effect" case, it means we are going to cause the change to occur. In the "affect" case the change is presumably going to happen whether we have anything to do with it or not, but we plan to influence it.

Critical to Life

[ShadowBot]

I once saw a BSOD on one of my banks cash machines. I don't know about you but I definitely consider my bank account a Life Critical application!!!

Re:effect: noun while affect: verb

[lothiel]

Not always:

I'm not sure how to effect a change in people to get them to understand the effect of using 'affect' or 'effect' incorrectly.

plash

[rbrewer123]

Check out plash, the principle of least authority shell, for a nice version of the chrooting you describe: http://www.cs.jhu.edu/~seaborn/plash/plash.html

Good analogy... great timing...

[krakelohm]

GM spends a hell of a lot of time and energy making sure their brakes work

Good analogy... great timing...DETROIT (Reuters) - General Motors Corp. is recalling 804,000 full-size pickup trucks and sport utility vehicles because of potential brake problems, federal safety regulators said Tuesday.

http://www.cnn.com/2005/AUTOS/08/30/bc.autos.gm. recall.reut/index.html

Hi, I'm Steve...

[feloneous+cat]

Haven't you noticed yet that on the Intarweb you can use any vowel in place of any other ?

No. I have double-copyrighted "iFfect", "oFfect", "uFfect" and just for good measure, sometimes "yFfect".

The rest of you can now continue to confuse effect with affect.

Your pal Steve

Windows' privilege system..

[YesIAmAScript]

Is vastly superior to Linux's system. It has a lot more fine-grained system of doling out privileges.

And Linux doesn't force you to use their permissions system. You can log in as root and run your daemons as root all day long if you'd like.

Neither of these statements means that Windows is more secure Linux. But I think that your statement that Linux is inherently more secure due to design principles is a pretty long stretch.

you can't tell the factory uses Windows...

[YesIAmAScript]

Not from this at least.

The content these devices was likely duplicated bit-for-bit from a master image. That master image had a virus, and was likely made on a machine running Windows.

But it could easily be that the factory uses Linux, and that the machine which duplicated the image onto these affected devices runs Linux.

I think it is...

[dantheman82]

a marketing decision - simply call the Neeons "Creative Zen Glow Worms." Hopefully, they can package a lot of different worms before they ship.

Lotus

[HermanAB]

I think the honour for being the first company to ship a free virus with their flagship product belongs to Lotus, who shipped Lotus123 on infected floppies.

Shrink Wrap License

[jcnnghm]

I have a real problem with the return policy on some software. Some years ago, I bought some software at CompUSA, got it home, and it just flat out did not work, didn't do what I wanted it to, and flat out sucked.

I took it back to the store and tried to return it, but because I had installed it, they didn't want to take it back. After calling my credit card company and finding out what to do, they started to play ball. I didn't want to return it for a refund, I just wanted a different product that worked.

The manager finally decided to install the software on a computer in the store and show me that it worked. He did, and the software showed him how bad it really was. After close to two hours I finally got to leave the store with another piece of software. That policy is rediculous, but it very well may have changed since then.

Actually happened to a former employer of mine.

[Nick+Driver]

I once worked for a software developer in the Dallas, TX area who had a mainframe development side, and a PC development side. I worked on the mainframe side of the house, and thus didn't have to concern myself with the PC stuff, which was relatively new at the time. One of the PC developers shipped a software update to one of our customers, a big law firm, who also had a large Novell PC network in their offices. The PC software was infected with a virus, because the PC programmer was habitually visiting BBS's to download pr0n and games while at work. This was in the days before even dialup Internet was widespread available. Well, the virus spread all over the law firm's network, and they simply hired an outside network security contractor to come in and clean everything up. They handed a $30,000 bill to my employer for the contractor's fees, plus another bill for $100,000 in lost work due to unavailability of their network. My employer at first refused to pay either, but after consulting with their own attorneys (at an additional expense of probably a couple $K) paid both bills since they were told there was about a 75% chance that they'd lose and the court would award triple damages. The programmer who'd fault this was, was fired... not for the virus, but because they (allegedly) caught him sleeping at his desk in the middle of the afternoon.

C++ Book

[Sanat]

Back in 1996 or 1997 I bought a book on C++ (for windows) and the CD that accompanied the book had a virus accidently recorded on it. As soon as the CD was installed in the drive then Norton would pop out a message about the virus.

Sort of embarrassing for the author of the book, I imagine.

Never did get a replacement CD. I guess it is sort of like finding a roach in a salad... makes one not want a replacement salad.

More games with virii

[iamlucky13]

I'm almost positive that my copy of Command and Conquer: Renegade came with a virus on it. I forget which one, but it was a memory hog and it was a pain in the butt to remove, especially since the Symantec article was woefully inaccurate. The game would always run slowly after playing for 20-30 minutes and I thought it had a memory leak, until I googled the process using all my RAM. Perhaps I genuinely messed up and something crawled off the school network to infect me while I was screwing around with permissions for a friend, but after clearing it off, I got reinfected twice more, and I had no more problems after I beat the game.

Human Translation of the Press Release

[ickoonite]

Re: Problem with Creative Zen Neeon Digital Audio Player
Notice to Customers and Advice on Dealing With The Problem

Creative has confirmed that there is a possibility that W32.Wullik.B@mm, a low-risk destructive worm virus, has infected the Creative Zen Neeon digital music players which were shipped from manufacture from the latter part of July onwards, some of which are still being prepared for shipping [?].

The issue concerns a specific factory line which was producing new units, and the Creative Zen Neeons which may have been infected by the worm (which were shipped from manufacture from the latter part of July and some of which are still awaiting shipment) number less than 1% of those shipped - of the roughly 3,700 units from this line that were shipped to Japan, less than 5% are affected.

It has already been confirmed that this issue affects no other Creative products.

The company offers its sincerest apologies for any inconvenience this will cause to its customers.

According to an internal company investigation, the cause has been identified as being in one of the various offline systems which form part of the final packing stage of the manufacturing process. The company can confirm that the problem has been rectified - it will have no effect on new units being manufactured at the factory in question.

Furthermore, in order to minimise the effect on customers and the market [for these devices], the company has currently halted shipping of all Zen Neeon units, and is working with its partners to arrange the return of units which may be affected.

Customers who have purchased Creative Zen Neeons with a corresponding line number and who have concerns about the safety of using their unit are requested to consult this special support page for more information.

Any mistakes/corrections, would be glad to hear!

iqu :)

IT'S 5% OF 3,700, NOT 3,700 UNITS!

[ickoonite]

Actually, less than 5%.

Don't rely on Babelfish for decent translation - see here for the full thing!

iqu :P

Bollocks - missed a line...

[ickoonite]

Instead of...

According to an internal company investigation, the cause has been identified as being in one of the various offline systems which form part of the final packing stage of the manufacturing process. The company can confirm that the problem has been rectified - it will have no effect on new units being manufactured at the factory in question.

...try...

According to an internal company investigation, the cause has been identified as being in one of the various offline systems which form part of the final packing stage of the manufacturing process.

As of this press release, the affected system has been withdrawn and the problem rectified. The company can confirm that it will have no effect on new units being manufactured at the factory in question.

Sorry about that.

iqu :)

It's all very clear now...

[Nom+du+Keyboard]

Revenge of the RIAA!

We apologize...

[Gary+W.+Longsine]

"But really, this is not professional and someone ought to get the sack. "

We apologize for the fault in the bablefish link to a Japanese press release. Those responsible have been sacked.

We apologize...

[Gary+W.+Longsine]

"OK. I retract. It was a babelfish link - so why didn't they write the press release in english? ;)."

We apologize again for the fault in the bablefish link to a Japanese press release. Those responsible for sacking the people who have just been sacked have been sacked..

Re:virus or worm?

[Gary+W.+Longsine]

W32.Wullik.B@mm is a "mass mailer", which means it uses email to send copies of itself. Technically it's not a worm, but the AntiVirus industry calls them "email worms" or sometimes simply "worms".

The confusion is partly due to the hybridization of malware in the last few years. The same bit of malware might exploit buffer overflow vulnerabilities over a network remotely and without user participation, like a worm, make copies of itself to removable media or other files on a hard drive or network drive, like a virus, or send copies of itself via email. The latter technique didn't get a cute name like worm or virus, and the lack of a cute name dedicated to this technique has helped foster the confusion.

Mass Mailers are typically the agents responsible for causing email outages in large organizations where the mail servers are Exchange and the clients are Outlook (and related). The mass mailer viruses cause particular grief in those environments because they are often equipped with the ability to harvest email addresses from the Outlook address book, so a handful of contaminated PCs can pretty quickly bog down the mail server by sending copies of the virus to everyone in the company over and over.

For the moment, organizations using other email systems tend not to get hit as hard. However, there really isn't any reason that these viruses couldn't learn how to read other address book formats and wreack havoc in other places, too, so someday they probably will.

Homonphone? Not really.

[Inoshiro]

Unless there's some really radical pronunciation changes between US and Canadian english, I think you'll find that affect is pronounced "AH-fect" and effect pronounced "EEEE-fect". Not really the same at all. Kinda like your and you're don't sound the same; your ends on an R sound, while you're is the sound of you + re (you + rrh, an extra h over your).

My ears can distinguish these; it makes it very interesting to hear how some people who are proficient actors still don't know the difference between you're and your.

How to get rid of the worms

[quintessent]

1. Put it in the microwave for 5 minutes.
2. Use a hot pad to carefully remove your now dewormed player.

Creative Zen Koan

[Orrin+Bloquy]

What is the sound of one hand slapping a forehead?

Re:Corporate (l)user-ship

[freaker_TuC]

some people seem not to be reading the message and rather seeing the sarcasm literally. Guess this one will be a troll too ...