Slashdot Mirror


Malware Distribution Through Physical Media a Growing Concern

twitter brings us a story about the increasing number of digital devices reaching consumers with malware already installed. In this case, digital photo frames from three different Sam's Club stores were found to contain the same type of malicious code. We discussed a similar problem with iPods a while back, as well as a more recent situation with Maxtor hard drives. Quoting the Register: "While a compromise at the manufacturer is the most likely scenario, ISC's Sachs also pointed to retailers as a possible point of infection. Returned products, which could have been infected by the consumer, are frequently put back on the shelf, if they are in sale-able condition, and attackers could take advantage of a store's poor digital hygiene, he said. 'Trying to (infect a product) all the way back at the factory — getting it through all the checks and balances — would be pretty hard to do,' he said. 'But doing it at the store, where there might be loose return policies, and (where) they put it back on the shelf - you are not going to get a million infections, but you might get a person from an investment bank next door.'"

141 comments

  1. 1990 called... by Wonko the Sane · · Score: 2, Informative

    and it wants its headline back.

    (yes I know this is a different story than back then, but it's the same headline)

  2. Pretty bad when photo frames spread computer virus by Secrity · · Score: 2, Insightful

    I bet that most people would have NO idea that this could possibly happen.

  3. It's only a problem if you use Windows. by Anonymous Coward · · Score: 5, Insightful

    These days, it's really only a problem if you use Windows. Those of us using Linux, *BSD, Solaris, Mac OS X, and other non-Windows operating systems have little to worry about.

    Now, someday this may start to affect other, non-Windows operating systems. But in many ways I don't think it will be as much of an issue, because many of the alternative OSes have a far more sensible security model than that of Windows. So what easily causes problems with Windows has little to no effect on Solaris, Linux or OpenBSD.

    1. Re:It's only a problem if you use Windows. by Anonymous Coward · · Score: 0, Funny

      I can't find the "Mac's don't have viruses because no one writes them for macs" "wow, you can't even get people to write viruses for your OS." "yeah, i cry myself to sleep a lot." cartoon.

    2. Re:It's only a problem if you use Windows. by Anonymous Coward · · Score: 3, Funny

      I know what you mean. Writing a Virus for Windows is extremely complicated given its closed source proprietary nature. Windows users are very diligent on protecting their systems with scanners and always purchase software from a trusting source. It's rare you hear of a Windows infection. Those Linux users need to get with the program if they ever want to gain the desktop.

    3. Re:It's only a problem if you use Windows. by Torvaun · · Score: 3, Funny

      I can't find the "Mac's don't have viruses because no one writes them for macs" "wow, you can't even get people to write viruses for your OS." "yeah, i cry myself to sleep a lot." cartoon.

      You mean this one?
      --
      I see your informative link, and raise you a pithy comment.
    4. Re:It's only a problem if you use Windows. by Anonymous Coward · · Score: 5, Interesting

      The Morris Worm of twenty years ago did cause problems in the UNIX world. However, unlike Microsoft, the UNIX developers and vendors quickly fixed their software. And thus we haven't seen a single worm for UNIX systems since then, although UNIX and UNIX-like systems are the most widely used server OSes, and hence typically networked. Now contrast this to the numerous Windows-only worms that have caused billions of dollars of damages for individuals, businesses and governments around the world, and only in the past decade!

      I'm not sure why you've been marked as a "troll", because what you said is completely accurate. Windows systems are more susceptible to malicious software. I'm not sure how that could be disputed. Now, things have gotten vastly better than they were when Windows 95, Windows 98 and Windows ME were developed. But even Windows XP has been widely affected by worms and malware, and Windows Vista is usually little better.

      Although I'm an accountant by trade, I've worked at several companies with mixed Windows and UNIX networks. And at all of them we've had significant downtime due to Windows worms and viruses wreaking havoc on our internal networks. But I've never once, at any of those companies, heard of any downtime of the UNIX systems because of such a security threat.

    5. Re:It's only a problem if you use Windows. by Anonymous Coward · · Score: 2, Informative

      "It's rare you hear of a Windows infection. Those Linux users need to get with the program if they ever want to gain the desktop." - by Anonymous Coward on Sunday January 13, @11:25AM (#22025570)

      True, if they did this stuff, here:

      HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA + make it "fun" to do:

      http://www.security-forums.com/viewtopic.php?t=50567&sid=c8b24a76a3974ec9bef2bed38c4b64d4 :)

      * Windows CAN be secured very well, with a bit of effort, for years of security, even online, for years into the distance if you try what's in that URL above!

      It works - & for a small investment of your time, only, & the work done by YOU, only!

      (Simply by using the CIS Tool as your guide & advisor (it's been reviewed as legit & good @ what it does by places like COMPUTERWORLD for instance, & that gets cited on this site quite often)).

      APK

      P.S.=> A little common sense goes a long way too, but... either you have that? OR, you don't, I suppose, but... I can say it has kept this system setup on Windows Server 2003 SP#2 fully hotfix patched currently, up & running bug-free + bulletproof, online, since 2003. It just works, keeping you safe & secure online, by following a few simple rules really, PLUS, yet making you surf, FASTER, by far as well as a side effect bonus... apk

    6. Re:It's only a problem if you use Windows. by Anonymous Coward · · Score: 2, Informative

      I wouldn't be at all surprised if your Windows 2003 Server installation was compromised years ago. You just don't realize that it's compromised because Windows so limits the ability of developers to develop the security utilities equivalent to those that come standard with UNIX systems.

    7. Re:It's only a problem if you use Windows. by complete loony · · Score: 1

      "... numerous Windows-only worms". Yes and no. Most of them are trojans, hardly any of them are based on fully automated remote exploits.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    8. Re:It's only a problem if you use Windows. by Anonymous Coward · · Score: 0

      Are you suffering from Dementia? There have been MANY Unix/Linux worms and attacks...even more when you count things like Apache/PHP issues.

      Are you on the Apple payroll? It's well known that Apple is responsible for much of the PC Virus problem. In fact, they were caught red-handed distributing Windows malware on iPods. Jobs blamed it on "the Chinese."

    9. Re:It's only a problem if you use Windows. by TheRaven64 · · Score: 3, Interesting

      A decade or so ago, 'UNIX security' was considered an oxymoron. If you wanted security, you ran a real OS like VMS or OS/360. UNIX had a very coarse-grained security model and the code had never been subjected to a proper audit. It's interesting how times change.

      --
      I am TheRaven on Soylent News
    10. Re:It's only a problem if you use Windows. by Monsuco · · Score: 1

      Those of us using Linux, *BSD, Solaris, Mac OS X, and other non-Windows operating systems have little to worry about.
      So in other words, only a little more than 90% of consumers should worry. Somehow I don't see manufacturers making that argument successfully.
    11. Re:It's only a problem if you use Windows. by Anonymous Coward · · Score: 0

      "I wouldn't be at all surprised if your Windows 2003 Server installation was compromised years ago." - by Anonymous Coward on Sunday January 13, @02:10PM (#22027048)

      Nope, not once!

      -----

      "You just don't realize that it's compromised." - by Anonymous Coward on Sunday January 13, @02:10PM (#22027048)

      What? Hey - There are DEFINITE ways of telling that, believe you me.

      The behaviors alone of say, a system that's TRULY compromised (say remotely, via a botnet)?

      I see everyday on the job (I often have to remove virus/trojans/spywares each day on the job & can tell pretty fast what's what here).

      That is what gave me the means to write that guide, in part in fact.

      Myself being a developer for more than 15 yrs. professionally, & being a network tech/admin in that same timeframe as well (that's how you gain understanding really, enough to be able to handle anything on Windows pretty much) gave me the experience to know what a user has to do to be safe online, & those principles don't extend to Windows only - to ANY OS out there they do (I just applied them to Windows for that URL's guide is all).

      LOGS would be another way... & I use MULTIPLE layers of those, that go above the "norm" (1 courtesy of Microsoft in PortReporter, for example).

      -----

      "You just don't realize that it's compromised because Windows so limits the ability of developers to develop the security utilities equivalent to those that come standard with UNIX systems." - by Anonymous Coward on Sunday January 13, @02:10PM (#22027048)

      That's funny... I have been developing on Windows since Win16 & Win32 was just better in MOST ways!

      See... When & IF I need a special tool bad enough? Usually, I just build one.

      There's really not much you CAN'T do, computing-wise, if anything, with Win32 API (especially vs. UNIX & its lot - the very fact that there is more software for various purposes on Windows shows that easily enough).

      APK

    12. Re:It's only a problem if you use Windows. by gzipped_tar · · Score: 3, Funny

      Malware being shipped with hardware is hardly news. It is the common practice of computer vendors who ship their hardware with Windows pre-installed.

      --
      Colorless green Cthulhu waits dreaming furiously.
    13. Re:It's only a problem if you use Windows. by CAR912 · · Score: 1

      I misread that as "Malware being shipped, with hardware", as though they are now handing out malware with free hardware on which to run it.

      --
      - Move "Sig". For great justice!
    14. Re:It's only a problem if you use Windows. by ajs318 · · Score: 1

      Coarse-grained security that people actually bother to use is better than fine-grained security that is turned off because it annoys people.

      Most people don't need powerful and flexible ACLs. They just need "Ordinary users can't modify this" and "This is not meant to be executable".

      --
      Je fume. Tu fumes. Nous fûmes!
    15. Re:It's only a problem if you use Windows. by JulieHo · · Score: 1

      You are indeed correct. If I cant recall on an article I have recently looked at. 1:11 Microsoft windows hosts on the internet are missing one or more critical security patches. Please also note, linux and other os's are not in the clear. All you have to do is subscribe to secunia's notifications.

    16. Re:It's only a problem if you use Windows. by Anonymous Coward · · Score: 0

      Must be nice not having your shit stink you fucking elitist!

    17. Re:It's only a problem if you use Windows. by catprog · · Score: 1

      even more when you count things like Apache/PHP issues.

      So do you count Office, Outlook and IE problems against Windows?

      --
      My Transformation Website
      Kindle Books http://www.catprog.org/rev
      Interactive CYOA http://www.catprog.org/st
  4. I disagree ... by ScrewMaster · · Score: 5, Interesting

    Trying to (infect a product) all the way back at the factory - getting it through all the checks and balances

    Apparently this guy has never worked in a production firmware environment before: there are fewer checks and balances than you might think, especially because embedded-system guys generally don't have much awareness of Windows malware issues. Unfortunately, more and more embedded devices are being plugged into desktop machines, and with auto-run enabled ... well. This whole scenario is hardly surprising.

    --
    The higher the technology, the sharper that two-edged sword.
    1. Re:I disagree ... by NeverVotedBush · · Score: 1

      I would bet a lot of systems that come preconfigured from some small-time vendor have a good chance of being infected too. I'm speaking of point of sale systems, computers attached to instrumentation, etc.

    2. Re:I disagree ... by Zeinfeld · · Score: 2, Interesting
      Apparently this guy has never worked in a production firmware environment before: there are fewer checks and balances than you might think, especially because embedded-system guys generally don't have much awareness of Windows malware issues. Unfortunately, more and more embedded devices are being plugged into desktop machines, and with auto-run enabled ... well. This whole scenario is hardly surprising.

      There is a responsibility problem here. Do we blame the hardware manufacturers for producing faulty products or the users for leaving autorun turned on or the O/S providers for implementing such a brain-damaged feature?

      Internet crime is not really Internet crime at all. Phishing is exploiting weaknesses in the financial infrastructure, not the Internet at all. If credit card payment systems security depends on the secrecy of the card number printed on the front it is going to fail.

      One way to deal with this problem would be to make sure every device has a clearly marked reset button that performs a hard-reset and returns the system to its initial state. Most equipment has this but some does not.

      A better way is to turn off autorun, only run a program if the code is signed by a trusted root. [Ob Disclosure, yes I work for VeriSign] A trusted root need not mean a public trusted root. It is possible to establish a mechanism for signing open source code, just make sure the user has control over the choice of roots.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    3. Re:I disagree ... by tlhIngan · · Score: 1

      One way to deal with this problem would be to make sure every device has a clearly marked reset button that performs a hard-reset and returns the system to its initial state. Most equipment has this but some does not.


      But you don't know how contract manufacturers work. Everyone farms out production to them.

      The pace is extremely hectic - if you find a way to speed up testing per unit by 5 minutes, you can save a ton of money.

      What happens at the contract manufacturer is a bunch of boards are made, then the "assembly" part comes into play, where each station is given a board and the rest of the manufacturing takes place. You can specify how many stations are in use simultaneously (usually dictated by how much specialized hardware you have that they need (JTAG, router ports, etc.)). Each station is equipped with a PC, lab power supplies, multimeters and oscilloscope. They can test voltages, or use the PC for various tasks via USB or serial.

      These PCs are rarely, if ever, connected to the internet - they take a screenshot and save it to a disk and then get back to their manager and email you with the problem. Of course, disk, PC, etc. are in an unknown state. If you insist on a clean PC, you basically end up paying for a few hours per station while they're all clean reinstalled. Yes, it's added to your bill - you rent the stations and labor.

      If the guy before you had infected software, the PCs you have may very well be infected. If your device, next in line to be made, uses USB Mass Storage, it's very likely that your disk will get infected. Since it's all about throughput, downtime costs someone money. And if your device has a USB port, you want to test that. Either supply your own PCs, or USB test hardware, or use the PC and risk infecting a run of products.

      Since each station is in an unknown state, it can very well be just one station is infected, and you end up with a production run where 5% of your product is infected, and the rest are clean (like the iPods were), making it hard to diagnose.
  5. Stupid idea by CastrTroy · · Score: 5, Interesting

    I've always said that autoexecuting stuff on any media inserted was the stupidest feature ever created. It's just asking for viruses to be installed. Actually strike that. It's the second stupidest thing. The stupidest thing is Windows being configured by default to restart for updates after the user doesn't respond for some very short amount of time.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Stupid idea by jo42 · · Score: 5, Informative

      This is part of a reg file I run on every Windows machine I set up:

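      Windows Registry Editor Version 5.00

      ; Turn off media-change notification on the CD-ROM driver
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDROM]
      "AutoRun"=dword:00000000

      ; NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun for all of them
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoDriveTypeAutoRun"=dword:000000FF

      ; Same policy, machine-wide
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoDriveTypeAutoRun"=dword:000000ff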


      Takes care of the autorun idiocy.
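
Added example, not part of the thread or of jo42's file: a Python check that parses .reg text like the fragment above and reports, per hive, whether `NoDriveTypeAutoRun` still leaves AutoRun enabled for removable or CD-ROM drives. The bit meanings follow Microsoft's documentation of the value; the function names and the second sample (a 0x91 mask) are constructed for illustration.

```python
import re

# NoDriveTypeAutoRun bit meanings (per Microsoft's documentation of the value):
# a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no-root-dir",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}

POLICY_SUFFIX = r"\software\microsoft\windows\currentversion\policies\explorer"
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<hex>[0-9A-Fa-f]{1,8})$')

# Copy of the fragment posted in the comment above, embedded for this example.
PAGE_FRAGMENT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDROM]
"AutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

# Constructed comparison: a mask that leaves removable and CD-ROM bits clear.
WEAK_SAMPLE = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""


def parse_reg_dwords(text):
    """Return {(key_path_lower, value_name_lower): int} for each dword value."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or .reg comment
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()  # registry paths are case-insensitive
            continue
        m = DWORD_RE.match(line)
        if m and key:
            values[(key, m.group("name").lower())] = int(m.group("hex"), 16)
    return values


def autorun_enabled_types(mask):
    """Drive types whose bit is clear, i.e. AutoRun is still allowed."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit)


def audit_autorun(text, must_block=("removable", "cdrom")):
    """Map each hive that sets the policy to the must_block types it leaves enabled."""
    findings = {}
    for (key, name), value in parse_reg_dwords(text).items():
        if name == "nodrivetypeautorun" and key.endswith(POLICY_SUFFIX):
            hive = key.split("\\", 1)[0].upper()
            still_on = autorun_enabled_types(value)
            findings[hive] = [t for t in must_block if t in still_on]
    return findings


if __name__ == "__main__":
    for label, sample in (("page fragment", PAGE_FRAGMENT), ("weak sample", WEAK_SAMPLE)):
        for hive, gaps in audit_autorun(sample).items():
            status = "OK" if not gaps else "AutoRun still on for: " + ", ".join(gaps)
            print(f"{label}: {hive}: {status}")
```

An empty list for a hive means the mask covers both drive types; a hive missing from the result means the export did not set the policy there at all.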

    2. Re:Stupid idea by ScrewMaster · · Score: 1

      I have a similar file myself ... centralized all the best hacks.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:Stupid idea by garett_spencley · · Score: 3, Insightful

      While I agree that auto-executing anything is very bad practice, most average users would go ahead and run the program anyway without giving any consideration to its safety (or just assuming that it's safe because it wouldn't make sense for the manufacturer to harm their customers' computers ... never thinking about a man-in-the-middle type of scenario).

    4. Re:Stupid idea by cheater512 · · Score: 1

      Of course but at least then it would be the dumbass's fault instead of the anonymous dumbass at Microsoft.

    5. Re:Stupid idea by CastrTroy · · Score: 1

      I guess that is one advantage of having a single registry for all system settings. You can easily change tons of settings easily with just a single script file. Changing a bunch of settings in Linux would require a much more complicated script, or a lot more file editing. Still I think that having all the settings in a single file is not a great idea, but it has its advantages.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    6. Re:Stupid idea by Peaceful_Patriot · · Score: 2, Funny

      The stupidest thing is Windows being configured by default to restart for updates after the user doesn't respond for some very short amount of time...

      grrrr...this one bit me at work again last week. I was in the middle of a big project and had probably half a dozen windows open. I cannot imagine why MS thought this was a good idea. Can I turn it off?

      --
      There is nothing so powerful as an idea whose time has come.
    7. Re:Stupid idea by bhtooefr · · Score: 1

      I simply tell it to download updates, but not install them. It creates a yellow alert in Windows Security Center, IIRC, but not one that brings up anything in the taskbar. And, it won't automatically reboot unless you install the updates - which you can tell it to do when shutting down, or do before you were going to restart anyway.

    8. Re:Stupid idea by davester666 · · Score: 1

      But this is for stuff you wouldn't normally get software to install from, such as a picture frame or an iPod. People would have to go out of their way to find and execute the executable, instead of it just running automatically.

      Of course, more and more of these devices [such as CD-R's per earlier slashdot story], Flash USB drives, etc. are coming with bits of software as a "value-add" thing...

      --
      Sleep your way to a whiter smile...date a dentist!
    9. Re:Stupid idea by Anonymous Coward · · Score: 0

      Check that, the top stupidest thing is hiding file extensions.

      It's all about making it easier for the stupid people.

    10. Re:Stupid idea by dotancohen · · Score: 1

      This happened to me last year in the middle of a lecture. The professor's computer reset itself. Worse part is, that nobody in the room thought it was abnormal. I made a comment about it being absurd, and the response was "what, you don't keep your system updated". I mentioned something about Fedora not automatically resetting itself in the middle of _my_ work, but all I got back were grunts.

      --
      It is dangerous to be right when the government is wrong.
    11. Re:Stupid idea by mstahl · · Score: 3, Insightful

      This is just what I've always been talking about with Windows. Why does it take this level of deep knowledge of the operating system to secure against the most idiotic of exploits? Ask an engineer of any other operating system about autorunning executable code from just any media that's inserted and they'll look at you like you've been taking crazy pills.

      This is along the same lines as many other questions I have about Windows, like why can image files execute code? Why is it possible for ActiveX scripts to change system registry values and download software to your hard drive? Why is everything not named the same between versions? Why does everyone still use it?

      Le sigh....

    12. Re:Stupid idea by TheRaven64 · · Score: 3, Informative

      Ask an engineer of any other operating system about autorunning executable code from just any media that's inserted and they'll look at you like you've been taking crazy pills.

      The feature was introduced back in 1995. At this time, there were two kinds of removable drives in the average computer; floppy drives and CD-ROM drives. CDs could only be commercially pressed cheaply in large batches and so could be considered trusted. Floppy disks could be written by anyone, and so were not. This made sense until CD writers became cheap, at which point it became an easy virus transmission vector. Enabling it for read-write media was just brain-dead.

      By the way, like so many other Windows features, this one was copied from Apple. HFS CDs could have some flags set designating them as autostart CDs and a named file would be run when they were inserted. This 'feature' was used to spread a few Mac viruses in the '90s and was never added to OS X.

      --
      I am TheRaven on Soylent News
    13. Re:Stupid idea by Anonymous Coward · · Score: 0

      grrrr...this one bit me at work again last week. I was in the middle of a big project and had probably half a dozen windows open. I cannot imagine why MS thought this was a good idea. Can I turn it off?
      Yep. If you're using XP Professional, run the Group Policy Editor (gpedit.msc).
      Once in, use the left-hand pane to navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update.
      I then change several of the options shown in the right-hand pane:
      "Do not display 'Install Updates and Shut Down..." - I set this to "Enabled"; I'll install updates when I choose to, thanks, not be bounced into doing so when I shut down the system without paying attention.
      "Do not adjust default option..." - again, as for the one above, set this to Enabled, for the same reason.
      "No Auto-restart for scheduled Automatic Updates installations" - this is the big one, and setting it to ENABLED will solve your particular problem.
      "Re-prompt for restart with scheduled installations" - if you don't restart after doing an update, Windows will nag you incessantly every 10 minutes or so. If you're busily typing at the time, it's all too easy to inadvertently hit the "yes, please restart now and screw up my work" button when the nag window steals focus. Set this parameter to the highest value possible (1440) and it'll only nag you every 24 hours.. much more tolerable.

    14. Re:Stupid idea by mstahl · · Score: 1

      ...was never added to OS X

      There you have it.

    15. Re:Stupid idea by Blkdeath · · Score: 1

      Yep. If you're using XP Professional, run the Group Policy Editor (gpedit.msc).
      Once in, use the left-hand pane to navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update.

      Something hit me today whilst looking up things involving WiFi networking under Windows and learning that under Vista to disable automatic connection to AdHoc networks you have to open a command prompt and type;

      netsh wlan add filter permission=denyall networktype=adhoc

      I thought Linux was the OS that had complex commands and Windows was all GUI point and shoot style? So now under Windows XP to change basic, every day functionality you have to find and utilize some obscure policy editing applet? How does one even run "gpedit.msc"?

      (I know, type start -> run -> gpedit.msc, I was being facetious.)

      "Re-prompt for restart with scheduled installations" - if you don't restart after doing an update, Windows will nag you incessantly every 10 minutes or so. If you're busily typing at the time, it's all too easy to inadvertently hit the "yes, please restart now and screw up my work" button when the nag window steals focus.

      Major hassle, and indicative of a major fundamental interface flaw. Why should a context box ever be allowed to steal focus unless my computer is about to do something extremely harmful? When doing so, why is ANY option highlighted so that my next keystroke could cause damage?

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    16. Re:Stupid idea by Anonymous Coward · · Score: 0

      Hiding file extensions is sometimes useful when you're renaming large batches of programs (organising your music collection, etc) and you often forget to put the extension back on. Ideally, turning file extensions on and off would be much easier to do, because you often need them interchangeably.

    17. Re:Stupid idea by greed · · Score: 1

      In 1995, there were removable cartridge hard disks available quite economically, such as the SyQuest EZ-135. There were removable cartridge flexible high-speed disks from ioMega, like the early Zip drives or the Bernoulli Boxes from the 80s. There were cartridge tape drives, but they never worked well on PCs. There were SCSI enclosures with hot-plug removable disk carriers so you could yank the entire disk assembly (like IBM PortaFiles). There were the 128 MB "floptical" magneto-optical disks. There were optical WORM disks.

      Maybe the average PC user didn't use these, but they were sure out there, and they were almost all available for the Mac, and all of them _could_ be used under DOS with a SCSI card.

      All that aside, the single biggest virus infection vector on Macs and Amigas was via infected floppies. So by 1995, it was well-known that automatically running software from a newly-inserted disk was a BAD IDEA.

      Developing a specific solution ("floppies and CDs") to a generic problem ("removable random-access mass storage media") is also a bad idea. There's a reason SCSI calls things that work like HDDs "direct-access storage devices"; it's because they don't know if everything that works _like_ a magnetic hard disk _is_ a magnetic hard disk... and they don't care. Your operating system shouldn't, either (though some sort of a "restricted overwrite" attribute would sort things like flash ROM drives nicely).

      It's the difference between designing for what we had yesterday vs. designing for what we may have tomorrow.

    18. Re:Stupid idea by Anonymous Coward · · Score: 0

      Gee! I sure am glad I'm a Linux user. I don't know if I could handle all this command line editing of obscurely named files.

    19. Re:Stupid idea by Anonymous Coward · · Score: 0

      Agree, and that's my main rant against the otherwise wonderful Ubuntu. It autoruns dvds and cds by default. So far I'm not aware of this being used to get into the system, and yes as far as I can tell it doesn't directly execute any code, but seriously it's only a matter of time before some smart prick at a major label finds a hole in this system and drives a truck through it. Especially given how buggy the dvd playing software on Ubuntu is (still).

      Automount I have no problem with, but autoplay? It was a bad idea back when the stoned virus was killing MBRs way back when, it was a bad idea in 1995 when windows was irritating the hell out of me by autoplaying cds I was trying to access data on, and it's still a bad idea today.

  6. Re:Pretty bad when photo frames spread computer vi by Anne Thwacks · · Score: 1

    "Digital Photo Frames" is a polite term for "Pornograph". The whole point of these devices is to view the pr0n on your USB key - why else would you want one?

    --
    Sent from my ASR33 using ASCII
  7. Malware Economics 101: It's a quantity game by G4from128k · · Score: 4, Insightful

    I'd seriously doubt that malware distributors would focus on returned products as a vector for infection. The value of a pwned PC is simply too low to justify the labor of buying a product, infecting it, and returning it in hopes that it will infect another machine.

    Rather, I suspect infection at or near the source -- slipping malware into the firmware or shipped software that goes with the device. At that point in the software delivery chain, a single act of infection can be distributed to tens or hundreds of thousands of machines. I could also imagine targeting highly promiscuous machines (e.g. WiFi routers) that have a high chance of being in contact with other promiscuous machines (i.e. other routers or laptops).

    Although I'm sure some people get their grins by infecting one machine at time, the malware industry is more about collecting the largest quantity of machines at the lowest possible cost.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Malware Economics 101: It's a quantity game by garett_spencley · · Score: 4, Insightful

      I agree with you, but never think that there aren't assholes out there who get kicks off of sticking it to random strangers. Money can greatly escalate a problem and its scope, but sometimes people are just jerks and gladly act as such for free.

      If the world was asshole-free then people would never get their cars keyed, tires slashed or houses egged unprovoked.

    2. Re:Malware Economics 101: It's a quantity game by smurgy · · Score: 1

      If the world was asshole-free then people would never get their cars keyed, tires slashed or houses egged unprovoked.

      No, we'd just go back to the Victorian times and define such crimes as not standing up when a lady enters a room as being an asshole.

      Thank goodness for the freedoms of a permissive society! Now people really have to be vicious to deliver social harm to each other.
    3. Re:Malware Economics 101: It's a quantity game by Anonymous Coward · · Score: 0

      Why not do it this way? If you want a piece of malware out just for the sake of causing trouble...you can do this and return it. Even if they did trace it back to the hardware, if the person who returned the item paid cash odds are it'd be next to impossible to trace it back to them.

  8. Returned media? by ccguy · · Score: 1

    It's really amazing that people can get infected by a returned item... do they still ship drivers in floppy disks? Everything is in read-only media these days, except for media itself (i.e. a "new" hard disk). So people buy a drive, it has a file and run it?

    As usual, it's a matter of user education.

    1. Re:Returned media? by nurb432 · · Score: 1

      And you can't fake a CDROM driver disk, right?

      --
      ---- Booth was a patriot ----
    2. Re:Returned media? by ScrewMaster · · Score: 1

      They buy a USB-enabled device of some kind (flash drive, electronic picture frame, MP3 player, cell phone, you name it) and plug it in. If their Windows box has auto-run enabled (and all do by default) then any malware on the device just got executed. Remember, many such products simply map in as a disk drive: any malware on the computer can recognize that and infect it, so the next time it gets plugged in it can infect another computer. Typical viral spread, the only difference being that now it's high-tech electronics being used as the vector, not simple media.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:Returned media? by Damocles+the+Elder · · Score: 1

      Not quite. I'll admit I got burned through this, through turning off auto-run-on-plugin but not turning off auto-run-on-double-click. The culprit was a Sansa e200 mp3 player.

      I'm pretty paranoid about viruses and malware, and I've never so much as had an infection until this drive. And my computer was moderately more secure than most-- it didn't run the autorun feature the instant I plugged it in. Unless you consider trying to convince all Windows users to modify their registry keys to disable autorun on all drives, I would say this is less user education and more on the heads of either Microsoft to turn off this "feature" by default or the companies that produce and sell these drives to test them before shipping them and test them when people return them.

      As for myself, I've taken up the habit of scrubbing any USB drives, MP3 players, and hard drives of any type out of the box now.

    4. Re:Returned media? by Technician · · Score: 1

      Typical viral spread, the only difference being that now it's high-tech electronics being used as the vector, not simple media.

      What is missing from most flash based devices is what floppies had.. A write protect.

      --
      The truth shall set you free!
    5. Re:Returned media? by ScrewMaster · · Score: 1

      A few do (I had a thumbdrive once that did) but yeah, it'd be a good idea.

      --
      The higher the technology, the sharper that two-edged sword.
  9. Sony? Sears? by dotancohen · · Score: 4, Insightful

    The cases mentioned were just the accidents. What about deliberate malware installations, such as those done by Sony and Sears?

    --
    It is dangerous to be right when the government is wrong.
    1. Re:Sony? Sears? by Anonymous Coward · · Score: 0

      Good thing Blu-Ray is going to win the HD format war!

  10. Learned About this a Long Time Ago by NeverVotedBush · · Score: 5, Interesting

    I bought a new 80386 (maybe a 486 - I forget) motherboard a long time ago and it had a 5 1/4 floppy disk included with the board drivers software. It was also infected with the Michelangelo virus. I never knew it until I saw a message on the FIDOnet BBS from some idiot in Bulgaria talking about how his virus was coming and it was going to kill everyone's computers.

    I downloaded a free copy of McAfee and it found the virus on my computer as well as every floppy that I had inserted since then that wasn't write protected. McAfee's software offered to clean it but all it did was wipe out the MBR making it where I had to reformat and reinstall everything.

    I told a friend at school who had just bought a similar motherboard. He broke the seal on his driver disk, scanned it, and found the virus there too. It was coming from the factory infected.

    That was a lesson I will never forget and it happened almost 20 years ago.

    1. Re:Learned About this a Long Time Ago by ScrewMaster · · Score: 1

      I'll give you a similar example. A big computer store not too far from where I live (I don't know if they're still in business, like you this happened about twenty years ago) sold hundreds of thousands of blank diskettes that came pre-infected from the factory with a boot-sector virus. Apparently, a lot of these were bulk corporate sales, so it hit a lot of machines. This was brilliant if it was deliberate: I mean, who would think to virus-scan a blank disk?

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:Learned About this a Long Time Ago by maxwell+demon · · Score: 1

      Quite some time ago I heard about a virus which came with an AV program. I don't remember the details, though.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:Learned About this a Long Time Ago by sjames · · Score: 2, Interesting

      It's amazing what went out on floppies back then. Out of curiosity, I would scan through "free" sectors on floppies and often I would find internal documents, source code, QA results, unrelated software, etc.

    4. Re:Learned About this a Long Time Ago by blackdew · · Score: 0

      If it was a boot sector virus... Who would think to BOOT from a blank disk?

      And as long as you didn't boot from it, making it bootable would surely destroy the virus, wouldn't it?

    5. Re:Learned About this a Long Time Ago by DavidTC · · Score: 1

      Boot sector viruses did not spread because people attempted to boot from floppies.

      Boot sector viruses spread for a single reason: Computers by default tried to boot from the floppy first. People would leave floppies in the drive, and get infected.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    6. Re:Learned About this a Long Time Ago by NeverVotedBush · · Score: 1

      That is just the thing - most people wouldn't think to boot from a blank disk.

      However, a whole lot of people would reset their computers and forget there was a floppy in the drive. In the time it took them to realize what they had done, the boot sector virus would load and then infect the hard drive boot sector.

      It was extremely common.

    7. Re:Learned About this a Long Time Ago by jmauro · · Score: 2, Funny

      I've always taken that more as a joke since most AV programs make the computer act as if they had a virus, so really what's the difference.

    8. Re:Learned About this a Long Time Ago by spikedvodka · · Score: 1

      I always knew there was a good reason I bought my blank floppies unformatted. I mean it was at least a dollar or so cheaper for the dozen disks... I mean really, how long does it take to `format a:`?

      --
      I will not give in to the terrorists. I will not become fearful.
    9. Re:Learned About this a Long Time Ago by spikedvodka · · Score: 1

      not so long ago.

      Symantec Corporate edition version 10.1 had a hole in it... that allowed a virus to spread, using SAV as its vector

      Called Symantec, the fix: Update to 10.1.5, and scan. We took the switches down while we fixed it

      --
      I will not give in to the terrorists. I will not become fearful.
  11. Back in the, good ol' days... by MrKaos · · Score: 1
    this'd happen on floppy drives, 'fore any new fangled web browser or memory stick, when a real virus fit in a boot sector. Why we din'ner 'ave no serial bus unless it had a bored rate and even then it had'der have 25 pin's 'fore it were useful...

    --
    My ism, it's full of beliefs.
  12. Special software included. Yay. by cliffiecee · · Score: 4, Insightful

    "Trying to (infect a product) all the way back at the factory - getting it through all the checks and balances -- would be pretty hard to do"

    No, it isn't anymore. Somebody in marketing had the bright (read: revenue-producing) idea of loading up a new storage device (which should be blank, damnit) with a bunch of advertising crap. Combine this with Windows' oh-so-helpful autolaunch features. Frankly I'm surprised it took this long to become a problem.

    I long for the days when you could buy an UNFORMATTED device. The OS would tell you it's unformatted, so you formatted it. Done.

    1. Re:Special software included. Yay. by Lumpy · · Score: 1

      It shouldn't be blank. it should be unformatted.

      the only SAFE way is to force the user to format the disk on the first use.

      --
      Do not look at laser with remaining good eye.
    2. Re:Special software included. Yay. by lucas+teh+geek · · Score: 1

      I long for the days when you could buy an UNFORMATTED device. The OS would tell you it's unformatted, so you formatted it. Done.

      wtf? where on earth are you buying your drives? I've bought 3 hard disks in the past 12 months and they were all either unformatted, or NTFS formatted but blank.
      --
      TIAEAE!
    3. Re:Special software included. Yay. by sgtrock · · Score: 1

      Bought a USB key lately? It's getting tough to find one without that marketing crap on it.

    4. Re:Special software included. Yay. by lucas+teh+geek · · Score: 1

      I can't say I have, but you've cleared things up a bit for me.

      --
      TIAEAE!
  13. the pervasiveness of malware contributes by Grampaw+Willie · · Score: 2, Insightful

    The pervasiveness of the malware problem contributes to this

    Our shop had one shrink wrapped package that had malware included and when this was tracked down the vendor didn't know they had become infected and were distributing shrink-wrapped malware

    this underscores the importance of putting a stop to malware

    the fundamental error is at the concept level: it is wrong to think it is OK to run your programs on someone else's computer without their knowledge or permission

    to invert this properly back to the other end of the pole it is wrong to think that a computer should run anything and everything that anyone sends to it which is what is going on with the promiscuous Ms Window

    and so this is a concept that has to change

    programming changes have to be properly documented, authenticated and approved before they are applied. and this should apply to everything from cell phones to computers

    ya think ya wanna argue with this? don't bother: the security mess we got on our hands say all that needs to be said. the concept of promiscuous remote updates has caused nothing but trouble. It's a concept that is a disaster and that has to be corrected, PDQ

    NO SIGNATURE? NO EXECUTE.
    1. Re:the pervasiveness of malware contributes by cheater512 · · Score: 1

      Your logic fits well with the bozos at Microsoft as well.
      Remember that it's their 'feature' which is causing this problem, not the user and the malware authors are only taking advantage of it.

    2. Re:the pervasiveness of malware contributes by Grampaw+Willie · · Score: 1

      what you say is exactly correct

      thanks to services like /. hopefully we will be able to bring this into plain view

      once the problem is in plain view corrective action will be forthcoming and I don't think it will take long at all

      how about IBM provide us with a RACF version for the promiscuous Ms. Windows?

    3. Re:the pervasiveness of malware contributes by mstahl · · Score: 1

      Do you want the job of authenticating and signing all "safe" apps? No? Well neither does anyone else. Look at what's happened with driver software for Windows. There's just too much of it for all of it to be approved by any central authority.

    4. Re:the pervasiveness of malware contributes by ajs318 · · Score: 1

      I call bullshit.

      Driver software for Linux is approved by one central authority, and Linux actually supports more devices Out Of The Box than Windows. Reason being, there were many older devices for which new Windows drivers were never written; so they won't work with fully-patched-up Windows 2000, Windows XP or Vista.

      --
      Je fume. Tu fumes. Nous fûmes!
  14. AOL by TrdrJoe · · Score: 1

    has been distributing malware over physical media for years, in the form of floppy disks and CDs that install the AOL "service" on your computer... and through our own postal service, no less!

  15. Re:Pretty bad when photo frames spread computer vi by Anonymous Coward · · Score: 0

    My Pet's first year birthday?

  16. Re:Pretty bad when photo frames spread computer vi by Secrity · · Score: 3, Informative

    Nice try; according to TFA, Digital Photo Frames are small flat-panel displays for displaying digital images. TFA didn't specify, but it was implied that they were sold by mainstream retailers.

  17. I got one of these! by NitroWolf · · Score: 4, Informative

    I bought a digital photo frame from Microcenter that was infected. I can't recall what the specific trojan was, but it was fairly benign in so far as it just replicated itself. As I recall it was a fairly old trojan and not very sophisticated... but none the less, it was on the brand new frame that was still sealed in the original factory stuff.

    I told Microcenter about it and they were like "Huh." Didn't ask anything more, nor did they remove the frames or check them. I was somewhat pressed for time, so I didn't try going up the chain of management to get someone to acknowledge that there was a problem.

    It's a good thing I found it though, since it was a gift for my technologically illiterate parents. I had taken it out of the package to load pictures up on it. If I had just given it to them directly, I'm not sure what would have happened. AVG caught it when it was plugged in via USB, so probably nothing drastic, except a phone call from my Dad asking me what the pop-up box meant.

  18. Old news... by Bob+Hearn · · Score: 2, Funny

    Digital devices reaching consumers with malware already installed?

    Computers have been shipping with Microsoft products preinstalled for some time, I believe.

    1. Re:Old news... by Soft+Cosmic+Rusk · · Score: 2, Funny

      Old, but still kinda funny:

      Is windows a virus?

      No, Windows is not a virus. Here's what viruses do:

              * They replicate quickly - okay, Windows does that.

              * Viruses use up valuable system resources, slowing down the system as they do so - okay, Windows does that.

              * Viruses will, from time to time, trash your hard disk - okay, Windows does that too.

              * Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too.

              * Viruses will occasionally make the user suspect their system is too slow (see 2) and the user will buy new hardware. Yup, that's with Windows, too.

      Until now it seems Windows is a virus but there are fundamental differences: Viruses are well supported by their authors, are running on most systems, their program code is fast, compact and efficient and they tend to become more sophisticated as they mature.

      So Windows is not a virus.

      It's a bug.

  19. I, for one by DNS-and-BIND · · Score: 4, Interesting

    I work in manufacturing in China, and I would not be surprised in the least to find a worker who accepted a shockingly small bribe to place malware directly into factory produced firmware. Not saying that's what happened, but I sure wouldn't be surprised if it did. I also would not be surprised to discover that a worker's Windows PC transferred its infection to the master used for production.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:I, for one by Anonymous Coward · · Score: 0

      Doubt it was deliberate sabotage.
      Someone in development/test/production used a tool on a computer that was infected.

      It filtered down into the production units.

    2. Re:I, for one by fluffy99 · · Score: 1

      Given how aggressively the Chinese are spying on the US govt and commercial industry, it wouldn't surprise me to see malicious code on computers and devices shipping from China. It wouldn't be common stuff that the a/v vendors have signatures for either. I'd guess this was suspected by the govt at some point because there was a brief ban on buying systems from Lenovo. First thing I do with any new computer is to nuke and reinstall from a known good source. At the very least this dumps all the adware/spyware that come preinstalled.

  20. I plead guilty... sort of by dbc · · Score: 4, Insightful

    Once upon a time I managed a software product testing team. Part of our standard flow for all release candidate CD's was to get fresh signatures and virus scan as both step one and also with refreshed signatures as the last step (2 or 3 weeks later) of declaring a release candidate ready for release. We *still* shipped a CD with malware once, a virus that was too new to show up in the signature files from the scanning software company. Luckily, it was a beta that went to less than 100 customers, and it was a relatively benign Word macro virus. Still, I had to explain to a Vice President how we did virus scanning for releases.

    As a result of this, we started using virus scanners from three different manufacturers. As a software vendor, the risk of shipping a nasty virus to your best customers is very real, no matter how hard you try to prevent it.

    1. Re:I plead guilty... sort of by veranikon · · Score: 1

      There is the common practice of scanning a filesystem (whether on CD or not) for virus signatures via whatever anti-virus app suits your fancy, but this is an inherently reactionary approach. You can only scan for the virii you're aware of. Why not compute MD5 checksums or something similar over the CD image? Seems like that would be much simpler and more elegant than routinely checking your images against an ever expanding (and always incomplete) list of virii fingerprints. MD5 checksums for linux distros are commonplace, and simple. In addition, there is less CPU time required to verify a single MD5 checksum per image than to verify that image against millions of signatures.

    2. Re:I plead guilty... sort of by dbc · · Score: 1

      You're missing the point. Where does the good signature come from? This is a release candidate CD -- a CD full of freshly revised software and documentation from 100+ developers in 5 sites on 3 continents, all building their deliverables on workstations in some degree of maintenance. Any one of them can source a virus onto their deliverable. You can only make a checksum once you have a known good master. My job was to declare a candidate master "known good".

    3. Re:I plead guilty... sort of by greed · · Score: 1

      Anyone else remember when Microsoft had an article that said they prevent viruses from getting onto the Windows master CDs by using Young Minds CD mastering software on a UNIX workstation?

      Can't find a trace of that now....

    4. Re:I plead guilty... sort of by Reziac · · Score: 1

      I think the average person overestimates the amount of control a manufacturing process has, unless it's entirely vertical. Buy one chip from some 3rd-party fab, or use a single binary (such as a driver) from outside your trusted, clean-room environment, and you've got a potential attack vector.

      The wonder shouldn't be that it happens, but that it happens so *seldom* -- a testament to folks like yourself.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  21. That "idiot" in Bulgaria was probably no idiot... by i)ave · · Score: 4, Informative

    Sofia, Bulgaria was the home of the Dark Avenger, one of the most notorious virus authors in history. He was quite active during the 80386/80486 time period. Some interesting reading about what is known of him can be found in these links: http://en.wikipedia.org/wiki/Dark_Avenger http://www.research.ibm.com/antivirus/SciPapers/Gordon/Avenger.html http://www.wired.com/wired/archive/5.11/heartof.html http://findarticles.com/p/articles/mi_m1511/is_n2_v14/ai_13381563/pg_9

    --
    -- I'd give my right arm to be ambidextrous
  22. I have one by Webs+101 · · Score: 1

    It's branded as an eMotion device (model DF-EM7), but it looks identical to the ADS product.

    My question - because here at /., I'm not all that relatively geeky - is how would this spread? It accepts photos direct from the computer via a USB 2.0 cable or via memory card. Assuming I'm not stupid enough to plug the thing directly into my computer, am I safe? Will the trojan infect the memory card for subsequent infection of my hard drive (of my Windows machines, not my Mac, right?)?

    Also, is there a way for me to use my Mac to explore the contents of the frame to look for the malware? What would it look like if I can? Is there any way to detect whether or not I have an infected frame?

    --

    "Even for Slashdot, that was a very obscure reference!" - Anonymous Coward
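
Added example (not part of any comment in this thread): a read-only check of a mounted frame, player or thumb drive for the `autorun.inf` entries that ScrewMaster and Damocles the Elder describe earlier in the thread, separating commands run on insertion from those bound to a double-click on the drive. The sample file, the file names and the function names are constructed for illustration, and treating `open` as the double-click verb when no `shell=` default is declared is an assumption of this sketch.

```python
import os
import tempfile
# [autorun] keys that AutoRun executes when the volume is mounted.
INSERT_KEYS = {"open", "shellexecute"}
# Constructed sample, not taken from any real device.
SAMPLE_INF = """\
[AutoRun]
open=setup.exe /quiet
icon=frame.ico
shell=browse
shell\\browse\\command=RECYCLER\\viewer.exe
shell\\print\\command=tools\\print.exe
"""


def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def classify(entries):
    """List (trigger, key, command) for each entry that starts a program."""
    default_verb = entries.get("shell", "").lower()
    findings = []
    for key, value in entries.items():
        if key in INSERT_KEYS:
            findings.append(("on-insert", key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key.split("\\")[1]
            # Assumption: "open" is the double-click verb when shell= is absent.
            hijack = verb in (default_verb, "open")
            findings.append(("on-double-click" if hijack else "on-menu-choice", key, value))
    return sorted(findings)


def command_target(command):
    """First token of the command line: the file it would start."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""


def find_ci(root, relpath):
    """Resolve relpath under root ignoring case, as FAT does; None if absent."""
    current = root
    for part in relpath.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        try:
            names = [] if part == ".." else os.listdir(current)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def scan_volume(root):
    """Report autorun entries on a mounted volume without running anything."""
    inf = find_ci(root, "autorun.inf")
    if inf is None or not os.path.isfile(inf):
        return []
    with open(inf, "r", encoding="latin-1") as handle:
        entries = parse_autorun(handle.read())
    report = []
    for trigger, key, command in classify(entries):
        name = command_target(command)
        found = bool(name) and find_ci(root, name) is not None
        report.append({"trigger": trigger, "key": key, "command": command,
                       "target_on_volume": found})
    return report


def demo():
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "recycler"))
        files = {"AUTORUN.INF": SAMPLE_INF.encode(), "setup.exe": b"placeholder",
                 os.path.join("recycler", "viewer.exe"): b"placeholder"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        return scan_volume(root)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because it only reads files, it can be pointed at the device's mount point from a Mac or Linux machine; it says nothing about code held in the device's firmware.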

    1. Re:I have one by LWATCDR · · Score: 1

      That will not help if it is in the BIOS. If I was a government and was set to plant spyware on a system I would do it in the BIOS and not on anything that the user could scan or format.
      Let's face it. The VAST majority of FOSS systems have a lot of closed source firmware on them.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  23. Autorun is evil by kybred · · Score: 4, Insightful

    A better way is to turn off autorun,

    I almost got some malware from autorun off a thumb drive, fortunately the anti-virus recognized it and stopped it from running. When that happened, I looked for a surefire way to turn off autorun (and autoplay) but all I found was a bunch of registry edits that may or may not (according to different accounts) turn off autorun/autoplay. Why is there no global option in a Windows control panel for that?

    1. Re:Autorun is evil by hairyfeet · · Score: 1

      Here is one for 9X and here is one for xp. Might work in 2K, but I haven't tried as I turned mine off with a reg hack years ago. Both are freeware and in the case of the WinXP one, doesn't need installation. Simply unzip and use. That is one of the quirks with Windows. Unlike Linux, all the useful tools have to be hunted down and common sense tools like an autorun control that you would think would be built into the OS aren't, and instead they give you junk like Moviemaker.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:Autorun is evil by Anonymous Coward · · Score: 1, Insightful

      hold shift when you connect/insert media and auto-run won't go

    3. Re:Autorun is evil by Anonymous Coward · · Score: 0

      It gets even more complicated than that. Most of those registry edit instructions *only* affect the CD-ROM drive. Which means you're still wide open to infections from USB devices. Typically if you have a problem with eata from USB devices (other than external optical drives) you'll find a counterpart registry key with a disk drive label. I won't guarantee your security with just anything, but this does affect thumb drives and external HDDs for me. I don't know where you'd find the exact key for it for autorun, but probably the same folder as the CD ROM instructions you find online. (And yes, the n 'change the value of Autorun from 1 to 0' is usually valid.)

      Do not, in normal circumstances, use the AutoRunAlwaysDisable key. This disables Autorun by breaking your drive's ability to examine what's on the CD, which means music (redbook format) and movies won't work right.

      I suppose you could just do a search for *all* Autorun registry keys, though the registry search feature is buggy and unreliable, so you may well miss some of the registry keys.

      PS, don't be afraid of regedit, just document what you do so that you can undo it if something goes wrong down the road, and create a restore point for same. Also, instead of deleting rogue registry values, put a ';' in front of it to comment it out. This lets you know what you did, and makes it easy to undo. If the system BSODs or whatever after your changes, the 'Boot to last known good configuration' option in the F8/Advanced Startup menu will pull the last registry backup (usually one is made every time you successfully start the computer).

      Yes it's all a bit scary for the average user, but dammit this is Slashdot.

    4. Re:Autorun is evil by Repton · · Score: 3, Informative

      The closest thing I know of to an official way of disabling autorun is to install Microsoft's powertoy TweakUI. As you might guess from the name, it gives you a GUI to tweak various aspects of the Windows user interface, including letting you turn off autorun. I've never had a problem with it.

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
    5. Re:Autorun is evil by fluffy99 · · Score: 1

      Can I have some of what you're smoking? Linux is infamous for forcing the user to chase down some esoteric option in a text config file. Of course, Windows is really confusing - it's called hold down shift when you insert the USB key (something they stole from Mac, btw).

    6. Re:Autorun is evil by ArmedGeek · · Score: 1

      Chevrolets have four tires. (something they stole from Ford)

      --
      Work is punishment for failing to procrastinate effectively.
    7. Re:Autorun is evil by Nirvelli · · Score: 1

      I agree, I turned off all of my autoruns with TweakUI, and nothing has ever auto-ran since. Plus, the program has plenty of other awesome options that really should have been shipped with Windows.

    8. Re:Autorun is evil by hairyfeet · · Score: 1
      Maybe you are using the wrong Linux? I've been using Xandros Business Pro for over three years and have NEVER had to edit a .conf file. In fact the only time I even go command line is when I feel like using Apt instead of Xandros Network. Now as for the shift trick, why should I have to hold down the shift key EVERY time I stick in a cd? Simple tools that would fix the common sense things like killing autorun are never included, while they still keep giving us crap like notepad and paint.

      I think the problem with Microsoft is that they try to shoehorn everyone into a single OS and try to make it everything to everyone (and fail) instead of building on the good thing that they had when they had both Win2K Pro and XP on the market. They should have kept Win2K and simply put out a Win2K6 for those that don't want the bloat and put out a XP with more eye candy for the gamers. Instead we got Vista which is designed to be everything for everyone and is a bloated piggy.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Autorun is evil by oreaq · · Score: 1

      Improving security by running some programs from some guy on the internet is probably not a very good idea.

    10. Re:Autorun is evil by ajs318 · · Score: 1

      Linux is infamous for forcing the user to chase down some esoteric option in a text config file.

      It's not esoteric or obscure. If you have a program, for example wibbulator, you most often can expect its configuration to be stored in /etc/wibbulator -- which, depending on the sophistication involved, may be a simple file or a folder containing several files. What's more, if you want to turn off blah messages, the option is generally a line something like enableblahnotify 1 in the configuration file (or in a file in the configuration folder) which can be changed with a text editor. Most programmers also support the use of comments in configuration files, so you may even see something like
      # change this to 1 if these notifications annoy you
      suppressblahnotify = 0

      in the file. Or you can have a .wibbulatorrc file in your home folder, which is built with the same syntax and contains per-user options which override the system-wide settings.

      The Windows registry is totally non-obvious.
      --
      Je fume. Tu fumes. Nous fûmes!
  24. 21st Century CyberColdWar, who supplies the MBs? by shoor · · Score: 1

    Something like this came up before: http://hardware.slashdot.org/article.pl?sid=07/11/11/2246246

    Motherboards are mostly made in various Asian countries now, aren't they? How paranoid is it to imagine the Chinese deciding to infect motherboards with spyware?

    Lest you think I've got my tinfoil hat on, check out some thoughts of Ken Thompson (which I found in the discussion from the "Trojan Found In New HDs" link I provided, at least I think that's where I got it from.) http://cm.bell-labs.com/who/ken/trust.html

    --
    In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
  25. Re:Pretty bad when photo frames spread computer vi by pcsourcepoint · · Score: 1

    It's like a saying I have heard - buyer beware; Now even more so, for purchased media products. It would pay for the buyer to scan for virus and malware that may be present

  26. All ipods contain malware by Anonymous Coward · · Score: 0

    All ipods install Quicktime on your computer, and quicktime is DEFINITELY malware. Apple should be ashamed.

    1. Re:All ipods contain malware by Technician · · Score: 1

      All ipods install Quicktime on your computer, and quicktime is DEFINITELY malware. Apple should be ashamed.

      I haven't had that problem lately. I noticed that iTunes seems to try to install Quicktime, but since I've moved to Ubuntu, that problem has gone away. GTKPod with the proper lib works wonders on an iPod in place of iTunes/Quicktime on Windows.

      --
      The truth shall set you free!
  27. iPods? by tristian_was_here · · Score: 1

    We discussed a similar problem with iPods a while back

    It seems like iPods must come with iTunes
  28. 2 solutions and a boot counter by davidwr · · Score: 1

    1) Right before the equipment is put in the box it should have its memory reset to factory condition AND have the firmware compared to what it should be.

    This will offer some protection against factory sabotage.

    2) Any time a unit is returned it should be reset to factory condition.

    This will take care of shoppers who buy, infect, and return merchandise.

    The device should have a "firmware freshness" indicator that says this is the 1st, 2nd, or 3rd or more boot since a factory reset. When you buy the product it should be at the 1st or, if the store checked after resetting, 2nd boot. If it's more than that when you unbox it you should reset it before using or take it back for an exchange or refund.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  29. Neither solution works. by Ungrounded+Lightning · · Score: 2, Informative

    1) Right before the equipment is put in the box it should have its memory reset to factory condition AND have the firmware compared to what it should be.

    This will offer some protection against factory sabotage.


    No it won't - if the "factory sabotage" consisted of (deliberately or accidentally) having malware as part of "what [the firmware] should be".

    2) Any time a unit is returned it should be reset to factory condition.

    This will take care of shoppers who buy, infect, and return merchandise.


    And how is a retailer supposed to do this? Do you know of ANY product that comes with a (true) "reflash to factory status" utility that doesn't depend on what's in the device itself - let alone a cross-industry standard for this? (And you can't trust the media returned with the device, either. If it's writable it also needs "resetting" - and if it's read-only it needs replacing with a fresh copy.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Neither solution works. by davidwr · · Score: 1

      No it won't - if

      I said it would offer some protection, not complete protection. This will close off some but not all opportunities for in-house sabotage.

      And how is a retailer supposed to do this? Do you know of ANY product that comes with a (true) "reflash to factory status" utility that doesn't depend on what's in the device itself - let alone a cross-industry standard for this? (And you can't trust the media returned with the device, either. If it's writable it also needs "resetting" - and if it's read-only it needs replacing with a fresh copy.)

      It may not exist but this is easy enough to implement in hardware:
      Divide the boot sequence into 3 steps:
      Step 1, from ROM: Check to see if reset pin is pressed.
      Step 2a, if reset pin is pressed: Erase volatile firmware and copy contents of read-only firmware backup to run-time firmware. Blink status lights to indicate reset-in-progress/reset-complete/reset-failed codes. Halt.
      Step 2b, if reset pin is not pressed: Continue booting using volatile firmware.

      Oh, as for not trusting the writable media you are correct. As far as not trusting read-only media, someone would have to go to a lot of trouble to replace a silk-screened factory-pressed disk with a counterfeit that had a virus. I'm not saying it couldn't happen, only the risk is usually negligible.
      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
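The three-step boot sequence in the reply above, combined with the "firmware freshness" counter and pre-boxing firmware comparison from comment 28, as an added example that is not code from any commenter or product. All names (`rom_boot`, `is_fresh`, `GOLDEN`) and the toy 16-byte image are assumptions, and the reset restores whatever the backup holds, so it does not answer the objection about malware already present in the factory image.

```c
#include <stdio.h>
#include <string.h>

#define FW_SIZE 16                        /* toy image size (constructed) */
enum boot_result { BOOT_NORMAL, RESET_COMPLETE, RESET_FAILED };

/* Constructed stand-in for the read-only factory backup image. */
static const unsigned char GOLDEN[FW_SIZE] = "FACTORY-FW-v1.0";

struct device {
    const unsigned char *rom_backup;      /* read-only backup, never written */
    unsigned char runtime_fw[FW_SIZE];    /* rewritable run-time firmware */
    unsigned boots_since_reset;           /* freshness counter, ROM-owned (assumption) */
    int flash_write_ok;                   /* simulated flash health */
};

/* Step 1 runs from ROM, so code in rewritable flash cannot skip it. */
enum boot_result rom_boot(struct device *d, int reset_pin_pressed)
{
    if (reset_pin_pressed) {
        /* Step 2a: erase, copy the backup, verify the copy, then halt. */
        memset(d->runtime_fw, 0xFF, FW_SIZE);
        if (d->flash_write_ok)
            memcpy(d->runtime_fw, d->rom_backup, FW_SIZE);
        if (memcmp(d->runtime_fw, d->rom_backup, FW_SIZE) != 0)
            return RESET_FAILED;          /* LEDs: reset-failed code */
        d->boots_since_reset = 0;
        return RESET_COMPLETE;            /* LEDs: reset-complete code */
    }
    /* Step 2b: boot the run-time firmware and count the boot. */
    if (d->boots_since_reset < 3)
        d->boots_since_reset++;           /* saturates at "3rd or more" */
    return BOOT_NORMAL;
}

/* Unboxing check: 1st boot, or 2nd if the store verified after resetting. */
int is_fresh(const struct device *d) { return d->boots_since_reset <= 2; }

/* Pre-boxing check: run-time firmware compared with what it should be. */
int firmware_matches_backup(const struct device *d)
{
    return memcmp(d->runtime_fw, d->rom_backup, FW_SIZE) == 0;
}

int main(void)
{
    struct device d = { GOLDEN, {0}, 0, 1 };
    printf("reset=%d fresh=%d\n", rom_boot(&d, 1), is_fresh(&d));
    return 0;
}
```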
  30. Re:Pretty bad when photo frames spread computer vi by Anonymous Coward · · Score: 0

    YUP! They're sold by Wal-Mart, Target, Meijer, Circuit City, Best Buy, etc.

    Incidentally, Target sends ALL of their electronic devices back to the factory, just in case. CD players, iPods, USB drives, PS2 controllers. Everything.

  31. Yup, I had a digital frame with a virus too by Anonymous Coward · · Score: 0

    Bought a Westinghouse 8" frame from a local retailer, Canada Computers.

    When I got it home I plugged it in in order to "preload" it with photos as a gift for somebody ... as soon as I plugged it in, NAV went nuts reporting two different trojans installed on two different .EXE files.

    I contacted both Canada Computers and Westinghouse about it, but both seemed more concerned with fingerpointing and denial than actually addressing the fact I'd just bought a frame from them with fucking viruses preinstalled.

  32. Windows ME by Ngarrang · · Score: 1

    And if we needed evidence of early forms of physical media malware spread, we need not look any further than Windows ME. Surely it qualifies as malware!

    --
    Bearded Dragon
  33. Registries and stupid ideas by tjwhaynes · · Score: 3, Interesting

    I guess that is one advantage of having a single registry for all system settings. You can easily change tons of settings easily with just a single script file.

    Erm - a single script file can easily update thousands of different configuration files on any platform. And for all the world-famous Windows user-friendliness, I'll take editing some bizarre Linux scripts where key=value over trying to remember hexadecimal codes for Internet Explorer registry entries :-)

    Let's not overlook the dangers of having a single, unrebuildable registry for all the system settings... What happens when it gets hosed? I seem to remember that Windows 95 used to keep two copies of the registry around and could rebuild it if you deleted it. Windows XP seems to have lost that ability - I have no idea if Vista has recovered it.

    Cheers,
    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
    1. Re:Registries and stupid ideas by CastrTroy · · Score: 1

      Like I said, I prefer the Linux way of doing things, most specifically for the reasons you mentioned. However, there are some advantages to having all the settings in your system in the exact same format, and all able to be edited by the same API, or with a small set of commands.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Registries and stupid ideas by fluffy99 · · Score: 2, Interesting

      If you have thousands of machines, it's likely you have Active Directory by now. Simply set the autorun, as well as the tons of other security settings, in a group policy and be done with it.

    3. Re:Registries and stupid ideas by Anonymous Coward · · Score: 0

      Windows XP seems to have lost that ability

      It absolutely has not: http://support.microsoft.com/kb/307545
      Vista is the same.

      captcha: sighed... I sure did.
  34. Re:blank vs. unformatted by Anonymous Coward · · Score: 0

    There was a time when blank meant unformatted. A preformatted disk isn't blank - it contains formatting information (and a partition table if it is a hard drive). And a boot sector. Companies started providing preformatted disks because of the brain dead way MS operating systems format disks.

    Verifying media...
    Partition Whole Drive? (Y/N) Y
    Verifying media...
    Format Drive? (Y/N) Y
    Verifying media...

  35. Re:Ken Thompson's trojan by Anonymous Coward · · Score: 0

    The best part is - he actually tried it. And it got out. Someone else at the lab (who didn't know) distributed his hacked binary to some UNIX customers.

  36. Pwnd by Anonymous Coward · · Score: 0

    And somebody modded you Insightful? Or did you mod yourself? Hmmm...

  37. Photo CDs too by Anonymous Coward · · Score: 0

    I've seen some pharmacy and Kodak branded photo CDs do some nasty stuff to registries relating to CD/DVD burners. That counts as malware, doesn't it? If anyone knows of a fix, it'd be appreciated.

  38. Feh by eno2001 · · Score: 1

    If you use Linux, it means nothing to you (unless you run WINE or a Windows virtual machine). I always wipe the HDs I use. And I only buy media devices that I know will work with Linux.

    --
    Linux on the desktop has been a reality for me since 1997

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  39. Not too hard to believe. by Anonymous Coward · · Score: 0

    Returned a mouse back in sept/oct to a store and went back there for the first time about a week ago. Said mouse was sitting back on the shelf with the other opened one which was there at the time I purchased mine. Not hard to believe that hd's and other infectable devices would return to the marketplace.

  40. WOW; 13 screens of registry hacks and other tweaks by knorthern+knight · · Score: 1

    > HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA + make it "fun" to do:

    > http://www.security-forums.com/viewtopic.php?t=50567&sid=c8b24a76a3974ec9bef2bed38c4b64d4 [security-forums.com] :)

    > * Windows CAN be secured very well, with a bit of effort, for years of security, even online,
    > for years into the distance if you try what's in that URL above!

    There are linux distros with shorter install documentation than that. Wouldn't it be better to use an operating system that did *NOT*, by default, autoexecute autorun files on every Sony CD and every USB key and every external USB drive and every USB digital picture frame immediately upon connection???

    And while we're at it, why is it that...
    - in linux, I set up USB mass storage drivers *ONCE* in the kernel, and all USB keys and external drives just work, whereas
    - in Windows, every USB key from every different manufacturer requires me to download and install a driver from the internet in order to access the USB key???

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  41. Re:WOW; 13 screens of registry hacks and other twe by Anonymous Coward · · Score: 0

    That's just your experience. In mine, it's not always true.

    I once bought a USB card reader. Worked with Windows, but only when you install some drivers. Later I tried to use it with my Debian installation -- no such luck. So I bought another card reader of which it was known it could support Linux, and guess what, no drivers needed for either Linux or Windows.

  42. Re:Pwnd - AGREED 110% by Anonymous Coward · · Score: 0

    Yea, I was wondering myself... I thought he was just "trying to be funny" but, somehow? I think the guy actually MEANT what he said here above... someone's been misinforming him, & badly, imo @ least!

    APK

  43. Re:WOW; 13 screens of registry hacks and other twe by Anonymous Coward · · Score: 0

    "There are linux distros with shorter install documentation than that" - by knorthern knight (513660) on Monday January 14, @01:42AM (#22031884)

    AND, if you look on that page? I posted LINUX scores (albeit, running under VMWare, which some folks say makes you LESS secure (BSD man Theo DeRaadt iirc in fact, pretty respectable in this field despite his having a temper, & even Bruce Schneier said "justified anger has its place" mind you, in regard to Mr. D's temper which many felt was "righteous indignation" rather than tantrums)...

    The scores are by default, around the 46.xxx mark (same as Windows XP really, almost to the decimal point)...

    ----

    "Wouldn't it be better to use an operating system that did *NOT*, by default, autoexecute autorun files on every Sony CD and every USB key and every external USB drive and every USB digital picture frame immediately upon connection???" - ----

    "And while we're at it, why is it that...
    - in linux, I set up USB mass storage drivers *ONCE* in the kernel, and all USB keys and external drives just work, whereas
    - in Windows, every USB key from every different manufacturer requires me to download and install a driver from the internet in order to access the USB key???"
    - That's odd, I don't see that here @ home on Windows Server 2003 SP 2 (my home rig) & XP SP #2 (my work rig) & with several diff. ones tried in BOTH over time in fact!

    (Same with the ones my colleagues use, & I have plugged theirs into my XP work rig too & they are DIFF. than my own (one of those TITANIUM jobbies is what my colleagues like vs. mine (PNY & some other type from some other generic OEM))

    So, my turn:

    Why does Linux have so much less software (for various purposes) than Windows does, & support less peripherals for purpose than Windows does?

    I'll tell you why, in a nutshell - MONEY TALK$!

    Sure - The infamous "they" say, "talk's cheap", but... not when money does the talking.

    Money gets highly skilled developers working, under the "harsh taskmaster's whip", of mgt. in a software publishing house, & that of VENTURE CAPITALISTS investing in said projects...

    Thus, since Windows IS THE MOST USED? It gets the MOST development & support for the MOST peripherals, simply because of the economic incentive for developers to build on it & for companies to invest in, because the market surface area is larger than any other platform out there.

    (FOSS is nice, don't get me wrong - but, I'd wager Win32/64 IS where the monetary reward is, & THAT, feeds your family!)

    APK

    P.S.=> USB peripheral support is NOT a "strong area" for LINUX!

    (& certainly NOT by comparison to the support for it which Windows gets for drivers & specifically for the USB peripherals out there today))

    Proof of that statement (somewhat, we can debate specifics if you like, later)?

    Well, GOOGLE this:

    "USB" and "Linux problem"

    apk

  44. one of the big four did it to us... by pointbeing · · Score: 1

    It was about four years ago but we received an infected build from a major hardware manufacturer.

    We bought several hundred computers and provided the laptop image to the manufacturer after we'd installed our standard suite of applications. The major hardware manufacturer certified the build and started imaging machines - we had about a hundred of them in house before the first ones got stood up and tripped virus scanners as soon as they were powered up.

    The image we sent the manufacturer was virus-free but the preloaded machines we received with that image were not. Major hardware manufacturer had to do a fair bit of tapdancing and machine-replacing to make things right.

    --
    we see things not as they are, but as we are.
    -- anais nin
  45. Add it to the list... by Anonymous Coward · · Score: 0

    Because of piracy, burning, and file-sharing we now have to jump through hoops to exchange/return defective CDs/games/movies (and in some cases even sealed media we flat out don't want).

    I imagine if stories like this start hitting the mainstream we won't be able to return ANY sort of electronic/computerized device. And gee, Sam's Club and "loose return policies" in the same sentence? Go figure.

    If a customer brings back an opened device, policy should be to send it back to the manufacturer. That nips that in a hurry.

  46. removable hardware devices part of attack surface by solinym · · Score: 1

    While autorun is quite obviously profoundly dumb, it's also possible to create devices which do not use the autorun feature and also exploit the OS directly over USB. I've discussed this a bit in my section on the "attack surface", currently here:

    http://www.subspacefield.org/security/security_concepts.html#tth_sEc4.1

    I'm going to incorporate these Microsoft vulnerabilities (centered around autorun) as well, to single it out...

    Here's Bruce Schneier's article on a similar incident:

    http://www.schneier.com/blog/archives/2006/06/hacking_compute.html

  47. Re:Pretty bad when photo frames spread computer vi by Jeruvy · · Score: 1

    Not quite,

    These are photo display devices you can buy at your favorite retailer to load a memory card or usb device to display your digital pictures on.

    I'm sure you could peruse your pr0n collection on one, but don't take it to work ;)

    --
    Jeruvy