Slashdot Mirror


How Asus Recovery Disks Ended Up Carrying Software Cracks

Anthony_Cargile writes "We all now know about Asus shipping illegal software cracks and confidential documents/source code on their recovery DVD (and in the system root), but this article tells exactly how it happened. It's even more careless than you think, and most likely an accident."

15 of 241 comments

  1. TFA by Anonymous Coward · · Score: 5, Informative

    Asus Recovery DVD scandal: How it happened
    Posted by anthony Published in Security, Software

    For those who haven't already heard, the PC OEM company Asus was involved in a major scandal where a directory on the recovery DVD and inside c:\Windows\ConfigSetRoot\ contained a software crack for the WinRar program, software serial numbers, a resume (presumably for a now-jobless Asus employee), an internal Asus PowerPoint describing "known compatibility issues", Asus source code, and even an OEM issued Microsoft document, which mainly says "do not distribute DR-DOS with any computers".

    We now know from an OEM source how exactly the files got where they did in the first place, and it isn't very surprising.

    An Asus representative said they would be investigating the matter, and while someone is still going to lose their job over this just so Asus can say so, the way the files made it to thousands of PCs is pretty common.

    An OEM employee (name not mentioned here) discussing the matter said that during the Vista installs, the generic Vista disc installing the OS looks for an XML file (unattend.xml) on a flash drive, and upon finding it the installation parses it and runs the XML code as installation instructions so nobody has to go through the installation menu for the hundreds of synchronous installations (hence the unattend).

    BUT… there is another twist: If a certain tag or attribute is present, all files other than unattend.xml itself on the flash drive will be copied to c:\windows\configsetroot - see the connection?

    So apparently an Asus employee happened to have a personal flash drive, and stored his resume (presumably, conspiracy theorists may disagree) as well as a few 'harmless' keygens and serials on it as well, in his defence in case maybe he lost the serial to winrar or other programs. Apparently the same employee used the flash drive to store or back up confidential Asus documents and source code, as well.

    So if the Asus internally distributed unattend.xml file was copied to this unnamed (and jobless) employee's personal flash drive, and included the xml tag/attribute to copy over everything to the system root and, therefore, recovery DVD as well, then voila! Then the only way somebody could come under fire because of this is because of oh, I don't know, not checking the installation root once everything was installed!

    So now we know HOW exactly this whole ordeal was started, and there is a lesson to be learned here…. somewhere.

    1. Re:TFA by bluefoxlucid · · Score: 3, Informative

      I had that problem with Ubuntu like 3 releases ago, when fwcutter was first integrated. Somewhere along the way they managed to make it ask you about it in the restricted device manager, and then automatically get the firmware and install it. It works in 2 clicks now.

  2. Re:This doesn't explain everything by Anonymous Coward · · Score: 5, Informative

    As an employee of an OEM that does these installs all day long, I can say they really messed up. Using an unattend.XML from a flash drive is BAD. Using a USB drive that has anything else on it is WORSE. Having illegal software and ND docs on the MFG floor, on an unsecure USB drive, next to your install scripts, is enough to get you FIRED.

    And to other comments...Yes, we do look at nearly EVERY SINGLE FILE, including c:\Windows\ConfigSetRoot\. If you send out for 100k recovery DVDs, you want to make sure they are correct.
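A pre-mastering check of the kind the comment above describes, written as an added example (not code from the article, the commenters, or Asus). It assumes the setting the article alludes to is `UseConfigurationSet` from Microsoft's answer-file schema, which the page itself does not name; the manifest format and function names are hypothetical.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample answer file; only the UseConfigurationSet setting matters here.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <UseConfigurationSet>true</UseConfigurationSet>
    </component>
  </settings>
</unattend>"""

def copies_whole_drive(answer_file: Path) -> bool:
    """True if any UseConfigurationSet element (any namespace) is set to true."""
    root = ET.parse(answer_file).getroot()
    return any(el.tag.rsplit("}", 1)[-1] == "UseConfigurationSet"
               and (el.text or "").strip().lower() == "true"
               for el in root.iter())

def audit_media(media: Path, manifest: dict[str, str]) -> list[str]:
    """List files Setup would copy that the manifest (assumed: path -> SHA-256) does not approve."""
    answer = next((p for p in media.iterdir()
                   if p.name.lower() in ("unattend.xml", "autounattend.xml")), None)
    if answer is None or not copies_whole_drive(answer):
        return []  # nothing besides the answer file would be copied
    findings = []
    for path in sorted(p for p in media.rglob("*") if p.is_file() and p != answer):
        rel = path.relative_to(media).as_posix()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if rel not in manifest:
            findings.append(f"UNEXPECTED {rel}")
        elif manifest[rel] != digest:
            findings.append(f"MODIFIED {rel}")
    return findings

def demo() -> list[str]:
    """Build a constructed flash-drive layout and audit it against a one-file manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "unattend.xml").write_text(SAMPLE_UNATTEND, encoding="utf-8")
        (media / "drivers").mkdir()
        (media / "drivers" / "oem.inf").write_bytes(b"[Version]\n")
        (media / "resume.doc").write_bytes(b"personal file\n")
        approved = {"drivers/oem.inf": hashlib.sha256(b"[Version]\n").hexdigest()}
        return audit_media(media, approved)
```

The same `audit_media` call can be pointed at an extracted `ConfigSetRoot` directory from a finished image, so the check runs both before installation and before the recovery DVD is mastered.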

  3. Re:Crack vs. Foss by tftp · · Score: 2, Informative

    It amazes me that this employee chose illegal means of getting an archiving program instead of using a FOSS solution such as 7-zip

    Compare GUIs of those two programs. 7-Zip's GUI is quite bad. Also 7-Zip does not have the "Move" function where your files are archived and deleted. I use WinZip for that since the company has it licensed. I also have 7-Zip installed, but as I said its GUI is very rudimentary, IIRC lacking buttons for many obvious functions.

    This is actually a well known effect of piracy on free software. If the commercial software is free to the user, just as F/OSS software is, then the commercial software wins - it is simply better in most cases, at least because more effort and more money went into it.

  4. Re:I always get keygens for software I buy by Anonymous Coward · · Score: 1, Informative

    Do you think if I carried a crack pipe in my pocket, I could convince a COP that it's just a goodluck charm? You see my point right?

    Well, I believe that's the exact principle that allows head shops to operate. Unless they can prove that crack pipe is not a good luck charm, they've got nothing on you. Course what you said may be true -- even if he can't take you in, you may not be able to convince the cop. :-)

  5. Re:Could have been me by AnonChef · · Score: 3, Informative

    As we all know, nobody tests their own work.

    Speak for yourself.

    It should be:
    As we all know, nobody should test their own work.

  6. Re:Crack vs. Foss by hairyfeet · · Score: 2, Informative

    That is why I give folks Alzip instead of 7zip. The interface on 7zip is just too geeky for your average user. While Alzip isn't OSS, it is free, and the user interface is just as easy as WinRAR to use IMHO.

    As for ASUS, I'm really surprised a company that size pulling such a rookie foul up. I guess it is pretty obvious that they didn't have anyone checking the images that went out. Have the images been scanned for malware? Because if the guy was carrying cracks and keygens there is no telling what else could have been on that stick, or even what all went into the image for that matter. If I had one of the affected machines I would definitely look at it as suspect. But as always this is my 02c, YMMV

    --
    ACs don't waste your time replying, your posts are never seen by me.
  7. Re:Crack vs. Foss by mgblst · · Score: 2, Informative

    I have had problems using 7-zip on new winzip created zip files. I am not the only one to have this problem in my company. We wish we could get rid of Winzip, but we can't since our clients use it (not from bittorrent, wanker!). You do know that zip has different compression algorithms within it (not 7z, arj, just zip!). This is the problem, 7-zip doesn't handle the latest ones.

    All I want from 7-zip is as I said, for it to work, and it not to waste 30 minutes figuring out it can't handle a file.

    In my personal experience, it keeps failing. What more can I say. Not all the time, but a couple of times a day.

  8. Re:I'm curious about that anti DR-DOS document by Orion+Blastar · · Score: 4, Informative

    Here is a reference to that but Microsoft made sure the original articles got scrubbed off the Internet. There were things Microsoft did to GEOS, GEM, the Amiga, the Atari ST, Vision, Desqview, etc to discourage OEMS and hardware and software makers from supporting them and only supporting Microsoft products like MS-DOS and Windows instead. Microsoft did the same thing to IBM over OS/2. But most of the articles about that Microsoft had scrubbed off the Internet.

    The history of the Amiga clearly shows its 8-bit roots with the Atari 2600 and Atari 400/800 series that evolved into the Amiga eventually, parallel to the Macintosh.

    In the 1990's PC OEMS were fighting over the Amiga, but were loyal to Microsoft. But Microsoft used the same tactics against the Amiga that they used against DR-DOS, and killed the Amiga by leveraging what OEMS could and could not do and then Gateway had to sell the Amiga division to make Microsoft happy.

    "The press attention to the Microsoft case reveals their relationship with Gateway. Jim Von Holle, a former Gateway employee, describes how the company tried to punish Gateway for the type of software they shipped. Although largely in the background, it became increasingly clear why Gateway chose to develop an alternative to the Windows market. Unfortunately, just a few months later Gateway's relationship with Microsoft regarding their set-top box would have a dramatic effect upon Amiga's plans. Who could have guessed Microsoft would play a major role in the Amigas downfall?"

    I have said it before, but my comments got rated down as troll, by rabid Apple and Microsoft fanboys who hate the Amiga. This time I found the links that prove it.

    It was not just DR-DOS that Microsoft murdered, but the Amiga as well. Apple had a hand in it by forcing Apple dealers to lose their license if they sold Amiga computers as well as Macintoshes. Then later Apple killed the Apple Dealers and did the store within a store and web store to sell Macintoshes as revenge on Apple dealers that still tried to sell Amiga One and Classic Amiga computers along with Macs.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  9. Re:I always get keygens for software I buy by Zironic · · Score: 2, Informative

    >Do you think if I carried a crack pipe in my pocket, I could convince a COP that it's just a goodluck charm?

    Yes you could, there is nothing illegal about owning a crack pipe.

  10. Re:Could have been me by mea_culpa · · Score: 2, Informative

    Having dealt with ASUS over the last 10 years I am not surprised that such carelessness happens within their organization. In the late 90s and early 2000s I probably had 500 or more of their motherboards in use at various small businesses. Early on I had a great deal of confidence in their product, never had any defects so never had to deal with their company. This was very rare at that time. That was until their A7x series of motherboards came along. Countless failed NB fans, intermittent PS/2 port failures, etc. When calling for support I was expecting very professional help but was met with people that didn't give a sh*t. They would only send one replacement fan at a time even though every single one failed and I needed like 10-20 at a time. Getting a motherboard replaced was insane especially when dealing with intermittent problems. They directed me to an incredibly bothersome webform rather than assisting me over the phone. They had a bad habit of sending the same defective board back to me 3 times saying it 'passed' their diagnostics. Out of frustration I resorted to putting them in the microwave for a few seconds to make them really dead before I would get better working products. I lost thousands in lost hours and handling my own warranty. ASUS didn't give a sh*t for my problem, and it was probably the same attitude that led to this recovery disk debacle.
    When I saw this I hear so clearly the words of Nelson... HAH HAH! And can't agree more.

  11. Re:Could have been me by houghi · · Score: 2, Informative

    (Looks in the box)
    A red stapler to begin with, a desk lamp, 25 CDs with data I burned, 72 pens, business cards, a keyboard, a mouse, ...

    Well, you get the idea. Everything that is in, on or around my desk. What are they going to do? Fire me? Too much trouble to call the police over it. At least where I am.

    --
    Don't fight for your country, if your country does not fight for you.
  12. a chip of the old block by Anonymous Coward · · Score: 1, Informative

    I am Chinese, but I'm not going to cover for them. Try taking a look at the Taiwan manufacturers' drivers ... all kinds of mistakes in the documents! The driver itself has similar problems as usual, and it truly reflects that the quality control was a mess. Not only Asus, also MSI, Gigabyte, IWILL, CMI, Realtek ... there are many more mistakes everywhere!

  13. Re:Crack vs. Foss by CCFreak2K · · Score: 2, Informative

    Last I checked, 7zip would not read rar files

    It most certainly can read RAR files, but I'm not sure if it will extract from password-protected RARs.

    --
    "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
  14. Re:I'm curious about that anti DR-DOS document by Anonymous Coward · · Score: 1, Informative

    Uh, by the time Gateway bought the Amiga it was dead as a platform. No need to attribute to MS malice what is suitably explained by Commodore incompetence.