Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Asus Recovery Disks Ended Up Carrying Software Cracks

Posted by timothy on from the nice-thing-about-free-software-is-no-cracks dept.

Anthony_Cargile writes "We all now know about Asus shipping illegal software cracks and confidential documents/source code on their recovery DVD (and in the system root), but this article tells exactly how it happened. It's even more careless than you think, and most likely an accident."

34 of 241 comments (clear)

  1. This doesn't explain everything by RGRistroph · · Score: 5, Insightful

    I can how an internal ASUS USB flash disk with an unattend.xml file on it, might get used to move documents around, and then also get used to install windows.

    That might explain how certain documents got put on a lot of harddrives inside ASUS.

    It doesn't explain how that directly ended up being part of what they made an ISO out of, and how no one apparently did quality control and checked every single file on a CD before it was replicated and sent out to the world.

    1. Re:This doesn't explain everything by Free+the+Cowards · · Score: 5, Insightful

      First rule of internal company dynamics: they are not nearly as well staffed, as organized, as thorough, or as competent as you think they are. They are in all probability just as quick and careless as you would be doing the same thing.

      --
      If you mod me Overrated, you are admitting that you have no penis.
    2. Re:This doesn't explain everything by master5o1 · · Score: 2, Insightful

      Or not supposed to be there?

      If it's Asus confidential crap or someone's personal CV then they should obviously be removed.

      --
      signature is pants
    3. Re:This doesn't explain everything by IceCreamGuy · · Score: 5, Insightful

      When was the last time that anyone checked every file on a CD when it's say, a windows restore? Yeah. Nice job dipshit. Think before you talk. What human actually knows every file that's supposed to be on there?

      diff -r, dipshit.

      If doing this kind of quality control doesn't seem trivial and normal to you, then congrats; you don't work in the IT field.

    4. Re:This doesn't explain everything by Miseph · · Score: 3, Insightful

      "When was the last time that anyone checked every file on a CD when it's say, a windows restore? Yeah. Nice job dipshit. Think before you talk. What human actually knows every file that's supposed to be on there?"

      How else do you think this stuff could have been found? Magic?

      I dunno... maybe the guy responsible for figuring out what the hell is supposed to go on there in the first place would know. Last I checked, Microsoft only hired humans for work outside of the legal department. More importantly, nobody would need to know off the top of their head, since they could just check against a list... or even better they could write a short script to do it for them.

      --
      Try not to take me more seriously than I take myself.
    5. Re:This doesn't explain everything by MerlynEmrys67 · · Score: 5, Insightful
      Uh - I do. You mean when you are building a large distribution you don't create a manifest that lists all of the files that are supposed to be on the disk - and then have a script automatically check that everything is on the CD that is supposed to be on it... nothing more - nothing less.

      Sloppy work at the best - a simple engineering problem to solve, takes 2 minutes to run after the ISO is cut. My QA lead would laugh hysterically at me if I tried to pull a stunt link this on her. Easy to verify final ship products

      --
      I have mod points and I am not afraid to use them
    6. Re:This doesn't explain everything by dougmc · · Score: 2, Insightful

      I think the point is that Asus *was* sloppy about it, and they just happened to get away with it until now. That's the nature of sloppy work -- if it's too sloppy, you don't get away with it, so you improve the quality until you generally can get away with it. Doesn't need to be 100% -- just most of the time.

      I'll bet they don't make the same mistake again. (Though of course, they may make similar makes, or may create procedures to help prevent them too. We shall see.)

    7. Re:This doesn't explain everything by lysergic.acid · · Score: 3, Insightful

      well, if they have a clean copy to compare with diff, then why wouldn't they have just used that disc image for the shipped discs?

      obviously more stringent quality control is needed here, but i don't think running a simple diff command is the solution.

    8. Re:This doesn't explain everything by Anonymous Coward · · Score: 1, Insightful

      Why not just give out copies of the installed software on their PROPER install media? Not too long ago when you bought a new computer you didn't get a crappy "restore disk" that became useless by a simple hardware change. You had the option to NOT install the crappy bloatware that came bundled with the machine. You could change your harddrive without jumping through hoops. It is sheer laziness and greed that came up with those silly things.

    9. Re:This doesn't explain everything by PopeRatzo · · Score: 5, Insightful

      First rule of internal company dynamics: they are not nearly as well staffed, as organized, as thorough, or as competent as you think they are.

      At least not any more.

      As long as a company's stock price gets rewarded by Wall Street for laying off employees, we're going to see stressed corporations.

      Remember that really slow guy in QA who took forever to write his reports, and was getting a little gray, and was making more than a lot of us because he'd been with the company forever? He was the guy who would catch these stupid mistakes.

      But he was laid off when we got "lean and mean".

      --
      You are welcome on my lawn.
    10. Re:This doesn't explain everything by JoeMerchant · · Score: 2, Insightful

      As an employee of an OEM that does these installs all day long, I can say they really messed up.....

      Yeah, but I bet you don't work for an asian vendor of cost competitive commodity goods. Sure there are procedures to prevent this, sure they don't cost much to implement, but the culture that enforces the kind of safeguards you mention does actually ingrain cost into the product along with quality.

      It's much more cost effective to fire a couple of guys as an example and continue with business as usual, especially when the majority of your customer base doesn't really care.

    11. Re:This doesn't explain everything by RGRistroph · · Score: 2, Insightful

      And keep in mind that if ASUS had been shipping Linux, this mistake would still be possible, if they were setting up their machines using a "kickstart" USB flash disk.

    12. Re:This doesn't explain everything by Sancho · · Score: 2, Insightful

      It's because your average grandma doesn't know how to install and configure Windows and any of the software they may want on their computer after a reinstall, and your average software company doesn't want to pay for 4 hours on the phone explaining the process. It takes a lot less time to say, "Insert the disc labelled 'restore', then reboot your computer. Call us back in four hours if it doesn't work." The company pays less, the customer doesn't have to follow difficult (to them) and tedious steps, and it makes reinstalling Windows a breeze. Considering how often this is necessary, I'd say that it's a perfectly reasonable thing for a company to do to make it as easy as possible.

  2. Crack vs. Foss by O('_')O_Bush · · Score: 5, Insightful

    FTA:
    "c:\Windows\ConfigSetRoot\ contained a software crack for the WinRar program...

    So apparently an Asus employee happened to have a personal flash drive, and stored his resume (presumeably, conspiracy theorists may disagree) as well as a few harmless keygens and serials on it.."

    It amazes me that this employee chose illegal means of getting an archiving program instead of using a FOSS solution such as 7-zip ( http://www.7-zip.org/).

    I know some companies have protocols for handling FOSS software, but this should have never have happened if the employee had just turned to his company's legal department for obtaining software licenses.

    --
    while(1) attack(People.Sandy);
    1. Re:Crack vs. Foss by Anonymous Coward · · Score: 2, Insightful

      And yet your idiot rambling is being distributed and viewed globally with FOSS.

      I'm willing to bet that, in general, the quality of free software is is much higher than propietary software.

      The reason crappy proprietary software seems rare is that it sinks to the bottom of the barrel faster than crappy free software, as it should.

    2. Re:Crack vs. Foss by Anonymous Coward · · Score: 2, Insightful

      WinRAR is $30, for something that inexpensive I'd send an email to whoever handles purchasing requesting the software and reminding them that if I have to come explain to them why I need it, the waste of both our time will cost the company more than just buying the program in the first place.

      It's always worked for me, your mileage may vary.

  3. Could have been me by InlawBiker · · Score: 5, Insightful

    I am completely unsurprised. When I heard about it I thought, "Oh, some jackball inadvertently copied his personal files via some install script. That's pretty funny."

    I personally have the exact same stuff on my thumb drive - my resume and some cracking tools. As we all know, nobody tests their own work. That's why testers have jobs.

    So he screwed up - at least he has a good story to tell!

    1. Re:Could have been me by Morkalin · · Score: 2, Insightful

      As we all know, nobody tests their own work.

      Speak for yourself.

    2. Re:Could have been me by ogl_codemonkey · · Score: 5, Insightful

      As we all know, nobody tests their own work.

      Speak for yourself.

      I don't know anyone that tests their work as thoroughly as the next person to find a mistake in it.

  4. Carelessness by Anonymous Coward · · Score: 1, Insightful

    "It's even more careless than you think, and most likely an accident."

    Not really. While the details are interesting, this is about the level of carelessness I expected.

    Software cracks and other personal files somehow made it into the master ISO, and nobody caught it. We knew that already, and that fact alone implies massive carelessness by several individuals. TFA just shows the path that carelessness took.

    And of course this is an accident. Unless you think Asus decided to go into the software crack business, what the hell else would it be? Someone screwed up.

    I'm all for rhetoric and such, but come on--in a 2 sentence OP, 1 of those sentences shouldn't be throwaway.

  5. I always get keygens for software I buy by Matt+Perry · · Score: 4, Insightful

    I always get keygens and cracks for software I buy as a safety measure, and test them in a virtual machine to make sure they work. With all the phone home activation that software does these days I don't want to have to call a vendor and beg for access to to software I've already paid for when Windows takes a nose dive. What if the vendor doesn't support that version any more and doesn't want to give me a new activation key? What if the vendor is bought or goes out of business? If I reach that point I can at least use the keygen or crack to protect my investment.

    I can't fault anyone for having keygens for their apps.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    1. Re:I always get keygens for software I buy by DigiShaman · · Score: 2, Insightful

      Let be real ok? 99.999% of the time someone uses a keygen, it's to pirate software. Hey I've been guilty of it, sure (with Nero Burning rom). But I've also purchased a real key from their website a few months later. The point is, it's still wrong.

      Do you think if I carried a crack pipe in my pocket, I could convince a COP that it's just a goodluck charm? You see my point right?

      --
      Life is not for the lazy.
  6. There is a simpler, safer solution. by NotQuiteReal · · Score: 3, Insightful
    I just back up my keys.

    I have one key that is over 10 years old, that was updated by the company from an 8 digit code to a more secure 6-groups-of-5-alphanumeric code that still works.

    Never needed a crack, and the key takes up a lot less space. Plus it I know it isn't a trojan program or a virus.

    --
    This issue is a bit more complicated than you think.
    1. Re:There is a simpler, safer solution. by powerspike · · Score: 5, Insightful

      It's not that easy anymore, programs like windows, anti virus software just to name a few, require you to either phone a number to active the software, or connect to the internet, if you don't do that, it won't run until you do. Now add in they usally only let you install the software X number of times per key/product, your going to be screwed in ten years if you need to activate software from today. Safely storing your serial/product keys these days for long term use is pretty useless.

  7. Re:TFA by HeronBlademaster · · Score: 2, Insightful

    I thought it would be "Don't buy Asus machines." It isn't hard to imagine a vendor doing something similar to this for Linux installations.

  8. Re:TFA by Nazlfrag · · Score: 5, Insightful

    Great, then the mac or linux files would have been copied from the usb stick to the windows install directory. Reduces the chances of cracks appearing, but does nothing for the documents.

  9. Re:TFA by DrSkwid · · Score: 5, Insightful

    That sounds like the dumbest choice. The only negative effect an Asus client could have is if the USB flash drive contained malware of some description.
    Condemning the whole company because of one employees ignorance of MS's stupid xml magic really is cutting your nose to spite your face.
    Asus products have always been good to me.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  10. Re:So the guy who goofed, is he BLACK? by Dr.+Hellno · · Score: 2, Insightful

    Has anyone else noticed he bizarre renaissance of racism going on right now? I know it's garbage trolling and I'm (sort of) taking the bait, but I don't remember Slashdot being this quick or eager to bash black people in the past. It's every thread now, right below first post!

  11. Re:So the guy who goofed, is he BLACK? by yahwotqa · · Score: 2, Insightful

    All it takes is one bored idiot. Just ignore it.

  12. Re:I'm curious about that anti DR-DOS document by Anonymous Coward · · Score: 1, Insightful

    Blaming Microsoft for the death of Amiga makes you sound like a rabid Amiga fanboy. I'm guessing you hail from the western side of the pond, and thus only experienced the Amiga popularity secondhand. (And also - kept the flag flying long after the masses over in Europe had abandoned Amiga)

    By the time Gateway got involved with the name 'Amiga' (c. 97), the platform was already dead. Personally, I think Amiga was dead by the time A1200 hit the market ('92) - a successor for the last great home computer (A500) came way too late to keep the masses buying.

  13. Re:TFA by atamido · · Score: 3, Insightful

    ignorance of MS's stupid xml magic

    Because all Linux config files make perfect sense... Seriously though, XML may be verbose, but at least the format is clear. In contrast, ever .conf file has its own peculiar formatting that makes editing an adventure.

  14. Re:So the guy who goofed, is he BLACK? by Toll_Free · · Score: 2, Insightful

    And they don't realize they are discriminating against the free speech of the people that are being "racist".

    The problem with racism, is, until every "race" gives up their "identity", we will all be different. Period.

    --Toll_Free

  15. Re:TFA by Toll_Free · · Score: 2, Insightful

    But, the problem is, nobody in their right mind (consumers) want to go through all the bullshit of installing linux.

    Yeah, I downloaded Ubuntu. Latest and greatest, 4 weeks ago.

    Took a week / week and a half for my roommate to get a friggin Broadcom wifi card working. It was done as a test, to see "just how good" the install of the newer distros is. (I run slackware). Yup, install windows, runs fine OOBE. Run Linux, go find some FWCUTTER thing, then have to compile it, then have to get it to work (it never did for him), then figure out where in the OS to install the "flash" files.

    Yup, that's an operating system destined for desktops everywhere!

    The problem with Microsoft isn't that they make things easy, that's what the world wants. Tech geeks, I'm sorry to say (as one), are NOT the people MOST companies mass market to, they do it to the people NOT classified as nerds or geeks in school because, magically, THEY ARE THE MINORITY.

    Anywho, just thought I would set you straight. Having an easy to install O/S isn't the problem. The problem was the asshole at Asus that didn't do his job correctly, was using illegal software cracks (presumably, nobody knows for sure where he lives), and the assholes that where supposed to actually TEST the OOBE (Out Of Box Experience) and the image verifiers should ALL LOSE THEIR JOBS!

    --Toll_Free

  16. Re:TFA by Sancho · · Score: 3, Insightful

    I don't get it. Why is this "XML Magic" bad? That flag is clearly documented. Open source wouldn't have prevented this problem any more than just reading the documentation would have. It's even likely that this person knew about that flag and just forgot about it.