Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Asus Recovery Disks Ended Up Carrying Software Cracks

Posted by timothy on from the nice-thing-about-free-software-is-no-cracks dept.

Anthony_Cargile writes "We all now know about Asus shipping illegal software cracks and confidential documents/source code on their recovery DVD (and in the system root), but this article tells exactly how it happened. It's even more careless than you think, and most likely an accident."

24 of 241 comments (clear)

  1. TFA by Anonymous Coward · · Score: 5, Informative

    Asus Recovery DVD scandal: How it happened
    Posted by anthony Published in Security, Software

    For those who havenâ(TM)t already heard, the PC OEM company Asus was involved in a major scandal where a directory on the recovery DVD and inside c:\Windows\ConfigSetRoot\ contained a software crack for the WinRar program, software serial numbers, a resume (presumably for a now-jobless Asus employee), an internal Asus powerpoint describing âoeknown compatibility issuesâ, Asus source code, and even an OEM issued Microsoft document, which mainly says âoedo not distribute DR-DOS with any computersâ.

    We now know from an OEM source how exactly the files got where they did in the first place, and it isnâ(TM)t very surprising.

    An Asus representative said they would be investigating the matter, and while someone is still going to lose their job over this just so Asus can say so, the way the files made it to thousands of PCs is pretty common.

    An OEM employee (name not mentioned here) discussing the matter said that during the vista installs, the generic vista disc installing the OS looks for an XML file (unattend.xml) on a flash drive, and upon finding it the installation parses it and runs the XML code as installation instructions so nobody has to go through the installation menu for the hundreds of synchronous installations (hence the unattend).

    BUT⦠there is another twist: If a certain tag or attribute is present, all files other than unattend.xml itself on the flash drive will be copied to c:\windows\configsetroot - see the connection?

    So apparently an Asus employee happened to have a personal flash drive, and stored his resume (presumeably, conspiracy theorists may disagree) as well as a few âharmlessâ(TM) keygens and serials on it as well, in his defence in case maybe he lost the serial to winrar or other programs. Apparently the same employee used the flash drive to store or back up confidential Asus documents and source code, as well.

    So if the Asus internally distributed unattend.xml file was copied to this unnamed (and jobless) employeeâ(TM)s personal flash drive, and included the xml tag/attribute to copy over everything to the system root and, therefore, recovery DVD as well, then voila! Then the only way somebody could come under fire because of this is because of oh, I donâ(TM)t know, not checking the installation root once everything was installed!

    So now we know HOW exactly this whole ordeal was started, and there is a lesson to be learned hereâ¦. somewhere.

    1. Re:TFA by Nazlfrag · · Score: 5, Insightful

      Great, then the mac or linux files would have been copied from the usb stick to the windows install directory. Reduces the chances of cracks appearing, but does nothing for the documents.

    2. Re:TFA by DrSkwid · · Score: 5, Insightful

      That sounds like the dumbest choice. The only negative effect an Asus client could have is if the USB flash drive contained malware of some description.
      Condemning the whole company because of one employees ignorance of MS's stupid xml magic really is cutting your nose to spite your face.
      Asus products have always been good to me.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    3. Re:TFA by blind+biker · · Score: 4, Funny

      So apparently an Asus employee happened to have a personal flash drive, and stored his resume

      If that really was his/her resume, I doubt it will do much good to him/her, now.

      I love the twist, though: "I worked for 3 years at Asus, but I, er, decided to move on now. Oh, BTW: you can find my resume on your Asus recovery disk - isn't that convenient!"

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  2. This doesn't explain everything by RGRistroph · · Score: 5, Insightful

    I can how an internal ASUS USB flash disk with an unattend.xml file on it, might get used to move documents around, and then also get used to install windows.

    That might explain how certain documents got put on a lot of harddrives inside ASUS.

    It doesn't explain how that directly ended up being part of what they made an ISO out of, and how no one apparently did quality control and checked every single file on a CD before it was replicated and sent out to the world.

    1. Re:This doesn't explain everything by Free+the+Cowards · · Score: 5, Insightful

      First rule of internal company dynamics: they are not nearly as well staffed, as organized, as thorough, or as competent as you think they are. They are in all probability just as quick and careless as you would be doing the same thing.

      --
      If you mod me Overrated, you are admitting that you have no penis.
    2. Re:This doesn't explain everything by Anonymous Coward · · Score: 5, Informative

      As an employee of an OEM that does these installs all day long, I can say they really messed up. Using an unattend.XML from a flash drive is BAD. Using a USB drive that has anything else on it is WORSE. Having illegal software and ND docs on the MFG floor, on an unsecure USB drive, next to your install scripts, is enough to get you FIRED.

      And to other comments...Yes, we do look at nearly EVERY SINGLE FILE, including c:\Windows\ConfigSetRoot\. If you send out for 100k recovery DVDs, you want to make sure they are correct.

    3. Re:This doesn't explain everything by IceCreamGuy · · Score: 5, Insightful

      When was the last time that anyone checked every file on a CD when it's say, a windows restore? Yeah. Nice job dipshit. Think before you talk. What human actually knows every file that's supposed to be on there?

      diff -r, dipshit.

      If doing this kind of quality control doesn't seem trivial and normal to you, then congrats; you don't work in the IT field.

    4. Re:This doesn't explain everything by MerlynEmrys67 · · Score: 5, Insightful
      Uh - I do. You mean when you are building a large distribution you don't create a manifest that lists all of the files that are supposed to be on the disk - and then have a script automatically check that everything is on the CD that is supposed to be on it... nothing more - nothing less.

      Sloppy work at the best - a simple engineering problem to solve, takes 2 minutes to run after the ISO is cut. My QA lead would laugh hysterically at me if I tried to pull a stunt link this on her. Easy to verify final ship products

      --
      I have mod points and I am not afraid to use them
    5. Re:This doesn't explain everything by RGRistroph · · Score: 4, Interesting

      I had forgotten that it was a windows restore CD, I was thinking in terms of a driver CD or something.

      However, there exist tools that are designed to do exactly that sort of thing. I run something that checksums every file on a server and compares it to a known good value, as part of an intrusion detection system. If I were shipping a windows computer otu of manufacturing, I would take file lists from as-shipped as well as after restoration, and I would compair them against other windows installations, and make sure I knew a reason why every single different file was different.

      It's not that hard. Once you write a script to go through and get the file list out of all the .cab files, and subtract that from what's on the disk, what's left is not that much. Just the pre-installed cruftware and whatnot . . . maybe they had so much of that, these files got lost in the noise.

      So, what had to happen was this:

      1) Employee got the "official vista install" USB fob, probably used it, and then he or someone else used it as a hand file transfer mechanism, adding more files to it

      2) This non-pristine USB fob was used again to install the "master" harddrive that would be used to make recovery DVDs shipped with the product

      3) No one carefully checked the files on that recovery, OR the USB fob infection had also gotten to the vista's that he compaired against

      Still seems sloppy to me. If you know you are going to be dealing with a behemoth like Vista, one of the things you do is write scripts or develope tools to deal with it.

      One thought I had, is that this would be a way to make a virus replicate. What if instead of random crap, it put some kernel driver in windows that checked to see if you were writing an "unattend.xml" file and dumped itself on that drive if so ? Some minimal attempts at hiding might take you a long way, given that there appears to be little quality control. How to get it into the OEM so it will be re-distributed ? Oh, just add it to a cracked copy of WinRAR and post it on a warez site, that apparently works.

    6. Re:This doesn't explain everything by PopeRatzo · · Score: 5, Insightful

      First rule of internal company dynamics: they are not nearly as well staffed, as organized, as thorough, or as competent as you think they are.

      At least not any more.

      As long as a company's stock price gets rewarded by Wall Street for laying off employees, we're going to see stressed corporations.

      Remember that really slow guy in QA who took forever to write his reports, and was getting a little gray, and was making more than a lot of us because he'd been with the company forever? He was the guy who would catch these stupid mistakes.

      But he was laid off when we got "lean and mean".

      --
      You are welcome on my lawn.
    7. Re:This doesn't explain everything by Anonymous Coward · · Score: 5, Interesting

      I used to produce computer magazine coverdiscs, and have also written several computer books with CD/DVDs attached. Millions of my authored CDs/DVDs have been produced, maybe more.

      I am FREAKING PARANOID that anything untoward might get onto the disks that shouldn't be there. Once sent to the duplicator, there's no turning back. I personally have spent hours checking each and every file on discs that I've made, even going so far to check file dates to ensure files haven't been tampered with accidentally (maybe I've discovered a new bug that causes files to be mixed with, say, porn). I check them on different operating systems, and either delete hidden system files (.thumbs etc), or open them in a hex/text editor to see what they contain.

      Also, and this is a golden rule, if you're producing a CD/DVD for distribution, you MUST USE A CLEAN COMPUTER. Luckily virtual machines make this a lot easier because you can keep the OS and the virtual file system clean -- nothing gets onto the virtual file system unless it's downloaded (provided you turn off file network sharing of course).

    8. Re:This doesn't explain everything by Anonymous Coward · · Score: 5, Funny

      Once I had a phone call from a lady who claimed my magazine coverdisc was distributing porn. It was a real "holy crap" of a moment, because I had to admit that it was possible -- our coverdiscs went through many hands during compilation, and it was possible.

      I asked her to explain more, and it turned out she'd installed a screen saver slideshow application that was on the disc. Hmmm... I looked into it and the screensaver applicaiton merely scanned the user's hard disk for pictures, and then presented them in a slideshow.

      Ah. The porn pics weren't on our disc. They were on her computer. I communicated this to her in as many words. She denied any possibility of porn being on her disk but, upon further questioning, it transpired the only other user of the computer was her son... Who was 14. Yeah. OK. But it couldn't be him, she said. He wouldn't be into... this kind of thing. So she continued to blame us, even though she knew that I was probably right. I eventually hung up as she was threatning to call her lawyers. We never heard a peep out of her after this.

  3. Crack vs. Foss by O('_')O_Bush · · Score: 5, Insightful

    FTA:
    "c:\Windows\ConfigSetRoot\ contained a software crack for the WinRar program...

    So apparently an Asus employee happened to have a personal flash drive, and stored his resume (presumeably, conspiracy theorists may disagree) as well as a few harmless keygens and serials on it.."

    It amazes me that this employee chose illegal means of getting an archiving program instead of using a FOSS solution such as 7-zip ( http://www.7-zip.org/).

    I know some companies have protocols for handling FOSS software, but this should have never have happened if the employee had just turned to his company's legal department for obtaining software licenses.

    --
    while(1) attack(People.Sandy);
  4. Could have been me by InlawBiker · · Score: 5, Insightful

    I am completely unsurprised. When I heard about it I thought, "Oh, some jackball inadvertently copied his personal files via some install script. That's pretty funny."

    I personally have the exact same stuff on my thumb drive - my resume and some cracking tools. As we all know, nobody tests their own work. That's why testers have jobs.

    So he screwed up - at least he has a good story to tell!

    1. Re:Could have been me by ogl_codemonkey · · Score: 5, Insightful

      As we all know, nobody tests their own work.

      Speak for yourself.

      I don't know anyone that tests their work as thoroughly as the next person to find a mistake in it.

    2. Re:Could have been me by this+great+guy · · Score: 5, Funny

      I personally have the exact same stuff on my thumb drive - my resume and some cracking tools.

      Hello, this is John, your boss's boss from Asus. We found your thumb drive plugged in one of our server used to build Vista images. Are you available monday 9:00am for a quick meeting ? We need to have a little talk.

      PS: bring 1 or 2 empty boxes.

      -John

  5. I always get keygens for software I buy by Matt+Perry · · Score: 4, Insightful

    I always get keygens and cracks for software I buy as a safety measure, and test them in a virtual machine to make sure they work. With all the phone home activation that software does these days I don't want to have to call a vendor and beg for access to to software I've already paid for when Windows takes a nose dive. What if the vendor doesn't support that version any more and doesn't want to give me a new activation key? What if the vendor is bought or goes out of business? If I reach that point I can at least use the keygen or crack to protect my investment.

    I can't fault anyone for having keygens for their apps.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    1. Re:I always get keygens for software I buy by commodoresloat · · Score: 4, Funny

      You see my point right?

      That you're a crackhead?

  6. Lately their quality has been going downhill... by cyberjock1980 · · Score: 5, Interesting

    This is disappointing. A few months back ASUS got into a flamewar with GIGABYTE. GIGABYTE came out and told Tom's Hardware that ASUS used inferior parts, changed their % gains versus their competitor without changing the product whatsoever, and that ASUS's EPU feature is software instead of hardware(meaning it is inferior to GIGABYTE). GIGABYTE did come back and appologize for claiming ASUS used inferior parts(it was found that it was a different vendor's board that contained inferior parts). ASUS threatened to sue any website that talked dirty about ASUS when this all came to light. Check out http://www.tomshardware.com/news/asus-gigabyte-motherboard,5348.html to read about the GIGABYTE versus ASUS drama. Then check http://www.tomshardware.com/news/asus-gigabyte-motherboard,5480.html for ASUS suing GIGABYTE for the bad publicity.

    I have been an ASUS user for many years, building many computers with ASUS parts. While GIGABYTE did include some false claims, they did have valid complaints for their other arguements. I was one of the people that was stuck with a motherboard that cost me $250 that didn't do quite what it was supposed to do, and as a result my linux based computer cannot use their power management function(because it is software based). GIGABYTE's is hardware, and is enabled in BIOS and doesn't care which OS you use. This one hit home for me. My computer is on 24x7, and I wanted my computer to be green. Unfortunately that dream will not be a reality with ASUS hardware.

    This again paints a bad picture of the quality work ASUS has been doing lately. I am sure that my next motherboard won't be ASUS. They have lost points with me, and I am going to check out one of the other top tier motherboard companies.

    I have never purchased a motherboard from GIGABYTE, but I'm already looking for motherboards for Nahelem when it comes out next month, and I'm not even looking at what ASUS is offering. Bite me once, shame on you. Bite me twice, shame on me!

    Reasons for leaving ASUS:

    1. Changing your product efficiency % gains after shipping the product for months, AND not changing anything on the product! As if they wouldn't get caught? Competitors are always shopping their other competitors!

    2. They fail to mention that EPU REQUIRES Windows to run. I don't care what ASUS says. If it requires software(Windows based at that!), then it's software based. Even if its hardware functions are enabled by using the software.

    3. Suing anyone who talks about their bad publicity from GIGABYTE. WTF? Seriously, WTF? That's RIAA type behavior, and I will not tolerate that type of child in my house.

  7. I'm curious about that anti DR-DOS document by electrogeist · · Score: 4, Interesting
    OEM issued Microsoft document, which mainly says "do not distribute DR-DOS with any computers".

    Is this something recent? Someone have one of these restore CDs to post the text? With the history of bad blood this could be a story in itself

    1. Re:I'm curious about that anti DR-DOS document by Orion+Blastar · · Score: 4, Informative

      Here is a reference to that but Microsoft made sure the original articles got scrubbed off the Internet. There were things Microsoft did to GEOS, GEM, the Amiga, the Atari ST, Vision, Desqview, etc to discourage OEMS and hardware and software makers from supporting them and only supporting Microsoft products like MS-DOS and Windows instead. Microsoft did the same thing to IBM over OS/2. But most of the articles about that Microsoft had scrubbed off the Internet.

      The history of the Amiga clearly shows its 8-bits roots with the Atari 2600 and Atari 400/800 series that evolved into the Amiga eventually, parallel to the Macintosh.

      In the 1990's PC OEMS were fighting over the Amiga, but were loyal to Microsoft. But Microsoft used the same tactics against the Amiga that they used against DR-DOS, and killed the Amiga by leveraging what OEMS could and could not do and then Gateway had to sell the Amiga division to make Microsoft happy.

      "The press attention to the Microsoft case reveals their relationship with Gateway. Jim Von Holle, a former Gateway employee, describes how the company tried to punish Gateway for the type of software they shipped. Although largely in the background, it became increasingly clear why Gateway chose to develop an alternative to the Windows market. Unfortunately, just a few months later Gateway's relationship with Microsoft regarding their set-top box would have a dramatic effect upon Amiga's plans. Who could have guessed Microsoft would play a major role in the Amigas downfall?"

      I have said it before, but my comments got rated down as troll, by rapid Apple and Microsoft fanboys who hate the Amiga. This time I found the links that prove it.

      It was not just DR-DOS that Microsoft murdered, but the Amiga as well. Apple had a hand in it by forcing Apple dealers to lose their license if they sold Amiga computers as well as Macintoshes. Then later Apple killed the Apple Dealers and did the store within a store and web store to sell Macintoshes as revenge on Apple dealers that still tried to sell Amiga One and Classic Amiga computers along with Macs.

      --
      Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  8. Re:There is a simpler, safer solution. by powerspike · · Score: 5, Insightful

    It's not that easy anymore, programs like windows, anti virus software just to name a few, require you to either phone a number to active the software, or connect to the internet, if you don't do that, it won't run until you do. Now add in they usally only let you install the software X number of times per key/product, your going to be screwed in ten years if you need to activate software from today. Safely storing your serial/product keys these days for long term use is pretty useless.

  9. Asus Conspiracies... by RudeIota · · Score: 5, Funny

    and stored his resume (presumeably, conspiracy theorists may disagree) as well as a few ÃharmlessÃ(TM) keygens and serials on it as well

    ... So, are you implying that you're a coincidence theorist???

    --
    Fact: Everything I say is fiction.