Slashdot Mirror
How Asus Recovery Disks Ended Up Carrying Software Cracks
Anthony_Cargile writes "We all now know about Asus shipping illegal software cracks and confidential documents/source code on their recovery DVD (and in the system root), but this article tells exactly how it happened. It's even more careless than you think, and most likely an accident."
Asus Recovery DVD scandal: How it happened
Posted by anthony Published in Security, Software
For those who havenâ(TM)t already heard, the PC OEM company Asus was involved in a major scandal where a directory on the recovery DVD and inside c:\Windows\ConfigSetRoot\ contained a software crack for the WinRar program, software serial numbers, a resume (presumably for a now-jobless Asus employee), an internal Asus powerpoint describing âoeknown compatibility issuesâ, Asus source code, and even an OEM issued Microsoft document, which mainly says âoedo not distribute DR-DOS with any computersâ.
We now know from an OEM source how exactly the files got where they did in the first place, and it isnâ(TM)t very surprising.
An Asus representative said they would be investigating the matter, and while someone is still going to lose their job over this just so Asus can say so, the way the files made it to thousands of PCs is pretty common.
An OEM employee (name not mentioned here) discussing the matter said that during the vista installs, the generic vista disc installing the OS looks for an XML file (unattend.xml) on a flash drive, and upon finding it the installation parses it and runs the XML code as installation instructions so nobody has to go through the installation menu for the hundreds of synchronous installations (hence the unattend).
BUT⦠there is another twist: If a certain tag or attribute is present, all files other than unattend.xml itself on the flash drive will be copied to c:\windows\configsetroot - see the connection?
So apparently an Asus employee happened to have a personal flash drive, and stored his resume (presumeably, conspiracy theorists may disagree) as well as a few âharmlessâ(TM) keygens and serials on it as well, in his defence in case maybe he lost the serial to winrar or other programs. Apparently the same employee used the flash drive to store or back up confidential Asus documents and source code, as well.
So if the Asus internally distributed unattend.xml file was copied to this unnamed (and jobless) employeeâ(TM)s personal flash drive, and included the xml tag/attribute to copy over everything to the system root and, therefore, recovery DVD as well, then voila! Then the only way somebody could come under fire because of this is because of oh, I donâ(TM)t know, not checking the installation root once everything was installed!
So now we know HOW exactly this whole ordeal was started, and there is a lesson to be learned hereâ¦. somewhere.
I can how an internal ASUS USB flash disk with an unattend.xml file on it, might get used to move documents around, and then also get used to install windows.
That might explain how certain documents got put on a lot of harddrives inside ASUS.
It doesn't explain how that directly ended up being part of what they made an ISO out of, and how no one apparently did quality control and checked every single file on a CD before it was replicated and sent out to the world.
FTA:
"c:\Windows\ConfigSetRoot\ contained a software crack for the WinRar program...
So apparently an Asus employee happened to have a personal flash drive, and stored his resume (presumeably, conspiracy theorists may disagree) as well as a few harmless keygens and serials on it.."
It amazes me that this employee chose illegal means of getting an archiving program instead of using a FOSS solution such as 7-zip ( http://www.7-zip.org/).
I know some companies have protocols for handling FOSS software, but this should have never have happened if the employee had just turned to his company's legal department for obtaining software licenses.
while(1) attack(People.Sandy);
I am completely unsurprised. When I heard about it I thought, "Oh, some jackball inadvertently copied his personal files via some install script. That's pretty funny."
I personally have the exact same stuff on my thumb drive - my resume and some cracking tools. As we all know, nobody tests their own work. That's why testers have jobs.
So he screwed up - at least he has a good story to tell!
This is disappointing. A few months back ASUS got into a flamewar with GIGABYTE. GIGABYTE came out and told Tom's Hardware that ASUS used inferior parts, changed their % gains versus their competitor without changing the product whatsoever, and that ASUS's EPU feature is software instead of hardware(meaning it is inferior to GIGABYTE). GIGABYTE did come back and appologize for claiming ASUS used inferior parts(it was found that it was a different vendor's board that contained inferior parts). ASUS threatened to sue any website that talked dirty about ASUS when this all came to light. Check out http://www.tomshardware.com/news/asus-gigabyte-motherboard,5348.html to read about the GIGABYTE versus ASUS drama. Then check http://www.tomshardware.com/news/asus-gigabyte-motherboard,5480.html for ASUS suing GIGABYTE for the bad publicity.
I have been an ASUS user for many years, building many computers with ASUS parts. While GIGABYTE did include some false claims, they did have valid complaints for their other arguements. I was one of the people that was stuck with a motherboard that cost me $250 that didn't do quite what it was supposed to do, and as a result my linux based computer cannot use their power management function(because it is software based). GIGABYTE's is hardware, and is enabled in BIOS and doesn't care which OS you use. This one hit home for me. My computer is on 24x7, and I wanted my computer to be green. Unfortunately that dream will not be a reality with ASUS hardware.
This again paints a bad picture of the quality work ASUS has been doing lately. I am sure that my next motherboard won't be ASUS. They have lost points with me, and I am going to check out one of the other top tier motherboard companies.
I have never purchased a motherboard from GIGABYTE, but I'm already looking for motherboards for Nahelem when it comes out next month, and I'm not even looking at what ASUS is offering. Bite me once, shame on you. Bite me twice, shame on me!
Reasons for leaving ASUS:
1. Changing your product efficiency % gains after shipping the product for months, AND not changing anything on the product! As if they wouldn't get caught? Competitors are always shopping their other competitors!
2. They fail to mention that EPU REQUIRES Windows to run. I don't care what ASUS says. If it requires software(Windows based at that!), then it's software based. Even if its hardware functions are enabled by using the software.
3. Suing anyone who talks about their bad publicity from GIGABYTE. WTF? Seriously, WTF? That's RIAA type behavior, and I will not tolerate that type of child in my house.
It's not that easy anymore, programs like windows, anti virus software just to name a few, require you to either phone a number to active the software, or connect to the internet, if you don't do that, it won't run until you do. Now add in they usally only let you install the software X number of times per key/product, your going to be screwed in ten years if you need to activate software from today. Safely storing your serial/product keys these days for long term use is pretty useless.
and stored his resume (presumeably, conspiracy theorists may disagree) as well as a few ÃharmlessÃ(TM) keygens and serials on it as well
... So, are you implying that you're a coincidence theorist???
Fact: Everything I say is fiction.