Olympus Digital Camera Ships With a Worm
An anonymous reader writes "Olympus Japan has issued a warning to customers who have bought its Stylus Tough 6010 digital compact camera that it comes with an unexpected extra — a virus on its internal memory card. The Autorun worm cannot infect the camera itself, but if it is plugged into a Windows computer's USB port, it can copy itself onto the PC, then subsequently infect any attached USB device. Olympus says it 'humbly apologizes' for the incident, which is believed to have affected some 1,700 units. The company said it will make every effort to improve its quality control procedures in future. Security company Sophos says that more companies need to wake up to the need for better quality control to ensure that they don't ship virus-infected gadgets. At the same time, consumers should learn to always ensure Autorun is disabled, and scan any device for malware before they use it on their computer."
Whew, glad my Canon doesn't mount itself as an external disk. Think of all the grief I've saved myself by having to launch something to get photos off of it.
[/sarcasm]
So, where did these cameras originate? China, Japan, Taiwan?
Third World factories seem to keep on making these mistakes.
You think they'd try making these in Japan, with full Japanese citizens making them for once?
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
I hate to ask the obvious question, but the article doesn't address it -- could this be intentional, or is it accidental?
I would imagine that some shady overboss would be willing to pay a relatively sizable amount of money (especially considering that the amount of money you'd have to pay someone in a Chinese factory to do this would not be very high) for the opportunity to infect potentially tens of thousands of computers.
Nemilar http://www.techthrob.com - Visit Me!
"So I took it back to Best Buy "
I'd post AC too if I were admitting that. Eeew.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
What kind of compensation are the makers going to offer everyone whose system they hosed?
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
It's kinda like this:
*Smack* -> *Ow!*
*Smack* -> *Ow!*
*Smack* -> *Ow!*
*Smack* -> *Ow!*
*Smack* -> *Ow!*
Would you eventually start to duck, even if you didn't understand all the reasons the fist was swinging around at nose level? But most people seem not to care about the whole hitting in the face part of things like this.
Seriously?
It's getting to the point where running a computer is turning into a full time job. I need to scan every single product I buy before using it? Isn't that why I bother to pay a premium to get name-brand products from legitimate outlets?
I'm annoyed that the ultimate time-saving device is becoming more and more of a chore. I'm expected to spend hours researching the ways in which to harden my browser against cookie tracking, to rate virus scanners using contradictory and confusing standards, to assess information that requires a degree in computer science every time I want to get a PC game to work, to pull out my law degree every time I use an online product or dive through an EULA, and now this?
I mean come on, where's it going to end? Should I do independent surge tests on the next microwave I buy before plugging it in? What about my printer, does it need a scan too? Should I take my newly purchased tires to an independent assessor? How about that new CD I bought?
Every piece of new writable media gets formatted immediately. I also have autorun killed on all my Windows boxes.
I wonder what bright soul at Microsoft thought it a good idea to extend autorun to all types of removable media. It was tolerable if annoying for CDs and DVDs, but it became downright dangerous once USB sticks and similar rewritable media were included. I wonder why they haven't decided to push an update that disables or limits the damage that this misbegotten feature can do.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
Civil and criminal penalties should be imposed on manufacturers that ship hardware that's pre-loaded with malware. As of right now, there are no consequences, which means that this will continue to happen. The only remedy that will stop, or at least curb this behavior is serious civil or criminal charges.
Companies may blame this on outsourcing, but they have chosen to outsource. They may blame it on poor quality control, but quality control is their responsibility! There is no excuse for this, and the executives that make decisions that lead to this type of security hole must be held accountable. I wish I could say that I was surprised by this news, but I'm not. It's commonplace. And until hardware and software companies are held accountable, this will continue to happen.
Facts have a liberal bias.
Maybe they were trying to keep up with Sony's rootkit.
For the customers you have the appropriate product is in trouble indeed grateful, bon appétit do so as follows: anti-virus support, thank you.
Translation issues aside, they do 'fess up honestly:
Cause
The lack of production management, computer virus has been contaminated with the camera.
I'm sure glad I don't run Windows anymore.
"At the same time, consumers should learn to always ensure Autorun is disabled, and scan any device for malware before they use it on their computer"
But what if that malware, as it seemingly often is these days, is an actual intentional part of a product?
A system has to load the image over usb! so maybe that system has a worm on it.
Why isn't the memory card formatted and completely blank?
No, companies should stop selling memory cards with unnecessary crap installed.
So it's like a bottle of tequila?
Olympus should send an Ubuntu CD to their customers.
That _should_ read: "Microsoft should stop shipping its operating systems with security holes wide open."
"National Security is the chief cause of national insecurity." - Celine's First Law
On a fully secured (DEP, non Admin account, all updates) Windows machine, I can see "quarantined" items which all appear to be "autorun.xxx.worm" , pick anything you like. It is already out of hand.
If something happened like this on Apple OS X land, Apple would roll out an operating system update and disable Autorun. Perhaps, they could show a help document about installing applications with double clicking.
Shrink wrapped/boxed software is _dead_. Even if it is not dead, it is trivial to add the "install software" control panel back. Just a line needed to be on box or "driver cd". That is all. It won't be the first time some convenience is given up for security. How many times people install the same software anyway?
I heard it no longer enables autorun on USB drives by default!
it would be a shame if 30,000 pissed off geeks were to hit it (or do any number of "interesting" things to it)
[Picture of nice store front] This is your webstore
[Picture of smoking hole] This is your webstore on Slashdot
Any person using FTFY or editing my postings agrees to a US$50.00 charge
It has nothing to do with where it is made. It is just, Olympus who isn't a no name company doesn't buy 3 of best antiviruses and setup a system where every single byte which goes out of company (digitally or physically) is checked. "All files regardless of content and header" in Kaspersky fashion.
As a Video guy, once I had to ship a CD with Video players (back in days when you need to install a mpeg player) and I clearly remember buying 3 antiviruses from leading companies of that time (didn't change a lot) and scanning the file in master ISO before giving it out. A single video guy does that at home. It doesn't cost much anyway.
I heard IBM made a similar mistake recently, it is plain sad, once the undisputed king of AV/Security suites, the big blue...
I'd re-gift it
Recently I helped a friend who had 1TB disk formatted in FAT32 to convert it to HFS+ Journaled. As I image the disk, I notice some really strange things, like .exe files in Pictures folder, the _hard disk_ itself having autorun.exe. It is not some Taiwanese invention either, it is the Western Digital. I believe it is one of the most expensive ones.
It turns out, WD _idiots_ had this great idea of installing their USB drivers named something TURBO (no kidding!) who are supposed to speed up the drive transfer. I bet it does some cache hacks etc. It also does some very unwelcome things like adding itself to startup, not removing itself automatically (of course!), does trivial and dangerous hack of adding some "WD" logo to OS X icon of the drive. OS X, of course doesn't have autorun functionality, I believe on Windows, that drive is the ultimate driver hell machine which will _also_ install couple of viruses!
That is one of the most prestigious Hard Disk manufacturers. Just imagine what those no name freaks do.
The rest of files? Some really bad worms who _all_ use autorun functionality. If I was responsible for security of Windows, I would really say "please, get a life" to those autorun loving companies and disable it the next day. Just output of ClamAV scan for that disk should make anyone who did anything about security alerted.
MS spent billions for security and fixing their image and yet, they just can't give up the absolutely stupid idea of automatically running an executable.
Well, Redhat Linux, back when the time they were shipping a Desktop Linux (5 I guess) had that neat idea of autorunning software from CD. Quake 3 from Loki did it.
Of course, as Redhat (and other vendors) have normal logic, they saw what is coming and it became a thing of past very quickly.
The problem with MS is, they even "extend" the functionality let alone getting rid of it. There is a huge risk of endless BSOD/system freeze in case of corrupt media since they made sure Windows Vista+ will check the contents of drive, reading whatever it can to show that nag window about what to do. Of course, if there is a flaw in their TIFF/JPEG etc. handling... Something way worse may happen like the Autorun/JPEG virus.
the worm or the pc?
Oh wow, I didn't see that one coming. Whoop whoop, you're so original.
that's teh shizzle bizzle
So your employees are too stupid/lazy to learn how to use a computer. Either train them or fire them.
So your brilliant solution is to fire people you spent training how to do an actual job, and replace them with people who need more training and still will not know how to use a flash drive "correctly".
All because Windows can't keep its virtual pants on at the sight of a new device.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Fail.
If something happened like this on Apple OS X land, Apple would roll out an operating system update and disable Autorun. Perhaps, they could show a help document about installing applications with double clicking.
There were Apple viruses as of the original Macintosh, which had a similar feature for automatically loading drivers, software updates, and such.
They've been there, had that done to them, and moved on.
For some reason it took Microsoft decades to get the same message.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The antivirus companies will have a market at least as long as users have root privileges on the machines they buy at the store. It doesn't matter if they ship loaded with linux and SElinux *correctly* configured. People will do stupid stuff and the home user doesn't normally have anything worth wasting a first use exploit on, so the virus scanner will continue to be a moderately useful and necessary tool for any computing equipment with significant marketshare. And actually the iPhone is an example showing that even if all the user has is physical access, they will gain root and subsequently get attacked by malware.
That is why I primarily use OSs with little marketshare for my financial computing. Maybe I just made an argument for fragmentation?
refactor the law, it's bloated, confusing and unmaintainable.
It's a feature!
I regret that I only have one mod point to give per post.
I know I got some tequila once that was shipped with a worm.
I sometimes wonder if people are going to get tired of exploiting AutoRun years before Microsoft fix it.
I've run into this worm before (or one like it). One of my clients got an external HDD full of video data. They're into video production (not porn), so often they will require data from their clients. Anyways, this worm hides in a fake Recycle Bin folder which is executed by the autorun.inf file. In turn, the infected PC will replicate to all possible drive letters. Once on a server share, all other clients will soon get infected.
It's real annoying. But if all your PCs and Servers have an up-to-date anti-virus scanner, they should now all be prevented from getting infected.
Life is not for the lazy.
The average Windows user has no idea how to disable Autorun. Or even what that means for that matter.
That if it weren't for parasites, we wouldn't have sex. Just think... if it weren't for Windows malware, we might not have Ubuntu :|
I mean, what kind of banal existence would *that* be?
WD usb drives include an autorun function to install backup software, to assist customers who would otherwise be too daft to manage setting up a robocopy routine. There is no "TURBO" feature on any of their commercial products, but nice FUD you've got there.
Everybody harping on autorun. The larger problem is insecure defaults. Autorun hasn't been nearly as bad as "Hide file extensions". For people like myself, it led to filenames like foo.txt.txt before I realized that stupidity was turned on. For people who weren't paranoid enough, it was the legendary HotChick.jpeg.exe kind of stuff.
But I digress. The real problem is poor default choices. Again and again. MS needs to realize that you can't pander too much to the very stupidest users who haven't used their product EVER. Double-clicking a CD icon, file extensions, and the permission dialog for Active X controls should be taught on day one.
In other words, MS needs to back off just a bit from the cult of usability, and educate the users ever so slightly. I mean, this is one time when their incredible market share would be helpful. It's not like all Windows users are just going to get up and leave. In the long run, it'll help them stay too.
Give up on the "cup holder" people (CHPs). They will either move beyond that stage, or they won't; but you can't, Can't CAN'T design an OS that can be used by CHPs without also making it useful for script kiddies... unless maybe you go to an AppStore model, and that's got other issues.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Probably the PC, since worms do a good job of re-gifting themselves.
Amusingly, this sort of accidental infection would be totally prevented if media (including SD cards, device internal storage, etc) were shipped unformatted, just like it was back in the days of floppies.
It wouldn't really be a big deal: First time you switch the device on, or insert the thumb drive, or whatever, it/your computer simply formats the media. Done.
This would obviously not stop a more sinister (firmware-based) attack, but I see nothing here to indicate that this particular attack vector was deliberate.
Kid-proof tablet..
I mean there is a worm in Mezcal as well and nobody complains. They even use it in their marketing and advertising.
Don't fight for your country, if your country does not fight for you.
Do you like subbed, or dubbed?
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
Well, it's better than finding porn or child porn on your gadgets. [Not]. In Pakistan most of the CDs sold in shops [pirated] are infected with viruses, this also holds true for any consumer product which is tested by the shop owner. Not many people are tech savvy here and they don't understand the risks involved when dealing with storage devices. It's a shame to see Olympus screw up in this case, but sooner or later it was bound to happen. I hope that in future they will keep an eye on things. inb4theusednortonsecuritysuite. Btw there are numerous free antivirus programs which can easily take care of the problem. I recommend Avast.
Follow me: http://www.twitter.com/dfg
They're the quintessential gift that keeps on giving.
So let's require every piece of software and every gadget to be tested just as electronics have to be tested.
You willing to deal with delay and extra costs? Thought not.
For one thing it would mean we would need REAL software engineers. The kind with real titles and real salaries and real accountability. It would change IT back to the IBM prediction: Nobody wants a computer in their home.
Mostly because they couldn't afford it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
a simple batch file to make your USB flash drive immune from autorun.inf attacks:
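@echo off
rem Ask for the drive letter, switch to that drive and go to its root
set /P drive=Drive (ie: D, E, F...):
%drive%:
cd \
rem Occupy the name autorun.inf with a directory so no file of that name can be written
md autorun.inf
rem Subfolders named after reserved devices are meant to make the directory hard to remove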
md autorun.inf\con\
md autorun.inf\aux\
md autorun.inf\com1\
md autorun.inf\com2\
md autorun.inf\com3\
md autorun.inf\com4\
md autorun.inf\lpt1\
md autorun.inf\lpt2\
md autorun.inf\lpt3\
md autorun.inf\nul\
md autorun.inf\prn\
if exist %drive%:\autorun.inf\con\ echo Autorun Proof successful!
echo.
pause
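The worm described earlier in this thread (a fake Recycle Bin folder launched through autorun.inf) and the directory trick in the batch file above can both be recognised by inspecting the root of a mounted volume without running anything from it. The Python below is an added example, not code from any poster; the function names, the sample autorun.inf and the folder and file names in it are constructed for illustration.

```python
"""Triage the root of a removable volume for AutoRun abuse (added example)."""
import os
import re
import tempfile

EXEC_KEYS = ("open", "shellexecute")                  # keys that name a program
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")   # shell\<verb>\command
BIN_NAMES = {"recycler", "recycled", "$recycle.bin"}  # Recycle Bin lookalikes
# Constructed sample, not taken from any real infection.
SAMPLE_INF = (
    "[AutoRun]\r\n"
    "OPEN=RECYCLER\\S-1-5-21-0000\\payload.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "shell\\open\\command=.\\RECYCLER\\S-1-5-21-0000\\payload.exe\r\n"
)


def parse_autorun(text):
    """Return [(key, value)] from the [autorun] section, keys lower-cased."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def triage_volume(root):
    """Classify autorun.inf at `root` and list every entry that launches code."""
    path = next((os.path.join(root, n) for n in os.listdir(root)
                 if n.lower() == "autorun.inf"), None)
    if path is None:
        return {"state": "absent", "launch": []}
    if os.path.isdir(path):  # the "md autorun.inf" trick: nothing to parse
        return {"state": "directory", "launch": []}
    with open(path, "rb") as fh:
        data = fh.read()
    # The file may be UTF-16 with a BOM; latin-1 decodes any other bytes.
    bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = data.decode("utf-16" if bom else "latin-1")
    launch = []
    for key, value in parse_autorun(text):
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            parts = re.split(r"[\\/\s\"]+", value.lower())
            launch.append((key, value, any(p in BIN_NAMES for p in parts)))
    return {"state": "file", "launch": launch}


def demo():
    """Triage two constructed volumes: sample file vs. placeholder directory."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, safe = os.path.join(tmp, "bad"), os.path.join(tmp, "safe")
        os.makedirs(os.path.join(bad, "RECYCLER"))
        os.makedirs(os.path.join(safe, "autorun.inf"))
        with open(os.path.join(bad, "AUTORUN.INF"), "w", newline="") as fh:
            fh.write(SAMPLE_INF)
        return triage_volume(bad), triage_volume(safe)
```

Each tuple in `launch` is (key, value, points into a Recycle Bin-style folder); the icon entry is ignored because it does not start a program.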
The problem with the article isn't that it blames the consumer, it's that it's flat out wrong. Autorun is off by default these days - so there's no need to blame the OS, or the consumer. (If the consumer grants privileges to an untrusted application, then yes they are to blame - and that's a problem in any OS, not just Windows.)
I was reading this and it struck me that I really don't *get* how this happens. The hardware is stamped out... assembled.. and then the device imaged from one source, right? Is this a case of an infected source via some jackass in the office playing around on 4chan, or is this a deliberate and malicious action ala corporate espionage?
Tm
Support TBI Research: http://www.raisinhope.org
"There is no "TURBO" feature on any of their commercial products, but nice FUD you've got there."
Dear AC or WD something
Here is the directory from that drive:
$ls
WD_Windows_Tools autorun.inf
(remaining file, since it is virus cleaned)
$WD_Windows_Tools: ls
restart.exe
Please tell me a logical reason why a hard disk, a portable one, runs "autorun" and why it even needs a restart? Let me tell why. Those incompetent friends of yours also install a Windows driver, in the old-fashioned way. My friend is very glad that she works at DTP sector where "everything happens", someone could even claim that she was installing trojans to their private network thanks to WD.
There is no "Turbo" software? WD support site says otherwise:
http://support.wdc.com/product/download.asp?groupid=116&sid=108&lang=en
File Name: WD+TURBO_Installer_v_1_1_0.zip
It is full of kernel extensions. At least it is OS X where such junk is easily hunted thanks to directory structure. On Windows with 3000 file system32 and 100MB registry? Good luck.
BTW, the drive which that image resides is a WD hard disk too and I am perfectly happy about it, my first drive that actually hit SATA1 bandwidth speed limit.
OS X has a HFS flag (bit I guess) that will display the content of the removable storage if it is set. Toast Titanium has that function and Apple -of course- uses it for OS X Install DVD, iLife tools install DVD. Note it DISPLAYS, doesn't do anything else. So you see a nice "Install xxxxxx" to double click on it, by _your_ decision.
Once upon a time, we users had a convenient feature, that we can install input managers to our home directory (e.g. 1password, grammarian) without needing to install them as Admin. The day couple of morons exploited this feature for their trivial "OS X can get viruses" demos, Apple deprecated it and totally removed it from 10.5+. Now, an input manager has to have very strict permissions and owner (root) and has to be installed to /Library/Input Managers. Input managers in home directory are ignored. That required a lot of software to be changed and in fact, unfortunately, some software to be totally dead for average user.
There are several decisions like that on Apple land which generates a lot of Developer flame sometimes. MS should take "good aspects" of Apple OS X just like Apple does sometimes. There would be no loss if some explorer window pops up instead of automatically running something.
Even better, how do you scan it before you use it on your computer? You have to connect it before you scan it, right?
Stupid (L)user: OK.
Yes, and five minutes after they are calling you back to explain it again. And again.
You have obviously never worked anywhere near IT support for a company of any size whatsoever.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
You would need an execute file attribute first of course