Major Australian Retailer Accused of Selling Infected Hard Drives
skegg writes "Dick Smith, a major Australian electronics retailer, is being accused of regularly selling used hard drives as new. Particularly disturbing is the claim that at least one drive contained malware-infested pirated movies, causing the unlucky buyer significant data loss. Apparently the Fair Trading Commissioner will be conducting an investigation."
The summary is wrong. The article says that the drive "was filled with pirated movies and which, he suspects, contained malware that corrupted his work."
He is embellishing for the media or trying to claim the dog ate his homework (or dingo ate his baby?).
I have something in common with Stephen Hawking...
The parent couldn't be more correct.
People discount regular data files as being malicious simply because they're not labelled executables. What they don't think is that those files are opened by executables. These executables are often trusted programs, which makes this an even bigger threat to a system as the malicious code can run hidden under the legitimate process and do its work. There's anything from buffer overruns to file parsing mistakes in the programs that can open them up to become a conduit for abuse.
An example of this is Adobe Reader's countless exploits with the PDF file format.
Actually, Dick Smith is a great guy. Dick Smith Electronics on the other hand has been owned by Woolworths for over 20 years now and is useless compared to its former glory.
I don't know how it is in Australia, but around here, you can return anything you bought online within 14 days and get your money back (as long as you can actually return it as you got it, so food/software etc usually not included).
What do people expect happens to stuff that gets returned? Of course it goes on sale again. Otherwise selling online would be economic suicide...
In Australia it is illegal to re-sell used returned goods as new. The goods can be re-sold but must clearly be marked as returned items, and usually a discount is offered for accepting the goods in this condition. (The discount might not be offered if the item is in high demand).
What's more, if goods have been returned and the item registered or activated online or similar, they are not supposed to sell the item. That is the secondary reason that computer software isn't returnable at most stores (though there are exceptions like EB games).
These posts express my own personal views, not those of my employer
This is an incorrect assertion, an assertion my previous post debunked, but I suppose I'll re-explain:
You could have a drive full of PDFs, you could have it full of PNGs, whatever file format you'd like. You could mount the drive as noexec; however, when it comes down to it, a trusted program (NOT ON THAT DRIVE) can interact with those files and since file formats can be complex AND since the programs opening them are also complex, there's a chance that the program will be vulnerable to a crafted file that tricks the program into doing something that a "regular movie" or whatever wouldn't do and may not have been tested for.
If you've written a file parser of any kind, you'll see how complicated it gets in having your program code check the file for abnormalities before interacting with it. This complexity is a steep curve and all it takes is not checking an array boundary for your program to mistakenly leak data memory into its executable memory space.
The old adage plays correct here: Never trust user inputs.
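
The array-boundary check discussed in the comment above, as an added example that is not part of the original thread: a parser for one length-prefixed record, shown first trusting the length stored in the file and then validating it. The record layout (1-byte tag, 2-byte big-endian length, payload), the function names, `TITLE_MAX` and the sample byte strings are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 32
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_BAD_TAG = -3 };

/* Constructed samples: a valid record, one whose length field claims more
 * bytes than the file holds, and one longer than the destination buffer. */
const uint8_t SAMPLE_OK[]     = {0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
const uint8_t SAMPLE_LIAR[]   = {0x01, 0xFF, 0xFF, 'A'};
const uint8_t SAMPLE_LONG[43] = {0x01, 0x00, 40};

/* BEFORE: trusts the length field. A declared length above TITLE_MAX writes
 * past 'title'; one above the file size reads past 'buf'. Shown for
 * comparison only and never called here. */
void parse_title_unchecked(const uint8_t *buf, char *title)
{
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    memcpy(title, buf + 3, len);
    title[len] = '\0';
}

/* AFTER: every value read from the file is checked against the bytes
 * actually present and against the destination size before it is used. */
int parse_title_checked(const uint8_t *buf, size_t buf_len,
                        char *title, size_t title_size)
{
    if (buf_len < 3)
        return PARSE_TRUNCATED;        /* header itself is incomplete */
    if (buf[0] != 0x01)
        return PARSE_BAD_TAG;
    size_t len = ((size_t)buf[1] << 8) | buf[2];
    if (len > buf_len - 3)
        return PARSE_TRUNCATED;        /* claims more than the file holds */
    if (len >= title_size)
        return PARSE_TOO_LONG;         /* no room for payload + terminator */
    memcpy(title, buf + 3, len);
    title[len] = '\0';
    return PARSE_OK;
}

int main(void)
{
    char title[TITLE_MAX];
    printf("ok:   %d\n", parse_title_checked(SAMPLE_OK, sizeof SAMPLE_OK, title, sizeof title));
    printf("liar: %d\n", parse_title_checked(SAMPLE_LIAR, sizeof SAMPLE_LIAR, title, sizeof title));
    printf("long: %d\n", parse_title_checked(SAMPLE_LONG, sizeof SAMPLE_LONG, title, sizeof title));
    return 0;
}
```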