Somebody Tried To Convince a Raspberry Pi Exec To Install Malware On Its Devices

An anonymous reader writes: Liz Upton, Director of Communications for the Raspberry Pi Foundation, has just published an email where someone was asking how much would it cost them for the Foundation to install malware on its devices in the form of a .EXE file. The email sender was asking for a PPI [price per install] quote.

Okay...

[pushing-robot]

That's just stupid on so many layers.

Re: Okay...

Is it? Newer Linux distros typically come with systemd, which many users consider to be malware because it's unwanted and can have a very negative impact. So it's not like Linux is any better in reality, I'm sad to say.

Re: Okay...

Not really stupid.

They asked because they know that, in the majority of people, everyone has a price.

Greed is a powerful motivator. It is pretty much why we are where we are today. Why we can't trust anything, or anyone, to do the right thing.

It's why I have to lock down any device I attach to my network. Isolate it, prevent it from probing or calling home.

Greed.

It's the reason this country exists today and will ultimately be the cause of its downfall.

Re: Okay...

[NotInfinitumLabs]

Is it? Newer Linux distros typically come with systemd, which many users consider to be malware because it's unwanted and can have a very negative impact. So it's not like Linux is any better in reality, I'm sad to say.

Holy shit, why can't people shut up about systemd? You people seem to bring it up at EVERY single opportunity, even if it's REMOTELY related.

Re: Okay...

[SharpFang]

Layer 1: RPi runs Linux. Good luck with the exe.
Layer 2. RPi comes without any internal storage to install this on. They'd need to include it in SD images
Layer 3. RPi is a tinkerer's machine, the malware wouldn't survive a day.
Layer 4: "The exe creates a desktop shortcut to our website" - you need .exe for that?
Layer 5: even if it does - most RPis are run headless. And many of these with screens run without network ...there are more if you think about it.

Re: Okay...

[gweihir]

Seriously, that is just uninformed bullshit. You can, for example, install a current Debian without systemd being active without too much trouble. In fact, for every server where you need reliability and security, it is a really good idea to do so as systemd sabotages both due to bad software engineering on all levels. Sure, if you want all trace of it to be gone, you may have to do without some not very good software like Gnome, but that is not really an issue.Gnome (and KDE) are pretty much redundant and catering to those with weak skills anyways.

I can only conclude that you are one of the utterly dishonrorable proaganda-shills for systemd and mean to push the idea that you cannot escape getting fucked by it, so you better bend over and take it. Not so.

Re: Okay...

[i.r.id10t]

Layer 1 has been done. THe "install now" icon on a live CD, the Store in Ubuntu, etc. Heck, just mkdir /etc/skel/Desktop and put the file there and call it a day....

Layer 2 would be sticky, but yes, include it on their images. Quote the $BAD_COMPANY $10 to cover the cost of a SD card to include with the board on sale and $2 or more of profit.

Layer 3 is the Truth and where it would stop even if it were included on a free SD card. Heck if I buy a new Dell laptop the first thing I do is image the hard drive, then wipe and reinstall from the provided disk and get rid of all the add-on crap - what MS includes is enough, I don't need trial versions of various things on there as well...

Layer 4 running linux even a shell script is executable - you'll have to pardon the marketing intern that wrote the email ... after all, they are in marketing, how much technical knowledge do you expect them to have?

Layer 5 - headless, yes, my Pi runs headless doing DHCP and DNS duty for my home network. As do several others that I know of. The majority of the ones I've seen in the wild though have been used to run changing adverts/displays on TVs mounted in various places... and they are all on a network to enable updates via screenly or similar service. In short, a Pi has many more uses when connected to a network... not that they aren't useful with only 127,0.0.1 ...

Re: Okay...

Diff AC here.

I think you're full of shit when you claim that:

You can, for example, install a current Debian without systemd being active without too much trouble.

I tried installing Debian Jessie recently. I wanted to do just what you claim is easy: not use systemd at all.

Now maybe I just overlooked it, but at no time during the installation process do I recall an option being presented to me to not install systemd.

Now if by "without too much trouble" you mean having to do some research, then run some potentially-risky commands, and otherwise modify the system after doing an installation of Debian that includes systemd by default, then you've already entered the "too much trouble" zone.

Re: Okay...

[Lost+Race]

Since you brought it up....

Complaints about systemd are like complaints about the TSA -- richly deserved, but kind of pointless, because that shit is just not going away (until it gets superceded by something even worse).

Re: Okay...

[Skylinux]

Just making sure you don't forget how bad that shit is. Works OK'ish when everything works but damn what a pain in the ass to debug when a service fails to start ..... for some reason.

All our servers have switched to BSD. Should have done this a lot sooner since BSD just makes sense when you have worked with a various Linux distros over the years .... LSB was a good idea but no one gave a fuck.

Re: Okay...

[gweihir]

Well, if googelig "jessie without systemd" and then reading about 10 lines in the debian wiki is too much effort for you, then you are right that it is "too difficult". On any competence level above "incometent" this should however be acceptable, and it requires neither dangerous commands, nor even looking at any non-Debian documentation.

Sure, that the installed does not offer it is a valid concern and I have criticized that in the past rather strongly. However claiming that it is hard or risky to get Debian to run without systemd is just opening up oneself to ridicule, because it is not. Now, if you want to remove udev to have no trace from the systemd-complex left, that would be somewhat difficult, but getting rid of systemd itself is not.

Make no misrtake, I am very much opposed to the default an the missing alternative in the installer, as I think systemd is not ready for prime-time, not universal enough to be the default and has some rather questionable software engineering decision it it. But attacking it with wrong claims is not going to work well.

Re: Okay...

[RockDoctor]

Works OK'ish when everything works but damn what a pain in the ass to debug when a service fails to start

So, totally different to GRUB?

Says I, about to have to go into the depths of GRUB.

Re: Okay...

[allo]

Its not called Linux, its Systemd/Linux or like i prefer Systemd+Linux.

Do it.

[Jethro]

Hey, free money. Not like the PI has any permanent storage so they'd just have to stick the file on some chip somewhere, where it can't really be accessed. Not that an .exe would even be executable.

Better yet - ship every Raspberry PI with an SD card labelled "Malware - Please execute immediately."

Re: Do it.

[Jethro]

Shhhh! Don't ruin this! I want a free SD card!

Re: Do it.

[messymerry]

Whatr u gonna do w a 256k SD card???

Re: Do it.

I don't think you know what RAM actually is.

Re: Do it.

[Jethro]

I figure Raspberry charges them $20 per unit and gives us a free nice SD card. Now do you guys want to please stop ruining this with facts???

Re:Do it.

[meadow]

Why does she say it was malware? Perhaps that is the business model of the company and they just want to have their app/site or a link to it included on users desktops? If that alone makes it malware, then - excuse me - but just about every major company in Silicon Valley are huge malware distributors because that's all they do: Cram unwanted apps/sites down people's throats.

I would even venture to guess that what this one company is doing is probably highly innocuous compared with the evil shit being incessantly perpetrated by SV companies.

Re:Do it.

[Jethro]

"Bloatware" would probably have been a better term to use.

Re: Do it.

[leslieh1]

Don't call me dude, pal.

Sensationalist Headline, bad reporting

So after reading the email, I would have to say this headline is sensationalist, and overall bad reporting. So much so that im actually making this post, which i have never done on /.

Nowhere are they asking them to install malware, or install it without the consumers consent. Essentially what they are asking is that their application be packaged with with the pi, and the user be asked to install the software. Basically the same thing most "freeware" on the internet does. He you want our app? What about this one and this one and this one to.

Ive dealt with representatives from foreign companies before, and their command of the English language is about as excellent as google translate will allow. You have to use your brain a little when reading them, but its usually fairly easy to understand and don't leap to conclusions to create headlines like this.

Re:Sensationalist Headline, bad reporting

[JaredOfEuropa]

Linda, is that you?

Re:Sensationalist Headline, bad reporting

[hawguy]

So after reading the email, I would have to say this headline is sensationalist, and overall bad reporting. So much so that im actually making this post, which i have never done on /.

Nowhere are they asking them to install malware, or install it without the consumers consent. Essentially what they are asking is that their application be packaged with with the pi, and the user be asked to install the software. Basically the same thing most "freeware" on the internet does. He you want our app? What about this one and this one and this one to.

Ive dealt with representatives from foreign companies before, and their command of the English language is about as excellent as google translate will allow. You have to use your brain a little when reading them, but its usually fairly easy to understand and don't leap to conclusions to create headlines like this.

That was my thought too -- this appears to be just like the bloatware that comes with every new PC (and phone). Annoying for sure, but it's a stretch to call it Malware unless the software does something more nefarious than installing a desktop shortcut.

Re:Sensationalist Headline, bad reporting

[penguinoid]

That's called Crapware. It's not necessarily nefarious, just unwanted and unnecessary. If the developers are paying people to pre-install it, it's almost certainly crapware at the least or maybe even adware or other malware.

Re:Sensationalist Headline, bad reporting

[Xenna]

Note that Liz Upton, the addressee, used the phrase malware herself. That's where the sensationalism started. Just blindly converting it into a Slashdot headline, that's the bad reporting part.

Whatever happened to common sense...?

Re:Sensationalist Headline, bad reporting

[Mr+Z]

Without seeing the linked site, it's hard to say what exactly the EXE was meant to accomplish. If it's some sleazoid V14GRA site, or Scan Your PC Now for Viruses site, it's pretty easy to call it malware.

Some relevant information was redacted, unfortunately.

Re:Sensationalist Headline, bad reporting

Hang on a sec. A poorly written email asking to install an .exe into your customer's systems? Yeah I'd assume it's malware also, especially with no source available.

Which makes one wonder, how does Dell, etc. vet the crapware they put on their Windows systems? Do they insist on seeing the source?

Re:Sensationalist Headline, bad reporting

[Vokkyt]

Though this may be me projecting my own prejudices with bundled software, nearly a decade of working in tech support has loosened my definition of malware to include basically any software put on the user's computer without the user's informed consent. Many bundled packages and suites behave in the exact same manner as actual malware and are just as difficult to remove, if not more so in some situations as anti-malware/AV software will not see this software as "malicious" and will not remove it automatically. Given that one of the foci of RaspberryPi's is to provide a cheap computer option for whatever needs, it simply would provide a misleading option to users like the bundled junk that often comes on cheap Windows based laptops.

I am not purporting that this is what was meant by Ms. Upton, but it's not hard to see how she and basically most people could see the proposed software as "malware" to be bundled.

Re:Sensationalist Headline, bad reporting

[AmiMoJo]

It's suspicious but not definitively malware. They say they want to put a shortcut on the desktop, that's all. We don't know if it does anything else, or if the linked site is full if malware. It could be entirely innocent, so I don't think malware is correct at this stage.

Re:Sensationalist Headline, bad reporting

[Razed+By+TV]

It's hard to conclude that this is not malware based off the email when you don't know who the company is or what they wanted to install.
There is so much of this crap that requires malware tools to uninstall that comes bundled with other software. Toolbars, download assistants, things that make you an unknowing host in what is basically a torrent network.

You don't need to include a third party exe in your installer just to throw a desktop shortcut to thirdpartycompany.com. I think it is a little naive to assume that the third party must have honest intentions and that this is due to a language barrier.

Re:.EXE file?

Windows 10 core running on Raspberry Pi is freely available from Microsoft.

How many people have actually installed it is a different issue entirely.

Re:.EXE file?

[carbuck]

I thought it was common knowledge by now, but even the 2nd link states "Raspberry Pi devices can run Windows as well, not just Linux variants." So it's kind of like distributing a .exe for your Windows 10 machine..

Sure

[kimvette]

Sure - install it on a Linux system and include in the documentation:

"Hey! We helped subsidize the cost of your device by including malware on it. If you really, really want to run it, you can install wine but without installing that framework or some sort of Windows emulator it will not run so we felt it is a safe choice to include on the system. It is located in /tmp and will be cleaned up by a cron job after a week, and it isn't marked as executable so even if it were a Linux executable it would not run without your adjusting permissions anyhow, but we urge you out of principle to do an 'rm /tmp/scumbag-sucker-malware.exe' at your first opportunity."

Offer it at a discounted price, and the malware-free version at the usual price. As a bonus dox the malware provider. ;)

Re: Sure

[kimvette]

I hate SystemD because it is unnecessarily complex, becomes a single point of failure for many subsystems, logs to a binary file by default (dafuq?), and is contrary to the *nix mantra of one tool, one purpose. It is essentially a solution looking for a problem.

However, to be fair, I still have yet to see it be the cause of a boot failure.

Re: Sure

[Billly+Gates]

Go to the win32 world and try to package and administer an SCCM environment with system center 2012 and you will be crying for SystemD back?!

SystemD will be an excersize in simplicity in comparison

Re: Sure

[kimvette]

udev != SystemD.

Re: Sure

[kimvette]

Yep.

It isn't malware at all and calling it as such is just silly.

It's just a bad idea to put everything into one component. We may as well run something like Windows with its configuration database (regedit) and crappy logging system - which is fine (if time consuming to review) when it works, but when it breaks, it's a royal PITA to repair, hence Microsoft Tech Support's "Reformat & Reinstall" answer to all Windows problems.

Re: Sure

[Zero__Kelvin]

Mentioning the registry in the same discussion as systemd just shows that you don't understand at least one of those two things at all. 3rd part applications can (and do) change the Windows registry. That is where the clusterfuck comes from with the registry.

"It's just a bad idea to put everything into one component. "

You seem to be mistakenly thinking that systemd violates the "don't put all your eggs in one basket rule". The problem is that if you break a single egg you have broken the system, so spreading your eggs in different baskets just means you have more baskets to protect and manage, with no actual benefit from egg dispersion. Keeping "all your eggs in one basket" is an advantage as it allows you to focus on securing and protecting a single basket, and focus all your efforts on robustness of a single system, rather than several systems.

Short On Facts

[Frosty+Piss]

That's just stupid on so many layers.

And that's where the problem with the story is: Who, especially a "black hat" would make such an approach or advise their "marketing" team to do so? I find it difficult to believe.

Not saying it didn't happen, but I think it's suspect. It's possible that it's a "false flag". Or perhaps it's completely made up by someone at RaspberryPi? Why would they censor the name of the offending company? Wouldn't they want people to know who's doing this sort of thing?

Too many questions to buy this completely.

Re:Short On Facts

[luvirini]

Given that at least Lenovo installed such on new computers a while back I would not be surprised if many producers of computers did not get a lot of such proposals,

Re:Short On Facts

[leftover]

As someone who has followed RasPi since the beginning, I trust Liz Upton. She has always provided plain, unadorned truth to the best of her knowledge.

If she says someone wanted to pay them to put shit in the ice cream, I believe her. That the approach was so bold suggests to me this was not an isolated event. What we old grumpy technologists need to do is hunt these creeps down and make sure no computer is ever loyal to them again.

Re:Short On Facts

[ArmoredDragon]

Not saying it didn't happen, but I think it's suspect. It's possible that it's a "false flag"

No, this is somewhat typical in Eastern countries, i.e. professional malware software companies pay system integrators to install crap on their systems. This letter itself looks like it was written by somebody from China (most of the spammers there learn English in chat sessions, i.e. selling gold in World of Warcraft, so they pick up a lot of the crap habits that people have in those places, hence this letter is full of shit speak, i.e. instead of "you" they say "u", or other things like often saying hehe or haha when something isn't at all funny; note the "Hah." at the end of the paragraph.)

Anyways if you've ever heard of those incidents where anything from flash drives, phones, laptops, etc, have come with malware out of the factory, it's usually because some spammer paid off somebody with the ability to add it to the master images, and that person pockets the money.

Re: .EXE file?

Windows has a perfectly fine package manager. When you want to install a package you simply double click setup.exe and hit enter until the window disappears. Uninstalls are easy to, you just reinstall Windows and install every package except for the one you don't want.

Is it the same Liz Upton

who's married to the Pi hardware designer, and who made tasteless and morbid jokes on her Twitter stream about Steve Jobs' and him dying from pancreatic cancer?

Re:Is it the same Liz Upton

[Cederic]

I didn't see those, could you share? It's cold and wet here, could do with a laugh.

What is this, the FBI/CIA?

[fustakrakich]

Why the redaction? Sounds bogus

Calm down, calm down

[arglebargle_xiv]

It's just a generic form-letter email that would have been sent to an auto-generated list of any number of systems integrators and anyone else that might possibly respond. That's how the bloatware that gets included in Windows PCs ends up on there, it could be describing SymantecNortonLenovoToshibaHuluNetflixCyberlinkDellSkype7ZipAccuweatherRealTek SuperEssentialClickOnMe.

In any case there's already a malware-installer "EXE file that installs a desktop shortcut, that when clicked redirects users to a specific website" for the Raspberry Pi.

Re: .EXE file?

[AndroidCat]

If it had been a .com file, at least it would have been small.

An exe? Yeah that'll work.

[AndroidCat]

-rwxrw-rw- 1 pi pi 582 Apr 23 1999 Carved Stone.bmp
drwxr-xr-x 2 pi pi 4096 Mar 9 2015 Desktop
drwxrwxrwx 3 pi pi 4096 Sep 4 11:51 Devel
-rwxr--r-- 1 pi pi 49 May 15 2015 golog
drwxr-xr-x 3 pi pi 4096 Nov 8 22:40 indiecity
drwxr-xr-x 4 504 staff 4096 Feb 11 2013 mcpi
drwxrwxr-x 2 pi pi 4096 Mar 10 2013 python_games
-rw-r--r-- 1 root root 254 Mar 15 2014 test.js
drwxr-xr-x 3 pi pi 4096 Mar 9 2015 tmp
-rw-r--r-- 1 pi pi 5 Dec 26 01:10 totally_lame_malmare.exe