How Asus Recovery Disks Ended Up Carrying Software Cracks

Anthony_Cargile writes "We all now know about Asus shipping illegal software cracks and confidential documents/source code on their recovery DVD (and in the system root), but this article tells exactly how it happened. It's even more careless than you think, and most likely an accident."

Re:This doesn't explain everything

[RGRistroph]

I had forgotten that it was a windows restore CD, I was thinking in terms of a driver CD or something.

However, there exist tools that are designed to do exactly that sort of thing. I run something that checksums every file on a server and compares it to a known good value, as part of an intrusion detection system. If I were shipping a windows computer otu of manufacturing, I would take file lists from as-shipped as well as after restoration, and I would compair them against other windows installations, and make sure I knew a reason why every single different file was different.

It's not that hard. Once you write a script to go through and get the file list out of all the .cab files, and subtract that from what's on the disk, what's left is not that much. Just the pre-installed cruftware and whatnot . . . maybe they had so much of that, these files got lost in the noise.

So, what had to happen was this:

1) Employee got the "official vista install" USB fob, probably used it, and then he or someone else used it as a hand file transfer mechanism, adding more files to it

2) This non-pristine USB fob was used again to install the "master" harddrive that would be used to make recovery DVDs shipped with the product

3) No one carefully checked the files on that recovery, OR the USB fob infection had also gotten to the vista's that he compaired against

Still seems sloppy to me. If you know you are going to be dealing with a behemoth like Vista, one of the things you do is write scripts or develope tools to deal with it.

One thought I had, is that this would be a way to make a virus replicate. What if instead of random crap, it put some kernel driver in windows that checked to see if you were writing an "unattend.xml" file and dumped itself on that drive if so ? Some minimal attempts at hiding might take you a long way, given that there appears to be little quality control. How to get it into the OEM so it will be re-distributed ? Oh, just add it to a cracked copy of WinRAR and post it on a warez site, that apparently works.

Lately their quality has been going downhill...

[cyberjock1980]

This is disappointing. A few months back ASUS got into a flamewar with GIGABYTE. GIGABYTE came out and told Tom's Hardware that ASUS used inferior parts, changed their % gains versus their competitor without changing the product whatsoever, and that ASUS's EPU feature is software instead of hardware(meaning it is inferior to GIGABYTE). GIGABYTE did come back and appologize for claiming ASUS used inferior parts(it was found that it was a different vendor's board that contained inferior parts). ASUS threatened to sue any website that talked dirty about ASUS when this all came to light. Check out http://www.tomshardware.com/news/asus-gigabyte-motherboard,5348.html [tomshardware.com] to read about the GIGABYTE versus ASUS drama. Then check http://www.tomshardware.com/news/asus-gigabyte-motherboard,5480.html [tomshardware.com] for ASUS suing GIGABYTE for the bad publicity.

I have been an ASUS user for many years, building many computers with ASUS parts. While GIGABYTE did include some false claims, they did have valid complaints for their other arguements. I was one of the people that was stuck with a motherboard that cost me $250 that didn't do quite what it was supposed to do, and as a result my linux based computer cannot use their power management function(because it is software based). GIGABYTE's is hardware, and is enabled in BIOS and doesn't care which OS you use. This one hit home for me. My computer is on 24x7, and I wanted my computer to be green. Unfortunately that dream will not be a reality with ASUS hardware.

This again paints a bad picture of the quality work ASUS has been doing lately. I am sure that my next motherboard won't be ASUS. They have lost points with me, and I am going to check out one of the other top tier motherboard companies.

I have never purchased a motherboard from GIGABYTE, but I'm already looking for motherboards for Nahelem when it comes out next month, and I'm not even looking at what ASUS is offering. Bite me once, shame on you. Bite me twice, shame on me!

Reasons for leaving ASUS:

1. Changing your product efficiency % gains after shipping the product for months, AND not changing anything on the product! As if they wouldn't get caught? Competitors are always shopping their other competitors!

2. They fail to mention that EPU REQUIRES Windows to run. I don't care what ASUS says. If it requires software(Windows based at that!), then it's software based. Even if its hardware functions are enabled by using the software.

3. Suing anyone who talks about their bad publicity from GIGABYTE. WTF? Seriously, WTF? That's RIAA type behavior, and I will not tolerate that type of child in my house.

I'm curious about that anti DR-DOS document

[electrogeist]

OEM issued Microsoft document, which mainly says "do not distribute DR-DOS with any computers".

Is this something recent? Someone have one of these restore CDs to post the text? With the history of bad blood this could be a story in itself

Re:TFA

[AKAImBatman]

encrypt all sensitive data?

I was gonna say, "Use a Mac".

Or Linux. Or Solaris. Or SOMETHING other than Windows.

It seems to me that Windows and Office are far too often the culprits of accidental leaks. Microsoft's strategy has always been one of convenience rather than security, so it's no surprise to me when these things happen. If you're looking for a decent home system, fine, use Windows. If you're going to use it as an employee workstation, be paranoid. But never, ever, ever deploy it to the production floor of anything!

Not that anyone is going to listen to me. I'm just going to keep seeing more blue screens on busses, trains, airplanes, ATMs, factory floors, and anywhere else it's actually important not to use Windows.

Re:Crack vs. Foss

[__aardcx5948]

Then again WinRAR has no purpose. 7zip ( http://www.7-zip.org/ [7-zip.org] ) is superior and free, actually even Open Source.

Re:Crack vs. Foss

[zz99]

ASUS has a lot of its workforce in mainland China, where most of the installed software, both personal and on company computers, is pirated. Officially the government is against piracy, and at regular intervals raids are conducted in visual places, but at the whole I don't think they will shed any tears if MS looses licensing revenues. The better the anti piracy control is the more people will use FOSS. Because piracy disrupts the free market. If you can get something worth $200 for free, why choose something truly free (worth $0)?

Re:Crack vs. Foss

[deniable]

Yep, the price itself is usually less of a problem than figuring out how to pay for something. First, there is the paperwork. Then you have to see if the supplier is set up by Accounting. Then you may have to make a cost justification. Then you run into the 'we don't pay for things online, do they have a mailing address and can we get thirty days credit' line from the Accounting people. It's quicker and easier to get a cracked copy than jump through all of the hoops for a cheap item.

Re:This doesn't explain everything

[Anonymous Coward]

I used to produce computer magazine coverdiscs, and have also written several computer books with CD/DVDs attached. Millions of my authored CDs/DVDs have been produced, maybe more.

I am FREAKING PARANOID that anything untoward might get onto the disks that shouldn't be there. Once sent to the duplicator, there's no turning back. I personally have spent hours checking each and every file on discs that I've made, even going so far to check file dates to ensure files haven't been tampered with accidentally (maybe I've discovered a new bug that causes files to be mixed with, say, porn). I check them on different operating systems, and either delete hidden system files (.thumbs etc), or open them in a hex/text editor to see what they contain.

Also, and this is a golden rule, if you're producing a CD/DVD for distribution, you MUST USE A CLEAN COMPUTER. Luckily virtual machines make this a lot easier because you can keep the OS and the virtual file system clean -- nothing gets onto the virtual file system unless it's downloaded (provided you turn off file network sharing of course).

Tools can be fooled...

[JoeMerchant]

It is possible that the (nameless, now jobless) employee actually ran a QC script that was simply fooled because it built its reference file list from the already "enhanced" ISO.

Not saying that he's not a dip---- for not knowing what's supposed to be there, but I wouldn't be surprised if he actually executed a QC script given to him by some manager who got it from an employee they haven't seen in years....

Re:TFA

[SenseiLeNoir]

My real worry is that it may not even be the person mentioned in the CV at fault.

Assume the following scenario.

X has a USB drive with confidential infomation, which he keeps in his desks, it may even be a backup of sorts.

Y is a trainee/intern who is doing an OEM machine image. He gets his instructions which say "get a USB drive to perform the next steps". He doesnt have a USB flash drive, so he asks X if he can borrow a USB flash drive to "install something"

X, who may be busy and mislead by the rather vague request may think that Y wants to download something from the internet. A driver or something, and says, "sure use the drive on my desk, do not delete anything"

Y follows the instructions, and the debacle above happens, but no-one knows yet, and the above exchange is forgotten. Maybe Y is an intern and has even left the company by now. .. some time later....

the excrement hits the fan, and X looses his job.

Re:So the guy who goofed, is he BLACK?

[Anonymous Coward]

It's possible to have no ill feelings towards any race and no desire to discriminate against anyone and still think that racial humor is funny. What's stupid are the people who get all offended and on their high horse and take this shit so damned seriously.

ASUS and Gigabyte

[phorm]

The sad thing is that Asus used to be fairly decent, but it does seem that their failed/buggy boards are a bit more common these days.

On the other hand, Gigabyte doesn't have much to be proud of either. Back when I used them a few years back, their boards gained a notoriety for failure, mainly due to bad capacitors, etc.

It's funny because since I've moved to cheaper boards I've had less issues with dead hardware, but even if I did I'd rather have to replace hardware that costs half the price.

Re:TFA

[hatshepsut]

I threw Kubuntu onto an Asus laptop just before school started. Laptop shipped with Vista (shudder). Tried putting a 64bit version of XP on it, ran slower than molasses in January, lousy video, couldn't get the sound card working, etc. Threw on Kubuntu... video ran smoothly out of the box, had to fight with the sound (but only until I found a post in the Ubuntu forums about the well-known problem), got my bluetooth working and was able to sync up my palmpilot, and my iPod with very little trouble.

Asus hardware is just fine, Kubuntu/Ubuntu is just fine. Windows is proving more trouble than it is worth.

All that said, I'll be checking my recovery disk (which I kept, of course) for any interesting files tonight!

Re:This doesn't explain everything

[Velorium]

I think by recovery disk they just meant partition. Many "recovery discs" are typically just automated scripts to replace files in one partition with files in a hidden partition on the hard drive; as was the case on an old Dell that I bought 4 years ago. Use some more thought, they used a flash drive, do you really believe that while doing that, the CD in the drive wasn't finalized and was directed to burn extra files to it?