We purchased a machine from China and it came with malware preinstalled(rmcybernetics.com) |
[1]: https://www.virustotal.com/gui/file/1679b086f649d92456b2f600...
[2]: (PDF) https://www.rmcybernetics.com/files/pdf/Malware-analysis-Fly...
Seriously? It's rather poor.
>It was identified the malware is packed with Borland Delphi 6.0 - 7.0 as shown in the figure below
Borland Delphi is a compiler. It's not a packer. Saying that it's "packed with Borland Delphi" makes as much sense as "it's packed with Visual C++".
>The strings of interest are as shown in the figure below
But if it's packed (as previously suggested), then any strings of interest won't be visible. All we see is a bunch of strings related to dynamically linked libraries. That also doesn't tell you much, because you can dynamically load libraries so all the evil APIs you use don't show up on the list.
The rest of the report seems to be reciting outputs from various reverse engineering tools, with little analysis added. The whole report gave the impression the author is a script kiddie.
https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...
Google infamously pushed settings changes on their phone lines without user consent via the Google Play Services backdoor. Amazon removed the (bought) book 1984 from all Kindles. Microsoft proudly bragged about their remote app "kill switch".
Let's not even talk about CPU vendors embedding "anti-theft" solutions which are nothing more than RCE-as-a-service on a hardware/firmware level. Or hardware vendors bundling rootkits like Lenovo on some laptop series, and most phone manufacturers on all their devices.
https://slate.com/technology/2015/02/lenovo-superfish-scanda...
I will never buy Lenovo again
https://web.archive.org/web/20220125124520/https://www.rmcyb...
The risk of the manufacturer bundling some "legitimate" remote access tool that won't show up as a virus seems high to me. Once burned, twice shy.
It’s not always easy, the line is hardly easy to see, but it is a choice I will go out of my way to make.
It's hard to know which brands to avoid, and which brands are more trustworthy.
Even brands that are not Chinese are still based in China...
If we're unwilling to hold the Chinese to account for that in any meaningful way, I can't imagine we're going to do anything whatsoever about a little (or even a lot of) industrial espionage.
We'll gladly let the Chinese run roughshod over us and humiliate us repeatedly if it means we can still buy our iPhones on the cheap.
When investigating the issue, we found nothing wrong with the config; only when we plugged it into another network did we discover it was something on the network. We narrowed it down quickly to the printer. We told the head of security (we were hired for an audit) and it soon became known it was stealing trade secrets and sending them overseas.
That was 20 years ago, and to this day, any time someone says China doesn't steal technology... I remember this printer. This was done at the state level and was caught.
Anyway that's the reason why I don't buy Chinese crap anymore. I'm not saying that I don't buy anything made in China, almost everything is made in China, but everyone should avoid Chinese crapware.
If something doesn't match the description, send it back; if you find random executables that you cannot identify, send it back; if you are asked to register on some weird Chinese website, send it back; if you are asked to download a sketchy application with a Chinese readme, send it back; etc...
After a while you'll notice you are sending everything back.
And it is not only Aliexpress or other Chinese marketplaces or websites, Amazon is full of Chinese crapware just the same.
Edit: read the article from the archive; well, it just confirms to me what I wrote earlier.
E.g.: Microsoft being American (and them being part of PRISM), I just assume the OS has a backdoor for the US gov. Now with Windows 10's heavy telemetry, it's even easier.
I work for a client doing chips for credit cards. Did you know they are now full-blown computers that can run a light version of Java (Java Card)? The company is building their own hardware and software, and just to get to a conference room, you need biometric access + badge + PIN code. Pretty sure they send data to my country's agencies in some way despite having to trick the banking system to do so for them.
Same from any software, server/cloud hosting or hardware. If it comes from a specific country, this country is most probably using it for intelligence. It doesn't even need to be on a network now, because there is so much interactivity with all devices. And eventually, one will be.
Does anyone believe that any non-CCP actors are disputing China’s ongoing, massive, organized trade secret theft?
> Why was the printer connected to the public internet? A DMZ subnet would have prevented this vector of attack.
Aren't most network printers connected to office networks with public internet access? It sounds like this printer was making outgoing connections, and I doubt many people/companies go through the trouble of specially blocking those from printers.
You'd have to be especially security conscious and paranoid (especially 20 years ago!), to be operating under the assumption that your own equipment is working against you.
And to be honest, (I have been out of it for a few years now) I have yet to see a company block OUTGOING access on a DMZ.
I tried to write a measured review on Amazon explaining the problem, but Amazon rejected the review. I threw it away and composed an angsty tweet [1], but I really should have returned it.
[1] https://twitter.com/ojensen5115/status/1351598563751559169
This facet of the Big Tech censorship problem hardly ever gets any attention, but it's no less bad than YouTube and Twitter censoring their political opponents.
If you spend just a small bit of effort, you can look for items not made in China. They are usually higher quality. Japanese companies (and increasingly large American ones) are moving / have moved their production elsewhere due to an increasingly hostile business environment in China.
Sony makes their phones in Thailand, speakers/headsets in Malaysia. Panasonic produces a lot of consumer electronics in Malaysia. Samsung makes some of their phones in Vietnam, and the high-end ones in Korea. Their fridges are also made in Thailand/Korea. Google makes their Nest line of products in Thailand/Vietnam now. Some Netgear Arlo products are made in Indonesia, (some?) Netgear switches are made in Thailand.
On the enterprise side, Cisco has moved production of a lot of lines to Thailand for example.
This trend is only going to accelerate after the SARS-COV-2 pandemic subsides.
If you buy stuff directly from a Thai company that you never heard of before just because their product was the cheapest, you'll have to do your own testing and will likely discover some sharp edges.
Made/Manufactured/Assembled in X country doesn't mean not using Made/Manufactured/Assembled parts from Y country in the process. Take the Cisco router manufactured in Thailand. Out of the thousands of individual components on the circuit boards, not a single IC within it was manufactured in China?
I try to do this when I can, and they're definitely higher quality, but for some products, finding a version not made in China is almost impossible, a problem that's exacerbated by stores like Amazon not being required to disclose where their products are made.
We should have never allowed them to become this powerful. Their ideology is toxic and incompatible with ours.
But it's okay to buy oil from regimes that kill gay people, or cobalt mined by child slave labour?
Let's place the blame where it actually belongs: our corporations will sell our values, our kidneys and the entire planet down the river if they can. China is just one of the few countries that beat them at their own game.
What does this mean?
This is one of the big reasons that Apple locked down its Lightning/USB ports so hard.
There were tons of fake Apple chargers flooding the market that contained exfiltration circuitry, among other problems. It was a huge topic in tech circles, and on HN, at the time. I even have a few "data condoms" leftover from those years. (If you don't remember, they're little dongles you put between your USB cable and the USB charger that only have the power lines connected.)
The fact that it also locked out bad cops was a bonus.
Source? I've heard of fake chargers being planted with exfiltration circuitry as part of a targeted attack (e.g. by red teams or actual bad guys), but I haven't heard of AliExpress vendors shipping them out en masse.
We had a compromised machine (linux) and had to un-plug it...
BUT
On the security calls was an interesting conversation about the Chinese infiltration of Lockheed.
Lockheed had, at the time, only three (3) egress connections to the internet.
The Chinese did the following:
1. They did phishing attacks on those who worked at Lockheed, plus their orbit who attended various conferences and events... giving them seemingly valid contact info (business cards and such) of their agents who also attended said events.
2. Would email the Lockheed Targets and in the emails contain links to military phishing links which would install malware on said target's machine...
3. Would trickle out data so as not to be exposed...
4. Would attack known international suppliers of Lockheed's sub-components through air-gap measures (meaning that Lockheed epoxied USB ports in machines and suppliers were (ironically) then required to transfer data via USB sticks... and China was infecting the machine with which the supplier was loading the USB sticks, such as to infect Lockheed employees once they received and connected said sticks)...
How this was discovered:
Lockheed employees bitched about machines being slow. Investigation ensues and the trickle malware is discovered;
The Chinese know they have been discovered and they open the floodgates on all their bots within Lockheed...
HUGE firehose...
Lockheed had to shut down all three egress until resolution...
Yeah, China is in EVERYTHING.
I think you're conflating two separate issues. IIRC, I think the exfiltration concerns were more for "in place" chargers at places like airports. There's definitely a separate retail "fake Apple charger" problem, but that has more to do with safety and quality control.
It wouldn't make much sense for a retail fake Apple charger to have exfiltration circuitry, because then you run into the problem of how to exfiltrate some rando's data from some random charger. Also I'm guessing that stuff would be expensive. It really only makes sense to me for a thing like that to be a targeted attack (e.g. swap out some research scientist's charger at a conference, and place an exfiltration receiver near his hotel room).
> I even have a few "data condoms" leftover from those years. (If you don't remember, they're little dongles you put between your USB cable and the USB charger that only have the power lines connected.)
Those are useful for other things. For instance, I have some devices that deactivate and switch to transfer mode when they connect to data, so I use those for charging those devices while I'm still using them. Also, I think they can allow faster charging from a data-enabled port in some cases.
That means I should send back laptops made by Sony and Dell too though?
What about shipping costs? When you're buying something the seller is usually paying for that in bulk and including it in the retail price to boast "0-cost shipping". Surely buyers can't possibly afford sending everything back.
>everyone should avoid Chinese crapware.
What country you live in with so poor online protections you can't return things within the return window without incurring extra costs for doing so? Sounds broken.
You see it often in Universities, but also in larger businesses where you want to stop someone from accidentally printing 5000 copies instead of 50, or having print jobs stack up on top of each other in the output tray (think HR/sensitive information being scooped up by accident.)
But the bad press and bad customer experience from people having problems with "Apple" chargers probably does.
It's called protecting the brand.
ImportYeti
That's helpful. I've always wanted to know where my stuff comes from, from my food to my gadgets. So I encourage other people do ask the same questions on Amazon. It helps other people.
I haven't tried it much though (I'm not in the USA).
https://webapps.stackexchange.com/questions/20069/is-there-a...
[1] https://gizmodo.com/amazon-secretly-removes-1984-from-the-ki...
That story is about a lawsuit from one of the people they took it from.
Amazon sold 1984 on the Kindle store without permission, and when they realized their error they deleted it from everyone's kindle and refunded their money.
At the time it was suspected, but unknown. I remember the outrage, I'm not sure If I was lurking on here before I made an account, or I read it on slashdot or digg or something. Here are the HN comments from the time. https://news.ycombinator.com/item?id=710506
Most people don't. And the few that do only know because of this scandal.
There's something profoundly unintuitive about it. When you buy a book for $5 in the bookstore, you can't wake up some day with the door open, $5 on your table and the book gone from your library.
That you think it's theft is a debatable/controversial point of view on Internet forums, but if that is to be the case, many more people/corporations from the USA should feel threatened, not just a few Chinese scapegoats which help avoid the elephant in the room: why would anyone own ideas in the first place? Ideas are born out of other ideas and everyone benefits from that. Restricting knowledge sharing can lead to disastrous outcomes, as Jonathan Blow brilliantly argued in a talk called Preventing the Collapse of Civilization which appears to pop up on HN every so often: https://www.youtube.com/watch?v=pW-SOdj4Kkk
Yes.
Lots of IP between your ears. No point in the code/manuals/docs when you wrote them yourself. You'll know they're not exactly correct and may appreciate being able to rewrite from the ground up now knowing what you now know.
There is so much dark in tech. Spying on all levels. Every single thing you say is now not only subject to legal action, but also dark pools of intel action...
Anyone ever notice that palantir has dropped off the HN map? Yeah...
Look at reddit driving the narratives these days... I have stories about exactly when and how reddit began to drive the negative narrative....
Fuck them all...
Reality is being coopted by ...
But then again, we got a PRISM, XKeyscore or NSO Pegasus coming out of the box every other year. So I stand by "fair play" to qualify my assumptions.
Just pointing it out: this is a really sneaky way to avoid providing any sort of evidence for your claims whatsoever.
But to address your claim: security and cyber attack stuff are not remotely comparable to IP theft. You'll have to do better than literally pull claims out of thin air.
And, exactly none of those incidents you mentioned have anything to do with IP theft. Your own examples demonstrate a consistent pattern of no IP theft.
That's how assumptions work.
And I'm not focused at all on the IP theft, only on the backdooring.
People just started to focus on IP and the USA after the fact, because americans think the USA and money are the center of the world and see it everywhere even when they are not the main point of the conversation, but just examples.
In general you're right though. They are very successful at using weaknesses against us.
They don't, though. Sony, like many other companies, makes products for developing nations which are not sold in more affluent Western countries. ("World" products)
Trying to buy replacement Bluetooth earphones in India really opened my eyes on this one. The store I was buying from had a strict NO RETURNS policy, but still bent the rule when the headphones weren't iPhone compatible (scratchy distortion). After opening two more pairs of Sony with the same problem, they decided to stop and just gave my money back.
This wasn't a budget model - it's a model which you'll never see in the US or EU. Their products aren't just differentiated by country of manufacture, but by the intended market. Depending on brand name isn't enough.
As you pointed out: manufacturing standards vary factory to factory and region to region, and quality issues abound in newer manufacturing regions that lack the crazy competitive environment China has (a thousand pots et al).
Counterfeit PPE really revealed a lot about how these factories operate. Very hard to verify ownership reliably.
But for context I’m basing part of that opinion on conversations I had with factory owners I’ve done business with in some of those countries running import/export. Many Chinese manufacturers see the conflict between the US and China as bad for business and have optioned third party countries to continue doing business no matter what happens. They’re very smart people.
Eh, typical "user hostile hardware and software" is not even in the same league as exfiltrating your data to an adversary.
What I don't get is that on Amazon I've purchased 10's to 100's of thousands in product (was an early user, business account admin etc). Of all the reviews that SHOULD have credibility, someone who doesn't review a lot and buys a TON of product - you think would be slightly credible?
Instead, for those (few) times I've posted a clearly negative review - gone for whatever reason. If you buy enough from Amazon, especially in last 5 years or so, you got some total absolute trash in there.
"Genuine" Apple products absolutely totally 100% fake trash. How amazon's supply chain thinks these are legit is mind boggling.
I've had such bad luck with "genuine" and "oem" battery replacements I've given up - most of these things are just crap scam stuff.
I'm actually curious how this even happens sometimes, some of the used crap was BADLY used, think of a bunch of electric pencil sharpeners for an office, all "new" that are filled with old pencil shavings, scratches etc etc. Product reviews that when you go back to understand how the piece of trash product got 5 stars you realize the reviews DO NOT EVEN RELATE TO THE PRODUCT you purchased. I mean, how does this even happen?
So you get out the review - hey, this thing was garbage, and many of the 5 star reviews were for a knife set it looks like, instead of a powerbank. Review rejected :)
Several ways:
1. Repurposing product listings for something unrelated and keeping the old sales data and reviews
2. Merging product listings to aggregate unrelated sales data and reviews
3. Fake reviews that were unrelated to the product all along
> 1. Repurposing product listings for something unrelated and keeping the old sales data and reviews
Sure - but this seems trivially solvable by Amazon - you can't tell that a product listing for a knife set is not a tech product??
> 2. Merging product listings to aggregate unrelated sales data and reviews
Again - def happens I think. But can't these go through some type of review? The ones I've seen are WAY off when you look deeper.
> 3. Fake reviews that were unrelated to the product all along
This is harder, I'd have 2 amazon staff review higher volume products.
> That society is ok with that is a huge problem to say the least.
But you could compare any bad actor's actions to ME/PSP and say it's the same or not as bad.
It's bordering on whataboutery.
Although I personally consider hardware/firmware-level malware more troubling than OS-level malware, which you can just wipe away by setting up a fresh system (which I recommend anyone to do when they receive a new machine, for related reasons).
Now it's a bit too late to stop them. NATO/the West is too preoccupied by Russia when, imo, China is the bigger threat, by far.
Here’s Joe Biden in 2011 fawning over King Xi and calling for a rising China.
I think the hopes were that China would benefit from trade and develop its own industries in a largely decentralized fashion (which happened). What didn't follow was the assumption that this would cause them to become less authoritarian and more democratic.
Quite the gamble in the end; I don’t think those responsible over many decades realized what the consequences would be for getting this wrong. They all were championed by equally blind stock-market driven CEOs who wanted cheap labor, low/no environmental laws, no unions, a helpful and competent government, and new large markets who didn’t already have lots of stuff.
The US has gotten terrible at long term vision, while China has nothing but long term vision and long term memory.
Trump finally withdrew from the UPU in 2018 and ended the subsidies.
China got powerful by doing business with the rest of the world.
Any system Amazon puts in place will have a lot of false positives that require human review. And that is entirely aside from the fact that underhanded sellers will try to flood such a system with automated disputes until Amazon relents.
> The ones I've seen are WAY off when you look deeper.
You're assuming these disparate merges happen in a single step.
The sellers are in China and the products are ordered internationally. The sellers don’t care about your local return laws.
So if you have to pay for the crap to be shipped all the way back to China, I can see how that may become expensive.
[0] Darty return policy, in French: https://www.darty.com/achat/services/retour-retractation/ind...
Not for orders from Amazon or Wal Mart, the two biggest places you'd tend to buy cheap Chinese products from.
https://en.wikipedia.org/wiki/Cisco_Systems#Firewall_backdoo...
"A document included in the trove of National Security Agency files released with Glenn Greenwald's book No Place to Hide details how the agency's Tailored Access Operations (TAO) unit and other NSA employees intercept servers, routers and other network gear being shipped to organizations targeted for surveillance and install covert firmware onto them before they are delivered. These Trojan horse systems were described by an NSA manager as being "some of the most productive operations in TAO because they pre-position access points into hard target networks around the world."
So call that educated magical speculation.
I don't even see why it's controversial to hold this opinion. Reading some comments, people seems to feel offended we could think that from the USA.
If anything, the USA are, with Russia and China, among the countries anybody in Europe like me would suspect the most about pulling things like this. The CIA and NSA have a terrible reputation, and the track record to support it.
We are talking about a country that went to war while lying about WMD, against the UN vote, made money with South American cocaine while organizing coup after coup, elected Bush and Trump yet punished Chelsea Manning. A country that is still under the temporary 9/11 Patriot Act, which it used to mass spy on its entire population.
Of course I'm assuming the worst from them.
And yes, it's fair.
Actually, even if I were proven to be completely wrong in 10 years, it still would have been fair.
But I'm not even assuming that only from the US, but basically from any gov, including mine. Because history taught us that's what power does.
It's sane to be suspicious of people in power. Necessary for democracy, even.
I find China is useful as a mirror to the US. If they are doing something problematic, it's highly likely the US gov is too but just hasn't disclosed it to the public.
You think the US is engaging in systematic genocide? I'm guessing not. If so, you should consider why you would say something so ridiculously out of step with reality.
> Operation Rubicon (German: Operation Rubikon), until the late 1980s called Operation Thesaurus, was a secret operation by the West German Federal Intelligence Service (BND) and the U.S. Central Intelligence Agency (CIA), lasting from 1970 to 1993 and 2018, respectively, to gather communication intelligence of encrypted government communications of other countries.[1][2] This was accomplished through the sale of manipulated encryption technology (CX-52) from Swiss-based Crypto AG, which was secretly owned and influenced by the two services from 1970 onwards.[1] In a comprehensive CIA historical account of the operation leaked in early 2020, it was referred to as the "intelligence coup of the century" in a Washington Post article.
https://www.infoworld.com/article/2608141/snowden--the-nsa-p...
I'm Brazilian; the NSA has been caught breaking Microsoft products on our largest companies for industrial spying too.
Sure, China is worse, but it does make a useful mirror. Like Russia was a useful one during the cold war.
Not the point.
The point of my comment is: I assume any gov to have such backdoor if they can.
That's a hand-wavy redirection that isn't relevant to the issue at hand, which is that:
There is no evidence of the US (and, in fact, many other large countries, with exceptions for e.g. Israel) installing backdoors and breaking into computers in order to steal intellectual property.
There is ample evidence of China doing exactly that, against a variety of targets (not just the US - they've taken things from Japan and the EU, among many others).
I wouldn't be surprised if every nation with a functioning Internet connection tries to put the hac on whatever they can.
But that's not the topic under discussion - the topic is stealing and commercializing IP, for which there is tons of evidence of China doing, and accusations of e.g. the Five Eyes doing it are rampant speculation with absolutely no evidence included.
Yes, that includes your comment.
Which it is.
I think the main and annoying problem is those general practices, not just a single instance of malware.
Edit: Apparently some focus on the "Chinese" part, but I suspect that hardware being specialized and software being shipped by the hardware manufacturer are larger factors here: at least all the awkwardness before the malware part I've observed to be approximately similar with hardware+software produced by Chinese, European, and US companies.
Being proprietary has nothing to do with the risk of malware, indeed.
[1] https://en.wikipedia.org/wiki/Proprietary_software
Edit: wording.
I think the most reasonable explanation is that either the OS was sourced already infected, or the crack tool they used was infected.
Autorun USB malware is very common
There's a fun story documented on Darknet Diaries (https://darknetdiaries.com/transcript/22/) about a wind farm that got hacked. The "malicious" actor had found his way into their infrastructure and installed some idle cryptominers. But he was also taking the time to maintain all the infrastructure; applying updates and patches on a regular basis in an effort to keep other would-be hackers out. The security consultant discloses all of this to the company. Well, the story ends with the company making a business decision to leave things as they are. They were effectively getting free IT.
That hasn't worked since Windows XP SP2.
Also why would Windows Ultimate indicate piracy? Wouldn't it be weird if "Windows Home" flashed up on the screen while booting an industrial machine? It's more likely to make sense that Windows Home isn't licensed for use on industrial machines.
Well, they would if they knew. I have purchased a variety of random computing hardware from Chinese suppliers and despite the product pages claiming they had no on-board OS installed, they came with cracked versions of Windows. They do it because customers want an OS but don't want to shell out for a license. It costs them nothing to pirate software (especially when they lie about it) and getting caught and actually blocked is very hard. This isn't like them intercepting a shipment of counterfeit purses where you can clearly tell by looking at the item. You'd have to boot the computers and then verify that they have an OS installed and then that it's properly licensed, which is well out of reach for a random customs officer.
> why would Windows Ultimate indicate piracy?
It's a very expensive license and, if you have any experience pirating Windows (I cough don't), that's usually what you find, since if you're going to steal something, why steal the shittier, less featureful version?
Microsoft sells an embedded, stripped down version of Windows with extended support life for industrial machines like this. Ultimate is intended for workstations and power users.
It could only happen in China - because the author bought dubious stuff from an unknown third party on AliExpress. Craigslist scams happen mostly in the US because people don't use it elsewhere.
Sort of like how you shoot the arrow first and then draw a target around it, 100% bullseye.
Literally everything is made in China; if the quality were as bad as you say, the world would have fallen apart.
It seems critical thinking is rare among news outrage these days. The same comments were said of Japanese products back in the day, "IP thieves", "shitty quality", and here we are decades later praising Japanese products. It's hilarious at this point.
Stuxnet, Pegasus, Vault 7 tech are far more dangerous with that capacity to cause real harm to actual people. Who developed these?
Probably a good idea to air-gap your pick and place machine even if it is not Chinese.
Yes, some things look suspicious (packing, lack of signatures, hardcoded IP addresses/hostnames, network traffic) - but I'm not seeing any clear-cut evidence that this is malware?
It was, again, allegedly, discovered because the author was developing some kind of distributed computing software that required a hypervisor of its own, and this exact mobo was crashing in a way that was consistent with a hypervisor being already present. The author goes further to describe how he devised a way to consistently detect hypervisors by measuring platform register access timings, and tried to report the findings to the FSB (Russian CIA/FBI) to no avail.
I personally don't put much stock in the story, as the magazine was a rag and I could come up with something like that at the time, but there it is.
I'm sure many things don't explicitly breach their terms, but surely I expected there to be a catchall that would include malware. Of course, their terms are to protect AliExpress, and not the consumer, so it doesn't look like they'd wanna go above and beyond on that end, but I hoped they'd at least care about customer satisfaction.
In a previous life I was an infosec consultant. We did some work for a hospital that found malware on the control hosts shipped with a brand new turnkey MRI system from a German manufacturer.
You've been able to pirate Windows 10 using their "Windows 7 free upgrade" key even after they discontinued it. And everyone who got a free upgrade from 7->10 uses the same key, so it's not like you are gonna get caught.
As these desktop pick and place machines come down in price, I hope that the OpenPnP software package becomes more developed: https://openpnp.org/ It was originally intended for full DIY PnP machines, but it’s a perfect candidate for converting these existing machines to open source software control.
Here's the article: https://habr-com.translate.goog/ru/post/575626/?_x_tr_sl=ru&...
The old components and the lack of modern drivers is a problem many industrial tools seem to suffer from. It's crap like the bad capture card that keeps Windows XP and 7 around. I don't expect there ever to be any modern drivers for an outdated capture platform unless a hobbyist writes their own open source version, so unless a compatible enough alternative card with modern drivers can be installed, I assume this machine is doomed to run Windows 7 for years to come.
Relying on an ancient card and drivers seems like a cop-out...they managed to create the solution once, they're obligated to do it again, lest your company's bottom line hinge on a house of cards an intern cobbled together for another company 12 years ago, that only works with the September 2008 drivers.
You'll be surprised how common these "house of cards an intern cobbled together for another company 12 years ago, that only works with the September 2008 drivers" situations really are when it comes to specialised hardware. As long as the machine keeps working, it can be sold, software security and maintenance be damned. There's a reason hospitals and factories pay Microsoft for the last few Windows 7 updates it'll release this year and it's not that management doesn't like the theme Microsoft put on Windows 10.
That's even more likely to be the case for industrial machines purchased off AliExpress, where hardware is often either old, second hand stuff or made as cheaply as possible from available parts. The standard of quality there is minimal, I'm surprised they risked buying this thing through AE in the first place.
Does it collect user metrics like a lot of software does or does it actually steal designs? The report is absolutely not clear about this. I have not read many reports like this but are they all like the one they link to? Is that what a malware analysis looks like?
I'm completely behind the idea of calling every single software that collects user data and sends it off to a server malware but this is just not the case. We don't say Windows comes with malware, we in the West call it telemetry data to improve the user experience.
The reports mark it as a Trojan/backdoor. This means it gives the company remote access to the machine. They can do whatever they want with it.
This isn’t anything like analytics reporting.
The Windows telemetry is on the edge of being malware, even if it's of no consequence to you. You can't say it will always stay that way.
Last time I tried, the amount of deep registry hacks to turn everything(?) off was silly.
Windows obviously ships with malware nowadays. I think you need enterprise edition for a supported way to turn all the BS off.
In practice, I've never heard of companies actually investing in these checks. There are a few "assembled in the USA" products that probably flash their install image outside China, but who says the American intelligence agencies in turn won't tamper with those? They've done it before, after all.
I'm a little surprised there aren't any viable open source programs for what is essentially a precise plotter with a complicated plot head. A bunch of plants could work together to construct a system free of vendor lock-in and expensive replacement parts if they would just work together.
Unpopular question, but how is this any different from mistakenly forgetting to disclose 'telemetry' in your code? Or backdoors that routinely get disclosed in US embedded hardware products like firewalls and routers? Or Discord scanning your entire hard disk? I'll admit the product seems pretty poorly designed from the get-go, but the tactics at work here are pretty standard when you consider things like Alexa and Ring get a pass for similar chicanery.
As a concrete example of just how far the creeping acceptance of surveillance has come: remember BonziBuddy[1], and the absolute shit storm over that, and the lawsuits and all that?
Well, what they did is nearly indistinguishable from what Alexa does, and Cortana, and Siri, and Google Assistant. But it's just the way things are now. And no, it's not fine because everyone is doing it. It's still just as bad as it was then.
Giving someone full remote control over a computer and trying to spread that control as a computer virus is nothing like anonymous analytics collection.
I know this is the HN crowd and not the general population, but I think most of HN would agree that undisclosed telemetry is super bad / malicious, and that disclosed / configurable telemetry is much better...but still often must be disabled because the Well is Poisoned by inappropriately utilized telemetry.
It started me off on the thought process of "How many other things can be compromised?" SD cards with fake/hidden partitions? MCU counterfeits with entire subsystems?
IMHO...anything with an ethernet port, wifi, bluetooth...or anything that is able to at any time connect to those things needs to be watched.
£4k GBP...relatively low cost compared to a branded competitor...We sent the file for proper malware analysis which did confirm that it did indeed contain malware. The malware would collect user data and send it to a remote address.
People in China aren't bad people, they're just people put into a tough situation. It's plenty easy to get good quality products out of China, just like anywhere else. The problem is that few people are willing to pay the real price for products, they want cheap regardless of consequences.
As someone also in the electronics design and manufacturing space I find this type of behavior very troubling. I demand what I consider a fair wage for my work and in return I also try to support other people in the industry also getting a fair wage. If all you do is buy the cheapest possible services you are really telling others they should do the same and not support you. The only solution I see is to stop pushing the costs of your business onto others that can't afford it. Go buy quality used hardware from people you can trust rather than complaining that a former colony of yours is trying to steal something from you.
Some would say, not without merit in my opinion, that the malware part started with Windows itself.
https://www.gnu.org/proprietary/malware-microsoft.html
But even if we aren't that stringent with the definition of malware, we have had malware preinstalled on our computers for quite some time.
https://en.wikipedia.org/wiki/Lenovo#Security_and_privacy_in...
https://en.wikipedia.org/wiki/Dell#Self-signed_root_certific...
https://hackaday.com/2022/01/22/zhengbang-pick-places-your-c...
It looks like an instance of 'xred': https://s.tencent.com/research/report/880.html
Which seemingly infects .exes (i.e., is not just a worm), so it's totally possible that the OEM here isn't acting maliciously, but they just got infected themselves.
Until today, I am not sure whether this was malice (=malware) or incompetence (=hey, let us phone home every 5 seconds and go crazy if the connection fails for any reason).
> We sent the file for proper malware analysis which did confirm that it did indeed contain malware. The malware would collect user data and send it to a remote address. Presumably it would be a way to steal company information such as designs, accounts, and so on. Pretty shady stuff!
Or, you know, it might be doing anything at all on the internet. A reasonable question is "why should this device access the internet?" Good point, but my LAN-controlled "smart plug" connects to an NTP server in France. Who knows.
From the report:
> When verifying the [executable] signature, it was identified that the malware did not have any signature assigned to it as shown in the figure below. It means that the file has a malicious activity.
Doesn't that mean that the image is not signed? Again, I'm not an expert, but to say "it means that the file has a malicious activity" smells like "I'll consider almost anything suspicious if it will convince you that this report is valuable." On the other hand, maybe that really is suspicious. I don't do this for a living.
> The process explorer and procmon helped to know that the malware created a child process and then killed the process. It was also identified that the file did not have the signature but had the company name, and the path, confirming that it is a suspicious file from a legitimate organization. The regshot helped in getting the two snapshots of the registry, one before execution and one after malware execution. Therefore, it can be concluded that the file analyzed contains a trojan spyware which creates a child process that kills the original file when run. The malware collects user information and sends it to http://freedns.afraid.org/.
Again, the conclusion does not follow from the premises. Maybe spawning a child and killing the parent is something that you wouldn't normally do unless you were malware. Maybe English is not the author's first language, fine, but it does look like a poorly edited template.
For all I know, it's totally malware built for corporate espionage originating from a country notorious for doing that, but I don't see any compelling evidence.
There's plenty of software out there that behaves this way. I don't think they have solid ground for claiming they've been hit with malware here.
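To make the "no signature" point concrete, here is an added example (mine, not from the report, the commenters or the vendor) that checks a Windows executable for an embedded Authenticode signature by reading the PE data directory directly rather than trusting a tool's screenshot. It uses only the standard library and a constructed minimal PE header as input; build_pe, certificate_table and has_embedded_signature are names made up for this illustration. An absent table means the file is unsigned and nothing more, and a present table means only that a blob is attached; verifying the chain and the signer still needs signtool or osslsigncode.

```python
import struct

# Index of the "Certificate Table" (Authenticode) entry in the PE data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def certificate_table(data: bytes):
    """Return (file_offset, size) of the embedded Authenticode blob, or None if the
    image carries no embedded signature. Raises ValueError on a malformed header.
    Note: the Certificate Table entry holds a raw file offset, not an RVA."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20                                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    try:
        dd = {0x10B: 96, 0x20B: 112}[magic]  # offset of DataDirectory[] for PE32 / PE32+
    except KeyError:
        raise ValueError(f"unknown optional header magic {magic:#x}") from None
    (n_dirs,) = struct.unpack_from("<I", data, opt + dd - 4)  # NumberOfRvaAndSizes
    entry = IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= entry or opt_size < dd + (entry + 1) * 8:
        return None                                          # header too short to hold the entry
    off, size = struct.unpack_from("<II", data, opt + dd + entry * 8)
    if off == 0 or size == 0:
        return None                                          # unsigned: no WIN_CERTIFICATE appended
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size


def has_embedded_signature(data: bytes) -> bool:
    """True if a signature blob is present. This says nothing about whether the
    signature verifies or who signed it; use signtool/osslsigncode for that."""
    return certificate_table(data) is not None


def build_pe(cert_offset: int = 0, cert_size: int = 0, pe32plus: bool = True) -> bytes:
    """Construct a minimal, non-runnable PE header (constructed test input, not a
    real binary) with an optional placeholder certificate table entry."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic, dd = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = bytearray(dd + 16 * 8)                             # 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd - 4, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert_offset, cert_size)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0022)
    img = dos + b"PE\0\0" + coff + opt
    if cert_size:
        # Pad out to the claimed offset and append a dummy WIN_CERTIFICATE blob.
        img += b"\0" * (cert_offset - len(img)) + b"\xCC" * cert_size
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("unsigned", build_pe()), ("signed", build_pe(0x400, 0x200))):
        print(label, certificate_table(img))
```

Run it against the vendor's .exe by reading the file into bytes and calling certificate_table on it; a None result is exactly what the report's screenshot showed, and it is the same result you get from most small-vendor tooling that never paid for a code-signing certificate.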
FWIW, I think whether we build a dystopia or utopia depends on whether or not we can make our rulers live under the same panopticon as the rest of us.
> whether or not we can make our rulers live under the same panopticon as the rest of us.
Uh, nope. It's been "rules for thee and not for me" since the dawn of time.
https://www.cbsnews.com/news/hacked-from-china-is-your-kettl...
This caused quite the stir about a month ago: https://news.ycombinator.com/item?id=29555093
TikTok, Facebook (for the FBI/CIA), and other platforms are probably lower hanging fruit. People just accept the surveillance, and there's not much reverse engineering one can do to determine what's being done with your data.
<waits for answer>
Hey, Roomba, did you download the latest firmware yet? Great! Now go clean the dining room, I have a top-secret meeting in there in 10 minutes.
Hey, Alexa, set the dining room lights to "top-secret meeting" mode.
" well it wasn;t actually a ROM malware it was the seller installing their own version of Android, which would reinstall their browser and would not let you change the browser, this browser had a hard coded home page which it forced you too, and it was a home page basically that sells you stuff. if you stopped their browser from getting installed, then the tablet went into a demo mode and displayed huge DEMO text across the whole screen. Eventually I was able to replace several Android core system modules which removed their check that their browser was active. and yea I could see it phoning home whenever it was turned on."
I know I have this device in a box. If anyone would like to analyze it and see if there was more/less than what we found, I am willing to send it to someone in the US via ground shipping (LiPo batteries). I believe it was not charging the last time I used it though.
That was a large factory in China. I remember Philips had a production line there also.
What I do know for sure was it was bad enough that we decided never use them.
Not saying it is, though... but is it possible? Absolutely.
Do you know of an alternative? I was partially hoping that when I mentioned it someone would say, "I did the same thing but now I use X."
I guess OP might have meant just 'factory reset'. Which is not really 'wiping the android' at all.
Hell, with a bit of fiddling, you could probably design a one-way RS232 serial system by simply not connecting the TX pin on a downstream device.
Then for good measure snap off the pin and block the corresponding socket's hole with superglue so the cable cannot be reversed.
There are also write protector devices which mirror a block storage device as read only, but will not issue a write, as used for forensics.
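Following up on the one-way serial idea, here is an added example (mine, not from any commenter or from the vendor's software): once the TX pin is gone there is no ACK, no flow control and no retransmission, so whatever listens on the receiving side has to cope with bit errors and dropped frames entirely on its own. The framing is an assumption chosen for illustration: COBS byte stuffing so that 0x00 can delimit frames, a 32-bit sequence number and a CRC-32 per frame. That lets the receiver resynchronise on the next delimiter, reject damaged frames and count gaps, which is all a one-way link can offer. The demo input at the bottom is constructed inline.

```python
import struct
import zlib

MAX_FRAME = 4096  # assumed upper bound on one encoded frame; anything longer is treated as garbage


def cobs_encode(data: bytes) -> bytes:
    """Consistent Overhead Byte Stuffing: output never contains 0x00, so 0x00 can
    delimit frames and the receiver can always resynchronise on the next delimiter."""
    out, block = bytearray(), bytearray()
    for b in data:
        if b == 0:
            out.append(len(block) + 1); out += block; block = bytearray()
        else:
            block.append(b)
            if len(block) == 254:
                out.append(0xFF); out += block; block = bytearray()
    out.append(len(block) + 1); out += block
    return bytes(out)


def cobs_decode(enc: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(enc):
        code = enc[i]
        if code == 0:
            raise ValueError("delimiter inside frame")
        block = enc[i + 1:i + code]
        if len(block) != code - 1:
            raise ValueError("truncated COBS block")
        out += block
        i += code
        if code != 0xFF and i < len(enc):
            out.append(0)
    return bytes(out)


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Sender side: seq(4, LE) | payload | crc32(4, LE, over seq+payload), COBS-stuffed, 0x00-terminated."""
    body = struct.pack("<I", seq & 0xFFFFFFFF) + payload
    return cobs_encode(body + struct.pack("<I", zlib.crc32(body))) + b"\x00"


class OneWayReceiver:
    """Receiver side. With no back channel it cannot ask for retransmission, so it
    can only detect damage (CRC) and loss (sequence gaps) and keep going."""

    def __init__(self):
        self.buf = bytearray()
        self.next_seq = None   # unknown until the first good frame
        self.corrupt = 0       # frames dropped because COBS/CRC failed
        self.lost = 0          # sequence numbers that never arrived intact

    def feed(self, chunk: bytes):
        """Append raw bytes from the serial port; return a list of (seq, payload)
        for every complete, CRC-valid frame now available."""
        self.buf += chunk
        out = []
        *complete, rest = self.buf.split(b"\x00")
        if len(rest) > MAX_FRAME:            # delimiter never came: runaway garbage, drop it
            self.corrupt += 1
            rest = b""
        self.buf = bytearray(rest)
        for enc in complete:
            if not enc:
                continue                     # idle line / stray delimiter
            try:
                body = cobs_decode(bytes(enc))
            except ValueError:
                self.corrupt += 1
                continue
            if len(body) < 8 or zlib.crc32(body[:-4]) != struct.unpack("<I", body[-4:])[0]:
                self.corrupt += 1
                continue
            (seq,) = struct.unpack_from("<I", body)
            if self.next_seq is not None and seq != self.next_seq:
                self.lost += (seq - self.next_seq) & 0xFFFFFFFF
            self.next_seq = (seq + 1) & 0xFFFFFFFF
            out.append((seq, body[4:-4]))
        return out


if __name__ == "__main__":
    # Constructed demo: four frames, frame 1 damaged in transit, frame 2 never arrives.
    frames = [encode_frame(i, b"temp=21.5") for i in range(4)]
    bad = bytearray(frames[1]); bad[frames[1].find(b"temp")] ^= 0x20
    stream = frames[0] + bytes(bad) + frames[3]
    rx = OneWayReceiver()
    got = rx.feed(stream[:10]) + rx.feed(stream[10:])
    print(got, "corrupt:", rx.corrupt, "lost:", rx.lost)
```

The design choice worth noting is the MAX_FRAME guard: on a bidirectional link a lost delimiter is recovered by the other side timing out and resending, but here nothing will ever come back, so the receiver must bound how long it waits for a frame to close or a single flipped byte can stall it forever.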
Ah, yes, it sure would be nice to think that they're a bit more careful, but then I think of things like the OPM leak and I go cross-eyed. ( https://en.wikipedia.org/wiki/Office_of_Personnel_Management... - I'm sure you know what I'm talking about but I figured I'd add a link for anyone who didn't.)
> It's been "rules for thee and not for me" since the dawn of time.
Aye, but I think that's just what the panopticon could overturn, if we set it up that way. I'm not particularly hopeful, but maybe there's a possible future where we overcome our worse natures and use technology wisely. Star Trek vs. N. Korea.
FWIW I call this idea the "Tyranny of Mrs. Grundy": if everyone is on the lens-end of the cameras, including police and politicians, then no one escapes censure by Mrs. Grundy. ( https://en.wikipedia.org/wiki/Mrs_Grundy ) We're forced to create a "humane tyranny".
"Humane tyranny" sounds like an oxymoron from today's POV, but I think the challenge is to "de-oxymoron-icize" it. Due to the advancing tech, I don't think it's optional , the panopticon will happen (it arguably already has), so the challenge is to make it more-or-less livable.
There literally are no markings or any other type of brand/vendor on the box other than what you see.
No, not literally everything. And who's not annoyed by shopping on Amazon and having to weed through all the cheap Chinese "solutions"? The only time you get something quality from China is if some other company outside China is commissioning them to build their stuff with high standards. The rest of Chinese "innovation" is seeing how cheap they can make something before it does literally fall apart.
I'd say Chinese manufacturing is a little cheaper and a lot lower quality, and generally the price difference is not remotely sufficient to make up for the loss in performance. You need a company in the middle who cares about their reputation to be safe buying it.
It was a different time: https://www.nytimes.com/1952/01/13/archives/japanese-machine... "The Japanese flair for imitating, but not equaling, the manufactures of occidental nations has caught up with her machine-tool industry, ..." (1952)
First it was imitating, but not equaling, then it was imitating with equal quality but a little cheaper, and a few generations later nobody remembers that "Made in Japan" ever meant anything but high quality.
And that's why nowadays things like washing machines and refrigerators which used to last decades now break within the first year or two.
> The same comments were said of Japanese products back in the day, "IP thieves", "shitty quality", and here we are decades later praising Japanese products. Its hilarious at this point.
But these stereotypes lasted only for a decade tops! I have not seen the same commitment to quality that Japanese brands produced. I believe it is a cultural difference, Japanese take great pride in workmanship.
Most people won't remember it because it's too long ago
What was the last time you inspected any command or application you executed on your computer?
How would you spot malicious code? Are you a security expert who has knowledge of all of the programming languages that have been used to write the apps you are running?
You have an absolutely unrealistic view on this subject. Btw, Apple and many companies have a trivial way of spotting malicious applications by simply checksumming the executables.
> What was the last time you inspected any command or application you executed on your computer?
A few months ago, and didn't run new code from untrusted sources since.
> How would you spot malicious code? Are you a security expert who has knowledge of all of the programming languages that have been used to write the apps you are running?
So far I haven't run into languages I can't read. Spotting malicious code could indeed be tricky, a subtle but critical vulnerability would easily evade quick skimming, just as malware is still possible even when it comes from a somewhat trusted source. But I'm more certain that a program does what it says it does after skimming its code.
> Apple and many companies have a trivial way of spotting malicious application by simple checksumming the executables.
That's how basic antiviruses work, not specific to Apple. They have to first add that checksum into a database, which isn't viable when we're talking about a small hardware manufacturer shipping their custom software to dozens of clients.
https://linux.slashdot.org/story/22/01/25/2259214/major-linu...
And you cannot do that on open source either. Both cases require a chain of trust, and empirically, neither is significantly more secure.
Injecting malware in a single small widely distributed program and remaining stealthy for any length of time is a lot harder if it's open source.
Case in point, the famous Borland InterBase backdoor that went unnoticed for about 7 years and 3 versions of the software but was discovered in 8 months by one developer after Borland released InterBase as Open Source.
https://www.zdnet.com/article/borland-interbase-backdoor-det...
Citation needed.
On the other hand:
If anything, having source also makes it easier to auto scan for flaws at the source level and find holes.
I know from CVEs that OS projects have a significant number of high-profile, long-standing holes in them.
In that case, open source rarely has even one possible replacement, so there's no comparison.
>but if you have the source code, it's often reasonable to read
As someone working in code daily, I disagree. I find lots of open source projects once you get out of the few big ones to be a massive mess of code.
And most programs of much use are simply too big to do any sort of audit. I have lots of friends in open source - I doubt a single one has ever read over the source for an entire program to inspect.
Have you honestly read over an entire open source program to check it? Or is this a myth that gets repeated but no one does it....
As to modification, I've reverse engineered many, many programs to add hooks and interoperability. It's not that terribly difficult once you've done a few and get to know how to do it.
So sure, nice clean code is good. But open source software I find to be crappy for all but the few big uses. GIMP vs photoshop? No real good OS CAD, or finance, or comparing Octave to Mathematica? Buggy video editor of the week to DaVinci Resolve? Tax software? Inkscape vs AI? So as a result of lacking quality in OS, I prefer closed source solutions since paying for them gets me vastly better quality for a lot of things I want software for.
And in the rare case I want to hack something, I still can and do.
Open source is honestly a you-get-what-you-paid-for solution for most stuff.
Nobody here is promoting anything when we're saying that from a purely technical perspective this report alone is not enough to justify the claims being made. Extraordinary claims require extraordinary evidence, but no evidence has been provided whatsoever, so it's perfectly fair to challenge the validity of the claims.
> In that case, open source rarely has even one possible replacement, so there's no comparison.
There's usually just one program shipped by a vendor in these cases, and most of the time it's indeed closed-source -- that's what I started with.
Big and widely used FLOSS projects are far from these programs shipped by small hardware manufacturers, I wasn't talking about those. Just as the established and polished commercial projects are far from those: you're getting some buggy and unsupported programs from unknown hardware vendors, possibly even with malware as in TFA, not Photoshop.
> Have you honestly read over an entire open source program to check it?
I have, pretty sure that many others read those too, but haven't read entire sources of large projects like GIMP; plenty of programs and libraries are just a few KLOC (or even just hundreds of LOC) long, easy to skim.
> As to modification, I've reverse engineered many, many programs to add hooks and interoperability. It's not that terribly difficult once you've done a few and get to know how to do it.
I have a rather hard time imagining these being any major modifications and considered easy with arbitrary compiled binaries, while suspecting that merely reading sources is something mythical. But once again, you're probably picturing a hairy mess of a huge project's source code, and I picture integration tasks like turning a buggy Windows GUI program into a working multi-threaded Linux daemon -- where having source code makes it easier (and I'm certainly reading at least decompiled code when that's an option), as well as making it practical/easier to see what the program is doing.
Heck, I suspect Ghidra nowadays makes that a single click task.
And if it's that small, it's also trivial to write. I doubt too many companies fret over stuff that small.