The malware is a cherry on top, but the story before that is pretty awful already, and unfortunately seems to be representative of specialized software like that: proprietary (with constant risk of malware, indeed), awkward, poorly (if at all) documented, likely the protocols to speak to the hardware without it are kept secret, and occasional shipment of Windows machines where just software would do (but probably it's written to just barely work on a given system, and won't run on others easily).
I think the main and annoying problem is those general practices, not just a single instance of malware.
Edit: Apparently some focus on the "Chinese" part, but I suspect that hardware being specialized and software being shipped by the hardware manufacturer are larger factors here: at least all the awkwardness before the malware part I've observed to be approximately similar with hardware+software produced by Chinese, European, and US companies.
Tbf, the focus on secrecy is probably because everything in China is at risk of being copied / ripped off by competitors at the drop of a hat. Being an IP wild west has its drawbacks.
The problem is these approaches tend to not really prevent the rip-off, as any of these obscuring methods tend to not hold against someone with expertise in subverting them. Which companies that do this kind of rip-off tend to have...
A pick and place really is one of those things that would benefit from being open source--the vision algorithms are very annoying and require high technical skill while the motion algorithms are stupid simple.
To be precise, I had in mind closed-source software: the software you can't inspect with reasonable effort/time before running, to ensure that it's not malicious. And especially in case of specialized software, that wasn't inspected by others either. Though these terms seem to be used interchangeably quite commonly [1], likely because of a strong correlation.
> the software you can't inspect with reasonable effort/time before running
What was the last time you inspected any command or application you executed on your computer?
How would you spot malicious code? Are you a security expert who has knowledge of all of the programming languages that have been used to write the apps you are running?
You have an absolutely unrealistic view on this subject. Btw, Apple and many companies have a trivial way of spotting malicious applications by simply checksumming the executables.
I'm surprised how this discussion turns out: didn't expect those bits to be controversial at all, and sibling comments make it sound like it's almost better to not have access to sources.
> What was the last time you inspected any command or application you executed on your computer?
A few months ago, and didn't run new code from untrusted sources since.
> How would you spot malicious code? Are you a security expert who has knowledge of all of the programming languages that have been used to write the apps you are running?
So far I haven't run into languages I can't read. Spotting malicious code could indeed be tricky, a subtle but critical vulnerability would easily evade quick skimming, just as malware is still possible even when it comes from a somewhat trusted source. But I'm more certain that a program does what it says it does after skimming its code.
> Apple and many companies have a trivial way of spotting malicious application by simple checksumming the executables.
That's how basic antiviruses work, not specific to Apple. They have to first add that checksum into a database, which isn't viable when we're talking about a small hardware manufacturer shipping their custom software to dozens of clients.
> Injecting malware in a single small widely distributed program and remaining stealthy for any length of time is a lot harder if it's open source.
Case in point, the famous Borland InterBase backdoor that went unnoticed for about 7 years and 3 versions of the software but was discovered in 8 months by one developer after Borland released InterBase as Open Source.
I think the context somehow gets lost in this discussion. You indeed need a chain of trust in general, and can't inspect all the software alone even if it's FLOSS, but I'm talking about odd specialized programs shipped by hardware manufacturers (like the one TFA talks about) and similar one-off ones that come from an untrusted source: there's no trust there, no reliance on others inspecting it, but if you have the source code, it's often reasonable to read. Also occasionally desirable to fix or otherwise modify, to integrate into your overall system (that's what I tend to do pretty much each time when interacting with such software+hardware, sometimes reverse engineering and reimplementing it, so maybe my view is a bit skewed). So FLOSS is good, closed source and proprietary is less trustworthy and less usable.
>I'm talking about odd specialized programs shipped by hardware manufacturers (like the one TFA talks about
In that case, open source rarely has even one possible replacement, so there's no comparison.
>but if you have the source code, it's often reasonable to read
As someone working in code daily, I disagree. I find lots of open source projects once you get out of the few big ones to be a massive mess of code.
And most programs of much use are simply too big to do any sort of audit. I have lots of friends in open source - I doubt a single one has ever read over the source for an entire program to inspect.
Have you honestly read over an entire open source program to check it? Or is this a myth that gets repeated but no one does it....
As to modification, I've reverse engineered many, many programs to add hooks and interoperability. It's not that terribly difficult once you've done a few and get to know how to do it.
So sure, nice clean code is good. But open source software I find to be crappy for all but the few big uses. GIMP vs photoshop? No real good OS CAD, or finance, or comparing Octave to Mathematica? Buggy video editor of the week to DaVinci Resolve? Tax software? Inkscape vs AI? So as a result of lacking quality in OS, I prefer closed source solutions since paying for them gets me vastly better quality for a lot of things I want software for.
And in the rare case I want to hack something, I still can and do.
Open source is honestly a you-get-what-you-paid-for solution for most stuff.
Sounds like we had quite a different experience, and picturing different things too.
> In that case, open source rarely has even one possible replacement, so there's no comparison.
There's usually just one program shipped by a vendor in these cases, and most of the time it's indeed closed-source -- that's what I started with.
Big and widely used FLOSS projects are far from these programs shipped by small hardware manufacturers, I wasn't talking about those. Just as the established and polished commercial projects are far from those: you're getting some buggy and unsupported programs from unknown hardware vendors, possibly even with malware as in TFA, not Photoshop.
> Have you honestly read over an entire open source program to check it?
I have, pretty sure that many others read those too, but haven't read entire sources of large projects like GIMP; plenty of programs and libraries are just a few KLOC (or even just hundreds of LOC) long, easy to skim.
> As to modification, I've reverse engineered many, many programs to add hooks and interoperability. It's not that terribly difficult once you've done a few and get to know how to do it.
I have a rather hard time imagining these being any major modifications and considered easy with arbitrary compiled binaries, while suspecting that merely reading sources is something mythical. But once again, you're probably picturing a hairy mess of a huge project's source code, and I picture integration tasks like turning a buggy Windows GUI program into a working multi-threaded Linux daemon -- where having source code makes it easier (and I'm certainly reading at least decompiled code when that's an option), as well as making it practical/easier to see what the program is doing.
Something as small as a few kloc I can reverse back to compilable source in a day, so things that trivially small are not difficult to edit to your heart's content.
Heck, I suspect Ghidra nowadays makes that a single click task.
And if it's that small, it's also trivial to write. I doubt too many companies fret over stuff that small.
Proprietary or open sourced doesn't matter much if you're not verifying the checksums of all the binaries that come pre-installed on your system. If the majority of tech savvy people can't be bothered to do it, then average joe is doomed.
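Both the "AV checksum database" point made earlier and the point about verifying pre-installed binaries come down to the same operation applied against different reference sets. The block below is an added example (mine, not from the thread or any vendor) that puts them side by side: a known-bad digest list, which only catches what someone has already submitted, and a known-good manifest taken from a clean install, which catches an .exe that an infector modified and a file that was dropped later regardless of whether anyone has seen that sample before. All file names and contents are constructed stand-ins.

```python
"""Hash-based checks side by side: an AV-style known-bad digest list, and a
known-good manifest of the vendor's shipped binaries. Added example, not from
the thread or any vendor; all file contents below are constructed stand-ins."""
import hashlib
from pathlib import Path

CHUNK = 1 << 20   # stream large installers through the hash 1 MiB at a time


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path, patterns=("*.exe", "*.dll", "*.sys")) -> dict:
    """name -> digest for binaries under root. Run once on a known-clean install
    to produce the manifest, and again later to produce the observed state."""
    return {str(p.relative_to(root)): sha256_file(p)
            for pat in patterns for p in root.rglob(pat) if p.is_file()}


def classify(observed: dict, manifest: dict, known_bad: set) -> dict:
    """Compare an observed snapshot with the manifest and a known-bad list.
    Buckets: known_bad (digest on the blocklist), modified (in manifest, digest
    changed; what an .exe infector produces), unknown (not in manifest; a
    dropped file), missing (in manifest, gone), ok."""
    report = {"ok": [], "modified": [], "unknown": [], "missing": [], "known_bad": []}
    for name, digest in sorted(observed.items()):
        if digest in known_bad:
            report["known_bad"].append(name)
        elif name not in manifest:
            report["unknown"].append(name)
        elif manifest[name] != digest:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["missing"] = sorted(set(manifest) - set(observed))
    return report


# Constructed stand-ins for the vendor's shipped files and for an infection.
CLEAN_PNP = b"MZ\x90\x00" + b"vendor pick-and-place control v1.0"
INFECTED_PNP = CLEAN_PNP + b"<appended infector stub>"
DROPPED = b"MZ\x90\x00" + b"dropped payload"
VENDOR_MANIFEST = {"pnp.exe": sha256_bytes(CLEAN_PNP),
                   "vision.dll": sha256_bytes(b"MZ\x90\x00vision v1.0")}
KNOWN_BAD = {sha256_bytes(DROPPED)}   # a blocklist only helps if someone already submitted the sample


def demo() -> dict:
    observed = {"pnp.exe": sha256_bytes(INFECTED_PNP),      # changed after the manifest was taken
                "updater.exe": sha256_bytes(DROPPED),       # dropped file that happens to be on the blocklist
                "cam.dll": sha256_bytes(b"MZ\x90\x00capture driver 2008")}  # never in the manifest
    return classify(observed, VENDOR_MANIFEST, KNOWN_BAD)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(bucket, names)
```

The manifest has to be captured from a state you trust (ideally the vendor publishes digests, failing that a snapshot before the machine ever touched your network), and it is only as good as that moment; the blocklist path is what a basic AV does and is the one that cannot work for a one-off vendor binary nobody has submitted.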
Given that Windows 7 _Ultimate_ was installed on what is essentially an OEM machine, it's very likely that it's a pirated copy with a "home brewed" license key.
I think the most reasonable explanation is that either the OS was sourced already infected, or the crack tool they used was infected.
A bit off topic, but the last time I needed a Windows laptop for business reasons (a long time ago) I bought a laptop directly from Microsoft and it appeared to be secure and also not loaded with advertising junk. The price seemed OK, fairly competitive.
When buying a Windows machine, you can purchase "Signature Edition" versions through Microsoft which will come with only the crapware selected by Microsoft, and not by the manufacturer.
It looks like that isn't available for those in the US, since the redirect takes me to a 'not available' page. Are the 'Signature Edition' versions at all available in the US?
I had a Surface 3 Pro and it was a nightmare. In the end, the SSD died and the way the machine is glued together, it's impossible to open without breaking the screen.
Before its final death, it had problems with sleep/wake functions. A standard reinstall wouldn't fix it. Eventually had to take it back to Microsoft for a full re-image. That did the trick.
> Or it's just malware that's "around" the company since nobody cares what they download, which USB keys they plug
There's a fun story documented on Darknet Diaries (https://darknetdiaries.com/transcript/22/) about a wind farm that got hacked. The "malicious" actor had found his way into their infrastructure and installed some idle cryptominers. But he was also taking the time to maintain all the infrastructure; applying updates and patches on a regular basis in an effort to keep other would-be hackers out. The security consultant discloses all of this to the company. Well, the story ends with the company making a business decision to leave things as they are. They were effectively getting free IT.
Alright let's think about this. If equipment was entering the US with pirated Windows licenses, wouldn't Microsoft ask customs enforcement to block them until the manufacturer stopped pirating?
Also why would Windows Ultimate indicate piracy? Wouldn't it be weird if "Windows Home" flashed up on the screen while booting an industrial machine? It's more likely to make sense that Windows Home isn't licensed for use on industrial machines.
> wouldn't Microsoft ask customs enforcement to block them until the manufacturer stopped pirating
Well, they would if they knew. I have purchased a variety of random computing hardware from Chinese suppliers and despite the product pages claiming they had no on-board OS installed, they came with cracked versions of Windows. They do it because customers want an OS but don't want to shell out for a license. It costs them nothing to pirate software (especially when they lie about it) and getting caught and actually blocked is very hard. This isn't like them intercepting a shipment of counterfeit purses where you can clearly tell by looking at the item. You'd have to boot the computers and then verify that they have an OS installed and then that it's properly licensed, which is well out of reach for a random customs officer.
> why would Windows Ultimate indicate piracy?
It's a very expensive license and, if you have any experience pirating Windows (I cough don't) that's usually what you find since if you're going to steal something, why steal the shittier, less featureful version?
Microsoft sells an embedded, stripped down version of Windows with extended support life for industrial machines like this. Ultimate is intended for workstations and power users.
You know what? I don't care anymore. When this type of thing happens it's almost always China. Whether it's intentional malware or a lack of QA, how could one tell? They have such a reputation for both I don't know why we still let their electronics into our countries.
> When this type of thing happens it's almost always China.
It could only happen in China - because the author bought dubious stuff from an unknown third party on AliExpress. Craigslist scams happen mostly in the US because people don't use it elsewhere.
Sort of like how you shoot the arrow first and then draw a target around it, 100% bullseye.
So most of this happens in products made where most of these products are made? Seems logical. Besides, it doesn't seem any better in the US. By far the most backdoored internet equipment producer is Cisco.
It's because Chinese goods are consistently good that anything bad is news. Ironic, isn't it?
Literally everything is made in China; if the quality is as bad as you say, the world would have fallen apart.
It seems critical thinking is rare among news outrage these days. The same comments were said of Japanese products back in the day, "IP thieves", "shitty quality", and here we are decades later praising Japanese products. It's hilarious at this point.
> Literally everything is made in China; if the quality is as bad as you say, the world would have fallen apart.
No, not literally everything. And who's not annoyed by shopping on Amazon and having to weed through all the cheap Chinese "solutions"? The only time you get something quality from China is if some other company outside China is commissioning them to build their stuff with high standards. The rest of Chinese "innovation" is seeing how cheap they can make something before it does literally fall apart.
I don't recall the Japanese being accused of poor quality. Just imitating rather than innovating. Many Japanese products like swords, knives, cameras, have been known for surprisingly high quality for a long time. Centuries in some cases.
I'd say Chinese manufacturing is a little cheaper and a lot lower quality, and generally the price difference is not remotely sufficient to make up for the loss in performance. You need a company in the middle who cares about their reputation to be safe buying it.
First it was imitating, but not equaling, then it was imitating with equal quality but a little cheaper, and a few generations later nobody remembers that "Made in Japan" ever meant anything but high quality.
> Literally everything is made in China; if the quality is as bad as you say, the world would have fallen apart.
And that's why nowadays things like washing machines and refrigerators which used to last decades now break within the first year or two.
> The same comments were said of Japanese products back in the day, "IP thieves", "shitty quality", and here we are decades later praising Japanese products. It's hilarious at this point.
But these stereotypes lasted only for a decade tops! I have not seen the same commitment to quality that Japanese brands produced. I believe it is a cultural difference, Japanese take great pride in workmanship.
> "efficient" MBA eloi outsourced everything to morlocks a long time ago.
This is the biggest weakness of the West - and it all stems back to "share holder value".
Companies, US ones in particular, seem to have some absurd drive to pay endless dividends to shareholders, and drive 'value' via share price, by appearing to be profitable.
In other words, get stuff from the cheapest provider.
It didn't help that at the same time people like Carl Icahn came along and stripped a company that was cheap to buy, but also sat on a pile of cash. And again, if he could 'drive value' for the share holders, said company was a target.
Eventually state-level politics appear - artificially low-priced Chinese goods because the CCP fix the exchange rate, or subsidise an entire market to corner it globally.
Western MBAs and politicians think they know that manufacturing is just a fungible commodity and think that we're exploiting cheap Chinese labor to 'drive shareholder value'.
While they have this myopic focus on quarterly results, the CCP has a 100- and 500-year plan, and is happily exploiting that myopia for strategic economic and military value, including subsidizing massive undercutting of entire industries in order to kill all but their own. The result is that they are gaining the deep know-how of manufacturing, the ability to compromise their adversaries' military gear at the component level, and the ability to choke off supply chains.
Although there is still barely time to repair this, it will go down as a strategic blunder of historic proportions.
This was the case some 10 years ago, but Chinese labor is no longer cheap. The wealth brought in by making China the factory of the world drove the income level of its middle class up and now there are few advantages in manufacturing your products in China.
Western manufacturers are constantly pulling their factories back from China, many having gained an ultimate net loss from moving in in the 90s and now relocating again.
Yes, they have made a net loss, and meanwhile transferred an insane amount of technology to China. But those managers got their bonuses and are long-gone...
And sure Chinese labor isn't as cheap, they've moved up the value chain some, but it is still cheap enough compared to US wages to make items and ship them here - particularly with China's lax environmental and labor laws.
The relocations to even cheaper labor-rate countries are still an improvement, as at least they aren't creating all levels of strategic disadvantage...
The story here is not the fact of the malware - it is the purpose of the malware: industrial espionage. China is well-known in industry for its sheer volume and brazenness of industrial espionage. A pick-and-place machine is especially well placed for this since it will, by necessity, have access to PCB designs and BOMs.
I have seen enough stories of supply-line sabotage to think that if you are going to build your infrastructure with Chinese hardware, air-gapping it is a necessity.
Probably a good idea to air-gap your pick and place machine even if it is not Chinese.
Airgapping wouldn’t be enough here since it infects any USB device plugged in. You’ll have to run the USB through some antivirus any time you want to use a new design from a “good” computer.
You could go for overkill and establish a one-way data transfer methodology with built in crc/ecc. Receive-only optics on the destination side might be usable.
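The one-way link sketched in that comment needs a receiver that copes with corruption without ever being able to ask for a retransmit. This added example (mine, not from the thread or any product) shows the framing that makes that work: numbered frames with a CRC32 over the payload, each frame sent several times, and a receiver that resyncs on a marker, keeps the first intact copy of each sequence number and reports which frames never arrived clean. Repetition is the simplest form of redundancy; a real diode would use a proper FEC code. The marker, header layout and sample payload are assumptions for the demo.

```python
"""Framing for a one-way (data-diode style) transfer with CRC32 and repetition.
Added example, not from the thread or any product; the frame format is assumed."""
import struct
import zlib

MAGIC = b"OW1"                       # frame marker (assumed, not a standard)
HEADER = struct.Struct("<3sHHHI")    # magic, seq, total frames, payload length, crc32
CHUNK = 64                           # payload bytes per frame (small for the demo)
REPEAT = 3                           # copies of each frame; one clean copy suffices
FRAME_LEN = HEADER.size + CHUNK      # 77 bytes for a full frame


def encode(payload: bytes, chunk: int = CHUNK, repeat: int = REPEAT) -> bytes:
    """Sender side (no return channel): numbered frames, each CRC'd, each sent `repeat` times."""
    parts = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    frames = [HEADER.pack(MAGIC, seq, len(parts), len(p), zlib.crc32(p)) + p
              for seq, p in enumerate(parts)]
    return b"".join(f for f in frames for _ in range(repeat))


def decode(stream: bytes):
    """Receiver side: scan for frames, keep the first CRC-valid copy of each seq.
    Returns (payload, []) on success or (None, missing_seqs) when some frame
    never arrived intact. Damaged bytes are skipped by resyncing on MAGIC."""
    got, total, pos = {}, None, 0
    while pos + HEADER.size <= len(stream):
        if stream[pos:pos + len(MAGIC)] != MAGIC:
            pos += 1
            continue
        _, seq, tot, length, crc = HEADER.unpack_from(stream, pos)
        body = stream[pos + HEADER.size: pos + HEADER.size + length]
        valid = (len(body) == length and zlib.crc32(body) == crc
                 and seq < tot and (total is None or tot == total))
        if not valid:
            pos += 1                 # damaged frame: resync byte by byte
            continue
        total = tot
        got.setdefault(seq, body)    # later duplicates are ignored
        pos += HEADER.size + length
    if total is None:
        return None, []
    missing = [s for s in range(total) if s not in got]
    if missing:
        return None, missing
    return b"".join(got[s] for s in range(total)), []


def corrupt(stream: bytes, offsets) -> bytes:
    """Flip bytes at the given offsets to simulate link errors on the demo stream."""
    buf = bytearray(stream)
    for off in offsets:
        buf[off] ^= 0xFF
    return bytes(buf)


def sample_payload() -> bytes:
    """Constructed stand-in for a design file: 192 bytes, exactly three frames."""
    return (b"X2 constructed Gerber line\n" * 8)[:192]


if __name__ == "__main__":
    stream = corrupt(encode(sample_payload()), [20, 3 * FRAME_LEN + 23])
    print(decode(stream)[0] == sample_payload())   # one damaged copy per frame is survivable
```

Because there is no back channel, the only knobs are the repeat count (or FEC rate) and the chunk size; the receiver's missing list is what you would log and then re-send on the next run, which is the whole transfer again.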
It's really tough to air-gap these days. Are you really going to set up a perimeter where every phone, watch, and computer is dropped off before entry?
A lot of places do have something like that, and even if you didn't, you could just make sure no official equipment has any wireless capability, and ban connecting any outside electronics to any official equipment.
Yes, some things look suspicious (packing, lack of signatures, hardcoded IP addresses/hostnames, network traffic) - but I'm not seeing any clear-cut evidence that this is malware?
Which seemingly infects .exes (i.e., is not just a worm), so it's totally possible that the OEM here isn't acting maliciously, but they just got infected themselves.
I have seen a (badly written?) router firmware that behaved suspiciously just like you describe, but the only provable thing was that they checked for updates from the vendor in a rather non-optimal way.
Until today, I am not sure whether this was malice (=malware) or incompetence (=hey, let us phone home every 5 seconds and go crazy if the connection fails for any reason).
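Whether a phone-home is an update check or a beacon is something you can read off the device's outbound connections before reaching for a disassembler. The following is an added example (mine, not from the thread or any product) that walks a constructed connection log, groups it by destination, compares each against the destinations the vendor documents, and measures how regular the interval is: a timer-driven beacon has a steady period with little jitter, an update check is a handful of connections to a declared host. The hostnames, the 203.0.113.7 address and the allowlist are placeholders.

```python
"""Egress triage over a constructed connection log: which destinations does the
box talk to, how regularly, and are they on the vendor's declared list?
Added example, not from the thread; hostnames and addresses are placeholders."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed Sysmon/firewall-style lines, not captured from any real device.
LOG = """\
2020-01-10T09:00:00 host=pnp-pc proc=pnp.exe dst=update.vendor.example:443
2020-01-10T09:00:01 host=pnp-pc proc=w32time dst=time.example:123
2020-01-10T09:00:30 host=pnp-pc proc=pnp.exe dst=cdn.example:80
2020-01-10T09:01:00 host=pnp-pc proc=helper.exe dst=203.0.113.7:8080
2020-01-10T09:02:01 host=pnp-pc proc=helper.exe dst=203.0.113.7:8080
2020-01-10T09:02:59 host=pnp-pc proc=helper.exe dst=203.0.113.7:8080
2020-01-10T09:04:00 host=pnp-pc proc=helper.exe dst=203.0.113.7:8080
2020-01-10T09:05:02 host=pnp-pc proc=helper.exe dst=203.0.113.7:8080
2020-01-10T09:05:59 host=pnp-pc proc=helper.exe dst=203.0.113.7:8080
2020-01-10T09:07:00 host=pnp-pc proc=helper.exe dst=203.0.113.7:8080
2020-01-10T09:08:01 host=pnp-pc proc=helper.exe dst=203.0.113.7:8080
2020-01-10T09:30:01 host=pnp-pc proc=w32time dst=time.example:123
"""

# What the vendor documented (assumed): one update host and one NTP server.
ALLOWLIST = {"update.vendor.example", "time.example"}


def parse(log: str) -> list:
    """Parse 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        ev = dict(kv.split("=", 1) for kv in kvs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def summarise(events: list, allowlist: set) -> dict:
    """Per destination: hit count, processes, mean interval and its spread."""
    by_dst = defaultdict(list)
    for ev in events:
        by_dst[ev["dst"]].append(ev)
    out = {}
    for dst, evs in by_dst.items():
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        out[dst] = {
            "count": len(evs),
            "procs": sorted({e["proc"] for e in evs}),
            "allowed": dst.rsplit(":", 1)[0] in allowlist,
            "mean_gap": mean(gaps) if gaps else None,
            "gap_spread": pstdev(gaps) if len(gaps) > 1 else None,
        }
    return out


def triage(summary: dict, min_hits: int = 5, max_jitter: float = 0.2) -> dict:
    """Split unlisted destinations into regular beacons and one-off/unknown egress.
    A beacon here means: not on the allowlist, at least min_hits connections,
    and interval spread below max_jitter of the mean (a timer with little jitter)."""
    beacons, unlisted = [], []
    for dst, s in summary.items():
        if s["allowed"]:
            continue
        regular = (s["count"] >= min_hits and s["gap_spread"] is not None
                   and s["gap_spread"] <= max_jitter * s["mean_gap"])
        (beacons if regular else unlisted).append(dst)
    return {"beacons": sorted(beacons), "unlisted": sorted(unlisted)}


def run(log: str = LOG, allowlist: set = ALLOWLIST) -> dict:
    return triage(summarise(parse(log), allowlist))


if __name__ == "__main__":
    print(run())
```

A steady beacon is still not proof of malice (a badly written updater looks the same), but it tells you which destination to block and which process to pull apart first; the "every 5 seconds, goes crazy on failure" behaviour described in the comment would show up as a very short mean_gap with a burst of hits once the connection fails.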
It's frustrating. I've seen anti malware software pick up anything that has a file name in Mandarin as malware. I used to use a great little program called Clover which was basically File Explorer for Windows but it allowed tabs. I stopped using it after a while because anti malware kept flagging it. Did it have malware? Maybe! I couldn't really get a good answer and I figured having tabs in file explorer isn't worth it.
I haven't thought about Clover in forever, but didn't it add tabs to your existing Explorer, versus being an Explorer clone plus tabs? The behavior required for the former probably looks a lot like malware to a heuristic detection engine.
I'm no expert, but I'm also not convinced that the device contained malware.
> We sent the file for proper malware analysis which did confirm that it did indeed contain malware. The malware would collect user data and send it to a remote address. Presumably it would be a way to steal company information such as designs, accounts, and so on. Pretty shady stuff!
Or, you know, it might be doing anything at all on the internet. A reasonable question is "why should this device access the internet?" Good point, but my LAN-controlled "smart plug" connects to an NTP server in France. Who knows.
From the report:
> When verifying the [executable] signature, it was identified that the malware did not have any signature assigned to it as shown in the figure below. It means that the file has a malicious activity.
Doesn't that mean that the image is not signed? Again, I'm not an expert, but to say "it means that the file has a malicious activity" smells like "I'll consider almost anything suspicious if it will convince you that this report is valuable." On the other hand, maybe that really is suspicious. I don't do this for a living.
> The process explorer and procmon helped to know that the malware created a child process and then killed the process. It was also identified that the file did not have the signature but had the company name, and the path, confirming that it is a suspicious file from a legitimate organization. The regshot helped in getting the two snapshots of the registry, one before execution and one after malware execution. Therefore, it can be concluded that the file analyzed contains a trojan spyware which creates a child process that kills the original file when run. The malware collects user information and sends it to http://freedns.afraid.org/.
Again, the conclusion does not follow from the premises. Maybe spawning a child and killing the parent is something that you wouldn't normally do unless you were malware. Maybe English is not the author's first language, fine, but it does look like a poorly edited template.
For all I know, it's totally malware built for corporate espionage originating from a country notorious for doing that, but I don't see any compelling evidence.
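The report's "no signature, therefore malicious activity" step conflates two things. This added example (mine, not from the thread, the quoted report or any vendor tool) shows what "unsigned" means at the file level: it reads the PE optional header's security data directory and reports whether a WIN_CERTIFICATE blob is attached at all. A present entry does not mean the signature is valid, and an absent one is the normal state for a small vendor's in-house tool. Validating an attached signature (certificate chain, timestamp, and the Authenticode hash of the image) is a separate step you would hand to signtool, Get-AuthenticodeSignature or osslsigncode. The build_pe helper and its placeholder PKCS#7 bytes are constructed for the demo and are not a real signed binary.

```python
"""Read the PE security data directory to answer one question: does this file
carry an embedded Authenticode blob at all? Added example, not from the thread,
the quoted report or any vendor; the sample image is constructed."""
import struct

PE32, PE32PLUS = 0x10B, 0x20B
SECURITY_DIR = 4                          # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode carries PKCS#7 SignedData


def authenticode_entry(data: bytes) -> dict:
    """Return {'signed': bool, 'reason': str, ...}. 'signed' only means a
    WIN_CERTIFICATE blob is attached; whether it validates is a separate step."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    opt_size = struct.unpack_from("<H", data, pe_off + 4 + 16)[0]   # COFF SizeOfOptionalHeader
    opt_off = pe_off + 4 + 20                                         # optional header follows COFF
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32:
        nrva_off, dir_off = 92, 96        # NumberOfRvaAndSizes, DataDirectory[0]
    elif magic == PE32PLUS:
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_off = opt_off + dir_off + 8 * SECURITY_DIR
    if len(data) < entry_off + 8:
        raise ValueError("truncated PE headers")
    n_dirs = struct.unpack_from("<I", data, opt_off + nrva_off)[0]
    if n_dirs <= SECURITY_DIR or dir_off + 8 * (SECURITY_DIR + 1) > opt_size:
        return {"signed": False, "reason": "no security directory entry"}
    cert_off, cert_size = struct.unpack_from("<II", data, entry_off)
    if cert_off == 0 or cert_size == 0:
        return {"signed": False, "reason": "security directory empty"}
    if cert_size < 8 or cert_off + cert_size > len(data):
        return {"signed": False, "reason": "security directory out of bounds"}
    # Unlike every other directory entry, this one holds a raw file offset, not an RVA.
    length, revision, ctype = struct.unpack_from("<IHH", data, cert_off)
    return {"signed": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= cert_size,
            "reason": "WIN_CERTIFICATE present", "cert_type": ctype,
            "revision": revision, "pkcs7_len": length - 8}


def build_pe(signed: bool, pe32plus: bool = False, pkcs7: bytes = b"") -> bytes:
    """Constructed minimal (non-runnable) PE image for the demo. `pkcs7` is a
    placeholder blob, not a real signature."""
    magic, (nrva_off, dir_off) = (PE32PLUS, (108, 112)) if pe32plus else (PE32, (92, 96))
    opt_size = dir_off + 16 * 8
    pe_off = 0x40
    cert_off = (pe_off + 24 + opt_size + 7) & ~7        # WIN_CERTIFICATE is 8-byte aligned
    cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)          # e_lfanew lands at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, nrva_off, 16)
    if signed:
        struct.pack_into("<II", opt, dir_off + 8 * SECURITY_DIR, cert_off, len(cert))
    image = dos + coff + bytes(opt)
    return image + bytes(cert_off - len(image)) + cert if signed else image


if __name__ == "__main__":
    print(authenticode_entry(build_pe(True, pkcs7=b"\x30\x82" + bytes(30))))
    print(authenticode_entry(build_pe(False)))
```

On a real file, `authenticode_entry(Path(p).read_bytes())` gives you the same answer the report's screenshot did, and no more: an attached blob that must still be verified, or nothing, which is exactly what you would expect from a one-off vendor tool and is not evidence either way.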
Please, let's not go down that road. It's unnecessary to politicize everything and turn to hyperboles.
Nobody here is promoting anything when we're saying that from a purely technical perspective this report alone is not enough to justify the claims being made. Extraordinary claims require extraordinary evidence, but no evidence has been provided whatsoever, so it's perfectly fair to challenge the validity of the claims.
What extraordinary claims? And what evidence has not been provided unless you don't watch the news? It's quite public the atrocities the Chinese gov has committed. So no, it's very necessary to politicize this and using your own logic you've provided no evidence as to why we shouldn't.
A decade ago, an article [1] was published in the Russian "Hacker" magazine where the author alleged that a Russian OEM manufacturer's motherboard sourced from China had a BMC chip (which should've been disabled as per the mobo spec) inject a hypervisor into the host machine.
It was, again, allegedly, discovered because the author was developing some kind of distributed computing software that required a hypervisor of its own, and this exact mobo was crashing in a way that was consistent with a hypervisor being already present. The author goes further to describe how he devised a way to consistently detect hypervisors by measuring platform register access timings, and tried to report the findings to the FSB (Russian CIA/FBI) to no avail.
I personally don't put much stock in the story, as the magazine was a rag and I could come up with something like that at the time, but there it is.
I am more than a little concerned that since the miniaturization and commoditization of spy hardware (miniature microphones, cameras, and wireless communication), that run-of-the-mill consumer electronics are being bugged by default. Given the cost is pennies or just a couple dollars, from an espionage perspective, it'd be worth it to spend a few hundred million or even billion putting bugs into literally everything and letting the market put them into the homes of all your political targets in other countries. Then the problem is just sifting the data, which is easy with the massive amount of computational power that every nation state has these days. That's a great dystopia.
This has already happened: smartphones and wifi. People financed it themselves by buying the things. (Wifi can see you: "The next big Wi-Fi standard is for sensing, not communication" https://news.ycombinator.com/item?id=29901587 )
FWIW, I think whether we build a dystopia or utopia depends on whether or not we can make our rulers live under the same panopticon as the rest of us.
I don't disagree with the smartphones and WiFi, though the big 2 are highly motivated to at least secure the kernel and their own spyware. I am more thinking of these things targeting sensitive military installations or personnel.
> whether or not we can make our rulers live under the same panopticon as the rest of us.
Uh, nope. It's been "rules for thee and not for me" since the dawn of time.
> I am more thinking of these things targeting sensitive military installations or personnel.
Ah, yes, it sure would be nice to think that they're a bit more careful, but then I think of things like the OPM leak and I go cross-eyed. ( https://en.wikipedia.org/wiki/Office_of_Personnel_Management... - I'm sure you know what I'm talking about but I figured I'd add a link for anyone who didn't.)
> It's been "rules for thee and not for me" since the dawn of time.
Aye, but I think that's just what the panopticon could overturn, if we set it up that way. I'm not particularly hopeful, but maybe there's a possible future where we overcome our worser natures and use technology wisely. Star Trek vs. N. Korea.
FWIW I call this idea the "Tyranny of Mrs. Grundy": if everyone is on the lens-end of the cameras, including police and politicians, then no one escapes censure by Mrs. Grundy. ( https://en.wikipedia.org/wiki/Mrs_Grundy ) We're forced to create a "humane tyranny".
"Humane tyranny" sounds like an oxymoron from today's POV, but I think the challenge is to "de-oxymoron-icize" it. Due to the advancing tech, I don't think it's optional, the panopticon will happen (it arguably already has), so the challenge is to make it more-or-less livable.
I want to be hopeful about the future, but in the large there are too many negative trends. What I've learned is to be hopeful and optimistic about the things I can change. Just about to go watch an episode of TNG. Here's hoping that the long run is better than our current trajectory. Cheers!
TikTok, Facebook (for the FBI/CIA), and other platforms are probably lower hanging fruit. People just accept the surveillance, and there's not much reverse engineering one can do to determine what's being done with your data.
What would the chips connect to in order to phone home? My protected home wifi? A random telecom carrier for which it will have to have, by chance, a valid prepaid sim card?
> AliExpress Says Malware is OK [...] They stated that it does not breach their terms and that no action will be taken.
I'm sure many things don't explicitly breach their terms, but surely I expected there to be a catchall that would include malware. Of course, their terms are to protect AliExpress, and not the consumer, so it doesn't look like they'd wanna go above and beyond on that end, but I hoped they'd at least care about customer satisfaction.
I've bought systems off of Amazon that had pirated Windows licenses on them (otherwise a great little fanless box).
In a previous life I was an infosec consultant. We did some work for a hospital that found malware on the control hosts shipped with a brand new turnkey MRI system from a German manufacturer.
What did the malware do precisely? The definition is so broad and context-sensitive, that just saying malware doesn't really say anything. Some people would consider TPM and its code malware, others would consider anything they don't like malware (like telemetry collection in Windows or whatever).
I've seen plenty of stick PCs on Amazon that definitely have pirated copies of Windows on them. I continue to be a bit surprised that Microsoft hasn't gone after Amazon for "aiding & abetting" this, but they probably have bigger fish to fry.
They don't make their money on Windows licenses anyway. They make it on all the crap they shove in your face when you use Windows.
You've been able to pirate Windows 10 using their "Windows 7 free update" key even after they discontinued it. And everyone who got a free upgrade from 7->10 uses the same key, so it's not like you are gonna get caught.
If you can’t load the article, the machine is a desktop pick-and-place for populating PCBs and the malware is flagged as a backdoor/Trojan for remote access.
As these desktop pick and place machines come down in price, I hope that the OpenPnP software package becomes more developed: https://openpnp.org/ It was originally intended for full DIY PnP machines, but it’s a perfect candidate for converting these existing machines to open source software control.
So they bought a machine from a brand they have never heard of off AliExpress to save a little money, and it was infected with malware. Color me surprised...
Chinese phones sold here were found to not only send telemetry to Chinese IPs, some of them send SMSes to paid services, register Telegram accounts, etc. It's like a botnet.
I do wonder if this really was sabotage or if someone building these machines accidentally got their installer USB infected with some unrelated malware. If this was a targeted attack, I'd expect the manufacturer to ship the infection in the zip file with the replacement program as well.
The old components and the lack of modern drivers is a problem many industrial tools seem to suffer from. It's crap like the bad capture card that keeps Windows XP and 7 around. I don't expect there ever to be any modern drivers for an outdated capture platform unless a hobbyist writes their own open source version, so unless a compatible enough alternative card with modern drivers can be installed, I assume this machine is doomed to run Windows 7 for years to come.
Is that any kind of excuse? Supply chain infection is a side-channel way to infect YOUR network...what's your intellectual property worth? What's it worth if through the unintentional infection you find yourself figuring out how to get cash into bitcoin to pay a ransom?
Relying on an ancient card and drivers seems like a cop-out...they managed to create the solution once, they're obligated to do it again, lest your company's bottom line hinge on a house of cards an intern cobbled together for another company 12 years ago, that only works with the September 2008 drivers.
Of course intent matters. Accidents can happen and don't necessarily soil an entire brand name, but intent definitely does.
You'll be surprised how common these "house of cards an intern cobbled together for another company 12 years ago, that only works with the September 2008 drivers" situations really are when it comes to specialised hardware. As long as the machine keeps working, it can be sold, software security and maintenance be damned. There's a reason hospitals and factories pay Microsoft for the last few Windows 7 updates it'll release this year and it's not that management doesn't like the theme Microsoft put on Windows 10.
That's even more likely to be the case for industrial machines purchased off AliExpress, where hardware is often either old, second hand stuff or made as cheaply as possible from available parts. The standard of quality there is minimal, I'm surprised they risked buying this thing through AE in the first place.
> Presumably it would be a way to steal company information such as designs, accounts, and so on.
Does it collect user metrics like a lot of software does or does it actually steal designs? The report is absolutely not clear about this. I have not read many reports like this but are they all like the one they link to? Is that what a malware analysis looks like?
I'm completely behind the idea of calling every single piece of software that collects user data and sends it off to a server malware, but this is just not the case. We don't say Windows comes with malware; we in the West call it telemetry data to improve the user experience.
I'm going to broaden your definition to "malware is any software that hides its existence or its behaviour from the user". There's little value in knowing that a certain piece of software exists on your machine if you don't know what it's for.
I always wondered, how safe from tampering during manufacturing are devices 'designed in US/Europe/etc' that are built in China? Can anyone shed some light on the processes/practices that keep these devices safe, both from HW and SW points of view?
Measures could be put in place, like installing the OS only when it arrives from the Chinese construction site or shipping pre-installed SSDs with Bitlocker enabled (with unique keys per customer) so that the drives cannot be tampered with unnoticed.
In practice, I've never heard of companies actually investing in these checks. There are a few "assembled in the USA" products that probably flash their install image outside China, but who says the American intelligence agencies in turn won't tamper with those? They've done it before, after all.
I'm a little surprised there aren't any viable open source programs for what is essentially a precise plotter with a complicated plot head. A bunch of plants could work together to construct a system free of vendor lock-in and expensive replacement parts if they would just work together.
"The malware would collect user data and send it to a remote address."
Unpopular question, but how is this any different than mistakenly forgetting to disclose 'telemetry' in your code? Or backdoors that routinely get disclosed in US embedded hardware products like firewalls and routers? Or Discord scanning your entire hard disk? I'll admit the product seems pretty poorly designed from the get-go, but the tactics at work here are pretty standard when you consider things like Alexa and Ring get a pass for similar chicanery.
As a concrete example of just how far the creeping acceptance of surveillance has come. Remember BonziBuddy[1], and the absolute shit storm over that and the lawsuits and all that?
Well, what they did is nearly indistinguishable from what Alexa does, and Cortana, and Siri, and Google Assistant. But it's just the way things are now. And no, it's not fine because everyone is doing it. It's still just as bad as it was then.
It’s marked as a “Trojan/backdoor”, meaning remote access tool, and it tries to spread itself by inserting files to any USB stick inserted into the computer.
Giving someone full remote control over a computer and trying to spread that control as a computer virus is nothing like anonymous analytics collection.
Alexa and Ring don't get a pass though, do they? For these very reasons.
I know this is the HN crowd and not the general population, but I think most of HN would agree that undisclosed telemetry is super bad / malicious, and that disclosed / configurable telemetry is much better...but still often must be disabled because the Well is Poisoned by inappropriately utilized telemetry.
It's not really any different but these are "legitimate" companies with "legitimate" interests in people's data so nobody says anything. Governments do the same things that many hackers have gone to jail for at much larger scales and they award themselves medals for it. They literally stockpile exploits and don't help patch vulnerabilities, allowing their own citizens to remain insecure. The FBI once let a child abuse case fall apart because the judge ordered them to disclose the vulnerability and they refused.
About 8 years ago one of our devs purchased a couple Android tablets from China to test if they would work as a host for Smoothieware (and/or 3d printers).
It had malware prebundled at the ROM level. You could not remove it by wiping Android (IIRC...our dev that tracked the issue said he had to block what it was doing). The tablet forced your homepage...regardless of what you set it to...and I believe he said it was phoning home info...likely wifi credentials...etc.
It started me off on the thought process of "How many other things can be compromised?" SD cards with fake/hidden partitions? MCU counterfeits with entire subsystems?
IMHO...anything with an ethernet port, wifi, bluetooth...or anything that is able to at any time connect to those things needs to be watched.
Ok...response from the dev who did the work. I was a bit mistaken but here are his copied words.
"Well, it wasn't actually a ROM malware, it was the seller installing their own version of Android, which would reinstall their browser and would not let you change the browser. This browser had a hard-coded home page which it forced you to, and it was a home page that basically sells you stuff.
if you stopped their browser from getting installed, then the tablet went into a demo mode and displayed huge DEMO text across the whole screen. Eventually I was able to replace several Android core system modules which removed their check that their browser was active.
and yea I could see it phoning home whenever it was turned on."
I know I have this device in a box. If anyone would like to analyze it and see if there was more/less than what we found I am willing to send it to someone in the US via ground shipping (LIPO batteries). I believe it was not charging the last time I used it though.
TBH, this sounds like nonsense. What kind of ROM? There are not many ROMs in tablet SoCs. And how would it affect Android install in such a specific way? Wipe the whole eMMC and install a fresh, clean AOSP build and something is forcing a home page in a browser? Without a lot more detail, this sounds all kinds of improbable.
I worked in a factory where all the PCs were infected with malware - at the production line too. This would have the unfortunate effect that when we wanted to flash calibration data to the device, malware would write itself to it, because the way we would write the data was to a special section of the eMMC that would get mounted as a drive - malware detected a new drive and copied itself. We only discovered it because sometimes the devices wouldn't boot - I think it took 3 days of nonstop debugging to figure it out. They thought we were crazy when we finally tried to convince them that something was not right with their setup.
That was a large factory in China. I remember Philips had a production line there also.
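The failure mode described in that comment (a data set staged on a newly mounted drive picks up files it should not have, and the device then fails to boot) is cheap to catch before flashing if the calibration set is compared against a manifest of a known-good copy. The following is an added example, not code from the thread or from any factory mentioned in it; the directory layout, file names and contents are constructed for demonstration.

```python
"""Allow-list check for a staged calibration/flash directory.

Added example: before writing a staged tree to a device partition that mounts
as a removable drive, verify that it contains exactly the files of a known-good
manifest with matching SHA-256 hashes, and flag anything that looks like
USB-spreading malware (autorun.inf, stray executables). All paths and file
contents below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# File types that have no business in a calibration data set.
SUSPICIOUS_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk", ".dll"}
SUSPICIOUS_NAMES = {"autorun.inf"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _rel(root: Path, p: Path) -> str:
    return str(p.relative_to(root)).replace(os.sep, "/")


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> sha256 for every file under the golden copy."""
    return {_rel(root, p): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def check_staged(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return findings for a staged tree; an empty list means it matches the manifest."""
    findings: list[str] = []
    seen: set[str] = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = _rel(root, p)
        seen.add(rel)
        if p.name.lower() in SUSPICIOUS_NAMES or p.suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings.append(f"suspicious file: {rel}")
        if rel not in manifest:
            findings.append(f"unexpected file: {rel}")
        elif sha256_of(p) != manifest[rel]:
            findings.append(f"hash mismatch: {rel}")
    for rel in manifest:
        if rel not in seen:
            findings.append(f"missing file: {rel}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Build a golden tree and a staged copy, check the copy clean and then contaminated."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        staged = Path(tmp) / "staged"
        for d in (golden, staged):
            (d / "calib").mkdir(parents=True)
            (d / "calib" / "gain.bin").write_bytes(b"\x01\x02\x03\x04")
            (d / "calib" / "offsets.json").write_text('{"x": 0.5, "y": -0.25}')
        manifest = build_manifest(golden)
        clean = check_staged(staged, manifest)
        # Constructed contamination, mimicking what the comment describes: something
        # copied itself onto the freshly mounted drive and one data file was altered.
        (staged / "autorun.inf").write_text("[autorun]\nopen=update.exe\n")
        (staged / "update.exe").write_bytes(b"MZ" + b"\x00" * 16)
        (staged / "calib" / "gain.bin").write_bytes(b"\x01\x02\x03\x05")
        dirty = check_staged(staged, manifest)
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("clean tree findings:", before)
    print("contaminated tree findings:", after)
```

The manifest is built once from a copy that never touches the line PCs, so a compromised workstation cannot quietly extend the allow-list; refusing to flash on any finding is what turns three days of boot debugging into a one-line error at the station.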
I wasn't the one doing the work on it and I may be incorrect about how it was working. It was at a level where it wasn't a simple update software fix...it required more. Asking now to see about specifics.
What I do know for sure was it was bad enough that we decided never to use them.
Android uses an A/B partition scheme. Either the bootloader can be infected or both partitions can have the malware. With the A/B split, even if you blow away e.g. B, A can reinfect B. It would be trivial to add extra circuitry to reinfect both partitions as well.
Right I guess I assumed 'wiping android' meant starting over: erasing the eMMC via TRIM and flashing a new bootloader/repartitioning/etc. via BROM USB mode or something like that.
I guess OP might have meant just 'factory reset'. Which is not really 'wiping the android' at all.
Curious because I do use a lot of devices from Chinese makers myself and had no issues so far. If it's from a legit brand, I'd need to take a closer look at their products before buying more.
That depends. Can those headphones store any amount of information and possibly relay that information to another bluetooth device upon connecting to that? If not...are you absolutely sure it isn't? Anything with memory, a transmitter and an MCU "could" be doing a lot more than it is advertised as doing.
Not saying it is though...but is it possible? Absolutely.
Bought a system on Ali Express to save money, the parts don't match what they ordered, it is infected with a virus designed to steal their data and infect executables on any USB device plugged into it to spread the infection. Ali Express says computers with viruses on them aren't against terms of service. They for some reason continue to use the system and try to get it to work.
£4k GBP...relatively low cost compared to a branded competitor...We sent the file for proper malware analysis which did confirm that it did indeed contain malware. The malware would collect user data and send it to a remote address.
As much as that sucks, it's not all that surprising. You decided to try to undercut everyone else who desired a living wage. That's not to say getting infected with malware is "what you deserved", nobody should have their security compromised. What I'm saying is that you compromised your security by not working with people you can trust, people who are asking for a living wage and thus don't have to resort to putting malware into the products they create.
People in China aren't bad people, they're just people put into a tough situation. It's plenty easy to get good quality products out of China, just like anywhere else. The problem is that few people are willing to pay the real price for products, they want cheap regardless of consequences.
As someone also in the electronics design and manufacturing space I find this type of behavior very troubling. I demand what I consider a fair wage for my work and in return I also try to support other people in the industry also getting a fair wage. If all you do is buy the cheapest possible services you are really telling others they should do the same and not support you. The only solution I see is to stop pushing the costs of your business onto others that can't afford it. Go buy quality used hardware from people you can trust rather than complaining that a former colony of yours is trying to steal something from you.
I bought a laptop once. It came with windows pre-installed. And a bunch of bloatware. And 101 things that phoned home under the guise of checking that a driver was up to date. And Norton. The definition of malware is open to large interpretation.
Moving manufacturing back to our home countries (assuming a mostly Western audience here) is important not just for economic reasons but also for health, safety, and security. Trying to do so might get you called a racist, but it might depend on what political party is giving it a shot. This is an old problem and too little is being done about it.
I remember I bought a few phones from Aliexpress once for one of my IoT projects. I was somewhat surprised they don't really hide the malware, it's preinstalled. These are not just the usual bloatware you can't uninstall but also the main web browser already modified, injecting random crap.
I'm a little bothered by the article title because it implies it's related to the manufacturer being from China, despite ample evidence that pretend-reputable software vendors like Google, Amazon and Microsoft all bundle universal backdoors with their systems.
Google infamously pushed settings changes on their phone lines without user consent via the Google Play Services backdoor. Amazon removed the (bought) book 1984 from all Kindles. Microsoft proudly bragged about their remote app "kill switch".
Let's not even talk about CPU vendors embedding "anti-theft" solutions which are nothing more than RCE-as-a-service on a hardware/firmware level. Or hardware vendors bundling rootkits like Lenovo on some laptop series, and most phone manufacturers on all their devices.
I was royally pissed off when I suspected my brand new Lenovo laptop was acting strange. The only way in the end to stop it was to reinstall the OS; I then later found out it was the Superfish issue.
The problem is more or less all hardware manufacturers do that. There's variations: some bundle only the Windows backdoor, some bundle Superfish, some bundle Intel/AMD's anti-theft and ME/PSP features. That society is ok with that is a huge problem to say the least.
And yet my CPU runs its own operating system (Minix) behind my back and reacts to undocumented secret commands I'm unaware of. Is the comparison that irrelevant?
I personally find the two questions awfully related: I'm buying hardware that performs operations without my knowledge/consent and answers to someone else's commands. Now one may genuinely believe there are valid use cases for this (I don't), but it's not exactly "whataboutism" as I'm definitely not trying to refute the original argument that pre-bundled malware is bad.
Although I personally consider hardware/firmware-level malware more troubling than OS-level malware, which you can just wipe away by setting up a fresh system (which I recommend anyone to do when they receive a new machine, for related reasons).
Do you perhaps have a link about the story of amazon removing the 1984 book on all kindles? It sounds very interesting, partly because it seems so absurd.
Here's a writeup [1]. A third party started selling kindle editions of 1984 and Animal Farm through Amazon despite not having any rights to do so. When they found out (presumably the rights holders complained), Amazon deleted the unauthorized editions.
That story is about a lawsuit from one of the people they took it from.
Amazon sold 1984 on the Kindle store without permission, and when they realized their error they deleted it from everyone's kindle and refunded their money.
That's really something entirely different than malware. You know that Amazon books on kindle are subject to that. It's not malware on the Kindle, it's their whole schtick.
At the time it was suspected, but unknown. I remember the outrage; I'm not sure if I was lurking on here before I made an account, or I read it on slashdot or digg or something. Here are the HN comments from the time. https://news.ycombinator.com/item?id=710506
> You know that Amazon books on kindle are subject to that.
Most people don't. And the few that do only know because of this scandal.
There's something profoundly unintuitive about it. When you buy a $5 book in the bookstore, you can't wake up some day with the door open, $5 on your table and the book gone from your library.
Do western artists and corporations borrow stuff from other cultures and competitors? All 20th century rock & roll, most of hollywood, and pretty much all of pre-90s Silicon Valley is based on that premise.
That you think it's theft is a debatable/controversial point of view on Internet forums, but if that is to be the case, many more people/corporations from the USA should feel threatened, not just a few Chinese scapegoats which help avoid the elephant in the room: why would anyone own ideas in the first place? Ideas are born out of other ideas and everyone benefits from that. Restricting knowledge sharing can lead to disastrous outcomes, as Jonathan Blow brilliantly argued in a talk called Preventing the Collapse of Civilization which appears to pop up on HN every so often: https://www.youtube.com/watch?v=pW-SOdj4Kkk
Um, no, there's a very clear difference between 'borrowing' ideas, building on other people's achievements etc, and outright theft, when you copy someone's detailed designs wholesale, especially from secret proprietary plans obtained through illegal espionage.
This "very clear difference" is the center of many trials in Hollywood / Silicon Valley history, so I wouldn't say it's that clear-cut. I personally don't see copyright in any way as a mechanism to bring retribution to the creative minds (instead it serves to capture value into big corps and let the artists starve), but as long as we have to deal with it I'll keep publishing stuff as copyleft so that the capitalist vampires think twice before "borrowing" my code.
Do companies hire/recruit (ex-)employees from competitors to re-implement the same features?
Yes.
Lots of IP between your ears. No point in the code/manuals/docs when you wrote them yourself. You’ll know they’re not exactly correct and may appreciate being able rewrite from the ground-up now knowing what you now know.
Sure, but if the employee brings along the architecture documents or the source code, that's theft. What's alleged here is that a Chinese company is exfiltrating actual PCB designs via PnP machine malware.
I've just passed the 20 year anniversary of my arrival in China. Having lived in at least eight cities over that period and traveled broadly, I would strongly caution against assuming this is a deliberate attack by the vendor, much less the government. The vast majority of Windows instances in China are sourced from pirated distribution media and it is usual for those to be infected. This affects everyone domestically, not just machines shipped out. Furthermore, most apps are pirated with the same issues. Finally, many people's thumb drives touch a plethora of dirty machines (printing shops that support the still largely paper-driven bureaucracy, photography shops, work and home PCs, etc.) and thus are excellent vectors for malware. As usual, Hanlon's razor: resist over-attribution to malice.
Or maybe they don't give a fuck about your tiny company that's too cheap to buy a decent pick n' place? Maybe the malware was actually intended to get IP from the company that manufactured machines like yours in the thousands. Why do you always assume US companies are the only ones being copied from?
In 2019 the Chinese covered up the early spread of COVID then later repeatedly stonewalled anyone doing serious research into the disease's origin. By letting COVID spread for months unchecked the Chinese effectively ensured that there was no way to stop this thing from going global, which it did, ultimately killing over 5M people and counting.
If we're unwilling to hold the Chinese to account for that in any meaningful way, I can't imagine we're going to do anything whatsoever about a little (or even a lot of) industrial espionage.
We'll gladly let the Chinese run roughshod over us and humiliate us repeatedly if it means we can still buy our iPhones on the cheap.
20 years ago, China hid a 2nd network card that was in listener mode, transmitting documents at random times, mostly peek. This was at a research company. How it was discovered: we put a card in listening/promiscuous mode and mirrored everything for the subnet the printer was on. I thought I had screwed it up with the double mirror/traffic.
When investigating the issue, we found nothing wrong with the config; only when we plugged it into another network did we discover it was something on the network. We narrowed it down quickly to the printer. We told the head of security (we were hired for an audit) and it soon became known it was stealing trade secrets and sending them overseas.
That was 20 years ago, and to this day, I remember any time someone says China doesn't steal technology... I remember this printer. This was done at the state level and was caught.
E.g.: Microsoft being American (and them being part of PRISM), I just assume the OS has a backdoor for the US gov. Now with Windows 10 heavy telemetry, it's even easier.
I work for a client doing chips for credit cards. Did you know they are now full blown computers that can run a light version of Java (Java Card) ? The company is building their own hardware and software, and just to get to a conference room, you need biometric access + badge + pin code. Pretty sure they send data to my country agencies in some way despite having to trick the banking system to do so for them.
Same from any software, server/cloud hosting or hardware. If it comes from a specific country, this country is most probably using it for intelligence. It doesn't even need to be on a network now, because there is so much interactivity with all devices. And eventually, one will be.
It's pretty absurd to both sides something like this. Do you have evidence that the US government is doing this on computers it sells overseas, or is this just magical speculation?
"A document included in the trove of National Security Agency files released with Glenn Greenwald's book No Place to Hide details how the agency's Tailored Access Operations (TAO) unit and other NSA employees intercept servers, routers and other network gear being shipped to organizations targeted for surveillance and install covert firmware onto them before they are delivered. These Trojan horse systems were described by an NSA manager as being "some of the most productive operations in TAO because they pre-position access points into hard target networks around the world."
Well, but correct me if I'm wrong, the Snowden leak included nothing like this. Instead it included a lot of things that would be a lot easier to do if Google/Microsoft etc. just gave them access. The very fact they had to do everything else is at least evidence that they don't have direct access.
It's just different use cases. Backdoors are more useful for targeted operations or specific data exfiltration, while plugging yourself into backbones is more useful for mass surveillance.
I don't even see why it's controversial to hold this opinion. Reading some comments, people seem to feel offended we could think that of the USA.
If anything, the USA are, with Russia and China, among the countries anybody in Europe like me would suspect the most about pulling things like this. The CIA and NSA have a terrible reputation, and the track record to support it.
We are talking about a country that went to war while lying about WMD against the UN vote, made money with South American cocaine while organizing coup after coup, elected Bush and Trump yet punished Chelsea Manning. A country that is still under the temporary 9/11 Patriot Act, which it used to mass spy on its entire population.
Of course I'm assuming the worst from them.
And yes, it's fair.
Actually, even if I were proven to be completely wrong in 10 years, it still would have been fair.
But I'm not even assuming that only from the US, but basically from any gov, including mine. Because history taught us that's what power does.
It's sane to be suspicious of people in power. Necessary for democracy, even.
But, and this is where the equivalency annoys me: you could literally end up in jail for saying some of these things about China in China. You could just as well have talked about abuses of women and the #MeToo movement, but the reason that hasn't happened in China may well be not that their men are somehow better behaved, but that they appear to have put a woman who did come out with an accusation under house arrest until she agreed to stop talking about it. Yes, the US has done and doubtless continues to do bad things; part of that comes just from having power, which the US has had for a long time, part of that comes from truly bad people, etc. But the Snowden leak happened in the US. US newspapers reported on it. College professors talked to their classes about it. You can talk about it on this US-hosted and owned website. None of that is true in China, right? So yes, I am more skeptical of the US doing shady business when a large percentage of US citizens object to shady business and can talk about it than I am of China doing shady stuff when they've built their internet to insulate their government from as much criticism as possible.
Well, but we can assume with different probabilities. For sure there are people in every government who would if they could, but the fact that the US has mechanisms to expose this sort of thing and lots of people in individual companies who feel like you, and there are still no stories of this, is evidence that it isn't happening, at least not at any sort of scale.
That's a hand-wavy redirection that isn't relevant to the issue at hand, which is that:
There is no evidence of the US (and, in fact, many other large countries, with exceptions for e.g. Israel) installing backdoors and breaking into computers in order to steal intellectual property.
There is ample evidence of China doing exactly that, against a variety of targets (not just the US - they've taken things from Japan and the EU, among many others).
I wouldn't be surprised if every nation with a functioning Internet connection tries to put the hac on whatever they can.
But that's not the topic under discussion - the topic is stealing and commercializing IP, for which there is tons of evidence of China doing it, and accusations of e.g. the Five Eyes doing it are rampant speculation with absolutely no evidence included.
I suppose it's true that you said "speculate", because one can speculate that the sky is green when you're not looking - speculation doesn't necessarily have anything to do with reality. Fair enough.
People have a hard time admitting that what Snowden/Assange revealed about the US is much more damning, from infected servers to keyloggers built into USB cables.
I find China is useful as a mirror to the US. If they are doing something problematic, it's highly likely the US gov is too but just hasn't disclosed it to the public.
> I find China is useful as a mirror to the US. If they are doing something problematic, it's highly likely the US gov is too but just hasn't disclosed it to the public.
You think the US is engaging in systematic genocide? I'm guessing not. If so, you should consider why you would say something so ridiculously out of step with reality.
Well, let's count how many people the USA killed with 2 wars in Iraq, one in Afghanistan, one in Vietnam and countless operations in South America. Or how they mostly put non-white people in a privatized prison system that then exploits them. Or how their police is so peaceful and close to the population that the entire country had a debate about defunding it.
Sure, China is worse, but it does make a useful mirror. Like Russia was a useful one during the cold war.
Not precisely the same thing, but even more insidious (or brilliant, depending on who you ask):
> Operation Rubicon (German: Operation Rubikon), until the late 1980s called Operation Thesaurus, was a secret operation by the West German Federal Intelligence Service (BND) and the U.S. Central Intelligence Agency (CIA), lasting from 1970 to 1993 and 2018, respectively, to gather communication intelligence of encrypted government communications of other countries.[1][2] This was accomplished through the sale of manipulated encryption technology (CX-52) from Swiss-based Crypto AG, which was secretly owned and influenced by the two services from 1970 onwards.[1] In a comprehensive CIA historical account of the operation leaked in early 2020, it was referred to as the "intelligence coup of the century" in a Washington Post article.
Just pointing it out: this is a really sneaky way to avoid providing any sort of evidence for your claims whatsoever.
But to address your claim: security and cyber attack stuff are not remotely comparable to IP theft. You'll have to do better than literally pull claims out of thin air.
And, exactly none of those incidents you mentioned have anything to do with IP theft. Your own examples demonstrate a consistent pattern of no IP theft.
I don't need evidence since from the beginning I'm insisting that it's my own assumption.
That's how assumptions work.
And I'm not focused at all on the IP theft, only on the backdooring.
People just started to focus on IP and the USA after the fact, because Americans think the USA and money are the center of the world and see it everywhere, even when they are not the main point of the conversation but just examples.
I do. Highly effective propaganda has associated the facts around Chinese trade secret stealing with claims of racism and general xenophobia. As a result, now you have plenty of individuals all over the world whose moral compass pushes them to ignore the facts around trade secret stealing and even go dispute them in online conversations.
To look beyond the rhetoric, we can see how smart rich people are acting in their self interest, (presumably the profit motive generally trumps identity politics) and there are very very numerous cases of avoiding ip leakage to PRC while being very comfortable with RoC, challenging the racial or xenophobic explanation in your post.
Explain further, please. Your response doesn't answer the question; I can't decide if it's deliberate obfuscation through scary words or a complete misunderstanding of what is being asked.
Just go on to reddit, and you'll find lots of people defending China against what they think is a smear campaign. Lots of these people appear to be young westerners who have bought into China's propaganda.
I don't know that it's Christian sensibilities so much as a political view extremely susceptible to this sort of shrewd manipulation. As the person you're responding to said, the smoke screen is to cast criticism of China as racist or xenophobic. They even have a term, "baizuo", to mock this concept: https://en.wikipedia.org/wiki/Baizuo
In general you're right though. They are very successful at using weaknesses against us.
This is true. Growing up in an immigrant community (and as a minority myself), I would always hear people mock how open and trusting Americans were and how Americans were easily cheated. Anything involving the honor code would usually be violated.
Printers are a huge attack vector that often go unnoticed by less competent IT folk.
This is one reason why I try to avoid hardware from mainland companies like Lenovo. Not that you can avoid it entirely, but I try.
>> 20 years ago, china hide 2nd network card that was in listener mode, transmitting documents at random times, mostly peek. This was at a research company.
> Why was the printer connected to the public internet? A DMZ subnet would have prevented this vector of attack.
Aren't most network printers connected to office networks with public internet access? It sounds like this printer was making outgoing connections, and I doubt many people/companies go through the trouble of specially blocking those from printers.
You'd have to be especially security conscious and paranoid (especially 20 years ago!), to be operating under the assumption that your own equipment is working against you.
It doesn’t take long as a system administrator to become certain that printers are working against you. By and large they have user hostile hardware and software.
The Brother color laser printer I purchased 7-8 years ago was the best printer purchase I ever made. I barely print, and the toner doesn't dry up the way inkjet ink does. It just sits there, ready for the occasional print job. No BS software required.
20 years ago I would have expected that most printers were connected to a parallel or serial port on a PC and any network printing functions would be handled by the PC. But then I think, wait, that was the year 2002 (which seems like yesterday when I say it) so maybe printers with direct network connections were pretty common then. My sense of the passage of time has really gotten compressed as I get older.
I don't think I have ever seen a major US office building where the printers were on an isolated network. They are usually on the same network as the workstations, but sometimes on the server network, so the print server can connect directly to them.
And to be honest, (I have been out of it for a few years now) I have yet to see a company block OUTGOING access on a DMZ.
Actually it's pretty common nowadays to have printers on an isolated VLAN. The only way "onto" that network is through a central printing management server that handles billing/accounting and job release duties.
You see it often in Universities, but also in larger businesses where you want to stop someone from accidentally printing 5000 copies instead of 50, or having print jobs stack up on top of each other in the output tray (think HR/sensitive information being scooped up by accident.)
At my work the printers are on their own isolated network. Print servers act as the bridge between the networks. Basically they were not trustworthy enough to be on the same LAN as the workstations.
If it was a multi-function printer with email capability, then yes it would need to have internet access. Or because it was 20 years ago and printers being hacked was a very low security concern.
Hug of death probably so I cannot read the article.
Anyway that's the reason why I don't buy Chinese crap anymore. I'm not saying that I don't buy anything made in China, almost everything is made in China, but everyone should avoid Chinese crapware.
If something doesn't match the description send it back, if you find random executables that you cannot identify send it back, if you are asked to register on some weird Chinese website send it back, if you are asked to download a sketchy application with a Chinese readme send it back, etc...
After a while you'll notice you are sending everything back.
And it is not only Aliexpress or other Chinese marketplaces or websites, Amazon is full of Chinese crapware just the same.
edit: read the article from archive, well it just confirms to me what I wrote earlier.
I bought a bluetooth dongle on Amazon recently. didn't work out of the box, and the instruction booklet told me I had to download and install an unsigned device driver that I should download from a specific dropbox link.
I tried to write a measured review on Amazon explaining the problem, but Amazon rejected the review. I threw it away and composed an angsty tweet [1], but I really should have returned it.
I very rarely write negative reviews, but every time I have was for something of this magnitude and not once has any ever been left up on any platform.
What I don't get is that on Amazon I've purchased 10s to 100s of thousands in product (was an early user, business account admin etc). Of all the reviews that SHOULD have credibility, someone who doesn't review a lot and buys a TON of product - you'd think would be slightly credible?
Instead, for those (few) times I've posted a clearly negative review - gone for whatever reason. If you buy enough from Amazon, especially in last 5 years or so, you got some total absolute trash in there.
"Genuine" Apple products absolutely totally 100% fake trash. How amazon's supply chain thinks these are legit is mind boggling.
I've had such bad luck with "genuine" and "oem" battery replacements I've given up - most of these things are just crap scam stuff.
I'm actually curious how this even happens sometimes, some of the used crap was BADLY used, think of a bunch of electric pencil sharpeners for an office, all "new" that are filled with old pencil shavings, scratches etc etc. Product reviews that when you go back to understand how the piece of trash product got 5 stars you realize the reviews DO NOT EVEN RELATE TO THE PRODUCT you purchased. I mean, how does this even happen?
So you get out the review - hey, this thing was garbage, and many of the 5 star reviews were for a knife set it looks like instead of a powerbank. Review rejected :)
I canceled Prime and stopped buying stuff on Amazon over 3 years ago for these sort of reasons. You cannot trust the product descriptions, you cannot trust the reviews, and you cannot trust that what you actually get is the same thing you thought you were buying.
> Product reviews that when you go back to understand how the piece of trash product got 5 stars you realize the reviews DO NOT EVEN RELATE TO THE PRODUCT you purchased. I mean, how does this even happen?
Several ways:
1. Repurposing product listings for something unrelated and keeping the old sales data and reviews
2. Merging product listings to aggregate unrelated sales data and reviews
3. Fake reviews that were unrelated to the product all along
"Why doesn't Amazon stop this from happening?" is a different question from "How does this happen?".
Any system Amazon puts in place will have a lot of false positives that require human review. And that is entirely aside from the fact that underhanded sellers will try to flood such a system with automated disputes until Amazon relents.
> The ones I've seen are WAY off when you look deeper.
You're assuming these disparate merges happen in a single step.
> I tried to write a measured review on Amazon explaining the problem, but Amazon rejected the review.
This facet of the Big Tech censorship problem hardly ever gets any attention, but it's no less bad than YouTube and Twitter censoring their political opponents.
That's one of the things that's interesting about it being a private company and censoring things. The whole "free speech" vs "not free speech" issues. I certainly understand both sides of the aisle on that one but tend to lean against censorship.
A Chinese USB-C to Ethernet adapter had instructions to download and install a macOS kernel extension for it to work.
Thanks but no thanks. This was a product that was (presumably) vetted and retailed by an EU electronics retailer.
>I'm not saying that I don't buy anything made in China, almost everything is made in China, but everyone should avoid Chinese crapware.
If you spend just a small bit of effort, you can look for items not made in China. They are usually higher quality. Japanese companies (and increasingly large American ones) are moving / have moved their production elsewhere due to an increasingly hostile business environment in China.
Sony makes their phones in Thailand, speakers/headsets in Malaysia.
Panasonic produces a lot of consumer electronics in Malaysia.
Samsung makes some of their phones in Vietnam, and the high-end ones in Korea. Their fridges are also made in Thailand/Korea.
Google makes their Nest line of products in Thailand/Vietnam now.
Some Netgear Arlo products are made in Indonesia, (some?) Netgear switches are made in Thailand.
On the enterprise side, Cisco has moved production of a lot of lines to Thailand for example.
This trend is only going to accelerate after the SARS-COV-2 pandemic subsides.
If you buy a Sony product made in Thailand, what protects you from encountering crap like in the article is not that it's made in Thailand instead of China, but that Sony has a reputation to protect and the expertise to do proper quality control.
If you buy stuff directly from a Thai company that you never heard of before just because their product was the cheapest, you'll have to do your own testing and will likely discover some sharp edges.
> but that Sony has a reputation to protect and the expertise to do proper quality control.
They don't, though. Sony, like many other companies, makes products for developing nations which are not sold in more affluent Western countries. ("World" products)
Trying to buy replacement Bluetooth earphones in India really opened my eyes on this one. The store I was buying from had a strict NO RETURNS policy, but still bent the rule when the headphones weren't iPhone compatible (scratchy distortion). After opening two more pairs of Sony with the same problem, they decided to stop and just gave my money back.
This wasn't a budget model - it's a model which you'll never see in the US or EU. Their products aren't just differentiated by country of manufacture, but by the intended market. Depending on brand name isn't enough.
A lot of Chinese company owners have moved production to Vietnam, Thailand, Laos, Cambodia, Indonesia, etc., specifically because they are aware of this changing preference in the West. Chinese owned business is not China-based business, but most Chinese-owned businesses are subject to CCP influences.
As you pointed out: manufacturing standards vary factory to factory and region to region, and quality issues abound in newer manufacturing regions that lack the crazy competitive environment China has (a thousand pots et al).
Counterfeit PPE really revealed a lot about how these factories operate. Very hard to verify ownership reliably.
But for context I’m basing part of that opinion on conversations I had with factory owners I’ve done business with in some of those countries running import/export. Many Chinese manufacturers see the conflict between the US and China as bad for business and have optioned third party countries to continue doing business no matter what happens. They’re very smart people.
You should probably read the guidelines. If you know for sure that an account is a sockpuppet of another then feel free to mail hn@ycombinator.com, otherwise such comments are boring.
Is there a reliable way to research non-Chinese manufactured products? I know to just look for the “made in” somewhere on the page or product, but it’s not as simple as including a search tag in a field, either.
I've noticed lately that in the Q&A section of the majority of the items I look at on Amazon, someone asks where the item was made.
That's helpful. I've always wanted to know where my stuff comes from, from my food to my gadgets. So I encourage other people to ask the same questions on Amazon. It helps other people.
> Sony makes their phones in Thailand, speakers/headsets in Malaysia. Panasonic produces a lot of consumer electronics in Malaysia. Samsung makes some of their phones in Vietnam, and the high-end ones in Korea. Their fridges are also made in Thailand/Korea. Google makes their Nest line of products in Thailand/Vietnam now. Some Netgear Arlo products are made in Indonesia, (some?) Netgear switches are made in Thailand.
Made/Manufactured/Assembled in X country doesn't mean not using Made/Manufactured/Assembled parts from Y country in the process. Take the Cisco router manufactured in Thailand. Out of the thousands of individual components on the circuit boards, not a single IC within it was manufactured in China?
> If you spend just a small bit of effort, you can look for items not made in China. They are usually higher quality.
I try to do this when I can, and they're definitely higher quality, but for some products, finding a version not made in China is almost impossible, a problem that's exacerbated by stores like Amazon not being required to disclose where their products are made.
"Their ideology is toxic and incompatible with ours."
But it's okay to buy oil from regimes that kill gay people or cobalt mined by child slave labour?
Let's place the blame where it actually belongs: our corporations will sell our values, our kidneys and the entire planet down the river if they can. China is just one of the few countries that beat them at their own game.
Trade ban and sanctions in the early 2000s when it should have become clear their ambition and dirty tactics would put us on a collision course. Instead, we were blinded by the cheap cost and outsourced everything there. To a country that doesn't respect IP, or even basic human rights, and, on top of that, is now ready and able to export their world vision and order.
Now it's a bit too late to stop them. NATO/West is too preoccupied by Russia when, imo, China is the bigger threat, by far.
Sorry, but we did this to ourselves. We moved our manufacturing capability to China in a hundred thousand tiny transactions and a couple of smaller ones for better quarterly earnings, the kind of stuff that Wall Street drools over.
I think the hopes were that China would benefit from trade and develop its own industries in a largely decentralized fashion (which happened). What didn’t follow was the assumption that this would cause them to become less authoritarian and more democratic.
Quite the gamble in the end; I don’t think those responsible over many decades realized what the consequences would be for getting this wrong. They all were championed by equally blind stock-market driven CEOs who wanted cheap labor, low/no environmental laws, no unions, a helpful and competent government, and new large markets who didn’t already have lots of stuff.
The US has gotten terrible at long term vision, while China has nothing but long term vision and long term memory.
The UN was also giving them subsidized shipping rates via the UPU. And as they exploited the subsidies in increasingly-vast numbers, domestic shipping rates had to be increased yet more to compensate. It was cheaper to ship from China than domestically in the US. Basically a tariff on domestic goods. What do you expect businesses to do? Even if manufacturing wasn't cheaper, it would still be cheaper overall to manufacture there.
Trump finally withdrew from the UPU in 2018 and ended the subsidies.
> that's the reason why I don't buy Chinese crap anymore. I'm not saying that I don't buy anything made in China, almost everything is made in China, but everyone should avoid Chinese crapware.
This is one of the big reasons that Apple locked down its Lightning/USB ports so hard.
There were tons of fake Apple chargers flooding the market that contained exfiltration circuitry, among other problems. It was a huge topic in tech circles, and on HN, at the time. I even have a few "data condoms" leftover from those years. (If you don't remember, they're little dongles you put between your USB cable and the USB charger that only have the power lines connected.)
The fact that it also locked out bad cops was a bonus.
>There were tons of fake Apple chargers flooding the market that contained exfiltration circuitry, among other problems. It was a huge topic in tech circles, and on HN, at the time.
source? I've heard of fake chargers being planted with exfiltration circuitry as part of a targeted attack (eg. by red teams or actual bad guys), but I haven't heard of aliexpress vendors shipping them out en-masse.
in ~2005 whilst I was the IT manager at Lockheed Martin's RFID division - we were implementing TLS on Exchange for all email... among other security measures...
We had a compromised machine (linux) and had to un-plug it...
BUT
On the security calls was an interesting conversation about the Chinese infiltration of Lockheed.
Lockheed, had at the time, only (3) three egress connects to the internet.
The chinese did the following:
1. They did phishing attacks on those who worked at Lockheed plus their orbit who attended various conferences and events... giving them seemingly valid contact info (business cards and such) of their agents who also attended said events.
2. Would email the Lockheed Targets and in the emails contain links to military phishing links which would install malware on said target's machine...
3. Would trickle out data so as not to be exposed...
4. Would attack known international suppliers of Lockheed's sub-components through air-gap measures (meaning that Lockheed epoxied USB ports in machines and suppliers were (ironically) then required to transfer data via USB sticks... and China was infecting the machine which the supplier was loading the USB sticks with such to infect Lockheed employees once they received and connected said sticks...
How this was discovered:
Lockheed employees bitched about machines being slow. Investigation ensues and the trickle malware is discovered;
The chinese know they have been discovered and they open the floodgates on all their bots within Lockheed...
HUGE firehose...
Lockheed had to shut down all three egress until resolution...
No thanks - the last time I did an anecdote about being on the design team to FB MLPW building and what they were doing WRT security - the legal team submitted a cease+desist order and threatened to ruin me, which they did and I have had a zero tech career since, per se...
There is so much dark in tech. Spying on all levels. Every single thing you say is now not only subject to legal action, but also dark pools of intel action...
Anyone ever notice that palantir has dropped off the HN map? Yeah...
Look at reddit driving the narratives these days... I have stories about exactly when and how reddit began to drive the negative narrative....
> There were tons of fake Apple chargers flooding the market that contained exfiltration circuitry, among other problems.
I think you're conflating two separate issues. IIRC, I think the exfiltration concerns were more for "in place" chargers at places like airports. There's definitely a separate retail "fake Apple charger" problem, but that has more to do with safety and quality control.
It wouldn't make much sense for a retail fake Apple charger to have exfiltration circuitry, because then you run into the problem of how to exfiltrate some rando's data from some random charger. Also I'm guessing that stuff would be expensive. It really only makes sense to me for a thing like that to be a targeted attack (e.g. swap out some research scientist's charger at a conference, and place an exfiltration receiver near his hotel room).
> I even have a few "data condoms" leftover from those years. (If you don't remember, they're little dongles you put between your USB cable and the USB charger that only have the power lines connected.)
Those are useful for other things. For instance, I have some devices that deactivate and switch to transfer mode when they connect to data, so I use those for charging those devices while I'm still using them. Also, I think they can allow faster charging from a data-enabled port in some cases.
Given the vast financial incentive apple has for keeping its chargers proprietary, I find it difficult to believe Apple is doing this for the primary reason of benefitting their users.
Has Apple had any USB chargers prior to the USB C ones on recent macs? I think in the past it was all magsafe on macs and lightning or the 30 pin thing on iPhones.
Good to see a good number of the comments here feel the same ..lots of downvotes though on my posts but who is downvoting vs. who is openly commenting and majority agreeing with my opinion that China needs to be taken care of in many ways!
Science always evolves so don't listen or jump on the early science bandwagon until year(s) down the road. The CDC has changed their guidance ... I was forced to get vaxed and I loathe it (past month I've had a metallic taste in my mouth wth). Got the flu shot after decades on the market already admin(ed) to millions over years time. Covid vaccines we already see the J&J shot isn't the one to get but the CDC said we should in March but said something different in December ... same with masks updating things. They don't have a true real clue about this or you think they know everything about it? IF so why do they keep updating the guidelines that we were told to follow early 2021?
Where is the conspiracy in what I just wrote? That I don't believe and loathe early science... ever seen those hernia mesh lawsuit commercials I am victim to such as well an early drug damaged one of my organs. I live by experience not bias media political early science b.s.!
Personally I think China is the enemy to the world .. that's just an opinion. You can think they are friends to the world that's up to you .. your opinion.
You cannot possibly blame the Chinese government or the people for the Corona virus. That's just insane.
Granted, the official response wasn't good. But a virus pandemic was ever only a question of time. It's unlikely it could have been prevented wherever it had started.
Is there a credible reason why SARS and COVID both came from the same country?
The right official response would've been to not start a cover up (and the rest of the world could've hopefully prepared better). Even the WHO was carrying water for China in Feb 2020.
Because that coronavirus is endemic to bat populations in that part of China. Covid19, for layman's purposes, is basically slightly mutated SARS, and is called SARS-CoV-2. That's why the virology lab is in Wuhan.
Even if it was manmade the responsibility for that should fall on the international scientific community rather than the Chinese government and even less so on the people.
The lab in Wuhan was not scientifically isolated, funding came from abroad. Similar research has been conducted elsewhere.
Of course it's still important to find out the truth on the matter.
Sure we can blame them. They tried to cover it up in the beginning. It would be insane NOT to blame them for that. It’s also been debunked that the virus came from a wet market.
Depends on how you define free. The US population is definitely not free either when seen from Scandinavia. The US is only more free if freedom is defined as free to be unprotected from big business etc.
> After a while you'll notice you are sending everything back.
What about shipping costs? When you're buying something the seller is usually paying for that in bulk and including it in the retail price to boast "0-cost shipping". Surely buyers can't possibly afford sending everything back.
What country do you live in with such poor online protections that you can't return things within the return window without incurring extra costs for doing so? Sounds broken.
> What country do you live in with such poor online protections that you can't return things within the return window without incurring extra costs for doing so? Sounds broken.
The sellers are in China and the products are ordered internationally. The sellers don’t care about your local return laws.
Then the fix is simple. Buy it locally or from a company from there. They might not care but then the local seller (amazon for example) is on the hook (in any country with a proper customer protection at least).
In France, for example, it's legal for the customer to be on the hook for return shipping. This is often the case with smaller merchants, but even bigger ones have this policy. Example: Darty [0]
So if you have to pay for the crap to be shipped all the way back to China, I can see how that may become expensive.
Return shipping is usually up to the customer and shipping back to China is much more expensive than the initial China to the US charges. Sometimes it exceeds the cost of the item itself to try to send it back so it's just cheaper to eat the loss.
That's down to store policies though not any legal requirement. And in the case of Walmart you're not shipping back to China anyways you ship back to some distribution hub/return center in the US. Amazon too often the products are staged and returned to the US.
>It was identified the malware is packed with Borland Delphi 6.0 - 7.0 as shown in the figure below
Borland Delphi is a compiler. It's not a packer. Saying that it's "packed with Borland Delphi" makes as much sense as "it's packed with visual c++".
>The strings of interest are as shown in the figure below
But if it's packed (as previously suggested), then any strings of interest won't be visible. All we see is a bunch of strings related to dynamically linked libraries. That also doesn't tell you much, because you can dynamically load libraries so all the evil APIs you use don't show up on the list.
The rest of the report seems to be reciting outputs from various reverse engineering tools, with little analysis added. The whole report gave the impression the author is a script kiddie.
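The packer-versus-compiler point in this comment, as an added example (not code from the report or from anyone in the thread): a small Python triage script showing why `strings` output on a packed sample says little, and why an import list that exposes only LoadLibrary/GetProcAddress should be read as "the real API calls are resolved at run time". The sample bytes, URL and path are constructed placeholders, and the XOR keystream is a crude stand-in for a real packer's encryption layer.

```python
"""Static-triage helpers (added example): packed data hides the strings of
interest, and a visible import set limited to the resolver pair means the
real imports are built at run time.  Nothing here comes from the report."""
import math
import random
import re

# --- constructed sample standing in for a PE file -------------------------
_rng = random.Random(2024)
# Low-entropy "code" section: 1024 bytes drawn from 16 non-printable values.
_CODE = bytes(_rng.choice(b"\x00\x8b\xe8\xc3\x89\xe5\x83\xec"
                          b"\x0f\x85\x90\xff\x15\x0c\x04\xc9")
              for _ in range(1024))
# LoadLibraryA / GetProcAddress are real Win32 exports; URL/path are placeholders.
_STRINGS = (b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
            b"http://placeholder.invalid/update\x00"
            b"C:\\Users\\Public\\dropper.exe\x00")
UNPACKED = b"MZ\x90\x00" + _CODE + _STRINGS


def xor_pack(data: bytes, seed: int = 7) -> bytes:
    """Stand-in for a packer's encryption layer; symmetric, so applying it
    twice unpacks.  Real packers also compress and prepend an unpacking stub."""
    keystream = random.Random(seed)
    return bytes(b ^ keystream.getrandbits(8) for b in data)


PACKED = xor_pack(UNPACKED)

# Strings a triage analyst would call "of interest".
INTERESTING = re.compile(rb"https?://|\.exe\b|\\Users\\")
# Imports that, on their own, say nothing about what the code does.
RESOLVER_ONLY = {b"LoadLibraryA", b"LoadLibraryW", b"GetProcAddress"}
# CamelCase names with an optional A/W suffix, i.e. shaped like Win32 exports.
API_LIKE = re.compile(rb"^[A-Z][A-Za-z0-9]{4,}[AW]?$")


def extract_strings(data: bytes, min_len: int = 6) -> list[bytes]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code/text stays well under 7, packed data nears 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """Report what the visible strings say, and whether they can say much at all."""
    strings = extract_strings(data)
    interesting = [s for s in strings if INTERESTING.search(s)]
    api_like = {s for s in strings if API_LIKE.match(s)}
    entropy = shannon_entropy(data)
    return {
        "entropy": round(entropy, 2),
        # High entropy: the strings listing below is of the packer, not the payload.
        "likely_packed": entropy > 7.0,
        "interesting_strings": interesting,
        # Only the resolver pair visible: imports are resolved at run time, so the
        # absence of suspicious API names from the list proves nothing.
        "hidden_imports_suspected": bool(api_like) and api_like <= RESOLVER_ONLY,
    }


if __name__ == "__main__":
    for label, blob in (("unpacked", UNPACKED), ("packed", PACKED),
                        ("unpacked again", xor_pack(PACKED))):
        print(label, triage(blob))
```

Running the packed sample through `triage` yields no strings of interest and a high entropy; only after reversing the packing layer do the URL, the dropped path and the resolver-only import pattern become visible.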
I mean sure, the analysis isn't thorough and has some oopsies, but from my POV it's not a report written by malware analysts or experts (rather, by someone you wouldn't expect to analyse it at all), so I'm not setting the bar too high.