Somebody Tried To Convince a Raspberry Pi Exec To Install Malware On Its Devices (softpedia.com) 119
An anonymous reader writes: Liz Upton, Director of Communications for the Raspberry Pi Foundation, has just published an email where someone was asking how much would it cost them for the Foundation to install malware on its devices in the form of a .EXE file. The email sender was asking for a PPI [price per install] quote.
Okay... (Score:2)
That's just stupid on so many layers.
Re: Okay... (Score:1, Insightful)
Is it? Newer Linux distros typically come with systemd, which many users consider to be malware because it's unwanted and can have a very negative impact. So it's not like Linux is any better in reality, I'm sad to say.
Re: (Score:2, Offtopic)
Seriously, that is just uninformed bullshit. You can, for example, install a current Debian without systemd being active without too much trouble. In fact, for every server where you need reliability and security, it is a really good idea to do so as systemd sabotages both due to bad software engineering on all levels. Sure, if you want all trace of it to be gone, you may have to do without some not very good software like Gnome, but that is not really an issue.Gnome (and KDE) are pretty much redundant and
Re: (Score:1)
Diff AC here.
I think you're full of shit when you claim that:
I tried installing Debian Jessie recently. I wanted to do just what you claim is easy: not use systemd at all.
Now maybe I just overlooked it, but at no time during the installation process do I recall an option being presented to me to not install systemd.
Now if by "without too much trouble" you mean having to do some research, then run some potent
Re: (Score:3)
Well, if googelig "jessie without systemd" and then reading about 10 lines in the debian wiki is too much effort for you, then you are right that it is "too difficult". On any competence level above "incometent" this should however be acceptable, and it requires neither dangerous commands, nor even looking at any non-Debian documentation.
Sure, that the installed does not offer it is a valid concern and I have criticized that in the past rather strongly. However claiming that it is hard or risky to get Debi
Re: (Score:2)
Its not called Linux, its Systemd/Linux or like i prefer Systemd+Linux.
Re: Okay... (Score:5, Insightful)
Is it? Newer Linux distros typically come with systemd, which many users consider to be malware because it's unwanted and can have a very negative impact. So it's not like Linux is any better in reality, I'm sad to say.
Holy shit, why can't people shut up about systemd? You people seem to bring it up at EVERY single opportunity, even if it's REMOTELY related.
Re: Okay... (Score:1, Troll)
Re: Okay... (Score:5, Insightful)
Since you brought it up....
Complaints about systemd are like complaints about the TSA -- richly deserved, but kind of pointless, because that shit is just not going away (until it gets superceded by something even worse).
Re: (Score:3, Informative)
Just making sure you don't forget how bad that shit is. Works OK'ish when everything works but damn what a pain in the ass to debug when a service fails to start ..... for some reason.
All our servers have switched to BSD. Should have done this a lot sooner since BSD just makes sense when you have worked with a various Linux distros over the years .... LSB was a good idea but no one gave a fuck.
Re: (Score:2)
So, totally different to GRUB?
Says I, about to have to go into the depths of GRUB.
Re: (Score:2)
Layer 1: RPi runs Linux. Good luck with the exe. .exe for that? ...there are more if you think about it.
Layer 2. RPi comes without any internal storage to install this on. They'd need to include it in SD images
Layer 3. RPi is a tinkerer's machine, the malware wouldn't survive a day.
Layer 4: "The exe creates a desktop shortcut to our website" - you need
Layer 5: even if it does - most RPis are run headless. And many of these with screens run without network
Re: (Score:2)
Layer 1 has been done. THe "install now" icon on a live CD, the Store in Ubuntu, etc. Heck, just mkdir /etc/skel/Desktop and put the file there and call it a day....
Layer 2 would be sticky, but yes, include it on their images. Quote the $BAD_COMPANY $10 to cover the cost of a SD card to include with the board on sale and $2 or more of profit.
Layer 3 is the Truth and where it would stop even if it were included on a free SD card. Heck if I buy a new Dell laptop the first thing I do is image the hard dr
Short On Facts (Score:2)
That's just stupid on so many layers.
And that's where the problem with the story is: Who, especially a "black hat" would make such an approach or advise their "marketing" team to do so? I find it difficult to believe.
Not saying it didn't happen, but I think it's suspect. It's possible that it's a "false flag". Or perhaps it's completely made up by someone at RaspberryPi? Why would they censor the name of the offending company? Wouldn't they want people to know who's doing this sort of thing?
Too many questions to buy this completely.
Re: (Score:3)
Given that at least Lenovo installed such on new computers a while back I would not be surprised if many producers of computers did not get a lot of such proposals,
Re: (Score:3)
As someone who has followed RasPi since the beginning, I trust Liz Upton. She has always provided plain, unadorned truth to the best of her knowledge.
If she says someone wanted to pay them to put shit in the ice cream, I believe her. That the approach was so bold suggests to me this was not an isolated event. What we old grumpy technologists need to do is hunt these creeps down and make sure no computer is ever loyal to them again.
Re: (Score:2)
Not saying it didn't happen, but I think it's suspect. It's possible that it's a "false flag"
No, this is somewhat typical in Eastern countries, i.e. professional malware software companies pay system integrators to install crap on their systems. This letter itself looks like it was written by somebody from China (most of the spammers there learn English in chat sessions, i.e. selling gold in World of Warcraft, so they pick up a lot of the crap habits that people have in those places, hence this letter is full of shit speak, i.e. instead of "you" they say "u", or other things like often saying hehe
Re: Okay... (Score:1)
Not really stupid.
They asked because they know that, in the majority of people, everyone has a price.
Greed is a powerful motivator. It is pretty much why we are where we are today. Why we can't trust anything, or anyone, to do the right thing.
It's why I have to lock down any device I attach to my network. Isolate it, prevent it from probing or calling home.
Greed.
It's the reason this country exists today and will ultimately be the cause of its downfall.
Calm down, calm down (Score:4, Insightful)
It's just a generic form-letter email that would have been sent to an auto-generated list of any number of systems integrators and anyone else that might possibly respond. That's how the bloatware that gets included in Windows PCs ends up on there, it could be describing SymantecNortonLenovoToshibaHuluNetflixCyberlinkDellSkype7ZipAccuweatherRealTek SuperEssentialClickOnMe [pcworld.com].
In any case there's already a malware-installer [techcrunch.com] "EXE file that installs a desktop shortcut, that when clicked redirects users to a specific website" for the Raspberry Pi.
Do it. (Score:4, Insightful)
Hey, free money. Not like the PI has any permanent storage so they'd just have to stick the file on some chip somewhere, where it can't really be accessed. Not that an .exe would even be executable.
Better yet - ship every Raspberry PI with an SD card labelled "Malware - Please execute immediately."
Re: (Score:1)
I would even venture to guess that what this one company is doing is probably highly innocuous compared with the evil shit being i
Re: (Score:2)
"Bloatware" would probably have been a better term to use.
Re: Do it. (Score:3)
Shhhh! Don't ruin this! I want a free SD card!
Re: (Score:1)
Re: Do it. (Score:4, Funny)
I figure Raspberry charges them $20 per unit and gives us a free nice SD card. Now do you guys want to please stop ruining this with facts???
Re: (Score:1)
I don't think you know what RAM actually is.
Re: Do it. (Score:1)
Re: (Score:1)
Not really.
Windows has yet to introduce a halfway workable package manager.
Sad, considering their resources, but that's a ten page rant for another holiday weekend.
Anyway, it's more like a compiled binary with executable permissions.
Could be anything.
Re: .EXE file? (Score:5, Funny)
Windows has a perfectly fine package manager. When you want to install a package you simply double click setup.exe and hit enter until the window disappears. Uninstalls are easy to, you just reinstall Windows and install every package except for the one you don't want.
Re: (Score:1)
Re: .EXE file? (Score:1)
Oh? [hanselman.com]
Powershell not only has caught up these days to shells
Re: (Score:2, Interesting)
Windows 10 core running on Raspberry Pi is freely available from Microsoft.
How many people have actually installed it is a different issue entirely.
Re: (Score:2)
Sensationalist Headline, bad reporting (Score:3, Insightful)
So after reading the email, I would have to say this headline is sensationalist, and overall bad reporting. So much so that im actually making this post, which i have never done on /.
Nowhere are they asking them to install malware, or install it without the consumers consent. Essentially what they are asking is that their application be packaged with with the pi, and the user be asked to install the software. Basically the same thing most "freeware" on the internet does. He you want our app? What about this one and this one and this one to.
Ive dealt with representatives from foreign companies before, and their command of the English language is about as excellent as google translate will allow. You have to use your brain a little when reading them, but its usually fairly easy to understand and don't leap to conclusions to create headlines like this.
Re: (Score:2)
Re: (Score:2)
So after reading the email, I would have to say this headline is sensationalist, and overall bad reporting. So much so that im actually making this post, which i have never done on /.
Nowhere are they asking them to install malware, or install it without the consumers consent. Essentially what they are asking is that their application be packaged with with the pi, and the user be asked to install the software. Basically the same thing most "freeware" on the internet does. He you want our app? What about this one and this one and this one to.
Ive dealt with representatives from foreign companies before, and their command of the English language is about as excellent as google translate will allow. You have to use your brain a little when reading them, but its usually fairly easy to understand and don't leap to conclusions to create headlines like this.
That was my thought too -- this appears to be just like the bloatware that comes with every new PC (and phone). Annoying for sure, but it's a stretch to call it Malware unless the software does something more nefarious than installing a desktop shortcut.
Re: (Score:2)
That's called Crapware. It's not necessarily nefarious, just unwanted and unnecessary. If the developers are paying people to pre-install it, it's almost certainly crapware at the least or maybe even adware or other malware.
Re:Sensationalist Headline, bad reporting (Score:5, Informative)
Note that Liz Upton, the addressee, used the phrase malware herself. That's where the sensationalism started. Just blindly converting it into a Slashdot headline, that's the bad reporting part.
Whatever happened to common sense...?
Re: (Score:2)
Without seeing the linked site, it's hard to say what exactly the EXE was meant to accomplish. If it's some sleazoid V14GRA site, or Scan Your PC Now for Viruses site, it's pretty easy to call it malware.
Some relevant information was redacted, unfortunately.
Re: (Score:2)
It's suspicious but not definitively malware. They say they want to put a shortcut on the desktop, that's all. We don't know if it does anything else, or if the linked site is full if malware. It could be entirely innocent, so I don't think malware is correct at this stage.
Re: (Score:1)
Hang on a sec. A poorly written email asking to install an .exe into your customer's systems? Yeah I'd assume it's malware also, especially with no source available.
Which makes one wonder, how does Dell, etc. vet the crapware they put on their Windows systems? Do they insist on seeing the source?
Re:Sensationalist Headline, bad reporting (Score:5, Insightful)
Though this may be me projecting my own prejudices with bundled software, nearly a decade of working in tech support has loosened my definition of malware to include basically any software put on the user's computer without the user's informed consent. Many bundled packages and suites behave in the exact same manner as actual malware and are just as difficult to remove, if not more so in some situations as anti-malware/AV software will not see this software as "malicious" and will not remove it automatically. Given that one of the foci of RaspberryPi's is to provide a cheap computer option for whatever needs, it simply would provide a misleading option to users like the bundled junk that often comes on cheap Windows based laptops.
I am not purporting that this is what was meant by Ms. Upton, but it's not hard to see how she and basically most people could see the proposed software as "malware" to be bundled.
Re: (Score:2)
There is so much of this crap that requires malware tools to uninstall that comes bundled with other software. Toolbars, download assistants, things that make you an unknowing host in what is basically a torrent network.
You don't need to include a third party exe in your installer just to throw a desktop shortcut to thirdpartycompany.com. I think it is a little na
Sure (Score:4, Interesting)
Sure - install it on a Linux system and include in the documentation:
"Hey! We helped subsidize the cost of your device by including malware on it. If you really, really want to run it, you can install wine but without installing that framework or some sort of Windows emulator it will not run so we felt it is a safe choice to include on the system. It is located in /tmp and will be cleaned up by a cron job after a week, and it isn't marked as executable so even if it were a Linux executable it would not run without your adjusting permissions anyhow, but we urge you out of principle to do an 'rm /tmp/scumbag-sucker-malware.exe' at your first opportunity."
Offer it at a discounted price, and the malware-free version at the usual price. As a bonus dox the malware provider. ;)
Re: (Score:3, Insightful)
I hate SystemD because it is unnecessarily complex, becomes a single point of failure for many subsystems, logs to a binary file by default (dafuq?), and is contrary to the *nix mantra of one tool, one purpose. It is essentially a solution looking for a problem.
However, to be fair, I still have yet to see it be the cause of a boot failure.
Re: (Score:1)
Linux seems to be going this way. There is a simple trick you can do with syslogd on NetBSD: put an executable behind a pipe in the configuration file and it will pipe all the log data through that executable. Yesterday I spent several hours wading through the documentation for rsyslogd on debian and had to conclude that it just doesn't do that.
We seem to be moving to an architecture which does less with more.
Re: (Score:2)
udev != SystemD.
Re: Sure (Score:2)
Go to the win32 world and try to package and administer an SCCM environment with system center 2012 and you will be crying for SystemD back?!
SystemD will be an excersize in simplicity in comparison
Re: (Score:1)
OpenBSD isn't a replacement for Linux. Those using ZFS may find life difficult getting those file systems mounted. You could just remove it manually instead, would probably save a great deal of time/energy spent building things from ports.
Re: (Score:2)
Yep.
It isn't malware at all and calling it as such is just silly.
It's just a bad idea to put everything into one component. We may as well run something like Windows with its configuration database (regedit) and crappy logging system - which is fine (if time consuming to review) when it works, but when it breaks, it's a royal PITA to repair, hence Microsoft Tech Support's "Reformat & Reinstall" answer to all Windows problems.
Re: (Score:2)
You seem to be mistakenly thinking that systemd violates the "don't put all your eggs in one basket rule". The problem is that if you break a single egg you have broken the system, so sprea
Is it the same Liz Upton (Score:1)
who's married to the Pi hardware designer, and who made tasteless and morbid jokes on her Twitter stream about Steve Jobs' and him dying from pancreatic cancer?
Re: (Score:2)
I didn't see those, could you share? It's cold and wet here, could do with a laugh.
What is this, the FBI/CIA? (Score:1)
Why the redaction? Sounds bogus
An exe? Yeah that'll work. (Score:1)
drwxr-xr-x 2 pi pi 4096 Mar 9 2015 Desktop
drwxrwxrwx 3 pi pi 4096 Sep 4 11:51 Devel
-rwxr--r-- 1 pi pi 49 May 15 2015 golog
drwxr-xr-x 3 pi pi 4096 Nov 8 22:40 indiecity
drwxr-xr-x 4 504 staff 4096 Feb 11 2013 mcpi
drwxrwxr-x 2 pi pi 4096 Mar 10 2013 python_games
-rw-r--r-- 1 root root 254 Mar 15 2014 test.js
drwxr-xr-x 3 pi pi 4096 Mar 9 2015 tmp
-rw-r--r-- 1 pi pi