341 comments

[ 2.4 ms ] story [ 273 ms ] thread
(comment deleted)
I'm a little bothered by the article title because it implies it's related to the manufacturer being from China, despite ample evidence that pretend-reputable software vendors like Google, Amazon and Microsoft all bundle universal backdoors with their systems.

Google infamously pushed settings changes on their phone lines without user consent via the Google Play Services backdoor. Amazon removed the (bought) book 1984 from all Kindles. Microsoft proudly bragged about their remote app "kill switch".

Let's not even talk about about CPU vendors embedding "anti-theft" solutions which are nothing more than RCE-as-a-service on a hardware/firmware level. Or hardware vendors bundling rootkits like Lenovo on some laptop series, and most phone manufacturers on all their devices.

Do you perhaps have a link about the story of amazon removing the 1984 book on all kindles? It sounds very interesting, partly because it seems so absurd.
https://www.pcworld.com/article/519855/amazon_kindle_1984_la...

That story is about a lawsuit from one of the people they took it from.

Amazon sold 1984 on the Kindle store without permission, and when they realized their error they deleted it from everyone's kindle and refunded their money.

That's really something entirely different than malware. You know that Amazon books on kindle are subject to that. It's not malware on the Kindle, it's their whole schtick.
The best way to fix malware is to refer to it as your business model.
> You know that Amazon books on kindle are subject to that.

Most people don't. And the few that do only know because of this scandal.

There's something profoundly unintuitive about it. When you buy 5$ a book in the bookstore, you can't wake up some day with the door open, 5$ on your table and the book gone from your library.

That's really something entirely different than malware. You know that Amazon books on kindle are subject to that. It's not malware on the Kindle, it's their whole schtick.

At the time it was suspected, but unknown. I remember the outrage, I'm not sure If I was lurking on here before I made an account, or I read it on slashdot or digg or something. Here are the HN comments from the time. https://news.ycombinator.com/item?id=710506

Interesting, but at least some people seem to have been aware.
China is next level though. If that bothers anyone, that’s understandable; it should.
Do any of them steal IP, as is alleged here, and has certainly happened in other cases involving Chinese, often state-controlled, companies?
Do companies hire/recruit (ex-)employees from competitors to re-implement the same features?

Yes.

Lots of IP between your ears. No point in the code/manuals/docs when you wrote them yourself. You’ll know they’re not exactly correct and may appreciate being able rewrite from the ground-up now knowing what you now know.

Sure, but if the employee brings along the architecture documents or the source code, that's theft. What's alleged here is that a CHinese company is exfiltrating actual PCB designs via PnP machine malware.
Do western artists and corporations borrow stuff from other cultures and competitors? All 20th century rock & roll, most of hollywood, and pretty much all of pre-90s Silicon Valley is based on that premise.

That you think it's theft is a debatable/controversial point of view on Internet forums, but if that is to be the case, many more people/corporations from USA should feel threatened, not just a few chinese scapegoats which help avoid the elephant in the room: why would anyone own ideas in the first place? Ideas are born out of other ideas and every one benefits from that. Restricting knowledge sharing can lead to disastrous outcomes as Jonathan Blow brilliantly argued in a talk called Preventing the collapse of Civilization which appears to pop up on HN every so often: https://www.youtube.com/watch?v=pW-SOdj4Kkk

Um, no, there's a very clear difference between 'borrowing' ideas, building on other people's achievements etc, and outright theft, when you copy someone's detailed designs wholesale, especially from secret proprietary plans obtained through illegal espionage.
This "very clear difference" is the center of many trials in Hollywood / Silicon Valley history so i wouldn't say it's that clearcut. I personally don't see copyright in any way as a mechanism to bring retribution to the creative minds (instead it serves to capture value into big corps and let the artists starve), but as long as we have to deal with it i'll keep publishing stuff as copyleft so that the capitalist vampires think twice before "borrowing" my code.
I was royally pissed off when I suspected my brand new Lenovo laptop was acting strange. The only in the end to stop it was to reinstall the OS, I then later found out it was the superfish issue

https://slate.com/technology/2015/02/lenovo-superfish-scanda...

I will never buy Lenovo again

The problem is more or less all hardware manufacturers do that. There's variations: some bundle only the Windows backdoor, some bundle Superfish, some bundle Intel/AMD's anti-theft and ME/PSP features. That society is ok with that is a huge problem to say the least.
I doubt you can compare superfish against bloatware antitheft "feature"
And yet my CPU runs its own operating system (Minix) behind my back and reacts to undocumented secret commands i'm unaware of. Is the comparison that irrelevant?
I'm not defending ME/PSP at all, i would happily burn the CPUs off, if I could. I totally agree completely on your statement

> That society is ok with that is a huge problem to say the least.

but you could compare any bad actor actions to ME/PSP and say it's the same or not as bad

it's bordering on Whataboutery

I personally find the two questions awfully related: i'm buying hardware that performs operations without my knowledge/consent and answers to someone else's commands. Now one may genuinely believe there are valid usecases for this (i don't), but it's not exactly "whataboutism" as i'm definitely not trying to refute the original argument that pre-bundled malware is bad.

Although i personally consider hardware/firmware-level malware more troubling than OS-level malware which you can just wipe away by setting up a fresh system (which i recommend anyone to do when they receive a new machine, for related reasons).

Talk to afraid.org, perhaps they'll take down the subdomain.
At this point how can they trust any installers they get from the company?

The risk the manufacturer bundling some "legitimate" remote access tool that won't show up as a virus seems high to me. Once burned twice shy.

Bought a system on Ali Express to save money, the parts don't match what they ordered, it is infected with a virus designed to steal their data and infect executables on any USB device plugged into it to spread the infection. Ali Express says computers with viruses on them aren't against terms of service. They for some reason continue to use the system and try to get it to work.

£4k GBP...relatively low cost compared to a branded competitor...We sent the file for proper malware analysis which did confirm that it did indeed contain malware. The malware would collect user data and send it to a remote address.

I can't read the article from here but attacking the supply chain isn't new. It is something that requires constant vigilance.
I remember I bought a few phones from Aliexpress once for one of my IoT projects. I was somewhat surprised they don't really hide the malware, it's preinstalled. These are not just the usual bloatware you can't install but also the main web browser already modified injecting random crap.
I bought an HP machine in the US with malware deployed from Windows Updates.
See? You don't have to install malware yourself - that's the service!
The story here is not the fact of the malware - it is the purpose of the malware: industrial espionage. China is well-known in industry for its sheer volume and brazenness of industrial espionage. A pick-and-place machine is especially well placed for this since it will, by necessity, have access to PCB designs and BOMs.
I have seen enough stories of supply-line sabotage to think that if you are going to build your infrastructure with Chinese hardware, air-gapping it is a necessity.

Probably a good idea to air-gap your pick and place machine even if it is not Chinese.

It's really tough to air-gap these days. Are you really going to set up a perimeter where every phone, watch, and computer is dropped off before entry?
A lot of places do have something like that, and even if you didn't, you could just make sure no official equipment has any wireless capability, and ban connecting any outside electronics to any official equipment.
Airgapping wouldn’t be enough here since it infects any USB device plugged in. You’ll have to run the USB through some antivirus any time you want to use a new design from a “good” computer.
You could go for overkill and establish a one-way data transfer methodology with built in crc/ecc. Receive-only optics on the destination side might be usable.
USBs exist that have physical write switches, and there's also old-school media like CD-Rs which can in theory be used too.

Hell, with a bit of fiddling, you could probably design a one-way RS232 serial system by simply not connecting the TX pin on a downstream device.

Then for good measure snap off the pin and block the corresponding socket's hole with superglue so the cable cannot be reversed.

There are also write protector devices which mirror a block storage device as read only, but will not issue a write, as used for forensics.

Hug of death probably so I cannot read the article.

Anyway that's the reason why I don't buy Chinese crap anymore. I'm not saying that I don't buy anything made in China, almost everything is made in China, but everyone should avoid Chinese crapware.

If something doesn't match the description send it back, if you find random executables that you cannot identify send it back, if you are asked to register on some weird Chinese website send it back, if you are asked to download a sketchy application with a Chinese readme send it back, etc...

After a while you'll notice you are sending everything back.

And it is not only Aliexpress or other Chinese marketplaces or websites, Amazon is full of Chinese crapware just the same.

edit: read the article from archive, well it just confirms to me what I wrote earlier.

> After a while you'll notice you are sending everything back.

What about shipping costs? When you're buying something the seller is usually paying for that in bulk and including it in the retail price to boast "0-cost shipping". Surely buyers can't possibly afford sending everything back.

> Surely buyers can't possibly afford sending everything back.

What country you live in with so poor online protections you can't return things within the return window without incurring extra costs for doing so? Sounds broken.

In France, for example, it's legal for the customer to be on the hook for return shipping. This is often the case with smaller merchants, but even bigger ones have this policy. Example: Darty [0]

So if you have to pay for the crap to be shipped all the way back to China, I can see how that may become expensive.

[0] Darty return policy, in French: https://www.darty.com/achat/services/retour-retractation/ind...

> What country you live in with so poor online protections you can't return things within the return window without incurring extra costs for doing so? Sounds broken.

The sellers are in China and the products are ordered internationally. The sellers don’t care about your local return laws.

Then the fix is simple. Buy it locally or from a company from there. They might not care but then the local seller (amazon for example) is on the hook (in any country with a proper customer protection at least).
Return shipping is usually up to the customer and shipping back to China is much more expensive than the initial China to the US charges. Sometimes it exceeds the cost of the item itself to try to send it back so it's just cheaper to eat the loss.
> Return shipping is usually up to the customer

Not for orders from Amazon or Wal Mart, the two biggest places you'd tend to buy cheap Chinese products from.

That's down to store policies though not any legal requirement. And in the case of Walmart you're not shipping back to China anyways you ship back to some distribution hub/return center in the US. Amazon too often the products are staged and returned to the US.
He offers a simple solution in the first paragraph.

>everyone should avoid Chinese crapware.

>I'm not saying that I don't buy anything made in China, almost everything is made in China, but everyone should avoid Chinese crapware.

If you spend just a small bit of effort, you can look for items not made in China. They are usually higher quality. Japanese companies (and increasingly large American ones) are moving / have moved their production elsewhere due to an increasingly hostile business environment in China.

Sony makes their phones in Thailand, speakers/headsets in Malaysia. Panasonic produces a lot of consumer electronics in Malaysia. Samsung makes some of their phones in Vietnam, and the high-end ones in Korea. Their fridges are also made in Thailand/Korea. Google makes their Nest line of products in Thailand/Vietnam now. Some Netgear Arlo products are made in Indonesia, (some?) Netgear switches are made in Thailand.

On the enterprise side, Cisco has moved production of a lot of lines to Thailand for example.

This trend is only going to accelerate after the SARS-COV-2 pandemic subsides.

Is there a reliable way to research non-Chinese manufactured products? I know to just look for the “made in” somewhere on the page or product, but it’s not as simple as including a search tag in a field, either.
I've noticed lately that in the Q&A section of the majority of the items I look at on Amazon, someone asks where the item was made.

That's helpful. I've always wanted to know where my stuff comes from, from my food to my gadgets. So I encourage other people do ask the same questions on Amazon. It helps other people.

If you buy a Sony product made in Thailand, what protects you from encountering crap like in the article is not that it's made in Thailand instead of China, but that Sony has a reputation to protect and the expertise to do proper quality control.

If you buy stuff directly from a Thai company that you never heard of before just because their product was the cheapest, you'll have to do your own testing and will likely discover some sharp edges.

A lot of Chinese company owners have moved production to Vietnam, Thailand. Laos, Cambodia, Indonesia, etc., specifically because they are aware of this changing preference in the West. Chinese owned business is not China-based business, but most Chinese-owned businesses are subject to CCP influences.

As you pointed out: manufacturing standards vary factory to factory and region to region, and quality issues abound in newer manufacturing regions that lack the crazy competitive environment China has (a thousand pots et al).

Counterfeit PPE really revealed a lot about boys these factories operate. Very hard to verify ownership reliably.

There's another, more capitalist reason: wages in most of those countries are lower than wages in China. It's not because of "changing preference".
That’s definitely part of it.

But for context I’m basing part of that opinion on conversations I had with factory owners I’ve done business with in some of those countries running import/export. Many Chinese manufacturers see the conflict between the US and China as bad for business and have optioned third party countries to continue doing business no matter what happens. They’re very smart people.

> but that Sony has a reputation to protect and the expertise to do proper quality control.

They don't, though. Sony, like many other companies, makes products for developing nations which are not sold in more affluent Western countries. ("World" products)

Trying to buy replacement Bluetooth earphones in India really opened my eyes on this one. The store I was buying from had a strict NO RETURNS policy, but still bent the rule when the headphones weren't iPhone compatible (scratchy distortion). After opening two more pairs of Sony with the same problem, they decided to stop and just gave my money back.

This wasn't a budget model - it's a model which you'll never see in the US or EU. Their products aren't just differentiated by country of manufacture, but by the intended market. Depending on brand name isn't enough.

Why are you being downvoted? Avoiding chinese products is a good thing. Thanks for the tips.
China is one of the most polluting nations in the world. I've started to think that avoiding trade with them is a responsibility.

Also, the book "Poorly made in China" is extremely interesting.

You should probably read the guidelines. If you know for sure that an account is a sockpuppet of another then feel free to mail hn@ycombinator.com, otherwise such comments are boring.
> Sony makes their phones in Thailand, speakers/headsets in Malaysia. Panasonic produces a lot of consumer electronics in Malaysia. Samsung makes some of their phones in Vietnam, and the high-end ones in Korea. Their fridges are also made in Thailand/Korea. Google makes their Nest line of products in Thailand/Vietnam now. Some Netgear Arlo products are made in Indonesia, (some?) Netgear switches are made in Thailand.

Made/Manufactured/Assembled in X country doesn't mean not using Made/Manufactured/Assembled parts from Y country in the process. Take the Cisco router manufactured in Thailand. Out of the thousands of individual components on the circuit boards, not a single IC within it was manufactured in China?

"Made in USA" has fairly strict rules. You can sneak some components in but it needs to be negligible and not misleading.
> If you spend just a small bit of effort, you can look for items not made in China. They are usually higher quality.

I try to do this when I can, and they're definitely higher quality, but for some products, finding a version not made in China is almost impossible, a problem that's exacerbated by stores like Amazon not being required to disclose where their products are made.

that's the reason why I don't buy Chinese crap anymore. I'm not saying that I don't buy anything made in China, almost everything is made in China, but everyone should avoid Chinese crapware.

This is one of the big reasons that Apple locked down its Lightning/USB ports so hard.

There were tons of fake Apple chargers flooding the market that contained exfiltration circuitry, among other problems. It was a huge topic in tech circles, and on HN, at the time. I even have a few "data condoms" leftover from those years. (If you don't remember, they're little dongles you put between your USB cable and the USB charger that only have the power lines connected.)

The fact that it also locked out bad cops was a bonus.

>There were tons of fake Apple chargers flooding the market that contained exfiltration circuitry, among other problems. It was a huge topic in tech circles, and on HN, at the time.

source? I've heard of fake charges being planted with exfiltration circuitry as part of a targeted attack (eg. by red teams or actual bad guys), but I haven't heard of aliexpress vendors shipping them out en-masse.

Given the vast financial incentive apple has for keeping its chargers proprietary, I find it difficult to believe Apple is doing this for the primary reason of benefitting their users.
I don't think phone chargers register even a blip in the financials of a trillion-dollar company.

But the bad press and bad customer experience from people having problems with "Apple" chargers probably does.

It's called protecting the brand.

Has Apple had any USB chargers prior to the USB C ones on recent macs? I think in the past it was all magsafe on macs and lightning or the 30 pin thing on iPhones.
> There were tons of fake Apple chargers flooding the market that contained exfiltration circuitry, among other problems.

I think you're conflating two separate issues. IIRC, I think the exfiltration concerns were more for "in place" chargers at places like airports. There's definitely a separate retail "fake Apple charger" problem, but that has more to do with safety and quality control.

It wouldn't make much sense for a retail fake Apple charter to have exfiltration circuitry, because then you run into the problem of how to exfiltrate some rando's data from some random charter. Also I'm guessing that stuff would be expensive. It really only makes sense to me for a thing like that to be a targeted attack (e.g. swap out some research scientist's charger at a conference, and place an exfiltration receiver near his hotel room).

> I even have a few "data condoms" leftover from those years. (If you don't remember, they're little dongles you put between your USB cable and the USB charger that only have the power lines connected.)

Those are useful for other things. For instance, I have some devices that deactivate and switch to transfer mode when they connect to data, so I use those for charging those devices while I'm still using them. Also, I think they can allow faster charging from a data-enabled port in some cases.

in ~2005 whilst I was the IT manager at Lckheed Martin's RFID division - we were implementing TLS on Exchange for all email... among other security measures...

We had a compromised machine (linux) and had to un-plug it...

BUT

On the security calls was an interesting conversation about the Chinese infiltration of Lockheed.

Lockheed, had at the time, only (3) three egress connects to the internet.

The chinese did the following:

1. They did phishing attacks on those who worked at Lockheed + plus their orbit who attended various conferences and events... giving them seemingly valid contact info (business cards and such) of their agents who also attended said events.

2. Would email the Lockheed Targets and in the emails contain links to military phishing links which would install malware on said target's machine...

3. Would trickle out data so as not to be exposed...

4. Would attack known international suppliers of Lockheed's sub-components through air-gap measures (meaning that Lockheed epoxied USB ports in machines and suppliers were (ironically) then required to transfer data via USB sticks... and China was infecting the machine which the supplier was loading the USB sticks with such to infect Lockheed employees once they received and connected said sticks...

How this was discovered:

Lockheed employees bitches about machine being slow. Investigation ensues and the trickle malware is discovered;

The chinese know they have been discovered and they open the floodgates on all their bots within Lockheed...

HUGE firehose...

Lockheed had to shut down all three egress until resolution...

Yeah, china is in EVERYTHING.

Hey, this is a really interesting anecdote, you should write it up and publish as a blog post or submit it to HN.
No thanks - the last time I did an anecdote about being on the design team to FB MLPW building and what they were doing WRT security - the legal team submitted a cease+desist order and threatened to ruin me, which they did and I have had a zero tech career since, per se...

There is so much dark in tech. Spying on all levels. Every single thing you say is now not only subject to legal action, but also dark pools of intel action...

Anyone ever notice that palantir has dropped off the HN map? Yeah...

Look at reddit driving the narratives these days... I have stories about exactly when and how reddit began to drive the negative narrative....

Fuck them all...

Reality is being coopted by ...

DO IPhones automatically trust things plugged into them? My Android mobiles and tablets always ask me before allowing anything other than charging.
I bought a bluetooth dongle on Amazon recently. didn't work out of the box, and the instruction booklet told me I had to download and install an unsigned device driver that I should download from a specific dropbox link.

I tried to write a measured review on Amazon explaining the problem, but Amazon rejected the review. I threw it away and composed an angsty tweet [1], but I really should have returned it.

[1] https://twitter.com/ojensen5115/status/1351598563751559169

I very rarely write negative reviews, but every time I have was for something of this magnitude and not once has any ever been left up on any platform.
Same.

What I don't get is that on Amazon I've purchased 10's to 100's of thousands in product (was an early user, business account admin etc). Of all the reviews that SHOULD have credibility, someone who doesn't review a lot and buys a TON of product - you think would be slightly credible?

Instead, for those (few) times I've posted a clearly negative review - gone for whatever reason. If you buy enough from Amazon, especially in last 5 years or so, you got some total absolute trash in there.

"Genuine" Apple products absolutely totally 100% fake trash. How amazon's supply chain thinks these are legit is mind boggling.

I've had such bad luck with "genuine" and "oem" battery replacements I've given up - most of these things are just crap scam stuff.

I'm actually curious how this even happens sometimes, some of the used crap was BADLY used, think of a bunch of electric pencil sharpeners for an office, all "new" that are filled with old pencil shavings, scratches etc etc. Product reviews that when you go back to understand how the piece of trash product got 5 stars you realize the reviews DO NOT EVEN RELATE TO THE PRODUCT you purchased. I mean, how does this even happen?

So you get out the review - hey, this things was garbage, and many of the 5 star reviews were for a knife set it looks like instead of a powerbank. Review rejected :)

I canceled Prime and stopped buying stuff on Amazon over 3 years ago for these sort of reasons. You cannot trust the product descriptions, you cannot trust the reviews, and you cannot trust that what you actually get is the same thing you thought you were buying.
> Product reviews that when you go back to understand how the piece of trash product got 5 stars you realize the reviews DO NOT EVEN RELATE TO THE PRODUCT you purchased. I mean, how does this even happen?

Several ways:

1. Repurposing product listings for something unrelated and keeping the old sales data and reviews

2. Merging product listings to aggregate unrelated sales data and reviews

3. Fake reviews that were unrelated to the product all along

> Several ways:

> 1. Repurposing product listings for something unrelated and keeping the old sales data and reviews

Sure - but this seems trivially solvable by Amazon - you can't tell that a product listing for a knife set is not a tech product??

> 2. Merging product listings to aggregate unrelated sales data and reviews

Again - def happens I think. But can't these go through some type of review? The ones I've seen are WAY off when you look deeper.

> 3. Fake reviews that were unrelated to the product all along

This is harder, I'd have 2 amazon staff review higher volume products.

"Why doesn't Amazon stop this from happening?" is a different question from "How does this happen?".

Any system Amazon puts in place will have a lot of false positives that require human review. And that is entirely aside from the fact that underhanded sellers will try to flood such a system with automated disputes until Amazon relents.

> The ones I've seen are WAY off when you look deeper.

You're assuming these disparate merges happen in a single step.

I tend to write something like, "Didnt work. 1 star" At least that stays up most of the time.
Reviews and the platforms they relate to should be separated from each other. And Yelp like strategies should be reason for major shunning.
> I tried to write a measured review on Amazon explaining the problem, but Amazon rejected the review.

This facet of the Big Tech censorship problem hardly ever gets any attention, but it's no less bad than YouTube and Twitter censoring their political opponents.

That's one of the things that's interesting about it being a private company and censoring things. The whole "free speech" vs "not free speech" issues. I certainly understand both sides of the aisle on that one but tend to lean against censorship.
A chinese USB-C to Ethernet adapter had instructions to download and install a macOS kernel extension for it to work. Thanks but no thanks. This was a product that was (presumably) vetted and retailed by an EU electronics retailer.
You cannot possibly blame the Chinese government or the people for the Corona virus. That's just insane.

Granted, the official response wasn't good. But a virus pandemic was ever only a question of time. It's unlikely it could have been prevented wherever it had started.

Is there a credible reason why SARS and COVID both came from the same country?

The right official response would've been to not start a cover up (and the rest of the world could've hopefully prepared better). Even the WHO was carrying water for China in Feb 2020.

Because that coronavirus in endemic to bat populations in that part of China. Covid19, for layman's purposes, is basically slightly mutated SARS, and is called SARS-CoV-2. That's why the virology lab is in Wuhan.
I don't think the dust has settled on whether this was manmade or not?
Even if it was manmade the responsibility for that should fall on the international scientific community rather than the Chinese government and even less so on the people.

The lab in Wuhan was not scientifically isolated, funding came from abroad. Similar research has been conducted elsewhere.

Of course it's still important to find out the truth on the matter.

> you want to live like that or remain free

Depends on how you define free. The US population is definitely not free either when seen from Scandinavia. The US is only more free if freedom is defined as Free to be unprotected from big business etc.

> You cannot possibly blame the Chinese government or the people for the Corona virus. That's just insane.

Insane is what they do to animals in their so-called "wet markets". Take a look at some footage if you still have any respect left for the CCP.

Sure we can blame them. They tried to cover it up in the beginning. It would be insane NOT to blame them for that. It’s also been debunked that the virus came from a wet market.
It's still a bit of an open question on the wet market.
I can 100% blame the Chinese government. If they enforced Western safety standards, COVID almost certainly would never have happened.
You can all downvote me all u want but my thoughts and the things I type/say on HN later show to be true.
I’d say it’s mostly pretty vanilla cookie-cutter conspiracy nonsense, which is rarely true.

Unless you’d like to take the time to specify the truths you’ve been saying and that everyone else has been ignoring?

none of it is conspiracy

Science always evolves so dont listen or jump on the early science bandwagon until year(s) down the road. The CDC has changed their guidance ... i was forced to get vaxed and i loathe it(past month ive had a metallic taste in my mouth wth). Got the flu shot after decades on the market already admin(ed) to millions over years time. Covid vaccines we already see the J&J shot isnt the one to get but the CDC said we should in March but said something different in December ... same with masks updating things. They don't have a true real clue about this or you think they know everything about it? IF so why do they keep updating the guidelines that we were told to follow early 2021?

Where is the conspiracy in what i just wrote? THat i don't believe and loathe early science... ever seen those hernia mesh lawsuit commercials i am victim to such as well an early drug damaged one of my organs. I live by experience not bias media political early science b.s.!

Personally I think china is the enemy to the world .. that's just an opinion. You can think they are friends to the world thats up to you .. your opinion.

Good to see a good number of the comments here feel the same ..lots of downvotes though on my posts but who is downvoting vs. who is openly commenting and majority agreeing with my opinion that China needs to be taken care of in many ways!
Buying from China, as a westerner, is akin to buying the rope that will hang you. Regardless of the quality or price of their products.

We should have never allowed them to become this powerful. Their ideology is toxic and incompatible with ours.

> We should have never allowed them

What does this mean?

Trade ban and sanctions in the early 2000s when it should have become clear their ambition and dirty tactics would put us on a collision course. Instead, we were blinded by the cheap cost and outsourced everything there. To a country that doesn't respect IP, or even basic human rights, and, on top of that, is now ready and able to export their world vision and order.

Now it's a bit too late to stop them. NATO/West id too preoccupied by Russia when, imo, China is the bigger threat, by far.

Sorry, but we did this to ourselves. We moved our manufacturing capability to China in a hundred thousand tiny transactions and a couple of smaller ones for better quarterly earnings, the kind of stuff that Wall Street drools over.
Trade deals, foreign investment, joint ventures, etc.

China got powerful by doing business with the rest of the world.

I think the person you're replying to meant that China should not have been allowed to join the World Trade Organisation without further requirements.
Or stay in it when it became clearly asymmetric.

I think the hopes were that China would benefit from trade and developed its own industries in a largely decentralized fashion (which happened). What didn’t follow was the assumption that this would cause them to become less authoritarian and more democratic.

Quite the gamble in the end; I don’t think those responsible over many decades realized what the consequences would be for getting this wrong. They all were championed by equally blind stock-market driven CEOs who wanted cheap labor, low/no environmental laws, no unions, a helpful and competent government, and new large markets who didn’t already have lots of stuff.

The US has gotten terrible at long term vision, while China has nothing but long term vision and long term memory.

The UN was also giving them subsidized shipping rates via the UPU. And as they exploited the subsidies in increasingly-vast numbers, domestic shipping had rates to be increased yet more to compensate. It was cheaper to ship from China than domestically in the US. Basically a tarriff on domestic goods. What do you expect businesses to do? Even if manfacturing wasn't cheaper, it would still be cheaper overall to manufacture there.

Trump finally withdrew from the UPU in 2018 and ended the subsidies.

"Their ideology is toxic and incompatible with ours."

But it's okay to buy Oil from regimes that kill gay people or cobalt mined by Child slave labour?

Lets place the blame where it actually belongs: our corporations will sell our values, our kidneys and the entire planet down the river id they can. China is just one of the few countries that beat them at their own game.

Yes, that's like Europeans signing contracts to buy natural gas from Russia. Amazingly short-sighted.
"If you find random executables that you cannot identify send it back, if you are asked to download a sketchy application"

That means I should send back laptops made by Sony and Dell too though?

Ideally. But life is short, so choose your battles.
(comment deleted)
(comment deleted)
Given that Windows 7 _Ultimate_ was installed on what is essentially an OEM machine, it's very likely that it's a pirated copy with a "home brewed" license key.

I think the most reasonable explanation is that either the OS was sourced already infected, or the crack tool they used was infected.

A bit off topic, but the last time I needed a Windows laptop for business reasons (a long time ago) I bought a laptop directly from Microsoft and it appeared to be secure and also not loaded with advertising junk. The price seemed OK, fairly competitive.
When buying a Windows machine, you can purchase "Signature Edition" versions through Microsoft which will come with only the crapware selected by Microsoft, and not by the manufacturer

https://www.microsoft.com/en-gd/store/b/signaturepcs

It looks like that isn't available for those in the US, since the redirect takes me to a 'not available' page. Are the 'Signature Edition' versions at all available in the US?
I had Surface 3 Pro and it was a nightmare. In the end, the SSD died and the way the machine is glued together, it's impossible to open without breaking the screen. Before its final death, it had problems with sleep/wake functions. A standard reinstall wouldn't fix it. Eventually had to take it back to Microsoft for a full re-image. That did the trick.
Or it's just malware that's "around" the company since nobody cares what they download, which USB keys they plug, etc

Autorun USB malware is very common

>Autorun USB malware is very common

that hasn't worked since windows xp sp2.

Doesn't mean machines with malware won't save files to attached USB drives
> Or it's just malware that's "around" the company since nobody cares what they download, which USB keys they plug

There's a fun story documented on Darknet Diaries (https://darknetdiaries.com/transcript/22/) about a wind farm that got hacked. The "malicious" actor had found his way into their infrastructure and installed some idle cryptominers. But he was also taking the time to maintain all the infrastructure; applying updates and patches on a regular basis in an effort to keep other would-be hackers out. The security consultant discloses all of this to the company. Well, the story ends with the company making a business decision to leave things as they are. They were effectively getting free IT.

You know what? I don't care anymore. When this type of thing happens it's almost always China. Whether it's intentional malware or a lack of QA, how could one tell? They have such a reputation for both I don't know why we still let their electronics into our countries.
> "efficient" MBA eloi outsourced everything to morlocks a long time ago.

This is the biggest weakness of the West - and it all stems back to "share holder value".

Companies, US ones, in particular, seem to have some absurd drive to pay endless dividends to shareholders, and drive 'value' via share price, by appearing to be profitable.

In other words, get stuff from the cheapest provider.

It didn't help that at the same time people like Carl Icahn came along and stripped a company that was cheap to buy, but also sat on a pile of cash. And again, if he could 'drive value' for the share holders, said company was a target.

Eventually state-level politics appear - artificially low-prices Chinese goods because the CCP fix the exchange rate, or subsidise an entire market to corner it globally.

Rinse repeat, and that's where we're at now.

People don't realize that the US defense budget is practically the only thing keeping American manufacturing alive.
Eh. Manufacturing has never gone down in GDP terms. It just seems to have gone down due to layoffs as a result of further mechanization of production.
Yup, and it's even more directed than that.

Western MBAs and politicians think they know that manufacturing is just a fungible commodity and think that we're exploiting cheap Chinese labor to 'drive shareholder value'.

While they have this myopic focus on quarterly results, the CCP has a 100- and 500-year plan, and is happily exploiting that myopia for strategic economic and military value, including subsidizing massive undercutting of entire industries in order to kill all but their own. The result is that they are gaining the deep know-how of manufacturing, the ability to compromise their adversaries' military gear at the component level, and the ability to choke off supply chains.

Although there is still barely time to repair this, it will go down as a strategic blunder of historic proportions.

This was the case some 10 years ago, but Chinese labor is no longer cheap. The wealth brought in by making China the factory of the world drove the income level of its middle class up and now there are few advantages in manufacturing your products in China.

Western manufacturers are constantly pulling their factories back from China, many having gained an ultimate net loss from moving in in the 90s and now relocating again.

Yes, they have made a net loss, and meanwhile transferred an insane amount of technology to China. But those managers got their bonuses and are long-gone...

And sure Chinese labor isn't as cheap, they've moved up the value chain some, but it is still cheap enough compared to US wages to make items and ship them here - particularly with China's lax environmental and labor laws.

The relocations to even cheaper labor-rate counties are still an improvement, as at least they aren't creating all levels of strategic disadvantage...

and it all stems back to "share holder value".

Which is just a business buzzphrase for "Greed."

The West is being eaten alive by its own greed, and the Chinese are just watching us do it.

Chinese are just as greedy and corrupt, make no mistake.
It wouldn't be so bad if we outsourced to countries that are ideologically compatible with the West. The problem is China. Not outsourcing itself.
(comment deleted)
it's because chinese goods are consistently good that anything bad is news. ironic isn't it

literally everything is made in china, if the quality is as bad as you say the world would have fallen apart.

It seems critical thinking is rare among news outrage these days. The same comments were said of Japanese products back in the day, "IP thieves", "shitty quality", and here we are decades later praising Japanese products. Its hilarious at this point.

I don't recall the Japanese being accused of poor quality. Just imitating rather than innovating. Many Japanese products like swords, knives, cameras, have been known for surprisingly high quality for a long time. Centuries in some cases.

I'd say Chinese manufacturing is a little cheaper and a lot lower quality, and generally the price difference is not remotely sufficient to make up for the loss in performance. You need a company in the middle who cares about their reputation to be safe buying it.

> I don't recall the Japanese being accused of poor quality.

It was a different time: https://www.nytimes.com/1952/01/13/archives/japanese-machine... "The Japanese flair for imitating, but not equaling, the manufactures of occidental nations has caught up with her machine-tool industry, ..." (1952)

First it was imitating, but not equaling, then it was imitating with equal quality but a little cheaper, and a few generations later nobody remembers that "Made in Japan" ever meant anything but high quality.

most people won't remember it because it's really long ago, just after world war 2
> literally everything is made in china, if the quality is as bad as you say the world would have fallen apart.

And that's why nowadays things like washing machines and refrigerators which used to last decades now break within the first year or two.

> The same comments were said of Japanese products back in the day, "IP thieves", "shitty quality", and here we are decades later praising Japanese products. Its hilarious at this point.

But these stereotypes lasted only for a decade tops! I have not seen the same commitment to quality that Japanese brands produced. I believe it is a cultural difference, Japanese take great pride in workmanship.

decade tops? it started from just after world war 2, and lasted until around the plaza accord.

Most people won't remember it because it's too long ago

> literally everything is made in china, if the quality is as bad as you say the world would have fallen apart.

no not literally everything. and who’s not annoyed by shopping on amazon and having to weed through all the cheap chinese “solutions”? The only time you get something quality from China is if some other company outside China is commissioning them to build their stuff with high standards. the rest of Chinese “innovation” is seeing how cheap they can make something before it does literally fall apart.

You'll be surprised how much stuff is made from china in america. Just take a look around your restaurants.
So most of this happens in products made where most of these products are made? Seems logically. Besides it doesn't seem any better in the US. By far the most backdoored internet equipment producer is Cisco.
> When this type of thing happens it's almost always China.

It could only happen in China - because the author bought dubious stuff from unknown third party on AliExpress. Craiglist scams happen mostly in US because people don't use it elsewhere.

Sort of like how you shoot the arrow first and then draw a target around it, 100% bullseye.

The malware described in the article is script kiddy stuff. Probably part of a ripped Win7.

Stuxnet, Pegasus, Vault 7 tech are far more dangerous with that capacity to cause real harm to actual people. Who developed these?

Alright let's think about this. If equipment was entering the US with pirated Windows licenses, wouldn't Microsoft ask customs enforcement to block them until the manufacturer stopped pirating?

Also why would Windows Ultimate indicate piracy? Wouldn't it be weird if "Windows Home" flashed up on the screen while booting an industrial machine? It's more likely to make sense that Windows Home isn't licensed for use on industrial machines.

> wouldn't Microsoft ask customs enforcement to block them until the manufacturer stopped pirating

Well, they would if they knew. I have purchased a variety of random computing hardware from Chinese suppliers and despite the product pages claiming they had no on-board OS installed, they came with cracked versions of Windows. They do it because customers want an OS but don't want to shell out for a license. It costs them nothing to pirate software (especially when they lie about it) and getting caught and actually blocked is very hard. This isn't like them intercepting a shipment of counterfeit purses where you can clearly tell by looking at the item. You'd have to boot the computers and then verify that they have an OS installed and then that it's properly licensed, which is well out of reach for a random customs officer.

> why would Windows Ultimate indicate piracy?

It's a very expensive license and, if you have any experience pirating Windows (I cough don't) that's usually what you find since if you're going to steal something, why steal the shittier, less featurefull version?

>why would Windows Ultimate indicate piracy?

Microsoft sells an embedded, stripped down version of Windows with extended support life for industrial machines like this. Ultimate is intended for workstations and power users.

I do wonder if this really was sabotage or if someone building these machines accidentally got their installer USB infected with some unrelated malware. If this was a targeted attack, I'd expect the manufacturer to ship the infection in the zip file with the replacement program as well.

The old components and the lack of modern drivers is a problem many industrial tools seem to suffer from. It's crap like the bad capture card that keeps Windows XP and 7 around. I don't expect there ever to be any modern drivers for an outdated capture platform unless a hobbyist writes their own open source version, so unless a compatible enough alternative card with modern drivers can be installed, I assume this machine is doomed to run Windows 7 for years to come.

Is that any kind of excuse? Supply Chain infection is a sidechannel way to infect YOUR network...what's your intellectual property worth? What's it worth if through the unintentional infection you find yourself figuring out how to get cash into bitcoin to pay a ransom?

Relying on an ancient card and drivers seems like a cop-out...they managed to create the solution once, they're obligated to do it again, lest your company's bottom line hinge on a house of cards an intern cobbled together for another company 12 years ago, that only works with the September 2008 drivers.

Of course intent matters. Accidents can happen and don't necessarily soil an entire brand name, but intent definitely does.

You'll be surprised how common these "house of cards an intern cobbled together for another company 12 years ago, that only works with the September 2008 drivers" situations really are when it comes to specialised hardware. As long as the machine keeps working, it can be sold, software security and maintenance be damned. There's a reason hospitals and factories pay Microsoft for the last few Windows 7 updates it'll release this year and it's not that management doesn't like the theme Microsoft put on Windows 10.

That's even more likely to be the case for industrial machines purchased off AliExpress, where hardware is often either old, second hand stuff or made as cheaply as possible from available parts. The standard of quality there is minimal, I'm surprised they risked buying this thing through AE in the first place.

> Presumably it would be a way to steal company information such as designs, accounts, and so on.

Does it collect user metrics like a lot of software does or does it actually steal designs? The report is absolutely not clear about this. I have not read many reports like this but are they all like the one they link to? Is that what a malware analysis looks like?

I'm completely behind the idea of calling every single software that collects user data and sends it off to a server malware but this is just not the case. We don't say Windows comes with malware, we in the West call it telemetry data to improve the user experience.

malware is any software that hides its existence from user.

The windows telemetry is on edge of being malwere, even if its of no consequence to you. You cant say it will always stay that way.

Why is it not malware? The Wikipedia definition of malware lists "steals data".

Last time I tried the amount of deep registry hacks to turn everything(?) of was silly.

Windows obviously ships with malware nowadays. I think you need enterprise edition for a supported way to turn all the BS off.

I'm going to broaden your definition to "malware is any software that hides its existence or its behaviour from the user". There's little value in knowing that a certain piece of software exists on your machine if you don't know what it's for.
> Does it collect user metrics like a lot of software does or does it actually steal designs?

The reports mark it as a Trojan/backdoor. This means it gives the company remote access to the machine. They can do whatever they want with it.

This isn’t anything like analytics reporting.

Anything with remote updates falls into that category.
If I have a choice I generally try to limit my purchases from “non free” countries.

It’s not always easy, the line is hardly easy to see, but it is a choice I will go out of my way to make.

(comment deleted)
I bought a laptop once. It came with windows pre-installed. And a bunch of bloatware. And 101 things that phoned home under the guise of checking that a driver was up to date. And Norton. The definition of malware is open to large interpretation.
The malware is a cherry on top, but the story before that is pretty awful already, and unfortunately seems to be representative of specialized software like that: proprietary (with constant risk of malware, indeed), awkward, poorly (if at all) documented, likely the protocols to speak to the hardware without it are kept in secret, and occasional shipment of Windows machines where just software would do (but probably it's written to just barely work on a given system, and won't run on others easily).

I think the main and annoying problem is those general practices, not just a single instance of malware.

Edit: Apparently some focus on the "Chinese" part, but I suspect that hardware being specialized and software being shipped by the hardware manufacturer are larger factors here: at least all the awkwardness before the malware part I've observed to be approximately similar with hardware+software produced by Chinese, European, and US companies.

> proprietary (with constant risk of malware, indeed)

being proprietary has nothing to do with risk of malware, indeed

To be precise, I had in mind closed-source software: the software you can't inspect with reasonable effort/time before running, to ensure that it's not malicious. And especially in case of specialized software, that wasn't inspected by others either. Though these terms seem to be used interchangeably quite commonly [1], likely because of a strong correlation.

[1] https://en.wikipedia.org/wiki/Proprietary_software

Edit: wording.

Proprietary or open sourced doesn't matter much if you're not verifying the checksums of all the binaries that come per-installed on your system. If the majority of tech savvy people can't be bothered to do it, then average joe is doomed.
>the software you can't inspect with reasonable effort/time before running, to ensure that it's not malicious.

And you cannot do that on open source either. Both cases require a chain of trust, and empirically, neither is significantly more secure.

For a whole computer stack, that's true enough.

Injecting malware in a single small widely distributed program and remaining stealthy for any length of time is a lot harder if it's open source.

I don't think that's true. Care to pick some metric to check it?

If anything, having source also makes it easier to auto scan for flaws at the source level and find holes.

I know from CVEs that OS projects has a significant number of high profile long standing holes in it.

> Injecting malware in a single small widely distributed program and remaining stealthy for any length of time is a lot harder if it's open source.

Case in point, the famous Borland InterBase backdoor that went unnoticed for about 7 years and 3 versions of the software but was discovered in 8 months by one developer after Borland released InterBase as Open Source.

https://www.zdnet.com/article/borland-interbase-backdoor-det...

I think the context somehow gets lost in this discussion. You indeed need a chain of trust in general, and can't inspect all the software alone even if it's FLOSS, but I'm talking about odd specialized programs shipped by hardware manufacturers (like the one TFA talks about) and similar one-off ones that come from an untrusted source: there's no trust there, no reliance on others inspecting it, but if you have the source code, it's often reasonable to read. Also occasionally desirable to fix or otherwise modify, to integrate into your overall system (that's what I tend to do pretty much each time when interacting with such sotfware+hardware, sometimes reverse engineering and reimplementing it, so maybe my view is a bit skewed). So FLOSS is good, closed source and proprietary is less trustworthy and less usable.
>I'm talking about odd specialized programs shipped by hardware manufacturers (like the one TFA talks about

In that case, open source rarely has even one possible replacement, so there's no comparison.

>but if you have the source code, it's often reasonable to read

As someone working in code daily, I disagree. I find lots of open source projects once you get out of the few big ones to be a massive mess of code.

And most programs of much use are simply too big to do any sort of audit. I have lots of friends in open source - I doubt a single one has ever read over the source for an entire program to inspect.

Have you honestly read over an entire open source program to check it? Or is this a myth that gets repeated but no one does it....

As to modification, I've reverse engineered many, many programs to add hooks and interoperability. It's not that terribly difficult once you've done a few and get to know how to do it.

So sure, nice clean code is good. But open source software I find to be crappy for all but the few big uses. GIMP vs photoshop? No real good OS CAD, or finance, or comparing Octave to Mathematica? Buggy video editor of the week to DaVinci Resolve? Tax software? Inkscape vs AI? So as a result of lacking quality in OS, I prefer closed source solutions since paying for them gets me vastly better quality for a lot of things I want software for.

And in the rare case I want to hack something, I still can and do.

Open source is honestly a you-get-what-you-paid-for solution for most stuff.

Sounds like we had quite a different experience, and picturing different things too.

> In that case, open source rarely has even one possible replacement, so there's no comparison.

There's usually just one program shipped by a vendor in these cases, and most of the time it's indeed closed-source -- that's what I started with.

Big and widely used FLOSS projects are far from these programs shipped by small hardware manufacturers, I wasn't talking about those. Just as the established and polished commercial projects are far from those: you're getting some buggy and unsupported programs from unknown hardware vendors, possibly even with malware as in TFA, not Photoshop.

> Have you honestly read over an entire open source program to check it?

I have, pretty sure that many others read those too, but haven't read entire sources of large projects like GIMP; plenty of programs and libraries are just a few KLOC (or even just hundreds of LOC) long, easy to skim.

> As to modification, I've reverse engineered many, many programs to add hooks and interoperability. It's not that terribly difficult once you've done a few and get to know how to do it.

I have rather hard time imagining these being any major modifications and considered easy with arbitrary compiled binaries, while suspecting merely reading sources being something mythical. But once again, you're probably picturing a hairy mess of a huge project's source code, and I picture integration tasks like turning a buggy Windows GUI program into a working multi-threaded Linux daemon -- where having source code makes it easier (and I'm certainly reading at least decompiled code when that's an option), as well as making it practical/easier to see what the program is doing.

Something as small as a few kloc I can reverse back to compilable source in a day, so things that trivially small are not difficult to edit to your hearts content.

Heck, I suspect Ghidra nowadays makes that a single click task.

And if it's that small, it's also trivial to write. I doubt too many companies fret over stuff that small.

> the software you can't inspect with reasonable effort/time before running

What was the last time you inspected any command or application you executed on your computer?

How would you spot malicious code? Are you a security expert who has knowledge of all of the programming languages that have been used to write the apps you are running?

You have absolutely unrealistic view on this subject. Btw. Apple and many companies have a trivial way of spotting malicious application by simple checksumming the executables.

I'm surprised how this discussion turns out: didn't expect those bits to be controversial at all, and sibling comments make it sound like it's almost better to not have access to sources.

> What was the last time you inspected any command or application you executed on your computer?

A few months ago, and didn't run new code from untrusted sources since.

> How would you spot malicious code? Are you a security expert who has knowledge of all of the programming languages that have been used to write the apps you are running?

So far I haven't run into languages I can't read. Spotting malicious code could indeed be tricky, a subtle but critical vulnerability would easily evade quick skimming, just as malware is still possible even when it comes from a somewhat trusted source. But I'm more certain that a program does what it says it does after skimming its code.

> Apple and many companies have a trivial way of spotting malicious application by simple checksumming the executables.

That's how basic antiviruses work, not specific to Apple. They have to first add that checksum into a database, which isn't viable when we're talking about a small hardware manufacturer shipping their custom software to dozens of clients.

Tbf, the focus on secrecy is probably because everything in China is at risk of being copied / ripped off by competitors at the drop of a hat. Being an IP wild west has its drawbacks.
The problem is this approaches tend to not really prevent the rip of as any of this obscuring methods tend to not hold against someone with expertise in subverting them. Which companies which do this kind of rip-offs tend to have...
A pick and place really is one of those things that would benefit from being open source--the vision algorithms are very annoying and require high technical skill while the motion algorithms are stupid simple.
I've bought systems off of Amazon that had pirated Windows licenses on them (otherwise a great little fanless box)

In a previous life I was an infosec consultant. We did some work for a hospital that found malware on the control hosts shipped with a brand new turnkey MRI system from a German manufacturer.

What did the malware do precisely? The definition is so broad and context-sensitive, that just saying malware doesn't really say anything. Some people would consider TPM and it's code malware, others would consider anything they don't like malware (like telemetry collection in Windows or whatever).
It was one of the big Microsoft worms from ~10 years ago plus a few random ones.
I've seen plenty of stick PCs on Amazon that definitely have pirated copies of Windows on them. I continue to be a bit surprised that Microsoft hasn't gone after Amazon for "aiding & abetting" this, but they probably have bigger fish to fry.
they dont make their money on Windows licenses anyway. they make it on all the crap they shove in your face when you use windows.

you've been able to pirate windows 10 using their "windows 7 free update" key even after they discontinued it. and everyone who got a free upgrade from 7->10 uses the same key so its not like you are gonna get caught.

The malware analysis report they've ordered (https://www.rmcybernetics.com/files/pdf/Malware-analysis-Fly...) is extremely light on details.

Yes, some things look suspicious (packing, lack of signatures, hardcoded IP addresses/hostnames, network traffic) - but I'm not seeing any clear-cut evidence that this is malware?

I have seen a (badly written?) router firmware that behaved suspiciously just like you describe, but the only provable thing was that they checked for updates from the vendor in a rather non-optimal way.

Until today, I am not sure whether this was malice (=malware) or incompetence (=hey, let us phone home every 5 seconds and go crazy if the connection fails for any reason).

Yeah that analysis is... not great.

It looks like an instance of 'xred': https://s.tencent.com/research/report/880.html

Which seemingly infects .exes (ie., is not just a worm), so it's totally possible that the OEM here isn't acting maliciously, but they just got infected themselves.

It's frustrating. I've seen anti malware software pick up anything that has a file name in Mandarin as malware. I used to use a great little program called Clover which was basically File Explorer for Windows but it allowed tabs. I stopped using it after a while because anti malware kept flagging it. Did it have malware? Maybe! I couldnt really get a good answer and I figured having tabs in file explorer isnt worth it.
I haven't thought about Clover in forever, but didn't it add tabs to your existing Explorer, versus being an Explorer clone plus tabs? The behavior required for the former probably looks a lot like malware to a heuristic detection engine.
Oh. You could be right. I don't remember, I just naively assumed because it had a different shortcut icon it was a different program.

Do you know of an alternative? I was partially hoping that when I mentioned it someone would say, "I did the same thing but now I use X."

I'm no expert, but I'm also not convinced that the device contained malware.

> We sent the file for proper malware analysis which did confirm that it did indeed contain malware. The malware would collect user data and send it to a remote address. Presumably it would be a way to steal company information such as designs, accounts, and so on. Pretty shady stuff!

Or, you know, it might be doing anything at all on the internet. A reasonable question is "why should this device access the internet?" Good point, but my LAN-controlled "smart plug" connects to an NTP server in France. Who knows.

From the report:

> When verifying the [executable] signature, it was identified that the malware did not have any signature assigned to it as shown in the figure below. It means that the file has a malicious activity.

Doesn't that mean that the image is not signed? Again, I'm not an expert, but to say "it means that the file has a malicious activity" smells like "I'll consider almost anything suspicious if it will convince you that this report is valuable." On the other hand, maybe that really is suspicious. I don't do this for a living.

> The process explorer and procmon helped to know that the malware created a child process and then killed the process. It was also identified that the file did not have the signature but had the company name, and the path, confirming that it is a suspicious file from a legitimate organization. The regshot helped in getting the two snapshots of the registry, one before execution and one after malware execution. Therefore, it can be concluded that the file analyzed contains a trojan spyware which creates a child process that kills the original file when run. The malware collects user information and sends it to http://freedns.afraid.org/.

Again, the conclusion does not follow from the premises. Maybe spawning a child and killing the parent is something that you wouldn't normally do unless you were malware. Maybe English is not the author's first language, fine, but it does look like a poorly edited template.

For all I know, it's totally malware built for corporate espionage originating from a country notorious for doing that, but I don't see any compelling evidence.

There's nothing in this analysis report which proves beyond doubt that this is malware.

There's plenty of software out there that behaves this way. I don't think they have solid ground for claiming they've been hit with malware here.

The next question is why are people defending China so hard here? Near 1/2 the posts here look like they’re from the $0.50 party.
Because claims need to be backed up by evidence, even if we love to proceed with prejudice.
So this means we promote the positive side of a gov that tramples daily on human rights? Are people on this forum literal robots?
Please, let's not go down that road. It's unnecessary to politicize everything and turn to hyperboles.

Nobody here is promoting anything when we're saying that from a purely technical perspective this report alone is not enough to justify the claims being made. Extraordinary claims require extraordinary evidence, but no evidence has been provided whatsoever, so it's perfectly fair to challenge the validity of the claims.

What extraordinary claims? And what evidence has not been provided unless you don’t watch the news? It’s quite public the atrocities the chinese gov has committed. So no, it’s very necessary to politicize this and using your own logic you’ve provided no evidence as to why we shouldn’t.
The malware now has 60/67 rating [1] on VT. Their analysis [2] is pretty good too.

[1]: https://www.virustotal.com/gui/file/1679b086f649d92456b2f600...

[2]: (PDF) https://www.rmcybernetics.com/files/pdf/Malware-analysis-Fly...

>Their analysis [2] is pretty good too.

seriously? It's rather poor.

>It was identified the malware is packed with Borland Delphi 6.0 - 7.0 as shown in the figure below

Borland Delphi is a compiler. It's not a packer. Saying that it's "packed with Borland Delphi" makes as much sense as "it's packed with visual c++".

>The strings of interest are as shown in the figure below

But if it's packed (as previously suggested), then any strings of interest won't be visible. All we see is a bunch of strings related to dynamically linked libraries. That also doesn't tell you much, because you can dynamically load libraries so all the evil APIs you use don't show up on the list.

The rest of the report seems to be reciting outputs from various reverse engineering tools, with little analysis added. The whole report gave the impression the author is a script kiddie.

I mean sure, the analysis isn't thorough and has some oopsies, but from my POV it's not a report written by malware analysts or experts (rather, by someone you wouldn't expect to analyse it at all), so I'm not setting the bar too high.
I am more than a little concerned that since the miniaturization and commoditization of spy hardware (miniature microphones, cameras, and wireless communication), that run-of-the-mill consumer electronics are being bugged by default. Given the cost is pennies or just a couple dollars, from an espionage perspective, it'd be worth it to spend a few hundred million or even billion putting bugs into literally everything and letting the market put them into the homes of all your political targets in other countries. Then the problem is just sifting the data, which is easy with the massive amount of computational power that every nation state has these days. That's a great dystopia.
We would find those in tear downs.

This caused quite the stir about a month ago: https://news.ycombinator.com/item?id=29555093

TikTok, Facebook (for the FBI/CIA), and other platforms are probably lower hanging fruit. People just accept the surveillance, and there's not much reverse engineering one can do to determine what's being done with your data.

What would the chips connect to in order to phone home? My protected home wifi? A random telecom carrier for which it will have to have, by chance, a valid prepaid sim card?
Hey, Alexa, please tell me what random devices in my house are connecting to the internets?

<waits for answer>

Hey, Roomba, did you download the latest firmware yet? Great! Now go clean the dining room, I have a top-secret meeting in there in 10 minutes.

Hey, Alexa, set the dining room lights to "top-secret meeting" mode.

quite the conspiracy. But I do suppose amazon sidewalk could be tapped into?
This has already happened: smartphones and wifi. People financed it themselves by buying the things. (Wifi can see you: "The next big Wi-Fi standard is for sensing, not communication" https://news.ycombinator.com/item?id=29901587 )

FWIW, I think whether we build a dystopia or utopia depends on whether or not we can make our rulers live under the same panopticon as the rest of us.

I don't disagree with the smartphones and WiFi, though the big 2 are highly motivated to at least secure the kernel and their own spyware. I am more thinking of these things targeting sensitive military installations or personnel.

> whether or not we can make our rulers live under the same panopticon as the rest of us.

Uh, nope. It's been "rules for thee and not for me" since the dawn of time.

> I am more thinking of these things targeting sensitive military installations or personnel.

Ah, yes, it sure would be nice to think that they're a bit more careful, but then I think of things like the OPM leak and I go cross-eyed. ( https://en.wikipedia.org/wiki/Office_of_Personnel_Management... - I'm sure you know what I'm talking about but I figured I'd add a link for anyone who didn't.)

> It's been "rules for thee and not for me" since the dawn of time.

Aye, but I think that's just what the panopticon could overturn, if we set it up that way. I'm not particularly hopeful, but maybe there's a possible future where we overcome our worser natures and use technology wisely. Star Trek vs. N. Korea.

FWIW I call this idea the "Tyranny of Mrs. Grundy": if everyone is on the lens-end of the cameras, including police and politicians, then no one escapes censure by Mrs. Grundy. ( https://en.wikipedia.org/wiki/Mrs_Grundy ) We're forced to create a "humane tyranny".

"Humane tyranny" sounds like an oxymoron from today's POV, but I think the challenge is to "de-oxymoron-icize" it. Due to the advancing tech, I don't think it's optional , the panopticon will happen (it arguably already has), so the challenge is to make it more-or-less livable.

I want to be hopeful about the future, but in the large there are too many negative trends. What I've learned is to be hopeful and optimistic about the things I can change. Just about to go watch an episode of TNG. Here's hoping that the long run is better than our current trajectory. Cheers!