Swytch said:
Actually, e-mail is a very likely method of getting a virus, considering that 75% of the population is stupid enough to open the attachment.

AV software a waste of time/money? You would rather spend 10 times as much time and money to fix a virus after it has destroyed your computer?
You should know from your own experience you just described that you can get a virus by doing practically nothing, especially when you never know what virus might be on a software disc or any hardware you add to your computer...

And AV software takes like maybe 10 minutes to install and configure, then it just runs on its own, and most AV software you only really have to buy once. Norton, for instance: if you buy it, not only can you get it for cheap with a rebate on your initial purchase, as long as you buy it every year you can get it for free with "upgraders" mail-in rebates.

Put a sock in it. I have been running PCs with all versions of Windows up to and including VISTA and NEVER run anti virus, and simply use common sense. I have NEVER, and I repeat, NEVER had a virus / trojan / worm. I keep my system updated, and run a free online virus scan from Trend Micro about once a month.
 
BillHarrison said:
Put a sock in it. I have been running PCs with all versions of Windows up to and including VISTA and NEVER run anti virus, and simply use common sense. I have NEVER, and I repeat, NEVER had a virus / trojan / worm. I keep my system updated, and run a free online virus scan from Trend Micro about once a month.

Well, I must say that you're one of the few. I worked as a network administrator at an architectural firm for a while, and I had to deal with several viruses during my time there. The kicker was that the computers there all ran an AV software. Unfortunately, the AV software interfered with the CAD software in a way that caused the computers to crash (or so the architects kept insisting), so the users would turn the AV off while they were using CAD. The viruses seemed to be able to get in during one of these times, then propagate through the network as computers' AV software was turned off. When the AV software was turned back on, it was too late, the virus had gone into hiding.

I had to turn all computers on the network off, then, one-by-one, turn them on and disinfect them. And this was with several different viruses. Some came in on floppy disks, some in email, some I never did determine how they got into the network.

Shortly before I left that job, I finally convinced the principals to buy a new, server level AV software package. The main seat ran on the server, with client seats running on the users' computers. The users could no longer turn off the AV software. Even that wasn't 100% successful, as I was called a month after I left when the new network admin had a question about the software because they had another virus on their network.

And, incidentally, if you're running the Trend Micro AV scanner, you are running AV software, even if it isn't running full time...
 
Microsoft replies

Microsoft fired back in a statement, saying the virus does not appear to take advantage of a Windows vulnerability.

"We encourage all third party vendors to follow best practices and help protect their users regardless of platform through careful scanning of the software they ship, so that they do not expose their customers to unnecessary risk from malicious software," the company said.

http://news.yahoo.com/s/nm/20061018/tc_nm/apple_ipod_dc_4

How does the virus/trojan propagate if not through a vulnerability?!? Microsoft's response is as lacking in substance as Apple's first salvo.

EDIT: More http://news.yahoo.com/s/infoworld/2...piL1JxU.3QA;_ylu=X3oDMTA2ZGZwam4yBHNlYwNmYw--

http://jonpoon.blogspot.com/

B
 
vga4life said:
Um, what? How, exactly, did this occur without a lax security policy and lack of due care in oversight of the manufacturing process?
Any number of possible circumstances: an antivirus client that had not been properly receiving updates from the server; an antivirus client which switched off realtime protection (Symantec products do this from time to time, but the AV service remains running, so there's no way to detect a problem), or the possibility that the file propagated through execution on an unprotected folder (one with frequent writes/rewrites which would be slowed down by realtime protection). The machine was not necessarily connected to an email server or to the Internet. Furthermore, the small number of affected cases suggests that the facility employs sufficiently robust security measures--a poor security model would have allowed this virus to bounce around and compromise other systems.

Apple negligently produced and sold an actively malicious product.
Prove negligence. Based on what's been reported, there's no cause to believe that policies or practices were not reasonable and sufficient to discourage this eventuality.

At the very least, determining negligence here is a matter for the jury.
Nonsense. Production of documents detailing a sufficient security policy, logs and/or records of due diligence being exercised in following that policy, and a historical track record free of similar blemishes would end the case in summary judgment. It wouldn't get to a jury, from the information that has been reported to this point.

Yeah, I'll take a lecture on privity from someone who keeps writing it as "privy."
I used the term once, and used it correctly. The customer is privy to the transaction with Apple, hence the customer's response is to Apple. Edit: If there's some other place I used it, please enlighten me, as I can't seem to find it.
 
AidenShaw said:
This is one of the big changes with Vista - it has a much more Unix-like multi-user security model.

Actually, it just has an annoying "ask the user 28,753 times if he REALLY wants to do that"

UAC is so annoying I think people are either going to turn it off, or just click-through the warnings without reading them. Deleting an icon off your desktop pops up warnings. Creating a folder in the program files directory pops like 5 warnings. Just about every control panel applet pops up a warning just by opening it.

There's nothing UNIX-like at all in the security model.

NTFS ACLs are actually better than UNIX style permissions (much more fine-grained), and have been since NT 3.1. However, if everything has to run as administrator, the permissions on files don't do a damn thing.

It's kind of sad, really. Microsoft has long had a decent foundation to build upon. Everything they've layered on top has just been crap.
 
These things happen.

Catt said:
That's not even vaguely analogous. For a start a seatbelt is a piece of safety equipment installed in cars by the original manufacturer of said car by law. Anti-virus software is secondary to the iPod and the PC, not an integral part of either, and it is not a legal requirement to have anti-virus software installed on your PC.

I was referring more to the act of actually using the seatbelt being analogous to using antivirus. My point is, if you use a computer that is prone to virus (and all computers are), then you should be prepared to get a virus at any time, from anywhere. Common sense prevails. No, AV isn't mandatory, but in many places neither is buckling your seatbelt.

Apple's EULA specifically states that they cannot be held responsible if their hardware or software causes loss to the user's existing software. Apple knows things like this can happen. This contingency covers data loss due to manufacturer defect. For example, if the hard drive in your new iMac fails & you lose your personal data, Apple will gladly replace the drive, but your data isn't their responsibility. Nor would they feel inclined to give you a free iMac.

How is this virus any different? It was, in effect, a manufacturer defect. The drives didn't ship as spec. Per EULA & Warranty guidelines, your data's safety isn't guaranteed.

Were I the technician who took the call on this, I'd apologize for the virus, offer to replace the iPod with a "clean" model - same specifications, no free upgrades or anything (though I'd offer to upgrade them to the 80GB model if they want to pay the difference in price), and maybe recommend some antivirus solutions available at your favorite retail computer store or for free on the web. I'd also offer to sell them an AppleCare Extended Warranty upgrade. And THAT would be going above & beyond. Per Warranty, all I'd really have to do is reformat the iPod & give it back to you.
 
gloss said:
And if the accident was caused by some hobo that Honda allowed to sleep in the backseat and who gnawed through the brake lines looking for a fix?

Again, no, I wouldn't expect a free car. Were I injured because I wasn't wearing my seatbelt because some Honda-Overlooked hobo gnawed out my brakes, I'd expect Honda to replace the damaged car (I'd still make my car payments as usual). My injuries would be my own responsibility (well, my insurance company's).

That's why I always wear my seatbelt, always thoroughly check my car for Asian hobos, and always use antivirus on Windows machines.
 
matticus008 said:
Any number of possible circumstances: an antivirus client that had not been properly receiving updates from the server; an antivirus client which switched off realtime protection (Symantec products do this from time to time, but the AV service remains running, so there's no way to detect a problem), or the possibility that the file propagated through execution on an unprotected folder (one with frequent writes/rewrites which would be slowed down by realtime protection). The machine was not necessarily connected to an email server or to the Internet. Furthermore, the small number of affected cases suggests that the facility employs sufficiently robust security measures--a poor security model would have allowed this virus to bounce around and compromise other systems.

All of these are suggestive of a policy failure: vulnerable systems on the production line. A sufficiently robust security model would not permit even the production of infected systems, much less letting them escape the building and end up in customer hands.

Prove negligence. Based on what's been reported, there's no cause to believe that policies or practices were not reasonable and sufficient to discourage this eventuality.

The fact that iPods loaded with actual malware were sold to customers *IS* evidence of either negligence or actual malice (i.e. deliberate sabotage by an employee or contractor). Like I said, God didn't put it there. It got on there either through deliberate action, or failure to exercise due care in manufacture. There is no situation in which it is reasonable or acceptable to ship malware, or where shipping malware would not indicate either negligence or malice of an employee or contractor.

Nonsense. Production of documents detailing a sufficient security policy, logs and/or records of due diligence being exercised in following that policy, and a historical track record free of similar blemishes would end the case in summary judgment. It wouldn't get to a jury, from the information that has been reported to this point.

What reasonable person would believe Apple does not owe a duty of care to customers to provide a product free of actively, intentionally malicious software?

You may be right about the action ending in summary judgement, though - in favor of the plaintiff. Arguably, Apple violated the law in shipping a trojan (intentionally or not). That would suffice as negligence per se, absolving the plaintiffs of the need to prove a breach of duty owed. As a matter of law, this would be for the judge to decide.

I used the term once, and used it correctly. The customer is privy to the transaction with Apple, hence the customer's response is to Apple. Edit: If there's some other place I used it, please enlighten me, as I can't seem to find it.

Sorry, I just checked. It was a different poster.
 
vga4life said:
All of these are suggestive of a policy failure: vulnerable systems on the production line. A sufficiently robust security model would not permit even the production of infected systems, much less letting them escape the building and end up in customer hands.
The iPods were compromised because they were connected to a single PC at the facility (likely a QC or asset management process, i.e. post production), with only a few dozen "bad" iPods--likely less than an hour's work. Out of the thousands of iPods manufactured during this time, a very small number were affected, which can only reflect otherwise adequate security. There is no such thing as 100% security, and out of 30 or 40 or however many million iPods shipped, this was bound to happen eventually. Also consider that this has happened at least three other times with other MP3 player companies, to say nothing of the dozens of times it's happened outside the MP3 player field over the past decade.

The fact that iPods loaded with actual malware were sold to customers *IS* evidence of either negligence or actual malice (i.e. deliberate sabotage by an employee or contractor). Like I said, God didn't put it there. It got on there either through deliberate action, or failure to exercise due care in manufacture.
Did you miss the part where this could be explained through option c) "stuff" happens? What proof do you have that the machine had insufficient security by design and that it wasn't a crashed or out-of-date AV client? What evidence or intuition suggests that there is no possibility that this was inevitable in practical terms? That is, are there more rigorous standards employed by anyone else, or failing that, are there more rigorous standards that can reasonably be expected?

What reasonable person would believe Apple does not owe a duty of care to customers to provide a product free of actively, intentionally malicious software?
That's not the issue. Every company produces faulty products from time to time. There is nothing to suggest that Apple could realistically be expected to do better. 25 iPods, or even 500 iPods, do not represent a failure in policy or practice simply because they exist. It is not possible to have a human monitoring every machine at all times to catch when Symantec disables realtime protection or when the client update didn't actually take, even though it reported success to the server.

Arguably, Apple violated the law in shipping a trojan (intentionally or not). That would suffice as negligence per se, absolving the plaintiffs of the need to prove a breach of duty owed.
What law was broken?
 
Yeah, so my iPod's a new 80GB version. I saw RavMonE in the iPod folder and wondered what it was, but I didn't really think anything of it. Then, I get on MacRumors today and see this article. I feel kinda special to be part of the 20 or so people that are affected. Not really, but I'm glad I finally found out what it was.
 
matticus008 said:
The iPods were compromised because they were connected to a single PC at the facility (likely a QC or asset management process, i.e. post production), with only a few dozen "bad" iPods--likely less than an hour's work. Out of the thousands of iPods manufactured during this time, a very small number were affected, which can only reflect otherwise adequate security. There is no such thing as 100% security, and out of 30 or 40 or however many million iPods shipped, this was bound to happen eventually. Also consider that this has happened at least three other times with other MP3 player companies, to say nothing of the dozens of times it's happened outside the MP3 player field over the past decade.

I don't hold Apple any more or less responsible in this case than I'd hold any other manufacturer responsible for shipping malicious software.

That's not the issue. Every company produces faulty products from time to time. There is nothing to suggest that Apple could realistically be expected to do better. 25 iPods, or even 500 iPods, do not represent a failure in policy or practice simply because they exist.

And Apple is not absolved from liability on the grounds that "it doesn't happen very often."

What law was broken?

I dunno. Pay my retainer and I'll get to work on a memorandum. (Disclaimer: I am probably not an attorney licensed in your jurisdiction and am not actually soliciting you.) It was just a thought that occurred to me in the moment - I'd have to go back to the code.

I still think there's a reasonable product liability case here, and colloquially, would love to see Apple take it up the pooper unless they offer immediate, substantial remedy to those affected. Shipping malware to customers is like shipping iron shards in a box of cheerios. It renders the product substantially unfit for use. Just because General Mills told you how to use a magnet to make your cheerios safe to eat doesn't mean they didn't ship a defective product and shouldn't have to pay for actual damages incurred.
 
gilgalad101 said:
Yeah, so my iPod's a new 80GB version. I saw RavMonE in the iPod folder and wondered what it was, but I didn't really think anything of it. Then, I get on MacRumors today and see this article. I feel kinda special to be part of the 20 or so people that are affected. Not really, but I'm glad I finally found out what it was.
That was 25 or so "reports" - you are obviously part of a much larger group who have not reported Apple's QC lapse...
 
jessica. said:
No they should have been more careful and they need to take ownership for their mistakes.


It is most likely Apple's screw up and I agree with you, Apple is wrong for trying to take that crack at Windows when they do this.
Overall I agree, but the reality of this is that the iPod in this case is acting like any other removable USB device. It is just a carrier device. Other similar USB disk drive devices, for example the McDonald's promotion one you heard about, can also contain viruses; it is just a small disk drive in this mode.
Yes they should remove all PCs from their plant to prevent this from happening again. Until Apples can get infected (not just carry), it makes sense to use avoidance. Some people may start believing that Apple computers got infested and some may believe that Apple was doing a secret attack to make Micro$oft look bad by infecting the PCs. People believe all sorts of weird $h... Apple does not need a bad rap. Rise above the rest, lead by example.
 
vga4life said:
I don't hold Apple any more or less responsible in this case than I'd hold any other manufacturer responsible for shipping malicious software.
There's a clear precedent established for companies not being liable for monetary damages for these incidents, so long as the company acted in good faith in stopping the situation as soon as possible and providing prompt notification and rectification to affected users. Apple has done both.

And Apple is not absolved from liability on the grounds that "it doesn't happen very often."
That wasn't the point. The point is that there is the possibility that Apple could not have been reasonably expected to take any further action, and that their practices and policies are at least as secure as the industry norm. The limited scope of the incident suggests that there is no endemic lack of security at the production facility in question. Their liability is duly limited by the fact that this event may not have been capable of being anticipated and acceptable and sufficient policies and specifications to contractors were in place at Apple. Apple must take the public heat, but it would be extremely difficult to pin Apple down for an at-fault complaint.

I still think there's a reasonable product liability case here, and colloquially, would love to see Apple take it up the pooper unless they offer immediate, substantial remedy to those affected.
The fix was issued promptly, and the only "substantial remedy" one might have a chance of collecting would be if someone's personal system were compromised by the iPod prior to public notification of the problem.

Shipping malware to customers is like shipping iron shards in a box of cheerios. It renders the product substantially unfit for use. Just because General Mills told you how to use a magnet to make your cheerios safe to eat doesn't mean they didn't ship a defective product and shouldn't have to pay for actual damages incurred.
Dingdingding! Enter Microsoft, with all its exploits, code vulnerabilities, and security problems. Here's the rub, though. Software vulnerabilities and malware are a fact of life--no software is secure and companies to date have not been held liable for vulnerabilities or malware associated with their product (unless the product was designed to include said malware). A brief perusal of Westlaw shows no case where a company has been successfully prosecuted for accidentally shipping malware or un-secure code.
 
vga4life said:
I still think there's a reasonable product liability case here, and colloquially, would love to see Apple take it up the pooper unless they offer immediate, substantial remedy to those affected. Shipping malware to customers is like shipping iron shards in a box of cheerios. It renders the product substantially unfit for use. Just because General Mills told you how to use a magnet to make your cheerios safe to eat doesn't mean they didn't ship a defective product and shouldn't have to pay for actual damages incurred.

I think you're making a mountain out of a molehill here.

The malware shipped on the iPods is a trojan that opens the firewall to allow outsiders to access the PC. By itself, it does no other harm. It does not self propagate, nor does it physically harm your iPod or PC.

A properly protected PC, which any PC today should reasonably be if connected to the Internet, would not be harmed by an intruder even if this trojan did infect their PC.

The iPod can be disinfected by simply being erased and reformatted using the reload function in iTunes, in accordance with Apple's instructions. Your music will reload upon the first sync, just as it normally would, so you lose no music.

Ok, now tell me where a consumer has been harmed to the level that any reasonable consumer protection law would require Apple to expend any cash or labor to repair. Take this to court, and the summary judgement will come five minutes after Apple presents its case, and Apple wouldn't lose, if the court doesn't laugh you out in the beginning.

Yes, Apple screwed up, but all manufacturers do that at one time or another. They've admitted to the issue, found the error, put procedures in place to keep it from happening again, and reported this to the public, along with instructions on how to delete the trojan. Since this doesn't rise to the level of permanent harm, they aren't required to do anything else.

If you are really a lawyer, and are posting this BS to try to entice people to file suit, you should be investigated by your local bar. At the very least, you are guilty of stirring up trouble where it doesn't need to be.

In reality, I think you're just out to bang on Apple, given your ID.
 
matticus008 said:
The fix was issued promptly, and the only "substantial remedy" one might have a chance of collecting would be if someone's personal system were compromised by the iPod prior to public notification of the problem.

Of course. I'm talking about people with actual damages having a case to recover from Apple. Apple ships about 2.5 million iPods/month these days. Let's assume that "less than 1%" means "0.5-0.95%." Say Apple realized this last week, so there was only 1 month's production affected. That'd be 12500 - 23750 trojan iPods shipped. About 80% of iPods are paired with Windows PCs so that's 10000 - 19000 infected iPods being connected to computers. If half that number got infected, and a cost of $250 per user to remediate could be established, we're at $1,250,000 - $2,375,000 in damages. I don't think this is an unrealistic back-of-the-envelope number, and is enough to get someone's attention.

Dingdingding! Enter Microsoft, with all its exploits, code vulnerabilities, and security problems. Here's the rub, though. Software vulnerabilities and malware are a fact of life--no software is secure and companies to date have not been held liable for vulnerabilities or malware associated with their product (unless the product was designed to include said malware). A brief perusal of Westlaw shows no case where a company has been successfully prosecuted for accidentally shipping malware or un-secure code.

No, but I'm not aware offhand of any precedent around accidentally shipping malware in a product for sale (as opposed to distribution as an ISP - I remember Green v. AOL in the 3rd circuit affirmed the statutory immunity provisions of 47 U.S.C. § 230). I'm not sure the time isn't ripe for such a case to arise, but I'm quite sure that it's a battle most companies are willing to stave off with settlements. I wouldn't be surprised at a quiet settlement here at all.
 
vga4life said:
...we're at $1,250,000 - $2,375,000 in damages.
And who, pray tell, would benefit from that? :rolleyes:

BTW, how is it that people would be able to prove that they were infected by their iPods and were not previously infected?
 
vga4life said:
I'm not sure the time isn't ripe for such a case to arise, but I'm quite sure that it's a battle most companies are willing to stave off with settlements. I wouldn't be surprised at a quiet settlement here at all.
Oh I agree--I think now is the time to set this precedent. I worry about the number of technophobic (and just plain moronic) judges in the system these days. However, I wouldn't choose this case to make an explosive entry to the field--I'd choose a bigger target with a more immediate and tangible harm if I wanted to make a big splash here. I don't feel there's any merit to this case or that there's any unmet responsibility for which Apple is liable.

I doubt any meaningful legal action will arise from this particular situation--there are many cases which would be easier to win. I certainly wouldn't want to be working against the history of shipping malware on MP3 players (or media in general) where there has been no successful litigation. I'd much rather start from a fresh slate or start with a comparatively low-profile company. Control as many variables as possible, and so forth.
 
AidenShaw said:
That was 25 or so "reports" - you are obviously part of a much larger group who have not reported Apple's QC lapse...


I guess there will be more than 25 infected, just some people will never notice it, because

Case 1: They got a Mac and don't care!
Case 2: Their PC is protected by an AV that instantly filters it
Case 3: They see it, never click on it, and don't ask what it is and will never have an idea.

I guess most people never notice it; of course it's a small weak spot for Apple, where every Apple critic or opponent will be hitting on for months!
 
No excuses...

Snowy_River said:
This wasn't under Apple's direct control. Sure, the idea of a foreign OS is a great one. Even OS X would do. But Apple doesn't control the factories where they're made. So gripe about that, instead...


I believe the saying goes - "The buck stops here." Apple should go back and read that one.
 
Honestly I think someone or a few someones at Apple need to be fired. The very idea of quality control, in software and hardware, is basically nonexistent at Apple these days.
 
Swytch said:
...By your logic, I could go after Microsoft for selling me a product that is prone to getting viruses simply because I didn't "expect" that any OS I buy would be susceptible to 40000+ viruses out of the box...

Actually, to be accurate, XP would have to be shipped WITH preloaded VIRUSES to suit the logic...
 