Finger Pointing Over iPod Windows Virus

rs232 writes sent us some choice quotes in the finger pointing over the iPod's that recently shipped with a virus on them. "It's not a matter of which platform the virus originated [on]. The fact that it's found on the portable player means that there's an issue with how the quality checks, specifically the content check, was done," Poon wrote in a blog entry. and "Steve, if you need someone to advise on how to improve your quality checks, feel free to contact me 8)."

Who cares?

[NineNine]

Who cares how it happened? It's Apple's problem. It's Apple's fault. End of discussion. Apple's comment was childish and absolutely un-called for. Apple should apologize publically, announce that they will improved their QA, and move on.

Um, no

[Anonymous Coward]

Only a very small number of a specific model of iPod were affected by these Windows viruses. The entire blame rests with the factory making the iPods for Apple and putting the software image Apple prepared in advance not following good practices with respect to how they set up the empty drives before Apple's software went on them. The problem has been entirely fixed and you cannot even buy one of these infected iPods in the retail market today.

In other words, this is old news. And the size of the problem (the number of units affected) was so small, I would put good money down that we would not even know about the existence of this Windows virus problem if Apple had not disclosed it.

ill-advised comment, but not Apple's fault

[ummit]

Apple shouldn't have seemed to blame Microsoft, it's true. That's gotten the Windows partisans all riled up, although if you read what Apple wrote, they didn't explicitly blame Microsoft, just expressed annoyance -- and they expressed more annoyance with themselves for not noticing.

And everybody's blaming them for not noticing. But if you think about it, it was a pretty absurd thing for them to have had to "notice". As I understand it, the virus was implanted by one infected machine among a number of machines at a Chinese manufacturing shop they'd contracted iPod manufacture to. Apple said, "here's a thing that looks like an external disk: please put these bits on it for us". A simple and straightforward enough task, one would think -- but in a world where autorun exists and is or has been enabled by default, perhaps not so straightforward.

It's as if I had a letter to mail to 1000 of my customers, and I took one original down to my friendly print shop and asked them to make 1000 copies, and I or the print shop used an automated machine to fold the 1000 copies and stuff them in envelopes and mail them, and only after they were mailed out and opened by my customers did we start discovering that for some strange reason 1% of them had "FUCK YOU, ASSHOLE" overprinted on page 2. And then found out that the "strange reason" was that one of the copy machines at the print shop, among the several that the print shop divided my job among, was "infected" by a "virus".

If that happened to me, I'd be annoyed, too. (It'd be even more annoying if I were accused of ignorance for not having protected myself against this "obvious" threat, that evidently everybody else knows about and makes allowances for.) And I know my response would not be to ask the print shop to be more careful next time, or to run an "antivirus" soluton, or something. I'd take my business elsewhere, and more importantly insist that my future printing contractors use a different brand of copier, one that's not susceptible to preposterous failure modes like that, because even if there is some alleged way of papering over that particular flaw, who knows how many other equivalently egregious bizarre flaws it's got that haven't been discovered and papered over yet?

Re:Who cares?

[Anonymous Coward]

It is Apple's problem and was a bit childish, but that doesn't neutralize their point.

I've never had a virus on any personal machine, and the only ones I've ever had happen were 0-day expolits that were impossible to prepare for in a permissive network environment (i.e., where the ones transmitting viruses were folks I *HAD* to give permission to, or shut down the program in its entirety...and we have killed areas of our business where we couldn't provide the service AND securely provide for our clients).

At the same time, I now use entirely a Mac outside of work for personal use, and my side business runs on a few Linux servers. None of them have ever been compromised, and I do very little to secure them. At least in comparison to what I have to do with my Windows boxes. No tweaking the Firewall every few weeks, no having to fiddle with the virus checker -- especially when I find out the commercial product my employer uses site wide could easily be compromised to send viruses in the form of updates to every computer in the company -- no having to shut down vital services because even the OS Manufacturer can't figure out how to make them safe.

No, I don't have to deal with this fucking bullshit at home, and my T1 at home connected to my servers are open wide and I have logs showing thousands of attempts a day. The only reason I picked up a hardware firewall is because its much faster at discarding phoney requests than the other servers.

As such, many of us who don't have to deal with viruses on a daily basis laugh at those that do. I gotta say, the gain in productivity in not having to tweak shit made up for the price disadvantage of the Mac. I bring in my personal laptop to my day job and get far more...most of the time, my PC is shut off except when I need to offload a compile. And all the other developers laugh at me, except when the company is down to wipe everything and I'm still working. I've been known to throw out childish retorts as well and feel justified for them. You pick an inferior platform to base your life and business around, simply to save a few bucks and I'm going to laugh at you and make fun of you when you are inconvienced by something that can't effect me because I did my research and adjusted.

I'm sorry, but the more I think about it, Apple might have been shooting themselves in the foot with the comment, but they are absolutely right to say so and have no need to apologize to the sheep that goes with 'good enough'.

Re:Who cares?

[Anonymous Coward]

From www.apple.com/support/windowsvirus [apple.com]:

We recently discovered that a small number - less than 1% - of the Video iPods available for purchase after September 12, 2006, left our contract manufacturer carrying the Windows RavMonE.exe virus. This known virus affects only Windows computers, and up to date anti-virus software which is included with most Windows computers should detect and remove it. So far we have seen less than 25 reports concerning this problem. The iPod nano, iPod shuffle and Mac OS X are not affected, and all Video iPods now shipping are virus free. As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.

I don't see anything childish about that. Maybe if you selectively edit a quote from the above by removing it from its context, you can get something arguable. But in context, no.

For those that do not think Windows viruses are a big problem, consider my experience as a tech. I re-install Windows on clients computers due to viral infections at least once or twice a week. Generally these are older computers they have not had me work on and have failed to heed my advice w.r.t. needing anti-virus software on a Windows computer (same does not apply to the Mac OS X computers I work on). You know what really sucks, once the anti-viral software is installed and made effective (auto-scanning of every file that is touched) the whole system slows down. What could have been a relatively fast Windows computer is made slower just by having to have commercial anti-virus software (don't talk to me about OSS solutions, these installs have to be idiot proof with auto-scheduling, active scanning, and so on). Argh.

Reality check

[mattr]

It's not just the iPod, viruses on shipped hardware seem to be getting more common. For example see below. Can't give other documented articles, but remember similar cases this past year. Anyone? The swipe at Microsoft sounds a lot like Jobs, looks like his personality has infected the company too. But Apple could win this by instating new controls over subcontractors and making a PR campaign in which they force them to use Macs or otherwise emphasize steps they've taken to minimize infection from Microsoft-based hardware. :)

Quote from article [digitalmusicnews.com]:

Earlier, McDonald's and Coca-Cola faced a similar problem in Japan during an MP3 player giveaway, though the events are unconnected. The iPod virus only affects Windows machines, and does not alter the behavior of the portable device itself or Mac operating systems.

It's Microsoft's problem

[ajs318]

The blame for this lies entirely at the feet of Microsoft.

Who created the Operating System which will execute arbitrary code -- for that matter, arbitrary code which ought to require administrator privileges -- without the say-so of the user? Microsoft did.

That is the problem. For sure, they had a reason to do that -- they wanted to hide "difficult" decisions from the user in order to make their operating system beginner-friendly. Their model seems to be "Programmers know what they are doing, users don't." Unfortunately for everyone concerned, that has well and truly bitten them in the arse.

If Vista is more secure than Windows XP, then it will necessarily be harder to use. The only way it could be more secure than XP while remaining as easy to use, is if only certain trusted parties are allowed to write software for it. (Which is effectively what you've almost got with some OSes; anyone is allowed to write software, but software distributors -- who may well be independent of the software creators -- maintain a catalogue of what is "safe", based on their own judgement after reading the Source Code. Tech-savvy users can check the Source Code for themselves. Non-tech-savvy users know they can rely on the software distributor's judgement. Any distributor who does a bad job by distributing dangerous software loses custom.) But that would create a monopoly, or at best a cartel.

What's so bad about that quote?

[Anonymous Coward]

What's so bad about that quote? That it is nothing but truthful?

The fact of the matter is that Windows should be far more resilient to malicious software, regardless of whether the vector is a network, an email attachment, or a piece of Apple hardware.

Don't forget that there's nothing Apple can do but make such facts public knowledge. Considering how Microsoft limits access to the Windows source code and development process, there's basically nothing Apple could do to help improve the situation. If Microsoft's software is so readily vulnerable to exploits, then the only party to blame is Microsoft.

Re:For the same reason it's always happened...

[nine-times]

Apple, on the other hand, cuts down the quality of their hardware manufacturing processes. And with that decrease in quality, we see incidents like this happening.

This isn't a "hardware manufacturing" problem. The iPods got hooked to a Windows machine, probably during some QA process, and got infected. The hardware is fine.

Re:ill-advised comment, totally Apple's fault

[DingerX]

The buck stops with the label on the cover. Sorry, whoever you contract to do stuff with is your business; when you're selling something with your trademark on it, any problems are between YOU and the CUSTOMER. In Apple's case, their problems are between APPLE and the CUSTOMER. Blaming third-parties, whether those contracted to, or those completely uninvolved (Microsoft), is just unprofessional. I know Apple was itching to score points at an easy target like Microsoft, but guys: this is a screwup, APPLE's name is on the front, not whatever podunk assembly in the Hunan Province, and not Microsoft. Even a "minor" attack like, "Bad Microsoft, Worse Us" is out of place in PR copy. Leave that bit of trollwork to professionals, like Dvorak.

Re:OK, I have to ask

[__aajfby9338]

According to TFA, the infected Windows machine was used for compatibility testing. Do you work for Apple? How do you know what kind of machines they use in their iPod manufacturing process?

Re:What's so bad about that quote?

[piquadratCH]

What's so bad about that quote? That it is nothing but truthful?

It's truthful, but classless. Apple screws up big time, and they have no better idea than to insult Microsoft? Common, that's so cheap...

Re:Who cares?

[contrapunctus]

You're right, everybody should move on. And the rest of the sentence you refer to reads:
"...and even more upset with ourselves for not catching it." which should take care of the rest of your points.

Re:OK, I have to ask

[1u3hr]

It happened because even Apple needs Windows at some point to make their products.

It happens because Apple doesn't make their products. Subcontracters do. Apple doesn't have any factories.

Re:Who cares?

[NineNine]

Again: who cares? It doesn't matter what they use to make their products. The point is that the end product not only should work, but should NOT cause additional damage to other products that people already own.

Re:ill-advised comment, totally Apple's fault

[ummit]

The buck stops with the label on the cover... any problems are between YOU and the CUSTOMER.

Absolutely agree. So the remaining question is: aside from the ill-advised potshot, has Apple done right or wrong by those customers? Have they (a) disavowed all responsibility, told customers it's their problem, told them to go talk to the "podunk assembly plant in Hunan Province" if they need help, or (b) done everything they can to mitigate and prevent future recurrences of the problem?

Re:What's so bad about that quote?

[bealzabobs_youruncle]

Hardly a cheap shot really, if the OS wasn't such an open door this wouldn't be possible. I dock a poratble hard drive and get an exploit? Not a single prompt from the OS that something is going on? An application asserts itself as a start up process with zero sanity check? If Windows treated this properly it wouldn't try to manipulate files on removable media with no input from the user. If someone could craft an auto-executing file for other OSs, on OS X it would ask me for a password at least and name the process in question; Linux would do the same thing, or just fail silently. Doesn't happen on any other platform, it is a giant shortcoming of Windows as a platform. Stuff like this was supposed to be resolved in SP2.

Re:What's so bad about that quote?

[kubevubin]

So, by your logic, somebody who is shot and killed is immediately at fault because he/she isn't immortal? Oh, and the killer gets to insult the victim, too!

Re:What's so bad about that quote?

[thestudio_bob]

Why is this classless? I finally applaud a company coming out and stating the obvious! MS opererating system is horribably insecure and easy to exploit. Sure a person can make it stronger, but the problem is that 90% of the population doesn't know how to do this. You have to be an ./ to figure it out. Why can't MS patch the holes? I wish more companies would actually put some pressure on them to fix the thing already. And maybe this media attention will help do that. And how is this "screwing up big time"? It infected less than 1% of the iPods, that's "Big Time"? Where were you when sony was making their root kit?

Re:What's so bad about that quote?

[nutshell42]

If someone could craft an auto-executing file for other OSs, on OS X it would ask me for a password at least and name the process in question; Linux would do the same thing, or just fail silently.

#!/bin/sh
rm -rf ~

Considering that you can generally reinstall the OS in an hour or two, for most of us this would be just as devastating as a format c: (the exception being if you share your PC with like your omg daughter who just had to click on that link becuse the picture of the pony was sooo cute, or with your l33t hax0r err son who thought he was getting the latest warez); likewise trojans etc. installed as your user will do just as much damage as if installed as root.

Re:But how is it an insult?

[WilliamSChips]

Insults don't have to be false. Actually, in general, if they're clearly false they're rarely insults.

Re:ill-advised comment, totally Apple's fault

[Anonymous Coward]

As for the responsibility of the blunder, I absolutely agree with you. The buck stops at Apple. Whoever the fault it was, Apple did contract them and put their logo on the products as the approval and sell them as their own products. Did Apple refuse the responsibility? I can't find the evidence to the contrary. They admitted the problem, apologized and provided the way to neutralize the problem.

What people do have problems with is how Apple explained the incident. To me that's a bit unreasonable. Was Dell wrong when their laptops burst to fire and specifically attributed the problem to Sony's batteries or Ford to GoodYear tires? No. Both Sony's batteries and GoodYear tires were defective. Similarly, Microsoft Windows is defective. Companies do have the right to explain how a blunder happened when assuring the customers the steps being taken to prevent the same thing from happending again.

What's so different in those cases? Sony's batteries and GoodYear tires have no fanboys. I was tempted to say it's because both Apple and MS make OSes, but both Sony and Dell make laptops too.

Bad analogy

[Space cowboy]

That is like ford saying "A limited number of tires on Mustangs will spontaneously fail, causing a serious accident. As you might imagine, we are upset at drivers for not being more durable during such a crash, and even more upset at ourselves for not catching it"

Apple are *not* blaming the users of the ipod (the "drivers"), they are expressing some anger at the ultimate cause of how it happened ("the tire manufacturers"), and you better believe that if tires started randomly blowing out on cars, and there was an avenue of blame available, then Ford damn well would lay that blame firmly at the tire-manufacturers feet.

Since they're also volunteering this information, announcing a way for users to completely recover ("new body cloning device" ?), and expressing even more anger at themselves for not catching it, I don't really see the big deal.

Simon

Not the full quote

[RetiredMidn]

The full sentence on the Apple website as of now (leaving room for the possibility that they've modified it since the uproar) is:

"As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it."

(Emphasis mine.)

...the full interpretation being that they place more blame on themselves and/or hold themselves to a higher standard.

If the "more upset with ourselves" phrase was in the original quote and people left it out to make Apple look [more] arrogant [than they actually are], shame on them.

No, it's a cheap shot

[Jay Clay]

If I make a product that screws up something in a typical environment that it's supposed to be in, then it's my fault and no one else's, no matter how cruddy that environment is. This isn't like an unknown flaw or something that's unforseen. Windows is what it is, and if a known shortcoming isn't worked around by your product, then your product is at fault.

Re:What's so bad about that quote?

[e2d2]

Although it's true that windows has security flaws, this is true of most platforms. For instance if Apple had released a worm that exploited SSH instead, would we be arguing who's fault it was?

I'm sorry but as a developer myself I see this as extremely irresponsible. Admiting your faults is a core fundamental of software, you acknowledge and adjust. You don't finger point or make excuses for your own blunder, that's what amateurs do.

lame

[cosminn]

Common, your product gets infected because of some slopiness, and you blame another company??

If Jobs doesn't like it, then stop making the iPod work on Windows. How would he like it if all of a sudden the iPod would be "disabled" by MS? He'd sue the living hell out of them (and for good reason).

Take the responsability for the screw up and fix it.

Re:What's so bad about that quote?

[Anonymous Coward]

someone being shot and killed isn't exactly a great comparison to make to an operating system that resembles swiss cheese.

I would find someone at fault for getting shot if they ran in front of a firing range over and over, and then expected the people shooting to pay their medical bills every time they fixed the bullet holes.

maybe if microsoft wasn't just piling more wood onto the fire, their operating system wouldn't suck so much. sure, apple is being kind of smug with their choice of wording, but it really isn't their fault that windows is succeptable to a 5 year old virus.

the fact that so few (estimated about 25 units) were infected goes to show that it was probably ONE person who screwed up at the factory. its even possible that the person purposely implanted the virus on ipods in an attempt to get bad press for apple (its happened before -- remember the supposed macbook wireless security flaw, which actually turned out to be nothing related to the macbook or apple at all?)

apple took care of it immediately, and even went out of their way to post removal instructions. sure, they also snuck in a marketing quote "if you were on a mac, this wouldnt happen, wink winkn" -- but apple handled this 100 times better than microsoft, or even other top PC manufacturers (HP, sony, toshiba) handle their security flaws.

Re:Who cares?

[NineNine]

There will be problems, but you pay them the money for it, so it's their problem. If you buy a toaster, and it catches on fire, and the company says, "It's the fault of Taiwan Wire, Inc. who provided us with faulty wire", who is going to be blamed? It's the fault of the toaster company, because they used defective materials. In this case, it's the fault of Apple, because one of their vendors/manufacturers screwed up. People aren't concerned with the thousands of steps it takes to get to the iPod, nor should they be. That's what manufacturing companies do. They put together hundreds if not thousands of components together, and the final product is what you're buying. You're not buying wire, and an LCD screen and buttons and batteries and paint and plastic. You're not buying transporation from China to the US. You're not buying trucking services. You're not buying packaging. You're not buying pallets to put the cases of boxes on. You're not buying warehouse space. You're not buying ink to print the packaging. You're not buying silicon for the circuit boards. You're not buying iron to make the steel headphone jack. You're buying an iPod.

Re:What's so bad about that quote?

[Anonymous Coward]

In this instance, Apple really ought to be wearing their hardware manufacturer hat instead of their OS platform one. When cases like this occurred with other MP3 players, I do not recall the manufacturer blaming Microsoft for their own lapse in quality control. In fact I do not recall Microsoft even being mentioned. The manufacturer just apologised, put out an advisory, pulled the product quicksmart and revised their manufacturing quality checks. It would have been appropriate for Apple to have done the same, given that they fully support the Windows platform (which incidentally accounts for a massive chunk of their iPod customer base). Perhaps Apple feel that mentioning the laxness of Windows security is a convenient way to divert attention from their own responsibility as a hardware manufacturer. Perhaps it's even part of an elaborate spin campaign coordinated with the OS guys at Apple. Who knows? But basically if they genuinely feel the OS platform is such a problem then they really shouldn't have decided to support it in the first place. That's what they get for sleeping with the enemy.

Re:What's so bad about that quote?

[lilfields]

It doesn't matter what the operating system is; if it's XP, Vista, OSX, Linux, the next Windows or even the next, it's Apple's responsibility to put checks in place to prevent such things from happening. This is just as much Apple's fault (more so in my opinion) as it is Microsoft's. What if the reverse had been true? What if the Zune shipped with OSX viruses, I bet the tune of Apple would be completely different.

Re:ill-advised comment, totally Apple's fault

[DingerX]

The difference is that Dell's press releases don't mention Sony batteries, but _their_ batteries, which Sony happened to manufacture. Ford sold trucks with Goodyear-branded tires, and recalled same.

I repeat, for those fanboys who are hard of hearing: it's the job of the professional media trolls to place the blame. Apple coulda scored tons by just profusely apologizing for the Windows virus getting into their distribution system. There are plenty of press hacks who will "go the extra mile" and explain why Windows sucks. This has nothing to do with fanboys and everything to do with business sense. Sorry, Apple screwed up. Don't cry too much, or your tears might crack your G4 cube.

Re:It's a subtle bug, not obvious to solve

[1u3hr]

If you were about to suggest "well just use Linux" to format the drive

According to some quotes in TFA, the Windows machines are used to check for compatibility, as iPods can connect to Windows as well as Macs, not for the manufacturing process itself. Perhaps the low number of infections (said to be 5%) means only a few iPods were given that check (normal QC wouldn't require every one to be checked for a consumer item).

Re:What's so bad about that quote?

[MobileTatsu-NJG]

"...if the OS wasn't such an open door this wouldn't be possible."

If they had better QC in place, this wouldn't have happened. *Nix (including OSX) aren't 100% secure and never will be.

Re:Who cares?

[quanticle]

What!?

That's like saying, "Only a tiny percentage of criminals use guns. But one hundred percent of the cops they shoot will be injured or killed unless they have third-party protection (in the form of a bullet-proof vest). Therefore the fault lies with cops for not wearing bullet-proof vests."

It doesn't matter that Windows is vulnerable. Its still Apple's fault that they shipped a product that will damage the data on my PC. The responsibility lies on Apple's poor QA process that allowed this kind of damaging infection to get on their product.

Re:What's so bad about that quote?

[ummit]

"Microsoft has got nothing to do with this. Nothing!"

Nothing? Nothing at all? The fact that they invented a fundamentally insecure mechanism called autorun, and then made it enabled by default, played no part whatsoever in this scenario?

Let me guess, the "fb" stands for fanboy, right?

Re:Not the full quote

[Dun Malg]

The full sentence on the Apple website as of now (leaving room for the possibility that they've modified it since the uproar) is: "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it."

The problem I have with that mea culpa is that the claim of being "upset at Windows" is little more than a backhanded way of saying "if our competition made a decent OS, this wouldn't have happened". The vulnerability of windows is well known and has existed for YEARS. It's like blaming your own spelling errors on the fact that the English language does not have a rational spelling system. This is the state of the world. Accept the blame and quit trying to make marketing hay out of fanciful statements of "if the world were somehow something different from what it is..." I am reminded of the scene at the beginning of Back to the Future where Biff is arguing with George after crashing George's car.

Biff: "I can't believe you'd loan me your car without telling me it had a blind spot."

Re:OK, I have to ask

[X0563511]

No, it wasn't a virus for the iPod. It's a windows virus sitting on the iPod's filesystem.

Completely different beast.

Re:What's so bad about that quote?

[GFree]

Don't people ever consider burning the installers onto a CD/DVD or onto another hard drive or partition, so that if Windows has to be blown away and reinstalled you can get your software back fairly quickly?

Even better, a Ghost Image? You make it sound so difficult.

Re:Not the full quote

[Guppy06]

"As in "even more upset with ourselves for not catching it?""

As in (e. g.) "we have only ourselves to blame." Apple simply cannot pretend they did not know the risks (they advertise their knowledge of the risk in 30 s televsion spots all the time), so it's way beyond too late to try to shift blame (even in part) back to Microsoft.

Consider. [sluggy.com]

Two words about brand responsibility recognition :

[DrYak]

SONY. BATTERIES.

Who got the blame ? Was it only Dell, Fujitsu and their friends ?