Energizer Introduces USB Battery Charger With Bonus Rootkit Feature [Update]

from the keeps-going-and-going-and-going dept

Update: As lots of folks are pointing out in the comments, this appears to have been included by some third party or disgruntled employee or something, rather than Energizer itself. Energizer has recalled the products and is investigating. Apologies for suggesting that this may have been intentional on Energizer's part. The original post follows:

Someone, who prefers to remain anonymous, alerts us to the news that Symantec has discovered that a USB battery charger from Energizer installs a dangerous rootkit after installing the required driver. You would think that legit companies would know better than to install a secret rootkit after the Sony rootkit fiasco from a few years back. This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer. Not exactly the kind of stuff you want installed on your computer. The Energizer Bunny might keep going and going and going, but there are some things it's not supposed to do...

Reader Comments

  1.  The fun part
    Anonymous Coward, Mar 12th, 2010 @ 6:43am

    Is that you don't need the proper drivers to draw energy from a usb port.


  2.  Re: The fun part
    :Lobo Santo (profile), Mar 12th, 2010 @ 6:45am

    Correct! Man, people are just such suckers.


  3.  Anonymous Coward, Mar 12th, 2010 @ 6:49am

    I think it's a case of the installer being infected, rather than intentionally put there by the company. It's not that Energizer wants to use their charger software to control your computer, it's that they're completely incompetent and got infected in production. "Never attribute to malice that which can be adequately explained by stupidity."

    More interestingly, the malevolent DLL (Arucer.dll) is almost an anagram of "Duracell".


  4.  Anonymous Coward, Mar 12th, 2010 @ 6:53am

    I wonder if this battery has a hidden camera that can be remotely activated?


  5.  now think about rsa power cracking
    NAMELESS.ONE, Mar 12th, 2010 @ 7:03am

    hrmmmm


  6.  senshikaze (profile), Mar 12th, 2010 @ 7:07am

    why?
    i mean, WHY?

    What the fuck is the point in this? are companies full of damned idiots?


  7.  Spaceman Spiff (profile), Mar 12th, 2010 @ 7:14am

    @senshikaze
    "What the fuck is the point in this? are companies full of damned idiots?"

    The short answer? Yes.


  8.  Re: "full of idiots?"
    :Lobo Santo (profile), Mar 12th, 2010 @ 7:17am

    Yeah, gotta agree with you there.

    Certainly there are a few bright, reliable, well-intentioned talented individuals who do good work repeatedly; but they are a definite minority.


  9.  Re:
    A Dan (profile), Mar 12th, 2010 @ 7:19am

    The devices themselves aren't infected. This infection is in the driver package that you can (could?) download from the website. From the article:

    "We also saw from the manufacturer’s website that the software is not distributed with the physical USB charger itself and instead it must be downloaded separately from the site"


  10.  Ugh. The Techdirt decline continues.
    Brooks (profile), Mar 12th, 2010 @ 7:21am

    Ok, I can deal with the constant breathless outrage over the stupid things media companies do. And I can deal with the sometimes over-clever hindsightical analysis of PR blunders that lawyers and companies make.

    But this? Really? A quality control and PR disaster for Energizer, sure. A lesson in the dangers of outsourcing software development? Sure.

    But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?

    That's just flat out dishonest, Mike. Either produce some evidence that it was intentional, which nobody but you has suggested, or take a deep breath and consider the possibility that not every corporate mistake is with malicious intent.


  11.  Anonymous Coward, Mar 12th, 2010 @ 7:22am

    What evidence is there that this was intentional on the part of Energizer? I have seen none and the article linked doesn't seem to assign blame.


  12.  Anonymous Coward, Mar 12th, 2010 @ 7:25am

    I don't think that's a "rootkit"; it sounds more like a TROJAN to me. I'd at least like to think that a technology site at least knew how to classify their malicious software. This is old news btw.


  13.  Re: Ugh. The Techdirt decline continues.
    PaulT (profile), Mar 12th, 2010 @ 7:27am

    Please explain. You said:

    "But an intentionally nefarious move designed to mess with consumers?"

    The article you're responding to says (backed up by the linked article):

    "This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer."

    How in blue f*ck is it not intentionally nefarious? What other possible reason could there be for remote command execution capability in a driver for a device that does not actively need to interact with the computer?


  14.  Re: Ugh. The Techdirt decline continues.
    rpk!!, Mar 12th, 2010 @ 7:28am

    Is accidental release of a rootkit that much better? I don't see Energizer as an innocent bystander, whether the release was intentional or not! Don't they have some sort of obligation (if not moral, then an interest in not losing customers) to make sure their products are safe to use?


  15.  Belkin - Bad
    Steve R. (profile), Mar 12th, 2010 @ 7:30am

    We had a Belkin UPS that went bad. The good news is that Belkin honored its warranty and replaced the unit. The BAD news: Belkin had modified the (new) UPS model so that you would have to use THEIR software instead of the regular Windows power management software.

    It took several hours of frustrating tweaking before I figured it out. Of course the UPS documentation never mentioned the little detail that the ability of the UPS to work directly with Windows was "disabled".


  16.  Re: Re: Ugh. The Techdirt decline continues.
    sysadmn, Mar 12th, 2010 @ 7:33am

    The "intentionally nefarious" refers to Energizer's intentions. It doesn't seem likely that they slipped the trojan dll into the package. Sure, they're responsible, since they are distributing it, but there is a difference between negligence and "intentionally nefarious".


  17.  Re: Ugh. The Techdirt decline continues.
    Technopolitical (profile), Mar 12th, 2010 @ 7:49am

    "But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?"

    Not the point of Mike's post as I see it.

    The point as stated in the source article:
    "I certainly wouldn’t want my USB charger to download and execute files without my knowledge, or indeed send my files to a remote location."

    That is the big deal.


  18.  Re: Re: Re: Ugh. The Techdirt decline continues.
    RD, Mar 12th, 2010 @ 7:55am

    "Sure, they're responsible, since they are distributing it, but there is a difference between negligence and "intentionally nefarious"."

    Not from the perspective of the CONSUMER. To the consumer, who got this thing FROM Energizer, whether it was "intentional" or not is irrelevant. It's got a rootkit, it comes from Energizer itself, therefore it's nefarious/unwanted/unneeded/bad. We can argue about how this happened, but it's still Energizer's FAULT from the point of view of the consumer.

    Period.

    Full stop.

    End of line.

    QED.


  19.  I stumbled upon this the other day
    Chronno S. Trigger (profile), Mar 12th, 2010 @ 8:04am

    I'll probably never find the article again, so you can choose to believe or disbelieve anything I say.

    From what I read, the rootkit wasn't supposed to be there; it was a hack and was only on a select few of the chargers. They have recalled the affected lots and will be replacing them with working ones. This was from a representative of Energizer, so I doubt it's the full truth, if any at all.


  20.  Anonymous Coward, Mar 12th, 2010 @ 8:04am

    So is this from one of those useless software CDs that come in the package? Never ever, ever install any software from a hardware product! Never!


  21.  Lion XL, Mar 12th, 2010 @ 8:06am

    To be clear, the article makes no assertion that it was a rootkit. It calls it what it is, a Trojan. Rootkits and Trojans are very different, as everyone here should know by now.

    Mike are you reading???.....

    Not to say Energizer isn't a cluster fuck of company, for letting this out. But shit happens....


  22.  Not intentional
    Neil (SM), Mar 12th, 2010 @ 8:13am

    This appears to be the work of a rogue employee somewhere along the parts chain. Energizer is recalling the devices and claims to have had no idea about the problem.

    http://phx.corporate-ir.net/phoenix.zhtml?c=124138&p=irol-newsArticle&ID=1399675&highlight=

    http://consumerist.com/2010/03/energizer-duo-exploit.html


  23.  Sorry guys, you can't get one as a gift for your boss. It's discontinued :-(
    Anonymous Coward, Mar 12th, 2010 @ 8:22am

    Energizer discontinued the device earlier this month. Still, it was introduced in 2007, and you have to think there may be a lot of vulnerable systems out there.

    http://www.prnewswire.com/news-releases/energizer-announces-duo-charger-and-usb-charger-software-problem-86672072.html

    I'm off to eBay...


  24.  Who Owns Your Computer?
    lavi d (profile), Mar 12th, 2010 @ 8:29am

    "...you don't need the proper drivers to draw energy from a usb port."

    As a long time Linux user, I've never used the software that comes with USB devices - camera, printer, MP3 player.

    I was amused to find that every one of these applications, when properly installed on Windows machines, finds some way to spam the user. In the case of Kodak, it sends every picture the user emails wrapped in a big advertisement for Kodak products.

    Nice...


  25.  Re:
    interval, Mar 12th, 2010 @ 8:31am

    The exploit is a trojan, this story first appeared on /.

    You don't need the software to use the recharger. I don't really know much other than that; for an "informed opinion" I would guess that it went down like this: Energizer is populated with pre-internet execs; some bright star in the R&D group said "Hey, why don't we pop out this usb recharger, it will cost almost nothing to develop, and we can include it in all kinds of special projects, giveaways, promotions, etc." The execs said "Sure, anything that promotes Energizer is good." Then a salesman from a third party got involved with this "new project" from Energizer and said "Hey! We'd like to produce software for your new little dongle thingy there." And the execs thought "USB == pc == software. We need software for this new product. Ok." So the third party sniffed around E. Europe or Asia for anything they could quickly pack into the package, because this particular dongle DOESN'T REQUIRE ANY. Doesn't matter what the software does. All they needed to do was deliver "software" to Energizer to make a buck. This bundle was no doubt in my mind almost 100% profit for them. Energizer, not being a software company, probably gave the bundle little (if any) QA, and voilà! Trojan delivery system.


  26.  Re:
    Jon B., Mar 12th, 2010 @ 8:50am

    It is an anagram of Duracell®


  27.  Re: Re: Ugh. The Techdirt decline continues.
    Brooks (profile), Mar 12th, 2010 @ 8:53am

    As others have noted, while Energizer shipped the software, nobody thinks for a second that the inclusion of the rootkit was intentional or corporate policy. That's in contrast to Sony and other DRM abuse cases which were clearly designed and implemented as policy.

    The *rootkit* is malicious, of course. Energizer, as a company, was the victim of a sloppy or malicious contractor as well as their own negligence. Surely you can see the distinction there?


  28.  Re: Re: Re: Re: Ugh. The Techdirt decline continues.
    Brooks (profile), Mar 12th, 2010 @ 8:58am

    Nobody but you is talking about FAULT. This entire post (read it again) is about intent, and Mike ascribes intentionality ("you would think legit companies would have learned") where there is only negligence and clumsiness. It's sloppy thinking at best, and more than a little dishonest.


  29.  Re: Re: Ugh. The Techdirt decline continues.
    Anonymous Coward, Mar 12th, 2010 @ 9:05am

    Finding malicious code isn't as easy as many people would like to believe. If you're building it yourself there are steps you can take (peer review, version control, etc) to minimize the chances of something slipping in, but this DLL was bought from someone else, which isn't surprising considering that Energizer isn't in the software business. And finding it afterwards is really hard -- there's a whole Industry built around doing just that. Energizer is responsible for alerting customers and removing the offending code (which they've done), but it's hard to even fault them with negligence here.


  30.  Re:
    cwbutler, Mar 12th, 2010 @ 9:10am

    @senshikaze - why yes, yes they are.


  31.  Disappointed
    SomeGuy (profile), Mar 12th, 2010 @ 9:17am

    I have to say I'm really disappointed in this post, Mike, mostly because of the reference to the Sony Rootkit. With Sony, they intentionally placed software on their CDs to enforce DRM, and then hid it with a rootkit. Sony was fully aware of what they did and fully intended the software to function as it did. In Energizer's case, they've been the victim of a disgruntled or rogue employee (or a shady company, I'm not clear on that detail) and were unknowingly saddled with malicious code. Whether that code was "necessary" to run the device or not (it wasn't) is a moot point, Energizer is essentially innocent here, and is responsible only for alerting their customers and removing the offending code, which they've done.

    There was no malicious intention with Energizer, and missing that point (and in fact strongly implying otherwise) hurts your credibility.


  32.  Updated
    Mike Masnick (profile), Mar 12th, 2010 @ 9:58am

    Hey guys, added an update explaining that it was not Energizer's official doing. Apologies for implying otherwise.


  33.  I looked at this device.
    ECA (profile), Mar 12th, 2010 @ 10:18am

    1. The program is supposed to tell you when the batteries are charged.
    2. That's nothing, as it's TIMED, not really a charge CONTROL program, as you can't vary the voltage or check the battery.
    3. GET A REAL SMART CHARGER; they are $30 at Amazon from La Crosse Tech.
    4. ANY of the chargers at the store are CRAP. They work on a timer for the charge. They can't even tell you if the battery is ALREADY charged.


  34.  Pontifex (profile), Mar 12th, 2010 @ 10:41am

    The Symantec page mentioned that the name "Liu Hong" appeared several times in relation to the DLL; it's possible that this is the name of the person who wrote it. Or the name of someone they don't like.


  35.  Re: I looked at this device.
    Mr. Ambiguous, Mar 12th, 2010 @ 10:52am

    5. Don't buy rechargeable batteries from Energizer. I have quite a few that won't take a charge anymore. All my Eneloops still work perfectly.


  36.  Re: The fun part
    ChimpBush McHitlerBurton, Mar 12th, 2010 @ 11:07am

    PEOPLE:

    SANDBOXIE.COM

    CHECK IT BEFORE YOU WRECK IT.

    ROOTKIT SHMOOTKIT.

    CBMHB


  37.  Re: Updated
    Anonymous Coward, Mar 12th, 2010 @ 11:28am

    ...Now if we could get you to stop calling it a Rootkit just to create a catchy title and make the association with Sony.

    It's not a rootkit. Hell, the word "rootkit" doesn't even appear on the page you linked to. It's simply a Trojan.

    Yes, there is a difference and it does matter. I guess it's just not as easy to link Energizer with the Sony rootkit with an accurate title like "Energizer lets malware slip into its software".


  38.  Re: Updated
    Anonymous Coward, Mar 12th, 2010 @ 11:32am

    Your article also implies that the USB device itself launches malware, which is incorrect. The software was not contained on the USB device, and is not necessary to use the product.

    Also very misleading.


  39.  Ultimate responsibility
    Spaceman Spiff (profile), Mar 12th, 2010 @ 11:40am

    Whether or not this was done purposely by Energizer, they are ultimately responsible for this fiasco, and should pay the price in cleanup of users' computers that got infected with this kit, and provide some tangible benefit (free batteries) for causing their customers to become at risk of serious security breaches.


  40.  Re: Re: Re: Re: Re: Ugh. The Techdirt decline continues.
    Anonymous Coward, Mar 12th, 2010 @ 1:49pm

    The problem is that then any action done by any corporation can be deemed "sloppy behavior" by employees and not the corporation itself. How do we determine the difference?


  41.  Re: Re: Re: Re: Re: Re: Ugh. The Techdirt decline continues.
    Anonymous Coward, Mar 12th, 2010 @ 1:54pm

    Where do we draw the line between "it's the employees" vs. "it's the corporation itself"? Isn't the corporation composed of employees? I understand that sometimes employees do wrong things and that one shouldn't always directly criminalize top management for the actions of employees (and it's even worse to criminalize Google executives for the actions of their users), provided that management took reasonable steps to ensure malicious behavior isn't a problem and didn't contribute to or encourage such behavior, but where do we draw the line between the corporation and its members? When the stockholders do something wrong? When the CEO? The CFO? When 5 percent of the corporation acts maliciously towards their customers? 10 percent? Where exactly?


  42.  Re: Re: The fun part
    7ru7h, Mar 13th, 2010 @ 5:05pm

    That's all well and good if you have a 32bit system, but those of us with 64bit systems are SOL in that regard...


  43.  Re: Who Owns Your Computer?
    enrolled agent, Mar 13th, 2010 @ 5:42pm

    Is this true? I've used the Kodak EasyShare software myself in the past. I haven't noticed this though.


  44.  Anonymous Coward, Apr 2nd, 2010 @ 9:21am

    It's them damn Chinese, they have been hacking, cloning and stealing technology since way back!!


  45.  Anonymous Coward, Apr 2nd, 2010 @ 9:23am

    Hi Mom (grins real big)


