Asus Recovery DVD scandal: How it happened
For those who haven’t already heard, the PC OEM company Asus was involved in a major scandal where a directory on the recovery DVD and inside c:\Windows\ConfigSetRoot\ contained a software crack for the WinRAR program, software serial numbers, a resume (presumably for a now-jobless Asus employee), an internal Asus PowerPoint describing “known compatibility issues”, Asus source code, and even an OEM-issued Microsoft document, which mainly says “do not distribute DR-DOS with any computers”.
We now know from an OEM source how exactly the files got where they did in the first place, and it isn’t very surprising.
An Asus representative said they would be investigating the matter, and while someone is still going to lose their job over this just so Asus can say so, the way the files made it to thousands of PCs is pretty common.
An OEM employee (name not mentioned here) discussing the matter said that during the Vista installs, the generic Vista disc installing the OS looks for an XML file (unattend.xml) on a flash drive. Upon finding it, the installation parses the file and follows it as installation instructions, so nobody has to go through the installation menu for the hundreds of simultaneous installations (hence the "unattend").
BUT… there is another twist: if a certain tag or attribute is present, all files on the flash drive other than unattend.xml itself will be copied to c:\Windows\ConfigSetRoot – see the connection?
So apparently an Asus employee happened to have a personal flash drive and stored his resume on it (presumably; conspiracy theorists may disagree), along with a few ‘harmless’ keygens and serials, in his defence perhaps in case he lost the serial to WinRAR or other programs. Apparently the same employee also used the flash drive to store or back up confidential Asus documents and source code.
So if the internally distributed Asus unattend.xml file was copied to this unnamed (and jobless) employee’s personal flash drive, and it included the XML tag/attribute to copy everything over to the system root and, therefore, to the recovery DVD as well, then voila! The only way somebody could come under fire for this is for, oh, I don’t know, not checking the installation root once everything was installed!
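A pre-imaging check for the mechanism described above, as an added example that is not from the original post or from Asus. It assumes the unnamed tag is the `UseConfigurationSet` setting of the Microsoft-Windows-Setup component; the sample answer file, file names, allowlist and function names are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed answer file, not Asus's. UseConfigurationSet (a real setting of the
# Microsoft-Windows-Setup component) is assumed to be the tag the post means.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <UseConfigurationSet>true</UseConfigurationSet>
    </component>
  </settings>
</unattend>
"""
ANSWER_NAMES = ("unattend.xml", "autounattend.xml")

def copies_media_root(answer_file):
    """True if the answer file sets UseConfigurationSet to true."""
    for elem in ET.parse(answer_file).getroot().iter():
        if elem.tag.rsplit("}", 1)[-1] == "UseConfigurationSet":  # drop namespace
            if (elem.text or "").strip().lower() == "true":
                return True
    return False

def unexpected_files(media_root, allowlist=()):
    """Files that would land in ConfigSetRoot and are not on the allowlist."""
    answers = [n for n in os.listdir(media_root) if n.lower() in ANSWER_NAMES]
    if not any(copies_media_root(os.path.join(media_root, n)) for n in answers):
        return []  # nothing besides the answer file is copied
    allowed = {a.lower() for a in allowlist}
    found = []
    for folder, _dirs, names in os.walk(media_root):
        for name in names:
            rel = os.path.relpath(os.path.join(folder, name), media_root)
            rel = rel.replace(os.sep, "/")
            if rel.lower() not in ANSWER_NAMES and rel.lower() not in allowed:
                found.append(rel)
    return sorted(found)

def demo():
    """Build a constructed flash-drive layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "drivers"))
        for rel, text in [("unattend.xml", SAMPLE_UNATTEND), ("resume.doc", "x"),
                          ("drivers/audio.inf", "x"), ("serials.txt", "x")]:
            with open(os.path.join(drive, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
        return unexpected_files(drive, allowlist=["drivers/audio.inf"])
```

Pointing `unexpected_files` at the mounted master image's `Windows\ConfigSetRoot` copy of the media instead of the flash drive gives the post-install check the post says was skipped.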
So now we know HOW exactly this whole ordeal started, and there is a lesson to be learned here… somewhere.