[adamconroy]

so the spoofer distributing these devices is going to all this trouble/expense/risk in the hope there is a http downloaded exe it can corrupt, then hopes the hashing doesn't fail on that corrupt exe, and hopes the user ignores the untrusted source warning so that it can install a trojan?

[Ajedi32]

How many users do you know of who manually check hashes on downloaded executables?

And of course the user is going to ignore the untrusted source warning on an executable they intentionally downloaded and are trying to run.

[pluc]

I think what he means is that it seems like a lot of trouble to hack someone who is not necessarily hackworthy? Like what kind of things would you expect to gain from someone who would be as computer illiterate as to allow all that to come to fruition?

[jeffmcjunkin]

I agree that $25 / month is more than the average bot is generating. That said, there's a lot of value to many people's computers if properly exploited: https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hac...

[Anarch157a]

I work on a software company. You would be amazed to know how many manager types, earning 6 figures, who are absolutely naive with regards to security. Those are prime targets for this kind of exploit.

[freeone3000]

You only have to set this up once, then flash it to each device you're sending out.

[CuriousCosmic]

These are the same users who connected an untrusted block of hardware directly to their router and presumably gave them a their Facebook login and password.

[deytempo]

If you download putty, it comes from an http link. Try it right now

[cromulent]

I was shocked, so I went and checked and it seems like it is https.

https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/...

has link

https://the.earth.li/~sgtatham/putty/0.70/w64/putty.exe

[AgentME]

It's ironic given that putty's entire purpose is for dealing with a securely encrypted protocol.