Forgot your password?
typodupeerror
Security

Dell Ships Infected Motherboards 326

Posted by CmdrTaco
from the scanners-do-nothing dept.
An anonymous reader writes "Computer maker Dell is warning that some of its server motherboards have been delivered to customers carrying an unwanted extra: computer malware. It could be confirmation that the 'hardware trojans' long posited by some security experts are indeed a real threat."
This discussion has been archived. No new comments can be posted.

Dell Ships Infected Motherboards

Comments Filter:
  • by gorzek (647352) <gorzek@gmailREDHAT.com minus distro> on Wednesday July 21, 2010 @10:25AM (#32977528) Homepage Journal

    That's some great QA you've got going on over there.

    • by hedwards (940851) on Wednesday July 21, 2010 @10:26AM (#32977550)
      Dude, I'm getting a GENERIC VIAGRA!
    • by Chas (5144) on Wednesday July 21, 2010 @10:34AM (#32977658) Homepage Journal

      Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

      How the hell would they know if someone decided to pull a dick move like this?
      And for what they're being *COUGH*paid*COUGH*, why the hell would they even care?

      • Re: (Score:2, Informative)

        by Taco Cowboy (5327)

        Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

        I hope you take back the "barely literate people" part because it is untrue.

        To say that is to think too highly of your own self.

        • What is your evidence for it being untrue? I'm not saying it's not, but it seems likely that the literacy levels in sweatshops are lower than average.

          Even if it is untrue then I don't think it says so much about what he thinks of himself, as the stereotypes that are being fed to him.

          When I think of sweatshops I think of places like China and India well known for overpopulation and cheap labour. The literacy levels for these places are ~90% and ~66% respectively, with unemployment rates of ~4% and ~7%. Seems

          • Re: (Score:3, Interesting)

            by Pharmboy (216950)

            I can't speak for China, but I know that Moldova (the poorest country in Europe) is the cheapest place to build in Europe yet a large portion of the population has some college or a full degree, and an overall literacy rate that rivals the US. Perhaps due in part to being a former SSR. Poverty is not caused only by a lack of education.

        • by PitaBred (632671)

          He's not saying that all of China is illiterate or anything like that. He's just saying that the US has a 99% literacy rate, and China is at about 93.3%, and those factory jobs aren't always staffed by the highest-educated people, just like here in the US. There's nothing wrong with it. It's just the way things are.

      • by Elbowgeek (633324) on Wednesday July 21, 2010 @10:42AM (#32977770) Journal

        You do raise a good point. *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell. Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.

        • by Taco Cowboy (5327) on Wednesday July 21, 2010 @10:46AM (#32977824) Journal

          Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.

          Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?

          • by Elbowgeek (633324)

            I think that if the servers were developed manufactured "closer to home" there would certainly be less chance of introducing malicious code. In China there is an incentive by both common criminals *and* the Chinese government to exploit the opportunity to diddle with the firmware.

            That said, I have no information on where the firmware was developed, so if the naughty bits were injected by someone on the US development team I must sincerely apologize to the Chinese. Ahem.

          • Re: (Score:2, Insightful)

            Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?

            No, it just means that instead of costing $2,000 it would cost $6,000, and availability would sometimes be spotty due to the unionized workers striking, although it's probably a little more likely that the bad-ass perpetrators might be arrested.

            This is one of the things that irritates me about a lot of people; They will complain about the outsourcing of jobs and demand the lowest price all in one breath. Here's a clue for those clueless people - demanding the lowest price in a global economy ensures that

            • by mwvdlee (775178) on Wednesday July 21, 2010 @11:26AM (#32978378) Homepage

              Here's a clue for those clueless people - demanding the lowest price in a global economy ensures that those products will be manufactured where the cost of labor and material is lowest, and that ain't America or Western Europe

              So if those people would be willing to pay more, the products would be manufactured in more expensive countries instead of the companies continuing cheap labor manufacturing and simply making a bigger profit?

              • Re: (Score:3, Interesting)

                People can choose to take all things into consideration when making a purchase, or not. Look at the current "green" movement. People are buying things labeled as green even thought they cost more, don't offer any additional benefit to the user, in many cases probably work worse, and in reality don't really help the environment all that much.

                • Re: (Score:3, Insightful)

                  by Bengie (1121981)

                  what about power supplies and LED lit LCDs?

                  I have a namebrand $80 psu that's only ~8 years old and it had a power factor of ~0.8. My new PSU has a power factor of .99+

                  My old PSU was ~75% efficient max, my new one is ~85-89% depending on load

                  LED backlit LCD's consume about 1/2 the power of a florescent lit one, not to mention the lack of Mercury.

                  My ati 4850 consumes ~60watts idle, the ATI 5770 I plan on getting soon will consume about 20watts idle.

                  For servers, the biggest power draw is going to be HD/CPU/PSU

            • by Waffle Iron (339739) on Wednesday July 21, 2010 @12:02PM (#32978866)

              The next time a WalMart shopper complains about job outsourcing, offer to show them the cause of the problem and hand them a mirror.

              The problem is that the "global free market" is a multi-player version of the Prisoner's Dilemma game. It's been proven that in absence of communication between the players, the rational choice in this game is to always "defect". In this case, it means buying cheap imported crap at Wal Mart. If you don't defect, most others continue to do so, and you just end up being a sucker.

              Complaining about individuals' choices is going to accomplish nothing, because they're all making the most rational individual decisions. The only way to change the situation is to include the external costs of cheap offshore production into the retail price, which alters the individual's most rational choice. The most obvious way to do that is slap a tariff on the goods.

              • Re: (Score:3, Informative)

                by clarkkent09 (1104833)
                >i>The most obvious way to do that is slap a tariff on the goods.

                The most obvious and the most wrong. We can never be better off as a nation by increasing the overall cost of the goods we purchase. Workers in certain industries can be better off because tariffs harm their more efficient foreign competition, but those workers are better off only at the expense of a) consumers who are forced to pay more for goods and b) other workers who are losing jobs because their employer's costs have increased. C
            • by Skuld-Chan (302449) on Wednesday July 21, 2010 @12:17PM (#32979072)

              That's a myth - the biggest reason companies outsource manufacturing to 3rd world countries is a greater return on profit. Instead of making 150 dollars per machine you might make 20 or 30.

              Good example of this - up until very recently Dell's corporate desktops (Optiplex line - in fact I'm typing this on a 745 that has a "Assembled in the USA" sticker on it) were made right here in the USA, and didn't cost all that much more than Vostro machines which are made in China. These are rock solid machines (haven't had to replace a single major component on any one of the 200 or so I'm responsible for).

              My brother used to work for an importer of Chinese goods (pens/no name tv's [I see them at fry's all the time]/toys) you wouldn't believe the markup some of these goods have. Pens that sell for a dollar for instance they were buying for as little as 5 cents. 5 cents - think about how far they traveled, and how much effort it takes to make a ballpoint pen than you can make 95 cents profit off of. A lot of these 5 cent pens were toys on the side as well (light up, or have an etch-a-sketch attachment on the end - stuff like that) that sold for 2-3 dollars.

              • Re: (Score:3, Insightful)

                Good example of this - ... I'm typing this on a 745 that has a "Assembled in the USA" sticker on it)
                 
                I don't know if your example is all that good.
                 
                You do realize that there is a huge difference between "Assembled in the USA" and "Made in the USA", right?

          • by StikyPad (445176)

            There's a greater opportunity that I will lose my arm if I stick it in a wood chipper. That doesn't mean it's "guaranteed safe" by not placing it in said chipper. The opposite of "greater than" is not zero.

          • by Chas (5144)

            Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?

            Note my use of the term GREATER OPPORTUNITY

            I didn't say that this couldn't happen in the US. Simply that there would be a slightly better chance of it being caught before hitting the consumer.

        • by Bill_the_Engineer (772575) on Wednesday July 21, 2010 @11:09AM (#32978126)

          *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell.

          Half truth. Dell did not add any value to their products and decided to compete on price. In order to lower their prices and retain their profit margins they outsourced their assembly to countries with lower labor costs. Dell was not forced to lower their price, they choose to compete on price alone.

          *We* the consumer did not demand cheap prices, instead we purchased whatever gave us the better value. Which for some means the cheapest machine that runs stock Windows 7 for home, but for others features and/or better components may be deciding factor (eq. Apple, Alienware, Voodoo PC, Sony, etc.)

          • by temojen (678985)
            Alienware is Dell XPS with a fancier case.
          • Re: (Score:3, Interesting)

            by kimvette (919543)

            Dell was not forced to lower their price, they choose to compete on price alone.

            That is true of some of their desktops and low-end laptops - they're cheap in terms of both price and build quality, and the failure rate is abysmal.

            When you move up to the Precision line, everything changes. I bought a Precision M6400 notebook for the build quality, full keyboard, performance, and parts availability. It uses a desktop chipset, has a Quadro video card, more ports than pretty much any other notebook (plus Express

        • by somersault (912633) on Wednesday July 21, 2010 @11:21AM (#32978314) Homepage Journal

          So it's our fault for being prudent with our spending? I guess we should all pay over the odds for our electronics to make sure that all these international businesses aren't feeling the pinch too much in their profit margins! Let's buy from someone like Apple who we know are making a hefty profit on their products! Oh wait, Apple do their manufacturing in China too.. hmm.

        • by Tom (822) on Wednesday July 21, 2010 @11:36AM (#32978538) Homepage Journal

          No we haven't, and no they weren't forced.

          Dell decided to produce cheaper, in order to compete on price. They could have decided to compete on, say, quality, service, security, or any other area. They didn't.

          The "we the customer" meme should be shot on sight. It's from the 50s when we had something resembling free markets. Quick, how many major computer hardware manufacturers are there? So what are your choices, really? What are the choices of the general public, who know very little about computers or what goes into them?

          There's no such thing as customer decision. If at all, there is customer choice, among the products that are offered. The people who decide what kinds of products are available to be chosen from aren't the customers, it's some dudes in the marketing and product management departments.

          Don't make it too easy for them to avoid the blame. Nobody forced them to outsource to China. They decided to do it, because it would improve their bottom line. There are some - not many, but they exist - companies who made a different choice. Just because everyone else does it does not mean you have to do it - it just gives a manager with little interest beyond his yearly bonus a very easy excuse.

        • Re: (Score:3, Insightful)

          by Aceticon (140883)

          Dell would "outsource their firmware development and manufacture to China with too little oversight" even if the consumer had not "demanded the cheap prices of the hardware we buy" - it's just that in that case they would pocket the difference.

          Look at a typical brand-intensive (where a large percentage of the face price is for brand, not actual product) consumer electronics company like Apple - they have their products manufactured in China just like everybody else.

          No, the problem with consumers is not that

        • Re: (Score:3, Insightful)

          by joebagodonuts (561066)
          Dell isn't forced to do anything - they played a huge part in creating the demand for the cheap prices for hardware.
      • Re: (Score:3, Insightful)

        by vlm (69642)

        Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

        People talk about Detroit autoworkers exactly the same way. Doesn't mean much, really.

        • Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

          People talk about Detroit autoworkers exactly the same way. Doesn't mean much, really.

          Talk about them that way -- okay; they're not exactly in the same league though.

          UAW autoworkers earn, on average, $28 per hour. That's average, some get much more. http://answers.yahoo.com/question/index?qid=20070924073107AAuGk8O [yahoo.com]

          Chinese sweat shop labor, e.g. at Foxconn, make about $168-176 per month. http://www.china.org.cn/china/2010-06/07/content_20199987.htm [china.org.cn]

          • by c6gunner (950153)

            Chinese sweat shop labor, e.g. at Foxconn, make about $168-176 per month

            Yep, and a baker in China makes less than $100 per month. Seeing as how there's not much demand here for Chinese bread, I'm going to go out on a limb here and suggest that the "sweatshops" apparently pay better than what the chinese themselves are willing to pay.

            Here's a bunch more numbers for you to look at:
            http://www.worldsalaries.org/china.shtml [worldsalaries.org]

        • The literacy rate in Detroit is fantastically higher than in a lot of low-wage Asian countries.

        • by twoallbeefpatties (615632) on Wednesday July 21, 2010 @11:36AM (#32978528)
          People talk about Detroit autoworkers exactly the same way. Doesn't mean much, really.

          Actually, we say that Detroit autoworkers were overpaid and got way too many benefits for their unskilled labor due to inflexible, corrupt unions - sort of the opposite thing to what we're saying about offshored labor. But who's counting?
      • Re: (Score:2, Insightful)

        by interval1066 (668936)

        "..."rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money."

        "Chas", you're an idiot.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Yes because barely literate people working in sweat shops have the technical expertise to plant a virus in hardware.

        • Barely literate people working in sweat shops have the financial expertise to accept an extra month's salary to use the special chips given to him by whoever did have the technical skills.

      • by c6gunner (950153)

        And for what they're being *COUGH*paid*COUGH*, why the hell would they even care?

        Because what they're getting is far, FAR better than what they'll get if the factory gets shut down? Even in the first world, losing your job can ruin your life. In the third world, the repercussions are even worse.

      • Re: (Score:3, Interesting)

        Is there even an option to purchase a "high quality" motherboard, or any computer components for that matter? Cheap mass-produced goods abound in many types of products, however there are usually options. I can buy a cheap Korean car or guitar, but I might choose not to, paying a premium for an item designed and assembled in Germany, the US, or even Japan. I realize that it's very expensive to produce electronics in the US, and environmental laws make it highly unlikely to happen here, but it seems ther
    • Re: (Score:2, Informative)

      by Taco Cowboy (5327)

      Can't really blame Dell.

      In this world of outsourcing, and those who outsource the server fabrication themselves outsource other parts to other sub-contractors.

      And Dell is not alone in doing this. Almost all the brand name computers (and almost all types of electronic gadgets) are one-way-or-another outsourced.

      • Re:Wow, Dell... (Score:5, Interesting)

        by gorzek (647352) <gorzek@gmailREDHAT.com minus distro> on Wednesday July 21, 2010 @10:36AM (#32977696) Homepage Journal

        Just because you have a third party manufacture your hardware doesn't mean you shouldn't do your own QA. After all, it's your reputation on the line, not that of the nameless sweatshop contractor.

        So, yeah, this is thoroughly Dell's fault for not caring about their brand or reputation.

        • by Taco Cowboy (5327)

          Logistics, my dear sir, logistics.

        • Re:Wow, Dell... (Score:5, Insightful)

          by Richard_at_work (517087) <<richardprice> <at> <gmail.com>> on Wednesday July 21, 2010 @10:43AM (#32977780)
          Unfortunately you cannot QA 100% of everything you ship without significantly affecting costs - as the article states, Dell is saying that this affects a small number of motherboards sent out in a particular manner, so its quite possible that this slipped through a random item QA testing net out into the open without there being any real QA procedure issue.
          • Re: (Score:3, Insightful)

            by gorzek (647352)

            But these are servers, not consumer desktops. I guess it was naive of me to think there would be better quality checks on server hardware. Double dumbass on me.

            • by dave420 (699308)
              Nothing the post you replied to says there isn't better QA for servers. You just seemed to read that into there somewhere.
          • Re: (Score:3, Insightful)

            The issue probably was the procedure. Is it really a coincidence that these boards missed QA? I doubt it. If even one of the boards were caught before distribution, wouldn't there have been an investigation that would have stopped the rest? These boards were probably deliberately injected at intervals designed to pass through known gaps in the QA intervals, assuming the QA people weren't somehow complicit themselves.
            • Is it really a coincidence that these boards missed QA? I doubt it.

              Is it really a coincidence that *any* of the publicly reported faults with anything missed QA? Does everything have to be a conspiracy these days?

            • by Lumpy (12016)

              This is not like the olden days when server hardware was high end and robust. Dell and many other servers are now glorified workstation hardware for server use. The poweredge R410 is a low end 1U rack server. The motherboard is not much different than the Workstation grade stuff.

      • by Anonymous Coward

        How can you make such a claim?

        Outsourcing to the cheapest bidder absolves them of responsibility?

        I guess OJ really was innocent, and the lady that burned her own crotch by spilling coffee on herself really did deserve the million bucks from McDonalds..
        No wonder the world is in shambles..

      • by Yvan256 (722131)

        Tell me about it. We're a Canadian company and have sub-contractors in China that are supposed to make parts for us. However we have learned that our Chinese sub-contractors have themselves sub-contracted another company in India, which themselves sub-contracted another company in Mexico, which themselves sub-contracted another company in the USA.

        The kicker is that we make parts for a company in Japan that resells them to an unknown client that requires the label on the product to read "Made in Alpha Centau

        • by Nadaka (224565)

          Tell me about it. We're a Canadian company and have sub-contractors in China that are supposed to make parts for us. However we have learned that our Chinese sub-contractors have themselves sub-contracted another company in India, which themselves sub-contracted another company in Mexico, which themselves sub-contracted another company in the USA.

          Let me guess, your company was sub-contracted by a company in the USA to make a part remarkably similar to the one you needed?

  • by Farmer Tim (530755) <roundfile.mindless@com> on Wednesday July 21, 2010 @10:26AM (#32977558) Journal

    pwned.

  • by roman_mir (125474) on Wednesday July 21, 2010 @10:27AM (#32977582) Homepage Journal

    The Pentagon is spending millions on research designed to ensure it can trust the microchips in critical systems, especially those made outside the US.

    - I think the only true way to be sure is to manufacture the microchips yourself, of-course this costs much more than millions.

    This comes down to the old question raised by Ken Thompson of Trusting Trust. [uwaterloo.ca]

    • The chips could still be manufactured elsewhere, what is really needed is maintaining the firmware yourself, regulate the source with solid security policies, and flash the chips locally.
      Oh wait... closed source, yeah I guess that idea fails :p

    • Re: (Score:3, Insightful)

      by WED Fan (911325)
      How about bringing the fabs back to the U.S.? Too many chip manufacturers have gone overseas.
      • by Taco Cowboy (5327)

        How about bringing the fabs back to the U.S.? Too many chip manufacturers have gone overseas.

        There you go.

        Another with that "Made in the U. S. of A. would be the perfect cure of all ills" guy.

      • by Lumpy (12016)

        Sounds great. You going to smile and say thank you when your next PC costs you $3500.00 for the base model?

        Cost of manufacture in the USA is well over 20X higher than in china. Wages alone make up a huge difference along with environmental laws that are hostile to business because they wont let them dump just anywhere..

        All this stuff is made in china because you want $899.00 laptops. Bring it all back to the USA and you will be looking at $1300.00 netbooks and $3200.00 low end laptops. And that gamer

  • by lseltzer (311306) on Wednesday July 21, 2010 @10:30AM (#32977616)

    It's firmware, meaning software in a ROM. It's only slightly unconventional.

    And they say it's only on motherboards sent out as replacements. Interesting, you would think this would make it fairly easy to identify the source.

    • by Lumpy (12016) on Wednesday July 21, 2010 @11:22AM (#32978328) Homepage

      Incorrect. It's firmware, meaning it's software in a FLASH or EEPROM on rare occasions. That means it can be re-written by applications that know how to talk to it. Writing to a FLASH is not hard or a secret, in fact I wrote a self destruct years ago to screw with a kid that kept trying to break into our dial up server. It was called "Router Passwords.exe" and it simply tried to write FF FF FF to the beginning of the Bios flash chip for several different common motherboards.

      it worked, the kid never tried to connect again after he downloaded that bomb.

      If it was a ROM, my trick would not work as you can not update or write to ROM's.

  • Bad Article (Score:5, Informative)

    by Co0Ps (1539395) on Wednesday July 21, 2010 @10:30AM (#32977618)
    From TFA:

    This malware code has been detected on the embedded server management firmware.

    Firmware != Hardware It would have been impressive if it was a real hardware virus though e.g. some malicious chip that opens a backdoor on the network cards and allows remote code execution.

    • Re:Bad Article (Score:4, Informative)

      by hedwards (940851) on Wednesday July 21, 2010 @10:40AM (#32977742)
      That's bullshit and hardly relevant. Firmware is installed on a chip in the hardware. The significance is that even if you were to reinstall the OS, you'd still have the code pop up every time you try to use it. Hardware in this case indicates that it doesn't reside on the HDD or in some other removable portion of the computer. While you can change motherboards, that's a serious enough operation that you're essentially ending up with a different computer once finished.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Or you could update the firmware.
        I'm with GP, It's embedded software, but it is still software. It would have been really impressive if it was actual hardware malware.

    • Re:Bad Article (Score:5, Insightful)

      by fuzzyfuzzyfungus (1223518) on Wednesday July 21, 2010 @10:41AM (#32977760) Journal
      Arguably the IPMI is one step easier than just the motheboard firmware. Those suckers are basically little embedded computers, typically running linux or vxworks, with their own processor and everything. They happen to be physically coupled to the motherboards of larger devices; but, architecturally, they are basically the same as any of the "little bitty plastic box" style embedded network appliances.

      Given the fact that embedded appliances frequently have security made of pure shit, and servers are rather high value targets, the only real surprise is that they aren't targeted more often. Especially, if you are super lucky, the IPMI card will be connected to the oh-so-special-and-physically-separate-for-security "management network", which is where all the juicy; but often vulnerable, management interfaces live. Nice place to have an attack platform silently embedded...
  • I used to have an IBM server with an IPMI module, that's basically a little computer that can piggyback on the network interfaces and which provides monitoring (on the eServer 325 you can see all of the ~10 fans' speeds, the voltages, and about eight to ten temperatures) and some limited remote management like immediate or scheduled shutdown and startup. It's actually an MSI mainboard IIRC, they went on to make nicer versions of the same stuff with more processor support for their own productization, all to

    • by Amouth (879122)

      the Dell RAC cards/built-in can do that + remote console (text+vga+input) and even remote CD mapping.

      fun stuff.. always odd to flash the bios on a machine over the net.

      basically having software on the RAC is akin to having physical access to the box - and physical access is king.

  • a feature.
  • by MonsterTrimble (1205334) <.moc.liamtoh. .ta. .elbmirtretsnom.> on Wednesday July 21, 2010 @10:35AM (#32977678)
    I have not studied computer science, firmware trojans nor antivirus. Could someone explain to me:
    1) How do firmware trojans work?
    2) Are they OS independent?
    3) What information can they send and/or damage can they do to a system?
    • by bannable (1605677) on Wednesday July 21, 2010 @10:57AM (#32977970)
      Why is this modded flamebait? It seems like a legitimate question for someone unfamiliar with why this is interesting.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      1) More or less the same as any other trojan, but they're much nastier.
      2) Yes, very much so.
      3) Depends on what piece of firmware it is specifically, if say, the BIOS was what was infected then pretty much whatever the hell they want/want to do. Raw dumps of the HDD in the PC(or even just particular files depending on how advanced the trojan is) and an inside track for exploiting the entire network that the machine happens to be connected to, while remaining mostly invisible to anyone but a good/dedicated sy

    • by snadrus (930168) on Wednesday July 21, 2010 @11:01AM (#32978016) Homepage Journal
      Think embedded keylogger that sends results somewhere online for starters.
      Although it could be as advanced as a router that's been taken over and allow full remote access to the intranet the PC has. That way all the complex theft software is external.
      And ofcourse it could monitor activity & brick the motherboard if someone was trying to detect it.
  • systematic attack? (Score:2, Interesting)

    by rebmemeR (1056120)
    many parts are sourced from china. would it not be distinctly possible for that government to experiment with such trojans? most likely the evidence trail would be hard to track.
  • by boneclinkz (1284458) on Wednesday July 21, 2010 @11:00AM (#32978008)

    **This call may be monitored for quality assurance purposes.**

    Customer: Hi, my computer won't POST.

    Steve (Samir): Okay, sir, first we must try a few things. Is the machine currently plugged in?

    **3 hours later**

    Steve: Sir, the problem appears to be a faulty motherboard. Unfortunately your system is out of warranty. Luckily, while the system was operational, our integrated key-logger was able to pull your shipping address and credit card numbers. We have billed you for a replacement system and it should be there in 3-5 business days. Someone will need to sign for it, perhaps your oldest daughter. Justine is turning into a fine looking young-lady, by the way.

  • by kaizendojo (956951) on Wednesday July 21, 2010 @11:01AM (#32978022)
    A few of their SERVICE stock for a single motherboard showed signs of malware code on the embedded server management firmware. Dell reacted quickly and appropriately. You can read the forum posting that started this all here: http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx [dell.com]

    Of course this is disturbing, but it's quite a leap to say a 'hardware trojan' is 'shipping with Dell Servers'. Once again, a good example why you should never blindly trust "anonymous posters' on Slashdot... RTFA yourself.
    • Re: (Score:3, Interesting)

      by sjames (1099)

      It's not THAT big a leap. It can intercept system functions in the background leaving NO evidence at all on the actual server. It doesn't matter what OS you install or how much AV software you run. You can ever check the system BIOS if you're extra paranoid and still not even touch the spyware hidden in the system.

      It may not be literally in the hardware but it's considerably deeper embedded into the server than any virus reported up to this has ever been.

  • by Killer Instinct (851436) on Wednesday July 21, 2010 @11:17AM (#32978262) Journal
    Its not bad enough they ship with windows ?
  • Inexcusable (Score:3, Interesting)

    by mlts (1038732) * on Wednesday July 21, 2010 @11:22AM (#32978336)

    There are some issues where malware winds up in places, and that is something beyond the vendor's control. However, having the motherboard's BIOS infected is just plain not excusable. How can people have any guarantee of security if a maker's QA process allows this stuff to happen? Even if they offshore it to another contractor, the buck stops at the company whose name is on the machine. How can we be sure that replacing the management software and/or a BIOS reflash will take care of the problem?

    At least there are plenty of vendors to choose from in the x86 server market. IBM has some very good machines. HP always has had quality offerings. Oracle sells x86 and SPARC hardware, Cisco sells x86 servers that are decent. Even Apple has a top quality 1U server that can both work in a server room as well as a musician's rack.

  • This why you need to install firmware bios updates on all new systems when you get them in as the first thing.

  • I didn't know that Dell owned a naval fleet.

  • by jimicus (737525) on Wednesday July 21, 2010 @03:15PM (#32981790)

    Let's face it, Dell is the Ryanair (or, if you're American, the Southwest Airlines) of server vendors. Anyone who's ordered a server from them knows the drill only too well.

    You want a cheap server? No problem, sir.

    Oh, you wanted hard disks with your server? They're an optional extra, sir. They cost more.

    You wanted more than 512MB RAM? That'll be extra, sir.

    You wanted a processor which wasn't discontinued 18 months ago yet somehow we've managed to find a whole warehouse full of the buggers? That'll be extra, Sir.

    You want a 3 year warranty or are you happy with our standard 30 minute warranty? Three year warranty's extra, Sir.

    You want to actually speak to a technician during the course of the three years? Or are you happy being routed to the office cheese plant? The technician's extra, Sir.

    Now we know there's another question they'll ask.

    You want a motherboard that hasn't been pre-infected with firmware level trojans? That'll be extra, Sir.

  • Just to clear things (Score:3, Informative)

    by tuomoks (246421) <tuomo@descolada.com> on Wednesday July 21, 2010 @03:21PM (#32981854) Homepage

    Did anyone read the problem before replying, of course not - this is /. after all - so, from Dell ( just the important points ):

    3. The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware.
    4. All industry-standard antivirus programs on the market today have the ability to identify and prevent the code from infecting the customer’s operating system.
    5. Systems running non-Microsoft Windows operating systems cannot be affected.

    Doesn't seem very serious, of course it's Windows only so, of course, you are running antivirus AND, of course, after motherboard swap don't put it to production without testing - which would catch it?

    Anyway, still wondering even without antivirus - home come that people let their systems communicate over network with unauthorized traffic? Just going back 20+ years designing network systems, some even Windows, my systems never allowed any unauthorized traffic in or out - this of course sometimes needed even building your own comm. stacks, traps, hooks, proxies, whatever but also guaranteed that all traffic was legitimate! Saves a lot headache - of course all attempts were logged, alerted and, in case of outbound, the sources were isolated - automatically! So - even Windows can be built that way (with pain!), just wondering why some don't do that?

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...