Security

Dell Ships Infected Motherboards 326

An anonymous reader writes "Computer maker Dell is warning that some of its server motherboards have been delivered to customers carrying an unwanted extra: computer malware. It could be confirmation that the 'hardware trojans' long posited by some security experts are indeed a real threat."
This discussion has been archived. No new comments can be posted.

  • by roman_mir ( 125474 ) on Wednesday July 21, 2010 @10:27AM (#32977582) Homepage Journal

    The Pentagon is spending millions on research designed to ensure it can trust the microchips in critical systems, especially those made outside the US.

    - I think the only true way to be sure is to manufacture the microchips yourself; of course, this costs much more than millions.

    This comes down to the old question raised by Ken Thompson of Trusting Trust. [uwaterloo.ca]

  • by lseltzer ( 311306 ) on Wednesday July 21, 2010 @10:30AM (#32977616)

    It's firmware, meaning software in a ROM. It's only slightly unconventional.

    And they say it's only on motherboards sent out as replacements. Interesting, you would think this would make it fairly easy to identify the source.

  • by Chas ( 5144 ) on Wednesday July 21, 2010 @10:34AM (#32977658) Homepage Journal

    Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

    How the hell would they know if someone decided to pull a dick move like this?
    And for what they're being *COUGH*paid*COUGH*, why the hell would they even care?

  • Re:Wow. (Score:3, Insightful)

    by grahamlee ( 522375 ) <(moc.geelmai) (ta) (maharg)> on Wednesday July 21, 2010 @10:38AM (#32977720) Homepage Journal
    It's also possible that the malware was actually dropped from a *nix or Windows system that wasn't itself infected, but where the user wanted to drag Dell through the muck. Doesn't need to be any of these Advanced Persistent Threats you keep reading about, just a terminated employee on his last day. I doubt that embedded hardware is connected to the internet while it's being assembled, so it seems unlikely that they got a chance infection - someone had to subvert their production process. That's most likely to be an insider.
  • by roman_mir ( 125474 ) on Wednesday July 21, 2010 @10:40AM (#32977740) Homepage Journal

    Ken Thompson would show you how you'd fail in this anyway. You'd THINK you flashed the chips, but there would be some other code somewhere in the chip that would contain a Trojan. Unless you are in the loop 100% of the time and nobody can inject any modifications into any manufacturing processes, you can't be certain that nothing at all was modified.

  • Re:Bad Article (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Wednesday July 21, 2010 @10:41AM (#32977760) Journal
    Arguably the IPMI is one step easier than just the motherboard firmware. Those suckers are basically little embedded computers, typically running Linux or VxWorks, with their own processor and everything. They happen to be physically coupled to the motherboards of larger devices; but, architecturally, they are basically the same as any of the "little bitty plastic box" style embedded network appliances.

    Given the fact that embedded appliances frequently have security made of pure shit, and servers are rather high value targets, the only real surprise is that they aren't targeted more often. Especially, if you are super lucky, the IPMI card will be connected to the oh-so-special-and-physically-separate-for-security "management network", which is where all the juicy; but often vulnerable, management interfaces live. Nice place to have an attack platform silently embedded...
  • by Elbowgeek ( 633324 ) on Wednesday July 21, 2010 @10:42AM (#32977770) Journal

    You do raise a good point. *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell. Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.

  • Re:Wow, Dell... (Score:5, Insightful)

    by Richard_at_work ( 517087 ) on Wednesday July 21, 2010 @10:43AM (#32977780)
    Unfortunately you cannot QA 100% of everything you ship without significantly affecting costs - as the article states, Dell is saying that this affects a small number of motherboards sent out in a particular manner, so it's quite possible that this slipped through a random item QA testing net out into the open without there being any real QA procedure issue.
  • by Anonymous Coward on Wednesday July 21, 2010 @10:43AM (#32977782)

    How can you make such a claim?

    Outsourcing to the cheapest bidder absolves them of responsibility?

    I guess OJ really was innocent, and the lady that burned her own crotch by spilling coffee on herself really did deserve the million bucks from McDonalds..
    No wonder the world is in shambles..

  • by Taco Cowboy ( 5327 ) on Wednesday July 21, 2010 @10:46AM (#32977824) Journal

    Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.

    Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?

  • How about bringing the fabs back to the U.S.? Too many chip manufacturers have gone overseas.
  • by vlm ( 69642 ) on Wednesday July 21, 2010 @10:47AM (#32977838)

    Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

    People talk about Detroit autoworkers exactly the same way. Doesn't mean much, really.

  • by interval1066 ( 668936 ) on Wednesday July 21, 2010 @10:48AM (#32977840) Journal

    "..."rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money."

    "Chas", you're an idiot.

  • Re:Wow, Dell... (Score:3, Insightful)

    by gorzek ( 647352 ) <gorzek@gmaiMENCKENl.com minus author> on Wednesday July 21, 2010 @10:52AM (#32977892) Homepage Journal

    But these are servers, not consumer desktops. I guess it was naive of me to think there would be better quality checks on server hardware. Double dumbass on me.

  • Re:Wow, Dell... (Score:3, Insightful)

    by ElectricTurtle ( 1171201 ) on Wednesday July 21, 2010 @10:56AM (#32977958)
    The issue probably was the procedure. Is it really a coincidence that these boards missed QA? I doubt it. If even one of the boards were caught before distribution, wouldn't there have been an investigation that would have stopped the rest? These boards were probably deliberately injected at intervals designed to pass through known gaps in the QA intervals, assuming the QA people weren't somehow complicit themselves.
  • by bannable ( 1605677 ) on Wednesday July 21, 2010 @10:57AM (#32977970)
    Why is this modded flamebait? It seems like a legitimate question for someone unfamiliar with why this is interesting.
  • by Bill_the_Engineer ( 772575 ) on Wednesday July 21, 2010 @11:09AM (#32978126)

    *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell.

    Half truth. Dell did not add any value to their products and decided to compete on price. In order to lower their prices and retain their profit margins they outsourced their assembly to countries with lower labor costs. Dell was not forced to lower their price, they chose to compete on price alone.

    *We* the consumer did not demand cheap prices, instead we purchased whatever gave us the better value. Which for some means the cheapest machine that runs stock Windows 7 for home, but for others features and/or better components may be the deciding factor (e.g. Apple, Alienware, Voodoo PC, Sony, etc.)

  • Re:Bad Article (Score:2, Insightful)

    by Anonymous Coward on Wednesday July 21, 2010 @11:11AM (#32978160)

    Or you could update the firmware.
    I'm with GP, It's embedded software, but it is still software. It would have been really impressive if it was actual hardware malware.

  • by Low Ranked Craig ( 1327799 ) on Wednesday July 21, 2010 @11:19AM (#32978284)

    Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?

    No, it just means that instead of costing $2,000 it would cost $6,000, and availability would sometimes be spotty due to the unionized workers striking, although it's probably a little more likely that the bad-ass perpetrators might be arrested.

    This is one of the things that irritates me about a lot of people; They will complain about the outsourcing of jobs and demand the lowest price all in one breath. Here's a clue for those clueless people - demanding the lowest price in a global economy ensures that those products will be manufactured where the cost of labor and material is lowest, and that ain't America or Western Europe.

    The next time a WalMart shopper complains about job outsourcing, offer to show them the cause of the problem and hand them a mirror.

    For my own part I do try to at least shop at smaller local business when I can, the local Ace instead of Lowe's for example, but it's almost impossible to avoid cheap imported products, and it's even more disheartening when the cheap $15 Chinese tool is better than the $30 made in USA tool...

  • by somersault ( 912633 ) on Wednesday July 21, 2010 @11:21AM (#32978314) Homepage Journal

    So it's our fault for being prudent with our spending? I guess we should all pay over the odds for our electronics to make sure that all these international businesses aren't feeling the pinch too much in their profit margins! Let's buy from someone like Apple who we know are making a hefty profit on their products! Oh wait, Apple do their manufacturing in China too.. hmm.

  • by Anonymous Coward on Wednesday July 21, 2010 @11:21AM (#32978322)

    If the process were done "in house", then the company has the option to institute organizational controls to prevent this sort of thing, wherever the actual process takes place. It being done by outside contractors, the company is limited more to detection after the fact rather than prevention.

  • by mwvdlee ( 775178 ) on Wednesday July 21, 2010 @11:26AM (#32978378) Homepage

    Here's a clue for those clueless people - demanding the lowest price in a global economy ensures that those products will be manufactured where the cost of labor and material is lowest, and that ain't America or Western Europe

    So if those people would be willing to pay more, the products would be manufactured in more expensive countries instead of the companies continuing cheap labor manufacturing and simply making a bigger profit?

  • by twoallbeefpatties ( 615632 ) on Wednesday July 21, 2010 @11:36AM (#32978528)
    People talk about Detroit autoworkers exactly the same way. Doesn't mean much, really.

    Actually, we say that Detroit autoworkers were overpaid and got way too many benefits for their unskilled labor due to inflexible, corrupt unions - sort of the opposite thing to what we're saying about offshored labor. But who's counting?
  • by Aceticon ( 140883 ) on Wednesday July 21, 2010 @11:45AM (#32978652)

    Dell would "outsource their firmware development and manufacture to China with too little oversight" even if the consumer had not "demanded the cheap prices of the hardware we buy" - it's just that in that case they would pocket the difference.

    Look at a typical brand-intensive (where a large percentage of the face price is for brand, not actual product) consumer electronics company like Apple - they have their products manufactured in China just like everybody else.

    No, the problem with consumers is not that they want stuff cheap, the problem with consumers is that they accept shitty products and do not seriously penalise a brand when it turns out they do not have proper quality control in place.

  • by joebagodonuts ( 561066 ) <cmkrnl&gmail,com> on Wednesday July 21, 2010 @11:46AM (#32978666) Homepage Journal
    Dell isn't forced to do anything - they played a huge part in creating the demand for the cheap prices for hardware.
  • by Waffle Iron ( 339739 ) on Wednesday July 21, 2010 @12:02PM (#32978866)

    The next time a WalMart shopper complains about job outsourcing, offer to show them the cause of the problem and hand them a mirror.

    The problem is that the "global free market" is a multi-player version of the Prisoner's Dilemma game. It's been proven that in absence of communication between the players, the rational choice in this game is to always "defect". In this case, it means buying cheap imported crap at Wal Mart. If you don't defect, most others continue to do so, and you just end up being a sucker.

    Complaining about individuals' choices is going to accomplish nothing, because they're all making the most rational individual decisions. The only way to change the situation is to include the external costs of cheap offshore production into the retail price, which alters the individual's most rational choice. The most obvious way to do that is slap a tariff on the goods.

  • by Mister Whirly ( 964219 ) on Wednesday July 21, 2010 @12:38PM (#32979334) Homepage
    Actually, I would consider being able to read as the criteria for "literacy". What does McDonalds have to do with literacy rates? Nice strawman though - we aren't talking about obesity, nutrition, or anything food-related in this conversation.
  • by Bengie ( 1121981 ) on Wednesday July 21, 2010 @12:38PM (#32979338)

    what about power supplies and LED lit LCDs?

    I have a namebrand $80 psu that's only ~8 years old and it had a power factor of ~0.8. My new PSU has a power factor of .99+

    My old PSU was ~75% efficient max, my new one is ~85-89% depending on load

    LED backlit LCDs consume about 1/2 the power of a fluorescent lit one, not to mention the lack of Mercury.

    My ATI 4850 consumes ~60 watts idle, the ATI 5770 I plan on getting soon will consume about 20 watts idle.

    For servers, the biggest power draw is going to be HD/CPU/PSU, but a "green" version of any of those can add up really fast.

  • by innocent_white_lamb ( 151825 ) on Wednesday July 21, 2010 @12:52PM (#32979532)

    Good example of this - ... I'm typing this on a 745 that has a "Assembled in the USA" sticker on it)
     
    I don't know if your example is all that good.
     
    You do realize that there is a huge difference between "Assembled in the USA" and "Made in the USA", right?

  • by blackraven14250 ( 902843 ) on Wednesday July 21, 2010 @12:52PM (#32979548)
    Just because they don't know how to put the words together coherently into sentences following proper grammatical structures doesn't mean they can't write. It means they're not going to be writing research papers.

    Also, if you think the criteria for India and China's literacy rates is different or inherently superior to the US, you'd be sorely mistaken.
  • by swb ( 14022 ) on Wednesday July 21, 2010 @02:28PM (#32981052)

    How many choices did you have in a rather competitive market (at the time) like cars?

    Domestically? At least five: Hudson (which became AMC), Studebaker, General Motors (which we'll count as one, despite the fact that in the 1950s there was a lot more distinction between division products), Ford and Chrysler.

    And then there were niche players, like Checker whose vehicles were primarily for the livery market but went on to sell normal end-user vehicles.

    What do we have now? Three, sort of -- GM has closed its Olds and Pontiac divisions, making for fewer choices, although realistically the marques of GM have had little distinction since the 1970s, Chrysler is owned by Fiat, and Ford isn't what it used to be.

    Import-wise we have more choices now, but to be fair to 1950s markets, Europe and Japan were in recovery and the vehicles produced at that time were more attuned to local market conditions (less expensive, smaller, etc) than American consumer demand (larger, more powerful, etc).

  • by jimicus ( 737525 ) on Wednesday July 21, 2010 @03:15PM (#32981790)

    Let's face it, Dell is the Ryanair (or, if you're American, the Southwest Airlines) of server vendors. Anyone who's ordered a server from them knows the drill only too well.

    You want a cheap server? No problem, sir.

    Oh, you wanted hard disks with your server? They're an optional extra, sir. They cost more.

    You wanted more than 512MB RAM? That'll be extra, sir.

    You wanted a processor which wasn't discontinued 18 months ago yet somehow we've managed to find a whole warehouse full of the buggers? That'll be extra, Sir.

    You want a 3 year warranty or are you happy with our standard 30 minute warranty? Three year warranty's extra, Sir.

    You want to actually speak to a technician during the course of the three years? Or are you happy being routed to the office cheese plant? The technician's extra, Sir.

    Now we know there's another question they'll ask.

    You want a motherboard that hasn't been pre-infected with firmware level trojans? That'll be extra, Sir.
