Security

Dell Ships Infected Motherboards

An anonymous reader writes "Computer maker Dell is warning that some of its server motherboards have been delivered to customers carrying an unwanted extra: computer malware. It could be confirmation that the 'hardware trojans' long posited by some security experts are indeed a real threat."
  • by MonsterTrimble ( 1205334 ) <monstertrimble&hotmail,com> on Wednesday July 21, 2010 @10:35AM (#32977678)
    I have not studied computer science, firmware trojans nor antivirus. Could someone explain to me:
    1) How do firmware trojans work?
    2) Are they OS independent?
    3) What information can they send and/or damage can they do to a system?
  • Re:Wow, Dell... (Score:5, Interesting)

    by gorzek ( 647352 ) <gorzek@nOsPAm.gmail.com> on Wednesday July 21, 2010 @10:36AM (#32977696) Homepage Journal

    Just because you have a third party manufacture your hardware doesn't mean you shouldn't do your own QA. After all, it's your reputation on the line, not that of the nameless sweatshop contractor.

    So, yeah, this is thoroughly Dell's fault for not caring about their brand or reputation.

  • Re:Made in China (Score:3, Interesting)

    by hedwards ( 940851 ) on Wednesday July 21, 2010 @10:37AM (#32977710)
    It's worse than that. Even those of us that do realize it are kind of stuck. The model that saw outsourcing to China as the solution to pretty much everything more or less obliterated the midrange category for many items. It's really hard to find things these days that are midranged in price and quality. I don't generally need to go top of the line on things, but thanks to the outsourcing there isn't a whole lot of choice: I can cheap out, which usually isn't a good idea, or buy high end.

    The free market really doesn't handle the situation where there's a nascent market for something which investors are ignoring.
  • systematic attack? (Score:2, Interesting)

    by rebmemeR ( 1056120 ) on Wednesday July 21, 2010 @10:54AM (#32977926)
    Many parts are sourced from China. Would it not be distinctly possible for that government to experiment with such trojans? Most likely the evidence trail would be hard to track.
  • by Anonymous Coward on Wednesday July 21, 2010 @10:57AM (#32977966)

    Yes because barely literate people working in sweat shops have the technical expertise to plant a virus in hardware.

  • by Lumpy ( 12016 ) on Wednesday July 21, 2010 @11:22AM (#32978328) Homepage

    Incorrect. It's firmware, meaning it's software in a FLASH or EEPROM on rare occasions. That means it can be re-written by applications that know how to talk to it. Writing to a FLASH is not hard or a secret, in fact I wrote a self destruct years ago to screw with a kid that kept trying to break into our dial up server. It was called "Router Passwords.exe" and it simply tried to write FF FF FF to the beginning of the BIOS flash chip for several different common motherboards.

    It worked, the kid never tried to connect again after he downloaded that bomb.

    If it was a ROM, my trick would not work as you cannot update or write to ROMs.

  • Inexcusable (Score:3, Interesting)

    by mlts ( 1038732 ) * on Wednesday July 21, 2010 @11:22AM (#32978336)

    There are some issues where malware winds up in places, and that is something beyond the vendor's control. However, having the motherboard's BIOS infected is just plain not excusable. How can people have any guarantee of security if a maker's QA process allows this stuff to happen? Even if they offshore it to another contractor, the buck stops at the company whose name is on the machine. How can we be sure that replacing the management software and/or a BIOS reflash will take care of the problem?

    At least there are plenty of vendors to choose from in the x86 server market. IBM has some very good machines. HP always has had quality offerings. Oracle sells x86 and SPARC hardware, Cisco sells x86 servers that are decent. Even Apple has a top quality 1U server that can both work in a server room as well as a musician's rack.

  • by Anonymous Coward on Wednesday July 21, 2010 @11:34AM (#32978490)

    I know an assembly line in Tennessee that's full of Mexicans.

  • by evildarkdeathclicheo ( 978593 ) on Wednesday July 21, 2010 @11:35AM (#32978508)
    Is there even an option to purchase a "high quality" motherboard, or any computer components for that matter? Cheap mass-produced goods abound in many types of products, however there are usually options. I can buy a cheap Korean car or guitar, but I might choose not to, paying a premium for an item designed and assembled in Germany, the US, or even Japan. I realize that it's very expensive to produce electronics in the US, and environmental laws make it highly unlikely to happen here, but it seems there would be a strong niche market for "computerphile" goods given how damned cheap the mass produced junk is these days. I'd rather pay a premium for a high-quality home-produced video card based on last year's model than pay a premium for the "latest and greatest" mass produced piece of Chinese junk. Am I alone here?
  • by Tom ( 822 ) on Wednesday July 21, 2010 @11:36AM (#32978538) Homepage Journal

    No we haven't, and no they weren't forced.

    Dell decided to produce cheaper, in order to compete on price. They could have decided to compete on, say, quality, service, security, or any other area. They didn't.

    The "we the customer" meme should be shot on sight. It's from the 50s when we had something resembling free markets. Quick, how many major computer hardware manufacturers are there? So what are your choices, really? What are the choices of the general public, who know very little about computers or what goes into them?

    There's no such thing as customer decision. If at all, there is customer choice, among the products that are offered. The people who decide what kinds of products are available to be chosen from aren't the customers, it's some dudes in the marketing and product management departments.

    Don't make it too easy for them to avoid the blame. Nobody forced them to outsource to China. They decided to do it, because it would improve their bottom line. There are some - not many, but they exist - companies who made a different choice. Just because everyone else does it does not mean you have to do it - it just gives a manager with little interest beyond his yearly bonus a very easy excuse.

  • by kimvette ( 919543 ) on Wednesday July 21, 2010 @11:53AM (#32978750) Homepage Journal

    Dell was not forced to lower their price, they choose to compete on price alone.

    That is true of some of their desktops and low-end laptops - they're cheap in terms of both price and build quality, and the failure rate is abysmal.

    When you move up to the Precision line, everything changes. I bought a Precision M6400 notebook for the build quality, full keyboard, performance, and parts availability. It uses a desktop chipset, has a Quadro video card, more ports than pretty much any other notebook (plus ExpressCard and Cardbus/PCMCIA), and the best screen I could find (glossy 1080p with an RGB-LED backlight). I know the notebook will still be running three years from now, and if I need a part in five years, there's a 99% chance Dell will be able to provide the part I need. (and yeah, calling a mobile workstation a "notebook" is a stretch, I know - this thing weighs in at almost 10 lbs)

    Their servers - they're not bad at all, but proprietary wherever Dell can possibly make them proprietary, and even rebadged RAID cards which you would think are fairly standard, have firmware which makes them proprietary (their Perc line). I like their PowerVaults - the first time I set one up in a Windows cluster it was a royal pain in the ass though, because the jumper and DIP switch setting documentation was completely wrong, technical support had it just as backwards, so I was on my own. The chassis build quality was great though - almost up to anything from Chenbro or SuperMicro. If you price out any of the enterprise-quality servers, Dell is certainly not competing on price alone - in fact they are more costly than others. They compete based on their support contracts and their next-day parts or service delivery.

    They engage in predatory business practices though. If you are a Dell reseller and are quoting a number of servers or large number of desktops for a client, Dell will attempt an end-around and sell directly to your client.

    Also, the form factors they use are proprietary, locking you into Dell when it comes to upgrades, and - oops, you can't upgrade the motherboard in that server, guess you will have to buy a whole new server!

    Downmarket they compete on price. Upmarket they compete on service contracts and vendor lock-in.

  • by Low Ranked Craig ( 1327799 ) on Wednesday July 21, 2010 @11:58AM (#32978820)

    People can choose to take all things into consideration when making a purchase, or not. Look at the current "green" movement. People are buying things labeled as green even though they cost more, don't offer any additional benefit to the user, in many cases probably work worse, and in reality don't really help the environment all that much.

  • by Skuld-Chan ( 302449 ) on Wednesday July 21, 2010 @12:17PM (#32979072)

    That's a myth - the biggest reason companies outsource manufacturing to 3rd world countries is a greater return on profit. Instead of making 150 dollars per machine you might make 20 or 30.

    Good example of this - up until very recently Dell's corporate desktops (Optiplex line - in fact I'm typing this on a 745 that has an "Assembled in the USA" sticker on it) were made right here in the USA, and didn't cost all that much more than Vostro machines which are made in China. These are rock solid machines (haven't had to replace a single major component on any one of the 200 or so I'm responsible for).

    My brother used to work for an importer of Chinese goods (pens/no name TVs [I see them at Fry's all the time]/toys) you wouldn't believe the markup some of these goods have. Pens that sell for a dollar for instance they were buying for as little as 5 cents. 5 cents - think about how far they traveled, and how much effort it takes to make a ballpoint pen that you can make 95 cents profit off of. A lot of these 5 cent pens were toys on the side as well (light up, or have an etch-a-sketch attachment on the end - stuff like that) that sold for 2-3 dollars.

  • by Pharmboy ( 216950 ) on Wednesday July 21, 2010 @12:17PM (#32979078) Journal

    I can't speak for China, but I know that Moldova (the poorest country in Europe) is the cheapest place to build in Europe yet a large portion of the population has some college or a full degree, and an overall literacy rate that rivals the US. Perhaps due in part to being a former SSR. Poverty is not caused only by a lack of education.

  • by Anonymous Coward on Wednesday July 21, 2010 @12:45PM (#32979422)

    One problem is that, while computer design and production have been thoroughly "nativized" to the consumer market as commodities, there seems to be no consumer review or advocacy group that can evaluate hardware quality issues where they live.

    As a result, computer reviewers talk a lot about features, pricing, and the marketing plans of chipmakers, plus items like keyboard feel and fit and finish, but don't discuss matters like the quality of the capacitors in the power supply, the firmware in the BIOS, or other issues having to do with the quality of electronic components and other matters that are too far "under the hood" to be discovered by benchmark testing or subjective door-slamming and tire-kicking.

    Is it realistic to suggest that somebody or some bodies could fill this niche and actually evaluate consumer computer quality in some depth--or are we just asking for information that's not available to be evaluated?

  • by Waffle Iron ( 339739 ) on Wednesday July 21, 2010 @02:43PM (#32981298)

    Are you aware that rational choice / homo economicus is one of the basic assumptions economists use to build their models and theories because it makes it mathematically tractable?

    Yes, and somehow free-market infatuated economists come to the exact opposite conclusion that I pointed out. They claim that the free market finds the optimal solutions when it obviously can't.

    What's worse, they assume that the results of adding up a bunch of individual decisions can be modeled with simple linear mathematics and can be used to fine tune policy. Then when their models are driven into a nonlinear or chaotic zone and spectacularly blow up every few years, they just shrug it off and keep doing the same thing. But incredibly, people keep buying the snake oil peddled by these cargo cult "scientists".

  • by sjames ( 1099 ) on Wednesday July 21, 2010 @07:13PM (#32984594) Homepage Journal

    It's not THAT big a leap. It can intercept system functions in the background leaving NO evidence at all on the actual server. It doesn't matter what OS you install or how much AV software you run. You can even check the system BIOS if you're extra paranoid and still not even touch the spyware hidden in the system.

    It may not be literally in the hardware but it's considerably deeper embedded into the server than any virus reported up to this has ever been.
