HP Admits Selling Infected Flash-Floppy Drives

bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin. Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space. A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois. Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."

In case anyone wonders

[initialE]

The main purpose for having floppies in servers is because Windows requires them to install mass storage drivers during installation on hardware such as RAID arrays and SATA drives

Re:

[MBCook]

That makes sense. But why would I want a flash drive built into it also?

If I want a flash drive, I want it to be smaller than a floppy drive.

If I want a floppy drive, then I'm using floppies and don't need the flash storage.

Re:In case anyone wonders

[Qzukk]

But why would I want a flash drive built into it also

Because it makes the thing useful when you're not installing windows.

Re:

[Rob the Bold]

That makes sense. But why would I want a flash drive built into it also?

One less thing to lose. Twice the utility. Half as many things to plug in. I don't think you care too much that a flash drive designed for servers is too large to easily stuff in a pocket, it's just gonna be sitting in a drawer in the server room, right? Besides, I've got a toaster/oven. HP sells scanner/fax/printer/copiers, why not a floppy/flash? Nash Amphicar?

Re:

[archen]

I don't put floppies into machines, however I DO need them to install old os drivers from time to time. With this I could put the driers onto it with the regular flash interface, then disconnect it and put it into the target machine temporarily during the installation.

I hope you just need to reformat these things because I've been looking for exactly this type of device for a long time (and haven't found any).

Re:

[rickb928]

I've had success in the past using HP's USB tools to create floppy-formatted USB keys and install drivers with that. It's worked on several ProLiant servers... Well before this particular gaffe, and not HP-branded keys. The servers passed all their security checks 2 years ago.

You can do it without the HP keys, just use their software to prep the stick.

Re:

[couchslug]

Those HP tools are also popular for prepping USB sticks to boot DOS, Linux, and BartPE.

Re:In case anyone wonders

[MBCook]

OK, I missed something. I don't know if anyone else did because it the summary wasn't clear to me.

This thing is not an actual floppy drive with some flash storage built in, which is what I thought (and a somewhat stupid idea). It's a standard flash drive that is capable of identifying it's self like a floppy drive so that Windows will find it when looking for a floppy drive.

That's actually a very smart idea.

With that detail this this is not a real floppy drive of any kind, this all makes more sense. Question withdrawn.

Re:In case anyone wonders

[utopianfiat]

Does anyone here have a problem with the fact that HP is clearly not checking the contents of their drives before they leave the factory? Because I think that's pretty important.

Someone's going to reply "blah blah chain of supply blah blah limited liability" but (back in my day) a manufacturer was liable for tainted/poisoned product that originated at the manufacturer. Everyone should be able to demonstrate that a product works before selling it.

Re:In case anyone wonders (OT II)

[Anonymous Coward]

Someone's going to reply "blah blah chain of supply blah blah limited liability"

Naw, I'm just going to reply 'offtopic' since your post had nothing to do with GP's comment...

Re:

[Workaphobia]

I would think the fact that malware even made it on there at all is indicative of a failure at the same point where they would do such checking, unless they specifically design an extra stage into the process. In any case, I don't think anyone's arguing that HP isn't responsible, liability wise, but that doesn't mean they need to adjust their process to incorporate such checks. Let them decide how to handle changes to their system after they're sued; it may be easier to simply eliminate whatever rogue eleme

Re:

[Bat Country]

You read the article?

Turn in your Slashdot user id and get out now.

Re:

[Nwallins]

This thing is not an actual floppy drive with some flash storage built in, which is what I thought (and a somewhat stupid idea). It's a standard flash drive that is capable of identifying it's self like a floppy drive so that Windows will find it when looking for a floppy drive.

This past weekend I had to flash the BIOS on a Tyan server mobo (K8SRE). I have no floppy and the current (and new, as well) BIOS won't boot off USB. What to do? Ensure grub and syslinux are installed. Have a floppy image ready (http://bootdisk.com/bootdisk.htm, or Ubuntu CD)

1. copy floppy.img to, say, /boot/dos/
2. copy memdisk (executable) to /boot/dos/
3. add grub entry:

title Floppy Image
kernel /boot/dos/memdisk
initrd /boot/dos/floppy.img

Now, when the floppy image loads, I will only have access

Re:

[Actually, I do RTFA]

I thought you could use any USB drive to install mass storage drivers. It's been a while since I installed XP, but I remember that the installer saw my USB key.

Re:In case anyone wonders

[initialE]

What you were probably seeing was an emulation layer provided by your motherboard. HP has that even in it's lower end servers now, except that they use it to provide virtual floppies over the network, through their ILO interface. Also handy for doing remote shutdowns and startups. The idea must not have caught on, that's why they're selling these.

Re:In case anyone wonders

[Cheesey]

When I tried to install XP, I found it could recognise a USB drive. It would even allow me to install Windows onto it! But it wouldn't read the SATA drivers off it. I needed to find a working floppy disk in order to get those drivers onto the machine!

Reminded me of Slackware back in the mid 90s. It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead. The installer boots from the CD and includes all the drivers? What crazy person thought of that insane idea.

Re:In case anyone wonders

[cyanid3]

When I tried to install XP, I found it could recognise a USB drive. It would even allow me to install Windows onto it! But it wouldn't read the SATA drivers off it. I needed to find a working floppy disk in order to get those drivers onto the machine! Reminded me of Slackware back in the mid 90s. It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead. The installer boots from the CD and includes all the drivers? What crazy person thought of that insane idea.

You can slipstream your storage drivers into your Windows installation media with nLite (www.nliteos.com). Just add them as textmode drivers and the setup will pick up your storage controllers without any fuss. Vista, otoh, allows you to supply drivers via USB drives too.

Re:

[Cheesey]

Good suggestion. I did try doing this, but could not make it work. After a few attempts, I got my modified Windows CD to boot, but it didn't pick up the new drivers. In the end it was easier to buy a box of floppy disks.

Re:

[couchslug]

When you have problems with such stuff, it wouldn't hurt to list the hardware involved. Chances are high someone else has had and solved the same problem. I've never had slipstreaming problems, but I throw all the likely drivers I can find on the CD the first time to improve my odds.

Re:

[toddestan]

I got it to work, pretty much had no choice as it was a laptop so I couldn't add a floppy if I wanted to. Ended up with about 6 coasters plus the one disk that finally worked. Turns out you need to add the driver twice - once so the installer picks it up, then again so the installer knows to copy it to the harddisk. Otherwise, the first part of the install will run fine, then it will totally fail to load after the first reboot.

Re:

[Amouth]

to be honest if you are installing windows on servers in a data center.. you build the required rivers into the install image.. sure it takes a bit of work to set up .. but it makes life far far far easier in the long run..

if it is 1 machine to install then sure put a floppy in .. if it is 10+ build your own install image

You should use the Driver Packs on your XP Disk

[Joe The Dragon]

You should use the Driver Packs on your XP Disk
http://driverpacks.net/DriverPacks/ [driverpacks.net]

Re:

[Digital Vomit]

It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead.

Why is this not rated +5 Funny?

Re:

[Hal_Porter]

Why not just slipstream them? You usually want to put in a extra SP too, so you might as well put in the mass storage drivers too.

In fact mass storage drivers is a bit of mismomer. I think most of the time theproblem is that the Bios on a new machine puts the SATA controller in AHCI mode instead of of legacy compatible mode. XP doesn't include AHCI drivers.

So it's sort of handy to put the Intel MaAHCI drivers on your slipstreamed XP+SP2 CD. I know it works on boards with an Intel SATA countroller in AHCI mo

Only on WinPE 1.x

[SEMW]

The main purpose for having floppies in servers is because Windows requires them to install mass storage drivers during installation on hardware such as RAID arrays and SATA drives

IIRC, Only on Windows installers that use WinPE 1.x. That includes 2003 Server, but not 2008 Server (which uses WinPE 2.1). So hopefully now floppies should actually become a thing of the past.

Not, of course, that that in any way absolves MS -- it's still shocking that floppies were sometimes needed for a server OS released a mere half decade ago! Although at least you could always install remotely over a network using RIS [wikipedia.org] or WDS and avoid the issue entirely, which is I suppose what most enterprises

Re:

[dave420]

Most shops use slipstreamed Windows CDs with all necessary drivers pre-installed, not floppy disks.

Re:

[msromike]

Uh, I guess that's one way (if you like the retro approach.) Another way is with a USB hard drive, USB pen drive, CD Rom, DVD, etc.

Also iun the news

[Project2501a]

Unattended Windows 2k3 installs with slipstreamed drivers (from DVD) and/or Windows Deployment Services.

I've never seen a "welcome to such and such" screen in over a year

Security improvements

[headkase]

Although still in a woeful overall state, Vista has one critical security difference from XP that helps here. By default in XP the device will autorun. By default in Vista it will ask you if you would like to autorun. So in Vista you can plug a new device when it asks you to autorun say No and then format the sucker. This default is something Microsoft should seriously back-port to XP.

Re:

[Raineer]

Totally agree, good thoughts. I still don't like their response that it is "obviously a targeted attack", how the hell does an attack start at the FACTORY?

Where's the factory?

[absurdist]

China?

Perhaps it's a test run.

Re:

[Dr. Cody]

I've purchased/received three MP3/video players during trips to China, and both of them had viruses on them. China is the next big market for botnets, I suppose.

Re:

[Dr. Cody]

grrrr "All three," that is.

Re:Security improvements

[Lxy]

There's an option in Group Policy to disable autorun on all drives.

Start --> Run --> gpedit.msc
Computer Configuration --> System --> Turn of Autoplay
Enable on all drives

You're right, this should be default, but at least there's a fix.

Re:

[140Mandak262Jamuna]

Thanks. This is precisely the info I was seeking. Would have modded parent +1 informative if I had mod points.

Re:

[creepynut]

Unfortunately, you can't use the Group Policy Editor on Windows XP Home Edition.

In addition, it's nice to have the autorun. Having a dialog asking permission is a nice balance I find.

Re:Security improvements

[SEMW]

Unfortunately, you can't use the Group Policy Editor on Windows XP Home Edition.

Who in their right mind would have XP Home edition installed on an HP ProLiant Server?

Re:

[Nimey]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


We're deploying that here to stop Autorun viruses that can start via just opening the drive (or right-clicking on Explore, etc.). Nasty things enabled by a Windows design flaw reminiscent of Outlook Express 4 opening attachments automatically.

Re:Security improvements

[Actually, I do RTFA]

Computer Configuration --> Administrative Templates --> System --> Turn of Autoplay

Re:

[PRMan]

Or you could just hold down Shift...

Oops, Switchfoot nearly got sued by Sony for mentioning that...

Re:

[TheGratefulNet]

with xp-pro its easy to find the group policy GUI tool and click on autoplay and autorun and DISABLE THAT CRAP.

I agree it should come disabled! but then, bill was trying to play catchup with the mac. remember, the mac had been polling floppies so that the user could just insert the floppy and not have to click an 'open' box (oh, so much work for poor mac users!).

that must be the reason why MS thought 'auto media detect' was a good idea.

but its the dumbest idea from a security POV. just another illustrati

Re:

[nicklott]

Great, but who puts either Vista or XP on a proliant server?

Re:

[jimbobborg]

Exactly. And it doesn't state whether it affects only Windows servers. Anyone running Unix or Linux on their Proliants and getting hit with this?

Re:

[headkase]

The general situation is that you're plugging new removable media into your system. Getting into specifics it applies less but the general rule remains.

Re:

[Actually, I do RTFA]

Great, but who puts either Vista or XP on a proliant server?

Right, I use Win98. The occassionally having to reboot (every 28 days or so) is made up for by the fact that I know I won't every get bothered with 'updates' again.

Re:

[Fast Thick Pants]

I've always kept this "noautorun.reg" file around as part of my standard 2k/XP installation:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

Supposed to turn off autorun for all possible drive types, an

Re:

[Fast Thick Pants]

BTW, the "outlandish solution" I linked to is the same one suggested by Nimey a couple posts above.

Re:

[blincoln]

By default in XP the device will autorun. By default in Vista it will ask you if you would like to autorun.

Maybe that's true if you have the User Account Control incessant popups enabled. If you turn that off, then it will autorun USB storage devices just like XP, which is stupid. There is no good reason to autorun R/W media. I would argue there's no good reason to autorun read-only media either, but it's definitely true for R/W.

I accidentally infected my PC with what appeared to be a factory-installed worm

Strange (as insider activity?)

[nweaver]

The speculation that it was deliberate activity does strike me a little strange:

If you are going to get your malcode onto this, why do something old and crufty when you could do something new.

IIRC, this is used for BIOS updating as well as windows driver schlepping. So why use old-n-crufty known malcode when you could get a clean rootkit (no existing signature) and install it that way.

Re:

[Thelasko]

So why use old-n-crufty known malcode when you could get a clean rootkit (no existing signature) and install it that way.

How do you know they haven't?

Re:

[apoc.famine]

Because if they had, they wouldn't draw attention to this security issue with an easily identified worm. At least, if I were them, I wouldn't call attention to my rootkit like that.

More than likely, it was some low-payed worked who was given a few weeks wages by someone looking for a quick buck, not some super-skilled haxor out for world domination.

Re:

[Dr. Cody]

Their Chinese suppliers outsourced the malware the US.

Re:

[Thelasko]

The malcode that was caught may be "old-n-crufty" but what about the code that wasn't caught? This could be an oversight by a more sophisticated attacker, or a script kiddie replicating something seen elsewhere.

Most likely it's a crime of opportunity. Like stealing a car that had the keys left in it.

Software on these drives? Use Linux to format.

[deragon]

I do not understand it. Do these USB drives are meant to come with software? I believe they are just formated. If such is the case, then they should use some non Windows machines such as Linux to format them with Windows filesystems. I fail to grasp how on a factory floor where drives only need to be formated, worms have an actual chance to jump on the drives. This can only happen if they are using web connected and unsecured Windows machines to format them.

Re:

[anss123]

The malware has not necessary infected the factory. The flash disks probably comes with some software tools, and it might be these tools which got infected.

Could also have been a disgruntled worker.

Re:Software on these drives? RANT!!

[h.ross.perot]

Possibly; the big 3 do deliver support tools on customer facing media. I would gander the following guess: This is what you funk-tards get for outsourcing; keep it in house OR keep the Quality control persons on YOUR payroll. That way you can fire them when things run afoul. (Soapbox mode OFF)

Re:

[Pascoea]

This can only happen if they are using web connected and unsecured Windows machines to format them.

All you have to do is throw in the human element. The first factory worker that plugs his ipod or flash drive full of music into the computer he is using to test/verify/format these devices you are finished.

I've worked as a technician in an electronics manufacturer, the human element is a huge one to contend with.

Re:

[Intron]

Most likely some employee was using the work equipment for his/her own project and accidentally infected the system. Deliberately targeted does seem unlikely.

So where's the recall?

[Animats]

Here's the HP HP security notice. [hp.com] This was discovered in January/February, according to HP, but not announced by them until April.

Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.

Here are the part numbers:

• Part # 442084-B21 HP 256MB USB 2.0 Floppy Drive Key
• Part # 442085-B21 HP 1GB USB 2.0 Floppy Drive Key

They're still for sale on Amazon [amazon.com], for example.

In a situation like this, HP should recall the product and reissue a replacement product with a new part number to distinguish old product from new product.

Because...

[Anonymous Coward]

HP's recall supply chain will dump the recalled product to shady asset recovery firms and it will just end up on Ebay and not destroyed.

(Where do you think recalled Dell batteries went?)

Anonymous for a reason.

Re:

[mgblst]

Good, all they need is a reformat, then they will work again. I hope they don't get destroyed just because they have some bad data on them.

Re:

[snowful]

Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.

All their recall resources are probably still being used in the HP/Compaq laptop mainboard replacement fiasco. Just had mine done.

Re:

[_KiTA_]

Here's the HP
HP security notice. [hp.com] This was discovered in January/February, according to HP, but not announced by them until April.

Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.

Here are the part numbers:

• Part # 442084-B21 HP 256MB USB 2.0 Floppy Drive Key
• Part # 442085-B21 HP 1GB USB 2.0 Floppy Drive Key

They're still for sale on Amazon [amazon.com], for example.

In a situation like this, HP should recall the product and reissue a replacement product with a new part number to distinguish old product from new product.

Is it a 100% Infection Rate? Is it a specific site that's infecting them? A specific QA tester's machine? Is it Possible for them to just replace the ones that are out but unsold, reformat the returned ones, and reship them?

These are important questions that I would be willing to wager HP's asking themselves in private.

What about BIOSes?

[Anonymous Coward]

What stops those who were able to put viruses in USB sticks from installing viruses in BIOSes directly in the factory?

Dear Smart People,

[publicopinion5]

I'm one of those people who doesn't really belong on slashdot due to my outrageously inadequate computer skills. I just appreciate the actually intelligent discussion devoid of complete morons that I couldn't find anywhere else. But question for the people who do belong here: how is deliberately infecting your own products even close to a good idea? I can't imagine this is going to get half the press it deserves, but if this somehow got out past computernerdland (no offense meant), wouldn't that turn millio

Re:

[Silver Sloth]

intelligent discussion devoid of complete morons

Sorry, this is /. you're talking about, isn't it. Ah, you must be from Bizarro world.

Re:Dear Smart People,

[SEMW]

No-one's suggesting that this was a deliberate policy decision by HP; the suggestion is that it was a disgruntled worker or somesuch that did it deliberately for some unknown ends.

Corporate Response Missing

[CambodiaSam]

Neither articles indicate that HP is planning on making changes at the factory floor level to prevent further infection. If their only response is to scan and clean it myself, then I might be motivated as a consumer to purchase my flash drives with a big "Gauranteed Fully Formatted" on the box. Plus, this seems REALLY sloppy to me. If HP is allowing this type of software to slip into flash drives, what other types of defects, errors, and all around laziness is going on with other products?

Let me guess

[Malevolent Tester]

Made in China?

Re:

[Digestromath]

I think the dead giveaway was on their feature list.

Your hybrid flash drive is protected from high energy EM radiation by a healthy and brightly coloured coating of heavy lead paint!

Flash/BluetoothThumbdrive?

[Doc Ruby]

Has anyone seen a single thumbdrive that includes Flash storage and a Bluetooth antenna, all in one little (and hopefully cheap) device? Perfect would be a Bluetooth dongle with an SDIO, MemoryStick, or CompactFlash slot for detachable memory, but just some permanently bundled Flash on the Bluetooth would be good.

Proliant diag. CDs don't recognize other drives...

[ramirez]

An intersesting things about this is that HP ships diagnostics CDs with their Proliants (PSP "Proliant Support Pack"). The offline hardware diagnostics CD can provide a lot of data, which needs to be provided to HP to get support (sometimes). The diagnostics software has the option to write the data to a USB device. I've tried 3 different types of USB drives and none of them were recognized by the software... I was told by HP support that the USB floppy drive that they provide would work.

Fortunately, we

Advisory's recommendion is braindead

[vic-traill]

From the advisory:

If the optional HP USB Floppy Drive Key has been used in an environment without current (up-to-date) anti-virus software then the W32.Fakerecy or W32.SillyFDC virus may have spread to any mapped drives on the server. In this case HP recommends that the server and mapped drives are scanned with current (up-to-date) anti-virus software.

Does HP actually think that a potentially worm-infected server should be a/v scanned and (possibly) cleaned, and that's the end of it? That's beyond dumb; any production server so exposed requires a bare-metal rebuild. In the absence of a tripwire-esque delta, you have no understanding of the state of the server installation after undergoing an infect/clean cycle, and there's no way that box should be left in production in that state.

Doesn't suprise me

[Bryansix]

This doesn't surprise me. HP is also partnered with a company called Presto that says in a radio ad that computers are "Expensive (and) hard to use".

This is an ugly situation

[erroneus]

But it is not without precedent. I have heard of device driver floppies and CDs shipping with viruses and the like in the past... as long ago as 10 or more years in fact. The sad thing isn't that it happens. The sad thing is how telling it is of their product QA standards.

They should have clean and isolated systems in place for development and manufacture that isn't connected to the public internet in any way. Furthermore, anything that reaches the public should first be inspected through tight QA standards. The public expects that of high profile manufacturers... worse, the public presumes high QA standards.

This takes me back to a point I was attempting to make in another discussion about the differences that often exist between public expectations and what a company actually delivers. Often times the public never notices the difference, but some times, those differences slap people in the face rather rudely at inopportune times.

I'm not sure when it started to become more common practice to move away from fulfilling public consumer expectations occurred. But the public consumer isn't aware that this shift has occurred yet. But evidence of the quiet shift has been placed in every EULA as far back as anyone can remember that contains disclaimers that their product is suitable for any purpose at all. The laws of some countries and states of the U.S. do not permit the enforcement of some of these disclaimers, but it never stops them from trying to put it past the consumer just the same. But the ugly reality is that 'legal standards' trump quality standards every day that appears on the calendar.

How does it happen?

[KingPrad]

How did they not catch this? Surely every 1000 of these, they pull one off the line and plug it into a computer to check that it actually works, right? Or every 10,000? Don't manufacturers do any kind of continuous QA of the actual product?

Wouldn't an alert from a virus scanner make someone think "that's not right..."?

So basically they didn't bother sparing 5 minutes once a day or week to check one of these things? Nice.

Who made them? What country? What are HP QCs?

[dickmc]

What is notably left out is: Who made them and in what country? What are normal HP quality controls? What is HP planning on changing to prevent this in the future?

china...

[hesaigo999ca]

Its simple , the infection happened when they outsourced to China to build the flash drives, and do not have a quality control set in the middle as it arrives into our country without delivering directly to store warehouses...problem and i speak from experience with the textiles importing industry based out of china, is that when you have no quality control in place to review this stuff, such as a drive verificator that you would plug all drives into before sending out, and letting that be in the hands of the Chinese, who are at the root of the cyber attack problem against the states right now, is that they could be putting anything on those drives and we don't check...

Coincidence?

[rickb928]

I see a story about Hannaford Bros (supermarket chain in the Northeast U.S.) servers being pwned, sending credit card numbers all over. And they passed PCI, seeming to be secure enough for the card industry. Darn, pwnage is so sucky, especially when your SERVERS are compromised.

Now I see this story about HP accidentally selling branded keys with worms pre-installed. Darn, selling malware is so sucky, especially when you sell it to your favorite customers, for example server customers.

Any chance not just Hannaford, but other HP customers are nailed by this?

The takeaway from this episode, for those of you who aren't quite getting this:

- When you buy a USB key, be sure your machine(s) have functional antivirus and antispyware running,and it's updated.

- Look around for instructions on keeping stuff like USB keys from autorunning. Make it so.

- Format that rascal USB key immediately. Immediately. IMMEDIATELY.

- Don't buy USB keys cause they have cool software preloaded. Pointless to CHOOSE to risk infection. make the manufacturers pay for this by avoiding/refusing this crap. Just sell me a simple key, ok? Sheesh...

And trust no one and no thing.

Amazing, is all I can say. And yes, I wonder if these were manufactured and loaded in China. Bet they are.

We are in so much trouble. Mark my words, soon, 'Made in China' will really mean 'Pwned by China'. If ti doesn't already.

Re:

[toddestan]

So, do you also plug the USB drive first into some computer you don't care about just in case it dead shorts the power leads or something like that too?

Re:

[rickb928]

No, silly. You take the reasonable precaution of formatting unknown media. You don't really know where it's been.

And I haven't fried anything with a bad USB-whatever in my career. I may live a sheltered life, but usually USB ports survive really bad stuff plugged into them, with spectacular exceptions I'm sure.

It's just not prudent to believe your new storage media is clean as whistle. Even hard drives.

Re:

[narf]

Hannaford tried that. Didn't work out so well.

Re:

[rickb928]

Easy for you to spew.

Surprisingly, much of the software Hannaford settled on using is jut plain Windows. They did use some Sun for certain things, but the store servers were almost all Windows.

I'm unaware of any settlement software available for *nix. There must be some, but I haven't look so hard for it. And Hannaford isn't unique in the industry for using Windows.

It wasn't long ago that Blockbuster used Alpha-based servers at the stores, running customized SCO SysV. nasty, but it worked really well.

Re:

[Anonymous Coward]

HP has a really big internal network. HP has a lot of people who take their work laptops home and dial VPN into the HP network.
So when your laptop is at home, you go on the internet, get infected. Then you dial into the VPN or bring your laptop back to work.
HP also has a culture of keeping bad news quiet. Got to find the leakers! Who let that information out to the public?!?

I personally witnessed a major worm outbreak at HP some years ago. Of course, it was never disclosed publicly.

People who think tha

It wasn't me...it was the one armed HP server!

[insanemime]

See Honey, it's HP's fault that porn was on our computer! All 3 terrabytes of it...nasty bugs. *whistles innocently*

But it's a server...

[Shuntros]

What kind of idiot runs a workstation OS on a SERVER? Last time I looked, proper server operating systems didn't "autorun" things, especially w32 executables!

HP software is malware *anyway*

[joe_n_bloe]

Anyone who has ever installed an HP scanner or All-in-one knows that the consumerware/bloatware that HP deliberately installs is truly awful. The print monitor behaves strangely, faceless apps hang and get respawned without the existing processes being killed, all kinds of crap is installed that is difficult to remove, and et cetera. If you don't seek out and install the thin "enterprise driver," and find alternative helper apps, you wind up with all this junk.

So I don't see what the big deal with shipping some more malware is. It's HP. *shrug*

"pre-infected" means not infected

[EllynGeek]

The important points that are actually pertinent to the article have already been addressed by other slashdotters, so I will take on the thankless but heroic job of grammar nitpicker. The drives were infected. They were not pre-infected. (hey, I had nothing else to do for five minutes. and the poor old "pre" prefix is almost as shamefully abused as "loose/lose".) Literally, pre-infected means before infection, or not infected. Trust the words, grasshoppers- they aren't improved by adding useless or incorrec

Re:

[EllynGeek]

Ha, you're a notorious non-tipper anyway!

While we're talking naïvety

[xouumalperxe]

From the summary:

"I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois

I think it's also pretty naïve to assume that it is a targeted attack, as such an assumption shifts the blame enormously. While a targeted attack is arguably more dangerous and more worrisome for a certain group of people, such an attack could happen at any number of stages of fabrication, so the fabrication process itself isn't to blame. Reversely, if a random infection makes it to a device sold as a server accessory, that puts both fabrication and quality assurance at fault, the former allowing the infection, the latter for not detecting it. If that's what happens to enterprise products, one has to wonder how much crud gets through in consumer stuff.

I've seen this kind of thing before

[Whuffo]

Products shipping with unplanned "additions" has been going on for years. I remember well when a software company I worked at had something like this come up - the install floppy in our shrink-wrapped packages had a boot sector virus on it.

After digging into what happened it was found that the duplication house where our disks were being duplicated had a QC station where each one was tested to verify a good recording. The operator of that station faced a brain-numbing job; insert disk, hit enter, remove disk, repeat. Of course, that job was filled by the production manager's son - who filled in his free minutes by playing a "free" copy of a game that he got from "someone" on the QC machine.

We had to recall all the packages and ship free disinfecting software to everyone who had bought one; fun times. The duplication house (grudgingly) paid the cost of cleaning up the mess, then we found a different duplication house to use in the future. This time we checked their procedures out a little more closely before signing up.

Something like this is probably what happened to HP. The factory where those drives were made had some worms / viruses loose on their network and when the new drives were plugged in for testing / formatting the malware automatically copied itself over. This would happen after the format / test was complete; the operator wouldn't even know it happened.

Sloppy security practices at the factory was most likely the "source" of the problem. They weren't evil, just stupid. But for HP to know about this and wait for 3 months before letting their customers know - that's criminal. At least it should be...

HP loaded the gun, but who pulled the trigger?

[rharkins]

I'm not trying to diminish HP's responsibility for this mess, but if any server admin admitted that they had picked up one of these worms from any other vector, the commenters here would have spitted and roasted said admin for gross incompetence. Any systems vulnerable to this crap are likely to have much bigger problems in store.