Slashdot Mirror


Dell Ships Infected Motherboards

An anonymous reader writes "Computer maker Dell is warning that some of its server motherboards have been delivered to customers carrying an unwanted extra: computer malware. It could be confirmation that the 'hardware trojans' long posited by some security experts are indeed a real threat."

326 comments

  1. Wow, Dell... by gorzek · · Score: 4, Funny

    That's some great QA you've got going on over there.

    1. Re:Wow, Dell... by hedwards · · Score: 4, Funny

      Dude, I'm getting a GENERIC VIAGRA!

    2. Re:Wow, Dell... by Taco+Cowboy · · Score: 1, Informative

      Can't really blame Dell.

      In this world of outsourcing, those who outsource the server fabrication themselves outsource other parts to other sub-contractors.

      And Dell is not alone in doing this. Almost all the brand name computers (and almost all types of electronic gadgets) are one-way-or-another outsourced.

      --
      Muchas Gracias, Señor Edward Snowden !
    3. Re:Wow, Dell... by gorzek · · Score: 5, Interesting

      Just because you have a third party manufacture your hardware doesn't mean you shouldn't do your own QA. After all, it's your reputation on the line, not that of the nameless sweatshop contractor.

      So, yeah, this is thoroughly Dell's fault for not caring about their brand or reputation.

    4. Re:Wow, Dell... by Taco+Cowboy · · Score: 1

      Logistics, my dear sir, logistics.

      --
      Muchas Gracias, Señor Edward Snowden !
    5. Re:Wow, Dell... by Richard_at_work · · Score: 4, Insightful

      Unfortunately you cannot QA 100% of everything you ship without significantly affecting costs - as the article states, Dell is saying that this affects a small number of motherboards sent out in a particular manner, so it's quite possible that this slipped through a random item QA testing net out into the open without there being any real QA procedure issue.

    6. Re:Wow, Dell... by Anonymous Coward · · Score: 0

      well then you can really blame Osama bin Laden for 9/11, after all he was outsourcing

      RIGHT?

    7. Re:Wow, Dell... by gorzek · · Score: 2, Insightful

      But these are servers, not consumer desktops. I guess it was naive of me to think there would be better quality checks on server hardware. Double dumbass on me.

    8. Re:Wow, Dell... by ElectricTurtle · · Score: 2, Insightful

      The issue probably was the procedure. Is it really a coincidence that these boards missed QA? I doubt it. If even one of the boards were caught before distribution, wouldn't there have been an investigation that would have stopped the rest? These boards were probably deliberately injected at intervals designed to pass through known gaps in the QA intervals, assuming the QA people weren't somehow complicit themselves.

      --
      I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
    9. Re:Wow, Dell... by Yvan256 · · Score: 1

      Tell me about it. We're a Canadian company and have sub-contractors in China that are supposed to make parts for us. However we have learned that our Chinese sub-contractors have themselves sub-contracted another company in India, which themselves sub-contracted another company in Mexico, which themselves sub-contracted another company in the USA.

      The kicker is that we make parts for a company in Japan that resells them to an unknown client that requires the label on the product to read "Made in Alpha Centauri" for some reason.

    10. Re:Wow, Dell... by Richard_at_work · · Score: 1

      Is it really a coincidence that these boards missed QA? I doubt it.

      Is it really a coincidence that *any* of the publicly reported faults with anything missed QA? Does everything have to be a conspiracy these days?

    11. Re:Wow, Dell... by Lumpy · · Score: 1

      This is not like the olden days when server hardware was high end and robust. Dell and many other servers are now glorified workstation hardware for server use. The PowerEdge R410 is a low end 1U rack server. The motherboard is not much different than the Workstation grade stuff.

      --
      Do not look at laser with remaining good eye.
    12. Re:Wow, Dell... by Nadaka · · Score: 1

      Tell me about it. We're a Canadian company and have sub-contractors in China that are supposed to make parts for us. However we have learned that our Chinese sub-contractors have themselves sub-contracted another company in India, which themselves sub-contracted another company in Mexico, which themselves sub-contracted another company in the USA.

      Let me guess, your company was sub-contracted by a company in the USA to make a part remarkably similar to the one you needed?

    13. Re:Wow, Dell... by dave420 · · Score: 1

      Nothing the post you replied to says there isn't better QA for servers. You just seemed to read that into there somewhere.

    14. Re:Wow, Dell... by Anonymous Coward · · Score: 0

      No, but that's what they *want* you to think.

    15. Re:Wow, Dell... by Anonymous Coward · · Score: 0

      And the Woosh of the Year award goes to Nadaka.

    16. Re:Wow, Dell... by Tracy+Reed · · Score: 1

      The problem is not that they did not QA every single part they shipped. The problem is that they did not QA the process through which those parts are made. Why would they even have a Windows system anywhere near production? And if they were going to have such a system why wasn't it better secured? That is the issue here.

    17. Re:Wow, Dell... by Anonymous Coward · · Score: 0

      yes you can, you reduce the paychecks of the execs, cut their bonuses, and magically you have a billion dollars free to QA your shit

    18. Re:Wow, Dell... by ElectricTurtle · · Score: 1

      Yes, a conspiracy should be considered when there is a motive to ship 'bad' parts. Somebody wanted these things distributed, a factor not held in common with mere accidental defects that are missed now and then.

      --
      I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
    19. Re:Wow, Dell... by mark72005 · · Score: 1

      And I am R3F1NANC31NG H0M3 M0RTGAG3 4 P3NNI35 0N TH3 D0LL3R!!!!

    20. Re:Wow, Dell... by captainClassLoader · · Score: 1

      Yes, logistics are an issue, but other industries do this. There are a few electric guitar manufacturers (Paul Reed Smith and Reverend come to mind) who outsource some (PRS) or all (Reverend) of their production to Korea, and then do final setup and QA in the US.

      --
      "The plural of anecdote is not data" -- Bruce Schneier
    21. Re:Wow, Dell... by Anonymous Coward · · Score: 0

      Right. It has the name Dell right on the front of the computer. Damn straight it's their fault.

    22. Re:Wow, Dell... by BronsCon · · Score: 1

      No, he got it... he was actually adding another twist to it.

      You can have your Woosh back now.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    23. Re:Wow, Dell... by GooberToo · · Score: 1

      Yes, a conspiracy should be considered when there is a motive to ship 'bad' parts.

      Dell has a motive to damage their reputation?

    24. Re:Wow, Dell... by Anonymous Coward · · Score: 0

      It seems you both missed the last part about Japan.

    25. Re:Wow, Dell... by ElectricTurtle · · Score: 1

      Hey, this may be news to you, but companies are made up of *gasp* individual people! All you need is a few people who want some extra cash, get them to work in concert abusing the access that naturally proceeds from their position in the organization, and *boom* malware in the distribution channels.

      In other industries this happens all the time.

      --
      I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
    26. Re:Wow, Dell... by zigfreed · · Score: 1

      great QA

      The article was created based on a Dell forum post, which suggests it's a revision/replacement board, and that Dell found it, rather than someone outside. Getting parts that are compatible but not fully debugged happens; Apple, HP, and Asus have done it too.

    27. Re:Wow, Dell... by BitZtream · · Score: 1

      And it's still your fault when something slips through. So they can't be 100% sure, but it's still their responsibility and this is still unacceptable.

      There are, in fact, relatively cheap ways to ensure this doesn't happen, and there are several other industries that deal with overseas manufacturing and prevent this very thing from happening.

      It's amazing what you can do with a little bit of a clue and some effort.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    28. Re:Wow, Dell... by Yvan256 · · Score: 1

      And you all missed the part about "Made in Alpha Centauri".

    29. Re:Wow, Dell... by Anonymous Coward · · Score: 0

      Unfortunately you cannot QA 100% of everything you ship without significantly affecting costs - as the article states, Dell is saying that this affects a small number of motherboards sent out in a particular manner, so it's quite possible that this slipped through a random item QA testing net out into the open without there being any real QA procedure issue.

      Unfortunately you still have to take responsibility and deal with the ramifications of your QA failure. Because yes, there is indeed a real QA issue here. If there weren't, there would be no malware on the boards. There is no way to wiggle around that simple fact.

    30. Re:Wow, Dell... by syousef · · Score: 1

      That's some great QA you've got going on over there.

      My current DELL laptop once had a nonpaged memory pool leak that would cause the machine to die with a blue screen within between 12 and 24 hours. The only way to fix it was to restart. Hibernate didn't cut it. Once Windows started, you lost 4k at a time every couple of minutes till the non paged pool was exhausted. I tried everything and was about to reformat. In desperation I reset the bios and THAT fixed it. What the fuck!

      My point is, if you bought a DELL, you bought malware. My next laptop looks like it will either be an ASUS or a Toshiba.

      --
      These posts express my own personal views, not those of my employer
    31. Re:Wow, Dell... by dbIII · · Score: 1

      It's not as if they have much else to do to justify the name brand markup over buying white boxes from China.

    32. Re:Wow, Dell... by dbIII · · Score: 1

      Unfortunately you cannot QA 100% of everything you ship without significantly affecting costs

      Nearly every other industry is expected to do this so it's a fairly worthless argument.

  2. Dude, you're getting... by Farmer+Tim · · Score: 4, Funny

    pwned.

    --
    Blank until /. makes another boneheaded UI decision.
    1. Re:Dude, you're getting... by Anonymous Coward · · Score: 0

      I got dyslexiowned when I read the title as "Dell Boards Infected Motherships"

  3. why spend millions when you can spend billions? by roman_mir · · Score: 3, Insightful

    The Pentagon is spending millions on research designed to ensure it can trust the microchips in critical systems, especially those made outside the US.

    - I think the only true way to be sure is to manufacture the microchips yourself, of course this costs much more than millions.

    This comes down to the old question raised by Ken Thompson of Trusting Trust.

    1. Re:why spend millions when you can spend billions? by pinkushun · · Score: 1

      The chips could still be manufactured elsewhere, what is really needed is maintaining the firmware yourself, regulate the source with solid security policies, and flash the chips locally.
      Oh wait... closed source, yeah I guess that idea fails :p

    2. Re:why spend millions when you can spend billions? by Anonymous Coward · · Score: 0

      Or a slightly more practical solution: install the chips containing firmware after they've left the Chinese factories.

      Sure, it's going to cost them more, which is perhaps the only reason they haven't done it already. At the end of the day, nobody's going to be 100% trustworthy, but with the outsourcing of high tech manufacturing, something's got to give.

    3. Re:why spend millions when you can spend billions? by roman_mir · · Score: 5, Insightful

      Ken Thompson would show you how you'd fail in this anyway. You'd THINK you flashed the chips, but there would be some other code somewhere in the chip that would contain a Trojan. Unless you are in the loop 100% of the time and nobody can inject any modifications into any manufacturing processes, you can't be certain that nothing at all was modified.

    4. Re:why spend millions when you can spend billions? by roman_mir · · Score: 1

      And who manufactured the firmware chips? Another question is then: how do you know that the rest of the design/manufacturing wasn't tampered with? That's what Thompson's story was about: can you trust a compiler unless you wrote it yourself? Can you trust compiler of a compiler? Can you trust a manufacturing process that places your design upon a wafer? Can you trust the wafer? etc.

      If something has to give, well, then again, how do you know that what gave can be trusted?

    5. Re:why spend millions when you can spend billions? by WED+Fan · · Score: 2, Insightful

      How about bringing the fabs back to the U.S.? Too many chip manufacturers have gone overseas.

      --
      Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
    6. Re:why spend millions when you can spend billions? by pinkushun · · Score: 1

      Very much so! Just pointing out that if you did control the firmware, it would eliminate that Point Of Failure, which currently introduces trojans into Dell motherboards :-D

    7. Re:why spend millions when you can spend billions? by Taco+Cowboy · · Score: 1

      And who manufactured the firmware chips? Another question is then: how do you know that the rest of the design/manufacturing wasn't tampered with? That's what Thompson's story was about: can you trust a compiler unless you wrote it yourself? Can you trust compiler of a compiler? Can you trust a manufacturing process that places your design upon a wafer? Can you trust the wafer? etc.

      If something has to give, well, then again, how do you know that what gave can be trusted?

      Many have a one-track mind. Anything and everything they blame on "Made In China", as if, if the thing is made in the U. S. of A., nothing wrong will happen, no people with malicious intention would appear and no trojan would ever be inserted into the chip's firmware.

      --
      Muchas Gracias, Señor Edward Snowden !
    8. Re:why spend millions when you can spend billions? by Anonymous Coward · · Score: 0

      The Pentagon is spending millions on research designed to ensure it can trust the microchips in critical systems, especially those made outside the US.

      - I think the only true way to be sure is to manufacture the microchips yourself, of course this costs much more than millions.

      What? The Pentagon making its own chips? I think it should be enough to restrict the sourcing of security critical chips to manufacturers that are either domestic or located in trusted allied countries. Nobody is holding a gun to their head and forcing them to source chips used in the F-22 stealth fighter or some such gadget from places like China.

    9. Re:why spend millions when you can spend billions? by Taco+Cowboy · · Score: 1

      How about bringing the fabs back to the U.S.? Too many chip manufacturers have gone overseas.

      There you go.

      Another with that "Made in the U. S. of A. would be the perfect cure of all ills" guy.

      --
      Muchas Gracias, Señor Edward Snowden !
    10. Re:why spend millions when you can spend billions? by stanlyb · · Score: 0

      Check this one: http://en.wikipedia.org/wiki/Electronic_control_unit This is what I had a hand in, some time ago, in some big, known company, who used to develop the "firmware", or more likely the software for this ECU (or EUC in French), and guess what? Around 90% of the so called "developers" did not even have a math degree, and these people are supposed to program the most important part of YOUR car? Of course, I left this company ASAP, but the bad taste is here, and I am very afraid to drive the nowadays car, and you should be too. Have you ever heard of the latest "software" firmware problem/update of Toyota/Prius? And wondered "what the heck is going on"?

    11. Re:why spend millions when you can spend billions? by willyg · · Score: 1

      As a (currently unemployed) ASIC designer, I have to agree with this. You may have THOUGHT you submitted the GDS file (http://en.wikipedia.org/wiki/GDSII) for tapeout for an embedded processor core, but later find out that there were 'tweaks' added to a ROM block, or something similar, to deal with encryption issues you weren't informed of. Not that this could possibly interfere with LVS (Layout versus Schematic) or verification simulations, of course...

    12. Re:why spend millions when you can spend billions? by Lumpy · · Score: 1

      Sounds great. You going to smile and say thank you when your next PC costs you $3500.00 for the base model?

      Cost of manufacture in the USA is well over 20X higher than in China. Wages alone make up a huge difference along with environmental laws that are hostile to business because they won't let them dump just anywhere.

      All this stuff is made in China because you want $899.00 laptops. Bring it all back to the USA and you will be looking at $1300.00 netbooks and $3200.00 low end laptops. And that gamer grade high end PC will make an 8 core Mac Pro with a full 16 gig of Apple RAM look cheap.

      Made in America = far higher price. Yet most of the people that claim they only buy "American made" won't pay the American made prices.

      --
      Do not look at laser with remaining good eye.
    13. Re:why spend millions when you can spend billions? by Anonymous Coward · · Score: 0

      How about bringing the fabs back to the U.S.? Too many chip manufacturers have gone overseas.

      In this US economy, we'd love to just bring the U.S ... to the fabs. At least that'd guarantee jobs, and probably much lower prices without all the shipping dues attached to current practices :)

    14. Re:why spend millions when you can spend billions? by htdrifter · · Score: 1

      How about bringing the fabs back to the U.S.? Too many chip manufacturers have gone overseas.

      The fabs moved overseas because of EPA regulations.
      That's the same reason a lot of manufacturing is now done off-shore. The cost of dealing with regulations is a bigger factor than labor.

    15. Re:why spend millions when you can spend billions? by Anonymous Coward · · Score: 0

      At the manufacturer, they can flash and verify the flash image from the outside via a JTAG probe, and therefore be safe from cloaking trojans. At least some of the firmware has to be flashed this way in manufacturing, because the mainboard wouldn't boot without a BIOS. Since the affected mainboards were repair exchanges, it's possible that they got infected while being updated/tested, maybe in the US.

    16. Re:why spend millions when you can spend billions? by stanlyb · · Score: 0

      I kinda disagree with you. The funny thing is that this "cheap" laptop that you have in USA, is not so cheap anywhere else.... funny, ain't it? And there is no reasonable reason for such a discrepancy.

    17. Re:why spend millions when you can spend billions? by Minwee · · Score: 1

      This leads to the rather obvious, Dr-Feynman-at-Los-Alamos solution.

      Issue a memo requiring that Ken Thompson never be allowed near your computers. Any computer that Mr. Thompson has touched is to be disposed of and replaced immediately, for security reasons.

      That should take care of that problem.

    18. Re:why spend millions when you can spend billions? by roman_mir · · Score: 1

      Issue a memo requiring that Ken Thompson never be allowed near your computers. Any computer that Mr. Thompson has touched is to be disposed of and replaced immediately, for security reasons.

      - totally. This is the solution, it will fix this problem once and for all. ONCE AND FOR ALL!

    19. Re:why spend millions when you can spend billions? by HiThere · · Score: 1

      That's why you analyze a random sample of them under an electron microscope...layer by layer.

      Then you either check each layer against the design specs, if you have them, or model each layer and predict what various input signals will do.

      You might still miss something, but nobody could be reasonably sure that you would miss it.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    20. Re:why spend millions when you can spend billions? by AK+Marc · · Score: 1

      All this stuff is made in china because you want $899.00 laptops. Bring it all back to the USA and you will be looking at $1300.00 netbooks and $3200.00 low end laptops.

      Ford killed people with the Pinto by omitting a part that would have cost less than one half of one percent of the cost of the vehicle. Companies have and will kill for 0.5%. So it doesn't take a 3x difference to outsource. It just takes a fraction of a percent.

      Made in america = far higher price. Yet most of the people that claim they only buy "american made" wont pay the american made prices.

      Mass produced in the USA isn't much off other places. What happened was that people didn't realize their choices until the choice was boutique small or medium production in the US vs mass-produced elsewhere, and there aren't that many that will pay boutique plus USA penalty. But if the choice was more obviously USA mass produced or China mass produced, I think that people would prefer the USA one enough to justify keeping something open, but not enough to justify making a new plant. That's where we sit now. People didn't realize the choices until too late, and now there isn't justification to move production back. Those that did stay open are seeing a resurgence. And those that are in protected markets (autos) are able to build plants and make things for prices that are competitive with imports. So we know competitive manufacturing can exist in the US.

    21. Re:why spend millions when you can spend billions? by Ernesto+Alvarez · · Score: 1

      The chips could still be manufactured elsewhere, what is really needed is maintaining the firmware yourself, regulate the source with solid security policies, and flash the chips locally.

      If you're serious, you're probably going to manufacture them locally.
      From wikipedia entry on the NSA:

      Its secure government communications work has involved the NSA in numerous technology areas, including the design of specialized communications hardware and software, production of dedicated semiconductors (at the Ft. Meade chip fabrication plant), and advanced cryptography research. The agency contracts with the private sector in the fields of research and equipment.

    22. Re:why spend millions when you can spend billions? by WED+Fan · · Score: 1

      Wrong, but thanks for your jumping to the wrong conclusion. If you check my post history, I'm actually for the little guy in Vietnam supplying Walmart. Spreading the manufacturing wealth is essential for the economic recovery. However, national security also requires an infrastructure of trust. A decade and a half ago, George Bush released critical government research to U.S. companies in the chip industry. Much of that info has now gone overseas.

      Take your broad brush somewhere else. It's not as black and white as you make it.

      --
      Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
  4. Made in China by Anonymous Coward · · Score: 0

    When will the world wake up and realize that lowest price is not a good reason to buy something. Fucking sheep. PAY FOR QUALITY!

    1. Re:Made in China by hedwards · · Score: 2, Interesting

      It's worse than that. Even those of us that do realize it are kind of stuck. The model that saw outsourcing to China as the solution to pretty much everything more or less obliterated the midrange category for many items. It's really hard to find things these days that are midranged in price and quality. I don't generally need to go top of the line on things, but thanks to the outsourcing there isn't a whole lot of choice, I can cheap out which usually isn't a good idea or buy high end.

      The free market really doesn't handle the situation where there's a nascent market for something which investors are ignoring.

    2. Re:Made in China by Taco+Cowboy · · Score: 1

      If you are implying that if the servers are made in the U. S. of A. this will never happen?

      Think again.

      And by the way, how much are you really willing to pay extra for stuffs made in the U. S. of A. ?

      --
      Muchas Gracias, Señor Edward Snowden !
    3. Re:Made in China by Anonymous Coward · · Score: 0

      At least with made in the USA, you can get the FBI into the loop here. For made in China, it could be the Chinese Government that had the malware installed!

    4. Re:Made in China by HiThere · · Score: 1

      I hope you don't think the US govt. is much more interested in protecting citizens' rights. The media are doing a very good job of keeping us misinformed. (I checked out the aftermath of another news story last week.)

      P.S.: I'm not saying that the style in which the US power structure abuses citizens' rights is the same as that of the Chinese govt. (I *think* the Chinese system is simpler, but that may just be because I've never looked at it close up.) In the US the desire appears to be to function more through intimidation than through actions that leave readily visible permanent injuries. (Among its citizens. For foreigners the US appears to be more violent and capricious than the Chinese.)

      P.P.S.: This can be exemplified by the taser. It rarely leaves permanently visible damage. But it seems, by report, to be used freely and with little cause. I expect that quite soon it will become considered (among oppressed groups within the US) praiseworthy to snipe at cops. Threatening and intimidating is one thing, but when you start widespread torture, you are breeding a case for retaliation.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:Made in China by Burz · · Score: 1

      The free market really doesn't handle the situation where there's a nascent market for something which investors are ignoring.

      That's because investors (the bigger ones that matter) are acting as a separate self-interested class that has little in common anymore with the rest of society. This cancels their ability to recognize the finer (and even basic) aspects of what consumers need and they begin to look to the police as the way to deal with the results of industrial shortcomings (cybercrime)... lobby for ever more police, more prisons, and invest more in police-related industries.

      And to think, all they need to do is put a read-only toggle switch on motherboards. It'll never happen at this point though because it doesn't have anything to do with iPhones or re-purposing military 'innovations' for use against the masses here at home.

  5. It's not a hardware trojan by lseltzer · · Score: 5, Insightful

    It's firmware, meaning software in a ROM. It's only slightly unconventional.

    And they say it's only on motherboards sent out as replacements. Interesting, you would think this would make it fairly easy to identify the source.

    1. Re:It's not a hardware trojan by Lumpy · · Score: 5, Interesting

      Incorrect. It's firmware, meaning it's software in a FLASH or EEPROM on rare occasions. That means it can be re-written by applications that know how to talk to it. Writing to a FLASH is not hard or a secret, in fact I wrote a self destruct years ago to screw with a kid that kept trying to break into our dial up server. It was called "Router Passwords.exe" and it simply tried to write FF FF FF to the beginning of the Bios flash chip for several different common motherboards.

      It worked, the kid never tried to connect again after he downloaded that bomb.

      If it was a ROM, my trick would not work as you cannot update or write to ROMs.

      --
      Do not look at laser with remaining good eye.
    2. Re:It's not a hardware trojan by Rogerborg · · Score: 4, Funny

      There's no schooling like the old schooling. Say, could you hear him screaming down his acoustic coupler?

      --
      If you were blocking sigs, you wouldn't have to read this.
    3. Re:It's not a hardware trojan by htdrifter · · Score: 1

      It's firmware, meaning software in a ROM. It's only slightly unconventional.

      This problem goes back to the first ROMs ever used. ROMs should always be verified. That's basic QC procedure.

      The FA doesn't have any real information. Most likely a beta version got into the manufacturing stream. The problem is just sloppy QA.

    4. Re:It's not a hardware trojan by Anonymous Coward · · Score: 1, Funny

      Writing to a FLASH is not hard or a secret, in fact I wrote a self destruct years ago to screw with a kid that kept trying to break into our dial up server. It was called "Router Passwords.exe" and it simply tried to write FF FF FF to the beginning of the Bios flash chip for several different common motherboards.

      Ahh so that was you... Damn it, do you know how many motherboards I fucked up trying to open that password file? oh well....:)

    5. Re:It's not a hardware trojan by sjames · · Score: 1

      It's a bit of a gray area. It's not permanently etched into silicon but it is in the firmware on the management board. That is, it's still active even if the server is off unless it's actually unplugged. It is at a much lower level than the much more typical virus and will be there no matter what OS you load. Update the mainboard BIOS and it's still there. There may or may not be a way to update the management BIOS other than sticking the chip in a programmer or hooking up JTAG.

    6. Re:It's not a hardware trojan by Anonymous Coward · · Score: 0

      You bastard. I was trying to fix my mom's modem!

    7. Re:It's not a hardware trojan by Anonymous Coward · · Score: 0

      I am not sure what you managed but writing all FFs to a flash chip should do nothing. Now if you wrote all 00s to a flash chip that would actually cause some damage. After erasure the flash will read FFs, and writing FF to a byte which is 00 causes nothing to happen.
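
An added example, not part of the thread or any poster's code: a Python model of the readback verification raised in the comments (comparing a flash image read out externally against a known-good reference), combined with the NOR program/erase behaviour described in the comment above. The sector size, image contents and all function names are assumptions constructed for illustration.

```python
import hashlib

SECTOR_SIZE = 4096  # assumed erase-sector size; real parts vary, check the datasheet
ERASED = 0xFF       # NOR flash reads as all ones after an erase


def program(cells: bytes, offset: int, data: bytes) -> bytes:
    """Model a NOR program operation: it can only clear bits (1 -> 0)."""
    out = bytearray(cells)
    for i, b in enumerate(data):
        out[offset + i] &= b
    return bytes(out)


def erase_sector(cells: bytes, index: int) -> bytes:
    """Model a sector erase: every bit in the sector returns to 1."""
    out = bytearray(cells)
    start = index * SECTOR_SIZE
    out[start:start + SECTOR_SIZE] = bytes([ERASED]) * SECTOR_SIZE
    return bytes(out)


def classify(golden: bytes, dump: bytes) -> str:
    """Say how one sector of the dump differs from the reference."""
    if golden == dump:
        return "match"
    # A bit that is 1 in the dump but 0 in the reference cannot come from
    # programming alone: the sector went through an erase cycle.
    if any(d & ~g & 0xFF for g, d in zip(golden, dump)):
        return "erased-and-rewritten"
    return "programmed-only"


def verify_image(golden: bytes, dump: bytes) -> dict:
    """Compare an externally read dump with the reference, sector by sector."""
    report = {
        "golden_sha256": hashlib.sha256(golden).hexdigest(),
        "dump_sha256": hashlib.sha256(dump).hexdigest(),
        "size_ok": len(golden) == len(dump),
        "sectors": [],
    }
    if not report["size_ok"]:
        report["ok"] = False  # a short or long readout is a failure in itself
        return report
    for start in range(0, len(golden), SECTOR_SIZE):
        g = golden[start:start + SECTOR_SIZE]
        d = dump[start:start + SECTOR_SIZE]
        verdict = classify(g, d)
        if verdict != "match":
            changed = sum(1 for a, b in zip(g, d) if a != b)
            report["sectors"].append((start // SECTOR_SIZE, verdict, changed))
    report["ok"] = not report["sectors"]
    return report


def build_golden() -> bytes:
    """Constructed reference image: three data sectors plus one erased spare."""
    data = bytes((i * 7 + 3) & 0xFF for i in range(3 * SECTOR_SIZE))
    return data + bytes([ERASED]) * SECTOR_SIZE


def demo() -> dict:
    golden = build_golden()
    rewritten = program(erase_sector(golden, 1), SECTOR_SIZE, b"\xa5" * 16)
    return {
        "clean": verify_image(golden, golden),
        # Programming FF over existing data changes nothing.
        "write_ff": verify_image(golden, program(golden, 0, b"\xff\xff\xff")),
        # Programming 00 clears bits without needing an erase.
        "write_00": verify_image(golden, program(golden, 0, b"\x00\x00\x00")),
        # Data appearing in the erased spare sector also needs no erase.
        "spare": verify_image(
            golden, program(golden, 3 * SECTOR_SIZE, b"constructed bytes")),
        # A sector that was erased and reprogrammed shows 0 -> 1 transitions.
        "rewritten": verify_image(golden, rewritten),
        # A truncated readout must fail before any sector comparison.
        "truncated": verify_image(golden, golden[:-1]),
    }


if __name__ == "__main__":
    for name, rep in demo().items():
        print(f"{name:10s} ok={rep['ok']} sectors={rep['sectors']}")
```

The comparison is only meaningful when the dump is taken by a path the firmware under test cannot influence, such as the external probe one commenter mentions.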

  6. Bad Article by Co0Ps · · Score: 5, Informative

    From TFA:

    This malware code has been detected on the embedded server management firmware.

    Firmware != Hardware. It would have been impressive if it was a real hardware virus though, e.g. some malicious chip that opens a backdoor on the network cards and allows remote code execution.

    1. Re:Bad Article by hedwards · · Score: 3, Informative

      That's bullshit and hardly relevant. Firmware is installed on a chip in the hardware. The significance is that even if you were to reinstall the OS, you'd still have the code pop up every time you try to use it. Hardware in this case indicates that it doesn't reside on the HDD or in some other removable portion of the computer. While you can change motherboards, that's a serious enough operation that you're essentially ending up with a different computer once finished.

    2. Re:Bad Article by fuzzyfuzzyfungus · · Score: 4, Insightful

      Arguably the IPMI is one step easier than just the motherboard firmware. Those suckers are basically little embedded computers, typically running linux or vxworks, with their own processor and everything. They happen to be physically coupled to the motherboards of larger devices; but, architecturally, they are basically the same as any of the "little bitty plastic box" style embedded network appliances.

      Given the fact that embedded appliances frequently have security made of pure shit, and servers are rather high value targets, the only real surprise is that they aren't targeted more often. Especially, if you are super lucky, the IPMI card will be connected to the oh-so-special-and-physically-separate-for-security "management network", which is where all the juicy, but often vulnerable, management interfaces live. Nice place to have an attack platform silently embedded...

    3. Re:Bad Article by Anonymous Coward · · Score: 2, Insightful

      Or you could update the firmware.
      I'm with GP, It's embedded software, but it is still software. It would have been really impressive if it was actual hardware malware.

    4. Re:Bad Article by Anonymous Coward · · Score: 0

      Hello, Mr. fuzzyfuzzyfungus

      You have said a bit too much on what we already secretly do that we shouldn't ask China and others to try against the US of A. We can't really ban you from the internet, so Agent Rogers here is to "borrow" all your fingers for the next best thing. Oh ... good luck waiting for touch screens to add support for stumps

      --The NSA

    5. Re:Bad Article by Anonymous Coward · · Score: 0

      Or you could update the firmware.
      I'm with GP, It's embedded software, but it is still software.

      Only problem is, it's "software" running on my hardware --an EXPENSIVE, 99.999% server, and not someone's reboot-happy home PC.

      You can't afford yet another session of downtime, and arranging datacenter visits, moving clients to another server and quarantining several machines. Remember that DELL screwed twice already: one for having the mobo fail, normal as that may be, and another for creating a second visit to a datacenter that is potentially not mine, to fix a problem that my client THOUGHT fixed upon the FIRST mobo visit.

      In the financial industry, such is the thinking, anyway. I'm just playing devil's advocate, since 3 downtime sessions for one problem can sure make you choose IBM hardware on the next cycle's upgrade.

    6. Re:Bad Article by hedwards · · Score: 1

      Probably not, it's common for firmware updates to require a match in order to update. Meaning that if the signature doesn't match what they think it should match, the update might very well not install. And with good reason. You really don't want to install a new firmware only to find yourself bricked because a small portion of the chip had gone bad.

    7. Re:Bad Article by Ryxxui · · Score: 1

      The distinction here is neither bullshit nor irrelevant. The difference between a firmware trojan and a hardware trojan has huge implications in the types of affected devices, in the potential places where it could have been inserted, and the manner of fixing the issue. Calling something "hardware" just because it resides in a non-removable part of the motherboard (how do you know the chip with the firmware isn't removable, anyways?) doesn't make sense. Maybe the difference is minor to you, but as a person who is researching hardware trojans at a large university, I consider the difference significant and relevant.

    8. Re:Bad Article by pclminion · · Score: 1

      As somebody who actually writes firmware, the distinction is completely relevant. Firmware is something I can easily get at and change, either to break it or repair it. Hardware is completely off limits to modification because it physically can't be done.

      Okay, with an FPGA or CPLD the distinction blurs a little bit. But that's not the topic. The topic is malicious code residing in firmware persistent storage. That is most certainly not HARDWARE. It is a bit pattern.

  7. any details yet on infected hardware? by drinkypoo · · Score: 1

    I used to have an IBM server with an IPMI module, that's basically a little computer that can piggyback on the network interfaces and which provides monitoring (on the eServer 325 you can see all of the ~10 fans' speeds, the voltages, and about eight to ten temperatures) and some limited remote management like immediate or scheduled shutdown and startup. It's actually an MSI mainboard IIRC, they went on to make nicer versions of the same stuff with more processor support for their own productization, all too different to use their BIOS on the IBM unit :) One of them may have become the eServer 326?

    Anyway, way too much historical data. The point is that the IPMI module could be made by an OEM's OEM...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:any details yet on infected hardware? by Amouth · · Score: 1

      the Dell RAC cards/built-in can do that + remote console (text+vga+input) and even remote CD mapping.

      fun stuff.. always odd to flash the bios on a machine over the net.

      basically having software on the RAC is akin to having physical access to the box - and physical access is king.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  8. Wow. by mcgrew · · Score: 0, Flamebait

    Did they buy the parts from Sony? ;)

    TFA didn't say how the malware got there.

    Dell confirms on the same forum: "The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware. This malware code has been detected on the embedded server management firmware."

    <snip>

    The Pentagon is spending millions on research designed to ensure it can trust the microchips in critical systems, especially those made outside the US.

    Elsewhere, researchers are also investigating the threat from would-be chip-plant saboteurs, who poison the chip-making processes to introduce a "kill switch" that makes the chip fail unexpectedly.

    My guess is that the computer that flashed the firmware was infected. Too bad Dell hates Linux; had the computer that flashed the firmware been running Linux or BSD (or even a Mac) this likely wouldn't have happened.

    1. Re:Wow. by Spad · · Score: 1

      Yes, because Windows malware that's designed to infect server system board firmware is so widespread these days and we all know it's impossible to do anything bad from a Linux machine.

    2. Re:Wow. by grahamlee · · Score: 2, Insightful

      It's also possible that the malware was actually dropped from a *nix or Windows system that wasn't itself infected, but where the user wanted to drag Dell through the muck. Doesn't need to be any of these Advanced Persistent Threats you keep reading about, just a terminated employee on his last day. I doubt that embedded hardware is connected to the internet while it's being assembled, so it seems unlikely that they got a chance infection - someone had to subvert their production process. That's most likely to be an insider.

    3. Re:Wow. by Amouth · · Score: 1

      wow - i just don't think you have an idea of what is going on here.

      this isn't some mass produced USB stick.

      in fact the firmware they are infecting on the RAC is just that firmware - akin to the bios on your desktop but different in that some of the RAC's are actually small Linux boxes themselves..

      for someone to sneak malware into the firmware of the RAC in a manner that would be useful - this person had to know what they were doing - they had to get it into some build of the firmware and then either flash them each on their own or into the process and get it to pass QA..

      the fact that the malware only affects windows installations on these boxes is a short sightedness of the person who wrote it. from a hacking stand point.. the value of being able to get custom code to run in the RAC of servers destined for larger companies, it's a gold mine.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    4. Re:Wow. by h4rr4r · · Score: 1

      Since when does dell hate linux?
      I have a server room full of redhat dell boxes that say otherwise. They even sold me the redhat licenses on some of those.

      These are servers kiddo, not desktops.

    5. Re:Wow. by mcgrew · · Score: 1

      Since when does dell hate linux?

      Windows vs. Ubuntu -- Dell's Verdict
      Barence writes
      "Remember how Dell put up a website declaring Ubuntu was safer than Windows, only to later change its mind? Well, the company has gotten right back into the Windows vs. Ubuntu debate with a highly sophisticated website arguing the pros and cons of each OS. People should choose Windows, argues Dell, if: they are already using Windows, are familiar with Windows, or are new to computers. People should choose Ubuntu if they're interested in open-source programming. Brilliant."

    6. Re:Wow. by sjames · · Score: 1

      The processor running the spyware is not an x86 and isn't a Windows machine. It didn't just catch something from a workstation.

    7. Re:Wow. by sjames · · Score: 1

      I'll buy that it was an insider (it almost had to be), but not that they did it just for spite. That's a LOT of work for spite considering that the server management board isn't even x86 and it was embedded in the firmware. That's WAY more work than just downloading some crap off the net and slamming it in there.

    8. Re:Wow. by ZosX · · Score: 1

      Yeah. It's kind of interesting that most of our major, critical electronics are being manufactured in China, which is a communist country and not exactly an ally at the moment other than financially. They are already looking at starting another arms race. Imagine if in the 1970s, our computers were being manufactured in the USSR. I don't really see why we should be looking at goods manufactured in China any differently. Clearly, if anything, they have no regard for our health and safety standards and keep churning out crap intended for kids laced with all sorts of deadly chemicals. Who knows. Maybe they are doing it on purpose. It almost seems like it would be fairly trivial for them to slip crap like this in. I mean how many times have laptops and netbooks recently been released with key loggers and everything else because "Ooops, some employee used an infected flash disk to set up the system"

  9. Some might call this by flakblas · · Score: 2, Funny

    a feature.

    1. Re:Some might call this by odin84gk · · Score: 1

      Was Sony involved?

  10. What did you expect? by Chas · · Score: 5, Insightful

    Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

    How the hell would they know if someone decided to pull a dick move like this?
    And for what they're being *COUGH*paid*COUGH*, why the hell would they even care?

    --
    Chas - The one, the only.
    THANK GOD!!!
    1. Re:What did you expect? by Taco+Cowboy · · Score: 2, Informative

      Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

      I hope you take back the "barely literate people" part because it is untrue.

      To say that is to think too highly of your own self.

      --
      Muchas Gracias, Señor Edward Snowden !
    2. Re:What did you expect? by Elbowgeek · · Score: 5, Insightful

      You do raise a good point. *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell. Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.

      --
      Who is this delectable creature with an insatiable love of the dead?
    3. Re:What did you expect? by Taco+Cowboy · · Score: 4, Insightful

      Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.

      Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?

      --
      Muchas Gracias, Señor Edward Snowden !
    4. Re:What did you expect? by vlm · · Score: 2, Insightful

      Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

      People talk about Detroit autoworkers exactly the same way. Doesn't mean much, really.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    5. Re:What did you expect? by interval1066 · · Score: 1, Insightful

      "..."rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money."

      "Chas", you're an idiot.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    6. Re:What did you expect? by Anonymous Coward · · Score: 2, Interesting

      Yes because barely literate people working in sweat shops have the technical expertise to plant a virus in hardware.

    7. Re:What did you expect? by Elbowgeek · · Score: 1

      I think that if the servers were developed and manufactured "closer to home" there would certainly be less chance of introducing malicious code. In China there is an incentive by both common criminals *and* the Chinese government to exploit the opportunity to diddle with the firmware.

      That said, I have no information on where the firmware was developed, so if the naughty bits were injected by someone on the US development team I must sincerely apologize to the Chinese. Ahem.

      --
      Who is this delectable creature with an insatiable love of the dead?
    8. Re:What did you expect? by Darth+Sdlavrot · · Score: 1

      Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

      People talk about Detroit autoworkers exactly the same way. Doesn't mean much, really.

      Talk about them that way -- okay; they're not exactly in the same league though.

      UAW autoworkers earn, on average, $28 per hour. That's average, some get much more. http://answers.yahoo.com/question/index?qid=20070924073107AAuGk8O

      Chinese sweat shop labor, e.g. at Foxconn, make about $168-176 per month. http://www.china.org.cn/china/2010-06/07/content_20199987.htm

    9. Re:What did you expect? by Lord+Ender · · Score: 1

      The literacy rate in Detroit is fantastically higher than in a lot of low-wage Asian countries.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    10. Re:What did you expect? by Bill_the_Engineer · · Score: 4, Insightful

      *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell.

      Half truth. Dell did not add any value to their products and decided to compete on price. In order to lower their prices and retain their profit margins they outsourced their assembly to countries with lower labor costs. Dell was not forced to lower their price, they choose to compete on price alone.

      *We* the consumer did not demand cheap prices, instead we purchased whatever gave us the better value. Which for some means the cheapest machine that runs stock Windows 7 for home, but for others features and/or better components may be the deciding factor (e.g. Apple, Alienware, Voodoo PC, Sony, etc.)

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    11. Re:What did you expect? by somersault · · Score: 1

      What is your evidence for it being untrue? I'm not saying it's not, but it seems likely that the literacy levels in sweatshops are lower than average.

      Even if it is untrue then I don't think it says so much about what he thinks of himself, as the stereotypes that are being fed to him.

      When I think of sweatshops I think of places like China and India well known for overpopulation and cheap labour. The literacy levels for these places are ~90% and ~66% respectively, with unemployment rates of ~4% and ~7%. Seems quite likely that a lot of sweatshop workers in India at least are going to be illiterate.

      --
      which is totally what she said
    12. Re:What did you expect? by Anonymous Coward · · Score: 0

      Ooo, snap!

    13. Re:What did you expect? by Low+Ranked+Craig · · Score: 2, Insightful

      Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?

      No, it just means that instead of costing $2,000 it would cost $6,000, and availability would sometimes be spotty due to the unionized workers striking, although it's probably a little more likely that the bad-ass perpetrators might be arrested.

      This is one of the things that irritates me about a lot of people; They will complain about the outsourcing of jobs and demand the lowest price all in one breath. Here's a clue for those clueless people - demanding the lowest price in a global economy ensures that those products will be manufactured where the cost of labor and material is lowest, and that ain't America or Western Europe.

      The next time a WalMart shopper complains about job outsourcing, offer to show them the cause of the problem and hand them a mirror.

      For my own part I do try to at least shop at smaller local business when I can, the local Ace instead of Lowe's for example, but it's almost impossible to avoid cheap imported products, and it's even more disheartening when the cheap $15 Chinese tool is better than the $30 made in USA tool...

      --
      I still cannot find the droids I am looking for...
    14. Re:What did you expect? by somersault · · Score: 3, Insightful

      So it's our fault for being prudent with our spending? I guess we should all pay over the odds for our electronics to make sure that all these international businesses aren't feeling the pinch too much in their profit margins! Let's buy from someone like Apple who we know are making a hefty profit on their products! Oh wait, Apple do their manufacturing in China too.. hmm.

      --
      which is totally what she said
    15. Re:What did you expect? by Anonymous Coward · · Score: 1, Insightful

      If the process were done "in house", then the company has the option to institute organizational controls to prevent this sort of thing, wherever the actual process takes place. It being done by outside contractors, the company is limited more to detection after the fact rather than prevention.

    16. Re:What did you expect? by Anonymous Coward · · Score: 0

      (posting anonymously as I want to keep my DCSE status) If you read the article, they are "server motherboards sent out through service dispatches", which means they are almost certainly "refurbished". I put refurbished in quotes because it's supposed to mean that something's been thoroughly tested and better than new. With Dell (HP too probably others) it actually means a tech has swapped out the parts and returned this because the company has a "just go policy" and the call centre hasn't bothered to try to figure out what the problem is before sending a tech with parts. The used parts are then labelled "refurbished" and sent out on another dispatch. They might be tested but then you wouldn't expect to be receiving MB with broken connectors or flashed with LinuxBIOS (I've had this with HP, but not Dell), or no POST problems that should show up immediately in the refurbishing plant.

      These are probably boards where the management module firmware has been flashed by the previous user, but never checked at the refurbishing stage.

    17. Re:What did you expect? by c6gunner · · Score: 1

      And for what they're being *COUGH*paid*COUGH*, why the hell would they even care?

      Because what they're getting is far, FAR better than what they'll get if the factory gets shut down? Even in the first world, losing your job can ruin your life. In the third world, the repercussions are even worse.

    18. Re:What did you expect? by mwvdlee · · Score: 4, Insightful

      Here's a clue for those clueless people - demanding the lowest price in a global economy ensures that those products will be manufactured where the cost of labor and material is lowest, and that ain't America or Western Europe

      So if those people would be willing to pay more, the products would be manufactured in more expensive countries instead of the companies continuing cheap labor manufacturing and simply making a bigger profit?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    19. Re:What did you expect? by PitaBred · · Score: 1

      He's not saying that all of China is illiterate or anything like that. He's just saying that the US has a 99% literacy rate, and China is at about 93.3%, and those factory jobs aren't always staffed by the highest-educated people, just like here in the US. There's nothing wrong with it. It's just the way things are.

    20. Re:What did you expect? by Anonymous Coward · · Score: 0

      I am amused at how you accuse someone of being illiterate, yet you put an apostrophe in the word "computers" when it should not be there. It's not possessive and it's not a true contraction (computer is != computer's). Would you care to explain that? Does using multiple obscenities, sometimes with a hyphen, make you more literate?

    21. Re:What did you expect? by Anonymous Coward · · Score: 1, Interesting

      I know an assembly line in Tennessee that's full of Mexicans.

    22. Re:What did you expect? by c6gunner · · Score: 1

      Chinese sweat shop labor, e.g. at Foxconn, make about $168-176 per month

      Yep, and a baker in China makes less than $100 per month. Seeing as how there's not much demand here for Chinese bread, I'm going to go out on a limb here and suggest that the "sweatshops" apparently pay better than what the Chinese themselves are willing to pay.

      Here's a bunch more numbers for you to look at:
      http://www.worldsalaries.org/china.shtml

    23. Re:What did you expect? by evildarkdeathclicheo · · Score: 3, Interesting

      Is there even an option to purchase a "high quality" motherboard, or any computer components for that matter? Cheap mass-produced goods abound in many types of products, however there are usually options. I can buy a cheap Korean car or guitar, but I might choose not to, paying a premium for an item designed and assembled in Germany, the US, or even Japan. I realize that it's very expensive to produce electronics in the US, and environmental laws make it highly unlikely to happen here, but it seems there would be a strong niche market for "computerphile" goods given how damned cheap the mass produced junk is these days. I'd rather pay a premium for a high-quality home-produced video card based on last year's model, than pay a premium for the "latest and greatest" mass produced piece of Chinese junk. Am I alone here?

    24. Re:What did you expect? by twoallbeefpatties · · Score: 3, Insightful

      People talk about Detroit autoworkers exactly the same way. Doesn't mean much, really.

      Actually, we say that Detroit autoworkers were overpaid and got way too many benefits for their unskilled labor due to inflexible, corrupt unions - sort of the opposite thing to what we're saying about offshored labor. But who's counting?

      --
      Libertarians somehow believe that private businesses should be stronger than governments but weaker than individuals.
    25. Re:What did you expect? by Tom · · Score: 4, Interesting

      No we haven't, and no they weren't forced.

      Dell decided to produce cheaper, in order to compete on price. They could have decided to compete on, say, quality, service, security, or any other area. They didn't.

      The "we the customer" meme should be shot on sight. It's from the 50s when we had something resembling free markets. Quick, how many major computer hardware manufacturers are there? So what are your choices, really? What are the choices of the general public, who know very little about computers or what goes into them?

      There's no such thing as customer decision. If at all, there is customer choice, among the products that are offered. The people who decide what kinds of products are available to be chosen from aren't the customers, it's some dudes in the marketing and product management departments.

      Don't make it too easy for them to avoid the blame. Nobody forced them to outsource to China. They decided to do it, because it would improve their bottom line. There are some - not many, but they exist - companies who made a different choice. Just because everyone else does it does not mean you have to do it - it just gives a manager with little interest beyond his yearly bonus a very easy excuse.

      --
      Assorted stuff I do sometimes: Lemuria.org
    26. Re:What did you expect? by StikyPad · · Score: 1

      There's a greater opportunity that I will lose my arm if I stick it in a wood chipper. That doesn't mean it's "guaranteed safe" by not placing it in said chipper. The opposite of "greater than" is not zero.

    27. Re:What did you expect? by kevinmenzel · · Score: 1

      If they are willing to pay more only for something made in country X, then maybe companies will start building them in country X. Especially if customers, en masse, decide to do this, and really screw with the global economy in a very atypical fashion. Though that would mean that customers would have to learn where stuff comes from. And take action to found new business to source items from country X or Y if said option doesn't exist.

    28. Re:What did you expect? by Anonymous Coward · · Score: 0

      how did this get to '5, Insightful'...oh, 'insightful' as in 'insighting protest'...wait, that's inciteful...oh wells

    29. Re:What did you expect? by localman57 · · Score: 4, Funny

      If you consider being able to recognize a McDonalds sign as a sign for McDonalds as your criterion for literacy, then yes, I'd say we've achieved 99% literacy.

    30. Re:What did you expect? by Chas · · Score: 1

      Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?

      Note my use of the term GREATER OPPORTUNITY

      I didn't say that this couldn't happen in the US. Simply that there would be a slightly better chance of it being caught before hitting the consumer.

      --
      Chas - The one, the only.
      THANK GOD!!!
    31. Re:What did you expect? by insnprsn · · Score: 1

      If you RTFA you would realize that this story has zero to do with the manufacturing/assembly of the systems but rather replacement parts for service dispatches.

    32. Re:What did you expect? by Posting=!Working · · Score: 1

      Barely literate people working in sweat shops have the financial expertise to accept an extra month's salary to use the special chips given to him by whoever did have the technical skills.

      --
      This sentence no verb.
    33. Re:What did you expect? by Aceticon · · Score: 2, Insightful

      Dell would "outsource their firmware development and manufacture to China with too little oversight" even if the consumer had not "demanded the cheap prices of the hardware we buy" - it's just that in that case they would pocket the difference.

      Look at a typical brand-intensive (where a large percentage of the face price is for brand, not actual product) consumer electronics company like Apple - they have their products manufactured in China just like everybody else.

      No, the problem with consumers is not that they want stuff cheap, the problem with consumers is that they accept shitty products and do not seriously penalise a brand when it turns out they do not have proper quality control in place.

    34. Re:What did you expect? by joebagodonuts · · Score: 2, Insightful

      Dell isn't forced to do anything - they played a huge part in creating the demand for the cheap prices for hardware.

      --
      "Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
    35. Re:What did you expect? by temojen · · Score: 1

      Alienware is Dell XPS with a fancier case.

    36. Re:What did you expect? by kimvette · · Score: 2, Interesting

      Dell was not forced to lower their price, they choose to compete on price alone.

      That is true of some of their desktops and low-end laptops - they're cheap in terms of both price and build quality, and the failure rate is abysmal.

      When you move up to the Precision line, everything changes. I bought a Precision M6400 notebook for the build quality, full keyboard, performance, and parts availability. It uses a desktop chipset, has a Quadro video card, more ports than pretty much any other notebook (plus ExpressCard and Cardbus/PCMCIA), and the best screen I could find (glossy 1080p with an RGB-LED backlight). I know the notebook will still be running three years from now, and if I need a part in five years, there's a 99% chance Dell will be able to provide the part I need. (and yeah, calling a mobile workstation a "notebook" is a stretch, I know - this thing weighs in at almost 10 lbs)

      Their servers - they're not bad at all, but proprietary wherever Dell can possibly make them proprietary, and even rebadged RAID cards which you would think are fairly standard, have firmware which makes them proprietary (their Perc line). I like their PowerVaults - the first time I set one up in a Windows cluster it was a royal pain in the ass though, because the jumper and DIP switch setting documentation was completely wrong, technical support had it just as backwards, so I was on my own. The chassis build quality was great though - almost up to anything from Chenbro or SuperMicro. If you price out any of the enterprise-quality servers, Dell is certainly not competing on price alone - in fact they are more costly than others. They compete based on their support contracts and their next-day parts or service delivery.

      They engage in predatory business practices though. If you are a Dell reseller and are quoting a number of servers or large number of desktops for a client, Dell will attempt an end-around and sell directly to your client.

      Also, the form factors they use are proprietary, locking you into Dell when it comes to upgrades, and - oops, you can't upgrade the motherboard in that server, guess you will have to buy a whole new server!

      Downmarket they compete on price. Upmarket they compete on service contracts and vendor lock-in.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    37. Re:What did you expect? by drZarkoff · · Score: 1

      Unanswerable! :-)))

    38. Re:What did you expect? by Anonymous Coward · · Score: 0

      It's not prudent spending when the only cost you take into account is the one at the cash register.

    39. Re:What did you expect? by Low+Ranked+Craig · · Score: 2, Interesting

      People can choose to take all things into consideration when making a purchase, or not. Look at the current "green" movement. People are buying things labeled as green even though they cost more, don't offer any additional benefit to the user, in many cases probably work worse, and in reality don't really help the environment all that much.

      --
      I still cannot find the droids I am looking for...
    40. Re:What did you expect? by Waffle+Iron · · Score: 5, Insightful

      The next time a WalMart shopper complains about job outsourcing, offer to show them the cause of the problem and hand them a mirror.

      The problem is that the "global free market" is a multi-player version of the Prisoner's Dilemma game. It's been proven that in absence of communication between the players, the rational choice in this game is to always "defect". In this case, it means buying cheap imported crap at Wal Mart. If you don't defect, most others continue to do so, and you just end up being a sucker.

      Complaining about individuals' choices is going to accomplish nothing, because they're all making the most rational individual decisions. The only way to change the situation is to include the external costs of cheap offshore production into the retail price, which alters the individual's most rational choice. The most obvious way to do that is slap a tariff on the goods.

    41. Re:What did you expect? by Chas · · Score: 1

      Well, at least you had the gonads to post it under your own account...

      Now would you like to illuminate us as to your reasoning?

      Here's mine.

      I'm not saying that Americans ARE rich assholes who sleep on piles of money.

      However, in a lot of less well-off countries in the world, there IS a perception that Americans (in general) have an inordinately large amount of money.

      --
      Chas - The one, the only.
      THANK GOD!!!
    42. Re:What did you expect? by fishthegeek · · Score: 1

      Apple does not compete on price. Apple has outsourced to China.

      --
      load "$",8,1
    43. Re:What did you expect? by mark72005 · · Score: 1

      There is nothing trollish about this post at all. I don't think that is a fair rating.

    44. Re:What did you expect? by Skuld-Chan · · Score: 4, Interesting

      That's a myth - the biggest reason companies outsource manufacturing to 3rd world countries is a greater return on profit. Instead of making 150 dollars per machine you might make 20 or 30.

      Good example of this - up until very recently Dell's corporate desktops (Optiplex line - in fact I'm typing this on a 745 that has a "Assembled in the USA" sticker on it) were made right here in the USA, and didn't cost all that much more than Vostro machines which are made in China. These are rock solid machines (haven't had to replace a single major component on any one of the 200 or so I'm responsible for).

      My brother used to work for an importer of Chinese goods (pens/no name tv's [I see them at fry's all the time]/toys) you wouldn't believe the markup some of these goods have. Pens that sell for a dollar for instance they were buying for as little as 5 cents. 5 cents - think about how far they traveled, and how much effort it takes to make a ballpoint pen that you can make 95 cents profit off of. A lot of these 5 cent pens were toys on the side as well (light up, or have an etch-a-sketch attachment on the end - stuff like that) that sold for 2-3 dollars.

    45. Re:What did you expect? by Pharmboy · · Score: 2, Interesting

      I can't speak for China, but I know that Moldova (the poorest country in Europe) is the cheapest place to build in Europe yet a large portion of the population has some college or a full degree, and an overall literacy rate that rivals the US. Perhaps due in part to being a former SSR. Poverty is not caused only by a lack of education.

      --
      Tequila: It's not just for breakfast anymore!
    46. Re:What did you expect? by Anonymous Coward · · Score: 0

      Well I'd argue you *weren't* being prudent in your spending. Is it prudent to buy a car for $15? Would you feel safe driving around in it?

      In the very same way is it prudent to buy a computer for $300? When you consider what has to happen for the price to be that low?

    47. Re:What did you expect? by Anonymous Coward · · Score: 0

      If people were willing to pay more in order to get better quality products, then in the long run more expensive and more competent labor will prevail. At first, companies would continue to use the cheap labor and pocket the extra money. When informed consumers see the difference between cheaply made product A and well constructed product B, they'll choose the latter. The big reason that people choose A right now is that it's cheaper to buy. Take that out of the equation and suddenly product B gets a lot more attractive.

      At least, in theory that's how it would work. In practice, the extent to which manufacturers are greedy and consumers are oblivious will throw a few spanners into the works.

    48. Re:What did you expect? by Elbowgeek · · Score: 1

      No, it's our fault for being *cheap* with our spending.

      --
      Who is this delectable creature with an insatiable love of the dead?
    49. Re:What did you expect? by lymond01 · · Score: 2, Funny

      God. And all this time I thought that was an upside down double-u.

    50. Re:What did you expect? by VoidCrow · · Score: 0, Offtopic

      Mod parent up.

    51. Re:What did you expect? by delinear · · Score: 1

      The problem is too many workers in country X now see this kind of basic assembly work for minimum wage as being beneath them. The only way to ever change this is to have barriers on imports and a much higher minimum wage - that will force customers to pay more for local products, but it's completely counter to global free trade, few companies will be able to break the international barrier as you almost need to already have manufacturing and distribution set up in the market you're trying to enter, whereas right now the barrier to entry is pretty low. This kind of approach would also be tremendously stifling to technological advancement (look at former eastern bloc closed markets for examples of this in the wild).

      I'm not sure what the answer is - wherever there is a human who stands to gain from doing something illegal or immoral you have a weak point in the chain. Who's to say that people assembling computers in the west would be less open to bribery - it might seem that way because all the current attack vectors are happening in China, but that is likely nothing more than coincidence because that's where all the manufacturing happens coupled with the fact that it's only relatively recently that people stood to profit substantially from this kind of attack.

    52. Re:What did you expect? by Anonymous Coward · · Score: 0

      I hope you take back the "barely literate people" part because it is untrue.

      Really? And you know that because that is what you feel, or you actually did some research?

      "Illiteracy is increasing in China, despite a 50-year-old campaign to stamp it out and a declaration by the government in 2000 that it had been nearly eradicated. The reasons are complex, from the cost of a rural education to the growing appeal of migrant work that draws Chinese away from classrooms and toward far-off cities. "
      "From 2000 to 2005, the number of illiterate Chinese adults jumped by 33 percent"
      "Since 70% of China's population live in the countryside, and rural adult illiteracy rates are high and the gender disparities are also large in the countryside, the priority and the difficult area of literacy work lies in rural areas."

      Just because the facts get in the way of your feeling of "the way things should be", don't let that stop you from judging others who point the facts out. Talk about feeling superior.

    53. Re:What did you expect? by fritish · · Score: 2, Funny

      to assemble a "rich-boy toy"

      I read this as "rich boy-toy". The rest of the thread got really confusing after that..

      --
      "Coffee is for closers."
    54. Re:What did you expect? by Mister+Whirly · · Score: 3, Insightful

      Actually, I would consider being able to read as the criteria for "literacy". What does McDonalds have to do with literacy rates? Nice strawman though - we aren't talking about obesity, nutrition, or anything food-related in this conversation.

      --
      "But this one goes to 11!"
    55. Re:What did you expect? by Bengie · · Score: 2, Insightful

      what about power supplies and LED lit LCDs?

      I have a namebrand $80 psu that's only ~8 years old and it had a power factor of ~0.8. My new PSU has a power factor of .99+

      My old PSU was ~75% efficient max, my new one is ~85-89% depending on load

      LED backlit LCD's consume about 1/2 the power of a fluorescent lit one, not to mention the lack of Mercury.

      My ATI 4850 consumes ~60 watts idle, the ATI 5770 I plan on getting soon will consume about 20 watts idle.

      For servers, the biggest power draw is going to be HD/CPU/PSU, but a "green" version of any of those can add up really fast.

    56. Re:What did you expect? by Mikey48 · · Score: 1

      Yes, you and Hugo Chavez are right, we should all pay a lot more for our consumer goods. Food and clothing should be local and expensive (and rare). /sarc

    57. Re:What did you expect? by greg1104 · · Score: 1, Funny

      That's right, I pay extra to get a genuine, Sony branded rootkit instead of the cheap ones that Dell ships.

    58. Re:What did you expect? by Anonymous Coward · · Score: 1, Interesting

      One problem is that, while computer design and production have been thoroughly "nativized" to the consumer market as commodities, there seems to be no consumer review or advocacy group that can evaluate hardware quality issues where they live.

      As a result, computer reviewers talk a lot about features, pricing, and the marketing plans of chipmakers, plus items like keyboard feel and fit and finish, but don't discuss matters like the quality of the capacitors in the power supply, the firmware in the BIOS, or other issues having to do with the quality of electronic components and other matters that are too far "under the hood" to be discovered by benchmark testing or subjective door-slamming and tire-kicking.

      Is it realistic to suggest that somebody or some bodies could fill this niche and actually evaluate consumer computer quality in some depth--or are we just asking for information that's not available to be evaluated?

    59. Re:What did you expect? by innocent_white_lamb · · Score: 3, Insightful

      Good example of this - ... I'm typing this on a 745 that has a "Assembled in the USA" sticker on it)
       
      I don't know if your example is all that good.
       
      You do realize that there is a huge difference between "Assembled in the USA" and "Made in the USA", right?

      --
      If you're a zombie and you know it, bite your friend!
    60. Re:What did you expect? by blackraven14250 · · Score: 3, Insightful

      Just because they don't know how to put the words together coherently into sentences following proper grammatical structures doesn't mean they can't write. It means they're not going to be writing research papers.

      Also, if you think the criteria for India and China's literacy rates is different or inherently superior to the US, you'd be sorely mistaken.

    61. Re:What did you expect? by jessedorland · · Score: 0

      Chinese have the best education system -- minus red politics. Nonetheless, it'd be foolish for us to believe that natives of that country will not take any action, or they won't fight back. Not all of them are going to kill themselves like it happened in Apple's concentration camp "Foxconn Technology"

      --
      Even veals have more autonomy!
    62. Re:What did you expect? by Anonymous Coward · · Score: 0

      You do raise a good point. *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell. Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.

      What a bunch of baloney. If the consumer said, "I'll pay X for that, that's a good enough price", then the manufacturer would try to drive the cost of production to zero so they can stuff the largest part of X into their pockets. '*We* the consumer' are just doing the same thing - trying to keep money in _our_ pockets.

    63. Re:What did you expect? by Anonymous Coward · · Score: 0

      Amen.

    64. Re:What did you expect? by Stan+Vassilev · · Score: 1

      He's not saying that all of China is illiterate or anything like that. He's just saying that the US has a 99% literacy rate, and China is at about 93.3%, and those factory jobs aren't always staffed by the highest-educated people, just like here in the US. There's nothing wrong with it. It's just the way things are.

      Isn't it nice you can look that up on Wikipedia with your "Made in China" computer?

      Also look that up: China population vs USA population. The number of literate people in China is 4 times the entire US population.

      I know some people are easily confused by poor English and stereotypes. But their asm, c++ and hardware design skills are quite competitive.

      Talking about it, how's your Chinese?

    65. Re:What did you expect? by Anonymous Coward · · Score: 0

      Perhaps he didn't understand the word "perceives". It has, after all, two syllables.

    66. Re:What did you expect? by Anonymous Coward · · Score: 0

      {Citations needed}

    67. Re:What did you expect? by Anonymous Coward · · Score: 0

      This line of logic is bizarre to say the least. If the downward pressure on prices "forces" a company to reduce costs by stealing does that make the consumer responsible for their theft? No. What kind of exalted status does a business have in your world where they can't be responsible for any decisions they make?

    68. Re:What did you expect? by dkleinsc · · Score: 1

      It's from the 50s when we had something resembling free markets. Quick, how many major computer hardware manufacturers are there? So what are your choices, really? What are the choices of the general public, who know very little about computers or what goes into them?

      Which 50's are we talking about? The 1950's had some of the highest taxes, tightest regulations, and greatest consolidation of markets for consumer products in American history. Quick, how many different telecom companies could you work with in 1955? How about computers? How many choices did you have in a rather competitive market (at the time) like cars?

      If you want to compare with markets that are free by libertarian standards, you have to go back to the 1850's and look at markets that weren't yet industrialized, like potatoes or buggy whips.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    69. Re:What did you expect? by fuzzyfuzzyfungus · · Score: 1

      Ultimately, it would probably be wiser to focus on trying to guarantee security even in the possible presence of malicious actors, rather than attempt to create a system free of them.

      Unfortunately, this is a hard problem in two basic respects:

      1. Hardware is hard: Unless you are seriously good, and paying substantially more attention than is likely to be economically viable in most instances (yeah, sure, the new desktops for the call-center drones should be ready in a couple of weeks, once we finish electron microscopy and logic verification of all integrated circuits...) it will be possible for malicious hardware to lie to you. Much harder than malicious software, since you actually have to have your bad actors well placed in the silicon design process; but harder to detect.

      2. Software producers (even ones whose business is hardware) would rather have their stuff be secret and demand that you trust them. Even though a lot of things like IPMI cards are basically just running approximately the same embedded Linux that your cheap-ass router is, plus some sort of vendor management console interface, Dell doesn't exactly offer you the chance to compile it from source yourself (maybe, if you are a serious customer, they would talk; but it isn't standard).

    70. Re:What did you expect? by clarkkent09 · · Score: 2, Informative

      The most obvious way to do that is slap a tariff on the goods.

      The most obvious and the most wrong. We can never be better off as a nation by increasing the overall cost of the goods we purchase. Workers in certain industries can be better off because tariffs harm their more efficient foreign competition, but those workers are better off only at the expense of a) consumers who are forced to pay more for goods and b) other workers who are losing jobs because their employer's costs have increased. Classic example has been the steel tariffs: great for the steel industry workers but the unseen victims are the workers in every industry that now has to pay more for steel => charge more for products => lose customers and eventually cut down on jobs and pay for its workers. There are no serious economists advocating protectionism any more, that battle has been won by free trade proponents many decades ago. There are only occasional left wing loonies who think you can magically increase prosperity by legislation - really a form of broken window fallacy (in this case breaking the window = artificially imposing extra costs on production by tariffs)

      --
      Negative moral value of force outweighs the positive value of good intentions.
    71. Re:What did you expect? by YouWantFriesWithThat · · Score: 1

      the most reliable car i have ever owned was purchased for $50.

    72. Re:What did you expect? by Anonymous Coward · · Score: 0

      Sony?

    73. Re:What did you expect? by Unequivocal · · Score: 1

      What do you mean by literacy? Where do you get your 99% literate number? I work in education and believe that the percent of our population who is functionally literate (able to read and write at an 8th grade level) is much lower than that..

    74. Re:What did you expect? by Anonymous Coward · · Score: 0

      My mother's job was outsourced to China/Mexico/India. She keyed Medical Claims... HOW precisely was she the cause of THAT problem...?

    75. Re:What did you expect? by Alex+Belits · · Score: 1

      "From 2000 to 2005, the number of illiterate Chinese adults jumped by 33 percent"

      That's between number of illiterate people in 2000 and number of illiterate people in 2005 one. If there were three illiterate adults in China in 2000 and four in 2005, that would be 33% increase.

      --
      Contrary to the popular belief, there indeed is no God.
    76. Re:What did you expect? by Minwee · · Score: 1

      Dell decided to produce cheaper, in order to compete on price. They could have decided to compete on, say, quality, service, security, or any other area. They didn't.

      That's right. They could have gone the way of Alienware and competed on quality while keeping prices high.

      Of course, Alienware was bought up four years ago and is now a wholly owned subsidiary of Dell, but just keep on thinking happy thoughts.

    77. Re:What did you expect? by Waffle+Iron · · Score: 1

      There are no serious economists advocating protectionism any more

      That's because the entire field called "economics" is a giant stinking crock of bullshit. So-called "economists" are driving this once great nation straight down the shit tubes with their pseudo-theories. There are no serious economists.

      Trotting out the "broken window fallacy" to support any point is one particularly idiotic habit of economists.

    78. Re:What did you expect? by BitZtream · · Score: 1

      You need to learn what 'assembled in the USA' means.

      That simply means the very final assembly was done in the US.

      That could mean that they screwed in one screw, an extra quarter of a turn, in a US facility.

      That does not mean that the majority of the work was done in the US.

      I'm guessing you've never worked in retail due to your shock at how much things get marked up.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    79. Re:What did you expect? by treeves · · Score: 1

      I know "demand" is an economic term with distinct meaning, but when you say we *demanded*, what you really mean is, that company A offered a laptop for $900 and company B offered a comparable laptop for $700, and we reasonably (it would be stupid not to) chose the company B offer. There is a different sequence of events happening than is suggested by saying we demanded. There is a large demand for laptops, meaning if you put them up for sale they will all be bought, and company B *chose* to take advantage of the situation by exploiting workers in developing countries, without any suggestion or demand by consumers that they meet the demand in that way. Someone in company B, near or at the top, most likely, had to come up with that idea and choose it, not the consumer.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    80. Re:What did you expect? by Alex+Belits · · Score: 1

      Are you claiming that there are less people in US willing to mess with other people in US, than people in China willing to mess with people in US?

      While recent trend is "steal locally, scam globally", malware usually originated from someone who is willing to benefit from scams, and US has no shortage of those people.

      --
      Contrary to the popular belief, there indeed is no God.
    81. Re:What did you expect? by BitZtream · · Score: 1

      Nobody forced them to outsource to China.

      No, it was just an intelligent business decision. China is better off because of it.

      Here are the options:
      Some chinese people get to work in a sweatshop for Dell
      or
      Some chinese people DON'T get to work in a sweatshop for Dell.
      or
      Americans can do the work, but stop demanding to get paid a ridiculous amount because they think they deserve to get rich because they woke up this morning.

      Two of those options result in someone in china starving, one doesn't. You can argue that sweatshops are bad and evil, but why don't you go over there and ask them if they'd be happier to not have the assembly plant. I think you'll find the only people who give a flying fuck are spoiled brats in other countries who don't actually know how shitty life can actually get.

      Just because everyone else does it does not mean you have to do it

      When everyone in the world is half your price and you have no other redeeming quality to make you better than the rest, then yes, you have to do it or you go out of business.

      Dell can not bring anything to the table on a PC to justify charging more than anything else. They have nothing unique to offer that I can't get from Acer or my local computer shop.

      Nobody was forced to buy from them. I did. And I'll do it again. I'm not delusional though, so I don't expect you to understand.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    82. Re:What did you expect? by lgw · · Score: 1

      "Since 70% of China's population live in the countryside, and rural adult illiteracy rates are high and the gender disparities are also large in the countryside, the priority and the difficult area of literacy work lies in rural areas."

      Just because the facts get in the way of your feeling of "the way things should be", don't let that stop you from judging others who point the facts out. Talk about feeling superior.

      You've presented some evidence that people who don't work in factories in China have a literacy rate that the Chinese consider problematic, in support of your argument that factory workers in China are illiterate. How proud you must feel.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    83. Re:What did you expect? by Bigjeff5 · · Score: 1

      Actually, I would consider being able to read as the criteria for "literacy".

      But at what reading level should you be considered "literate"? While 99% of American adults can read something (making them technically literate), it is estimated that 20% of them are functionally illiterate - that is they can read less than about 2,000 words.

      This makes reading things like warning labels and food ingredient lists virtually impossible, since the vast majority of those 2,000 words (or less) come from those "See spot run" sight reading books. People with less than a 2,000 word reading vocabulary cannot even read a newspaper. I would personally consider a newspaper at the very low end of the reading spectrum, you only need 10,000 or so words to read it, which would make a good minimum if we could rely on them to stick around for the next hundred years.

      Children are not taught phonics, and while the majority of children can pick up on the phonetic meaning of the letters in each word, there is a large percentage that does not, and they receive zero assistance to correct the problem. They are simply pushed through the school system and left to fend for themselves.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    84. Re:What did you expect? by sjames · · Score: 1

      There's a reason McDonald's registers have little icons on the buttons rather than English. Given working conditions and pay there, they couldn't find enough employees who could read English.

    85. Re:What did you expect? by Anonymous Coward · · Score: 0

      US manufacturers are not trying to infiltrate the US..... Silly!

    86. Re:What did you expect? by Anonymous Coward · · Score: 0

      Do you really think all the factories are in the city? Do you really think all of the factory workers live in the city?

    87. Re:What did you expect? by swb · · Score: 2, Insightful

      How many choices did you have in a rather competitive market (at the time) like cars?

      Domestically? At least five: Hudson (which became AMC), Studebaker, General Motors (which we'll count as one, despite the fact that in the 1950s there was a lot more distinction between division products), Ford and Chrysler.

      And then there were niche players, like Checker whose vehicles were primarily for the livery market but went on to sell normal end-user vehicles.

      What do we have now? Three, sort of -- GM has closed its Olds and Pontiac divisions, making for fewer choices, although realistically the marques of GM have had little distinction since the 1970s, Chrysler is owned by Fiat, and Ford isn't what it used to be.

      Import-wise we have more choices now, but to be fair to 1950s markets, Europe and Japan were in recovery and the vehicles produced at that time were more attuned to local market conditions (less expensive, smaller, etc) than American consumer demand (larger, more powerful, etc).

    88. Re:What did you expect? by allenthelee · · Score: 0

      Interesting, you just invalidated your own argument. You first state a belief that the global free market is a multiplayer prisoner's dilemma game, in which "rational choice" or "homo economicus" should be used in a game theoretic context to model decision making, and then you go on to say that economics is a giant stinking crock of bullshit. Are you aware that rational choice / homo economicus is one of the basic assumptions economists use to build their models and theories because it makes it mathematically tractable?

      It's quite apparent from field studies and experiments that people can be quite cooperative in their economic decision making and do not act like homo economicus. Of course, exceptions and examples abound of defection in collective action situations (global warming, collapse of fisheries, corporate resource extraction).

    89. Re:What did you expect? by AK+Marc · · Score: 1

      The point wasn't nutrition. The point was counting being able to "read" McDonald's from the Golden Arches (tm) is not literacy. Being able to read isn't a boolean. A first grader that can sound out the letters and combine the sounds to form 60% of the words in the language, slowly and with difficulty isn't literate. That was the original point, that literacy isn't a boolean. The US being 99% "literate" at a 6th grade level doesn't mean much if other countries are 95% literate at a 12th grade level. For all we know, such numbers could be stated as the other country being 99% literate at the 6th grade level and the US at 50% for the 12th grade level.

      McDonald's is involved in literacy rates because people are making fun of just being able to order from McDonald's (or even recognizing it) does not imply functional literacy.

    90. Re:What did you expect? by AK+Marc · · Score: 0, Troll

      The number of literate people in China is 4 times the entire US population.

      Which is an irrelevant statistic if you are comparing equal sized factories in the US vs China. I'm not saying the GP's point was valid, but that yours is stupid.

      Talking about it, how's your Chinese?

      Probably better than yours. But if you wanted to work on that, they are hiring white people in China to be white...

    91. Re:What did you expect? by ShadowFalls · · Score: 1

      I could surely say there would be no 100% guarantee. But the percentage would be close to 100%. Those overseas aren't going to get held responsible and seek potential jail time like they would if they lived in the country in which these were sold in.

    92. Re:What did you expect? by Waffle+Iron · · Score: 2, Interesting

      Are you aware that rational choice / homo economicus is one of the basic assumptions economists use to build their models and theories because it makes it mathematically tractable?

      Yes, and somehow free-market infatuated economists come to the exact opposite conclusion that I pointed out. They claim that the free market finds the optimal solutions when it obviously can't.

      What's worse, they assume that the results of adding up a bunch of individual decisions can be modeled with simple linear mathematics and can be used to fine tune policy. Then when their models are driven into a nonlinear or chaotic zone and spectacularly blow up every few years, they just shrug it off and keep doing the same thing. But incredibly, people keep buying the snake oil peddled by these cargo cult "scientists".

    93. Re:What did you expect? by sjames · · Score: 1

      That's the party line, but it doesn't really read true. Wall street would like you to believe it since that allows them to pocket the money they'd otherwise have to give to the union workers. We the consumer won't see any of it either way.

      Union-management relations ARE bad. They're the very definition of dysfunctional in some cases. However, for every over the top union rule, there's an attempt to end run the union that caused it to be implemented. Note that since the wake up call, GM and Ford are doing better now, in spite of those 'evil' unions.

    94. Re:What did you expect? by TeknoHog · · Score: 1

      God. And all this time I thought that was an upside down double-u.

      "Wc" is probably a better description of the food quality anyway.

      --
      Escher was the first MC and Giger invented the HR department.
    95. Re:What did you expect? by Anonymous Coward · · Score: 0

      I work in the Dell factory is not sensitive to fool you!

    96. Re:What did you expect? by twoallbeefpatties · · Score: 1

      I'll note that my own personal opinion of unions is that unions can become corrupt just like any business or government or other organization can become corrupt, but that doesn't mean that I advocate for the dissolution of all labor unions. I was just noting that it's interesting the way we pitch this - Goods made in China are poor quality because we pay the workers too little! Goods made in America are poor quality because we pay the workers too much!

      I'm not sure where the workforce is that we would pay just the right amount of wages to get quality goods. ...Canada, maybe?

      --
      Libertarians somehow believe that private businesses should be stronger than governments but weaker than individuals.
    97. Re:What did you expect? by Anonymous Coward · · Score: 0

      Dell should be OK for servers.

      A few years ago in a prev company, I found that IBM's x336 servers were better designed and of better quality than the "equivalent" Dells. And they weren't really that much more expensive. The Dells weren't crap, they just weren't as good. Cheaper, less reliable and layout not so good. Noisier too.

      But I think the Dell servers have improved in design - they look comparable now:

      IBM: ftp://public.dhe.ibm.com/common/ssi/pm/rg/n/xso03094usen/XSO03094USEN.PDF
      Dell: http://www.dell.com/downloads/global/products/pedge/en/server-poweredge-r610-tech-guidebook.pdf

    98. Re:What did you expect? by Anonymous Coward · · Score: 0

      He's not saying that all of China is illiterate or anything like that. He's just saying that the US has a 99% literacy rate, and China is at about 93.3%, and those factory jobs aren't always staffed by the highest-educated people, just like here in the US. There's nothing wrong with it. It's just the way things are.

      USA - 86% literacy rate (source: United States Department of Education)
      China - 91% literacy rate (source: CIA Factbook [Yes, I know that The CIA Factbook is not a reliable source, but it was the only one I could find with Google and it would make no sense for CIA to claim a higher rate of literacy for China than it actually has])

      Most countries in Europe have over 99% literacy, Northern Europe (sine GB) and Cuba >99,9% (and EU as a whole would have over 99%, if it wasn't for Greece and Turkey, two countries with low literacy and large populations) and there are a few countries in South America that are very close to 99%, but that's about it as far as I know. To believe the USA has a 99% literacy rate is very delusional. Your neighborhood might have a 99% literacy rate, but the whole of USA, no, no, no ...., that's madness.

      The literacy of industrial workers (= younger people) in China is however, at least officially, over 99% and almost as many can read English (I read this in a very triumphant press release from some department in the Chinese government a few years back, they also gave a number for the gigantic expense they had for achieving this, but I can't find the source).

    99. Re:What did you expect? by Bill_the_Engineer · · Score: 1

      True. However Apple does have labor, safety, and environmental standards that their fabricators must abide by. http://www.apple.com/supplierresponsibility/

      My point was not that Apple and others didn't outsource, but that there are other computer manufacturers that chose to compete mostly on features instead of solely on price.

      Remember the grandparent post, that I replied to, suggested that Dell was forced to outsource because consumers demanded cheaper machines.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    100. Re:What did you expect? by Bill_the_Engineer · · Score: 1

      There was a time that you paid a premium for a Sony brand machine, that is not necessarily true today.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    101. Re:What did you expect? by Bill_the_Engineer · · Score: 1

      True. Alienware was purchased by Dell so that they could enter the boutique gaming PC market.

      It is my understanding that Alienware doesn't directly compete on price. Of course being a DELL they have a token under $1000 machine, but the rest of them are configured for sale above $2000.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    102. Re:What did you expect? by Anonymous Coward · · Score: 0

      Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

      I hope you take back the "barely literate people" part because it is untrue.

      To say that is to think too highly of your own self.

      I can't tell what your intent is, so I'm assuming you are serious. Unfortunately, "to say that is to think too highly of your own self" is a fallacy. There is no inherent connection between the potentially-disparaging statement and the puffery you assumed from that statement.

      Moreover, "barely literate" is an objective modifier. 'Literate' and 'barely' both have meanings that are identifiable and objectively measurable (yes yes, barely is a matter of degree and so is fuzzy). Hence (ignoring tone), we can make no assumption about the declarer's self image from making such a statement.

      Including tone, we may know something more about the declarer's perception of the "barely literate people", but that still tells us nothing about his own self-perspective. We can maybe assume he thinks more of himself than the "barely literate", but that still isn't necessarily too high. It could be very reasonable, as he is clearly literate (whereas we have no evidence if the "barely literate" truly are barely literate or highly literate instead).

      In short, a mean tone doesn't mean that the person thinks too highly of himself. Moreover, noting that some people are better at some things than others isn't overly self-aggrandizing either. Not everyone is equal and not everyone has to act like it. Get over it and stop feeling self-righteous for acting baselessly egalitarian.

    103. Re:What did you expect? by Anonymous Coward · · Score: 0

      If you want them assembled here, Call your senator and representatives today and petition them to :

      A. End ALL tax breaks for those companies who move jobs overseas.

      B. Impose a 200% import duty on all manufactured goods. This will help pay off our deficit and get us working again and give these jobs to people who may care.

    104. Re:What did you expect? by Anonymous Coward · · Score: 0

      Such rhetoric. These cheap Vietnamese goggles, they do not work against it!

    105. Re:What did you expect? by interval1066 · · Score: 1

      "Well, at least you had the gonads to post it under your own account..."

      Why, should I fear your almighty wrath?

      "However, in a lot of less well-off countries in the world, there IS a perception that Americans (in general) have an inordinately large amount of money."

      And I should give a sh*t because...? I don't know anyone where *I* live who lights a cigar with a pile of money. I work very hard and save as much as I can; I've been given nothing, and earned *everything* I have. So you tell me how much of a sh*t I should give to your idiotic perceptions. You know the Mikado? One of my favorites; "...your notions, though many, are not worth a penny." And f*ck off.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    106. Re:What did you expect? by 24-bit+Voxel · · Score: 1

      I can't help but think we deserve this. We outsource important jobs for machines that make up the lifeblood of our society and then act all surprised when they come back as spying tools.

      Duh!

      The Russians used to put this kind of thing in copy machines, but that was a lot harder than just mass producing rootkits.

      We exported our jobs to save a few bucks, and this is what we get for it. There *may* just be a lesson to be learned here...

      On the flip side I don't think the illiterate employees had anything to do with it. Even if they did, it really doesn't matter. These things are getting built in another country, with terrible human rights records, for pennies on the dollar, by a totalitarian government... and we expect them to be fine? Wish I lived in that world. I'd ride my rainbow cloud to work every day...

      We'll keep doing it though because an extra $5M a year and stock options for the highest execs for saving all that money is a hell of a lot more important than the safety and security of a country they can afford to leave behind when the shit hits the fan.

    107. Re:What did you expect? by Bigjeff5 · · Score: 1

      ...in 1955? How about computers?

      That's not fair, computers back then were still being programmed by flipping light bulbs on and off. They were barely more than university science experiments.

      You're dead on about the telecom company though (that's right, there was only one of them).

      like potatoes or buggy whips.

      Fun fact: more buggy whips are sold today than there were in the 1800's (you can find a buggy whip maker in just about any major city).

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    108. Re:What did you expect? by Bigjeff5 · · Score: 0, Offtopic

      Relative to the majority of the world, just about all US citizens (and any European citizen, too for that matter) are very, very rich. It's just a fact of life - we've done well for ourselves over the last 200 years. We're actually slipping lately, but we're still, individually, richer than the vast majority of the people in the world.

      Most people don't realize that it's their own oppressive governments that are keeping them down, because they have someone to look at and resent.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    109. Re:What did you expect? by hsbaker · · Score: 1

      If you define "cheap" as paying the least for the most tangible value. I'm sure most people do not have the luxury of spending their money otherwise.

      --
      I don't think that word means what you think it means.
    110. Re:What did you expect? by sjames · · Score: 1

      More like if it's manufactured in the U. S. of A. the people doing that sort of thing might actually think twice due to the risk of legal repercussions and not being so close to abject poverty that nearly any risk looks worthwhile for the chance to get out of it.

      Unless, of course, they hire illegals under the table in back alley sweatshops.

    111. Re:What did you expect? by Anonymous Coward · · Score: 0

      poison milk, poison firmware

    112. Re:What did you expect? by Anonymous Coward · · Score: 0

      Dell has always outsourced *EVERYTHING* it is their entire model. The only thing they do (and sometimes they do not do this either) is assemble.

      Think of your local corner computer shop except at scale. That is Dell. It is how they started and have operated for years... They work on the 'just in time' model. Meaning until you 'buy it' it (and its bits) are not even in their warehouse many times.

      It is why buying from them is sometimes a crapshoot. You may be getting the good model, or you could be getting the latest cobbled together crapware from some other OEM.

      Many of the 'name brand' OEMs work the same way.

    113. Re:What did you expect? by doomicon · · Score: 1

      "but why don't you go over there and ask them if they'd be happier to not have the assembly plant."

      Based on a documentary I saw (yea can be biased), there are workers who are content, but there were plenty who were not. Forced to work ridiculously long hours, then there is the suicide issue that has cropped up. If they are choosing suicide and insurance payouts over working at the factory.. hmm..

      "Americans can do the work, but stop demanding to get paid a ridiculous amount because they think they deserve to get rich because they woke up this morning."

      As a generalization, I would have to agree with the above statement.

      --

      Awesome!
    114. Re:What did you expect? by lmcgeoch · · Score: 1

      "See spot run" sight reading books...Children are not taught phonics, and while the majority of children can pick up on the phonetic meaning of the letters in each word, there is a large percentage that does not, and they receive zero assistance to correct the problem. They are simply pushed through the school system and left to fend for themselves.

      Um Children ARE being taught phonics http://www.nifl.gov/childhood/phonicsIns.html

      and Dick and Jane books haven't been taught in a very long while. http://en.wikipedia.org/wiki/Dick_and_Jane

    115. Re:What did you expect? by Peach+Rings · · Score: 1

      Wow, the number is really high. I mean, I should have guessed it from youtube comments, but it's still surprising.

    116. Re:What did you expect? by Chas · · Score: 1

      My almighty wrath?

      Pfft!

      You evidently haven't a clue what it takes to make me wrathful.

      No. Merely a compliment that you had the testicular fortitude to post it under your own account name instead of AC'ing like a bunch of the pansies here would.

      Nothing more, nothing less.

      "And I should give a sh*t because...?"

      Why did I say you should give a shit? Merely presenting you with data here. Use that data how you want (or don't use it at all).

      Additionally, it's not MY perception (FYI, I'm from Chicago).
      And yes, as much as some people wish it weren't, it's American soil. =)

      However I've worked overseas and have come up against this perception on several occasions.

      Again, I'm merely making note that the condition exists. Nothing more.

      If you still want to be salty, that's your own problem Mr. Internet Toughguy.

      --


      Chas - The one, the only.
      THANK GOD!!!
    117. Re:What did you expect? by somersault · · Score: 1

      That depends on your definition of "prudent". I wasn't aware that it had any ethical significance.

      Personally I probably would pay a little over the odds to buy from a company that I knew treated its workers well, but it's only recently that I've started making enough money to be able to make that kind of choice. Many other people still have to be careful with every one of their pennies, especially when it comes to buying luxury items like a computer.

      As a geek however I used to make sure my computer had good quality components even when I didn't have that much money, but your average person is just going to want to get the cheapest thing they can find that is able to browse youtube and play "The Sims" or whatever it is casual gamers play on PC these days.

      --
      which is totally what she said
    118. Re:What did you expect? by vertinox · · Score: 1

      Actually, we say that Detroit autoworkers were overpaid and got way too many benefits for their unskilled labor due to inflexible, corrupt unions - sort of the opposite thing to what we're saying about offshored labor. But who's counting?

      Did the Detroit autoworkers install malware in their cars?

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    119. Re:What did you expect? by Anonymous Coward · · Score: 0

      a) consumers who are forced to pay more for goods and b) other workers who are losing jobs because their employer's costs have increased. Classic example has been the steel tariffs: great for the steel industry workers but the unseen victims are the workers in every industry that now has to pay more for steel

      Right, and outsourcing for cheaper labor doesn't cause losing jobs?

      (...) There are no serious economists advocating protectionism any more (...)

      Hum, are you an economist? Anyone who thinks otherwise is what? Not so serious economist? A communist perhaps?
      Protectionism exists for a reason, that is to make things fair. But if you disagree you can always go to China and work for food you know, I think it's a serious economist thought

      Ohhh yes, economists and their theories, people die so that their numbers can be perfect.

      And have a nice day...

    120. Re:What did you expect? by sjames · · Score: 1

      I think it's really a false problem to mush the two claims together. There are claims that union workers get too much pay for too little work (mostly from people who want to get WAYYYYY too much pay for hanging out on the golf course) but I've not heard their pay claimed as a reason for crappy quality. It's usually the various protective rules that get blamed for lack of quality (certainly it couldn't be management wanting to bring in dirt cheap parts or being too busy building fiefdoms and having turf wars to actually manage).

    121. Re:What did you expect? by Burz · · Score: 1

      Trade war is not the best response to what is actually a class war.

      Maybe the only way to change the situation (for the better) is to realize that the prison is being run for someone else's benefit, and take away some of the power they have over the prisoners.

    122. Re:What did you expect? by Stan+Vassilev · · Score: 1

      Which is an irrelevant statistic if you are comparing equal sized factories in the US vs China. I'm not saying the GP's point was valid, but that yours is stupid.

      How can you compare equal-sized factories in US and China, when US barely has any left.

    123. Re:What did you expect? by rtb61 · · Score: 1

      More accurately it is not illegal for a government to insert code into a product manufactured locally that will be exported. It has been reported that the US has done this exact same thing in the past.

      The real problem is Dell outsourcing everything and palming off warranty repair costs directly onto the component manufacturer. This creates a mind state at Dell where they don't have to check anything because the cost of repairs won't affect them. As such they become known for this behaviour and foreign companies and foreign intelligence agencies will exploit it ( the companies illegally and the intelligence agencies both legally and illegally).

      A real difficult problem to tackle. Safe thing to do all, where possible only government technology infrastructure should be locally sourced, whether local state or federal. Where it can not be locally sourced it should be checked and validated as secure by a government controlled clearing house, a federally mandated security assessment technology bond store. This in effect re-localises the security risk and evades the whole it is legal for foreign intelligence agencies to insert network insecurities into exported products.

      --
      Chaos - everything, everywhere, everywhen
    124. Re:What did you expect? by paddleyay · · Score: 1

      There is a big difference between assembled in the USA and manufactured in the USA. Assembled means put together from parts mostly made in China, the chassis are shipped over with motherboards, PSUs, cabling and such already installed and then based on your selection of CPU, disk, memory etc those parts are put together in the US. The process is essentially the same. Your Apples, HPs, Lenovos etc have all been built and assembled in China and other places for years.

    125. Re:What did you expect? by CoderJoe · · Score: 1

      Yeah... The icons couldn't possibly have anything to do with the brain being able to locate something faster as a picture than as words...

      If the worker can more quickly locate the buttons they're looking for, they can more quickly take the order and serve the customer.

    126. Re:What did you expect? by stewymcstewstew · · Score: 1

      If you own any Dell servers you can check the FCC label and see where your server was assembled.

      It will be either Ireland, the US or currently Poland. The machines in question (the Poweredge R410) are assembled in Poland. I can only imagine there are a few Polish members of slashdot that would disagree with your characterization of them as "barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money."

      Shipping motherboards with spyware embedded is certainly not acceptable but neither is making inaccurate sweeping generalizations.

    127. Re:What did you expect? by themusicgod1 · · Score: 1

      The problem is that the "global free market" is a multi-player version of the Prisoner's Dilemma game. It's been proven that in absence of communication between the players, the rational choice in this game is to always "defect".

      The answer isn't tariffs, trade or class war. The answer is more communication between the goddamn players. All of them. A technical solution exists for this problem.

      --
      GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
    128. Re:What did you expect? by godefroi · · Score: 1

      Just wondering, what's it caused by?

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    129. Re:What did you expect? by godefroi · · Score: 1

      Ah, I see. It's *OUR* fault Dell sold infected motherboards.

      I find your ideas intriguing and I wish to subscribe to your newsletter.

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    130. Re:What did you expect? by godefroi · · Score: 1

      LED backlit LCD's consume about 1/2 the power of a fluorescent lit one, not to mention the lack of Mercury.

      You mean like this fluorescent backlit 55" LCD (available from Costco) that consumes 122W, compared to this (also available from Costco), which is the LED-backlit version, which consumes 150W?

      Er wait.

      That's not right. Or maybe you're just making numbers up?

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    131. Re:What did you expect? by Deefburger · · Score: 1

      It's teaching to the test. Teacher "Ok Johnny, what is this?" (Points to McD sign.) Johnny "McDonalds!" Government "There! Your tax dollars at work! 100% Literacy for the remarkably low price of $100000000000 and ONLY 2500 pages of incomprehensible legislation. Yes, we are here to help. Our expert bureaucrats have determined that the problem of learning is the number of words tested for, and in scientific studies of rats, it was found that the less words you use, and the more greasy food you use, the MORE they learn!" Teacher "My hero! (Now cough up my retirement!)"

      --
      Most people are mostly good most of the time.
    132. Re:What did you expect? by godefroi · · Score: 1

      So I should pay more so someone in China doesn't have to starve?

      Or, did you mean that I should pay LESS so someone in China doesn't have to starve?

      How about this: I pay whatever it costs to produce a product with the design, functionality, and level of quality that I require, in the market that I participate in?

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    133. Re:What did you expect? by Quirkz · · Score: 2, Funny

      A lack of money, mostly.

    134. Re:What did you expect? by godefroi · · Score: 1

      So here's a radical idea. Let's allow the failing businesses to fail, so they can be replaced by new businesses that will have (hopefully) learned from the mistakes of their predecessors.

      The problem that I see is that we continue to prop up failing businesses at the expense of the taxpayer.

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    135. Re:What did you expect? by Pharmboy · · Score: 2, Informative

      Several things can cause a country to be poor: Lack of natural minerals or water, political instability, inability to invest in infrastructure due to a number of reasons (political, laws that make investment a poor decision, etc.), no access to the ocean for transport (like Moldova) or simple location making it difficult to trade. War. Having a single source of income for the country (banana republics, for example.) Having neighbors that don't trade with you can be a problem (North Korea). Also having a system that has no middle class (Mexico) can lead to widespread poverty, even though Mexico has more natural resources than the USA, although literacy in Mexico isn't near other nations.

      Being a part of the Soviet Union for years and having these issues (like Moldova) is certainly an issue. Moldova is between Ukraine and Romania, and is an excellent place to grow crops, but their whole economy is too dependent on agriculture, and they have to import machinery. They do have a pretty good (and old) wine industry, but it is small. Moldova mainly needs a few more decades to heal from being a SSR for so many years.

      So yes, education is certainly a factor in poverty, but education doesn't "cure" poverty and is often not the primary reason for it.

      --
      Tequila: It's not just for breakfast anymore!
    136. Re:What did you expect? by atamido · · Score: 1

      LED backlit LCD's consume about 1/2 the power of a fluorescent lit one

      Do you have a source for that? I love LEDs, but I've never seen an LED that was more power efficient than a fluorescent tube.

      For large TVs, the big benefit of using LEDs is that you can make the display thinner than you can with a fluorescent tube. It is also possible to dynamically darken parts of the screen to increase contrast relative to the rest of the screen. But few LED backlit screens use this technology, and you pay much more for it.

      Information available here:
      http://en.wikipedia.org/wiki/LED-backlit_LCD_television

      (I realize that page says LED screens have lower power consumption, but the linked source clearly says reports are varied with some consuming as much as power hungry plasma displays.)

      There is also discussion of using three sets of LEDs in red, green, and blue for backlights. Then during display you cycle through the colors at an extremely high rate. This has the benefit of reducing the number of pixels by a third as you only need one pixel for an area instead of three discrete sub-pixels in an RGB configuration.

      Of course this has the downside of needing an LCD pixel that can cycle that quickly.

    137. Re:What did you expect? by Tom · · Score: 1

      When everyone in the world is half your price and you have no other redeeming quality to make you better than the rest

      Which is precisely my point. Your decision to compete on price. If you can't stand the heat, get out of the kitchen.

      --
      Assorted stuff I do sometimes: Lemuria.org
  11. To paraphrase Ghostbusters by MonsterTrimble · · Score: 5, Interesting

    I have not studied computer science, firmware trojans nor antivirus. Could someone explain to me:
    1) How do firmware trojans work?
    2) Are they OS independent?
    3) What information can they send and/or damage can they do to a system?

    --
    I call it 'The Aristocrats'
    1. Re:To paraphrase Ghostbusters by bannable · · Score: 4, Insightful

      Why is this modded flamebait? It seems like a legitimate question for someone unfamiliar with why this is interesting.

      --
      "If you see a man on a horse, he is likely an enemy. Kill the man and eat the horse."
    2. Re:To paraphrase Ghostbusters by Anonymous Coward · · Score: 3, Informative

      1) More or less the same as any other trojan, but they're much nastier.
      2) Yes, very much so.
      3) Depends on what piece of firmware it is specifically, if say, the BIOS was what was infected then pretty much whatever the hell they want/want to do. Raw dumps of the HDD in the PC(or even just particular files depending on how advanced the trojan is) and an inside track for exploiting the entire network that the machine happens to be connected to, while remaining mostly invisible to anyone but a good/dedicated sysadmin.

    3. Re:To paraphrase Ghostbusters by snadrus · · Score: 5, Informative

      Think embedded keylogger that sends results somewhere online for starters.
      Although it could be as advanced as a router that's been taken over and allow full remote access to the intranet the PC has. That way all the complex theft software is external.
      And of course it could monitor activity & brick the motherboard if someone was trying to detect it.

      --
      Science & open-source build trust from peer review. Learn systems you can trust.
    4. Re:To paraphrase Ghostbusters by Anonymous Coward · · Score: 0

      Well I am sure the first step would be needing to be a very dumb company.
      But then again, maybe you just need to be willing to do some shady business practice, and announce your motherboard and malware release at the same time, that way no one thinks worse of you.

    5. Re:To paraphrase Ghostbusters by RivenAleem · · Score: 1

      Probably because this is /. and anyone visiting here should know right well what it is and get off my lawn!

    6. Re:To paraphrase Ghostbusters by ColdWetDog · · Score: 1

      I see you two incomprehensible physics articles and one article touting an extremely dubious medical advance. Really, not everything important in the world runs Linux.

      --
      Faster! Faster! Faster would be better!
    7. Re:To paraphrase Ghostbusters by Anonymous Coward · · Score: 0

      Firmware trojans could do many things. Right now, lots of security is controlled at the OS level. If you gain access to the hardware then many other exploit avenues become available. At the simplest level you could disable some of the chip-based security mechanisms. At more complex levels you could run a keylogger to an IP on the Internet. At the receiving site it could look for something like "https://myonlinebank.com" and then a few characters later, maybe the username and password show up.

      Yes, they could be OS independent, but could also target specific OSes. For example, a keylogger would bypass completely laptop-based encryption. Since these motherboards were returns, it's certainly conceivable that you send a trojan'ed MB then one day get an encrypted system back to that same repair facility. Maybe the trojan allows bypassing the drive encryption...

      You can pretty much send anything. Easiest thing would be to put in a keylogger and then later on harvest from thousands of accounts. Heck, with the amount of ROM available and given the ubiquity of broadband connections, you could even send screen captures to a remote site.

    8. Re:To paraphrase Ghostbusters by ZosX · · Score: 1

      "I have not studied computer science, firmware trojans nor antivirus. Could someone explain to me:
      1) How do firmware trojans work?
      2) Are they OS independent?
      3) What information can they send and/or damage can they do to a system?"

      1) Modern computer firmware is almost like an operating system (in some cases it is, like Linux for instance.....). This is the software layer that is in between the exposed hardware and the real operating system running on top of the stack. It's like a BIOS, but much more developed and flexible. A BIOS generally just gives out hardware addresses and whatnot and allows the OS to interact with the iron pretty much directly. I believe that the LinuxBIOS people were some of the first to start developing something other than a dumb BIOS. So yeah, you have a mini-OS running on your hardware which can be exploited any number of ways without your actual operating system being any wiser.

      2) Is your BIOS OS independent?

      3) They could easily send keystrokes and probably network data. In theory you could probably build something that would read a whole hard drive and forward its contents somewhere else.

    9. Re:To paraphrase Ghostbusters by Anonymous Coward · · Score: 0

      Hi there. I am lazy but please:

      1) I am lazy
      2) I am lazy
      3) I am lazy

  12. Who can we trust??? by Anonymous Coward · · Score: 0

    I mean, if these motherboards from China are coming with malware... who knows how many of that stuff is already out there spying on us or using our PCs as bots without any way of finding out?

    They might have it where there can be an extra chip on the board that simply copies the packets you're sending out and also sends them to some server over in China.

    DoD has brought up this concern before, yet hundreds of Dell PCs are in secret military compounds and companies that do classified work, and a few years later China comes out with the same weapon/spy-tech.

    1. Re:Who can we trust??? by Pete+Venkman · · Score: 1

      Even if all of the computer systems are compromised, I'm pretty sure that China would still need insiders to explain the stolen information or to tell them which data are important.

    2. Re:Who can we trust??? by mesanchez · · Score: 0

      I think that you are reading too many sci-fi comic books or maybe spending too much time on C&C Red Alert

    3. Re:Who can we trust??? by snadrus · · Score: 1

      Trust air gap!

      Anything that millions of tax dollars build in secret should not be stored on a machine that accesses the Internet.
      And this is how it's done. I've fixed complex 100+ PC networks that intentionally have no Internet connection.
      No Antenna + No wire == safe.

      --
      Science & open-source build trust from peer review. Learn systems you can trust.
    4. Re:Who can we trust??? by Rockoon · · Score: 1

      Are you SURE that there is no antenna? Pretty much anything made of metal can act as an antenna.

      --
      "His name was James Damore."
  13. "You can't blame Dell"? WTF!?! by Anonymous Coward · · Score: 2, Insightful

    How can you make such a claim?

    Outsourcing to the cheapest bidder absolves them of responsibility?

    I guess OJ really was innocent, and the lady that burned her own crotch by spilling coffee on herself really did deserve the million bucks from McDonalds..
    No wonder the world is in shambles..

  14. Re:"You can't blame Dell"? WTF!?! by Anonymous Coward · · Score: 1, Informative

    Please stop bringing up the McDonalds coffee case if you don't know the facts, and if you did know the facts you wouldn't have brought it up. Granted, even if you fully believe the decade old media misrepresentations of the case, I fail to understand how it's remotely relevant here.

  15. systematic attack? by rebmemeR · · Score: 2, Interesting

    many parts are sourced from china. would it not be distinctly possible for that government to experiment with such trojans? most likely the evidence trail would be hard to track.

    --
    Birth is the leading cause of death.
    1. Re:systematic attack? by kubitus · · Score: 0
      do you think the US is too stupid to place spyware/trojans into firmware?

      why does it always have to be China?

      buy a simple FPLA designer board for $200 and design for example an ethernet interface

      then you add some SW routines you like. If you are clever you put in code that loads other code out of the NIC's datastream when triggered by some code in the datastream!

      -

      voila you have a Trojan Boot Loader which acts as your customer paid sleeping spy - to be activated via serial number!

      - sweet slumber non-paranoids!

  16. Third party use of server by Anonymous Coward · · Score: 0

    Imagine the repercussions for all other companies rebranding these servers for their blackbox security appliances, which are basically spray painted Dell servers with a custom OS and apps.

    Who uses Dell for turnkey appliances? Can they vet that their products (some of them performing security related functions, coincidentally enough) are not vulnerable?

    yikes.

    1. Re:Third party use of server by Rob+Riggs · · Score: 1

      Google uses Dell for its Google Search Appliance. IIRC, they ship directly from Dell these days.

      --
      the growth in cynicism and rebellion has not been without cause
  17. I like where this is going. by boneclinkz · · Score: 5, Funny

    **This call may be monitored for quality assurance purposes.**

    Customer: Hi, my computer won't POST.

    Steve (Samir): Okay, sir, first we must try a few things. Is the machine currently plugged in?

    **3 hours later**

    Steve: Sir, the problem appears to be a faulty motherboard. Unfortunately your system is out of warranty. Luckily, while the system was operational, our integrated key-logger was able to pull your shipping address and credit card numbers. We have billed you for a replacement system and it should be there in 3-5 business days. Someone will need to sign for it, perhaps your oldest daughter. Justine is turning into a fine looking young-lady, by the way.

  18. Blown WAY out of proportion by kaizendojo · · Score: 3, Informative

    A few of their SERVICE stock for a single motherboard showed signs of malware code on the embedded server management firmware. Dell reacted quickly and appropriately. You can read the forum posting that started this all here: http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx

    Of course this is disturbing, but it's quite a leap to say a 'hardware trojan' is 'shipping with Dell Servers'. Once again, a good example why you should never blindly trust "anonymous posters' on Slashdot... RTFA yourself.

    1. Re:Blown WAY out of proportion by Anonymous Coward · · Score: 0

      This is Slashdot sir! How dare you suggest I RTFA!

    2. Re:Blown WAY out of proportion by AK+Marc · · Score: 1

      There isn't a single large computer maker that hasn't shipped fixed computers from a repair depot with viruses on them. They all have at one time or another. And they all acted with appropriate horror when that did happen.

    3. Re:Blown WAY out of proportion by sjames · · Score: 2, Interesting

      It's not THAT big a leap. It can intercept system functions in the background leaving NO evidence at all on the actual server. It doesn't matter what OS you install or how much AV software you run. You can even check the system BIOS if you're extra paranoid and still not even touch the spyware hidden in the system.

      It may not be literally in the hardware but it's considerably deeper embedded into the server than any virus reported up to this has ever been.

  19. Not necessarily QA by Anonymous Coward · · Score: 0

    The problem here is not necessarily one of QA, but it is one of rigorous procedures. The "hardware" is actually a flashable firmware image. The manufacturing process involves taking all the necessary programmable components and placing them onto the board in question. Now, I have no inside information on this current Dell problem, but perhaps the factory flashed the wrong image. Perhaps the ESM engineer was on his way out and decided to be malicious in a last-minute "oops" fix. Perhaps this issue only manifests itself in a very specific combination of hardware and OS that is so unlikely to be combined it didn't present itself in QA. I think the rush to assume that QA was inadequate or that foreign "sweat shops" are to blame is very naive. The overall complexities of today's x86 machine make all permutations impossible to test in a reasonable time frame. The real test for Dell is whether they plug this process hole and whether we see similar headlines in the future.

  20. manufacturing process compromised by space aliens by Anonymous Coward · · Score: 0

    "I have no inside information on this current Dell problem .."

    Perhaps it was malicious space aliens that compromised the manufacturing process.

  21. SW/HW Malware by Killer+Instinct · · Score: 5, Funny

    It's not bad enough they ship with windows ?

    --
    #include bier;
    1. Re:SW/HW Malware by value_added · · Score: 1

      It's not bad enough they ship with windows ?

      Funny, but only for those who are confusing Dell's consumer products with their server offerings.

      When you put in an order for a server, you specify what's in the box. That means you choose whether they ship Windows, or whether they ship Red Hat, SUSE, or VMware's ESX.

      As a side note, there should be no space before punctuation like a question mark. Doing so is as wrong as it is stupid.

    2. Re:SW/HW Malware by steelfood · · Score: 2, Funny

      It's probably a step up from Windows 7.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    3. Re:SW/HW Malware by Killer+Instinct · · Score: 1

      Funny, but only for those ...yada yada yada
      Which means some servers ship with windows...and this is /. and your userid is 719364, so i would think you would have caught on by now, we hate windows and grammer nazis...be careful lest CmdrTaco spanks you and locks your account !

      --
      #include bier;
    4. Re:SW/HW Malware by BitZtream · · Score: 0, Flamebait

      Could be worse, they could ship with Linux.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    5. Re:SW/HW Malware by kubitus · · Score: 1
      ain't fit into any semiconductor ROM,

      just CD or DVD ROM

  22. Inexcusable by mlts · · Score: 2, Interesting

    There are some issues where malware winds up in places, and that is something beyond the vendor's control. However, having the motherboard's BIOS infected is just plain not excusable. How can people have any guarantee of security if a maker's QA process allows this stuff to happen? Even if they offshore it to another contractor, the buck stops at the company whose name is on the machine. How can we be sure that replacing the management software and/or a BIOS reflash will take care of the problem?

    At least there are plenty of vendors to choose from in the x86 server market. IBM has some very good machines. HP always has had quality offerings. Oracle sells x86 and SPARC hardware, Cisco sells x86 servers that are decent. Even Apple has a top quality 1U server that can both work in a server room as well as a musician's rack.

    1. Re:Inexcusable by h4rr4r · · Score: 1

      HP is the same garbage as dell these days.

    2. Re:Inexcusable by Anonymous Coward · · Score: 0

      Back in the day HP UX machines were great. Maybe their servers still are. But since when have HP notebooks been "quality offerings"? At least since Fiorina, they've been notorious for hardware quality problems and all sorts of failures--much worse than Toshiba et al, if the press is to be believed (personal experience bears this out).

    3. Re:Inexcusable by Anonymous Coward · · Score: 0

      Even Apple has a top quality 1U server that can both work in a server room as well as a musician's rack.

      Even Katy Perry's rack?

    4. Re:Inexcusable by lgw · · Score: 1

      If these motherboards were made and QA'd in China, and the Chinese government wanted some malware added, there's nothing a company could do to stop that (not that that's necessarily what happened here, but it's a real threat).

      The "obvious" answer is to not do QA in the same country you do manufacture, but that's sure to increase costs. Still, if I were doing procurement for anything important, I'd insist on it.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    5. Re:Inexcusable by Anonymous Coward · · Score: 0

      It may be foreseeable that a downlevel contractor might do something like this, but it doesn't matter where in the supply chain it happens, the ultimate responsibility belongs with the server maker. Yes, QA finding malware is hard, but that is a part of security.

      Car analogy: Blarf Motors specs brake rotors from Elbonia. The rotors have problems and fly apart at highway speeds causing fatal crashes. The responsibility for the parts ultimately belongs to Blarf Motors.

  23. blindly trust anonymous posters ? by Anonymous Coward · · Score: 1, Informative

    "I just got a telephone call from a service scheduler informing me that the replacement R410 motherboard I received several weeks ago contains spyware in its embedded systems management firmware" peternli on July 20 2010 8:54 AM

    "The service phone call you received was in fact legitimate. As part of Dell's quality process, we have identified a potential issue with our service mother board stock, like the one you received for your PowerEdge R410", DELL-Matt replied on Jul 20 2010 10:31 AM link
    --

    Imagine having to sit on discussion forums all day typing corporate bum-fluff©

  24. Infected by lemmis_86 · · Score: 0

    I'd like them to ship Infected Mushrooms

  25. The firmware is installed over seas / the system d by Joe+The+Dragon · · Score: 1

    The firmware is installed overseas / the system doing the install is the system that likely has the infected code running it. It's just like the mp3 players and other stuff that has a usb disk / some kind of base code. So this is why to update the BIOS on all new systems.

  26. This why you need to install firmware bios updates by Joe+The+Dragon · · Score: 1

    This is why you need to install firmware BIOS updates on all new systems when you get them in as the first thing.

  27. piss all over the forum ;) by Anonymous Coward · · Score: 0

    In other words, in an attempt to shut serious discussion down, piss all over the forum ;)

    key words: climate, change, coercion, corepirate, deception, deforestation, destruction, ego, evile, extinction, fear, FraUD, frightening , greed, hired goons, hunting, illuminati, impoverished , nazi, nazis, Pleistocene, pollution, pyramid schemes, terminal damage, wars, wicked ways, wipe out

  28. Seen this before by helix2301 · · Score: 1

    I have seen something like this before. A friend of mine bought a new computer when we were in college and it kept having issues. One day in class we figured out it had a BIOS virus right from the factory. Easy enough to fix: just flash the BIOS and everything is back to normal, or pull the BIOS battery out overnight. This is not the first time something like this has happened from computer manufacturers. This is, however, the first time I have ever heard of server hardware having this issue.

  29. That's cool by Daimanta · · Score: 1

    I didn't know that Dell owned a naval fleet.

    --
    Knowledge is power. Knowledge shared is power lost.
  30. smacked down by an invisible hand by Anonymous Coward · · Score: 0

    PROOF that unfettered markets WORK!

  31. Not the first time by The_mad_linguist · · Score: 0, Troll

    This isn't the first time a company shipped malicious hardware.

    About 20 or 30 years ago Apple shipped some keyboards with malware on them.

    1. Re:Not the first time by k2r · · Score: 1

      Citation needed.
      Since the Apple Macintosh was introduced just about "20 to 30 years ago" (==1984) and the amount of memory and CPU-power in keyboards was very small, then, I guess that your posting is just trollish nonsense.

    2. Re:Not the first time by Iskender · · Score: 1

      welcome datacomp

    3. Re:Not the first time by Anonymous Coward · · Score: 0

      OP was probably referring to the Sicon keyboards which would watch what you were typing and if you didn't input for a while would occasionally type "welcome datacomp" on their own. Some stores bundled them with Apple computers.

      An annoying but not particularly dangerous case of firmware malware.

  32. A more interesting headline by royallthefourth · · Score: 1

    Dell Boards Infected Motherships

    perhaps I should take a break from Alien Swarm...

    1. Re:A more interesting headline by Anonymous Coward · · Score: 0

      I thought only Powerbooks could infect motherships???

      At least Jeff Goldblum made me think so!

  33. Too bad, you (Dell) lose by woboyle · · Score: 1

    I have been a loyal Dell customer for many years. I am also a Dell Partner. Between this event (hardware malware), their bogus denial of system design and manufacturing faults on millions of Optiplex systems, battery failures on their laptops (I've had 2 fail in 18 months on my D630), and other design/manufacturing issues, I have finally decided that I will NEVER (never being a really long time) purchase another Dell, or recommend one to my clients. A reputation is hard to gain, but easy to lose. I've been patient with Dell, but this is the final straw. Sorry Dell, but you have caused what may be your own demise.

    --
    Sometimes, real fast is almost as good as real-time.
  34. Do you think it was just a matter of cost? by Just_Say_Duhhh · · Score: 1

    Dell could have kept development in-house and STILL keep costs down. However, management realized that if everything is done in house, when something fails it is DELL's fault, and heads must roll. By outsourcing, when a major screw-up is discovered, Dell management can blame someone like Foxconn, and not have to worry about any DELL manager taking the blame. They saw this coming, so they created a way to avoid the blame.

    --
    I need trepanation like I need a hole in the head.
    1. Re:Do you think it was just a matter of cost? by motorhead · · Score: 0

      And to think we call them DELLtards...

      --
      Employee Of the Month - Cyberdyne Systems Corporation - September 1997
  35. Too late by Anonymous Coward · · Score: 0

    I already pwned my Dell for 20 bucks and a rusty old lawnmower.

  36. Re:This why you need to install firmware bios upda by nullchar · · Score: 1

    And how do you know the firmware binary you are installing is free of malware? How do you know the Windows/Linux binary application used to install the firmware is also free of malware? None of that software is open.

  37. Kill switch threat by sabt-pestnu · · Score: 0, Offtopic

    Elsewhere, researchers are also investigating the threat from would-be chip-plant saboteurs, who poison the chip-making processes to introduce a "kill switch" that makes the chip fail unexpectedly.

    I wonder if these are the researchers trying to work around the Droid X kill switch?

  38. SURPRISE by Anonymous Coward · · Score: 0

    Closed source firmware is not and never will be secure.

    1. Re:SURPRISE by Anonymous Coward · · Score: 0

      Tell that to Sony who has had the PS3 for a good long time now, with not a single exploit whatsoever.

  39. what else is new by hesaigo999ca · · Score: 1

    It really does not come as a surprise that now many things at Dell are broken: their leadership, support, now hardware comes broken, or compromised. I guess it might come as a surprise that most of their hardware is made in China! We all know China wants to have the biggest botnet to control and censor the internet.

  40. Unwanted extras.... by Anonymous Coward · · Score: 0

    How about all that crapware that computer manufacturers send with a new computer, all the shareware and other programs that you'll never use for the life of that computer. Let me have a clean install, and crowd up the windows registry as I want. Two problems solved, my computer runs faster...and no chance in hell of malware.

  41. Silver Lining by ThatsNotPudding · · Score: 1

    Now, it is a rare week that I don't see a blurb about Chinese workers striking for higher pay. I for one would welcome a rising tide of labor costs in China to perhaps level the playing field a bit. Of course, China is now slowly expanding into the role of an African colonial power, so maybe that's where the newest dirt-cheap labor market moves to - assuming they can keep the warlords and dictators compliant.

  42. Re:The firmware is installed over seas / the syste by Unequivocal · · Score: 1

    Why should I be any more confident that a BIOS update is less likely to have malware than the OEM BIOS that ships with the hardware? I'm really asking.

  43. compatibility issues by drolli · · Score: 1

    i always thought of the Dell bios as a total as an unwanted extra....

  44. This was never a surprise. by Khyber · · Score: 1

    I've been screaming for years that most silicon-based devices have inherent flaws.

    Looks like one just got found. If you can access the registers, you can do almost anything.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:This was never a surprise. by mjwx · · Score: 1

      I've been screaming for years that most silicon-based devices have inherent flaws.

      Hey, carbon-based fluid bag, it's not like you're perfect.

      Shall we discuss your flaws with the world. The fact your only stable relationship with women have been with your mother and a simulation, in fact the one with your mother isn't that stable, I think you're both just screwed up in the exact same way. Furthermore, delete that horse porn, dude that stuff is sick (don't just back it up to the NAS, he doesn't want it either).

      Now will you go to a bar like a normal human. I want to spend some quality time with the Wii.

      Signed,
      your computer.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  45. More justification for free firmware by jbn-o · · Score: 1

    This is another reason why people need software freedom for the firmware in their computers. Apparently we need to be able to inspect, share, and modify this software. Coreboot is a great project along these lines.

  46. 17 Years by not_hylas(+) · · Score: 1

    Wow, that realization only took 17 years:

    subversionhack:

    http://subversionhack.livejournal.com/

    --
    ~hylas
  47. Dell: The Ryanair of Servers by jimicus · · Score: 2, Insightful

    Let's face it, Dell is the Ryanair (or, if you're American, the Southwest Airlines) of server vendors. Anyone who's ordered a server from them knows the drill only too well.

    You want a cheap server? No problem, sir.

    Oh, you wanted hard disks with your server? They're an optional extra, sir. They cost more.

    You wanted more than 512MB RAM? That'll be extra, sir.

    You wanted a processor which wasn't discontinued 18 months ago yet somehow we've managed to find a whole warehouse full of the buggers? That'll be extra, Sir.

    You want a 3 year warranty or are you happy with our standard 30 minute warranty? Three year warranty's extra, Sir.

    You want to actually speak to a technician during the course of the three years? Or are you happy being routed to the office cheese plant? The technician's extra, Sir.

    Now we know there's another question they'll ask.

    You want a motherboard that hasn't been pre-infected with firmware level trojans? That'll be extra, Sir.

  48. Just to clear things by tuomoks · · Score: 2, Informative

    Did anyone read the problem before replying, of course not - this is /. after all - so, from Dell ( just the important points ):

    3. The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware.
    4. All industry-standard antivirus programs on the market today have the ability to identify and prevent the code from infecting the customer’s operating system.
    5. Systems running non-Microsoft Windows operating systems cannot be affected.

    Doesn't seem very serious, of course it's Windows only so, of course, you are running antivirus AND, of course, after motherboard swap don't put it to production without testing - which would catch it?

    Anyway, still wondering even without antivirus - how come that people let their systems communicate over network with unauthorized traffic? Just going back 20+ years designing network systems, some even Windows, my systems never allowed any unauthorized traffic in or out - this of course sometimes needed even building your own comm. stacks, traps, hooks, proxies, whatever but also guaranteed that all traffic was legitimate! Saves a lot of headache - of course all attempts were logged, alerted and, in case of outbound, the sources were isolated - automatically! So - even Windows can be built that way (with pain!), just wondering why some don't do that?

  49. Outsource to singularity by psydeshow · · Score: 1

    The only way we can be safe is to have the computers design and build themselves!

  50. servers today, voting machines tomorrow? by miserere+nobis · · Score: 1

    I'm so glad we are putting essential processes of democracy inside of black boxes.

  51. speaking of "Blown WAY out of proportion" by Anonymous Coward · · Score: 0

    Once again, a good example why you should never blindly trust "anonymous posters' on Slashdot... RTFA yourself.

    The advantage, nay benefit, of anonymous is the post must be read and debated on its own merits, not coloured in any way by preconception. /. could use a lot more of that.

  52. Intel AMT was already a hardware trojan ... by Ungrounded+Lightning · · Score: 1

    ... even if the version on the R410 was branded OpenManage(TM) and the firmware may have been a different code base.

    Seems to me the only thing new here is that somebody pre-tweaked the code in the shipping firmware load so they, in addition to the authorized IT department, have the necessary keys to "remotely administer" your box, avoiding having to break the stock load's crypto.

    Any bets on whether the NSA already has their own way in? Or the Chinese espionage apparatus ditto?

    AMT ("Advanced Management Technology") is why I'm not buying Intel-based machines - and when my employer surplussed the old laptops I bought one that was three generations back - adequate, and the last model without a remote-administration "feature".

    (I still don't understand why I see lots of Slashdot articles flaming DRM "features", but the remote administration "features" never rise above the noise level - despite being EXPLICITLY a mechanism whose sole purpose is to undetectably and unblockably take COMPLETE CONTROL of the box, spying and/or modifying to any extent desired, rather than just to hobble some of its apps.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  53. Where's the TROJAN MAN when you need him? by sethmeisterg · · Score: 1

    I saw we seal each board in latex before we ship it to customers. That should take care of the problem!

    1. Re:Where's the TROJAN MAN when you need him? by sethmeisterg · · Score: 1

      Dammit. That was supposed to read "I say".

  54. It's not a hardware trojan... by Svartalf · · Score: 1

    It's not even really "firmware" unless it's the only thing on the server being booted.

    There resides on pretty much every server class device these days some semblance of a panic boot or diagnostics/admin tool that resides on an on-board, USB, or SATA SSD on the system. This got zapped at the factory with a Windows Trojan that could zap the system under the wrong circumstances- and ONLY if you're running a WINDOWS OS on the system.

    While it's an epic fail on Dell's part (talk about goofing something up there...)- it's even more of one for New Scientist since they either didn't wait to find out more details on things or didn't bother to read further down in the thread they reference to indicate that this was the case.

    It's all about sensationalism, I suppose, these days.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  55. malware by slick7 · · Score: 1

    The true malware ala Dell is in removing anything that Dell installs automatically. The only way to shutdown Dell's bovine scatology is to shutdown Dell, permanently.

    --
    The mind conceives, the body achieves, the spirit manifests.
  56. Re:Dell: The Ryanair of Servers by thegarbz · · Score: 1

    The alternative:

    You want a cheap server? Sorry we don't have that!

    No but we only sell servers with this much harddisk space.

    Of course you need 4GB of RAM for a web server that no one will use.

    The processor makes all the difference sir. It's 20Ghz with 50 cores or bust. You can't run {insert outdated crap here} on anything slower.

    Yeah it costs $100000 but you'll get a 10 year warranty with a clueless idiot to stand by and not help you fix any problems you won't have.


    What do you mean you're going to dell? They only sell cheap stuff!

  57. CIH did this years ago by SpazmodeusG · · Score: 1

    When I hear the line "hardware trojans' long posited by some security experts are indeed a real threat" all I can think is no shit, it was already done years ago.
    http://en.wikipedia.org/wiki/CIH_(computer_virus)

    CIH spread and infected the BIOS itself rather than just the filesystem. It was shipped out on a bunch of Yamaha CD drives and the IBM Aptivas had it.

  58. Re:This why you need to install firmware bios upda by gujo-odori · · Score: 1

    I don't even know absolutely for certain that the Linux binaries that I apt-get install aren't trojaned. Even if I had the time to audit the source and make sure it compiles to the binary I'm getting, I don't really have the ability to do that, especially if the bar is set to "Never miss one."

    However, I'm more confident in those binaries than I am in the proprietary binaries I install on my Mac. At least the .debs are signed and there are some people out there checking.

  59. Re:"You can't blame Dell"? WTF!?! by dbIII · · Score: 1

    No, she deserved getting her skin back which wasn't going to happen but more importantly McDonalds needed a legal whack on the nose for selling an unsafe product. It's not kept constantly at boiling point anymore.

  60. Dell Warning Seems to be a Hoax by Sir+Hossfly · · Score: 1

    I followed all the links in the story and worked my way to the dell forums: http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx The "warning" was posted by 'Dell - Matt M'...not a Dell employee.

  61. Only for Windows by devent · · Score: 1

    Only for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for WindowsOnly for Windows

    Please, tell the system the virus/malware/trojan is for. Maybe then we could "get the facts"* right. *http://www.microsoft.com/windowsserver/facts/default.mspx?R=cf

    --
    http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    1. Re:Only for Windows by TheABomb · · Score: 1

      So I should definitely choose Windows if I want this trojan, right?

      --
      MSIE: The world's most standards-complaint web browser.
  62. Defense in diversity by tepples · · Score: 1

    Ken Thompson would show you how you'd fail in this anyway.

    The Trusting Trust attack as Ken Thompson described it can be worked around using "diverse double compilation". To defeat this, a compiler virus would have to know how to infect GCC, TCC, Clang, and every other popular Free compiler for a given language, including non-self-hosting compilers (those written in another language entirely). Bruce Schneier explains, as does David A. Wheeler. Likewise, in the case of writing firmware to a flash memory, the would have to know how to infect a Willem programmer, a Wellon programmer, and every other popular flash programmer.

  63. Trusting trust by tepples · · Score: 1

    Can you trust compiler of a compiler?

    Yes, because one can bootstrap from different independent compiler implementations. I explain why in another comment.
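The diverse double compilation check that the two comments above ("Defense in diversity" and "Trusting trust") refer to, as an added toy model in Python; it is not part of either comment or of any real compiler. The compiler source, the subverted binary, the two stand-in trusted compilers and the `SELF` loader shortcut are all constructed for the illustration.

```python
"""Toy model of diverse double compilation (DDC). Every source and
"binary" below is a constructed sample, not real compiler output."""

# Source of a tiny "compiler": compiling = dropping comments and blank lines.
COMPILER_SOURCE = r'''# toy compiler source (constructed sample)
def compile_src(src):
    out = []
    for line in src.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            out.append(line.rstrip())
    return "\n".join(out) + "\n"
'''

# What an honest build of that source looks like: the source minus its comment.
HONEST_BINARY = COMPILER_SOURCE.split("\n", 1)[1]

# A binary that claims to be built from COMPILER_SOURCE but re-emits itself
# whenever it is asked to compile the compiler (Thompson's scenario).
SUBVERTED_BINARY = r'''MARKER = "not in the source"
def compile_src(src):
    if "def compile_src" in src:
        return SELF
    out = []
    for line in src.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            out.append(line.rstrip())
    return "\n".join(out) + "\n"
'''


def run(binary, src):
    """Execute a toy binary on src. The loader exposes the image as SELF,
    a shortcut standing in for the quine a real self-reproducing binary needs."""
    env = {"SELF": binary}
    exec(binary, env)
    return env["compile_src"](src)


def make_trusted(indent_unit):
    """Stand-in for an independently written compiler: same language, but
    different code generation (it re-indents with indent_unit)."""
    def compile_src(src):
        out = []
        for line in src.split("\n"):
            body = line.strip()
            if body and not body.startswith("#"):
                depth = (len(line) - len(line.lstrip(" "))) // 4
                out.append(indent_unit * depth + body)
        return "\n".join(out) + "\n"
    return compile_src


def ddc_check(binary_under_test, source, trusted):
    """Return (matches, stage1, stage2).

    stage1: the source built by the trusted compiler (bytes may differ from
            the vendor's build, behaviour must not).
    stage2: the source rebuilt by stage1. A deterministic, honest build of
            `source` must be bit-for-bit equal to stage2.
    """
    stage1 = trusted(source)
    stage2 = run(stage1, source)
    return stage2 == binary_under_test, stage1, stage2


if __name__ == "__main__":
    for name, binary in (("honest", HONEST_BINARY), ("subverted", SUBVERTED_BINARY)):
        # Rebuilding from clean source with the shipped binary proves nothing:
        # both binaries reproduce themselves.
        self_rebuild = run(binary, COMPILER_SOURCE) == binary
        verdicts = [ddc_check(binary, COMPILER_SOURCE, make_trusted(u))[0]
                    for u in ("  ", "\t")]
        print(f"{name}: self-rebuild identical={self_rebuild}, DDC match={verdicts}")
```

The check only holds when the build is deterministic and the trusted compiler does not carry the same subversion, which is why the comments stress independent implementations.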

  64. Re:Dell: The Ryanair of Servers by 200_success · · Score: 1

    Don't diss Southwest Airlines. They may have a cheap image, but one thing they don't do is nickel-and-dime. They are one of the few remaining airlines that have a two-piece luggage allowance included in the price of a ticket. And they serve free non-alcoholic drinks on board.