Dell Ships Infected Motherboards

← Back to Stories (view on slashdot.org)

Dell Ships Infected Motherboards

Posted by CmdrTaco on Wednesday July 21, 2010 @02:23AM from the scanners-do-nothing dept.

An anonymous reader writes "Computer maker Dell is warning that some of its server motherboards have been delivered to customers carrying an unwanted extra: computer malware. It could be confirmation that the 'hardware trojans' long posited by some security experts are indeed a real threat."

17 of 326 comments (clear)

Min score:

Reason:

Sort:

why spend millions when you can spend billions? by roman_mir · 2010-07-21 02:27 · Score: 3, Insightful

The Pentagon is spending millions on research designed to ensure it can trust the microchips in critical systems, especially those made outside the US.
- I think the only true way to be sure is to manufacture the microchips yourself, of-course this costs much more than millions.
This comes down to the old question raised by Ken Thompson of Trusting Trust.

--
You can't handle the truth.
1. Re:why spend millions when you can spend billions? by roman_mir · 2010-07-21 02:40 · Score: 5, Insightful
  
  Ken Thompson would show you how you'd fail in this anyway. You'd THINK you flashed the chips, but there would be some other code somewhere in the chip that would contain a Trojan. Unless you are in the loop 100% of the time and nobody can inject any modifications into any manufacturing processes, you can't be certain that nothing at all was modified.
  
  --
  You can't handle the truth.
It's not a hardware trojan by lseltzer · 2010-07-21 02:30 · Score: 5, Insightful

It's firmware, meaning software in a ROM. It's only slightly unconventional.
And they say it's only on motherboards sent out as replacements. Interesting, you would think this would make it fairly easy to identify the source.
What did you expect? by Chas · 2010-07-21 02:34 · Score: 5, Insightful

Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.
How the hell would they know if someone decided to pull a dick move like this?
And for what they're being *COUGH*paid*COUGH*, why the hell would they even care?

--

Chas - The one, the only.
THANK GOD!!!
1. Re:What did you expect? by Elbowgeek · 2010-07-21 02:42 · Score: 5, Insightful
  
  You do raise a good point. *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell. Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.
  
  --
  Who is this delectable creature with an insatiable love of the dead?
2. Re:What did you expect? by Taco+Cowboy · 2010-07-21 02:46 · Score: 4, Insightful
  
  Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.
  Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?
  
  --
  Muchas Gracias, Señor Edward Snowden !
3. Re:What did you expect? by Bill_the_Engineer · 2010-07-21 03:09 · Score: 4, Insightful
  
  *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell.
  Half truth. Dell did not add any value to their products and decided to compete on price. In order to lower their prices and retain their profit margins they outsourced their assembly to countries with lower labor costs. Dell was not forced to lower their price, they choose to compete on price alone.
  *We* the consumer did not demand cheap prices, instead we purchased whatever gave us the better value. Which for some means the cheapest machine that runs stock Windows 7 for home, but for others features and/or better components may be deciding factor (eq. Apple, Alienware, Voodoo PC, Sony, etc.)
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
4. Re:What did you expect? by somersault · 2010-07-21 03:21 · Score: 3, Insightful
  
  So it's our fault for being prudent with our spending? I guess we should all pay over the odds for our electronics to make sure that all these international businesses aren't feeling the pinch too much in their profit margins! Let's buy from someone like Apple who we know are making a hefty profit on their products! Oh wait, Apple do their manufacturing in China too.. hmm.
  
  --
  which is totally what she said
5. Re:What did you expect? by mwvdlee · 2010-07-21 03:26 · Score: 4, Insightful
  
  Here's a clue for those clueless people - demanding the lowest price in a global economy ensures that those products will be manufactured where the cost of labor and material is lowest, and that ain't America or Western Europe
  So if those people would be willing to pay more, the products would be manufactured in more expensive countries instead of the companies continuing cheap labor manufacturing and simply making a bigger profit?
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
6. Re:What did you expect? by twoallbeefpatties · 2010-07-21 03:36 · Score: 3, Insightful
  
  People talk about Detroit autoworkers exactly the same way. Doesn't mean much, really.
  
  Actually, we say that Detroit autoworkers were overpaid and got way too many benefits for their unskilled labor due to inflexible, corrupt unions - sort of the opposite thing to what we're saying about offshored labor. But who's counting?
  
  --
  Libertarians somehow believe that private businesses should be stronger than governments but weaker than individuals.
7. Re:What did you expect? by Waffle+Iron · 2010-07-21 04:02 · Score: 5, Insightful
  
  The next time a WalMart shopper complains about job outsourcing, offer to show them the cause of the problem and hand them a mirror.
  The problem is that the "global free market" is a multi-player version of the Prisoner's Dilemma game. It's been proven that in absence of communication between the players, the rational choice in this game is to always "defect". In this case, it means buying cheap imported crap at Wal Mart. If you don't defect, most others continue to do so, and you just end up being a sucker.
  Complaining about individuals' choices is going to accomplish nothing, because they're all making the most rational individual decisions. The only way to change the situation is to include the external costs of cheap offshore production into the retail price, which alters the individual's most rational choice. The most obvious way to do that is slap a tariff on the goods.
8. Re:What did you expect? by Mister+Whirly · 2010-07-21 04:38 · Score: 3, Insightful
  
  Actually, I would consider being able to read as the criteria for "literacy". What does McDonalds have to do with literacy rates? Nice strawman though - we aren't talking about obesity, nutrition, or anything food-related in this conversation.
  
  --
  "But this one goes to 11!"
9. Re:What did you expect? by innocent_white_lamb · 2010-07-21 04:52 · Score: 3, Insightful
  
  Good example of this - ... I'm typing this on a 745 that has a "Assembled in the USA" sticker on it)
  
  I don't know if your example is all that good.
  
  You do realize that there is a huge difference between "Assembled in the USA" and "Made in the USA", right?
  
  --
  If you're a zombie and you know it, bite your friend!
10. Re:What did you expect? by blackraven14250 · 2010-07-21 04:52 · Score: 3, Insightful
  
  Just because they don't know how to put the words together coherently into sentences following proper grammatical structures doesn't mean they can't write. It means they're not going to be writing research papers.
  
  Also, if you think the criteria for India and China's literacy rates is different or inherently superior to the US, you'd be sorely mistaken.
Re:Bad Article by fuzzyfuzzyfungus · 2010-07-21 02:41 · Score: 4, Insightful

Arguably the IPMI is one step easier than just the motheboard firmware. Those suckers are basically little embedded computers, typically running linux or vxworks, with their own processor and everything. They happen to be physically coupled to the motherboards of larger devices; but, architecturally, they are basically the same as any of the "little bitty plastic box" style embedded network appliances.

Given the fact that embedded appliances frequently have security made of pure shit, and servers are rather high value targets, the only real surprise is that they aren't targeted more often. Especially, if you are super lucky, the IPMI card will be connected to the oh-so-special-and-physically-separate-for-security "management network", which is where all the juicy; but often vulnerable, management interfaces live. Nice place to have an attack platform silently embedded...
Re:Wow, Dell... by Richard_at_work · 2010-07-21 02:43 · Score: 4, Insightful

Unfortunately you cannot QA 100% of everything you ship without significantly affecting costs - as the article states, Dell is saying that this affects a small number of motherboards sent out in a particular manner, so its quite possible that this slipped through a random item QA testing net out into the open without there being any real QA procedure issue.
Re:To paraphrase Ghostbusters by bannable · 2010-07-21 02:57 · Score: 4, Insightful

Why is this modded flamebait? It seems like a legitimate question for someone unfamiliar with why this is interesting.

--
"If you see a man on a horse, he is likely an enemy. Kill the man and eat the horse."