Dell Ships Infected Motherboards

An anonymous reader writes "Computer maker Dell is warning that some of its server motherboards have been delivered to customers carrying an unwanted extra: computer malware. It could be confirmation that the 'hardware trojans' long posited by some security experts are indeed a real threat."

It's not a hardware trojan

[lseltzer]

It's firmware, meaning software in a ROM. It's only slightly unconventional.

And they say it's only on motherboards sent out as replacements. Interesting, you would think this would make it fairly easy to identify the source.

What did you expect?

[Chas]

Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.

How the hell would they know if someone decided to pull a dick move like this?
And for what they're being *COUGH*paid*COUGH*, why the hell would they even care?

Re:What did you expect?

[Elbowgeek]

You do raise a good point. *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell. Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.

Re:What did you expect?

[Taco+Cowboy]

Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.

Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?

Re:What did you expect?

[Bill_the_Engineer]

*We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell.

Half truth. Dell did not add any value to their products and decided to compete on price. In order to lower their prices and retain their profit margins they outsourced their assembly to countries with lower labor costs. Dell was not forced to lower their price, they choose to compete on price alone.

*We* the consumer did not demand cheap prices, instead we purchased whatever gave us the better value. Which for some means the cheapest machine that runs stock Windows 7 for home, but for others features and/or better components may be deciding factor (eq. Apple, Alienware, Voodoo PC, Sony, etc.)

Re:What did you expect?

[mwvdlee]

Here's a clue for those clueless people - demanding the lowest price in a global economy ensures that those products will be manufactured where the cost of labor and material is lowest, and that ain't America or Western Europe

So if those people would be willing to pay more, the products would be manufactured in more expensive countries instead of the companies continuing cheap labor manufacturing and simply making a bigger profit?

Re:What did you expect?

[Waffle+Iron]

The next time a WalMart shopper complains about job outsourcing, offer to show them the cause of the problem and hand them a mirror.

The problem is that the "global free market" is a multi-player version of the Prisoner's Dilemma game. It's been proven that in absence of communication between the players, the rational choice in this game is to always "defect". In this case, it means buying cheap imported crap at Wal Mart. If you don't defect, most others continue to do so, and you just end up being a sucker.

Complaining about individuals' choices is going to accomplish nothing, because they're all making the most rational individual decisions. The only way to change the situation is to include the external costs of cheap offshore production into the retail price, which alters the individual's most rational choice. The most obvious way to do that is slap a tariff on the goods.

Re:why spend millions when you can spend billions?

[roman_mir]

Ken Thompson would show you how you'd fail in this anyway. You'd THINK you flashed the chips, but there would be some other code somewhere in the chip that would contain a Trojan. Unless you are in the loop 100% of the time and nobody can inject any modifications into any manufacturing processes, you can't be certain that nothing at all was modified.

Re:Bad Article

[fuzzyfuzzyfungus]

Arguably the IPMI is one step easier than just the motheboard firmware. Those suckers are basically little embedded computers, typically running linux or vxworks, with their own processor and everything. They happen to be physically coupled to the motherboards of larger devices; but, architecturally, they are basically the same as any of the "little bitty plastic box" style embedded network appliances.

Given the fact that embedded appliances frequently have security made of pure shit, and servers are rather high value targets, the only real surprise is that they aren't targeted more often. Especially, if you are super lucky, the IPMI card will be connected to the oh-so-special-and-physically-separate-for-security "management network", which is where all the juicy; but often vulnerable, management interfaces live. Nice place to have an attack platform silently embedded...

Re:Wow, Dell...

[Richard_at_work]

Unfortunately you cannot QA 100% of everything you ship without significantly affecting costs - as the article states, Dell is saying that this affects a small number of motherboards sent out in a particular manner, so its quite possible that this slipped through a random item QA testing net out into the open without there being any real QA procedure issue.

Re:To paraphrase Ghostbusters

[bannable]

Why is this modded flamebait? It seems like a legitimate question for someone unfamiliar with why this is interesting.