[attrition] Announcing Errata: Certified Pre-owned (CPO)
security curmudgeon
jericho at attrition.org
Tue Oct 28 04:04:04 UTC 2008
http://attrition.org/errata/cpo/
Vendor FAIL - Certified Pre-Owned (CPO)
How vendors screw up their own products and leave YOU holding the virtual bag
Certified Pre-0wned

For reasons unknown, vendors occasionally fail to
maintain quality control over the media they ship. Whether it is CD-ROM,
DVD, USB or some other form of media, it may contain viruses, trojans or
even drug-runner music. When this happens, the software you receive
obviously can't be trusted in any fashion, and installing software from
already compromised media immediately puts your system's integrity in
question. This page serves to keep a record of such incidents and remind
vendors that shipping "pre-0wned" software is deplorable.

This list is
designed to capture consumer-related exposures, specifically malware or
other items of interest. This list will not include incidents of vendors
shipping vulnerable software as that list would be extensive. In addition,
it will not track targeted malware attacks against specific targets, such
as the "Farewell Dossier". For an interesting historical perspective of
such incidents until 1996, consult McDonald's list. Some of these
incidents are integrated in the CPO list depending on the information
available.
[..]
This list is not complete, yet it should make you realize that nothing is
safe. Every piece of electronics you buy and every piece of software you
install may come with malware pre-installed. Rather than manufacturers
introducing a higher set of quality controls to prevent such incidents, we
will no doubt see companies produce new products that will help keep you
"safe" from such threats. These "controls" would no doubt be another
bandaid on top of bandaids that make up a lucrative market, which is sad
commentary about how customers perceive and receive "electronic security".