[attrition] Announcing Errata: Certified Pre-owned (CPO)

security curmudgeon jericho at attrition.org
Tue Oct 28 04:04:04 UTC 2008


http://attrition.org/errata/cpo/

Vendor FAIL - Certified Pre-Owned (CPO)
How vendors screw up their own products and leave YOU holding the virtual bag

Certified Pre-0wned

For reasons unknown, vendors occasionally fail to 
maintain quality control over the media they ship. Whether it is CD-ROM, 
DVD, USB or some other form of media, it may contain viruses, trojans or 
even drug-runner music. When this happens, the software you receive 
obviously can't be trusted in any fashion, and installing software from 
already compromised media immediately puts your system's integrity in 
question. This page serves to keep a record of such incidents and remind 
vendors that shipping "pre-0wned" software is deplorable. This list is 
designed to capture consumer-related exposures, specifically malware or 
other items of interest. This list will not include incidents of vendors 
shipping vulnerable software as that list would be extensive. In addition, 
it will not track targeted malware attacks against specific targets, such 
as the "Farewell Dossier". For an interesting historical perspective of 
such incidents until 1996, consult McDonald's list. Some of these 
incidents are integrated in the CPO list depending on the information 
available.

[..]

This list is not complete, yet it should make you realize that nothing is 
safe. Every piece of electronics you buy and every piece of software you 
install may come with malware pre-installed. Rather than manufacturers 
introducing a higher set of quality controls to prevent such incidents, we 
will no doubt see companies produce new products that will help keep you 
"safe" from such threats. These "controls" would no doubt be another 
bandaid on top of bandaids that make up a lucrative market, which is sad 
commentary about how customers perceive and receive "electronic security".

