Paranoia, for the win…

Today, my team got an email from a local tech. The associate director for his site came to the IT department, saying he was concerned that one of his “tech friends” told him of a rootkit that was supposedly installed on all machines from $WeMakeComputers. And since his site (as well as almost all the other sites my team supports) was almost exclusively using computers from this company, he was worried that $WeMakeComputers could use this rootkit to hack into the facility and take over their computers.

I replied back, explaining to the associate director (by proxy) that, having done several IT equipment refreshes for several sites with contractors from $WeMakeComputers, there was almost no chance whatsoever that the contractors could have installed any such rootkit on the computers they installed while working with our teams in IT. For starters, none of the contractors were given accounts with anything remotely resembling administrative rights, meaning they couldn’t install a mouse on a computer, let alone a rootkit. Also, the software we used to push images to the computers did low-level formats of the hard drives prior to deploying the image onto each computer, which would destroy all traces of pre-installed software. Thirdly, the AV software we used, as well as the network scans, port security, and about two dozen other layers of security, meant that if such a rootkit was installed, it would’ve been dealt with rather quickly. Not to mention the fact that a number of employees and executives at $WeMakeComputers would have faced criminal charges and civil fines for putting such software on computers purchased by a federal government facility. Then there was the matter of the contract, which, among other things, forbade such software from being installed on the systems, meaning if such software was found, criminal charges aside, $WeMakeComputers would’ve been in violation of the contract, forcing them to refund us the entire value of the contract, a sizeable amount of their annual income, as well as the potential loss of income if such a story was ever made public, since I doubt many people would take kindly to a major corporation trying to spy on the government.

I also went on to say that I didn’t put much stock in people who heard things from their “tech friends”, because it invariably involved someone’s niece/nephew, grandchild, friend of a friend of a friend, random person they met somewhere in public or at a party, etc., whose credentials and experience in IT support were dubious at best. The irony is, trying to convince these people that the advice from their “tech friends” is wrong far more often than it’s right, or is nowhere near the problem it’s made out to be, is much easier said than done. All too often, such things they hear are based solely on rumor, supposition, smear campaigns, and flat-out lying, and there is no shortage of people out there who’ll believe anything they read on the Internet, and assume that anything written on the Internet MUST be true, because it’s on the Web.

I spent most of the time shaking my head and feeling bad for the local IT guy who emailed us, because I’ve been in this local IT guy’s position more times than I could count, trying to correct a non-tech who had heard something from their “tech friend” and assumed it HAD to be true, when this “tech friend” had little to no knowledge or actual experience in IT. It’s one of the more aggravating aspects of being an IT tech. It’s like trying to disprove Judy Patch, when there’s no consensus on whether dear Judy is even real…

4 thoughts on “Paranoia, for the win…”

  1. Hiya! Dude heard “root” and off he went…it’s not a rootkit, Dell just fucked up and installed a root certificate AND the PK for it via Dell Foundation Services.

    So long as you either remove the Dell cert from the Windows cert store and the Dell Foundation Services component involved; or are running an image not based on the Dell-shipped image, you’re automatically fine.

    Reference for you: https://www.kb.cert.org/vuls/id/870761

    • Which we were from the beginning, since we did our own images from a base Windows install from at least as far back as ’03, well before we got the megacontract with Dell 🙂

      And I’m willing to bet good money that you’re not far off. Some kid who didn’t even rise to the level of a script kiddie heard the word “root” and Dell in the same paragraph, and assumed Dell was shipping rootkits in the PCs because they heard the buzzword somewhere.

  2. But Lenovo apparently did include the basis of a rootkit — a software updater that could be taken over and had root abilities. That said, again, if the image came from somewhere other than Lenovo, you should be fine. And ISTR that the Feds are not buying from Lenovo anyway, it being a Chinese company now.
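The check the first comment describes, finding a root certificate that shipped together with its private key and the Dell Foundation Services component that installed it, as an added example that is not from the post or any of the commenters. A legitimate trust anchor never carries its private key on the endpoint, so any certificate in the machine's Root store with HasPrivateKey set is a finding regardless of vendor; the eDellRoot subject name is taken from the linked CERT advisory (VU#870761), not from the post, and the service display-name pattern is an assumption to adjust to what your inventory actually shows. Reading the store works as a normal user; removal needs an elevated PowerShell session.

```powershell
# Added example (not from the original post or comments): audit the local
# machine's trusted root store for the VU#870761 condition, a root CA
# certificate whose private key is also present on the endpoint.

function Get-SuspiciousRootCerts {
    [CmdletBinding()]
    param(
        # Subject substrings to flag in addition to the private-key check.
        # 'eDellRoot' comes from the CERT advisory, not from the post.
        [string[]] $SuspectSubjects = @('eDellRoot')
    )

    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        $cert = $_
        $reasons = @()

        # The real problem: a trust anchor should never have its private key here.
        if ($cert.HasPrivateKey) { $reasons += 'private key present for a root CA' }

        foreach ($s in $SuspectSubjects) {
            if ($cert.Subject -like "*$s*") { $reasons += "subject matches '$s'" }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

function Remove-SuspiciousRootCerts {
    # SupportsShouldProcess gives us -WhatIf / -Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]] $SuspectSubjects = @('eDellRoot'))

    foreach ($finding in Get-SuspiciousRootCerts -SuspectSubjects $SuspectSubjects) {
        $path = "Cert:\LocalMachine\Root\$($finding.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($path, "Remove root certificate '$($finding.Subject)'")) {
            Remove-Item -Path $path   # requires an elevated session
        }
    }
}

# The installer component: if it stays, the certificate can simply come back.
# Display-name pattern is an assumption; match it against your own inventory.
Get-Service | Where-Object { $_.DisplayName -like '*Dell Foundation Services*' } |
    Select-Object Name, DisplayName, Status

# Report first, preview the removal, then remove.
Get-SuspiciousRootCerts | Format-Table -AutoSize
Remove-SuspiciousRootCerts -WhatIf
# Remove-SuspiciousRootCerts
```

Run the report across the fleet (via your RMM or Invoke-Command) before removing anything: a machine imaged from a clean base install, as the original poster describes, should return no rows, and any machine that does return a row with a private key present was trusting a CA whose signing key every other owner of the same model also holds.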
