Wednesday, July 21, 2010

Dell Needs a PSIRT

It's clear to me that Dell needs a Product Security Incident Response Team, or PSIRT. Their response to the malware shipping with R410 replacement motherboards is not what I would like to see from a company of their size and stature.

Take a look at this Dell Community thread to see what I mean. It's almost comical.

These are a few problems I see:

  1. They are informing the public of this malware problem using phone calls, not a posting on a Web site. A customer thinks he's being scammed and posts a question to a support forum. Someone named "DELL-Matt M" replies:

    "The service phone call you received was in fact legitimate... We have assembled a customer list and are directly contacting customers like you through a call campaign. On the call, you should be provided a phone number to call if you have additional questions. Hopefully you received this on your call. If not, let me know and we’ll get it to you as soon as possible so you have all of the follow-up information needed."

    Another customer rightfully asks: "So why is there no information in the recall links or other readily obvious place on the site?"

  2. The next information about the problem is another post to the same thread from "DELL-Matt M".

    "We will continue to update this forum as new information becomes available or questions arise."

    This story is making the news and Dell will update customers in a forum thread?!?

  3. One customer then questions whether 'DELL-Matt M" works for Dell!

    "Will you please post your employee number? In a phone call to Dell this morning I was told that no Dell employee wrote this...."

  4. "DELL-Matt M" replies:

    "Yes Art, I am a Dell employee and the information I posted is accurate. If you need specific information, please contact

    Thanks, Matt"

    Still no link to an official Dell story.

  5. Try searching for "Dell PSIRT" or "Dell security". You get nothing about the security of Dell products.

Dell needs to step up its game. It's shipping products to customers with malware, and it's "handling" the issue through a support forum.

I think my post Every Software Vendor Must Read and Heed referencing Matt Olney's recommendations is a good place to start, Dell!


Motorrad said...

It would be extremely helpful if product vendors like Dell not only create PSIRTs, as you suggest, but also join organizations that link PSIRTs together, such as FIRST.Org.

Having a PSIRT is a good first step, but if you don't have networking with other incident responders you're probably working in the dark (or, worse still, blindly following the guidance of corporate PR, who likely have no relevant experience in this particular area).

Joe said...

Dude you got a virus!

Sorry, couldn't resist.

Andy H. said...

More to the point Dell states in their response

"4. All industry-standard antivirus programs on the market today have the ability to identify and prevent the code from infecting the customer’s operating system."

Then why were they not checking all motherboards or have process in place to do so with "industry-standard antivirus programs?