In December 2006 Walmart sold an open-item Zune with porn on it. The porn was almost certainly from the previous owner. Walmart then resold the item without checking it. Upon realizing their error, Walmart went with the surefire “let’s blame Microsoft for our mistake” defense.
In reading Tyler Reguly’s blog over at computerdefense.org, I came across an interesting story. Tyler’s post is at http://www.computerdefense.org/?p=332. The story is a man purchased a wireless security camera and configured it to send the pictures it took to his email address. He decided that he didn’t like the camera and returned it to Staples for a refund. A family in Nova Scotia purchased the “open-item” camera, installed it, and started sending pictures to the previous owner. The Staples store neglected to reset the camera before reselling it. You can read the story at http://tinyurl.com/yskdz2. A retailer, presumably a Staples employee, disregarded Staples instructions to reset devices and blamed the previous owner, despite Staples claims that they instruct stores to reset the devices.
In September, 2006 Apple shipped infected Video iPods. This was a bit different case, but the flaw that allowed it to happen was conceptually identical to selling open-item goods. Apple’s manufacturer took some iPods off of the production line and put them in test machines. From a manufacturing standpoint these samples are “open-item” and need to been restored to factory condition. Apple still blames Microsoft for Apple’s QA problems.
Retailers and some manufacturers are not yet used to the security concepts surrounding devices with memory. This means that if you purchase an open-item electronic product you need to be aware of what it is capable of doing, make sure that it contains no unwanted content (except Windows WGA), and that is not already set to send or receive unwanted communications. These items include, but are not limited to, USB drives, Music/video devices, routers, any wireless device, and game consoles, to name a few.
As these mistakes claim more victims, retailers will learn that they have to provide some specific technology training to their employees if they are to sell technology and maintain consumer trust.
Not “open-item”, but in the past year or so we have also seen infected MP3 players from McDonalds. Some GPS systems from TomTom also shipped, but TomTom was too busy trying to pretend it didn’t happen to blame Microsoft.
Welcome to the era of the Attack Gadget!
Director of Technical Education
Author ESET Research, We Live Security