Doesn’t mean they’re not after you

I occasionally have to procure and set up new laptops and workstations for new employees for my various clients. As happened today. I drove into the office this morning to wait for FedEx to deliver a laptop that was ordered on Friday, and I didn’t even have to unpack my gear as the delivery was waiting for me when I got to the reception desk. I grabbed it and immediately drove back home, without even five minutes at the office. Got a good hour of my podcasts in on the round trip. Wasn’t even any slowdowns. Not bad for a Monday.

I got home and went to unpack the laptop, and noticed that the box had been opened. Usually Dell has a small round plastic sticker that goes over the cardboard tab that locks the lid to the box. But it and the cardboard around it had been ripped clean off. Weird, I thought. I removed the laptop, and opened it up, and there was a small piece of orange, plastic tape crumpled and stuck to the case. Double weird. I went to turn the machine on. Dead. Usually they ship with enough charge to run them for a few minutes. Triple weird.

Now I’m not usually paranoid, but this just seemed to rub me the wrong way this morning. Nothing looked damaged, so I plugged in the charger and told my boss about it. We had ordered this thing for an employee that was starting tomorrow, so if we needed to go through the trouble of returning it to our distributor, then we needed to act fast. I called the distributor, and they said that the box wouldn’t have gone out opened — they don’t accept opened returns — so it probably happened during shipping. The sales rep said they would send a new one out for a return, but I was torn about our timeline and said I would think about it and make a decision soon.

I was concerned about this mainly from an operational security perspective. What if the machine had been compromised? What if someone had opened it, installed malware, then sealed the box back up? What was the risk? What was the likelihood? I told my boss I was going to call the client and see what they wanted to do. As soon as I got the client on the phone and started to explain, I realized that this was a mistake. I told them that I didn’t think there were any problems, but that I wanted full transparency. I probably rambled on for about five minutes before we agreed to let it go.

Since the machine didn’t show any obvious signs of tampering besides the box, I wasn’t worried about physical damage or anything like that. I was worried about the device being compromised. A rootkit, or other piece of malware that would lead to a security breach. This laptop had shipped with a smart-card reader, so it was obviously going to be used in a secure environment. What were the chances that the device had been compromised in the warehouse by an employee? What if my client was being targeted?

I went ahead and set the machine up, and made sure our antivirus deployed. Not that I have any illusions about any vendor solution out there that can catch a properly customized virus payload. A sufficiently determined adversary, if you will. One of our neighbors at my office is a team of ex-Special Forces personnel that specialize in security assessment and tactical training. Physical intrusion, surveillance, all that kind of government/military engagement stuff. I hear enough background chatter from them in the office next door to know that they have access to some crazy shit. And of course Twitter has been all about the DEFCON conference last week. My feed has been full of USB cables that contain all kinds of hidden components that will steal and exfiltrate your data. I’ve had enough proximity to this kind of spook-level stuff in my career to know that it’s out there.

Eventually, what gave me peace of mind enough to forget about it was that I saw the seal ripped off the box. If it was government or corporate espionage, they sure were sloppy. Must have just been something else, a more plausible, unexplained occurrence.

Nothing to worry about. Right?