virus in product illustrates basic cybersec breakdown

I’ve seen a few recent reports about products being shipped that have some digital component to them, along with a stowaway: a virus.

No word from Best Buy yet on exactly which virus shipped with the frames, but the company claims it is an “older virus which is easily identified and removed by current anti-virus software.”

There are two possibilities here. First, with some of these devices supposedly made in China, there may be some grand conspiracy to incite doubt in products or attack Americans…using an old, easily identifiable virus. While conspiracy theories are fun, I really don’t think most of them are anything more than fanciful imaginations.

Second, someone is failing at the very basics of digital security.

When developers made and saved this code, where were the virus scanning tools that would catch such an old virus? Clearly they were disabled, badly out of date, misconfigured, or non-existent. And I doubt this tool was made in someone’s home office and just uploaded straight into production (although that is feasible). But still, where were the checks? How long, really, would it take to run one last malware scan and a visual inspection for weird files (especially executable ones!)?

Yes, there has been a lot of discussion in recent years about the failings of signature-based tools and anti-virus apps. But even with their holes, they are still cheap and a basic building block for a security regimen, even if one’s paradigm on security is absolute security with zero holes (yes, lots of people take this stance, even when they don’t realize it!). Ok, so you save money by not protecting your endpoints and contractor systems and so on, but at least scan the internal file servers and actual products you ship!
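The "inspection for weird files (especially executable ones!)" step can be automated as a pre-ship gate that runs alongside the anti-virus scan. The sketch below is an added example, not part of the original post: it assumes the release is staged as a directory tree and that the build produces a set of approved SHA-256 hashes; the function names and sample files are hypothetical.

```python
import hashlib
import os
import tempfile

# Leading bytes of common executable formats (well-known file signatures).
EXEC_MAGIC = {b"MZ": "Windows PE/DOS executable", b"\x7fELF": "ELF executable",
              b"#!": "script with interpreter line"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_unexpected_executables(root, approved_hashes):
    """List (relative path, kind) for executable-looking files not in the manifest."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(4)
            kind = next((d for m, d in EXEC_MAGIC.items() if head.startswith(m)), None)
            if kind and sha256_of(path) not in approved_hashes:
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)

def demo():
    # Constructed sample image (no real malware): an approved installer, a photo,
    # and a stowaway whose .jpg name hides an MZ header.
    samples = {
        "setup.exe": b"MZ" + b"approved installer bytes",
        "photos/beach.jpg": b"\xff\xd8\xff\xe0" + b"jpeg data",
        "photos/thumbs.jpg": b"MZ" + b"not a picture",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        approved = {hashlib.sha256(samples["setup.exe"]).hexdigest()}
        return find_unexpected_executables(root, approved)

if __name__ == "__main__":
    for rel, kind in demo():
        print(f"UNEXPECTED: {rel} ({kind})")
```

The check keys on file content rather than the extension, so an executable renamed to look like a photo is still flagged, while the approved installer passes because its hash is in the manifest.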