Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security China Facebook Apple Technology

The Software Side of China's Supply Chain Attack (bloomberg.com) 63

Bloomberg BusinessWeek published a story on Thursday which claimed that data center equipments run by Amazon Web Services and Apple were subject to surveillance from the Chinese government via a tiny microchip inserted during the equipment manufacturing process. Both Amazon and Apple have vehemently refuted Bloomberg's reporting. Bloomberg's reporters, who have spent more than a year on the story and have cited 17 sources for the claims they make in it, have doubled down. In a new story, the news outlet reports that Supermicro was the target of at least two additional forms of attack. This report claims that Facebook was aware of these attacks, too, which has confirmed it. From the story: The first of the other two prongs involved a Supermicro online portal that customers used to get critical software updates, and that was breached by China-based attackers in 2015. The problem, which was never made public, was identified after at least two Supermicro customers downloaded firmware -- software installed in hardware components -- meant to update their motherboards' network cards, key components that control communications between servers running in a data center. The code had been altered, allowing the attackers to secretly take over a server's communications, according to samples passed around at the time among a small group of Supermicro customers. One of these customers was Facebook.

"In 2015, we were made aware of malicious manipulation of software related to Supermicro hardware from industry partners through our threat intelligence industry sharing programs," Facebook said in an emailed statement. "While Facebook has purchased a limited number of Supermicro hardware for testing purposes confined to our labs, our investigations reveal that it has not been used in production, and we are in the process of removing them." The victims considered the faulty code a serious breach.
Further reading: Bloomberg's spy chip story reveals the murky world of national security reporting.
This discussion has been archived. No new comments can be posted.

The Software Side of China's Supply Chain Attack

Comments Filter:
  • by Anonymous Coward on Friday October 05, 2018 @11:07AM (#57431778)

    To pretend there's no chinese espionage. And Tienneman square never happened.

    Maybe if they post enough the government won't harvest their organs.

  • Who cares (Score:2, Insightful)

    by Anonymous Coward

    The Intel ME processor built into every Intel x86 chip can do all of this and more, yet nobody even bats an eye

    Hell, it runs even when your computer is turned off

  • by Crashmarik ( 635988 ) on Friday October 05, 2018 @11:21AM (#57431898)

    to our markets was supposed to be a grand benefit ?

    And why we have a senator with a Chinese spy on her staff
    https://www.washingtonpost.com... [washingtonpost.com]

    • by Anonymous Coward on Friday October 05, 2018 @11:36AM (#57432044)

      to our markets was supposed to be a grand benefit ?

      We could outsource most of our well paying manufacturing jobs to them, save a ton of money, reduce the power of the middle class, and pay our rich even larger profits.

      And why we have a senator with a Chinese spy on her staff
      https://www.washingtonpost.com... [washingtonpost.com]

      Feinstein is so pro-"government spying on its people" that she felt the need to hire an expert. FWIW, not even her own party wants her anymore: California Democratic Party Snubs Feinstein, Endorses Rival [usnews.com]

    • by Gravis Zero ( 934156 ) on Friday October 05, 2018 @11:58AM (#57432280)

      And why we have a senator with a Chinese spy on her staff
      https://www.washingtonpost.com... [washingtonpost.com]

      If you believe anything Marc Thiessen writes then you're as dumb as he is. Mr. Thiessen is the most disingenuous writer and greatest partisan hack I know besides Megan McArdle who is so insanely partisan that she argued in favor of insider trading [washingtonpost.com] after Republican Rep. Chris Collins was caught doing it!

      • by Anonymous Coward

        See this? THIS is "Whatabboutism"!

        It is an attempt to distract from the fact that Feinstein employed a Chinese spy by making attacks about entirely unrelated topics. McArdle's partisan behavior has NOTHING to do with Thiessen's honesty or lack of it.

        You couldn't even be bothered to attack Thiessen directly, much less attempt to make an argument about his reporting. It's pretty bad when you can't even muster a straight up ad hominem fallacy.

        If you have any evidence that Feinstein did NOT employ a Chinese

        • by DRJlaw ( 946416 )

          If you have any evidence that Feinstein did NOT employ a Chinese spy, feel free to post it

          If you have conclusive evidence that she did, post it. Because the burden of proof is on those arguing that she did, not the other way around.

          Unproven. [snopes.com]. Even after a better-than-Kavanaugh-quality FBI investigation, so you've just gotta take them at their word. Innocent until proven guilty, drivers will be drivers, blah blah blah...

    • I didn't think I would need to post every news story available on the internet about this.

      Here's from the San Francisco CBS outlet https://sanfrancisco.cbslocal.... [cbslocal.com]

      Here's a google search

      https://www.google.com/search?... [google.com]

    • If the US really wants to embargo itself then so be it, you'll be left behind in every area of science and crawl back to trading as a junior partner within 5 years.
      • If the US really wants to embargo itself then so be it, you'll be left behind in every area of science and crawl back to trading as a junior partner within 5 years.

        You mean the same way that happened during the cold war ?

        Not laughing with you, just at you.

  • "refuted" (Score:4, Insightful)

    by cascadingstylesheet ( 140919 ) on Friday October 05, 2018 @11:23AM (#57431926) Journal

    Both Amazon and Apple have vehemently refuted Bloomberg's reporting.

    They haven't "refuted" it, they've "denied" it. Or perhaps "rebutted" it.

  • Intel used not so tiny chip to allow people to hack your PC?
  • ..looks like I'm going to be able to buy SuperMicro servers super cheap! I suspect the used server market is also about to be flooded..

    • by Anonymous Coward

      The market was flooded with cheap SuperMicro servers in early 2016. Which could possibly co-inside with some big companies like FB/AMZN getting rid of them without telling anyone else why.

  • How many of us have hand carried blade servers to install in a data center? Interception of gear shipments and modifications in transit have been going on for decades. Dark silicon and closed source firmware are the norm now. The Chinese are amateurs...

  • by turp182 ( 1020263 ) on Friday October 05, 2018 @11:46AM (#57432148) Journal

    SuperMicro is going to mean the number of customers they end up with.

  • by llamalad ( 12917 ) on Friday October 05, 2018 @11:48AM (#57432170)

    A strong argument against our government agencies actively backdooring stuff (cisco hardware, AES, key escrow, etc) and passively maintaining an arsenal of zero day exploits is that these things will be leaked or discovered independently and used by adversarial states against our companies and citizens.

    It's happened a bunch.

    Now some companies catch China doing it. They protect themselves, turn over the details to three-letter-agencies, and deny it ever happened so that the exploit can be added to the national arsenal of weaponized vulnerabilities.

    Good times.

  • Please freak out and put all of your Supermicro shit up on eBay.

    I like Supermicro.

    • I like Supermicro.

      Don't like security, eh? [webhostingtalk.com]

      • Don't like security, eh?

        Nope hate it. Put this insecure shit up on eBay where it belongs and don't expect much in the way of resale value for such "insecure" "junk". Obviously totally irrelevant IPMI is trivially disabled.

        Thank you for getting rid of your Supermicro gear.

  • Time for China to be used only for resources, like Russia.
  • FYI, Analog wrote a 3 part series of this back in the 80's, it had a title of corporate warfare I think.

    but it's exactly that. 1 subsidiary installs the bug into the chip, another outfit installs the software that will trigger the chip to behave as coded, and another does the hack at the terminal to start the entire process of getting access into the systems.

    update, it might be august 1977's story cold cash war ... wow, I never new I read so many of these http://www.analogsf.com/about-... [analogsf.com]

  • "In 2015, we were made aware of malicious manipulation of software"

    Facebook confirmed nothing you fucking morons ...

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...