The Software Side of China's Supply Chain Attack (bloomberg.com)
Bloomberg BusinessWeek published a story on Thursday which claimed that data center equipment run by Amazon Web Services and Apple was subject to surveillance by the Chinese government via a tiny microchip inserted during the equipment manufacturing process. Both Amazon and Apple have vehemently refuted Bloomberg's reporting. Bloomberg's reporters, who have spent more than a year on the story and have cited 17 sources for the claims they make in it, have doubled down. In a new story, the news outlet reports that Supermicro was the target of at least two additional forms of attack. This report also claims that Facebook was aware of these attacks, which Facebook has confirmed. From the story: The first of the other two prongs involved a Supermicro online portal that customers used to get critical software updates, and that was breached by China-based attackers in 2015. The problem, which was never made public, was identified after at least two Supermicro customers downloaded firmware -- software installed in hardware components -- meant to update their motherboards' network cards, key components that control communications between servers running in a data center. The code had been altered, allowing the attackers to secretly take over a server's communications, according to samples passed around at the time among a small group of Supermicro customers. One of these customers was Facebook.
"In 2015, we were made aware of malicious manipulation of software related to Supermicro hardware from industry partners through our threat intelligence industry sharing programs," Facebook said in an emailed statement. "While Facebook has purchased a limited number of Supermicro hardware for testing purposes confined to our labs, our investigations reveal that it has not been used in production, and we are in the process of removing them." The victims considered the faulty code a serious breach. Further reading: Bloomberg's spy chip story reveals the murky world of national security reporting.
Re: (Score:2)
It does look like Bloomberg's story isn't complete and relies on anonymous sources.
"Today’s bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it’s not, and a lot of people screwed up." https://techcrunch.com/2018/10... [techcrunch.com]
Links from the Techcrunch article:
"The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “ma
Re: (Score:2)
Show us the chip; not marketing diagrams invented for reporting.
I remember way back in the 20th century you could get schematics that showed the circuit, parts, etc. And if you could read schematics, you could also learn how things were put together and learn how to do stuff yourself. Places like Radio Shack would give you a better-paying position than just a clerk.
Come to think of it, it is a struggle to get actual schematics. And if you can get them, they are so densely packed with lines and many unclearly labeled boxes, not very useful.
Re: (Score:2)
Come to think of it, it is a struggle to get actual schematics. And if you can get them, they are so densely packed with lines and many unclearly labeled boxes, not very useful.
I used to work at a contract manufacturer, working on production failures for a certain network/security device company. (Not Cisco, one of the other big ones) Even getting detailed schematics, board layouts, signal functions, etc. was a giant pain in the ass. Those types of companies guard that shit like it's gold. What I don't understand, try and find a schematic/repair manual for any modern piece of sound equipment. Can't get them half the time, the other half the time they want to charge you $40 fo
Here comes an army of Chinese (Score:4, Informative)
To pretend there's no Chinese espionage. And Tiananmen Square never happened.
Maybe if they post enough the government won't harvest their organs.
Who cares (Score:2, Insightful)
The Intel ME processor built into every Intel x86 chip can do all of this and more, yet nobody even bats an eye
Hell, it runs even when your computer is turned off
Remind me how free access for our enemies (Score:5, Interesting)
to our markets was supposed to be a grand benefit ?
And why we have a senator with a Chinese spy on her staff
https://www.washingtonpost.com... [washingtonpost.com]
Re:Remind me how free access for our enemies (Score:4, Interesting)
to our markets was supposed to be a grand benefit ?
We could outsource most of our well paying manufacturing jobs to them, save a ton of money, reduce the power of the middle class, and pay our rich even larger profits.
And why we have a senator with a Chinese spy on her staff
https://www.washingtonpost.com... [washingtonpost.com]
Feinstein is so pro-"government spying on its people" that she felt the need to hire an expert. FWIW, not even her own party wants her anymore: California Democratic Party Snubs Feinstein, Endorses Rival [usnews.com]
Re:Remind me how free access for our enemies (Score:4, Informative)
And why we have a senator with a Chinese spy on her staff
https://www.washingtonpost.com... [washingtonpost.com]
If you believe anything Marc Thiessen writes then you're as dumb as he is. Mr. Thiessen is the most disingenuous writer and greatest partisan hack I know besides Megan McArdle who is so insanely partisan that she argued in favor of insider trading [washingtonpost.com] after Republican Rep. Chris Collins was caught doing it!
Re: (Score:1)
See this? THIS is "Whatabboutism"!
It is an attempt to distract from the fact that Feinstein employed a Chinese spy by making attacks about entirely unrelated topics. McArdle's partisan behavior has NOTHING to do with Thiessen's honesty or lack of it.
You couldn't even be bothered to attack Thiessen directly, much less attempt to make an argument about his reporting. It's pretty bad when you can't even muster a straight up ad hominem fallacy.
If you have any evidence that Feinstein did NOT employ a Chinese
Re: (Score:2)
If you have conclusive evidence that she did, post it. Because the burden of proof is on those arguing that she did, not the other way around.
Unproven. [snopes.com]. Even after a better-than-Kavanaugh-quality FBI investigation, so you've just gotta take them at their word. Innocent until proven guilty, drivers will be drivers, blah blah blah...
Re: (Score:2)
I didn't think I would need to post every news story available on the internet about this.
Here's from the San Francisco CBS outlet https://sanfrancisco.cbslocal.... [cbslocal.com]
Here's a google search
https://www.google.com/search?... [google.com]
US wants to embargo itself (Score:2)
Re: (Score:2)
If the US really wants to embargo itself then so be it, you'll be left behind in every area of science and crawl back to trading as a junior partner within 5 years.
You mean the same way that happened during the cold war ?
Not laughing with you, just at you.
Re: (Score:2)
Re: (Score:2)
No, you don't have German scientists to steal this time.
We always have something to steal.
"refuted" (Score:4, Insightful)
Both Amazon and Apple have vehemently refuted Bloomberg's reporting.
They haven't "refuted" it, they've "denied" it. Or perhaps "rebutted" it.
Re: (Score:3)
Go read a dictionary. Refuted and denied are not synonyms.
Re:"refuted" (Score:5, Informative)
A thesaurus shows that they are not synonyms. A dictionary shows why not.
Re:"refuted" (Score:4, Funny)
Go read a dictionary.
Most tedious plot ever. Spoiler alert: The zebra did it.
applying the same logic... (Score:1)
Re: Russia did it! (Score:1)
Oh bless your heart, sweetie. You forgot to say "But Obama" while you were at it.
Cool.. (Score:1)
..looks like I'm going to be able to buy SuperMicro servers super cheap! I suspect the used server market is also about to be flooded..
Re: (Score:1)
The market was flooded with cheap SuperMicro servers in early 2016. Which could possibly coincide with some big companies like FB/AMZN getting rid of them without telling anyone else why.
China learned this from the NSA (Score:2)
How many of us have hand carried blade servers to install in a data center? Interception of gear shipments and modifications in transit have been going on for decades. Dark silicon and closed source firmware are the norm now. The Chinese are amateurs...
SuperMicro is going to mean (Score:5, Funny)
SuperMicro is going to mean the number of customers they end up with.
Re:SuperMicro is going to mean (Score:4, Insightful)
Wait for the other shoe. It's not logical to think that the Chinese government ONLY had those outsource manufacturers alter Supermicro boards.
Many other brands are likely affected.
Seems pretty obvious (Score:4, Insightful)
A strong argument against our government agencies actively backdooring stuff (cisco hardware, AES, key escrow, etc) and passively maintaining an arsenal of zero day exploits is that these things will be leaked or discovered independently and used by adversarial states against our companies and citizens.
It's happened a bunch.
Now some companies catch China doing it. They protect themselves, turn over the details to three-letter-agencies, and deny it ever happened so that the exploit can be added to the national arsenal of weaponized vulnerabilities.
Good times.
Who should I believe? (Score:2)
Please freak out and put all of your Supermicro shit up on eBay.
I like Supermicro.
Re: (Score:2)
I like Supermicro.
Don't like security, eh? [webhostingtalk.com]
Re: (Score:2)
Don't like security, eh?
Nope hate it. Put this insecure shit up on eBay where it belongs and don't expect much in the way of resale value for such "insecure" "junk". Obviously totally irrelevant IPMI is trivially disabled.
Thank you for getting rid of your Supermicro gear.
Yup (Score:1)
this has been covered back in the 80's (Score:2)
FYI, Analog wrote a 3-part series on this back in the '80s; it had a title of Corporate Warfare, I think.
but it's exactly that. 1 subsidiary installs the bug into the chip, another outfit installs the software that will trigger the chip to behave as coded, and another does the hack at the terminal to start the entire process of getting access into the systems.
Update: it might be August 1977's story Cold Cash War ... wow, I never knew I read so many of these http://www.analogsf.com/about-... [analogsf.com]
Re: (Score:2)
Yep, they even made a book https://en.wikipedia.org/wiki/... [wikipedia.org] ... it's the exact story, enjoy, you guys.
Fucking fake news (Score:1)
"In 2015, we were made aware of malicious manipulation of software"
Facebook confirmed nothing you fucking morons ...