It shouldn't be too hard for somebody to get their hands on one of the allegedly affected boards. There's millions of them.
Hopefully we hear something a bit more in-depth / reliable / technical soon.
Both Amazon and Apple strongly refute Bloomberg's report.
However, Bloomberg's sources are adamant. "The companies' denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government's investigation."
Apple, Amazon deny report on Chinese use of tiny chips to hack into their networks
I don't buy this.
1. The attack is terribly easy to identify once in place.
2. This is the least cost effective way of doing an attack. Custom silicon, target modification, infiltration are stupidly expensive compared to other vectors like firmware and post-manufacturing implants.
3. Just the supply chain and quantity of humans involved for these implant devices is huge and it's difficult to compartmentalise that number of people.
4. It requires extreme knowledge of the target design and ability to modify it so there is a huge infiltration identification risk.
5. Evidence is permanently left lying around after it is identified. No national entity would get away with being that brazen.
I'm calling either bullshit, propaganda or CYA here until I see a proper design analysis.
2. This is the least cost effective way of doing an attack. Custom silicon, target modification, infiltration are stupidly expensive compared to other vectors like firmware and post-manufacturing implants.
Tampering with firmware is way easier to detect. And it's not that expensive compared to gains you can get, especially if you are Chinese government.
Tampering with firmware is way easier to detect. And it's not that expensive, especially if you are Chinese government.
If servers are going to be used by secret agencies, you can be pretty sure they'll check the firmware. Moreover they also receive source code from suppliers. These are not home PCs FFS.
Tampering with firmware is way easier to detect. And it's not that expensive, especially if you are Chinese government.
Not really. All you need is access to the signing key and method which is a single simple attack vector (rubber hose).
Hell I've been entrusted to many "signing keys" and "master passwords" before and had to explain to large financial companies that no it's not ok shipping your EV keys on an unencrypted laptop one of your junior developers lugs to and from work on a tube.
Firmware tampering's only defence is competence and there isn't a lot of that around in the human race and I suspect most of it works at Apple or somewhere where the pay is better.
Hackaday spoke with Joe FitzPatrick (a well known hardware security guru who was quoted in the Bloomberg article). He finds this reported attack a very believable approach to compromising servers. His take on the BMC is that it's usually an ARM processor running an ancient version of Linux that has control over the major parts of the server. Any known vulnerability in the BMC would be an attack surface for the custom chip.
Let's apply Ockham here. Which is more likely:
1) China tries a high cost, high probability of detection, low probability of success, exploit of limited applicability.
2) In a political climate of 'post truth' someone who wants to provoke a trade war with China 'leaks' propaganda. Everybody else (FBI, DNI, Apple, Amazon etc.) who ought to know about it denies that there is any veracity to it, including people who have the clout to tell the truth and damn anyone who tries to shut them up.
In the absence of verifiable evidence of this exploit, I think Ockham tends towards (2).
Its all for the quick bucks from the short sale on the affected companies stocks. Like the Trump did on Amazon, easy money. :-DD
Not convinced, yes Supermicro's shares will take a hit and people will make money but longer term?
Yep: https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
Although that shows the loading of compromised firmware rather than modifying the hardware. It's also interesting to note that the NSA intercepted packages bound for specific end users, whereas the approach described in the Bloomberg article is inherently indiscriminate; anyone who gets a particular model/production run is potentially compromised. Not making a moral judgement, it's just interesting to see the difference in approach.
Intercepting specific packages in the US is much easier for the NSA.
Amazon AWS say it's bullshit
All the players involved deny, which under the current legislation unfortunately tells us exactly nothing.
https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/
We live in interesting and dangerous times.
Now that the Mueller investigation is winding down and despite lots of accusations (including some meaningless indictments), no proof of Russian collusion or meaningful interference in the 2016 election has been provided.
Can I ask a question? What would happen if someone tried to remove that chip from the board? Would it brick the full board?
2. This is the least cost effective way of doing an attack. Custom silicon, target modification, infiltration are stupidly expensive compared to other vectors like firmware and post-manufacturing implants.
How is it custom silicon, it could be an off the shelf micro in a custom package (which wouldn't be very expensive).
I call it unicorn shit until I've seen it and smelled it.
Try reverse logic then.
It's not going to be just a micro. It would have to have a compatible bus interface as well, or arbitration if it talks to something else.
I could believe something related to the BMC/IPMI/console access stuff. After all they even share Ethernet controllers with the mainboard. Arbitration
How would this "American propaganda" about the chinese Supermicro server backdoor benefit the USA?
But what Bloomberg describes is, as you said, unicorns. Forcing the OS to do what? Which OS after all? BIOS, EFI and all that crap is not running when a proper OS is in execution.
Then read this :palm: https://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/
MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings.
How? MINIX can do all this because it runs at a fundamentally lower level.
x86-based computers run their software at different privilege levels or "rings". Your programs run at ring three, and they have the least access to the hardware. The lower the number your program runs at, the more access they have to the hardware. Rings two and one don't tend to be used. Operating systems run on ring zero. Bare-metal hypervisors, such as Xen, run on ring -1. Unified Extensible Firmware Interface (UEFI) runs on ring -2. MINIX? It runs on ring -3.
You can't see it. You can't control it. It's just humming away there, running your computer. The result, according to Minnich is "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared."
I dunno if it's real or not but there are good reasons to do it. They cannot plant hacked firmware on a few devices for particular customer. They cannot intercept a few packages for particular customer and do it NSA style. If they do this in wide scale hoping it gets somewhere where they need, hacked firmware won't do. Too wide exposure and someone will find it. With such approach it needs to be something extremely difficult to find.
But again two questions;
1. Why? There are much easier attack vectors.
2. Who? Supermicro stuff is designed in USA. Do they not do design validation on production runs and sampling?
"The majority of its workforce in San Jose is Taiwanese or Chinese"
The PCB assembler, was supplied modified PCB's and stuffed on the extra one little tiny part.
I can't think of a better or easier way to surreptitiously get a trojan into servers across the world.
That’s why software is the place to do it.
I suggest people read the following:
1. https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
2. https://www.theregister.co.uk/2010/12/15/openbsd_backdoor_claim/
Successful attacks leave no evidence and are plausibly deniable. Hardware is a massive steaming chunk of curly evidence.
I can't think of a better or easier way to surreptitiously get a trojan into servers across the world.
Software.
You can relatively easily find that software/firmware was altered. If it's a tiny innocent looking EMI filter, sleeping until it comes time to do its dirty job, it's way more difficult to figure it out.
Can you tell a malicious alteration from non malicious code?
You can simply start verifying if data matches to what is supposed to be there. If something is off, it's a signal for further investigation.
Hell no. We’ve had auditors walk straight over stuff we threw in to trip them up and we’re not experts in that sort of thing (well not intentionally :-DD)
china tries to recruit spies on linkedin. enough said
Can you tell a malicious alteration from non malicious code?
Hell no. We’ve had auditors walk straight over stuff we threw in to trip them up and we’re not experts in that sort of thing
Hash values would be a quick and easy start.
If your auditors can't manage a basic thing like that, maybe you should reconsider who audits your gear.
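A worked illustration of the hash check suggested in the post above, added here as an example; it is not code from any poster or from Supermicro. It assumes a raw dump of the board's SPI flash taken with an external programmer and a reference image (or its SHA-256) obtained from the vendor out of band. The 4 KiB block size and the sample images are constructed for the demo.

```python
"""Added example: verify a dumped firmware image against a known-good hash,
then localise the change. Not vendor code; sample data is constructed."""
import hashlib


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_image(dump: bytes, expected_sha256: str) -> bool:
    """Whole-image check: the quick first pass. True only on an exact match."""
    return sha256(dump) == expected_sha256.lower()


def diff_regions(dump: bytes, reference: bytes, block: int = 4096) -> list:
    """Which blocks of the dump differ from the reference image.

    Returns [(offset, dump_block_sha256, reference_block_sha256), ...] for
    every mismatching block. The 4096-byte block is an assumption chosen to
    match the erase-sector size of common SPI NOR parts; adjust to taste.
    """
    if len(dump) != len(reference):
        raise ValueError("image sizes differ: %d vs %d" % (len(dump), len(reference)))
    mismatches = []
    for off in range(0, len(dump), block):
        a = dump[off:off + block]
        b = reference[off:off + block]
        if a != b:
            mismatches.append((off, sha256(a), sha256(b)))
    return mismatches


# Constructed sample: a 64 KiB "reference" image and a copy with 4 bytes
# changed inside the third sector (offset 0x2000).
REFERENCE = bytes(range(256)) * 256
REFERENCE_SHA256 = sha256(REFERENCE)
_t = bytearray(REFERENCE)
_t[0x2000:0x2004] = b"\xde\xad\xbe\xef"
TAMPERED = bytes(_t)

if __name__ == "__main__":
    print("reference verifies:", verify_image(REFERENCE, REFERENCE_SHA256))
    print("tampered verifies:", verify_image(TAMPERED, REFERENCE_SHA256))
    for off, got, want in diff_regions(TAMPERED, REFERENCE):
        print("sector at 0x%06x differs: %s... != %s..." % (off, got[:16], want[:16]))
```

The whole-image hash is the quick first pass; the block-level diff is what you run once it fails, to see whether the change sits in code or in a settings/NVRAM region that legitimately differs between boards. Two caveats that line up with the argument in this thread: the check is only as trustworthy as the provenance of the reference, and it says nothing about a part on the bus that alters behaviour at runtime rather than the image at rest. Read the flash with an external programmer rather than asking the BMC for its own contents; a compromised controller can lie.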
That article reeks of bullshit and FUD to me.
Unfortunately written by someone who doesn't understand the tech, losing any details that might be informative.
Something inline with SPI flash is about the only thing I can guess based on the sparse info there, maybe even just disabling any write protection.
To gain support for any war (cold or hot) you need the populace to believe that the "enemy" is threatening you. Why not baffle them with mysterious electronics jargon and a magical chip "the size of a grain of rice" that allows them to spy on us. (Almost as good as the omnipotent Russian hackers and social media trolls)
Geopolitics 101 - same as it ever was. There needs to be more than just a trade war to justify military spending.
A new cold war with China is in the making. (https://www.nytimes.com/2018/09/19/us/politics/trump-china-trade-war.html)
A vital element in keeping the peace is our military establishment. Our arms must be mighty, ready for instant action, so that no potential aggressor may be tempted to risk his own destruction...
This conjunction of an immense military establishment and a large arms industry is new in the American experience. The total influence—economic, political, even spiritual—is felt in every city, every statehouse, every office of the federal government. We recognize the imperative need for this development. Yet we must not fail to comprehend its grave implications. Our toil, resources and livelihood are all involved; so is the very structure of our society. In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military–industrial complex. The potential for the disastrous rise of misplaced power exists, and will persist. We must never let the weight of this combination endanger our liberties or democratic processes. We should take nothing for granted. Only an alert and knowledgeable citizenry can compel the proper meshing of the huge industrial and military machinery of defense with our peaceful methods and goals so that security and liberty may prosper together. [emphasis added]
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.
Doing this SuperMicro motherboard implant as a component retrofit (chip disguised as a decoupler or ESD protection or whatever) without it being obvious (cuts/bodge wires)
seems quite implausible.
Factory design engineered?
One other way to do it would be by the PCB supplier modifying the gerbers to add the part. But then the assembler has to be in on it too.
Supermicro are probably being gagged with a fear of losing contracts or whatever, as it would be easy for them to come out and prove it wasn't in their design and layout, and that's it was some manufacturing chain interdiction.
Has anyone with Supermicro hardware been able to locate this chip? What happens if you just desolder it?
The major parties have responded:
https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond
Bloomberg got it wrong? Or CIA cover-up? 8)
That will be the key to confirming or debunking this story. Someone is going to have to come forward with one of these chips found on their hardware and have it subjected to public analysis to convince me this it is real. If anyone out there finds one, send it to Dave or Mike or Shahriar for analysis.
I think the source and mission here has been very effective. Awaiting US political comment.
I'm tending to agree with you. Doing the mental experiment of trying to pull that trick myself it gets more incredible by the minute. If that was possible it would be mostly limited to the IPMI/remote administration stuff. And with a properly filtered/isolated network it's unlikely that the machines could call home.
Also Bloomberg has puked out an opinion piece as well to stir discussion with a suitably facepalm title: https://www.bloomberg.com/view/articles/2018-10-04/computer-spies-hacked-reality
It certainly seems feasible (even if it didn't actually happen). The IPMI architecture provides access to both the NIC + system memory. I don't see why you couldn't have something on either the I2C or SPI busses monitoring / modifying data.
That article reeks of bullshit and FUD to me.
Unfortunately written by someone who doesn't understand the tech, losing any details that might be informative.
Something inline with SPI flash is about the only thing I can guess based on the sparse info there, maybe even just disabling any write protection.
Though one detail was mentioned: "The illicit chips could do all this because they were connected to the baseboard management controller". I find it plausible that they attacked WPCM450 (https://www.supermicro.com/manuals/other/Embedded_BMC_IPMI.pdf) and did it by putting their spy chip on SMBus.
But we can only guess until we know more facts.
This story sounds very fishy and doesn't seem to add up.
I get very suspicious of the US Trump Administration. Especially as regards honesty and integrity.
Recently, Trump has been VERY aggressive against China, at the UN and with Trumps massive trade war with China.
This makes me very suspicious the story is false (or exaggerated or something).
Where is the real evidence (i.e. hardware) ?
Let's see these spy chips and let independent organisation(s), investigate them and publish the results.
- China, it's obvious, and with the recent addition of the S-400 delivered by Russia, it's just like pouring fuel on the fire .. >:D
.. so on.
If what you seem to be hinting/thinking/suggesting is right, then we are moving to a partly (as it has probably been done lots of times before) new era, where the US (Trump Administration) creates bogus fake news just to hurt countries/companies/individuals which it dislikes and/or wants to hurt.
I think many countries in the recent and more distant past have done this. It's nothing new.
If that is the case, it is sad times ahead.
The old saying, goes something like "The first casualty of war is the TRUTH".
Hopefully, we are just talking about "COLD" wars.
I think many countries in the recent and more distant past have done this. It's nothing new.
Yes, that is true.
But in the case of many countries, such as the UK, it is only in times of actual war (e.g. World War 2), or when they are at war with another country, that the hypothetical department of misinformation comes rolling into action.
But I agree that political systems, including the UK's, seem to sometimes come up with "stories" to apparently manipulate things, such as Brexit and the EU.
The "stories" are usually basically true, but the timing and creation/release of the story at just the **right/**wrong time seems to be more than just a coincidence!
**=right time for the political party, initiating the news, and wrong time for the people the news is about.
Actually it's more complicated than this.
Tell a lie out loud in a sector where people are easily misled (tabloids), print an apology / rebuttal in small print somewhere else down the line.
People still remember the initial story.
The plot thickens. Apparently an ftp server of Supermicro got hacked a while back and served infected firmware. This was the reason Apple stopped working with Supermicro, according to Apple. Reports are that they initially denied any of this happening back then. Maybe their gag order ran out after a while?
https://www.macrumors.com/2017/02/23/apple-ends-relationship-with-super-micro/
Whether it is true or not about the fake capacitor, we all know Chinese communist government is the world's biggest crime syndicate.
For a start, the free world needs to confiscate all foreign properties, securities and loot smuggled abroad by the members and the families of the Central Committee of the Chinese Communist Party. The billions of dollars can be used to help pay some of the damage to western companies caused by China's rampant and shameless IP theft.
Really? Drop an entire vendor because one lab machine had infected firmware? And then deny that there was a security incident? And then come back and admit that they did find bad firmware?
I don't think we can really trust Apple at this point. If true, they'll deny this to the grave.
When you discover a security breach, why tell your shareholders when you can also not tell your shareholders?
Apple have done that numerous times. They got a better deal elsewhere and used that as leverage to get out of the current one.
I guess someone at UK National Cyber Security Centre pissed off with Trump ... :-DD
https://www.cnbc.com/2018/10/05/uk-cyber-security-agency-backs-apple-amazon-china-hack-denials.html
So how come they have become so sure about having no doubt that fast ?
30 "Unnamed sources". Yeah, I'm sure that we can trust that report. <sarcasm off>
In the Thermal Imaging sub forum a complete compromise of the E4 camera security was achieved by modifying just 1 bit of a cpu instruction code.
ARM's conditional execution bit?
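As an added example (not from the thread, and not a claim about what was actually patched in the E4), here is what flipping one bit of the condition field of an ARM A32 instruction does. The encoding facts are standard ARM: bits 31:28 hold the condition code, and for B/BL bits 27:25 are 101, bit 24 is the link bit and bits 23:0 a signed word offset relative to PC+8. The sample instruction words and addresses are made up.

```python
"""Added example: decode the A32 condition field and show the effect of a
one-bit flip in it. Standard ARM encoding; sample instructions are constructed."""

# Condition codes indexed by bits 31:28. Even/odd neighbours are complements,
# so toggling the lowest bit of the field (bit 28) always inverts the test.
# 0b1111 is the old "NV" code; on ARMv5 and later it is unconditional space.
COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV"]


def cond_of(insn: int) -> str:
    """Condition mnemonic of a 32-bit A32 instruction word."""
    return COND[(insn >> 28) & 0xF]


def is_branch(insn: int) -> bool:
    """True for B/BL: bits 27:25 == 0b101."""
    return (insn >> 25) & 0x7 == 0b101


def branch_target(insn: int, pc: int) -> int:
    """Target of a B/BL located at pc: PC+8 plus sign-extended imm24 << 2."""
    imm24 = insn & 0xFFFFFF
    if imm24 & 0x800000:            # sign-extend the 24-bit field
        imm24 -= 1 << 24
    return (pc + 8 + (imm24 << 2)) & 0xFFFFFFFF


def describe(insn: int, pc: int = 0) -> str:
    """Human-readable form, e.g. 'BEQ 0x00001010' or 'cond=AL (not a branch)'."""
    cond = cond_of(insn)
    if not is_branch(insn):
        return "cond=%s (not a branch)" % cond
    mnem = "BL" if insn & (1 << 24) else "B"
    suffix = "" if cond == "AL" else cond
    return "%s%s 0x%08x" % (mnem, suffix, branch_target(insn, pc))


def flip_bit(insn: int, bit: int) -> int:
    """Return the instruction word with one bit toggled."""
    return insn ^ (1 << bit)


def inverted_pair(insn: int) -> tuple:
    """Condition before and after flipping bit 28, the LSB of the cond field."""
    return cond_of(insn), cond_of(flip_bit(insn, 28))


# Constructed sample: a BEQ at 0x1000 jumping forward to 0x1010
# (imm24 = (0x1010 - 0x1008) / 4 = 2), the shape of a "check passed" branch.
BEQ_SAMPLE = 0x0A000002
BEQ_PC = 0x1000

if __name__ == "__main__":
    print(describe(BEQ_SAMPLE, BEQ_PC))
    patched = flip_bit(BEQ_SAMPLE, 28)
    print("%08x -> %08x: %s" % (BEQ_SAMPLE, patched, describe(patched, BEQ_PC)))
    for i in range(0, 16, 2):
        print("%s <-> %s" % inverted_pair(i << 28))
```

Because the sixteen condition codes are laid out as complementary pairs (EQ/NE, CS/CC, MI/PL, ...), flipping bit 28 on its own always inverts the sense of a conditional branch. That is why a one-bit change to a BEQ that skips past a failed integrity check turns it into a BNE that skips past a successful one, a common pattern in firmware patching. Flipping the same bit on an unconditional (AL) instruction yields the 0b1111 code, which decodes differently across cores, so in a real patch you would only target the conditional case.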
Let Apple and Amazon testify before Congress. This seems to be America's favorite show this season.
There are hi-res pictures on Twitter of the exact board with no suspicious/malicious chip installed. It's possible that only server boards headed to Apple, AWS, et al. got the special treatment. I'm sure an order from Apple warrants a standalone production run.
Well, if you take the Bloomberg article at face value, virtually every chip component is potentially malicious. Without any information on the nature of the exploit, you can't even really narrow it down that far, other than making educated guesses. Even if you decap and analyze every single IC, and carefully inspect every chip component, and completely tear apart the PCB to look for embedded components, at best you could prove that the particular specimen was not compromised, but who knows how many different units from how many different production runs and design variants are out there. So if the article *is* FUD or propaganda, being so difficult to definitively disprove is certainly an advantage.
What China wants is not really that much. All we want is the west to leave us alone as long as we don't touch a NATO country.
And the west just will not. China will never be peaceful until the west stops policing near China.
In China, the government, not the people, owns the land.
Actually, that is the same everywhere; only governments "own" territory. Control is perhaps a better word than own. Usually through military means, but sometimes also because of tradition. Each country has different rules of how they then divide the rights to use that land among their citizens though. If you "own" some property in e.g. Sweden or the USA, you are really just sort of leasing it; you have a contract with the government giving you a monopoly on using some part of the territory in certain ways, e.g. for farming or for mining or building a house, but there are limits to what you can do with it.
The billions of dollars can be used to help pay some of the damage to western companies caused by China's rampant and shameless IP theft.
In the 1990s, China blatantly cloned entire designs....
China doesn't care about right or wrong, China only cares about power....
That is the ultimate free pass to dictatorship. The only thing that prevents Chinese government from physically suppressing its unrest people and its separatism states is the fear of being sanctioned by the west.
I agree the Chinese communist government cares only about power.
I bet you've never lived in China. Chinese government is corrupted as hell, but many Chinese people are way more corrupted.
Everyone in China, if has some sort of power, is corrupted. At least the government is being supervised and has to obey the law, at least to certain extent.
Farmers sell poisonous food to urban citizens, doctors prescribe unnecessary lab tests for making some cut, teachers give special attentions to students with rich dads, and the list goes on.
I bet if there is any power, even if just a little bit, that can change other people's living quality by just a tiny margin, the power will be monetized
Now in such a context, Chinese government is fairly clean, compared with the F*ed up society.
If the west stays out of China's human rights issues and stops sanctioning China for suppressing separatists, China will not need to be excluded from the ITAR list, and then China will not have to clone all western technologies if we have a steady, politics-free supply of them.
Wow, so many conspiracy hypotheses here. The one thing that surprises me is, that from all the knowledgeable people here, not one has stumbled on the most plausible explanation.
It has been mentioned a couple of times that it is a very small, low pin count device.
That screams to me: PCB-RFID tag.
This is nothing unusual, a lot of companies place RFID tags on their PCBs and have done so for years as a replacement for bar codes.
It's for production tracking, inventory control, warranty tracking, product authenticity etc. Upside compared to bar codes is, you can read the tag without opening the box.
Here's an example: https://www.mouser.com/pdfdocs/magicstrap_application_guide.PDF
It's got nothing to do with backdoors or spying.
A 6-pin device as "back door"? No way, José.
2 power pins and 2-3 data pins are more than enough to compromise the system.
Luckily, we're likely to know the answer one way or the other in the coming days. If the Bloomberg story is true, there are thousands of compromised motherboards out there, and companies will be scouring their data centers for them. People have already identified the specific circuit board featured in the graphic at the top of the Bloomberg article, though it's not clear if this is a real photograph or a Bloomberg-made mockup. If the story is accurate, sooner or later someone will produce a compromised board and do a public teardown.
Sorry, but "half cocked" is what the Bloomberg article is. Allegations, allegations and not one hard fact. The article shows pictures of a minuscule 6-pin device, which is completely in line with an RFID chip and a ground plane slot antenna. It could even have been embedded during PCB manufacturing before assembly. This is in line with manufacturing tracking.
A 6-pin device as "back door"? No way, José.
Bloomberg claims .....
What Bloomberg is trying to say is actually pretty simple..
While true, it's historically been a rather reputable source. That's why many people take the stories quite seriously.
"Trust us on what we claimed, ask no more, just trust us ... "
Equally easily explained -- they are a business publication. If they have the technical details, it wouldn't do most of their readers any good. Just insult them and make them feel dumb for not understanding things. (If, say, Ars were breaking this story, I would expect them to share some technical info, and be suspicious if they didn't.)
...
Oh, one thing by the way, if this were unsupported -- if there were no actual facts here -- this would be defamation, and they'd be sued pretty damn quick for all the millions of dollars this is worth.
Disagree.... not the 1990's... now. There are exact copies of creative patented or copyrighted work by Australian companies and individuals which thieving pirates sell blatantly around the world. IP theft is rampant. Not "copy watch" of the 1990's, but entire designs of high value items where you cannot tell the difference.
Weird. I don't see any of them. Examples please.
Let's make it clear. Since we are talking illegal blatant direct clones that hit the market, those don't count:
1. Cloning of ideas and patents don't count. Only cloning of actual reduction to practice counts.
2. Mimicking a genuine hardware device to illegally use the original software doesn't count.
3. Cloning under a license or a circumvented or successfully attacked IP (copyright under DMCA exemptions, patents with nullified claims, etc.) doesn't count.
4. Cloning at a small scale (mom and dad shop, personal projects or industrial products that're only intended to be used in-house, not to be sold) or for special purposes (government actions for defensive, governmental or policing applications) doesn't count.
5. Genuine development using pirate software/firmware or cloned tools doesn't count.
So, anyone who wants to buy a Supermicro server board and search for the chip? Looks like they are getting cheaper at the moment on eBay :-DD
What about cloning an entire company?
Or stealing an entire company
The billions of dollars can be used to help pay some of the damage to western companies caused by China's rampant and shameless IP theft.
And also your loss of employment insurance, if that's what you mean.
China is getting more and more innovative, as can be seen from history.
In the 1990s, China blatantly cloned entire designs.
In the 2000s, China cloned part of the designs and costed-down the designs by modifications.
In the 2010s, most Chinese designs are patent infringing, but the engineering is more or less independent.
China will keep stealing patents for many more years, but engineering will be more or less independent.
China doesn't care about right or wrong, China only cares about power.
Being able to engineer is a power to technological independence. Being able to invent is not.
China needs technological independence, as that frees China from potential sanction from the west.
That is the ultimate free pass to dictatorship. The only thing that prevents Chinese government from physically suppressing its unrest people and its separatism states is the fear of being sanctioned by the west.
What China wants is not really that much. All we want is the west to leave us alone as long as we don't touch a NATO country.
And the west just will not. China will never be peaceful until the west stops policing near China.
China wouldn't have to clone western technology, China wouldn't have to manipulate currency, and China wouldn't have to be a political enemy of the west, as long as the west gets their fuck out of Chinese politics.
Back in the days of print journalism, this is exactly where the editor would have put:
[sidebar from Dr. Expert goes here "What we found under the microscope"]
A sidebar lets you provide detail that the general reader will want to skip, but that allows you to "show your workings" so that people know you're not handwaving or hoodwinking them. This is especially necessary in this case given the gravity of the accusations. Moreover, business readers aren't insulted by being presented technical details in a sidebar - business people don't expect to understand all the technical details, they have people for that "John, read this article and tell me if the technical side makes sense to you".
Here I'm speaking as an ex-section editor of a business computer magazine. I wouldn't have put a story one tenth as volatile as this on the page without putting enough in print to make my case lawyer proof. Providing all the facts, as far as you can, may make a difference between a case for slander of goods* and no case to answer. In fact in defamation cases sometimes the most damaging thing you can do is to make accusations without producing your proof at the same time. At the very least it leads to legal bills and court appearances where, if you'd made a good case in print already, the plaintiff's lawyers would have said "don't bother".
We can only assume Bloomberg understands this better than any of us. They aren't exactly amateurs and have extensive experience in the business world, which isn't exactly an amateurish or forgiving environment.
Agree, and this means Bloomberg's reporter knows better than US DHS and UK NCSC, interesting time indeed.
Other option is just stock fraud or (unlikely) dumb defamation. We will see soon because investors are very unhappy - shares plunged 50%.
Counterintelligence is responsibility of CIA, not DHS or FBI.
That's so naive and gullible, it's almost touching. I suppose the fact that Bloomberg reporters get a bonus related to how much their stories affect the market would not affect your faith :-DD
You seem to have invented some kind of faith and subsequently attributed it to me. Interesting. Do elaborate.
One peace of nonsense you wrote here. CIA often exceeds what they are allowed to do, however they can operate legally within US. Just imagine how what you wrote would work in practice. They look after some spies who are outside US, those spies contact other spies within US. Nope, we cannot investigate those :palm:.
Counterintelligence is responsibility of CIA, not DHS or FBI.
Nope, just fyi, CIA is illegal to operate domestically in US.
And this matter brought out by Bloomberg, is a domestic issue which legally should be handled by FBI and DHS.
For example counterintelligence like capturing foreign spy "inside US" is under FBI jurisdiction & power, not CIA, only outside US border.
We don't know the truth yet. It's kind of simmering, like when a big turd is going to hit the fan. Somebody is grossly wrong and the Internet is divided.
but not one single plausible photo.
No comment from the FBI, CIA and NSA. Amazon and Apple deny it.
Bloomberg claims 17 people are confirming the H/W mods:
DHS says no reason to doubt firms' China hack denials: https://www.reuters.com/article/us-china-cyber-dhs/dhs-says-no-reason-to-doubt-firms-china-hack-denials-idUSKCN1MH00Y
Now we know the story is bogus, the question is how Bloomberg managed to make such a huge cock-up. Unquestioning conservative blogs are already using it as justification to increase the "war" with China, so maybe that provides the answer.
Counterintelligence is responsibility of CIA, not DHS or FBI. If this is true story, it can have "top secret" seal for decades. Other option is just stock fraud or (unlikely) dumb defamation. We will see soon because investors are very unhappy - shares plunged 50%.
The FBI is the lead agency for exposing, preventing, and investigating intelligence activities on U.S. soil, ...
Foster a fully synchronized, cohesive enterprise that integrates intelligence into operational functions and drives action through Mission Centers to mitigate all threats to the Homeland including: Counterintelligence, Counterterrorism, Cyber, Economic Security, and Transnational Organized Crime.
In 1947 Congress passed the National Security Act, which created the National Security Council (NSC) and, under its direction, the CIA. ..., the CIA was forbidden by law (the National Security Act) from conducting intelligence and counterintelligence operations on domestic soil.
One peace of nonsense you wrote here. CIA often exceeds what they are allowed to do, however they can operate legally within US. Just imagine how what you wrote would work in practice. They look after some spies who are outside US, those spies contact other spies within US. Nope, we cannot investigate those :palm:.
I have purchased "ghost shift" products in the past. Some typical signs are 1.) the box and manual of the product do not carry the vendor's name, address, or logo, but the vendor logo is silkscreened onto the device itself; 2.) the manual appears to be a crudely laid-up Xerox copy of an existing document; 3.) the presence of China-market testing and recycling marks. The actual quality of the product may be the same, but you obviously should not expect vendor support.
What you described in 99% of cases is counterfeit, not ghost shift. Also when you order from China, often they throw away the original box. So it also could be a product for the Chinese market which originally came with a Chinese manual.
So who was writing a "peace[sic] of nonsense"? :palm: Y'all might want to check your facts before implying someone else is a fool.
This thread grows because posters are divided majorly into two camps only, as I stated previously, which are "want to believe" camp vs "the pudding" camp. :-DD
What about cloning an entire company (https://www.nytimes.com/2006/05/01/technology/01pirate.html)?
The other common type of cloning is when the production factory runs an extra undocumented shift.
Wow, great eye opener. Textbook MitM.
I wouldn't dismiss it completely just because of that. Historically it's been pretty common for different government intelligence agencies not knowing what the others are doing, and the US intelligence branch of government is absolutely enormous as far as I know (which admittedly isn't much).
I think that nails it dead, Bloomberg's story is fake news.
Counterintelligence is responsibility of CIA, not DHS or FBI. If this is true story, it can have "top secret" seal for decades. Other option is just stock fraud or (unlikely) dumb defamation. We will see soon because investors are very unhappy - shares plunged 50%.
Literally wrong on every fact.
Why would they cover for China when Trump seeks justification for his trade measures?
Well, that is a motive for making up a story like this though. Wouldn't be the first time Trump comes up with "alternative facts" to suit his interests.
Thank you for clarifying that DHS does Counterintelligence on US soil. Info you provided does not say anything about FBI Counterintelligence operations. So I can count only one fact I was wrong, maybe two, not every fact as you say.
Go and read it again, do a text search within the message if you have to for counterintelligence. All three points you made about the FBI, CIA and DHS in relation to counterintelligence are refuted from authoritative sources.
Eventually you reach the point where you start making rude remarks about the character, intelligence or educational attainment of the person who corrected you
Well, that is a motive for making up a story like this though. Wouldn't be the first time Trump comes up with "alternative facts" to suit his interests.
I don't think Trump could tell the NSA to activate 18 deep cover moles inside US companies to trick Bloomberg.
Go and read my post again, show where I said "on domestic soil". Those suspect factories planting chips were located in the US or am I missing something?
Eventually you reach the point where you start making rude remarks about the character, intelligence or educational attainment of the person who corrected you
You are stepping over the line here. Let's continue in PM and check our records of you versus me insulting others, with CC: moderator.
It would only take one, not particularly deep cover, mole in Bloomberg.
I think that nails it dead, Bloomberg's story is fake news. Reminds me of https://en.wikipedia.org/wiki/Hitler_Diaries
With the track record the various agencies have, why would this "nail the story dead"? If there's something like a gag order the DHS isn't going to spill the beans. It does put the pressure on Bloomberg to come up with something more tangible, although a more suspicious mind might wonder whether they'd be allowed to produce such proof at this point in time. It's obviously also nearly impossible to disprove the story.
Here's the only Bloomberg pic, and we can all smell the bullshit in a 3-pin package...
Er, no, there were other pics of said part, see initial post link. It looks like a 6 pin package, very similar to a balun:
I'd like to know a lot more about what is supposed to be in that very generic looking tiny part.
Wasn't that the point, that it looked like a mundane and innocuous part?
It looks just like some small RF transformers and low pass filters that I have. I think they were made by either TDK or Murata.
Why would they cover for China when Trump seeks justification for his trade measures?
Well, that is a motive for making up a story like this though. Wouldn't be the first time Trump comes up with "alternative facts" to suit his interests.
This is not a Trump thing (and I'm no Trump fan).
This has been going of at least since the 1950s in the US (and other countries). See Operation Mocking Bird (https://en.wikipedia.org/wiki/Operation_Mockingbird)
If this is true for bad mouthing China, the question is why they had to sacrifice "American" companies ?
They could just make & publicize it without mentioning specific company names. :-//
This is not a Trump thing (and I'm no Trump fan).
The problem is the level of conspiracy necessary to keep evidence from any of the companies and from government from leaking if Bloomberg's report was true. Unless there's a mountain of National Security Letters out there keeping everyone involved living in fear I just don't see how it can be. That mountain of NSLs would mean it either goes to the top/Trump or the security agencies are playing traitor and keeping Trump out of the loop. Trump has no reason to keep this secret if he knows about it.
Also this was targeting servers. Servers have no RF capable parts on.
Please note that the part I linked was just an example of a part that looks similar. There are also SMD EMC filters that look the same. See:
Entrepreneurial, or just plain greedy?... http://www.abc.net.au/news/2018-04-26/daigou-chinese-personal-shopping-$1-billion-industry/9671012
If you think that's the worst, then you are wrong. If it's within the border of China, those Daigou people will buy all stocks, even without orders, to bump up the price and sell them back to the people needing them the most...
He mentions a Chinese chip built into Internet-enabled printers for sending a copy of everything printed home. That was more than a decade ago.
It would be interesting to troll them by hacking the printer to not actually print (save on paper), then keep sending it thousands of pages of what look like a one time pad.
The Register is basically the same as The Sun and The Daily Mail here. But with less tits. Other than the editor.
and running out other loyal American businesses is not really seen as that much of a friendly citizen, especially if their trying to avoid paying taxes.
I am pretty sure US requires you to report income regardless of where the business is located and you still get taxed.
Then you find out Firefly was right and you'll be speaking English but insulting each other in Cantonese :)
Technically they were all supposed to speak as much Chinese as English (if not more), but for obvious reasons they were mainly speaking English but kept insults in Chinese as a way of getting around the US censorship.
Another empire falls. Then you find out Firefly was right and you'll be speaking English but insulting each other in Cantonese :)
Also this was targeting servers. Servers have no RF capable parts on.
^^^ this. I've been saying this since I read the article.
Actually I don’t have any Supermicro ones available to me but after scanning tens of high res motherboard pictures there’s nothing that looks even remotely like a balun on any server motherboards. There’s decoupling, power conversion, protection, identifiable ICs, transistors/MOSFETs/diodes, connectors and bugger all else. anything with enough pins is identifiable.
FWIW there are also EMI filters in similar package https://media.digikey.com/pdf/Data%20Sheets/Murata%20PDFs/NFA31C_Series(1206%20Size).pdf
If you were going to camouflage a chip to covertly install it on a server mobo, you'd masquerade it as a component normally found on a server mobo! You wouldn't make it look like an RF component, which has no place on a server board!! :palm: |O :-DD
There are so many issues with this alleged infiltration that I'm surprised anyone with half an ounce of technical savvy is giving it a second thought. There are just too many layers of too many organizations that you'd have to infiltrate in tandem, to maintain version control throughout design, manufacturing, and testing. It defies belief.
The Register has a good overview of the story and the issues of competing credibility here:
https://www.theregister.co.uk/2018/10/04/supermicro_bloomberg/?page=1
FWIW there are also EMI filters in similar package https://media.digikey.com/pdf/Data%20Sheets/Murata%20PDFs/NFA31C_Series(1206%20Size).pdf
They specifically said "signal conditioning coupler", which a bit of googling showed to be RF devices.
As I said earlier, I dunno if this story has any truth in it. I just consider it technically feasible. IIRC article called rogue component disguised as "filter". Picture probably is just something they googled as filter.
Jeezus... you two come along and the IQ in here increases 50 points...
That's about 25 points each.
mnem
And then I come along and... :palm:
They may simply be fancy feed through caps, i.e. bypass caps. "Fancy" name for which is now filter. (Maybe there is an inductor, i.e. spiral structure in there along with the capacitance.)
According to who do they have that obligation? A company is to obey the law, in whichever form it locally comes, up to and including gag orders and active cooperation.
Also, we're forgetting that with multinational public companies, they have a legal obligation to treat all countries the same. If they install a back door for one, they have to do it for all of them.
They are not allowed to discriminate on any basis other than money.
Whichever countries are their bigge$t customers come first.
Not exactly; IQ is by definition an average scale, as well as being weighted median. To make such a shift indicates a huge disparity between the groups in question. It was a deliberate play on a phrase recently popularized by Sherlock, "Don't talk out loud, you lower the IQ of the whole street."
https://www.youtube.com/watch?v=acI12jO0HSQ
To wit, there is a lot of egregiously dumb shit flying around this thread.
mnem
*Anything I put here would not improve on silence*
Here is the thing: the best way on a server motherboard to hide a backdoor here is to ship the ASPEED chip with a compromised firmware. Putting suspicion on those small components seem to make no sense to me. The ASPEED chip has an internal bootloader for its ARM9 or ARM11 processor, through abusing this with just software any code can be hidden.
He's joking. Actually, I thought it was quite wry.
Poe's Law and all.
https://www.documentcloud.org/documents/4995755-Apple-Bloomberg-Congressional-Letter.html
This is an "Is true!" and "Nu-uh!" on international level. Did Bloomberg ever follow up on their initial claims?
The chip might have a receiver or some other trick circuit in it to use the SPI line as an antenna, so a van drives around and activates it after it's installed. It's really small though.
The mainboard is in a metal box called a server. Multiple servers are in a metal rack (some might have a glass door) and there are tons of racks in a data center. Not very RF friendly.
The current idea of the spy chip modifying the linux firmware (stored in a flash chip) for the BMC on the fly is not very convincing. It would be easier to modify the firmware directly. A firmware update would render both methods useless and no sane network design would allow the management port to access the Internet. A spy chip would leave physical evidence of tampering behind. I'd be more concerned about Meltdown, Spectre and Foreshadow.
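The two posts above make the same point from opposite directions: one says the cheapest backdoor is to ship the BMC with a compromised firmware image, the other says a part on the SPI bus patching that image on the fly is unconvincing because a direct modification would be easier and either one leaves evidence. Both cases are separable with the same check, so here is an added example (my code, not anything from the thread, Bloomberg, Supermicro or ASPEED) that models a SPI NOR flash with the standard READ opcode (0x03 plus a 24-bit address), an in-line interposer that rewrites bytes as they stream back to the host, and the three-way comparison a practitioner would run: the image as the host receives it over the bus, the image read out of the chip with an external programmer, and the vendor's published hash. The 4 KiB image, the patch window and the "vendor" hash are all constructed inside the script, and the single whole-chip read transaction is a simplification of the chunked reads real hosts issue.

```python
"""Toy SPI NOR flash + bus interposer, and the three-way firmware integrity check.

Constructed example: the image, the patch and the vendor hash are generated here.
"""
import hashlib
from typing import List, Tuple

READ_CMD = 0x03       # JEDEC SPI NOR READ: opcode, 24-bit address, then data bytes
FLASH_SIZE = 0x1000   # 4 KiB stand-in for a BMC flash (assumption; real parts are 32-64 MiB)


def build_reference_image() -> bytes:
    """Deterministic pseudo-firmware standing in for the vendor's image (constructed)."""
    h = hashlib.sha256(b"constructed-bmc-image")
    out = bytearray()
    while len(out) < FLASH_SIZE:
        out += h.digest()
        h = hashlib.sha256(h.digest())
    return bytes(out[:FLASH_SIZE])


class SpiFlash:
    """A SPI NOR chip that only implements READ. Its contents are what a chip-off dump sees."""

    def __init__(self, image: bytes):
        self.image = bytes(image)

    def transact(self, mosi: bytes) -> bytes:
        # The host clocks opcode + 3 address bytes, then one dummy byte per data byte it
        # wants back; MISO is don't-care during the first 4 bytes, then carries the data.
        if not mosi or mosi[0] != READ_CMD:
            raise ValueError("unsupported opcode")
        addr = int.from_bytes(mosi[1:4], "big")
        n = len(mosi) - 4
        return bytes(4) + self.image[addr:addr + n]


class Interposer:
    """Sits between host and flash and rewrites bytes inside a window as they stream back.

    The flash itself is never written, so a chip-off dump of it still matches the vendor.
    """

    def __init__(self, flash: SpiFlash, offset: int, patch: bytes):
        self.flash, self.offset, self.patch = flash, offset, patch

    def transact(self, mosi: bytes) -> bytes:
        resp = bytearray(self.flash.transact(mosi))
        addr = int.from_bytes(mosi[1:4], "big")
        for i, b in enumerate(self.patch):
            pos = self.offset + i - addr          # position of this patch byte within the read
            if 0 <= pos < len(resp) - 4:
                resp[4 + pos] = b
        return bytes(resp)


def host_read(dev, offset: int, length: int) -> bytes:
    """One READ transaction as issued by the host (the BMC or a verification tool on it)."""
    mosi = bytes([READ_CMD]) + offset.to_bytes(3, "big") + bytes(length)
    return dev.transact(mosi)[4:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """[start, end) ranges where two equal-length dumps differ."""
    regions, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(a)))
    return regions


def check_board(dev_seen_by_host, chip_off_dump: bytes, vendor_hash: str) -> dict:
    """Three-way check.

    chip_matches_vendor False  -> the image in the chip was modified (reflashed firmware).
    in_band_matches_vendor False with a clean chip -> something on the bus is altering reads.
    bus_tampered_regions       -> exactly which offsets the bus and the chip disagree on.
    """
    in_band = host_read(dev_seen_by_host, 0, FLASH_SIZE)
    return {
        "chip_matches_vendor": sha256_hex(chip_off_dump) == vendor_hash,
        "in_band_matches_vendor": sha256_hex(in_band) == vendor_hash,
        "bus_tampered_regions": diff_regions(chip_off_dump, in_band),
    }


if __name__ == "__main__":
    ref = build_reference_image()
    flash = SpiFlash(ref)
    patch = bytes(b ^ 0xFF for b in ref[0x200:0x208])   # guaranteed to differ from the image
    print("clean board:   ", check_board(flash, ref, sha256_hex(ref)))
    print("bus interposer:", check_board(Interposer(flash, 0x200, patch), ref, sha256_hex(ref)))
```

The point of the third field is that a hash computed by the host alone cannot tell the two failure modes apart, and a chip-off dump alone cannot see the bus case at all; only the comparison between the two localises an on-the-fly modification to a byte range, which is the physical evidence the second post says such a device would leave behind.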
LOL you've never been in a DC have you?
Even the shit ones have better security than the best MoD sites I've been on.
Realistic answers might include: Russia - detracts from the various investigations into their interference into US politics, plus they hate China. Domestic political groups - stir up righteous patriotic fervour with mid-terms coming (against: maybe rather too competent an operation for political rabble rousing). Israel - again, mid-terms, electing right wing pro-israeli candidates might make a little sense but not very much, but the Israelis have demonstrated in the past that they are prepared to do stupidly destructive things to gain a little advantage for themselves so it's not completely beyond reason. Any other sensibly plausible actors?
Massive dicks. Massive orange dicks. So much so that it ends in a dick waving contest. Lots of dicks. That's it.
Geopolitics isn't really anything to do with this thread though.
Neither is dicks.
LOL, yes lots of dicks on the world geopolitical stage. Perhaps figuratively large ones but literally.....(My hands are not small!).
In any case, I would argue that it has everything to do with geopolitics, corporate power, money and the integrity of the current supply chain.
Citation for my last comment for reference. Someone had enough of their shit: https://themoscowtimes.com/news/infamous-st-petersburg-troll-farm-set-on-fire-63130
I think we should start with credibility. If it turns into geopolitics once we've established credibility then fine. But we haven't established credibility. There is one source and the source has been figuratively kicked in the face repeatedly over the last few days because they are silent on it and have put forward no sources. Even self-proclaimed sources said they got it wrong and extrapolated.
So probability and credibility before blame.
Interesting picture posted elsewhere...
One problem with the story seems to be that many people don't seem to understand what is actually possible. Even many people here, and that this was possible years ago now.
(https://i.imgur.com/9xaussj.jpg)
https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom
I dunno still sounds like "We heard from someone, somewhere, that something happened."
Yep. Shit or get off the pot.
I want to see evidence and analysis published.
It's possible but unlikely which is the thing. Look at the unit cost of that implant for the NSA. There's an Aspeed SoC on the server boards with an ARM core. Why the hell not just go for the firmware for that? Perhaps that is what happened and Bloomberg are just dumbasses (likely, as the reporting is terrible so far).
I'm not disagreeing with that, I'm just saying that people reach the right conclusion for the wrong reasons. They dismiss the possibility because they don't consider it technologically viable. We have fairly convincing proof similar technology exists and may very well have been deployed. It's just questionable whether that happened here.
There's just no logic in any of this.
It's worth noting that the NSA chip in bd's post is much, much larger than the "grain of rice" sized chip claimed in the Bloomberg article. Of course that published NSA chip data is several years old now - so no doubt similar tech could be smaller now - but "grain of rice sized"? Dunno.
You could argue about that. As you say, the information we have is dated at this point and the budget is ridiculous. But I too simply don't know.
And then we just come back to the point that even if it is possible, is that the smartest way to achieve the goal? Why such an easily detectable and traceable tactic? If you're China, why jeopardize the technology supply chain that is the keystone to your economic power?
If the technology is real, we still don't know whether it's actually China.
One problem with the story seems to be that many people don't seem to understand what is actually possible. Even many people here, and that this was possible years ago now.
I don’t think anyone has claimed the technology isn’t available. What is not credible is the many layers of corporate bureaucracy that would have to be penetrated to alter so many corporate divisions simultaneously. For crying out loud, change management is hard in the best of times. Infiltrating that so that you can change the schematic, the PCB, the testing jigs and test routines, and the validation processes back at the home office in USA for the production samples that are pulled for spot testing? That simply does not sound possible to pull off. Such changes are hard enough when they’re legitimate; doing them covertly just defies credibility.
All without saying this story actually checks out.
I don’t think anyone has claimed the technology isn’t available. What is not credible is the many layers of corporate bureaucracy that would have to be penetrated to alter so many corporate divisions simultaneously. For crying out loud, change management is hard in the best of times. Infiltrating that so that you can change the schematic, the PCB, the testing jigs and test routines, and the validation processes back at the home office in USA for the production samples that are pulled for spot testing? That simply does not sound possible to pull off. Such changes are hard enough when they’re legitimate; doing them covertly just defies credibility.
Many people seem incredulous for technological reasons, at least that's my impression. They may be right, but for the wrong reasons.
Thinking about it some more, there are actually some solid benefits to using a hardware implant rather than compromising the firmware or, say, a flash IC.
IMO I doubt the practicality of cramming that much processing power and RF frontend in a chip of that size.
It's conceivable that there's some exploit that requires a fairly minimal modification of the firmware binary, and that the location of that modification is easily recognized within the binary by its surroundings. As long as that specific area of the binary was not changed (which could be unlikely unless that specific area of the codebase was changed), then the malicious device could be capable of compromising any new firmware version, even if the targeted area appears somewhere else within the binary. Not unlike the infamous Ken Thompson hack (http://wiki.c2.com/?TheKenThompsonHack). Even pulling the flash from the board and dumping it externally wouldn't reveal anything amiss. You'd have to directly sniff the traffic between the embedded controller and the interloper to capture the change to the binary, and even then it's conceivable that the interloper has some sort of context awareness to help avoid detection (not unlike the VW firmware that could detect emissions testing).
Also, somewhat ironically, the fact that almost everyone here is saying that it makes so much more sense to compromise the firmware or one of the existing ICs on the board is something of an argument for NOT doing it either of those ways--after all, it's exactly what anyone would expect! It would be far sneakier to make a fake passive component that pwns the board because that's such a ridiculous idea that no one would ever bother to do that sort of thing, right? Just like no one would try to cram a network traffic siphon with a built-in RF transceiver inside of a network jack. . . .
I also think a lot of people are overestimating how easily an extra component or two would be detected. I mean, I sure as hell wouldn't notice an extra couple of passives on one of my boards between finished a design and receiving the assembled thing, and my boards aren't nearly as complex as a server motherboard. Plus you would have teams of people working on those things, and no one person is going to know the entire board like the back of their hand. They're only going to start comparing the finished board to the assembly drawings if something doesn't work, and even then the discrepancy won't be caught if that work is happening at the contractor that installed the malicious parts in the first place. It all depends on how much of the work Super Micro is farming out, but I imagine that they have their design process down to such a science that it's very rare they have to do component-level debugging.
Of course without more information it's impossible to tell if these benefits likely outweighed the difficulty of implementing the exploit in the way that Bloomberg describes, but still, it's all plausible through a certain lens, which is what makes it so intriguing.
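An added illustration of the version-independent patching described in the post above, not code from anyone in this thread: a small Python simulation of an interposer on the SPI bus that waits for a fixed byte pattern (with wildcards) to pass and then rewrites the byte that follows it, so the same implant works on two "firmware versions" in which the routine sits at different offsets. The firmware images, the signature, the patch and the addresses are all constructed for illustration. It also shows the check that does catch this: read the image back through the board's own controller and diff it against an out-of-circuit dump, rather than trusting either dump alone.

```python
"""Simulated SPI interposer that patches firmware in flight by byte signature,
and the check that catches it. Constructed example: firmware contents,
signature, patch and addresses are all invented for illustration."""
import hashlib


def parse_signature(sig: str) -> list:
    """'0F 01 ?? 85 C0' -> [0x0F, 0x01, None, 0x85, 0xC0]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def matches(window, pattern) -> bool:
    return len(window) == len(pattern) and all(
        p is None or window[k] == p for k, p in enumerate(pattern))


def find_signature(image: bytes, pattern: list) -> int:
    """Offset of the first match of `pattern` in a static image, or -1."""
    n = len(pattern)
    for i in range(len(image) - n + 1):
        if matches(image[i:i + n], pattern):
            return i
    return -1


class Interposer:
    """Sits between the SPI flash and the controller. It watches the bytes the
    controller reads; once `pattern` has gone past, it substitutes `patch` for
    the bytes `gap` positions after the end of the match. It never needs the
    absolute offset of the target routine, so a firmware update that shifts
    code around does not defeat it as long as the surroundings are unchanged."""

    def __init__(self, pattern, gap, patch):
        self.pattern, self.gap, self.patch = pattern, gap, patch
        self.window = bytearray()    # last len(pattern) bytes that went past
        self.substitutions = {}      # absolute address -> byte to return instead

    def _observe(self, addr, real_byte):
        self.window.append(real_byte)
        if len(self.window) > len(self.pattern):
            del self.window[0]
        if matches(self.window, self.pattern):
            base = addr + 1 + self.gap
            for k, b in enumerate(self.patch):
                self.substitutions[base + k] = b

    def read(self, flash: bytes, addr: int, length: int) -> bytes:
        """What the controller sees for a sequential read of `length` bytes at `addr`."""
        out = bytearray()
        for a in range(addr, addr + length):
            self._observe(a, flash[a])
            out.append(self.substitutions.get(a, flash[a]))
        return bytes(out)


def controller_view(flash: bytes, interposer: Interposer, chunk: int = 64) -> bytes:
    """The image as the controller sees it when it streams the flash in
    sequential chunks, as a boot ROM does."""
    return b"".join(interposer.read(flash, a, min(chunk, len(flash) - a))
                    for a in range(0, len(flash), chunk))


# Constructed 'verification routine': a stable 5-byte prefix followed by a
# conditional jump (0x74, JE) that the patch turns into an unconditional one (0xEB).
ROUTINE = bytes.fromhex("0f01c385c0740590")


def build_firmware(prefix_len: int, seed: int) -> bytes:
    """Two 'versions' differ only in how much filler precedes ROUTINE, so the
    routine lands at a different absolute offset in each."""
    filler = bytes((seed + 7 * i) & 0xFF for i in range(prefix_len))
    return filler + ROUTINE + bytes(range(64))


def diff_offsets(external_dump: bytes, controller_image: bytes) -> list:
    """The detection step: offsets where the image read back through the board's
    own controller disagrees with a dump taken with the flash out of circuit.
    Hashing either dump alone against a vendor value would pass."""
    return [i for i, (x, y) in enumerate(zip(external_dump, controller_image)) if x != y]


def fingerprint(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    pattern = parse_signature("0F 01 ?? 85 C0")
    for version, fw in (("v1", build_firmware(100, 3)), ("v2", build_firmware(237, 90))):
        seen = controller_view(fw, Interposer(pattern, gap=0, patch=b"\xeb"))
        print(version, "routine at", find_signature(fw, pattern),
              "patched offsets", diff_offsets(fw, seen),
              "hashes differ:", fingerprint(fw) != fingerprint(seen))
```

The point of `diff_offsets` is that neither dump is wrong on its own: the out-of-circuit clip read is exactly what the vendor shipped, and the in-circuit read is exactly what the controller executes. Only the comparison between the two exposes an interloper on the bus, which is why a firmware integrity check that only hashes one of them proves nothing here.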
But as I said, testing and verification doesn’t stop there. Do you think the client (such as SuperMicro) of a contract manufacturer doesn’t look at production samples taken periodically? Do you think they don’t regularly visit their contract manufacturers’ facilities, especially during ramp-up of a new product?
I don’t think anyone has claimed the technology isn’t available. What is not credible is the many layers of corporate bureaucracy that would have to be penetrated to alter so many corporate divisions simultaneously. For crying out loud, change management is hard in the best of times. Infiltrating that so that you can change the schematic, the PCB, the testing jigs and test routines, and the validation processes back at the home office in USA for the production samples that are pulled for spot testing? That simply does not sound possible to pull off. Such changes are hard enough when they’re legitimate; doing them covertly just defies credibility.
The article claims that this happened on boards that SuperMicro contract out, so that means you only have to compromise that narrow bottleneck where the two companies communicate. Say you compromise Super Micro's account manager at the subcontractor: He passes you SuperMicro's design package, you tweak it, and send it back, and he passes it on to engineering for validation, DFM review, and eventual production as if it came directly from his customer--and in fact, he very likely has an email from his contact at Super Micro saying "sorry, that design package wasn't the latest revision, please use this new one instead", because surely anyone who would commission such an exploit knows how to spoof emails. Easy peasy. In fact, since this purportedly happened at subcontractors to subcontractors, you have a further level of insulation, and excuse for delays in communication and misunderstandings that give you some leeway to operate.
"Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That's the problem with the Chinese supply chain,” he said."
Bingo
The sources aren't as obscured as they hoped.
https://risky.biz/RB517_feature/
That interview certainly makes it sound like the journalist who interviewed him was just looking for anything to make a sensational story. :-//
Standard practice for journalists, you mean? There are people out there that try to write solid stories, but it's practically impossible to shield yourself from the pressure of having to sell and of dwindling numbers.
To be fair to some journalists, and to some journals, there are journalists who will steadfastly refuse pressure to do anything but a proper job, and there are journals that work hard to create and keep a culture that resists the kind of pressures that you're describing. Although I'll grant that in many places ethics are noted more in the breach than the observance thereof, they do still exist in some places and people thankfully.
Absolutely. There are a lot of people who write with a passion and many initiatives to encourage good journalism have sprung up. Unfortunately, many pay the price and nobody seems isolated from the realities of the market. Too few people seem to realise a properly functioning society hinges upon quality journalism, even if the latter is democratised by social media.
I still say it's an RFID tag (UHF with slot antenna) for production and product tracking. No more, no less.
Bloomberg is completely out on a limb here.
The security of the Supermicro boards is really bad, like buffer overflow in the web interface of the boards, which allows to get root access, and storing the administrator password in plaintext. So it wouldn't make sense to implant a chip to do things you can do with a webbrowser without the chip. Details here:
https://arstechnica.com/information-technology/2018/10/supermicro-boards-were-so-bug-ridden-why-would-hackers-ever-need-implants/
The security of the Supermicro boards is really bad, like buffer overflow in the web interface of the boards, which allows to get root access, and storing the administrator password in plaintext. So it wouldn't make sense to implant a chip to do things you can do with a webbrowser without the chip. Details here:
Yep. As the guy at the end of the article says: yes, it’s technically possible. But it’s not plausible.
why do only some boards have it then, and why was it not immediately elaborated on by the project manager?
If they use an inventory system in their company using RF then it would be widely known in the company.. did this company not take a financial hit immediately? where is the PR?
response to a serious international scandal accusation takes more than a week? seriously?
that could be solved with 10 seconds on a telephone.
i call bullshit. and wired to a SPI line? come on. Companies' stock prices dropping drastically, fucking senators demanding inquiries and someone's gonna try to chalk it up to an inventory control system that took a week to explain?
seriously??
"shenanigans..."
*Yaaawwwwnnnn*
Same old tautology... "There's nothing to see here, because I said there's nothing to see here."
欲加之罪,何患无辞。 (If you want to accuse someone, you will never lack a pretext.)
One can always trump up a charge against somebody. Give a dog a bad name, then hang him.
Sorry, I can't reply to you at the moment.
I heard a noise outside, and I'm investigating.
I can't go too far (or I'll fall off the edge of the flat Earth), or be eaten by BigFoot, who is an Alien from another time-zone. I can't injure him, because they will come back as a Ghost, and haunt me.
Also, it is NOT politically correct for me to criticize, BigFoot, because they are a minority.
Yes, your argument is precisely THAT infantile. Glad you understand this; now perhaps you could actually come up with something that demonstrates actual independent thought rather than simply parroting the same old "Fake news" mantra over and over again and attempting to marginalize those who actually bother to think.
It is that logic which allows all evil in the world to go first uninvestigated, then undiscussed, then allowed to prosper.
mnem
"All that is required for evil to flourish is that good men do nothing."
I already answered this; my point is, and always has been, that there is something here... maybe not exactly what was first presented, but clearly something.
Can you just shoot him? You’ve done it before :-DD (I joke but...)
[...] a white trash racist, rapist, misogynist, pathological liar career deadbeat sociopathic felon to squat in the White House and there's jack shit We The People can do about it [...]
Get over it, that's how democracy works *********************** >:D We The People are the ones who put him there.
(And don't do like bd139 says)
We’re certainly not dismissing it but at the moment it looks improbable until evidence suggests otherwise.
Answering every what if without evidence isn’t productive which is the problem. File it in the “keep an ear open for more info” drawer.
No, We the People did NOT. He was installed in the White House against the will of the American People by a cabal of ultra-wealthy.................
.........
1) Chinese manufacturers pwn!!! our supply chain. To them, altering hardware in a malicious manner is no harder, probably easier, actually, than hacking someone else's code... and much easier to keep the machine itself and those operating it from discovering the mod in normal operation, where FW and SW are CONSTANTLY being reviewed and scrutinized and upgraded.
That is why I believe (and I don't think I'm alone) that evidence-based, scientific/mathematical methods are important.
Rather than just simply believing whatever floats randomly into people's heads, and whatever they "feel" is the reality, completely ignoring the facts, science, logic and sometimes even the truth.
You may have noticed, from some of my previous posts, that I am NOT 100% entirely happy with Trump. (Possibly a TINY understatement, here).
But I have encountered real-life people who support him.
So unless there is rigorous proof that his election is a fraud, e.g. Russian fiddling, he was at least genuinely and fairly elected to be the president.
Anyway, we are straying badly off-topic, and turning this into a political (anti-Trump) thread.
We should be discussing the possible hardware hacked servers here, and NOT Trump.
Otherwise the thread could get locked, as has many others, before this one.
......................childish unwillingness to admit this still bears further investigation.
Indeed. On numerous occasions I have considered digging myself a nuclear bunker and hiding in it. There is some pretty scary shit out there in the wild.
This rant always sticks with me: https://www.stilldrinking.org/programming-sucks (https://www.stilldrinking.org/programming-sucks)
To back up my initial point, the internet is literally hanging by a thread most days. It’s lucky it even works. One router or BGP hijack away from end game. I’ve seen a company lose two days trade due to a router being fucked two hops away.
yet you conveniently ignore the bulk of my post to make the
You say "Lets not talk about what hasn't been proven yet. It doesn't make any sense to waste time on it."
I say "Let's talk about it until it DOES make sense, no matter how ridiculous that conversation may seem. You never know where understanding may come from."
There is nothing to see at the moment. Extraordinary claims require at least some evidence. It’s all words and farts.
I agree, everything is just too vague.
Windows however, and I’m quoting here “hammers the fucking shit out of the firewall even though we turn all the switches off”.
From incidents suffered by customers, you would be surprised at how often an asshole will use the browser on an extremely critical server (such as a NAS management controller) for that quick check of the news or the latest joke. With the additional problem that it's almost as unpatchable a machine as the typical industrial control system and, due to its very nature, it's extremely rare to even use AV software (not that it's a silver bullet!). The consequences are left as an exercise for the reader...
I think we’re prioritising risk vectors incorrectly here.
Personally I’m more worried about the nasty American monopoliser’s vampiric tendency and addiction to telemetry and activation data. Imagine the GDPR hell if some of that data contains PII one day due to a bug like the .Net core CLR telemetry logger logging command lines fully...
Let's see if GDPR really applies, the latest Facebook crap will be a good test ;)
Very easy. That would force Bloomberg to reveal their sources or pay up. This could be quite a scandal ultimately resulting in Bloomberg being accused of market manipulation.
As Bloomberg is not that stupid to pull this kind of stunt.
What interesting now is to see if companies like Supermicro will take legal action, ... or maybe not at all, which is expected too. >:D
The whole news story is a hoax/fake news in my opinion.
That was kind of my point. That ASPEED chip is in a convenient location for processing power (ARM9 core), access to system RAM (over PCIe) and access to the outside world (through ILO Ethernet or through injecting malware into host RAM). It is possible that there might be a hack chip, but the hack chip won't work on its own; instead it is located on a production test pin of the ASPEED chip, injecting code into that chip on the fly. The hack chip is literally nothing more than a microcontroller with a firmware implementing the ASPEED production test protocol and a lot of Flash space for the ARM9 payload.
If China wants to spy on servers/computers/laptops/tablets/mobile phones, they could just put the required software hidden inside the firmware of the respective devices, for instance inside the IC managing the ethernet/mobile/wifi communication.
It beats me why someone would imagine China to solder a monitoring IC into an existing motherboard, when it could simply do it by software.
And no, doing it by software, changing the firmware and eventually even signing it again, is certainly not more difficult than:
- developing a custom IC that is miniature for what it has to do in terms of processing power
- finding a way to connect it to the correct data lines
- finding a way to communicate with the outside world
Sorry, that simply doesn't make any sense!
Regards,
Vitor
Just because this particular flavor of industrial espionage hasn't been proven here doesn't make it NOT valid discussion. You're NOT doing anybody a service by demanding that just because it hasn't been proven here by what we can see that it is not true.
Blah blah blah… again, nobody here has said it's impossible. We are saying it's improbable and implausible, because a) it doesn't make sense to take this approach, and b) there's no evidence that it happened as described.
"Absence of proof is NOT proof of absence." There - scientific method. Prove it HASN'T happened. You can't, just like I can't prove it HAS happened.
Stop telling us that it isn't so, when you don't KNOW it isn't so. You BELIEVE it is not so, based on your very narrow view of the scientific method. But THAT is just as much YOUR opinion (as is your opinion of how to apply scientific method) as it is MY opinion (and that of anyone with a reasonably healthy level of cynicism) that if it isn't already happening, it will be happening tomorrow, or the next day.
It is not only probable, it is inevitable, and sooner rather than later. All you have to do is pay attention to human nature and history to know this.
THAT is where YOUR view of the scientific method differs from mine: You use it as an excuse to view the world with blinders on, while I use it to fuel my curiosity.
You say "Lets not talk about what hasn't been proven yet. It doesn't make any sense to waste time on it."
I say "Let's talk about it until it DOES make sense, no matter how ridiculous that conversation may seem. You never know where understanding may come from."
mnem
Most people, on seeing something that doesn't make sense, will pause with a dark expression on their face; be instead the person whose face brightens at the prospect.
Again, it would seem much simpler to just change the firmware or, heck, replace the whole chip they target with a hacked one.
To me, a much bigger piece of evidence (or rather, absence of evidence!) is that the supposedly affected companies haven't detected any suspicious traffic. Regardless of what method you use to compromise a server board, it has to be able to communicate its findings (or receive instructions) with the outside. And since such a covert chip couldn't possibly send and receive radio transmissions (through layers of metal enclosures and racks and cages) any useful distance at any useful speed, it means the data would have to flow through the NIC, and that's being monitored. Companies now routinely monitor traffic precisely to guard against attacks, so it's not as though one can just quickly send a few hundred packets unnoticed.
..., so it's not as though one can just quickly send a few hundred packets unnoticed.
I remember an example at a partner company to where I worked where data was transmitted by issuing DNS queries from a compromised system using the DNS infrastructure as a very slow semaphore.
And your conspiracy theorist tone of "you have blinders on, while I'm awoke!" doesn't make you seem more enlightened, it makes you seem like, well, a classic conspiracy theorist, complete with the "I want to believe!" poster on the wall that you stole from Mulder's office.
That's easy. You have private DNS, your DNS doesn't forward past the local DNS resolver and you log the NXDOMAIN responses.
You can also log DNS activity and check for unusual activity. Like:
All your users go via authenticated proxy (squid) or aren't on the public internet.
You can run the same in AWS. Your instances don't have to be internet facing. Just don't have an NGW on your VPC and VPN yourself into it with a VPN GW.
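An added example, not from anyone in this thread, of what "log the NXDOMAIN responses and check for unusual activity" looks like in practice against the DNS semaphore channel described a few posts up: a Python scorer run over constructed resolver log lines (the line format, the client addresses and the domains are invented) that flags a client by its NXDOMAIN ratio, by over-long or high-entropy leftmost labels, and by the number of distinct names it asks for under one base domain.

```python
"""Scorer for DNS covert-channel activity, run over constructed resolver logs.
Added example; the log format ('<epoch> <client> <qname> <rcode>'), the
clients and the domains are invented for illustration."""
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character: 'aaaa' scores 0.0, a 32-character label made of
    32 distinct characters scores 5.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    ts, client, qname, rcode = line.split()
    return float(ts), client, qname.rstrip(".").lower(), rcode


def base_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (simplification;
    a real deployment would consult the Public Suffix List)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_clients(lines, *, min_queries=10, nx_ratio=0.5, max_label=30,
                  min_entropy=3.5, min_unique=8) -> dict:
    """Aggregate per source address and return {client: [reasons]} for the
    clients whose lookups look like a data channel rather than name resolution."""
    stats = defaultdict(lambda: {"n": 0, "nx": 0, "long": 0, "entropic": 0,
                                 "names": defaultdict(set)})
    for line in lines:
        _, client, qname, rcode = parse_line(line)
        st = stats[client]
        first = qname.split(".")[0]          # in a tunnel the leftmost label carries the payload
        st["n"] += 1
        st["nx"] += int(rcode == "NXDOMAIN")
        st["long"] += int(len(first) > max_label)
        st["entropic"] += int(shannon_entropy(first) >= min_entropy)
        st["names"][base_domain(qname)].add(qname)

    findings = {}
    for client, st in stats.items():
        if st["n"] < min_queries:
            continue                           # too little data to judge
        reasons = []
        ratio = st["nx"] / st["n"]
        if ratio >= nx_ratio:
            reasons.append(f"NXDOMAIN ratio {ratio:.2f} over {st['n']} queries")
        if st["long"]:
            reasons.append(f"{st['long']} leftmost labels longer than {max_label} chars")
        if st["entropic"]:
            reasons.append(f"{st['entropic']} leftmost labels with entropy >= {min_entropy} bits")
        domain, names = max(st["names"].items(), key=lambda kv: len(kv[1]))
        if len(names) >= min_unique:
            reasons.append(f"{len(names)} distinct names under {domain}")
        if reasons:
            findings[client] = reasons
    return findings


# Constructed sample: one ordinary client, one client leaking data one label at a time.
BASE32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_LOG = [f"{1700000000 + i} 10.0.0.5 {name}.example.org NOERROR"
              for i, name in enumerate(["www", "mail", "cdn", "api"] * 3)]
SAMPLE_LOG += [f"{1700000100 + i} 10.0.0.9 {BASE32[i:] + BASE32[:i]}.{i}.c2.example NXDOMAIN"
               for i in range(12)]


def demo() -> dict:
    return score_clients(SAMPLE_LOG)


if __name__ == "__main__":
    for client, reasons in demo().items():
        print(client)
        for r in reasons:
            print("   ", r)
```

The thresholds are starting points, not truths: CDNs, anti-spam DNSBL lookups and some telemetry produce long, high-entropy names legitimately, so each rule is worth a baseline against the environment's normal lookups before it pages anyone. The logging itself is the part that matters; once every query from every host lands in one place, this kind of per-client aggregation is cheap.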
These kind of chips are known in the console world as "mod chips". They will inject the appropriate data to surpass the protection mechanism.
This is a lot simpler if the attacker can fab chips. An example attack:
Still, they do require a lot of computing power to "just" swap a few bits...
I could not imagine a chip as small as the one presented in the news to have enought CPU power and memory to do a useful hack based on as litte as 6(?) pins.
Also, I don't understand how they could implement that chip without having to solder any wires... It would be a miracle to have a point on the board that had the right traces on one spot where you could solder the IC.
Again, it would seem much simpler to just change the firmware or, heck, replace the whole chip they target with a hacked one.
Regards,
Vitor
An article taking a rather more down-to-earth look at the Bloomberg motherboard hacking claim from the ElectronicDesign site...
https://www.electronicdesign.com/embedded-revolution/how-hack-server-motherboard (https://www.electronicdesign.com/embedded-revolution/how-hack-server-motherboard)
There have been more details revealed lately and it appears that the motherboard circuit board did not have to be modified. Likewise, the additional chip may simply be a standard serial memory chip that was added to a location designed for the chip and left unpopulated. This is a common design approach to provide more options. For example, a TPM security chip is often an option for a server motherboard. The chip is simply left out if the motherboard will not provide that option.
...
The hack was supposedly caught, not by observing the changes to the motherboard, but by network traffic that was abnormal. A more sophisticated implementation might delay compromised communication until much later making it much harder to detect.
You did not understand my comment. You’re going off on another condescending cuckoo conspiracy theorist “I’m more aware than you!” rant/sermon, and about evil and your idea of “scientific method” and whatnot, and meanwhile you don’t even realize what I did (and didn’t) say.
"Blah, blah, blah..." you said it yourself.
Who is more the fool? The one who considers conspiracy theories and attempts to find the grain of truth behind them, or the one who cavalierly dismisses real evil, corruption and conspiracy going on all around that is so blatant it is happening right out in the open for all to see?
Calling willful ignorance "the scientific method" is just another lie, only it's the lie you tell yourself to have an excuse for that ignorance.
True "scientific method" investigates, records, and DOES NOT PRESUME ANYTHING.
It certainly does not assume that because we haven't proven a thing yet, it isn't so. It is in fact the polar OPPOSITE of that assumption.
mnem
Follow. The. Money.
No, I fully understood your comment. I called you out on it. You're the one who resorted to name calling, belittling and personal attacks; I'm just refusing to let you slide on a lie. Call it what you like, but it's still a lie.
No need to reply, I’ve added you to my ignore list. I don’t need the temptation of getting into arguments with conspiracy nuts.
So the tiny filter package thing may have been completely wrong, which threw a lot of people off.
We have open firmware. It is called OpenFirmware/OpenBoot.
Unfortunately most of our infrastructure is built on a house of cards from the late 1970s with hack after hack piled on top of it (x86). This mandates a pile of drunken arse shite to get the hardware aligned with reality so the OS doesn’t vomit when it finally gets to take over from the masturbating monkey in charge of the show.
Really need to bin x86 and start again.
POWER, SPARC, ARM. Anything but x86.
Indeed. As we don't depend on Windows at all it wouldn't be a problem for us. Any tier-1 Linux/FreeBSD capable platform and we would feel right at home. We still have some 20 year old SPARC machines working, even!
Everyone has a price and IT industry has Stockholm syndrome.
Yep, we have repeated the Windows mistake in hardware. And from all the choices the crappiest won.
We have virtually zero hardware diversity in professional computing. This is a massive risk. Heterogeny was the stupidest thing the IT industry ever did.
A lie? I said “it’s not impossible, it’s improbable and implausible”, which is what almost everyone is saying.
That you think that’s a lie (not to mention don’t understand that it does allow for the possibility of the purported exploit being true) only reinforces my opinion that you’re a conceited conspiracy theorist nut job.
I think he means 'lie' in the sense of self-deception, not in the sense of dishonesty.
And please, lighten up on the insulting tone; it's uncalled for and unseemly. I count both of you as two of the generally saner and more considered voices on here, most of the time.
Don't make me dust off my collection of gnome/chocolate/cuckoo-clock jokes. :)
Dude. Go back and read the thread. You are accusing me of saying things I DID NOT SAY. I think you didn’t realize, in the heat of responding, that I’m not the person who said anything about scientific method or anything!! Next to each post is the username; please go find the posts you responded to regarding scientific method. You’ll find they’re not from me.
The lie is the one you tell yourself about "scientific method" and assuming that because we haven't proven a thing, it isn't so. Go work with some people who ACTUALLY DO SCIENCE for a living; I have. They'll tell you the same thing I just told you; true scientific method is the polar opposite of assuming ANYTHING.
But hey, feel free to call me names, disparage my intellect, whatever helps you sleep at night. It's obvious you have little more to offer than insult.
Cheers,
mnem
*not before I finish my coffee*
So stop painting me as an anti-science nut and condescendingly trying to explain the scientific method to me.
...But you DID step into our charlie-foxtrot without warning in support of his POV, ...
This joke continued from another topic/thread...
Maxim 54. The best way to win a one-on-one fight is to be the third to arrive.
that was MK14
YOU are the only one here painting anyone as any kind of nut. Period. Any "nuttiness" you're feeling is either projection or your own creation.
*Goes back and rereads*
A'aight... you didn't say the stuff about "scientific method"; that was MK14. But you DID step into our charlie-foxtrot without warning in support of his POV, and you were willfully personally insulting, while I tried very hard to stick to the philosophical points and keep personal attack out of it.
Sorry, but you earned your inclusion in that response.
Cheers,
mnem
*Lunch-ify*
Oh, FFS... it's like trying to talk philosophy with a rooster. :palm:
Actually, maybe you have a point with all the conspiracy theories.
I've been arguing with you the last 2 pages of posts, and I haven't even needed to post anything in this thread, to accomplish it. :-DD
Also, all these secret, special handshaking messages, with cryptic words/comics/pictures. There seems to be some kind of conversation going on, but my lack of knowledge/interest, in the right circles, means I largely don't understand what you are talking about.
I will assume that you have noticed that the forum server has been hacked by secret Chinese hackers. Hell bent on stopping Dave's EEVblog, from stopping the modern advancing Chinese army of Electronics Experts, from taking over the world.
Hence the secret/hidden messages, and handshakes.
Here's mine: https://imgs.xkcd.com/comics/footprints_2x.png
1. I’m not “painting” you as a nut. You’re doing a jolly good job of that yourself. Your many comments on this thread read like the crazy ramblings on the back (and front, and sides) of a Dr. Bronner’s bottle.
2. This is a public forum. I don’t need your permission (or “prior warning”) to reply to a discussion, never mind one I joined long before. Not that I feel any obligation to receive education on how to work the internet from someone who can’t even follow how a web forum works, and replies to people based on things they did not say.
3. You STILL did not understand my original reply. If you are seeing it as purely support for Mk14’s POV, then you haven’t understood it. My comment neither refuted nor confirmed either side: it simply explained that the Bloomberg story isn’t plausible. I didn’t say it’s impossible, and I didn’t say we should stop studying it!
4. Learn. To. Read. Carefully. You are repeatedly responding to arguments that are simply not there. You cannot interpolate things and then respond to your own interpolations. Just respond to what’s actually there.
5. Oh, you think you haven’t been employing personal attacks? You’ve been using them since long before my first reply to you. That you used them so liberally is why I have not held back with you. You forfeited the right to complain about name calling long ago.
So now argument in favor of Bloomberg's story comes down to "There must be something out there, I just know it!" conspiracy theories and comic strips. :-DD
I agree though there should be an investigation. An investigation into how and why Bloomberg perpetrated a huge fraud on the public. Was it investor fraud? Journalistic overreach in pursuit of "scoop of the year"? Getting a fat bonus for moving markets? Got played by some political operatives? It's worth finding out.
In the US the press get carte blanche to print whatever lies they like, you know, "Elvis found on the Moon" etc. No one cares about tabloid stories, but Bloomberg really abuse their position and sully the reputation of serious news outlets with unfounded stories. I guess if every one else is publishing fake news, why shouldn't we...
Even the FBI, who have a policy of never confirming or denying, effectively said "the story is bunk". The NSA guy says we never heard anything about it, some of the sources Bloomberg used have said they were misquoted.
SORRY!
I seem to have not explained myself very well.
The entire post, I made, which you are referring to.
Was, and is meant to be a complete JOKE.
Unfortunately, I have messed up, and not made it clear enough.
That is why I put the :-DD :-DD :-DD in it. (Although, there was only one, and it was only pointing to the first bit, not the entire post).
My fault, I should have realized that it could be misunderstood, that it was HUMOR.
EDIT:
On re-reading my post, just before this one. I can see and understand, why it can be misunderstood. I have put in big warnings, to hopefully avoid such misunderstandings in the future.
How could an organisation as big as Bloomberg be stupid enough to publish without something as basic as a photo of the alleged "implant"?
If you look at Bloomberg's history, there is every reason to believe this story is the result of serious journalism. They have a well-earned rep for eschewing tabloid content.
So for the sake of argument, lets say that Bloomberg really has these sources, that they really brought something shocking (real or not) to their attention, and that Bloomberg did in fact commit due diligence in the preparation of this article. They have everything to lose and little to gain by changing to tabloid format this late in the game; the market is already saturated with both tabloid journalism and real evil aplenty.
The questions that come to my mind are... was it a simple "comedy of errors" type chain of misinterpreted data? Was it the result of someone or several someones deliberately misleading them to create the story? Or, and admittedly confidence is not high on this one, but it must be considered, what if the story was all or in part 100% factual and has been successfully whitewashed by one business, government or external faction or another?
My opinion is that it is most likely it is a blend of two or more of the above... and probably a sprinkling of X-Files type joojoo just for flavor. ;)
I think they discovered SOMETHING. I also think that something was damaging to one or more of the enterprise players involved, or that possibly it came very close to something deemed by TPTB to be too close to something REALLY damaging, and that possibly there was some government pressure at play. POSSIBLY.
How the whole story... not just the article, but the story of the story... has unfolded over the last couple weeks just reeks of exactly that kind of ham-fisted circle-jerk media manipulation.
That's all I've got; because that's the only answer that satisfies all the questions I have. It's not much, and yeah, it's pretty conspiracy theory... but the alternative theory that Bloomberg deliberately concocted this whole thing knowing that it would likely destroy them... is actually far more "out there" than any of those theories.
But hey, all I've got to go on is a hunch; based on the fact I've lived long enough and paid attention to have seen just this kind of skullduggery happen over and over and over again.
mnem
Hmmmm... discussion. Yummmm.
Maybe my cynicism has reached critical mass, I dunno.
I was a part of this discussion long before you two started going at it. It’s a public forum, it didn’t magically become “your” discussion.
I have enough trouble dealing with the offenses I'm guilty of, and those I've already admitted to and tried to be fair. I refuse to be held responsible for the ones you've imagined. What you're saying amounts to this:
"I didn't shove the stick in the hornets nest, that was another guy. I was just passing by and tripped over it a little. Those hornets have no right to be pissed off at me!"
You led out of the gate calling me names and speaking in a belittling manner, and you did so while interjecting into a mostly polite disagreement between two other people.
Not only that, but you continue to do so, all the while blaming me for your belittling tone. Get over yourself, man.
I don’t think you realize how patronizing your tone was long before I addressed you. As far as I’m concerned, you earned that tone and then some. Even more so after you proved that you weren’t even aware of who you were responding to.
You earned that response; suck it up buttercup. <~~~ See that right there? THAT was me being deliberately offensive, because you pissed me off.
Ah yes, “suck it up, buttercup”: the rallying cry of the conservative right when it’s decided “I’m not going to attempt to be polite any more, and with this magic incantation, I can gaslight the recipient into thinking that they’re being oversensitive, rather than acknowledge that I’m wrong.”
You wouldn’t apologize even if you realized you were wrong.
And I'm NOT going to apologize for it, because you earned that one too. ;)
It is in fact a worse kind of ignorance; the willful kind that permits a white trash racist, rapist, misogynist, pathological liar career deadbeat sociopathic felon to squat in the White House and there's jack shit We The People can do about it.
I'm sorry if I seem too hostile, when people start mentioning (conspiracy ..) stuff. Some of which, might be right.
But, a silly (conspiracy ..) theory, can be created, in some 60 seconds, while not thinking straight, but it might take experts, many hours, days, weeks or even longer to robustly disprove those theories.
Which are likely to either be ignored or disbelieved by the creator(s) of the (conspiracy ..) theories.
Or they will just carry on, and 60 seconds later, produce even more (conspiracy ..) stuff.
MK14 saying about this:
"Conspiracy theories are like foolish people, who spend seconds starting crazy fires, which take firefighters, days to put out"
(SNIP Lots and lots of reiterations of the same exact shit over and over again-mnem)
Quote from: mnementh
And I'm NOT going to apologize for it, because you earned that one too. ;)
You wouldn’t apologize even if you realized you were wrong.
Of course you’re so convinced that you know the truth and that everyone else is sheeple that you’ll never realize when you’re wrong.
mnem
Wait for it... wait for it...
A video on Computerphile. Nothing new, but the interesting idea that such a chip could be hidden inside the PCB itself between the layers. This would be really difficult to detect, if you don't x-ray the PCBs and carefully examine and compare the images.
The world around us is full of real conspiracy. Every day we find real evidence of some business, celebrity, or politician (usually more than one) involved in some heinous act and trying to cover it up. It is far more dangerous in this age to think that just because something sounds like a conspiracy theory that it is nuttery than that there is some grain of truth to it. You do so at your own peril.
The question then becomes "just how assache are you willing to put into a specific theory". That of course is always a case by case basis; both the person and the theory involved. I try to give a LITTLE more latitude; but then, I enjoy the occasional mental exercise. And that, BTW, is why I came into this thread specifically devoted to a conspiracy theory. Again... This is THE PLACE for this kind of discussion. Why would you come in here and NOT expect people to want to discuss conspiracy theories?
Oh, BTW... (Raises hand) REAL firefighter here. (Retired) You wanna have a side conversation about Draeger Pacs and BLEVEs? I'm your guy. :-+
Analogy on why conspiracy theories produce way too much noise, and too little signal, to regularly take notice of them:
:-+ :-+ You hit the nail on the head: signal to noise ratio. Love your analogy!
[snip]
So my default behavior, is to treat most conspiracy theories, as if they are FALSE, until there is sufficient evidence, to give them some merit.
Why bother putting something in between the flash and BMC? Just make your own flash chip instead. Designing the tiny interceptor and hiding it in the PCB is harder than just putting it directly in the flash IC.
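On the point that a modified flash part is simpler than a separate interposer: the cheap defender-side check is to dump the BMC flash with an external programmer and diff it against the vendor's image. The following is an added example, not code from this thread or from any vendor. It locates the differing byte ranges (sector-aligned first, then exact) and checks the reference image against a published hash before trusting it. The images, the hash, the 4 KiB sector size and the 16-byte patch are all constructed for the example. Its limit is that it only verifies what the part returns to the reader, so the dump must come from a programmer clipped onto the part, not from the host the part lives in.

```python
"""Added example (not from the thread): compare a dumped BMC flash image
with a known-good image, block by block, and report where they differ.
Images, hash and sector size below are constructed for the example."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, to compare with a vendor-published hash."""
    return hashlib.sha256(data).hexdigest()


def _append(ranges, offset, length):
    """Append a (offset, length) range, merging with the previous one if contiguous."""
    if ranges and ranges[-1][0] + ranges[-1][1] == offset:
        ranges[-1] = (ranges[-1][0], ranges[-1][1] + length)
    else:
        ranges.append((offset, length))


def diff_regions(golden: bytes, dumped: bytes, block: int = 4096):
    """Return a list of (offset, length) byte ranges where the images differ.

    Differences are first located at block granularity (SPI flash erases in
    4 KiB sectors, so a modification normally touches whole sectors) and
    then narrowed to the exact differing bytes inside each block. A length
    mismatch is reported as one trailing range.
    """
    ranges = []
    n = min(len(golden), len(dumped))
    for off in range(0, n, block):
        g = golden[off:off + block]
        d = dumped[off:off + block]
        if g == d:
            continue                      # identical sector, skip quickly
        start = None
        limit = min(len(g), len(d))
        for i in range(limit):
            if g[i] != d[i]:
                if start is None:
                    start = i             # opening a differing run
            elif start is not None:
                _append(ranges, off + start, i - start)
                start = None
        if start is not None:             # run reaches the end of the block
            _append(ranges, off + start, limit - start)
    if len(golden) != len(dumped):
        _append(ranges, n, abs(len(golden) - len(dumped)))
    return ranges


def verify_dump(golden: bytes, dumped: bytes, expected_sha256: str) -> dict:
    """Verdict: the golden image must match its published hash, and the dump
    must match the golden image byte for byte."""
    if sha256_hex(golden) != expected_sha256:
        return {"ok": False, "reason": "golden image does not match published hash"}
    regions = diff_regions(golden, dumped)
    if regions:
        return {"ok": False, "reason": "dump differs from golden image",
                "regions": regions}
    return {"ok": True, "reason": "dump matches golden image"}


# Constructed 64 KiB "firmware" and a dump with a 16-byte patch in sector 3.
GOLDEN = bytes((i * 31 + 7) & 0xFF for i in range(64 * 1024))
_patched = bytearray(GOLDEN)
_patched[3 * 4096 + 100:3 * 4096 + 116] = b"\x90" * 16
PATCHED = bytes(_patched)

if __name__ == "__main__":
    print(verify_dump(GOLDEN, PATCHED, sha256_hex(GOLDEN)))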
Thanks!
EDIT:
It is difficult putting a message here, because it will be read by everyone.
But, people who strongly believe in many/all conspiracy theories, (in my experience) tend to also be people, who extremely (impossibly) stubbornly, won't listen to logical/scientific/sensible/evidence. How ever long you patiently spend, trying to explain it to them.
So, don't get annoyed with them. I find they can be nice people, in other respects.
You do realize that you've just "discovered" a boorishly common analogy that literally dates back to UseNet and the days of dialup, right? :-DD
SNR or the children? The analogy I was referring to is the involved analogy about children. Obviously SNR is a well established term, that IMHO isn’t reeeeally an analogy anyway.
I was probably using the term in alt.sci.repair when you lot were in diapers.
Technically possible, but not terribly likely, since Usenet is slightly younger than I am, and I was only in diapers for a few short years as a baby. ;)
As the saying goes, keep an open mind, but not so open that your brains fall out.)
I remember an example at a partner company to where I worked where data was transmitted by issuing DNS queries from a compromised system using the DNS infrastructure as a very slow semaphore.
How was this detected? I guess if you fully control the server, you could monitor the internet traffic and then compare all internet traffic with the installed programs. But if it is something like an Amazon cloud server, you would need to analyze every customer application. So it would be impossible to detect hidden traffic, except by detecting the hidden program itself. This makes it again more plausible to install something in the hardware, which can initiate network traffic outside of the core CPUs itself, because hidden programs with high privilege, which have suspicious network traffic, might be easier to detect. Of course, it would be much better to install a modified BMC chip instead of an extra chip, maybe with 2 layers, like running the transferred firmware in the normal layer, but with one hidden layer above it running an additional spy firmware. But it would be much more expensive, if they need to change the die for it.
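The covert channel in the two posts above (data leaving a host as a trickle of DNS queries) is usually caught at the resolver rather than by auditing every application on the box. As an added example that is not from this thread, the script below runs a simple detector over a few constructed resolver log lines: it groups queries by client and parent domain and flags pairs that produce many unique, high-entropy subdomains, which is what encoded payloads look like in a query log. The log format, the thresholds, the addresses and the domain names are all constructed for the example.

```python
"""Added example (not from the thread): flag DNS-based covert channels from
resolver query logs. Log format, thresholds and names are constructed."""
import math
import re
from collections import defaultdict

# Constructed resolver log lines: "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
1538700001 10.0.0.5 A www.example.com
1538700002 10.0.0.5 A mail.example.com
1538700003 10.0.0.7 TXT 4a7f9c02e1b3.exfil-test.example
1538700003 10.0.0.7 TXT 9d01c7ee52af.exfil-test.example
1538700004 10.0.0.7 TXT b3e8f1a0c6d4.exfil-test.example
1538700004 10.0.0.7 TXT 0f2d6a9e83c1.exfil-test.example
1538700005 10.0.0.7 TXT 7c4b2e1d5a90.exfil-test.example
1538700005 10.0.0.7 TXT e6a1d3f8b2c7.exfil-test.example
1538700006 10.0.0.5 AAAA cdn.example.com
1538700007 10.0.0.9 A www.example.org
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; hex/base32 payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str, levels: int = 2) -> str:
    """Parent domain as the last `levels` labels (simplification: no PSL lookup)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])


def parse_log(text: str):
    """Yield (ts, client, qtype, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            yield int(ts), client, qtype, qname.lower()


def find_covert_channels(text: str, min_unique: int = 5, min_entropy: float = 3.0):
    """Return {(client, parent_domain): stats} for suspicious pairs.

    A pair is flagged when the client queried at least `min_unique` distinct
    names under the parent and the mean entropy of the leftmost label is at
    least `min_entropy` bits/char. Thresholds are illustrative; tune them
    against a baseline of the resolver's normal traffic.
    """
    unique = defaultdict(set)        # (client, parent) -> set of qnames
    entropies = defaultdict(list)    # (client, parent) -> entropy per new qname
    for _, client, _, qname in parse_log(text):
        key = (client, parent_domain(qname))
        if qname not in unique[key]:
            unique[key].add(qname)
            entropies[key].append(shannon_entropy(qname.split(".")[0]))
    flagged = {}
    for key, names in unique.items():
        mean_ent = sum(entropies[key]) / len(entropies[key])
        if len(names) >= min_unique and mean_ent >= min_entropy:
            flagged[key] = {"unique_subdomains": len(names),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged


if __name__ == "__main__":
    for (client, parent), stats in find_covert_channels(SAMPLE_LOG).items():
        print(f"{client} -> {parent}: {stats}")
```

The two features (distinct-name count and label entropy) are deliberately independent of the application that generated the traffic, which is the point made in the post: the resolver sees the channel even when the originating program is invisible on the host. Low-volume tunnels that pace their queries under the count threshold will slip past this; a time-windowed version of the same counts is the usual next step.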
Good article on this story from a Cambridge security researcher here: https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
BTW I’ve spent most of my week trying to get hold of the proposed Supermicro B1DRI blades and I can’t get one anywhere. Thought it might be interesting. Boo hiss. Everyone is using HP or Dell blades and said “why would I buy Supermicro blades?”. Supermicro appears to have the niche of 1U shite pushing boxes and I doubt the bottom end boards are compromised. Doesn’t seem like a valuable target.
Yes to note I am trying to do this for £0 :-DD
I'd be willing to chip in for a board, though absence of a part would prove nothing.
Macrofab Podcast published this podcast with a very interesting discussion on the state of hardware/supply chain security. Worth a listen!
"There's a lot of Kabuki theater of denial going on about this, we just don't know if the story is real. But just look at it this way: Does it really matter if it's real? Because if it hasn't happened yet, how long do we have to wait until it does?"
https://macrofab.com/blog/mep-ep-142-supply-chain-conspiracy-securities/
The reason you say that is because you think like a westerner, where you have to pay a third party to make the hardware. They OWN the foundries where this stuff is forged; for them electronic hardware is as fluid and dynamic as the software used to create it. It is just the CUSTOMER who has to pay for changes, because revision is their stock in trade. ;)
A custom device, completely self-contained from the device it is monitoring, is the obvious choice from a security penetration standpoint, as EVERYTHING software that is supposed to be there has the potential to be reviewed while the device is IN USE.
And the use of such a device instantly allows deniability... it becomes much harder to track down where in the supply chain such a device was added; no way of knowing, or even guessing, whether the device was intercepted and the bug planted after the fact, or if it was contracted by one of the "Five Eyes, etc" groups to be produced in a "special run" of product that supposedly "never existed".
Really... you're thinking like a normal, sane person and attempting to apply LOGIC to the actions of government and enterprise BUREAUCRACY... that is why you can't imagine this. ;)
mnem
Follow. The. Money.
Not surprised Tim Cook isn't happy about the story, who would be. SuperMicro stock at $14 down from $25. If I was Charles Liang, CEO of SuperMicro, I wouldn't be happy either with a made up story about infiltrated supply chains. From a legal point of view I think Bloomberg are skating on very thin ice just to make news. Allegedly.
I wonder why SuperMicro doesn't sue Bloomberg for reputational damage or something. Usually these big companies have big legal departments and sue a lot, just see all the patent lawsuits.
I am sure that SuperMicro has its lawyers drafting up the papers while their QA and engineering (and probably some outside contractors, for neutrality's sake) tear apart hundreds of boards with a microscope and x-ray machines to make sure they are correct. The last thing they want is to sue Bloomberg and it turns out Bloomberg was right. I don't think that's the case, but SuperMicro is going to make damned sure they have a case, and when they do, they're probably not going to approach it gingerly.
Time for the 3rd (4th?) Act in our little Kabuki Theater; I hear Kimiko is pregnant! :-DD
What is the latest law made from the bench (aka jurisprudence) on companies as public figures in the US? If Supermicro has to prove malice it's an uphill battle.
jurisprudence |ˌdʒʊərɪsˈpruːd(ə)ns|
noun [ mass noun ]
the theory or philosophy of law.
precedent
noun |ˈprɛsɪd(ə)nt|
an earlier event or action that is regarded as an example or guide to be considered in subsequent similar circumstances: there are substantial precedents for using interactive media in training.
• Law a previous case or legal decision that may be or (binding precedent) must be followed in subsequent similar cases: we hope to set a legal precedent to protect hundreds of miles of green lanes.
Yes, and a favorite theme of said comedy involves said dwagon dying (usually a victim of his own hubris) comically and ironically at the hands of an incompetent or child protagonist. :palm:
Time for the 3rd (4th?) Act in our little Kabuki Theater; I hear Kimiko is pregnant! :-DD
I think you'd be better off characterising it as Noh theatre. Everybody wears masks, there are five one act plays in a programme, with a comedy piece somewhere in the middle.
Given the origins, it's not impossible that the comedy piece could conceivably involve a dwagon. :)
What do you mean by "companies as public figures"? It's an odd phrase, and I can think of no particular relevance to defamation law.
If the company counts as a public figure they have to prove malice, in this old case (http://californiadefamation.com/uncategorized/important-decision-on-public-figure-status-in-prominent-libel-case/) a company was not deemed one ... but times change and law is hard to google.
Interesting read:
https://www.businessinsider.com/bloomberg-reporters-compensation-2013-12?IR=T
Journalism has ALWAYS functioned this way;
No, what you just said is total BS. They do NOT have a "History" of this; they have a history of aggressive journalism and usually pissing off powerful people. That is NOT the same as tabloid journalism, not by a long shot.
Ummm, you can be aggressive journalism and piss off powerful people and still be writing a truthful story. (FWIW, my stepdad was an economics journalist who literally made a career of pissing off life insurance companies.)
Actually... I do believe they did publish a lemon... but I don't believe they set out to do so. I believe they found SOMETHING; still not sure what. Now whether the lemon was theirs; simply a matter of not digging deep enough, or was it a handoff from a third party to play them for fools, and why... that's the question.
Well, as an investigative journalist, your job is to find out the truth. Here, regardless of who actually created the suspected untruths, Bloomberg did not discount questionable sources. On the contrary, it appears that Bloomberg stayed the course even as they got more and more indicators that the story was wrong.
I don't hold ANYTHING as impossible... I just find it much more likely, in this age of global deceit from all manner of enterprise and government agencies, that they would NOT deliberately choose this form of suicide, but were rather herded in that direction. Up to this point, I certainly trust their history of "journalistic integrity" (a relative term, for sure, especially compared to the journalism heroes of my youth) far more than ANY word that comes from our own government; ESPECIALLY this administration, "The House That Lies Built".
Believing "ANYTHING" is possible is, well, crazy, and it must be exhausting. Some things are categorically impossible, and others are technically possible but incredibly implausible. Being able to filter out things that aren't worth investigating is a critical skill, not a deficiency!!!!
The notion that they deliberately went full tabloid at this late stage of the game is VERY low on my list of likely scenarios for them; there's just no payoff in it for them, only for other people.
Nobody said that it's necessarily Bloomberg that invented the narrative. Please stop putting words in people's mouths. What is indisputable is that Bloomberg published the story and has continued defending it. Whether the Bloomberg journalist invented the narrative himself, or was duped by others, is still unknown.
Actually... I do believe they did publish a lemon... but I don't believe they set out to do so. I believe they found SOMETHING; still not sure what. Now whether the lemon was theirs; simply a matter of not digging deep enough, or was it a handoff from a third party to play them for fools, and why... that's the question.
The question is, what's that "SOMETHING"? I am pretty sure this scenario has been studied thoroughly by interested parties. Surely there have been proofs of concept.
Nobody said that it's necessarily Bloomberg that invented the narrative. Please stop putting words in people's mouths. What is indisputable is that Bloomberg published the story and has continued defending it. Whether the Bloomberg journalist invented the narrative himself, or was duped by others, is still unknown.
YOU are the one putting words in people's mouths. You invent arguments I never made, and you post constantly about how wrong I am in those inventions.
YOU are the one putting words in people's mouths. You invent arguments I never made, and you post constantly about how wrong I am in those inventions.
Oh, by ALL means, show me where I put words in your mouth.
I'm sick of your incessant nattering and demeaning tone. You STILL have yet to add anything constructive to the conversation; all your energy here of the last week has been spent tearing ME down rather than the actual subject of the thread. Get a life. It's not all about YOU. :palm:
mnem
"Never argue with a fool; first they drag you down to their level, then they beat you up with experience."
Government labs should be helping solve what happened or if anything happened here.
Government helping the public and industry use technology is something they can do and do successfully, IF they do it professionally. (and in the past they have done this very well, less so now)
They should sponsor research in technologies that may pay off in the future and with complicated issues like security, they should be there to help (not hurt) US manufacturers improve security, and do it in a trustworthy way, not with a hidden agenda - and the information they make public should be reliably accurate and helpful - i.e. scientifically informed and literate, not thought-terminating - they should publish technical reports that in an intelligent way raise the overall level of knowledge on subjects, and avoid engaging in 'drama'.
Investigating Implausible Bloomberg Supermicro Stories: https://www.servethehome.com/investigating-implausible-bloomberg-supermicro-stories/
Are these the same government labs which intercept shipments to add their own backdoor hardware and firmware, pay companies like RSA to implement backdoored encryption products, and suborn NIST into implementing flawed security standards?
The government poisoned that well starting decades ago if not sooner.
It's in the government's interest to hand out decent quality guidance and security information and protect the country's interests.
Is Australia doing what I think it did?
The NHS is heavily privatised already. Most of the major organisations are shell companies / PFI / state run entirely backed with contractors, suppliers and permanent staff. There isn't really much of a public healthcare system, only the top level organisational stuff, property, data and logistics.
This has mostly been a positive progression however because the rationale behind it was to make parts of the NHS accountable to someone.
Privatization does the exact opposite. And the globalization aspect of it is likely to make providers even more unaccountable.
A government 100% can't be accountable to itself and you can't realistically sue a government as an individual. If you spin the providers off then you can separate responsibility (hospitals and trusts) and quality (NHS England) which reduces corruption and increases standards (which is actually statistically evident since this restructuring).
Now that doesn't mean that healthcare has a cost or it is a free market, but it does mean that the companies have to be transparent to the government agencies.
Prior to this arrangement, quality was unknown, no one was accountable and many many lives were destroyed with no recourse.
I think people forgot the old British public sector energy, postal and transport systems and how absolutely bloody awful they were and how things have improved.
WTO has nothing to do with this either way.