You say "Lets not talk about what hasn't been proven yet. It doesn't make any sense to waste time on it."
I say "Let's talk about it until it DOES make sense, no matter how ridiculous that conversation may seem. You never know where understanding may come from."
There is nothing to see at the moment. Extraordinary claims require at least some evidence. It’s all words and farts.
Windows however, and I’m quoting here “hammers the fucking shit out of the firewall even though we turn all the switches off”.
I think we’re prioritising risk vectors incorrectly here.
Personally I’m more worried about the nasty American monopoliser’s vampiric tendency and addiction to telemetry and activation data. Imagine the GDPR hell if some of that data contains PII one day due to a bug like the .Net core CLR telemetry logger logging command lines fully...
Very easy. That would force Bloomberg to reveal their sources or pay up. This could be quite a scandal ultimately resulting in Bloomberg being accused of market manipulation.
Very easy. That would force Bloomberg to reveal their sources or pay up. This could be quite a scandal ultimately resulting in Bloomberg being accused of market manipulation.
As Bloomberg is not that stupid to pull this kind of stunt.
What interesting now is to see if companies like Supermicro will take legal action, ... or maybe not at all, which is expected too.
The whole newstory is a hoax/fake news in my opinion.
If China wants to spy on servers/computers/laptops/tablets/mobile phones, they could just put the required software hidden inside the firmware of the respective devices, for instance inside the IC managing the ethernet/mobile/wifi communication.
It beats me why someone would imagine China to solder a monitoring IC into an existing motherboard, when it could simply do it by software.
And no, doing it by software, changing the firmware and eventually even signing it again, is certainly not more difficlult than:
- developing a custom IC that is miniature for what it has to do in terms of processing power
- finding a way to connect it to the correct data lines
- finding a way to communicate with the outside world
Sorry, that simply doesn't make any sense!
Regards,
Vitor
Just because this particular flavor of industrial espionage hasn't been proven here doesn't make it NOT valid discussion. You're NOT doing anybody a service by demanding that just because it hasn't been proven here by what we can see that it is not true.
"Absence of proof is NOT proof of absence." There - scientific method. Prove it HASN'T happened. You can't, just like I can't prove it HAS happened.
Stop telling us that it isn't so, when you don't KNOW it isn't so. You BELIEVE it is not so, based on your very narrow view of the scientific method. But THAT is just as much YOUR opinion (as is your opinion of how to apply scientific method) as it is MY opinion (and that of anyone with a reasonably healthy level of cynicism) that if it isn't already happening, it will be happening tomorrow, or the next day.
It is not only probable, it is inevitable, and sooner rather than later. All you have to do is pay attention to human nature and history to know this.
THAT is where YOUR view of the scientific method differs from mine: You use it as an excuse to view the world with blinders on, while I use it to fuel my curiosity.
You say "Lets not talk about what hasn't been proven yet. It doesn't make any sense to waste time on it."
I say "Let's talk about it until it DOES make sense, no matter how ridiculous that conversation may seem. You never know where understanding may come from."
mnem
Most people, on seeing something that doesn't make sense, will pause with a dark expression on their face; be instead the person whose face brightens at the prospect.
Again, it would seem much simpler to just change the firmware or, heck, replace the whole chip they target with a hacked one.
..., so it's not as though one can just quickly send a few hundred packets unnoticed.
I remember an example at a partner company to where I worked where data was transmitted by issuing DNS queries from a compromised system using the DNS infrastructure as a very slow semaphore.
The whole newstory is a hoax/fake news in my opinion.
If China wants to spy on servers/computers/laptops/tablets/mobile phones, they could just put the required software hidden inside the firmware of the respective devices, for instance inside the IC managing the ethernet/mobile/wifi communication.
It beats me why someone would imagine China to solder a monitoring IC into an existing motherboard, when it could simply do it by software.
And no, doing it by software, changing the firmware and eventually even signing it again, is certainly not more difficlult than:
- developing a custom IC that is miniature for what it has to do in terms of processing power
- finding a way to connect it to the correct data lines
- finding a way to communicate with the outside world
Sorry, that simply doesn't make any sense!
Regards,
Vitor
Just because this particular flavor of industrial espionage hasn't been proven here doesn't make it NOT valid discussion. You're NOT doing anybody a service by demanding that just because it hasn't been proven here by what we can see that it is not true.
"Absence of proof is NOT proof of absence." There - scientific method. Prove it HASN'T happened. You can't, just like I can't prove it HAS happened.
Stop telling us that it isn't so, when you don't KNOW it isn't so. You BELIEVE it is not so, based on your very narrow view of the scientific method. But THAT is just as much YOUR opinion (as is your opinion of how to apply scientific method) as it is MY opinion (and that of anyone with a reasonably healthy level of cynicism) that if it isn't already happening, it will be happening tomorrow, or the next day.
It is not only probable, it is inevitable, and sooner rather than later. All you have to do is pay attention to human nature and history to know this.
THAT is where YOUR view of the scientific method differs from mine: You use it as an excuse to view the world with blinders on, while I use it to fuel my curiosity.
You say "Lets not talk about what hasn't been proven yet. It doesn't make any sense to waste time on it."
I say "Let's talk about it until it DOES make sense, no matter how ridiculous that conversation may seem. You never know where understanding may come from."
mnem
Most people, on seeing something that doesn't make sense, will pause with a dark expression on their face; be instead the person whose face brightens at the prospect.Blah blah blah… again, nobody here has said it's impossible. We are saying it's improbable and implausible, because a) it doesn't make sense to take this approach, and b) there's no evidence that it happened as described.
And your conspiracy theorist tone of "you have blinders on, while I'm awoke!" doesn't make you seem more enlightened, it makes you seem like, well, a classic conspiracy theorist, complete with the "I want to believe!" poster on the wall that you stole from Mulder's office.
That's easy. You have private DNS, your DNS doesn't forward past the local DNS resolver and you log the NXDOMAIN responses.
All your users go via authenticated proxy (squid) or aren't on the public internet.
You can run the same in AWS. Your instances don't have to be internet facing. Just don't have an NGW on your VPC and VPN yourself into it with a VPN GW.
These kind of chips are known in the console world as "mod chips". They will inject the appropriate data to surpass the protection mechanism.
Still, they do require a lot of computing power to "just" swap a few bits...
I could not imagine a chip as small as the one presented in the news to have enought CPU power and memory to do a useful hack based on as litte as 6(?) pins.
Also, I don't understand how they could implement that chip without having to solder any wires... It would be a miracle to have a point on the board that had the right traces on one spot where you could solder the IC.
Again, it would seem much simpler to just change the firmware or, heck, replace the whole chip they target with a hacked one.
Regards,
Vitor
An article taking a rather more down-to-earth look at the Bloomberg motherboard hacking claim from the ElectronicDesign site...
https://www.electronicdesign.com/embedded-revolution/how-hack-server-motherboard
There have been more details revealed lately and it appears that the motherboard circuit board did not have to be modified. Likewise, the additional chip may simply be a standard serial memory chip that was added to a location designed for the chip and left unpopulated. This is a common design approach to provide more options. For example, a TPM security chip is often an option for a server motherboard. The chip is simply left out if the motherboard will not provide that option.
...
The hack was supposedly caught, not by observing the changes to the motherboard, but by network traffic that was abnormal. A more sophisticated implementation might delay compromised communication until much later making it much harder to detect.
Just because this particular flavor of industrial espionage hasn't been proven here doesn't make it NOT valid discussion. You're NOT doing anybody a service by demanding that just because it hasn't been proven here by what we can see that it is not true.
"Absence of proof is NOT proof of absence." There - scientific method. Prove it HASN'T happened. You can't, just like I can't prove it HAS happened.
Stop telling us that it isn't so, when you don't KNOW it isn't so. You BELIEVE it is not so, based on your very narrow view of the scientific method. But THAT is just as much YOUR opinion (as is your opinion of how to apply scientific method) as it is MY opinion (and that of anyone with a reasonably healthy level of cynicism) that if it isn't already happening, it will be happening tomorrow, or the next day.
It is not only probable, it is inevitable, and sooner rather than later. All you have to do is pay attention to human nature and history to know this.
THAT is where YOUR view of the scientific method differs from mine: You use it as an excuse to view the world with blinders on, while I use it to fuel my curiosity.
You say "Lets not talk about what hasn't been proven yet. It doesn't make any sense to waste time on it."
I say "Let's talk about it until it DOES make sense, no matter how ridiculous that conversation may seem. You never know where understanding may come from."
mnem
Most people, on seeing something that doesn't make sense, will pause with a dark expression on their face; be instead the person whose face brightens at the prospect.Blah blah blah… again, nobody here has said it's impossible. We are saying it's improbable and implausible, because a) it doesn't make sense to take this approach, and b) there's no evidence that it happened as described.
And your conspiracy theorist tone of "you have blinders on, while I'm awoke!" doesn't make you seem more enlightened, it makes you seem like, well, a classic conspiracy theorist, complete with the "I want to believe!" poster on the wall that you stole from Mulder's office.
"Blah, blah, blah..." you said it yourself.
Who is more the fool? The one who considers conspiracy theories and attempts to find the grain of truth behind them, or the one who cavalierly dismisses real evil, corruption and conspiracy going on all around that is so blatant it is happening right out in the open for all to see?
Calling willful ignorance "the scientific method" is just another lie, only it's the lie you tell yourself to have an excuse for that ignorance.
True "scientific method" investigates, records, and DOES NOT PRESUME ANYTHING.
It certainly does not assume that because we haven't proven a thing yet, it isn't so. It is in fact the polar OPPOSITE of that assumption.
mnem
Follow. The. Money.
You did not understand my comment. You’re going off on another condescending cuckoo conspiracy theorist “I’m more aware than you!” rant/sermon, and about evil and your idea of “scientific method” and whatnot, and meanwhile you don’t even realize what I did (and didn’t) say.
No need to reply, I’ve added you to my ignore list. I don’t need the temptation of getting into arguments with conspiracy nuts.
So the tiny filter package thing may have been completely wrong, which threw a lot of people off.