Will our tech even work if ever we have a confrontation?
This topic has 25 replies, 6 voices, and was last updated 7 years ago by Ed P.
October 4, 2018 at 10:52 pm #26740
This Bloomberg report is really scary. For perhaps as long as twelve years most of the West’s most secure servers had a built-in Chinese hacking device. There could even be one on board HMS White Efflump if the CIA omitted to warn us that a top US ‘made’ mobo was compromised.
That security hole has been plugged, but how many have we missed?
October 5, 2018 at 8:10 am #26763
I was reading about this earlier, Ed. Apparently Apple and others willing to talk on record have been swapping out the known affected servers over the last couple of years. At the time Apple at least blamed the swaps on upgrades and contract endings. Apparently the CIA, DOJ and FBI have also been using infected hardware too.
Though I’d bet this story is just the top of the iceberg. Tbh what does anyone expect? You use the Chinese to build the most advanced parts produced, then we all act shocked when they turn said tech against us.
Always going to happen. This isn’t the first and won’t be the last.
October 5, 2018 at 11:33 am #26771
Interestingly everyone denies it ever happened. Maybe it was NSA spyware and everyone is now doing a hush-up!
There are also reports that the firmware for the rogue chip was even updated – link
October 5, 2018 at 7:15 pm #26787
It gets even more interesting in that Bloomberg refute the denials! link
The companies involved also state that they are not under any gag/compulsion orders, so one assumes that they honestly believe their side of the story.
To summarize:
a) A bunch of ‘intelligence’ spooks leaked the revelation to a Bloomberg tech reporter in sufficient detail to identify the apparently rogue chip.
b) Bloomberg have at least one report by Facebook of firmware updates for the rogue that triggered alarms.
c) The three major tech companies were identified who ought to know their product inside-out. They deny the reports.
d) Bloomberg confirm the veracity of their reports.
Your theories are as good as mine, either Bloomberg are wrong or an unprecedented cover-up is going on.
October 5, 2018 at 7:29 pm #26788
Tin foil hat time again!!!
If my hands stop hurting long enough I’ll make designer ones. Oh, no need for my hands to work, I’ll just get a few zero hour workers from Sports Direct, just need a pick up so I can wait outside and herd them in, waving a fiver.
October 6, 2018 at 8:06 pm #26822
For what it is worth a Cambridge University Senior Associate has made an assessment of the Bloomberg story, and states that from a technical standpoint it is very plausible.
In other words such a chip attack could be made and it would work. This then leaves the ‘conspiracy’ of just why tech companies would deny it.
Assuming the story is true the only reason would be collusion while a technical solution could be found to the problem of replacing thousands of vulnerable servers. (a bit like their concealing of the Meltdown vulnerability for as long as possible.)
If the story is wrong we can all breathe a sigh of relief at not having to worry about an army of script kiddies writing SPI code and exploiting the thousands of servers we use every day.
October 6, 2018 at 9:05 pm #26826
Read the comments from the real world, they are the bit that makes sense to me as to its feasibility or not. Also the story relies on anonymous sources and no physical evidence.
Sorry but I’ve seen at first hand the doing down of Hikvision by competitors claiming just such tricks. They turned out to be total borax but Hikvision now have everything certified by third parties.
Given the current trade wars with China and the “reds under the bed” sentiment being whipped I’d take this with a pinch of salt until real evidence comes to light. Supermicro boards aren’t exactly rare, you can go and buy one yourself right now from many vendors.
It’s easy to inspect every packet on your network and to implement firewalls and VLANs. If anything is “phoning home” you can detect it. As mentioned you run your servers in different networks to your clients, it’s a simple precaution that has been common for decades, it’s how we stopped the olde fashioned port attacks.
This all smacks of propaganda to me.
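The check this post describes, flagging anything on the server or BMC network that is "phoning home", sketched as an added example that is not part of the original thread. The management subnet, the allowlist and the flow records are constructed assumptions; the code lists flows leaving the management VLAN for a non-allowlisted address and marks regularly spaced ones as beacons.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed layout: the BMC/management VLAN and the only networks it should reach.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED = [ipaddress.ip_network("10.20.0.0/24"),   # the VLAN itself
           ipaddress.ip_network("10.1.5.10/32")]   # internal NTP/syslog host

# Constructed flow records: (epoch seconds, source, destination, dest port)
FLOWS = [
    (1000, "10.20.0.11", "10.1.5.10", 123),
    (1060, "10.20.0.12", "10.20.0.1", 443),
    (1100, "10.20.0.13", "203.0.113.7", 443),
    (1400, "10.20.0.13", "203.0.113.7", 443),
    (1701, "10.20.0.13", "203.0.113.7", 443),
    (2000, "10.20.0.13", "203.0.113.7", 443),
    (1500, "10.20.0.11", "198.51.100.9", 53),
    (1200, "10.30.0.5", "203.0.113.7", 443),   # client VLAN, out of scope
]

def unexpected_egress(flows):
    """Group flows that leave the management VLAN for a non-allowlisted address."""
    hits = defaultdict(list)
    for ts, src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in MGMT_NET and not any(d in net for net in ALLOWED):
            hits[(src, dst, port)].append(ts)
    return hits

def classify(flows, min_events=4, max_jitter=0.1):
    """Label each unexpected (src, dst, port) as 'beacon' or 'one-off'."""
    report = {}
    for key, times in unexpected_egress(flows).items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Regular spacing: interval spread is small relative to the mean interval.
        regular = (len(times) >= min_events
                   and pstdev(gaps) <= max_jitter * mean(gaps))
        report[key] = "beacon" if regular else "one-off"
    return report

if __name__ == "__main__":
    for (src, dst, port), label in sorted(classify(FLOWS).items()):
        print(f"{src} -> {dst}:{port}  {label}")
```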
October 7, 2018 at 8:13 am #26847
While I agree regular communication would likely be detected, a ‘Crash & Burn’ scenario a la Stuxnet would only need a couple of incoming double words to act as an authorising activation signal to set off the self destruct code for the board. For example, a recursive delete on the board’s Linux.boot code, but as quoted this hypothetical chip has full access to the memory space for the board so just adding a little random operating ‘noise’ would generate the nightmare of intermittent faults.
October 7, 2018 at 10:52 am #26851
This is a truly wonderful story that has the great advantage that either side of the great divide can, with equal sincerity, say, ‘Of course they would say that’. Lo and behold, that is what has been happening. The alleged ‘victims’ claim no knowledge so that theorists chant ‘of course they would say that’. If it all happened a little while back and if it failed the way that the third party witnesses say, it all fits so wonderfully well with Trump’s current timing and message of ‘Don’t trust the thieving/murdering/raping* foreigner’. (*Delete or add to as required.)
So who has gained?
The story alleges that out of hundreds of items churned out a few made their way to some specific customers, suggesting stock management that must be the envy of almost all organisations not subject to recent communist rule!
Already FUD is starting to rule.
Should we trust Chinese makers?
Should we trust those who purchase from those who use Chinese makers (e.g. Apple, who are mysteriously getting a current free pass from Trump’s tariffs, an odd one that)?
Will the defence sector have been blown with these dodgy goods in their network?
The FUD industry is now on double time and what did it cost?
Perhaps a few dodgy hotel rooms, or were the alleged meetings ever held? Perhaps a few dodgy actors and a story that is being embellished daily by all sides as the theory polishers and theory tarnish makers get to work.
On a personal note I do find it odd that industry is being trusted in an increasingly imperialistic expansionist China to make building blocks on which others rely for vital defence services. Bloomberg has for years been trusted by many though for some, their stories do not always quite ring out as balanced and without some shielded motive.
Still, if the financial impacts are to be a measure of reactions, perhaps the story has achieved its FUD aim. Perhaps the value of off shoring has been reduced. Perhaps its costs have been inflated in the minds of those pulling purse strings.
Oh and were my recent grocery orders and miscellaneous goods requests leaked to some inscrutable team who are building up a profile of my activity? Perhaps, after seeing my Google tracks from my Chinese built phone and Google managed data services, they are wondering why I am not wandering a field along a bridleway yesterday or today. The answer is easy, no dog sitting, so no dog walking and clearly no dead letter drops either. Rather I did visit another town which may be able to offer some very expensive accommodation and training for a disabled relative.
October 7, 2018 at 11:42 am #26853
Richard, following Stuxnet, and Snowden’s revelations I am willing to believe that nation states are inclined to do anything they think could gain them advantages even if it means possibly hitting the innocent as well. For example the side-effects of Stuxnet, and the NSA hacking tools and maybe even the Intel Management Engine (IME) ….
It is a published ‘fact’ that the NSA has intercepted hardware during its shipment to bug it. As the Chinese have access at the point of manufacture it is much easier to taint a manufacturing ‘batch’ destined for large target orders; if a few also get out into the wild, so be it. It depends very much on the function of the chip. In a ‘Crash & Burn’ application, collateral victims are acceptable. In a Command & Control/Communications situation I would accept that a more fine-grained distribution is needed. Certainly one of the NSA tools (IME?) can be used in a malign ‘Crash & Burn’ mode (Snowden), it would be foolish to overrule similar hardware devices.
October 7, 2018 at 1:55 pm #26865
I would be inclined to ignore Bloomberg on this one as they made little attempt to say what this chip may be or what it may do. Some vague reference to network card firmware was as far as they went.
October 7, 2018 at 2:20 pm #26866
@Graham the Bloomberg report is light on tech details but it isn’t a tech mag. Try the Cambridge Uni assessment for more detailed chip tech assumptions. Having referred you to the link, I would say that actual mobos with identified rogue chips seem to be significant in their absence. So a fair summary would be that tainted mobos are technically feasible, but as yet unproven to exist.
Incidentally from the tech description, tainted GPUs would be the way to go!
Meanwhile Supermicro stock is down 30%.
October 7, 2018 at 3:08 pm #26872
Meanwhile Supermicro stock is down 30%.
I think this is what the story is really all about. As I said I have seen Hikvision have the same treatment and salesmen from their competitors tried it on me in the space of 2 minutes after meeting them. Our kit is made in Korea, not China etc. etc.
If there is one nation we need to be worried about spying on us it is the USA closely followed by ourselves. The recent Russian attempts in the Netherlands were a laugh. Their car park interception of wireless traffic would only have worked on an unsecured network and so the fault of the targets’ admins, but that wasn’t mentioned. It is always that the bad guys have some sort of secret sauce unknown to the West that magically unlocks our networks. As we know the tools used in the wild are written by our own side who therefore must be up to exactly the same tricks themselves.
Now let me see, to be sure I must buy CCTV cameras manufactured wholly in Europe or the USA. Most of the big US brands now purchase their equipment from a factory in China. With the “The Big Three” Chinese manufacturers: Hikvision, Dahua, and TVT making about 90% of IP cameras on the market.
October 7, 2018 at 3:43 pm #26875
Well I suppose it could be possible if the BMC firmware was deliberately compromised during manufacture but no one has yet seen that happen. Bloomberg point to an extra serial memory chip found on some Supermicro boards but they don’t actually say it had anything nasty on it.
October 7, 2018 at 3:48 pm #26876
Sorry, Cambridge Uni point to the chip.
October 7, 2018 at 3:58 pm #26878
I’m sort of with Dave, the US is in full out attack mode against Chinese trade, until the deals get sorted (or the world ends), there is going to be a lot of collateral damage.
I don’t trust any media outlet, especially the American ones, so the whole story could just be some sort of smear campaign. Though I’m not sure why, as it smears the affected (point of contact) companies just as much as the manufacturing one.
The US gov has all but banned Huawei and Xiaomi. Maybe it’s a play to bring back production to the USA. Try and stop the Apples of the world using Chinese OEMs. Tbh I can’t keep up with Trump’s games. I don’t think he can. Imagine being his PA.
October 8, 2018 at 7:53 am #26901
Having just read how Bloomberg rewards its reporters maybe there is a degree of self-interest in the way the SuperMicro article was pitched.
October 8, 2018 at 10:31 am #26907
That has to be illegal. If not unethical as shit. That’s disgusting. And just backs up, capitalises and underlines my view on the media. BB should and will be avoided by me from now on, if this is true. And from that report it is.
But how credible is this company that is reporting this? I wonder if the writer here gets a bonus if BB takes a dive.
I’m looking forward to the hardware back door story hitting mainstream, usually takes a week or so after we hear it. I bet this side of the story doesn’t feature. If that comes true, we will also get to see what other news outlets are broken.
It’s not just us nerds that get a heads up on news; my wife loves the gossip crap, and she is always telling me crap about people I don’t care about a week before it breaks as news. She has been following the Ronaldo rape allegations for a good week before it hit the mainstream. And given the number of girls’ alleged involvement, and distances apart (iirc my wife said a number from Spain, UK and USA) and the span of years, the girls have very similar tales of what he said to them.
Added to that, he has apparently admitted to a couple on record and has also paid off at least one lady. With all this potential evidence floating around, I’m amazed when the news finally broke, it was so small. Like a mouse darting in the wind.
I often watch a comedian called Jim Jefferies and he has told a gag which has a chart about how much a celeb can get away with, and ‘correlates it’ to the more you’re liked the more you get away with. The likes of Jimmy Savile, Michael Jackson, and Bill Cosby top the list. I’m getting the feeling Ronny is getting social leniency, until proven guilty by the press. If this was an unliked player like Diego Costa, he would be getting hammered by the media.
October 8, 2018 at 11:54 am #26911
I think if there WAS any market manipulation, US law will take care of them for a long time!
I must admit that other than watching ‘Billions’ on Sky, market manipulation investigations are a bit of a Black Box to me. If (say) someone spotted something awry 24 months ago and took out a long-term short, and later tipped off a reporter, would market investigators pick it up, or do they only look at recent trades?
October 8, 2018 at 1:29 pm #26916
I’m not sure Ed, I suppose you’d have to either prove it was pre planned or prove that someone connected was buying or selling in an unusual manner at the time.
I don’t think there are any insider laws for press, they would get to hide under the “safe harbour” rules. I.e. you can’t be prosecuted for actions that happen (or happened) after or before you published.
So then you’d have to circle back to my first two points. Someone connected to you (or yourself) would have to directly gain from your news. But probably only if your news was fake.
So in short, I doubt it Ed.
