Supply chains and trust

By: dmcq (dmcq.delete@this.fano.co.uk), October 4, 2018 10:31 am
Room: Moderated Discussions
Maynard Handley (name99.delete@this.name99.org) on October 4, 2018 9:57 am wrote:
> David Kanter (dkanter.delete@this.realworldtech.com) on October 4, 2018 8:23 am wrote:
> > Bloomberg released a fantastic report on Chinese intelligence inserting malicious
> > HW into supply chains for servers: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies?srnd=premium
> >
> > It sure gives a different angle to the move to a hardware root-of-trust by the industry. In reality though,
> > I'm not sure if HW RoT is sufficient. You can always sniff capacitance across an exposed wire!
> >
> > David
>
> IF it's true...
>
> Compare
> "Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd
> network activity and firmware problems, according to a person familiar with the timeline. Two of the senior
> Apple insiders say the company reported the incident to the FBI but kept details about what it had detected
> tightly held, even internally. Government investigators were still chasing clues on their own when Amazon
> made its discovery and gave them access to sabotaged hardware, according to one U.S. official. This created
> an invaluable opportunity for intelligence agencies and the FBI—by then running a full investigation led
> by its cyber- and counterintelligence teams—to see what the chips looked like and how they worked."
>
> with
>
> ""On this we can be very clear: Apple has never found malicious chips, "hardware manipulations"
> or vulnerabilities purposely planted in any server," Apple said in a statement. "Apple never
> had any contact with the FBI or any other agency about such an incident.""
> from
> https://www.businessinsider.com/supermicro-share-price-crushed-by-report-it-sold-servers-compromised-by-chinese-spies-2018-10
>
> So we have Bloomberg claiming a bunch of details about what Apple knew and did, and
> talking to the FBI, and Apple categorically denying this. Whom do we believe?
>
> Well, I obviously have no specific insight into the matter. However I DO know the following background facts
> - it is a tradition of the seedier parts of the US political establishment to feed lies to reporters
> - the same Republicans who have been thoroughly compromised by Russia are doing everything they
> can to paint China as America's new enemy ("We have always been at war with EastAsia" indeed)
> - if your greatest negotiating tactics ever, beautiful negotiating tactics, against China
> have failed to win you glory, time for a plan B, a Reichstag fire or Ems Telegram

The story does smell a bit as far as I'm concerned. Too many people monitor their internet traffic for this sort of thing to remain hidden for very long, and the possible economic negatives are just too great. There are far easier and more deniable ways of doing it. Unless one is Putin and wants people to know they should be scared, you try to cover your tracks. If anything like this happened, people will soon find a way of identifying the compromised boards and show them generally. It is about possible to make something that small but they would also need to reroute a bit to get the right tracks.

Count me as somebody who needs a lot more evidence.