By: David Hess (davidwhess.delete@this.gmail.com), October 4, 2018 11:03 am
Room: Moderated Discussions
dmcq (dmcq.delete@this.fano.co.uk) on October 4, 2018 10:31 am wrote:
>
> Too many people monitor their internet traffic for
> this sort of thing to remain hidden for very long, and the possible economic negatives are just too
> great. There's far easier and more deniable ways of doing it.
Do you mean the economic negatives to the companies involved and especially Supermicro or the economic negatives to China?
I think the traffic monitoring aspect is irrelevant. More and more systems phone home whether it is needed or not concealing surreptitious traffic making this an increasingly difficult problem.
Eventually someone was going to be stupid or desperate enough to try modifying hardware in this way and get caught no matter what the consequences. Altering chip masks would be much more difficult and modifying firmware or software is easier to detect despite being more deniable.
As far damage from blowback, the NSA has made this same mistake several times now tarnishing companies like RSA, their own security division, NIST, and various committees involved with security standards.
> If anything like this happened people will
> soon find a way of identifying the compromised boards and show them generally. It is about possible
> to make something that small but they would also need to reroute a bit to get the right tracks.
There was a limited window where this could happen but changing the board layout is trivial compared to changing a mask or firmware. In the future where it matters, x-ray inspection could verify the fidelity of the boards even if the chips are added between layers.
>
> Too many people monitor their internet traffic for
> this sort of thing to remain hidden for very long, and the possible economic negatives are just too
> great. There's far easier and more deniable ways of doing it.
Do you mean the economic negatives to the companies involved and especially Supermicro or the economic negatives to China?
I think the traffic monitoring aspect is irrelevant. More and more systems phone home whether it is needed or not concealing surreptitious traffic making this an increasingly difficult problem.
Eventually someone was going to be stupid or desperate enough to try modifying hardware in this way and get caught no matter what the consequences. Altering chip masks would be much more difficult and modifying firmware or software is easier to detect despite being more deniable.
As far damage from blowback, the NSA has made this same mistake several times now tarnishing companies like RSA, their own security division, NIST, and various committees involved with security standards.
> If anything like this happened people will
> soon find a way of identifying the compromised boards and show them generally. It is about possible
> to make something that small but they would also need to reroute a bit to get the right tracks.
There was a limited window where this could happen but changing the board layout is trivial compared to changing a mask or firmware. In the future where it matters, x-ray inspection could verify the fidelity of the boards even if the chips are added between layers.
Topic | Posted By | Date |
---|---|---|
Supply chains and trust | David Kanter | 2018/10/04 07:23 AM |
Supply chains and trust | Maynard Handley | 2018/10/04 08:57 AM |
Supply chains and trust | Maynard Handley | 2018/10/04 09:01 AM |
Supply chains and trust | wumpus | 2018/10/04 03:35 PM |
Supply chains and trust | Robert Williams | 2018/10/08 05:30 PM |
Supply chains and trust | Maynard Handley | 2018/10/08 06:21 PM |
Supply chains and trust | Robert Williams | 2018/10/09 08:03 AM |
Supply chains and trust | Robert Williams | 2018/10/09 08:08 AM |
Supply chains and trust | Maynard Handley | 2018/10/09 08:27 AM |
Supply chains and trust | dmcq | 2018/10/04 09:31 AM |
Supply chains and trust | Gabriele Svelto | 2018/10/04 10:32 AM |
Supply chains and trust | Brett | 2018/10/04 10:52 AM |
Supply chains and trust | Maynard Handley | 2018/10/04 11:08 AM |
Supply chains and trust | Adrian | 2018/10/04 11:36 AM |
Supply chains and trust | Maynard Handley | 2018/10/04 11:51 AM |
Supply chains and trust | Rob Thorpe | 2018/10/04 12:09 PM |
Supply chains and trust | David Hess | 2018/10/04 11:38 AM |
Supply chains and trust | Brett | 2018/10/04 11:52 AM |
Supply chains and trust | Doug S | 2018/10/04 12:33 PM |
Supply chains and trust | David Hess | 2018/10/04 11:09 AM |
Supply chains and trust | David Hess | 2018/10/04 11:03 AM |
Supply chains and trust | Doug S | 2018/10/04 12:45 PM |
Supply chains and trust | Gabriele Svelto | 2018/10/05 12:53 AM |
Supply chains and trust | dmcq | 2018/10/05 02:51 AM |
Supply chains and trust | Gabriele Svelto | 2018/10/05 03:34 AM |
Supply chains and trust | Doug S | 2018/10/05 11:46 AM |
Supply chains and trust | Gabriele Svelto | 2018/10/06 01:59 PM |
Supply chains and trust | David Hess | 2018/10/06 03:12 PM |
Supply chains and trust | J | 2018/10/04 09:24 PM |
Supply chains and trust | Andrew Clough | 2018/10/05 05:38 AM |
Supply chains and trust | David Hess | 2018/10/06 03:16 PM |
Supply chains and trust | Maxwell | 2018/10/06 03:37 PM |
Hit job on Super Micro? | Maxwell | 2018/10/04 09:46 PM |
Hit job on Super Micro? | Brett | 2018/10/04 11:55 PM |
Hit job on Super Micro? | David Hess | 2018/10/06 03:15 PM |
Supply chains and trust | Kevin G | 2018/10/04 12:47 PM |
Raptor Engineering's Raptor | Gabriele Svelto | 2018/10/05 03:42 AM |
Supply chains and trust | Groo | 2018/10/06 05:49 AM |
Supply chains and trust | David Kanter | 2018/10/06 08:04 AM |
Supply chains and trust | Groo | 2018/10/06 02:42 PM |
Supply chains and trust | David Kanter | 2018/10/06 02:46 PM |
SuperMicro boards are not made in USA | Adrian | 2018/10/06 11:08 PM |
SuperMicro boards are not made in USA | Adrian | 2018/10/06 11:28 PM |
Supply chains and trust | juanrga | 2018/10/07 06:12 AM |
Supply chains and trust | David Hess | 2018/10/06 03:24 PM |
Supply chains and trust | Wes Felter | 2018/10/07 02:35 PM |
What did the BOM entry look like? | Mark Roulo | 2018/10/04 01:21 PM |
Supply chains and trust | Maynard Handley | 2018/10/04 03:01 PM |
Supply chains and trust | dmcq | 2018/10/05 12:27 AM |
Here's what I think happened | Doug S | 2018/10/05 11:56 AM |
Here's what I think happened | Brett | 2018/10/05 03:17 PM |
FBI wants to be your first contact | ex-apple | 2018/10/05 03:41 PM |
Here's what I think happened | Doug S | 2018/10/05 09:59 PM |
Why call CIA? | David Kanter | 2018/10/06 08:01 AM |
Why call CIA? | Doug S | 2018/10/06 08:33 AM |
Why call CIA? | David Kanter | 2018/10/06 02:43 PM |
Here's what I think happened | Maynard Handley | 2018/10/05 03:23 PM |
Here's what I think happened | dmcq | 2018/10/06 03:52 AM |
Supply chains and trust | David Hess | 2018/10/06 03:34 PM |
Supply chains and trust | Groo | 2018/10/06 06:01 AM |
Supply chains and trust | etudiant | 2018/10/07 03:36 AM |