Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security IT Technology

The Long Hack: How China Exploited a U.S. Tech Supplier (bloomberg.com) 104

Supermicro chips and software were tampered with by Chinese operatives in the past decade, Bloomberg reported Friday, doubling down on its 2018 report that was widely disputed by several tech giants and government agencies. Today's report says that U.S. security and defense officials knew of the hack but kept it secret in an effort to learn more about China's hacking capabilities. From the report: Bloomberg Businessweek first reported on China's meddling with Supermicro products in October 2018, in an article that focused on accounts of added malicious chips found on server motherboards in 2015. That story said Apple and Amazon.com had discovered the chips on equipment they'd purchased. Supermicro, Apple and Amazon publicly called for a retraction. U.S. government officials also disputed the article.

With additional reporting, it's now clear that the Businessweek report captured only part of a larger chain of events in which U.S. officials first suspected, then investigated, monitored and tried to manage China's repeated manipulation of Supermicro's products. Throughout, government officials kept their findings from the general public. Supermicro itself wasn't told about the FBI's counterintelligence investigation, according to three former U.S. officials. The secrecy lifted occasionally, as the bureau and other government agencies warned a select group of companies and sought help from outside experts.
Some stories from 2018 that capture the reaction of the industry to Bloomberg's earlier piece:

Amazon Has Pulled Ads From Bloomberg Over Controversial 'Big Hack' Chinese Spy Story; Apple Has Not Invited Outlet's Reporters To a Product Event;
In an Unprecedented Move, Apple CEO Tim Cook Calls For Bloomberg To Retract Its Chinese Spy Chip Story;
Bloomberg is Still Reporting on Challenged Story Regarding China Hardware Hack.
This discussion has been archived. No new comments can be posted.

The Long Hack: How China Exploited a U.S. Tech Supplier

Comments Filter:
  • More like: (Score:1, Insightful)

    by Anonymous Coward

    How the US tech supplier fucked itself chasing easy money and now wants someone else to foot the bill of fighting better competition.

  • by Anonymous Coward on Friday February 12, 2021 @08:56AM (#61055610)

    If the hack is true, then basically it looked like China tried to apply pressure via Apple.

    And if that is true, it shows you *exactly* the kind of company Apple actually is.

    • by Guspaz ( 556486 ) on Friday February 12, 2021 @09:31AM (#61055732)

      Bloomberg never provided any evidence that it was true, and as far as I know, nobody has backed them up on it. Meanwhile, the companies themselves and the US government have basically refuted it. Bloomberg lost a lot of credibility over refusing to admit they might be wrong.

      • Yeah, this is what I came here to say.

        I'm willing to believe the report, but only after I see some evidence.

        So far, zero evidence of this supposed hack has been presented to the public, and until I see some, I'm going to consider this to be a snowjob. Put up or shut up, Bloomberg.

        • by XXongo ( 3986865 ) on Friday February 12, 2021 @12:05PM (#61056336) Homepage

          So far, zero evidence of this supposed hack has been presented to the public, and until I see some, I'm going to consider this to be a snowjob. Put up or shut up, Bloomberg.

          Did you actually read the article [bloomberg.com] ? Or are you commenting on just the summary?

          This quote was interesting:

          Another Pentagon supplier that received attention was China’s Lenovo Group Ltd. In 2008, U.S. investigators found that military units in Iraq were using Lenovo laptops in which the hardware had been altered. The discovery surfaced later in little-noticed testimony during a U.S. criminal case—a rare public description of a Chinese hardware hack.

          The link is to the court record. The testimony in question starts on page 71. https://assets.bwbx.io/documen... [assets.bwbx.io]

          The article also quotes a large number of people. Some of these are "name withheld", but quite a few of the people were willing to go on record and were quoted by name.

          • by Guspaz ( 556486 )

            Nobody's saying this thing isn't happening as a concept, just that the Supermicro case appears to be bunk.

            I haven't read the Bloomberg article because it's paywalled. I'm not going to pay Bloomberg to read their unfounded conspiracy theories.

            • I haven't read the Bloomberg article because it's paywalled. I'm not going to pay Bloomberg to read their unfounded conspiracy theories.

              Odd, I just clicked the link [bloomberg.com] and it opened.

              When it opened, text did show up at the bottom of the article saying "you have 7 free articles left." Looks like you've been reading a lot of Bloomberg, odd considering how you think they print "unfounded conspiracy theories".

              • I haven't been to Bloomberg in ages, and when I tried to read the article I was presented with a paywall. This is probably because I have ublock, noscript etc. However, I'm not only not going to pay Bloomberg to read their shit, I'm also not going to trust them to run code on my computer.

              • by Guspaz ( 556486 )

                I've not read an article on Bloomberg in recent memory. It's possible that an extension like ublock is interfering. I don't think I trust an organization that deals in sketchy conspiracy theories to run without some basic protections like that. Or maybe it's that I'm in Canada. Or maybe it's that I have a pseudo-static IP, and used up the free allocation a long time ago. Who knows, not my problem. Nobody takes them seriously anymore anyhow.

                • I've not read an article on Bloomberg in recent memory.

                  In that case, you need to add the words "I am completely ignorant since I haven't read the subject we are talking about, but my uninformed opinion is" before your statement

                  the Supermicro case appears to be bunk.

          • "A large amount of Lenovolaptops were sold to the US military that had a chip encrypted on the motherboard that would record all the data that was being inputted into that laptop and send it back to China."

            So how do you "encrypt" a chip on a motherboard? I wasn't taught that at uni. /sarcasm

            • The Supermicro chips from the original Bloomberg article looked like capacitors. So if the Chinese have managed to breed intelligent capacitors then they can obviously also encrypt chips. Go Bloomberg!
      • by Anubis IV ( 1279820 ) on Friday February 12, 2021 @10:11AM (#61055880)

        Exactly this. Extraordinary claims require extraordinary evidence, but Bloomberg never provided any evidence of any kind.

        Their original article was based on unnamed and unidentified sources. Amazon and Apple were claimed to have had their cloud infrastructure hacked via compromised Supermicro boards, but one company confirmed they had never even had Supermicro boards in use in their data centers, while the other confirmed that their last Supermicro boards had been phased out for unrelated reasons a few years prior to the date that the alleged hack began. (One of?) the only named sources in the article whose interview was used to outline potential hacking possibilities publicly reamed Bloomberg after the article was published because they misused his quotes to make it sound like the hypotheticals he was discussing were reality. Virtually every other major news outlet published reports indicating that they were unable to confirm any of the information via their own sources.

        Perhaps most concerning, tens of thousands of these hacked boards supposedly exist and were delivered to numerous companies, yet not one person or company has ever produced the smoking gun or gone on the public record to say that they exist.

        Bloomberg got taken for a ride, refused to retract the reporting, and now they’re doubling down on this increasingly outlandish conspiracy theory.

        • by cusco ( 717999 )

          Those Supermicro boards were installed in the DVRs of the world's largest security hardware/software company (Lenel), which manages security for among other places the Pentagon (product now discontinued because of the move to IP video). Rather difficult to believe it would have been allowed.

        • Exactly this. Extraordinary claims require extraordinary evidence, but Bloomberg never provided any evidence of any kind.

          Not to stoke the tinfoil hat crowd, but this is what you'd expect if two of the largest nation-states were involved, one being the instigator and the other being the victim/investigator. The US and China wield immense economic power over companies like Supermicro, Apple, etc. Likewise, if the US wanted to keep a counterintelligence op secret, any domestic sources going on the record risk arrest. It's the perfect storm for trying to present evidence. You can easily imagine a scenario where China threaten

          • Not saying this is what's going on, only that if it was going on, it would look exactly like this.

            Absence of evidence is not evidence of presence.

            • Not saying this is what's going on, only that if it was going on, it would look exactly like this.

              Absence of evidence is not evidence of presence.

              If you go back and read what I posted you'll note I did not claim "evidence of presence." That's a fabrication on your part. I stated quite clearly that if China was involved in supply chain attacks, and if the US was actively working to keep it quiet, both parties would behave in ways to create the exact situation we find ourselves in. It's not a declaration; it's a hypothesis. Learn the difference.

        • Perhaps most concerning, tens of thousands of these hacked boards supposedly exist and were delivered to numerous companies, yet not one person or company has ever produced the smoking gun or gone on the public record to say that they exist.

          Don't know where you saw that. Bloomberg made no claims at all about the scale of the alleged hack. From the timescales involved, my assumption was there were only a tiny handful of compromised boards produced, targeted for delivery to specific OEM customers. There's no reason at all to believe that an entire production run of some board model was compromised. Bloomberg claimed a sophisticated nation-state level hack. The time and expense required to pull a handful of boards off the line and manually i

          • by Guspaz ( 556486 )

            How would the factory making a Supermicro board for a generic Supermicro product know who was going to buy that board down the line? That board could go to Joe's Home Server Farm just as easily as it goes to Apple or Amazon.

      • by AmiMoJo ( 196126 ) on Friday February 12, 2021 @10:27AM (#61055960) Homepage Journal

        Their claims are at least believable - the Chinese are basically accused of what the NSA was doing at the exact same time. Board level malware, hard to detect and difficult to remove. Supply chain attacks. Infected software updates. GCHQ was in on the act as well.

        On the one hand there is zero evidence. On the other, it would be surprising if the Chinese, and the Russians, and the Israelis, and the Japanese, and the French and everyone else were not doing it.

        Let's also not forget that this was during the time when an NSA contractor was able to walk off with large amounts of classified information. Apparently security was less than stellar.

        • Quick note : we both have lower user id's so we might have read the same stuff in our youth ( your ID dates you about 1998-2000 mine is 1999 or 2000, I forget with age LOL )

          Anyway, In the mid 80's the Sci-Fi magazine Analog publishes a multiple part series that exactly covered this.

          I am rather confident that outside of the public persona of Apple's top brass, when it comes to a hack on the main platform, Apple, will do whatever it takes to abolish the aberration-abnormality ( and I say those words with the

          • by src04c ( 1612593 )
            It would make sense for Apple, even from a business standpoint to deny it and maintain plausible deniability. Admitting it would have a direct effect on trust, which is a core component of some of their success (and to be fair, they make security/privacy fairly easy and straightforward for someone unwilling to invest the time needed to DIY it). Their diefiance to the FBI for even things like the San Bernadino shooters iPhone gained them trust int heir security, and an admittance like this would move that op
        • by Guspaz ( 556486 )

          My understanding is that the NSA was intercepting already manufactured products that were making their way through the mail system and modifying them (which can be extremely targeted), while in this case the claim was that Supermicro boards were being compromised in the factory before they were even sent to Supermicro (which less less targeted). It's not quite the same.

          • by AmiMoJo ( 196126 )

            The NSA sabotaged encryption standards, and it's widely believed that things like AES instructions and RNGs in CPUs were compromised by them at the design stage.

      • by sjames ( 1099 ) on Friday February 12, 2021 @11:16AM (#61056168) Homepage Journal

        THIS! Also, in the 2018 article, they tried to make it more convincing by showing us pictures of the so-called spy chip that were actually just a common surface mount resistor pack that didn't have connections to anything that would even make the supposed spying actions possible. They even included "quotes" from experts who explicitly denied they had said any such thing.

        Now they're doubling down, and even though they should know that there is a huge self-created credibility gap, they present their accusations again without a single shred of evidence to back it up. This time they claim it's malicious code implanted into a BIOS update. That's more credible by itself, but it should be easy enough to point to a particular BIOS update containing the malware and a disassembly of that malware. Perhaps a hexdump of the so-called beacon data. If it's really happening, they should be able to show us that.

        Meanwhile, TFA doesn't even show an understanding that what they're claiming now is NOT the same things as they were claiming in 2018.

        • by prisoner-of-enigma ( 535770 ) on Friday February 12, 2021 @11:50AM (#61056292) Homepage

          THIS! Also, in the 2018 article, they tried to make it more convincing by showing us pictures of the so-called spy chip that were actually just a common surface mount resistor pack that didn't have connections to anything that would even make the supposed spying actions possible. They even included "quotes" from experts who explicitly denied they had said any such thing.

          Again, not to get all tinfoil hatty here, but it's totally possible to conceal a malicious device inside a package that looks identical to a surface mount resistor pack. Without testing the traces or doing an x-ray of the device in question, it could be anything. Indeed, a covert malicious device would be designed to look innocuous on purpose.

          Likewise, if Bloomberg quoted an expert and that expert later declared "I said no such thing!" then something really weird is going on. Bloomberg is not some tabloid rag. To make up a quote on such a high-profile, sensitive topic would be extremely risky for them...and for what gain? A few more clicks? While it's not outside the realm of possibility, it would be incredibly irresponsible and risk a devastating blowback. While it may be possible, I don't see Bloomberg acting that stupidly. Another explanation is pressure was put on the "experts" to recant, and that's completely believable in the context of the current article, namely that China pressured Apple/etc. to deny any Chinese shenanigans and the US pressured domestic outlets to deny/suppress or risk uncovering a counterintelligence op. I wouldn't put such tactics beyond either the US or China.

          • by sjames ( 1099 )

            Again, not to get all tinfoil hatty here, but it's totally possible to conceal a malicious device inside a package that looks identical to a surface mount resistor pack. Without testing the traces or doing an x-ray of the device in question, it could be anything. Indeed, a covert malicious device would be designed to look innocuous on purpose.

            Sure, but if it's supposed purpose is to inject malware, it would need to be connected to the data lines. Given the small number of connections on a credible resistor pack, about the only place to stick it for code injection would be the LPC ISA bus.

            Given such an explosive claim, it's odd that it was denied by all parties including the experts interviewed and nobody anywhere corroberated the story with a photo of the actual spy device" in-situ or anything. Nobody came out with a hexdump of unauthorized data

            • Re: (Score:3, Informative)

              Sure, but if it's supposed purpose is to inject malware, it would need to be connected to the data lines. Given the small number of connections on a credible resistor pack, about the only place to stick it for code injection would be the LPC ISA bus.

              I agree...mostly. It's impossible to say definitively that a surface-mount device is only connected to what you see on the surface when you're dealing with a multilayer motherboard. While it would be an engineering challenge, the possibility of traces below the surface layer cannot be discounted. A full disassembly of the motherboard would reveal this, one way or the other. Yes, putting hidden traces on a motherboard would be a very involved process, but look at it this way: China has the means (both ec

              • by sjames ( 1099 )

                If they had an actual board in hand, they could easily get someone to do the examination. You could potentially mount a chip directly on vias or better, tuck the vias under the chip, but that would easily be revealed with a hot air gun and a strong flashlight. No need for a big expensive setup, many hobbyists have a sufficient workbench to do the analysis.

                You wouldn't even have to trace the connections all the way back, just place an interposer between the board and the chip and see if a digital scope shows

            • Some systems permit boot loading via I2C FLASH ROMs. Depending on what you are trying to attack, you only need access to 2 pins.

              Also, the nuances of a story can get lost in journalists simplifications.

              It could be that the BIOS ROMs contained the actual malware. The hardware modification may have enabled delayed payload activation. Thus, the computers would not be detected as compromised when being first installed. The chip would make the computer wait for a preset number of reboots, or for when a part

              • by sjames ( 1099 )

                But PC style hardware attaches the FLASH via LPC ISA. If I wanted delayed activation, I would put the counter in the main flash so I wouldn't have to add suspicious extra hardware. Flash can only be erased in blocks, but you can change a 1 bit to a zero bit by bit. For a counter, just use a block of addresses and use 0 bits as tally marks.

                The flaws in the 2018 story weren't nuances. It was a snow job using pictures of common components with deceptive captions to lend fake credibility.

          • Without testing the traces or doing an x-ray of the device in question, it could be anything.

            Then they should have done the trace and x-ray. Neither is difficult.

            Circuit board x-ray machines are common. They are used to verify the proper soldering of BGAs.

            Following the traces is even easier. Just delaminate the board and look at them under a 30x scope. Or use a cheap continuity probe.

            Even easier, remove the resistor pack from the board with a $5 soldering iron, then test it with a $10 ohm-meter to see if it really is a resistor pack.

            Or use a 5 cent sheet of sandpaper to remove the top of the pac

    • by Freischutz ( 4776131 ) on Friday February 12, 2021 @09:51AM (#61055798)

      If the hack is true, then basically it looked like China tried to apply pressure via Apple.

      And if that is true, it shows you *exactly* the kind of company Apple actually is.

      Well, to quote the Spartan ephors in their letter to Philip of Macedon: "IF" ... Where did you get that information? From a Q-Anon post? When they discovered these spy chips as the summary states, Apple & Amazon would have reported them to US intelligence because that's what they are required to do by US law. US signals intelligence people then decided to allow this Chinese signals intelligence operation to continue for intelligence gathering purposes. Monitoring and manipulating hostile intelligence operations rather than breaking them up is standard intelligence gathering procedure and has been since at least the Bronze Age. If Apple and Amazon issued denials I'll bet you cash money that they did so at the behest of US signals intelligence and not, as you are insinuating, because Apple and Amazon (which you omitted from your accusations for some curious reason) are in league with the Chinese Communist Party.

      • by cusco ( 717999 )

        Well, considering that Amazon doesn't have any Supermicro boards installed in their data centers I think it's unlikely that any other denial would have been necessary on their part, and undermines Bloomberg's credibility.

        • Well, considering that Amazon doesn't have any Supermicro boards installed in their data centers...

          Can you back that authoritative claim up with some actual evidence or is this another nugget you found in a Q-Anon post?

          • by cusco ( 717999 )

            AWS runs custom hardware in its servers, the doesn't buy commodity boards on the open market. That might not be common knowledge even though they've gone to lengths to publicize the fact.

            https://www.geekwire.com/2017/... [geekwire.com]

            • You realize that makes Amazon really easy to target, right?

              You know the equipment is going to Amazon because it's custom, so it's a great place to put your $EVIL_CHIP.

              • You realize that makes Amazon really easy to target, right?

                You know the equipment is going to Amazon because it's custom, so it's a great place to put your $EVIL_CHIP.

                Cuz ... Q-Anon says so!!!

                • The claim is "They're safe because it's custom hardware!!!", not that this story has the best sourcing.

            • Reading carefully I can see when a nation state could do mischief. And the reason is rather simple. Even the biggest of companies rely on outside suppliers. AWS bought an Israeli company for some of it. But there's a lot of hardware that makes up a cloud. Even wiring. Security as I'm reminded is the victim getting it right every time. While the enemy gets it right once.

              • by cusco ( 717999 )

                The goal of security is not to prevent every attack, since that's impossible. It's to make an attack inconvenient/expensive enough to discourage attackers, and to set systems up in such a manner that a successful attack is detected. (That's probably not what executives and the public think, but that's the practice for those of us who actually make our living in the field.)

      • Once the first hints of the Bloomberg story came out it was all over anyway.
        It's funny that anyone would think China would be stupid enough to believe they hadn't been caught red handed and still continue trusting the data.
        Why would the people who planted the devices, believe the denials? They'd already know it's not true.
        Anyone good enough to do what is claimed. Obviously would be keeping a close eye out for exactly this kind of thing, so they know if they have been discovered yet. It makes absolutely
    • Re: (Score:3, Insightful)

      by Anonymous Coward
      US Big Business simply cannot decide- To back China, or not to back China.

      Backing China has been the default, obvious stance for decades. Limitless cheap labor and an iron-clad fixed exchange rate meant that outsourcing US jobs overseas was a no brainer. No more pesky high wages and labor rights. Communist China can do away with all that, and as time went by the quality of their swelling industrial base outclassed the rotting remains of US manufacturing.

      But now Washington is sending out mixed messages
      • Re: (Score:1, Insightful)

        Excellent points. There's a lot of contradictory forces at work here. Trump and the neocons both supported Cold War v2 against China, but Trump actually tried to pull back from the neocon's disastrous endless wars.

        Most Dems bought the Bountygate stories (despite the total lack of proof), putting them on the side of neocons and endless warriors. Biden is making noise about China's human rights violations, but if he's truly the status quo leader he wants us to believe he is, then he will look the other way a

        • ROFL. So Trumpers are interested in "proof" all of a sudden.

          • Bit of a self-own that you read my comment and immediately rush to defending the Dems' credulity and willingness to be played by the endless warriors/military-industrial complex/deep state/whatever you want to call them. Liz Cheney, is that you?

    • Comment removed based on user account deletion
  • Huawei (Score:4, Insightful)

    by awwshit ( 6214476 ) on Friday February 12, 2021 @09:51AM (#61055796)

    Kinda of explains why the US Government is so against Huawei and other Chinese manufacturers. I always figured they had some knowledge that they were not sharing. Seems China has become good at supply chain attacks.

    • by cusco ( 717999 )

      It seems more likely that since Huawei is miles ahead of Cisco and the US telecoms, is eating their business, created much of the 5G standards, and is laying the groundwork for 6G that the ossified Old Tech in the US is doing the only thing they can to try to maintain their market share; bribe government officials.

      • That's all true, which doesn't negate that the situation creates an almost insurmountable network security problem for us (the US).
    • Kinda of explains why the US Government is so against Huawei and other Chinese manufacturers. I always figured they had some knowledge that they were not sharing. Seems China has become good at supply chain attacks.

      When you own the entire supply chain, it would be difficult not to be good at attacking it.

  • Show me the money (Score:5, Insightful)

    by Pinky's Brain ( 1158667 ) on Friday February 12, 2021 @09:55AM (#61055812)

    Just tell us which chip to decap and compare to untampered ones.

    • Just tell us which chip to decap and compare to untampered ones.

      Looks like Bloomberg has decided that if you've already shot off one foot, you might as well reload, blow off the other foot, and hope you'll end up levitating.

      The idea of China putting "spy chips" onto motherboards has never made one ounce of sense. Why should they use hardware that provides a perfect smoking gun pointing right back to them, when they have been so incredibly successful getting what they want by other means? As the recent Sol

  • And the US does exactly the same to other countries, so what's new? Hell, it's even known that a lot of US made hardware has backdoors for the NSA, but still no proof of any hardware from Huawei, for instance, that it would have a backdoor. Reason why the US doesn't want Huawei used is not because of possible Chinese backdoors, but because the US cannot hack the hardware and doesn't have an option for a backdoor.. THAT's the reason why they don't want Huawei hardware in other countries.
    • That's why to be truly secure, you need a chain of firewalls, Huawei to block the NSA backdoors, Cisco to block the CCP backdoors, etc...etc...

      • by cusco ( 717999 )

        Cisco built the original Great Firewall of China. When I was in college in the '90s everyone laughed when China declared they were going to spend $4 billion to upgrade their creaking antiquated telecom infrastructure, it wasn't even clear at the time where they were going to get that much foreign exchange dollars to spend. They loaned Cisco money (through cut outs in Hong Kong and IIRC London) to expand their manufacturing capability, and in exchange Cisco built a factory in China and sold them all the ha

    • by guruevi ( 827432 )

      Can you point to any US-based countries creating backdoors for the NSA? Not saying they don't exist, but whether they do is just speculation at this point and many systems that you may point at are open source as well.

      Huawei on the other hand has been caught red-handed (https://www.bloomberg.com/news/articles/2019-04-30/vodafone-found-hidden-backdoors-in-huawei-equipment)

      • Have you actually read the article, it's talking about vulnerabilities (as in bugs). And just do a google on Cisco and you'll find enough evidence of actually having put in real backdoors for NSA,not bugs that made it possible.
  • Fear, Uncertainty & doubt. And it's spread to Hauwei.
    • Oh yeah, SolarWinds was complete FUD, right?

      Its more than just Huawei. Are you going to deny issues with Dahua and Hikvision too?

      • SolarWinds was Russia, not China.

        I appreciate that someone from the USA has difficulty with the concept that there are other nations in the world, but do try.

        • Yes, yes, its all FUD. Great to meet you, Chen.

          https://www.reuters.com/articl... [reuters.com]

          • The sources, who spoke on condition of anonymity

            Yep, as FUD-dy as it gets.

            • Of course anonymous sources have never said anything remotely true, right? And China has nothing to gain, right?

              • Of course anonymous sources have never said anything remotely true, right?

                Correct, "anonymous sources" from the gubbermint are the most often used way to push a narrative, which is typically 99.9% of the time and 99.99% in the content pure FUD. Also correct, anything that is only "remotely true" is FUD by definition.

                And China has nothing to gain, right?

                I'm not sure I understand you. What has China got to gain from the FUD anonymous US government sources are spreading about it, and why does it matter?

                • Explain why I should trust China. Other than call everything FUD, you've provided no reason why I should trust China. Are you saying that China has nothing to gain by spying on the US?

                  • Explain why should I explain anything about "teh Chinar", when the discussion is about a specific piece of disinformation completely devoid of evidence and obviously generated by the US Government lies machine.

                    You claim what your link says is true without a shred of hard evidence.

                    Incidentally, also true of the "Russian ackers" alleged "involvement" in the SolarWinds bug debacle.

                    • I'm saying there is motive, there is capability, there is willingness. Frequently, there is information but you don't reveal your hand. The details will come out in time.

                    • Yes, bro, ALL will be REVEALED in GOOD TIME!

                      Here, have some more Kool-Aid.

  • Not only did show a photo with arrow to common chip claiming it was secret evil thing in Super Micro servers while spinning their tale with zero actual proof, they themselves were found to be a Super Micro customer. The retardation at Bloomberg just won't quit.

    • by cusco ( 717999 )

      Project Mockingbird is alive and well.

    • show a photo with arrow to common chip claiming it was secret evil thing

      Given that you can conceal quite a lot in something very small, how do you know it's not what they say? I'm not saying that proves it's an evil device but neither can you disprove by saying "hey, this two-millimeter cube on my motherboard looks legit so it must be harmless!" You can't tell a damn thing about it by just looking at it. You'd need to x-ray the chip, disassemble the motherboard layer by later and trace the contacts, and carefully look at all traffic to/from the device to make a definitive ru

      • They coupled their silly picture with zero actual proof or sources.

        I could write the same thing, "OMG American bathrooms have evil chinese spy cams", with picture having arrow to toilet's shut off valve.

      • Comment removed based on user account deletion
  • On the one hand, this time around Bloomberg actually has people with names willing to step up and say that there might be something here. That's a big improvement from their previous article

    On the other, they still have no concrete proof. A single motherboard with the malicious chip/BIOS would be evidence enough, yet they apparently can't get their hands on one?

    On yet another, if this is true, it makes sense that the US spying agencies would want to sit on it.

    But on yet another, if this is true, it makes no

    • I just don't know. Certainly this is a viable attack vector for a nation-state, and it kinda blows my mind that US military isn't exclusively using hardware made in the USA. While I'm all for globalization, you gotta balance costs with national security...

      The supply chain is much too complex to make blanket purchasing decisions like "no Supermicro gear" have the desired effect. What if the motherboard is assembled in the US but using parts sourced overseas? What if the chip fab is in China, but packaged in the Netherlands, resold by a wholesaler in Germany, shipped via a South African freighter, put on a Mexican trucking line for delivery to a factory in Texas for final assembly? And that's just one example of a relatively simple global supply chain. Som

    • it makes no sense that US military would still be allowed to purchase hardware from potentially compromised manufacturers.

      Equipment from certain manufacturers are banned on some US classified networks. For example, Lenovo was banned in 2006. [defense.gov]

      (Skip to the bottom of page 7, aka the 17th page of the PDF, for a paragraph that summarizes the situation)

    • Comment removed based on user account deletion
  • Once upon a time (Score:4, Interesting)

    by nehumanuscrede ( 624750 ) on Friday February 12, 2021 @12:13PM (#61056370)

    We used to laugh and make fun of the tin-foil hat crowd that pushed all sorts of crazy conspiracies out.

    Then along came Mr. Snowden, the revelations about room 641A, what the NSA's TAO team was doing, Vault 7 and probably an entire list of things I can't recall. ( And an even longer list of things we're not even privy to yet. )

    The moral of this story is this:

    Don't be quite so quick to discount or discredit what used to reside within conspiracy theory territority.
    If we've learned nothing else, an uncanny amount of truth is coming out of what used to be tabloid worthy material.

    • We used to laugh and make fun of the tin-foil hat crowd that pushed all sorts of crazy conspiracies out.

      Still do. Anyone know where I can get a crashed UFO?

  • standard spycraft (Score:5, Interesting)

    by hdyoung ( 5182939 ) on Friday February 12, 2021 @12:19PM (#61056392)
    This all sounds like standard spy-vs-spy stuff, just updated for this century. Of course China would try to do this. When (not if) the US found out about it, of course they would keep it secret, in order to take advantage of the knowledge. You know, maybe feed China false info. Of course the press would get a leak, because secrets are never secret for long. If course the government would keep the company in the dark, because informing anyone except the CEO and maybe 1 or 2 others (under threat of prison for disclosing) would result in prematurely blown cover. The government was just playing for time.

    I know that this sounds like I'm a conspiracy theorist, but in this case OF COURSE EVERYONE INVOLVED EXCEPT THE PRESS WILL DENY. This is run-of-the-mill espionage.
  • The bloomberg piece certainly looked like a bunch of BS when it first showed up. And then all the big boys started leaning on them, demanding a retraction. That was awhile ago. Now they're at it again with the same.

    Why haven't Apple and Amazon just sued them to force a retraction at this point? Don't tell me its because they're to busy or broke to sue.

    • by clovis ( 4684 )

      Why haven't Apple and Amazon just sued them to force a retraction at this point? Don't tell me its because they're to busy or broke to sue.

      Corporate mouthpieces can say almost anything they want to journalists (outside of violating SEC rules and things like that).
      Lying to the journalist isn't a crime, but lying in a depostiion is.
      When you sue someone, you give their lawyers the right of discovery.
      Another is that although the Bloomberg article may be wrong in some details, it is right in some of the things they said. Apple/Amazon/etc don't want those things proved in court testimony.
      Apple/Amazon/Supermicro may have found a problem and solved it

  • I don't have time to dig through the messages, but at a glance only two are particularly worthwhile: hdyoung, "standard spycraft," and XXongo, "Did you actually read the article?" Most of the rest merely demonstrate the validity of Mao's famous comment, "The Capitalists will buy the rope we use to hang them and put it around their own necks."

    The Bloomberg article is as extraordinary as claiming that a brick fell when someone dropped it. Beijing's intel community takes advantage of every opportunity others g

  • I appreciate the novelty of the supposed HW vector but it would be probably only be useful in very select high-value targets ie military, etc. Something like this that leaves such a clear footprint and is easily reversible is already abandonded due to the large surface area of Windows machines to code attacks. I read that people were complaining about spending $2 on 3 billion passswords, saying some of the data was corrupt. Plus with the busy work of several well known apt groups china already has m

Genius is ten percent inspiration and fifty percent capital gains.

Working...