Domain: risky.biz
Stories and comments across the archive that link to risky.biz.
Comments · 8
-
Re:Plenty of evendince of this is real
I had SMCI stock in 2017 and sold it after reports that Apple dropped them when they found serious security issues with their servers.
Going by that, the timeline would be that these companies discovered malicious hardware in 2015, kept thousands of those servers in service for two or more years, and only then decommissioned them. Does that make any sense at all?
Instead, if you read their initial responses to what Bloomberg published, they actually say more than that "they have no idea what Bloomberg is talking about". For instance, Apple provides an alternative explanation for Bloomberg's confusion:
[...] Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
Apple dropped SuperMicro shortly after that incident, making it a much more likely cause for the falling out. Likewise, Amazon cites firmware issues with SuperMicro boards in their response, though you'll note that they were still using SuperMicro boards in 2018:
Additionally, in June 2018, researchers made public reports of vulnerabilities in SuperMicro firmware. As part of our standard operating procedure, we notified affected customers promptly, and recommended they upgrade the firmware in their appliances.
All of which is to say, nothing about Bloomberg's story makes any sense. The timeline makes no sense, none of the alleged victims has anything to gain by lying, one of their only named sources has come out saying he doubts the story, literally every company or agency allegedly involved has said it's untrue, and Apple has even gone so far as to formally inform Congress that inasmuch as the story pertains to them it's untrue, while additionally affirming via press releases that they are not under a gag order or anything else of the sort.
Someone's credibility is going to take a nosedive after the dust settles from this, and I expect that it will be Bloomberg's.
-
Re: Bloomberg! Bloomberg! Bloomberg!
but I also wouldn't put it past Bloomberg to publish rumors for page hits.
The Supermicro story is turning out to be a hoax.
The only person actually named in the original Bloomberg story about the Supermicro servers was a "hardware expert" named Joe Fitzpatrick. As it turns out, he' s not all that much of an expert, and he has now done an interview where he says that he doubts the accuracy of the story:
https://risky.biz/RB517_featur...
He was communicating with one of the authors of the Bloomberg story for a couple of months before the story was published. Then, the story came out and things that he had described as being hypothetically possible were in the story, but presented as facts that they had gotten from various anonymous sources
For example, the Bloomberg guy said to him "One of my sources said the chip might be a signal coupler. What does that look like?" So Joe Fitzpatrick sent him a link to a picture from a catalog. And, lo and behold, when the story was published it contained that exact picture, presented as "proof" of the chip that was implanted on the Supermicro motherboards.
-
Re:obey gravity...it's the law
What is with politicians today making nonsensical statements like this?
This article, "No encryption was harmed in the making of this intercept", may be clearer in what the Australian politicians meant: https://risky.biz/bannedmath/ There are solutions for companies outside breaking/weakening the crypto while still allowing law enforcement to follow through with warrants.
-
Re:I like
I listen to the following every week:
Security Now
I'll have to give that a shot. I really like Risky Business http://risky.biz/. The caster, Patrick Gray, brings in a lot of interesting guests, and really seems to have a good handle on what kinds of stories and things matter, and what is just smoke and mirrors.
-
Done properly in Australian government departments
PRESENTATION: BYOD in government, a high level talk
Handy talk for CIOs and CSOs...Start the discussion 0 Comments
May 23, 2013 --The following is a recorded presentation from AusCERT. It's by Al Blake, the Chief Information Officer of the Department of Sustainability, Environment, Water, Population and Communities. In it he talks about BYOD, basically, from an Australian government perspective. It's not an overly technical talk, but it is a good overview of what a CIO like him has to consider when allowing staff to use their own devices in a heavily regulated environment.
-
Was on Risky.biz a month ago...
I heard about this on the Risky Business Podcast a month ago. Patrick interviewed Tyler Nighswander and they talked about the Divide by 0 issue, as well as how many receivers are out in the middle of nowhere, and have other issues (easily guessable passwords)...
-
Re:Suppose you live in an appartment.
That's your idea of a closer analogy? I daresay you are biased and painting things with deceptive license.
Let's make an honestly closer analogy:
When opening my apartment door I notice that my key has the apartment number written on it in a special way. Being a locksmith, I get an idea: Does the fancy lock just read the number to determine if the key's good? Because that would be bad. In the same style, I write a different number on my key, the number of my neighbor's apartment, and try it there. It works. We have a problem. I check the whole floor -- all vulnerable to this silliness.
I call up my locksmith friend and tell him how stupid this is. We have a good laugh and talk about what I should do. The next day I call the apartment manager, explain we've got a real problem, and I tell him what I did. I even walked his handyman through the steps so they could clearly understand. The manager has the problem fixed the next day. Job done, right?
The thing is, the super sends the cops to talk with me. With my having been a locksmith contractor to the same police force, it went okay, but it left me shaken. I mean, I talked with the super directly and gave him all my contact info. He knows who I am. Why send the cops?
Later on, the apartment manager sends a notice to everyone in the building, telling them there was a security problem, but it's fixed, and he sincerely apologizes. In particular he says:
It has come to our attention that a resident of our building devised a way to open your door. Access to your apartment was limited and rectified immediately.
Please note: This incident was not the result of a targeted attempt to access your apartment. This resident alerted us to the ability to open your lock and advised that your door was only opened when testing the security of his own apartment. The member advised that he has not taken pictures of your apartment or taken any items.
And now they've sent me a letter telling me they had to inform the police about how I got into the other apartments because it could be a criminal act; that tell me they've locked me out of my apartment; they say they had to spend money to fix this whole lock problem because of me — the nerve! — they say they have the right to get the money it took to fix their problem from me — what! — they say that they want complete access my keys, pens, desk, and tools; and they say that they want me never to look for security problems in the building again.
Your darn tootin'! If this is the thanks I get! Some people!
-
Re:Hell, why aren't the banks cracked?
Because they are monitored and recovered.
Fraud happens all the time, but the banks have developed heuristics to stop it before too much money is lost. Often transactions can be rolled back and accounts frozen before the money disapears, but not always.
Banks do lose huge amounts of money however, much of it through credit card fraud. That's the reason credit card interest rates are as high as they are. Customers are willing to pay those rates for easy access to money, so there is no incentive for US banks to move to something more secure like chip&pin or other techniques. Also, much of the cost of fraud is pushed back on the merchants, who have virtually no say in the card security policies.
If you're interested in learning more, there's some great inforation that was presented to the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology as
“Do the Payment Card Industry Data Standards Reduce Cybercrime?” on Tuesday, March 31, 2009 from the perspective of both the merchants and the credit card industry.http://hsc.house.gov/Hearings/index.asp?ID=185
Some good selections from the talks can be heard on the Risky Business podcast, episode #102.
http://risky.biz/netcasts/risky-business/risky-business-102-washington-spanks-pci-dss