Google Reducing Trust In Symantec Certificates Following Numerous Slip-Ups

An anonymous Slashdot reader writes from a report via BleepingComputer: Google Chrome engineers announced plans to gradually remove trust in old Symantec SSL certificates and intent to reduce the accepted validity period of newly issued Symantec certificates, following repeated slip-ups on the part of Symantec. Google's decision comes after the conclusion of an investigation that started on January 19, which unearthed several problems with Symantec's certificate issuance process, such as 30,000 misused certificates. In September 2015, Google also discovered that Symantec issued SSL certificates for Google.com without authorization. Symantec blamed the incident on three rogue employees, whom it later fired. This move from Google will force all owners of older Symantec certificates to request a new one. Google hopes that by that point, Symantec would have revamped its infrastructure and will be following the rules agreed upon by all the other CAs and browser makers.

Pass the blame

Symantec need to grow the fuck up and take responsibility rather than passing blame to rogue employees.
They are a major security platform of the world whose processes apparently suck as bad as the TLA's of USA.

Norton

What would Peter Norton say?

Re: Norton

"Fligglity smiggles!"

Please Mr. Norton, you need to take your needs.

"Snogglty floppers!"

Re:Norton

[Z00L00K]

More important is that this further highlights that the "trust" system as it is designed today is broken.

The trust system is based on that you get a default trust of a few CAs in the top, and if one is compromised the house of card suffers severely. And what happens if a CA is ordered by a government to provide false certificates? We can't know if that's the case or not because it will look identical to a real certificate unless it's inspected on a very low level and compared with the certificates assigned to the company using them.

Re: Norton

I guess he should take his needs.

Re:Norton

[Billly+Gates]

Fine. You have a better solution? Active Directory on corporate networks work the same way with trusts on other domains. DNS root servers too have trusts before they replicate.

Re:Norton

[AmiMoJo]

The only defence we have is that if a CA was forced to issue a cert and it was discovered in the wild, it would destroy the CA. Well, that and certificate pinning for important sites. Even if a government did get a cert for google.com, Chrome would not accept it because the google.com cert is pinned.

Re:Norton

Fine. You have a better solution?

Step one: Any browser that cares about security MUST stop regarding https with CA certificates as any more trustworthy that self-signed certificates or plain http.

If that doesn't happen immediately[1], we can't trust the browser makers, and starting over with a new certificate system will not be enough, we will also have to replace the browsers with new browsers made by trustworthy people.

[1] That is, immediately after the Bluecoat fiasco was discovered and this failed to result in Symantecs root certificates being revoked.

Re:Norton

The only defence we have is that if a CA was forced to issue a cert and it was discovered in the wild, it would destroy the CA.

You mean the same way that the Bluecoat certificate fiasco destroyed Symantec, and only horribly insecure browsers like Chrome, Firefox, Internet Explorer and Opera still trust their certificates?

Re:Norton

[TheRaven64]

Step one: Any browser that cares about security MUST stop regarding https with CA certificates as any more trustworthy that self-signed certificates or plain http.

Why? Plain HTTP can be compromised by anyone on a hop between you and your destination. HTTPS with a self-signed certificate can be compromised by anyone on a hop between you and your destination, but can be detected if you do certificate pinning or certificate transparency. HTTPS with a signed cert can only be compromised with cooperation from a CA. The set of people that can compromise signed HTTPS is significantly lower than the set that can compromise self-signed HTTPS.

Re:Norton

[Billly+Gates]

Step one: Any browser that cares about security MUST stop regarding https with CA certificates as any more trustworthy that self-signed certificates or plain http.

Why? Plain HTTP can be compromised by anyone on a hop between you and your destination. HTTPS with a self-signed certificate can be compromised by anyone on a hop between you and your destination, but can be detected if you do certificate pinning or certificate transparency. HTTPS with a signed cert can only be compromised with cooperation from a CA. The set of people that can compromise signed HTTPS is significantly lower than the set that can compromise self-signed HTTPS.

I remember in the days of IE 6 and me opening questionable porn in my youth I would get slow or weird responses from HTTP websites. I do an ipconfig of the name of the site. I then disconnect and then reboot and or sometimes do a ipconfig /release and VIOLA now when I do an ipconfig it points to a different IP address.

MITM was quite on occurrence in the old days. Of course if my DNS is pointing to somewhere else it means my PC was probably compromised but my point is changing something and a ipconfig /release fixes it shows it is easy to spoof before MS took security more seriously as it does today.

Re:Norton

[Z00L00K]

The difference now is that many hackers have developed tools for MITM attacks on https.

And it still doesn't validate that sites running https are seen as more trustworthy and allows the browser to do more.

In addition to that - realize that with increased number of parties involved the security issues increases. I would prefer that my bank signed their own certificates and sent a keycard to me with the certificate that I should use combined with the CA certificate for the bank. That way only two parts are involved in the channel and the certificates can be validated both ways. At least as long as neither of the end systems are compromised.

Re:Norton

[TheRaven64]

The difference now is that many hackers have developed tools for MITM attacks on https.

Yes and the same tools work with a self-signed cert or with HTTP. To make them work with HTTPS and a signed cert, you need to have a compromised CA signing cert. This is still currently mostly limited to nation-state adversaries.

Re:Norton

Saying a cert can be only a little bit untrusted is like saying someone can be only a little bit pregnant.

If it's not trusted, it's not trusted, period.

Re:Norton

[Z00L00K]

No, you don't understand that - if you have three involved in a certificate management you have a higher risk than if you have two involved where you have exchanged the certificate validation only between those two parts. A certificate created where one of the parts is a private CA is what you need for best security, and that's essentially what a self-signed certificate is.

But if you don't validate the certificate at either end to ensure that the signer is a valid signer you have a MITM attack possibility, and if the CA is a third part you have a higher risk of a MITM situation - like the Symantec CA.

The reasoning that self-signed certificates are less secure is based on that they aren't validated, but if they are properly validated at both ends they are more secure. But that's not something the popular CAs want to inform you about since that would be bad for their business.

And how many really validates the certificates of a https connection anyway?

Re:Norton

You clearly don't know how self-signed works. They are no crypologically weaker than CA signed certs. BobSmithsCertSigner.exe may use parameters from 1995 but OpenSSL can and does generate entire CAs.

There is ZERO special sauce in CA certs except their root(read self-signed) cert is explicitly trusted by Chrome/Windows/et al then they use their self-signed cert to sign other peoples certs.

If i physically hand you a self-signed cert on a thumb drive and you install it in your trust store you can be 100% assured that your connection to my web server is secure when the browser validates it based on the cert you installed in the trust store that I physically handed you. With a Verisign signed cert you just trust that they say I am who I say I am and that they would never give away private key data to 3rd parties because their cert came preinstalled.

Re: Norton

I never realized you were dumb until this post. So much stupid in one post.

Re: Norton

I would. NEVER say she is "a lot" pregnant!

Re:Norton

May I add to your point that one part of the problem is that today's scheme mixes two different problems : identity proof and privacy.
Talking privately (ie in encrypted form to prevent eavesdropping) has nothing to do with ensuring who you are talking with.

Objective Case

[kamapuaa]

Are editors asleep at the wheel? Google fired the employees, so the employees should be addressed in the objective case. Whom it later fired, not who.

Re:Objective Case

[whoever57]

I would say "you must be new here", but I see from your ID that you have been reading Slashdot for many years.

Re: Objective Case

[Zero__Kelvin]

A low ID indicates the account was created a long time ago. It doesn't say anything about how long he has been actually reading Slashduh articles.

Re:Objective Case

[bill_mcgonigle]

Objectively, it was Symantec that fired the employees.

Re:Objective Case

If you hired a law firm and obtained the services of a specific lawyer who was extremely negligent and completely threw your case to the wolves, do you find fault with the specific lawyer, or the law firm that you actually have the contract through? It's similar here - you do not buy your Symantec SSL cert from one of those three rogue employees, but rather from Symantec itself. It is the entire company that bears the burden of the misdeeds of any of its employees.

Re:Objective Case

[Desler]

You do realize that this site has always been accessible and viewable all without an account, right?

Re:Objective Case

[Desler]

Google fired Symantec's employees? lolwut?

Re: Objective Case

[BronsCon]

Indeed, this is true. I've been reading /. practically since day 1, yet I have a high 6 digit ID.

Nuclear option, tactical only...

Google went full nuclear, but the tactical nuke variety rather than full scorched earth.

Not entirely clear if this covers only EV, or what the fallout for DV cert owners will be.

Bluecoat

They issued root faking ability to bluecoat. Their certs are untrustable at this point.

Re: Bluecoat

[bsDaemon]

Also, they straight bought out BC, meaning a major root CA owns a major SSL/TLS intercept platform as well. But of course, we can trust them...

Re:Bluecoat

[mysidia]

They issued root faking ability to bluecoat. Their certs are untrustable at this point.

Cool. Can we get someone who owns one of the Bluecoat appliances to extract the private key that it's using to sign the SSL intercept certs with?

Re:Bluecoat

[phayes]

The root certs in question were not widely deployed and were revoked long ago not that that excuses the CA from issuing them.

Re: Bluecoat

And the company where I work recently put in Blue Coat to spy on employees. They are probably reading this right now.

Re:Bluecoat

Better Idea.

Google buys off few Bluecoat users for security audits( or offers some big sites help)
This way Google can burn them again, while locking down forgeries.

It seems obvious huge BC users WANT and demand MITM spying, and from work at home via Citrix.
Say NO - or issue a certificate under the table for .gov site. I think money comes first.

Re:Bluecoat

[Mr0bvious]

Symantec, really... Symantec...

You mean they once had trust?

What a strange world we live in.

And you're trying to tell me we're *not* living in a simulation?

Re: Bluecoat

And the company where I work recently put in Blue Coat to spy on employees. They are probably reading this right now.

GET A NEW JOB!

Re:Bluecoat

[mysidia]

The root certs in question were not widely deployed and were revoked long ago not that that excuses the CA from issuing them.

It could still be useful if someone were to extract them on one of the few deployments in existence.....
Just because the cert has been "Revoked", does not mean people are not still running around with hardware or software that will trust it. Because many applications don't even bother to check for revocation, example: Firefox doesn't check CRLs, instead they have their own proprietary CRL service that only bothers with high-profile site names --- too much latency would be re-introduced by turning proper revocation checks back on.

Re:Bluecoat

[Aussiewebmaster]

Namecheap and Comodo are replacing these SSLs for free https://www.namecheap.com/secu...

Outsourcing

That's what you get for outsourcing security (and trust).

Re:Yes.. because with only a 49% stake in ownershi

Symantec sold their share of the joint venture in 2012.

Trust but verify

Personally, I don't trust any of the CA's in my browser after the Digi-Notar problems

The Dying Days of the Certificate industry

[rahvin112]

If there is one thing the certificate industry has proven it's that you can't trust any of them. The only solution is the automated solutions like the non-profit Let's encrypt have built. You know it's a good cert because only the person in control of the domain could get it. And I'll tell you what even with it's warts I trust it way more than I trust these damn companies that have 4 year olds signing off on certificate procedures and handing certificates to anyone with the cash.

Ultimately it's going to be movements like Let's Encrypt that fix this trust issue by taking it out of the hands of people trying to make a buck on "trust" when none of them could be trusted.

Re:The Dying Days of the Certificate industry

[skids]

You know it's a good cert because only the person in control of the domain could get it.

...or anyone p0wning enough of their services at any particular time.

Re:The Dying Days of the Certificate industry

And?

If somebody is capable of getting into the system far enough that they can spoof the authentication methods Let's Encrypt uses to verify ownership/control of the domain, they can also, in all likelihood, gain access to the private key as well.

If they can gain access to the private key, then that's it: game over. Doesn't matter what you do, TLS is not going to save your customers' hides. The only way to deal with that problem is to lock down the server so they can't get back in, and create a new certificate, revoking the old one.

TLS is not a panacea for poor server-side security - it's an adjunct to it. If server security has been broken, TLS can't fix it.

Re:The Dying Days of the Certificate industry

[Billly+Gates]

You have a better solution? You want the US government deciding instead like ICAAN in addition to being a central point of exploit?

If you let others self sign that means you risk having the private keys known and it's game over. Let's encrypt has same problem in which they can screw up and hand out extra certificates. Also if they are hacked and private key is leaked then game over the Internet is done as we know it. This makes me not want lots of players on the CA space

Re:The Dying Days of the Certificate industry

[AmiMoJo]

Let's Encrypt doesn't verify identity, which is one of the major functions of the certificate system. The certs that Let's Encrypt offer are enough to enable HTTPS, but not to confirm the identity of the organization running the web site. Such a cert won't give you confidence that randombank.com is actually being run by Random Bank Inc.

Put another way, if you managed to register gooogle.com you could get a Let's Encrypt cert for it. What certificate authorities are supposed to do is verify that the person requesting the certificate is actually who they say they are, and refuse to offer a cert for "gooogle.com" that says it belongs to "Google Inc."

Re:The Dying Days of the Certificate industry

I concur. I've used Let's Encrypt quite extensively and based on my own research on the subject I find their model to be the most trustworthy. The exposure of the key(s) is extremely small compared to other methods of acquiring a TLS certificate, and you know indeed that the owner of the domain is the only one who could acquire their certs.

Some people are saying of course that anyone who "pwns" a server can acquire those certs. True, but it doesn't matter since the system is already pwnt and they can do anything they want with all the data in the system directly. MITM at that point is absurd.

What I'd like to see is the Let's Encrypt's model get more popular among other CAs too, supplemented by a "peer review" system. A system where individual users or other third parties constantly verify all certificates they come across and notify if e.g. the issuer is different for you than the others. This would be an effective approach in rooting out rogue certs used for MITM attacks.

Re: The Dying Days of the Certificate industry

That's right. Just as we fixed the crooked financial industry by starting our own distributed currency, Bitcoin, which has never had any problem.

Re:The Dying Days of the Certificate industry

Lets Encrypt combines the worst parts of SSL cert management, and adds its fail. Anyone can get _a_ cert, and they do so by running a pile of someone else's code on their server, meaning you have really clueless admins suddenly being "secure".

Hint: SSL is not hard to do, you just have to focus, learn a few concepts, and know how your gear works. Running script kiddie code and then thinking #security is the worst possible outcome.

Re:The Dying Days of the Certificate industry

[skids]

There are various attack vectors that allow spoofing of those creds without access to the private key.

What such an attacker can't likely do is answer an on-premises phone call from an extended validation CA to get a new cert for the domain in question.

Don't get me wrong -- letsencrypt is a good thing for encouraging at least the possibility of security among those who cannot afford a real CA. But no fully automated system will ever be able to offer better guarantees than a staffed-up CA (not that all staffed-up CAs actually add much value, but some do). Nor are they necessarily less likely to do what Symantec did... an internal actor could issue certs willy nilly. Breakdowns in internal checks and balances in any organization can occur. CAs will succeed or fail based on their ability to prevent them.

Re: The Dying Days of the Certificate industry

Being able to register google.com and prove you have control of the domain is validation enough.

I would say it's more important that the one who registered and controls the domain is more important than the company name. Example, nissan.com.

Re:The Dying Days of the Certificate industry

DANE is the solution. The need for CAs then dries up.

Symantec's take on security

[Plocmstart]

I met a marketing exec at the Freescale Technology Forum in Austin last May. Their take on things was the good 'ol way was still the best way. I need to find his business card since he said he'd buy me lunch if Bitcoin was still around a year later.

Re:Symantec's take on security

Bitcoin is around.. If you're Chinese. :)

Why do we need CAs at all?

Can someone explain to me why domains don't just include a public key in their DNS record (signed all the way up to a root authority), and to verify the site you're connecting to is indeed that site, you ask that site to sign a random number with their matching private key?

Why, exactly, are we still fucking around with certificate authorities, decades after having the knowledge, ability, and incentive, of being able to implement something like the above?

Re:Why do we need CAs at all?

[jonwil]

What you suggest exists. Its called DANE.
However browser vendors (like Google and Mozilla) have been reluctant to implement it because there are many real-world cases where DNS servers of various sorts simply dont support DNSSEC and DANE and also because DNSSEC and DANE use weaker 1024 bit keys in some places (chosen to keep bandwidth usage lower).

Re:Why do we need CAs at all?

[chihowa]

Browser vendors like (Google, Mozilla, Microsoft, and Apple) don't support DANE because they're big enough to each run their own trusted (by the other browsers) CA and so they don't feel the pain of having to buy certificates and "trust" third parties. They're fully invested in the CA model: sometimes charging for continued inclusion on their root CA lists and other times proposing standards that further cement the mandatory role of CAs (Certificate Transparency).

Just like you'll never see laws that are genuinely beneficial to the people come from our autocratic politicians, you'll never see support for a (more-) decentralized trust system like DANE come from the self-declared "trusted" Certificate Authorities.

Poor Symantec

[freeze128]

Poor Symantec. Google is making their CA business worthless. Microsoft is making their antivirus business worthless.

What's left? VPN?

Let's Encrypt

Just switch to Let's Encrypt and be done with it. It's better and it's free.

Re:Let's Encrypt

[campuscodi]

No it's not. Let's Encrypt is even a bigger offender. Example: Let's Encrypt issued over 15,000 certificates for domains containing PayPal in their name (obvious phishing sites): https://crt.sh/?identity=paypa...

Re:Let's Encrypt

I don't see any certs in that list issued for "paypal.com" however.

Unless you can show that the owner of any of those domains was not the one(s) to have the certificate issued for that domain, then Let's Encrypt has done their part of the job in full.

For example, the cert issued for "www.paypal-securepyment.flu.cc" is and only ever was intended to ensure that you are speaking to the server under the same name.

Class 1 certs are not and never were intended to go further, and make no claims that domain/cert/server/etc are related to the company name "paypal"

EV certs are in theory meant to do that, but as Let's Encrypt doesn't issue such certs at all (can they even?), that's moot for your point.
Even for other CAs that can, EV certs will make your browser show the issued-to company name to inform you specifically of that fact.

Certificates only address encryption and identification, and your examples prove that's exactly what they are doing.

They do not address the issue of a human failing to care about which server they are going to, only addressing the server they instructed the browser to go to us the one the server was identified as.

Now you may very well think that function is useless because it doesn't go above and beyond its goal. And that's fine.
But the actual function they perform is still very important and very much desired by those of us that don't have expectations beyond what is offered. And that should be fine with you too instead of trying to argue a useful tool be taken away from us.

Sorry if that sounds elitist, but it's hard not to when those of us that know how to use a tool are speaking to those that don't understand why the tool even exists let alone how to use it.

Still, I don't trust "Google"

Still, I don't trust "Google", or whatever their name is nowadays.

That explains the "not entirely secure" note on

[sabbede]

the Treasury department's Inspector General's page that I used to report an IRS phishing call.

"Signed all the way". That's just a different CA

[raymorris]

> Can someone explain to me why domains don't just include a public key in their DNS record (signed all the way up to a root authority) ...
> Why, exactly, are we still fucking around with certificate authorities

Okay, so the DNS record would have a signed certificate. You'd have "the root authority" sign certificates? You would trust this authority for certificates, and this "certificate signing authority" would be better than having a certificate authority?

What you've suggested can be said more succinctly as follows:
Why aren't the people who run DNS also certificate authorities?

You still have CA, you've just decided that the CA needs to be the same people who run DNS, because ... well no good reason that I can think of. What does that gain you?

Re:Yes.. because with only a 49% stake in ownershi

[syn3rg]

From the link;
Huawei Symantec and Symantec Corporation are two separate entities.

Trust gone due to slipups by advertisers?

See subject: Especially ones infecting/tracking/slowing us? Stop ads via APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

Ads/script & malware rob speed/security/privacy

Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

* Via what u NATIVELY have built into the IP stack in FASTER kernelmode!

APK

P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

True. Anyone who has ever called a locksmith knows

[raymorris]

What you've said is exactly right. Anyone who has ever called a locksmith because they were locked out of their house or car understands two things:

1) They weren't able to get in without the key - it was secure.
2) The locksmith got in without a key, probably in under 2 minutes. It was not secure.

Security is a quantitative thing, not a binary thing. You can ask HOW secure something is. Asking "is it secure, yes or no?" is folly.

Standard TLS (https) is much more secure than plain text (http).

Standard TLS connections are useful in the same way that physical locks are useful - they make it unlikely that anyone will in fact defeat your security. Both *can* be defeated by a skilled person using the right tools, given they invest enough time in doing so. Both are more secure than leaving stuff wide open for any passerby to take.

Self-signed certificates are slightly more secure than plain text on a *technical* level, but because they may create an illusion of strong security where none exists, they may be less secure in practice.

We have customers using self-signed certs (without pinning) who mistakenly think the self-signed certs prevent MITM attacks, so they send sensitive data over these connections, "secured" by TLS using self-signed certs. They'd arguably be more secure overall if they understood they have no protection on those connections, so they wouldn't use them for sensitive data (or would encrypt the data before sending it over the non-secured connection). A misunderstanding of the "protection" offered by self-signed certs leads them to do something foolish.

In this regard, there is a counterpoint to what I said above about it being folly to ask "is it secure?" as a yes or no question. It may be wise to try to create a binary secure/non-secure label in order to ease understanding. Weak security can fool users into thinking it's "secure", so it may be better to either secure something strongly or not at all, so users can easily tell that it's obviously not secured.

Re:"Signed all the way". That's just a different C

[JesseMcDonald]

You still have CA, you've just decided that the CA needs to be the same people who run DNS, because ... well no good reason that I can think of. What does that gain you?

First, this is for Domain Validation certificates only. The normal CA process would still apply if you wanted an EV certificate—though you could restrict your domain to a specific EV certificate for additional security.

If someone has control over your domain records they can already obtain a DV certificate for your domain from just about any CA by redirecting the domain to their own servers. What DANE buys you is all the security you would get with Domain Validation minus the need to deal with two different CAs, one for DNSSEC and another for TLS.

As a bonus, with DANE records for a site "example.com." there are only three entities you need to trust: the domain administrator for "example.com.", the registrar for "com.", and the root authority. In the traditional CA system any CA can issue a certificate for any domain, so you're forced to trust dozens (if not hundreds) of CAs both to maintain the security of their signing keys and to refrain from issuing an unauthorized certificate for your domain. A breach at any one of those CAs can compromise the security of your site.

There are 900 .com registrars

[raymorris]

> there are only three entities you need to trust: the domain administrator for "example.com.", the registrar for "com.", and the root authority.

There are 900 registrars handling .com, any of which can issue a transfer and change the root DNS servers for any .com domain.

Re:There are 900 .com registrars

[JesseMcDonald]

There are 900 registrars handling .com, any of which can issue a transfer and change the root DNS servers for any .com domain.

So they don't keep track of which registrars are responsible for which domains? That does seem a bit messed up, if true. My impression was that there was a formal process registrars had to go through to transfer control over a domain name—or does that only restrict domain owners, and not registrars? If the control over .com domains is really as chaotic as you say then that is a separate issue that ought to be addressed independent of DANE or DNSSEC.

Even so, DANE still gives you the benefit of domain validation without the need to deal with a traditional CA as well as your DNSSEC trust chain. You also have the option of choosing a TLD with saner access controls than simply granting 900 separate entities global write access.

Re:There are 900 .com registrars

[chihowa]

The registrar doesn't sign the TLD, the administrator for that TLD does. So for .com, it's Verisign.

Re:There are 900 .com registrars

[JesseMcDonald]

Right, but if Verisign allows any registrar to update DS records for any domain, and not just the ones they're individually responsible for, then a registrar other than your own could push a malicious DS record for your domain into the TLD where it would be duly signed by Verisign, and you're back to trusting 900 separate registrars rather than just your own authorized registrar and Verisign. The TLD should only allow one registrar to update any given domain.

Re: Pass the security

[slashrio]

If your security depends on trust in private companies then you really are in trouble.

Re: Pass the security

If your security depends on trust in private companies then you really are in trouble.

You are probably 100% right but;

• our processors, which have 100% control of everything, come from ARM, Intel and AMD, private companies
• Our memory, where we work on all our data, come from Micron, Samsung, Hynix, and Toshiba, private companies
• Those memory chips are mounted in modules by a random range of smallish companies dotted around Taiwan and the rest of the world
• Our storage, where we store all our data ... you get the picture

If you are right then almost everybody is fucked.