Slashdot Mirror
The Software Side of China's Supply Chain Attack (bloomberg.com)
Bloomberg BusinessWeek published a story on Thursday which claimed that data center equipments run by Amazon Web Services and Apple were subject to surveillance from the Chinese government via a tiny microchip inserted during the equipment manufacturing process. Both Amazon and Apple have vehemently refuted Bloomberg's reporting. Bloomberg's reporters, who have spent more than a year on the story and have cited 17 sources for the claims they make in it, have doubled down. In a new story, the news outlet reports that Supermicro was the target of at least two additional forms of attack. This report claims that Facebook was aware of these attacks, too, which has confirmed it. From the story: The first of the other two prongs involved a Supermicro online portal that customers used to get critical software updates, and that was breached by China-based attackers in 2015. The problem, which was never made public, was identified after at least two Supermicro customers downloaded firmware -- software installed in hardware components -- meant to update their motherboards' network cards, key components that control communications between servers running in a data center. The code had been altered, allowing the attackers to secretly take over a server's communications, according to samples passed around at the time among a small group of Supermicro customers. One of these customers was Facebook.
"In 2015, we were made aware of malicious manipulation of software related to Supermicro hardware from industry partners through our threat intelligence industry sharing programs," Facebook said in an emailed statement. "While Facebook has purchased a limited number of Supermicro hardware for testing purposes confined to our labs, our investigations reveal that it has not been used in production, and we are in the process of removing them." The victims considered the faulty code a serious breach. Further reading: Bloomberg's spy chip story reveals the murky world of national security reporting.
"In 2015, we were made aware of malicious manipulation of software related to Supermicro hardware from industry partners through our threat intelligence industry sharing programs," Facebook said in an emailed statement. "While Facebook has purchased a limited number of Supermicro hardware for testing purposes confined to our labs, our investigations reveal that it has not been used in production, and we are in the process of removing them." The victims considered the faulty code a serious breach. Further reading: Bloomberg's spy chip story reveals the murky world of national security reporting.
To pretend there's no chinese espionage. And Tienneman square never happened.
Maybe if they post enough the government won't harvest their organs.
The Intel ME processor built into every Intel x86 chip can do all of this and more, yet nobody even bats an eye
Hell, it runs even when your computer is turned off
Wow, Chinese government shills are quick on the draw today. Congratulations on your fp.
to our markets was supposed to be a grand benefit ?
And why we have a senator with a Chinese spy on her staff
https://www.washingtonpost.com...
Both Amazon and Apple have vehemently refuted Bloomberg's reporting.
They haven't "refuted" it, they've "denied" it. Or perhaps "rebutted" it.
Intel used not so tiny chip to allow people to hack your PC?
So they hack to compensate
Surely the Russians did this. They seem guilty of everything else these days...
..looks like I'm going to be able to buy SuperMicro servers super cheap! I suspect the used server market is also about to be flooded..
I do not belong to the church of the lowercase 'i'
How many of us have hand carried blade servers to install in a data center? Interception of gear shipments and modifications in transit have been going on for decades. Dark silicon and closed source firmware are the norm now. The Chinese are amateurs...
Extraordinary claims require extraordinary evidence, until someone publish a technical paper that can be peer reviewed
with detailed information of the chip and how its works, this is a misinformed article at best or a propaganda at worse.
SuperMicro is going to mean the number of customers they end up with.
BlameBillCosby.com
Da Comrade! Is very true. Next time though, try not to sound like a low rent Soviet extra in an 80s movie with your sentence structure. Putin will not be pleased to see you acting so transparently. Maybe he will invite you in for some polonium tea to talk about your performance....
A strong argument against our government agencies actively backdooring stuff (cisco hardware, AES, key escrow, etc) and passively maintaining an arsenal of zero day exploits is that these things will be leaked or discovered independently and used by adversarial states against our companies and citizens.
It's happened a bunch.
Now some companies catch China doing it. They protect themselves, turn over the details to three-letter-agencies, and deny it ever happened so that the exploit can be added to the national arsenal of weaponized vulnerabilities.
Good times.
Please freak out and put all of your Supermicro shit up on eBay.
I like Supermicro.
They are all aware of it. They all have known about it. They don't care as long as it stays out of the mainstream US media because they don't want to clean up the shit show.
Show us the chip; not marketing diagrams invented for reporting.
I remember way back in the 20th century you can get schematics that show the circuit, parts, etc. And if you can read schematics, you can also learn how things are put together and learn how to do stuff yourself. Places like Radio Shack will give you a better paying position besides just a clerk.
Come to think of it, it is a struggle to get actual schematics. And if you can get them, they are so densely packed with lines and many unclearly labeled boxes, not very useful.
mfwright@batnet.com
works for the Dept of Defense lost their job over this ?
I mean, motherboard from china, great, install it in the nuclear launch backup servers....
You want to see "seed" in action, check your mom.
If the US really wants to embargo itself then so be it, you'll be left behind in every area of science and crawl back to trading as a junior partner within 5 years.
Chips are in supermicro hardware deployed in china. what did you think? they'd export their best tech?
Come to think of it, it is a struggle to get actual schematics. And if you can get them, they are so densely packed with lines and many unclearly labeled boxes, not very useful.
I used to work at a contract manufacturer, working on production failures for a certain network/security device company. (Not Cisco, one of the other big ones) Even getting detailed schematics, board layouts, signal functions, etc. was a giant pain in the ass. Those types of companies guard that shit like it's gold. What I don't understand, try and find a schematic/repair manual for any modern piece of sound equipment. Can't get them half the time, the other half the time they want to charge you $40 for the PDF. Almost like they don't want you fixing their stuff, and would rather you buy a new one.
Time for China to be used only for resources, like Russia.
FYI, Analog wrote a 3 part series of this back in the 80's, it had a title of corporate warfare I think.
but it's exactly that. 1 subsidiary installs the bug into the chip, another outfit installs the software that will trigger the chip to behave as coded, and another does the hack at the terminal to start the entire process of getting access into the systems.
update, it might be august 1977's story cold cash war ... wow, I never new I read so many of these http://www.analogsf.com/about-...
if you see me, smile and say hello.
partially. Amazon and Apple deny any claims by this story. They also say thy are _not_ under any gag order about this.
It seems there's a lot of bullshit here, let's wait for Supermicro and others to weigh in.
Seems popular these days to invent blame on foreign governments, starting from Russians, now onto China.
"In 2015, we were made aware of malicious manipulation of software"
Facebook confirmed nothing you fucking morons ...
It's the only reasonable response those slant-eyed bastards will ever respect. Theyve poisoned the worlds opiate supply. They need to be put in their place.
NUKE CHINA.
Your zero thought post made a HUGE difference in everyones lives.
It does looks like Bloomberg's story isn't complete and relies on anonymous sources.
"Today’s bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it’s not, and a lot of people screwed up." https://techcrunch.com/2018/10...
Links from the Techcrunch article:
"The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims." https://www.apple.com/newsroom...
"Steve Schmidt, Chief Information Security Officer at Amazon Web Services stated, "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems." https://www.prnewswire.com/new...