Slashdot Mirror
Bloomberg's Spy Chip Story Reveals the Murky World of National Security Reporting (techcrunch.com)
TechCrunch's security editor, Zack Whittaker, analyzes Bloomberg's recent report that China infiltrated Apple, Amazon and others via a tiny microchip inserted into servers at the data centers associated with these companies. With Apple and Amazon refuting Bloomberg's claims, Whittaker talks about the "murky world of national security reporting" and the difficulties of reporting stories of this magnitude with anonymous sources. An anonymous reader shares an excerpt from his report: Today's bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it's not, and a lot of people screwed up. Welcome to the murky world of national security reporting. I've covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories -- including the U.S. government's covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens. Even with this story, my gut is mixed.
Naturally, people are skeptical of this "spy chip" story. On one side you have Bloomberg's decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources -- some inside the government and out -- and presenting enough evidence to present a convincing case. On the other, the sources are anonymous -- likely because the information they shared wasn't theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say "a source familiar with the matter" because it weakens the story. It's the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves -- though transparently published in full by Bloomberg -- are not bulletproof in outright rejection of the story's claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance -- turning the story from an evidence-based report into a "he said, she said" situation. That puts the onus on the reader to judge Bloomberg's reporting. Reporters can publish the truth all they want, but ultimately it's down to the reader to believe it or not. Whittaker ends by saying "Bloomberg's delivery could have been better," and that they "missed an opportunity to be more open and transparent in how it came to the conclusions that it did."
"Journalism isn't proprietary," Whittaker writes. "It should be open to as many people as possible. If you're not transparent in how you report things, you lose readers' trust. That's where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you -- and I -- have to put a lot of trust and faith in Bloomberg and its reporters."
Naturally, people are skeptical of this "spy chip" story. On one side you have Bloomberg's decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources -- some inside the government and out -- and presenting enough evidence to present a convincing case. On the other, the sources are anonymous -- likely because the information they shared wasn't theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say "a source familiar with the matter" because it weakens the story. It's the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves -- though transparently published in full by Bloomberg -- are not bulletproof in outright rejection of the story's claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance -- turning the story from an evidence-based report into a "he said, she said" situation. That puts the onus on the reader to judge Bloomberg's reporting. Reporters can publish the truth all they want, but ultimately it's down to the reader to believe it or not. Whittaker ends by saying "Bloomberg's delivery could have been better," and that they "missed an opportunity to be more open and transparent in how it came to the conclusions that it did."
"Journalism isn't proprietary," Whittaker writes. "It should be open to as many people as possible. If you're not transparent in how you report things, you lose readers' trust. That's where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you -- and I -- have to put a lot of trust and faith in Bloomberg and its reporters."
This is easily proven or disproven, take a server in question, or perhaps a random sampling of the supposedly hacked equipment and see if it has the "chip" they claim is there.
I'll have some stuff to say once I get my talking points from the God Emperor. #MAGA
Great, please go away until then. In fact, you can be gone even longer.
Consider how much AWS and Apple touch. AWS powers 1% of the Internet. It is critical infrastructure now. Apple is the go-to laptop for so many people in positions of power in industry.
A large segment of the public is growing restless and backing Trump on issues like social media. This goes a step further, it's like finding out that SV companies were so greedy and cavalier that they told no one to notice that homes and corporate offices were being bugged (or being rigged for bugging). All for maximizing profits.
Look at 2016. What do you see? If you see "muh raycisss, muh sexisss" instead of a class revolt by the Republican party that is a little closer to Jacobin than Ayn Rand, you need to put down the Kool Aid. If this turns out to be true, Trump will have all but a mandate to nationalize much of SV and flip corporate control into a "patriotic direction" that puts the nation before profit.
The problem with the discovery of the extra chip is the need to use the internet to send back the data.
Advanced AV and firewalls along with really skilled staff selected on merit are going to notice that "extra" data moving out from deep in their secure networks.
Thats why most advanced nations have resort to different methods to collect their data.
1. Short distance data transmission thats not on the internet.
2. Staff/visitors/friends/a person with split loyalty on the inside to collect data later in a way that's never detected as an outgoing internet connection.
3. The use of a PRISM like big brand understanding to move the data out.
What could have happened?
1. NSA and GCHQ found the chips early and often and then created vast amounts of junk information to see how the networks and chips sent the junk data out.
2. The clandestine services found the chip and have been using it for their own missions but did not stop it as it was a free spying tool.
3. Very different and unexpected nations found the chips and have been using it as a free spy tool.
4. Criminals, faith groups, cults, ex and former clandestine services staff and groups doing industrial espionage have found the chip and used it for their own data collection?
5. National police forces found the chips and wanted to try a way to get around crypto.
The real fail with this is having to use the internet and never get detected.
Smart people with real skills will notice extra data on their secure networks.
Domestic spying is now "Benign Information Gathering"
.. for an expert to analyze and understand the chip in question
I haven't read a detailed technical analysis yet
doomsday on a chip script is not new.. cease fire stand down.. some still calling this 'weather'?
China's Communist Party designed education system is so restrictive, tightly scripted and based on rote-learning that even "educated" Chinese simply cannot excel at creative tasks like disruptive innovation, R&D and creating original product ideas or designs. When Chinese students go to universities abroad in the UK, U.S. and other Western countries, they tend to work very hard, but fail woefully at tasks that involve critical thinking, questioning established methods or developing original approaches to tackling problems old and new. China has money to burn, a workforce that works cheap and hard, thousands of factories that can make almost anything, but is not, at present, capable of pulling off American-style innovation and inventing because of its lousy education system. So China has to look abroad for "ideas" - it has to steal them from where they are most plentiful. The concept of Intellectual Property Rights is also woefully underdeveloped in China - culturally, this country has no problem whatsoever copying or stealing the fruits of someone else's labor. This is why nobody even bothers to patent ideas in China - a patent provides no protection whatsoever in China. So yes, the "rogue chips on motherboards" story sounds exactly like something the Chinese government would do. Amazon and Apple are probably terrified of losing tens of billions of Dollars in future product sales in China, so they are flat out denying that any such "rogue chips" were ever found. The rogue chips probably do exist, and are designed to do exactly what Bloomberg claims - steal ideas.
I like the analysis going on over here:https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
As a hardware designer, it's an interesting idea to think of attack vectors through "NO STUFF" parts of the BOM. Most PCBs have "NO STUFF" parts of some sort - either for legacy or prototyping reasons.
The idea of some nefarious third party reverse engineering a "NO STUFF" and forming an attack vector with that is well, news to me. I can easily understand a thing like this slipping through a QC check
It would certainly be a difficult attack to construct. But many of todays "software" attacks are quite complicated. Certainly not outside the scope of a state-entity IMHO.
Interesting times in any event, and something to think about.
or the U.S. has done the same and Chia has copied it?
Apple and Amazon are probably accurate in their responses that none of their information was ever at risk. I'm sure none of their development work uses these servers in question. These are servers that process general internet traffic.
... the difficulties of reporting stories of this magnitude with anonymous sources. An anonymous reader shares an excerpt from his report:
It little behooves the best of us to comment on the rest of us.
It's "disputing", or "contradicting", not "refuting".
"To refute" means "to prove something incorrect", not "to claim something is incorrect".
If you say "Apple refuted Bloomberg's claims", that means that Apple presented such clear evidence that you personally are convinced that Bloomberg is wrong.
FUCKING STOP IT.
Nobody in their right mind would "hide" a secret chip visibly on a motherboard. They would hide their circuitry inside a common chip. This story smells of deliberate misinformation designed to both malign China and to detract from where such chips are actually usually planted.
Nobody can know what is really inside the chips on a board. That China could do something like this, and get away with it domestically, means we need to be very careful in dealing with them.
The main thing that stops this happening too much in the west is internal leaks. But there will not be any leaks from China.
It's fairly trivial to exfiltrate data *slowly* from a server.
For example, TCP sequence numbers are supposed to be random, as are emphereal ports. Nobody is expecting those to follow certain rules. Nobody stick your data in the third bit of any of those random numbers and nobody will ever know. You can exfiltrate one bit per connection. On a busy server, that's like having a dial up ssh connection with root access to the machine.
You may have heard about the network-based Spectre variant that was recently released. Like all Spectre variants, it's based on detecting tiny changes in the average time something takes - the average response time to a network request, in that case.
With server grade gigabit and ten gigabit Ethernet cards having TCP offload on board, an attacker with BMC access can manipulate the existing TCP traffic in ways that the machine's own kernel can't even see.
You don't want to download gigabytes of data this way (unless you can hide it in thousands of gigabytes of legitimate traffic), but you only need 2048 bits to exfiltrate the private key that gives you everything.
n/t
Truth isn't Truth - Guliani
...the chinese stopped at amazon,apple,supermicro?
naive?
if you motherboard came from china, it's 90%+ chance infected. what's needed is a proggie to detect the spy chips.
Who conceived and exploited? Perhaps it was CIA that knew ZTE would ship these to Iran set it up? Yes ridiculous conjecture. Another conspiracy theory this was a setup to justify yanking supply chain from foes. It is an eye opener for various topics such as reporting and security.
It was full of "haxx0rz! haxx1n!" and so not worth the read. Fix that and you'll have a better time explaining what you're on about.
Yes, this is a problem endemic in the security industry and any reporting around it: The fundamental lack of substance.
Mod parent up. -PCP
Having not read the Bloomberg article, because I've been busy this week, is Bloomberg just reporting on what sources have said?
That isn't investigative journalism. That's just reporting gossip.
Can't Bloomberg just grab a device, open it up, and pay someone reputable to actually have a look and then confirm this whole thing? Why am I left needing to trust anonymous-source reporting? Go make it nonymous! Any nonymous will do.
Well, I remember Diablo Daisywheel printers carrying a payload before USB sticks were invented and HP Laserjets network cards also copping payload capability.
Video cards have interesting DMA access, before ME came along. Serial hard drives are also suspect. Even network connected photocopiers can have a good storage reserve. Connecting TCP/IP destop phones in series with the desktop computer another security risk. Even the brandname security chip on the toner/ink cartridge has carried a payload out. Love recycling.
Mobos tend to have lots of hardware revisions. Leaving out power smoothing capacitors
is a way to save money. Sure it was not a revison?
It's a lonely Friday night, so grab a beer and let me tell you a story. It's not like there is anything left to hide.
Back at the turn of the century when I was hired fresh out of university, I thought I could do the assignment in a weekend. My boss laughed at me. Said "Kid, you got a month!". The assignment was simple (or so I thought), how to break into a running Linux kernel with 100k of gates, 5mW budget, and a single mosfet to ground on one of the data pins (my choice).
It took much longer than a weekend just to find the right pin. Had to run countless simulations, trying a spread of combinations, pairing down the list by removing the ones that would just eat up to many gates, and then finally finding it.
Now some would say that it would be impossible to do. Let me say in return that it is relatively easy, once the answer was known. It does require some prerequisites, like having a specific user application being executed by the OS. The little 80k gate (final rev) engine looks for the key sequence this app generates on the data pin, and then when it is switched out and brought back in by the OS, it's privileged state mysteriously changes. Looking at it on the scope you would see the data being written to as a 1, but it reads back a 0 (well, not quite 0, those DDR drivers have some punch!).
Needless to say I got a promotion, and well here I am managing a field op for our "customers". The pay is great, and the challenges are very rewarding. It's interesting to see how the other side of the deal occurs. The sting on the PCB manufacturer's shipping clerk. He got us the gerbers and the BOM last month. I went to work, did my thing. Last night we made the swap. He had the palet waiting there, recent build of PCBs ready to be shipped to the contract manufacturers. Swapped with our pallet of recently built PCBs, effectively indistinguishable with the others, except for .. well the tech has come a long way let me say. Bloomberg might have broken the story, but the tech they are leaking is really old stuff, stuff I worked on when I first started. Hmmm, how the world is played. Time for another beer, time to celebrate.
How exactly do you hide the wires? I get that the chip is supposed to be super small, but it it must be wired in somehow. A chip to intercept a gigabit ethernet and you're 8 wires in, 8 wires out, and power and ground, so we're looking at 18 unexplained traces on the circuit board. If its sniff to the processor, we're looking at hundreds, (128 bit data path/64 bit address etc.). Perhaps it's USB chip, but then how does it get network access.
How exactly do you hide the heat? This thing is supposedly running like a processor examining data, how the f*** does it dissipate the heat. Espcially when its 'between' layers on a circuit board as claimed in the original story.
How would it be explained? If this is a US designed motherboard that's been sent off to China for manufacture, how would you explain these extra connections and extra chip to the designers? How would it pass QA? "Oh we added a signal conditioner" wouldn't pass the smell test for them. If it was a Chinese designed motherboard, why is it being imported by an In-Q-tel (CIA) funded company?
If it was a Chinese designed motherboard, wouldn't the spy stuff be stuck into existing chips? e.g. some code in the Southbridge.
How was knowledge of this kept secret? The story claims lots of big server companies knew about it, and yet it only leaks now and by Bloomberg? Really?
Why isn't there a million photographs of supermicro motherboards with suspicious chips flagged, ten minutes after the article came out 2 days ago. I imagine if you owned a supermicro motherboard and read that, the first thing you'd do it photograph any suspicious chips and say "is this the spy chip?" on the internet.
Why would it be a separate chip and not a module on a SOC chip? Or in microcode.
The idea of the Chinese spying on servers sounds VERY plausible/likely, just not the way this article says they did.
I can Occam Razor an alternative explanation. China is in a trade war with USA, USA wants to demonize China to justify the trade war. Makes false claim using CIA funded company to a non-tech outlet that doesn't know the questions to ask.
I reserve judgement till I see the actual chips myself. If it was iFixit doing xRay scans and analysis of the chip my view would change....
The same goes for opposed mandated government backdoors, which nobody would ever be able to trust for exactly the same reasons, ..!