The Messy Truth About Infiltrating Computer Supply Chains (theintercept.com)
In October last year, Bloomberg Businessweek published an alarming story: Operatives working for China's People's Liberation Army had secretly implanted microchips into motherboards made in China and sold by U.S.-based Supermicro.
While Bloomberg's story -- which has been challenged by numerous players -- may well be completely (or partly) wrong, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents, reports The Intercept.
From the report: U.S. spy agencies were warned about the threat in stark terms nearly a decade ago and even assessed that China was adept at corrupting the software bundled closest to a computer's hardware at the factory, threatening some of the U.S. government's most sensitive machines, according to documents provided by National Security Agency whistleblower Edward Snowden. The documents also detail how the U.S. and its allies have themselves systematically targeted and subverted tech supply chains, with the NSA conducting its own such operations, including in China, in partnership with the CIA and other intelligence agencies. The documents also disclose supply chain operations by German and French intelligence.
What's clear is that supply chain attacks are a well-established, if underappreciated, method of surveillance -- and much work remains to be done to secure computing devices from this type of compromise. "An increasing number of actors are seeking the capability to target ... supply chains and other components of the U.S. information infrastructure," the intelligence community stated in a secret 2009 report. "Intelligence reporting provides only limited information on efforts to compromise supply chains, in large part because we do not have the access or technology in place necessary for reliable detection of such operations."
The NSA admits doing exactly this to target high-value individuals. Order a computer, they intercept the package, in a few hours it's opened and modified and packed back up with OEM stickers like new. You would never know.
China is just much more broad and bold with their attempts to catch up using 3rd party companies that are actually 1st party ChiCom Party owned entities.
Supermicro may or may not have been a real story - however, if it WAS REAL, the NSA and SECINT have no obligation to inform the public of that, only to mitigate it as they mitigate dozens of things we know nothing of.
The problem isn't that there's no evidence, the problem is that we have no legal authority to demand evidence if it exists to know either way. Journalism has to catch them red-handed by itself for us to find things out.
Hence Edward Snowden's revelations.
This might actually be a legitimate case for a national security tariff.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
While Bloomberg's story -- which has been challenged by numerous players -- may well be completely (or partly) wrong, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents, reports The Intercept.
While Bloomberg's story -- which has been challenged by numerous players -- may well be completely (or partly) wrong, which contributes to fake news, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents, reports The Intercept.
(...bold mine...)
The result of any compromising is the same as what the CIA/NSA have done to foreign entities, if I may add.
Want to protect your supply chain from tariffs, spying, and other political crap? Diversify! Make components in as many countries as possible, and when one is compromised, shut it down and make it someplace else.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
That's a security through diffuse obscurity regime. Sorry.
All massive asscunts.
I wonder if China also constantly repeats propaganda about US hacking and infiltration.
And I don't mean propaganda in the sense of it not being a fact. But in the sense of generating hate against a bunch of people we have never met.
In any case: Neither the US nor Chinese people.
In fact, they desperately need to generate hate, or we'd start thinking for ourselves, team up and kick our dictators' asses.
Frankly, I'd rather have a foreign entity with no power over me spy on me, than a local entity with *all* the power over me.
Enforcing the latter sounds much more like a horror story than the former.
(Of course they are both not acceptable. But, you know what I mean.)
that China still calls their military the "China's People's Liberation Army". The people were "Liberated" a long time ago. It's just the army now.
I don't think it matters that we've handed so much manufacturing over to the Chinese. The folks running the show, what we usually call the Ruling Class, are global now. They might have the occasional spat here and there over whose yacht's bigger or who's the richest this week but they're not really fighting (and by extension the countries they run aren't fighting).
I suppose it's a good thing. A World War isn't the solution (though it's one way to kick your economy up a notch). But anything we're seeing here is at best a pissing match between billionaires.
In the design of electronic voting machines, I've suggested that the machines need to not have wireless networking capabilities, not connect to networks, and...be sourced at least a year before any election in which they're used.
Hardware-level attacks aren't very effective when you don't know the exact software, data formats, and goals of your attack, and have no communication channel.
This is also why parallel testing and, yes, selling off a random sample of your stock after the elections is helpful. Even at a level of zero identifiable mechanisms for compromise, it'd be nice to get some of this stuff back out in the wild where tinkerers might actually discover the attempt. Federal government's assets (i.e. the NSA) are also useful here, only on the grounds that a larger conspiracy becomes more difficult to conceal (i.e. you're most likely to have State boards involved in attacks on our elections, therefore other States and the Federal government will be in opposition to them and will be unhappy with and loud about discovered attempts to tamper).
Besides that we're moving to electronic voting anyway, the unhappy truth nobody wants to admit is paper ballot voting is simply insecure. You place paper ballots on a truck with State-selected actors in the handling; your State may be corrupt, the people with the ballots can reverse seals with a paper clip and modify the ballots, and the ballots are the source-of-truth. That's a black box.
People talk about paper audit trails and bring up morphine pills. Thing is you have a log that says "500 Pills" at every hand-off. With paper ballots, you have 500 pills, and a log that says "Handed off" at every hand-off, and if you want to check the number of pills you open up the bottle and count and you have no real record of how many pills you had, so you just assume however many pills are there are the amount that you had when you left.
That doesn't hold up when you realize we counted the votes before we left...except we recount all the ballots, which means if the count is different we assume we counted them wrong the first time. Also, with ranked ballots, you actually need either a full duplicate of all the ballots or a strong hash, so...yeah. You can hijack non-ranked (and some types of ranked) elections by adding candidates to manipulate the outcome, and ranked elections will be critical to the next major advancement in democracies.
So what you have with paper ballots is a hole in a wall where you put ballots in, and then the benevolent election staff carries out a box that allegedly contains all the ballots the voters cast and counts them.
Providing for a computerized function with an untrusted supply chain became a critical task for me long ago. It only works when you don't need the computer networked, and when the computer's software and data are of unknown format to the supply chain attacker. If we're talking about servers plugged into the Internet, or cell phones, or anything else, there is no defense.
'nuff said
From the chips on up, we need open designs that can be built by anyone. The Raspberry Pi is almost there, with the exception of the CPU (a big exception).
https://opensource.com/resources/raspberry-pi
Note how many competitors and clones there are.
The only other thing holding me back from using a Pi as my daily lapdock / desktop is the lack of SATA or an M2 port. Implement those two items, and governments around the world can go pound sand.
Cute propaganda piece that builds upon the shaky claims of the original bloomberg story.
We should prepare for a zero trust model with China. If the product can be compromised in a way that impacts the security of western interests, it should either not be produced in China, or a strict audit control practice should be imposed. Currently the threats are not causing any huge impact, but imagine a future in war time, or economic strife that increases the adversarial nature of relations with China. The U.S. and western allies would be wise to set up supply chains where threats to our economies and national interests are minimized with regard to Chinese influence. This means we need to have operational plants and foundries in the west that are capable of sustaining a secure supply chain for defense and for economic survivability. I would say the same irrespective of the Bloomberg report on Supermicro; that's one case that, whether legitimate or not, illustrates the threat in clear terms.
Greedy suit-wearing McMansion-dwelling fat-bellied US bosses couldn't resist the temptation of outsourcing to China for cheap and now the rest of us have to pay for it.
This makes me think of the backstory to The War Against the Chtorr series by David Gerrold. After losing several devastating conflicts, the US is forced into giving up its military might and providing reparations to other countries. Instead of money, it provides food and high tech goods, such as computers and electronics, making the world dependent on US technology. All of the ICs have Trojan Horses hardwired into them that are undetected, which were used as kill switches. That comes in real handy when some of those countries decide to invade the US in order to "liberate" resources that they want.
Could something like this be used by China to cripple enemy economic and military might in a future conflict? We'd be fools not to consider this a very realistic possibility.
Beware of Sales Reps bearing gifts.
"warned about the threat in stark terms nearly a decade ago" Try two decades ago. I was there.
I inadvertently made a racist statement. Chinese Americans' government is the US government. I was unclear about that unintentionally but I correct myself.
The complete hypocrisy here is insane; the NSA is known to intercept the supply chains of many countries, including the US. On the other hand, the MSMs always have no issue with publishing articles with little to no evidence (or wrong, as in the case of Bloomberg) or outright fabricating stories. And from some of the responses here on /. at least a good portion of likely Americans are equally as ignorant and/or prejudiced.
https://www.telegraph.co.uk/news/worldnews/northamerica/usa/1455559/CIA-plot-led-to-huge-blast-in-Siberian-gas-pipeline.html
I worked in a company that created its own boards which were outsourced offshore. Every batch received in the plant where the devices were delivered had random inspections for quality. The company designed the boards and the offshore fabricators created the boards, populated them with chips (which contained company designed special purpose devices) and sent them to the plant. These custom boards were tested for QA and Government certification standards.
So the article suggests that SuperMicro did not, does not, could not do a simple chip count on a random sample to see if anything was "added" to their motherboards? Really?
So the Chinese are so f*u*king smart that they can alter the fundamental design of a motherboard, adding parts, signal paths, power consumption, etc. to a board designed in a foreign country, and the original designer cannot tell that the fundamental design has changed. Really?
Oh, add into this fallacy that the motherboard functions perfectly to the eyes of its designers and its customers. And the boards are contacting the Chinese from data centers outside of the Chinese mainland, but the data centers cannot detect these signals leaving their facility and targeting "some collection point" in China. Really?
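The "simple chip count on a random sample" the comment above describes is easy to script once you have the designer's golden BOM, so here is an added example of that check, written for this page and not code from The Intercept, Bloomberg, Supermicro or the commenter. The golden BOM, the "observed" inventory of a sampled board, the designators and the part numbers are all constructed for the example; the point it adds to the comment is that a bare count passes whenever the implant is a swap of an existing part for one with the same footprint (say, a different SPI flash), which is why the example also diffs part numbers, packages and do-not-populate sites.

```python
# Added example: golden-BOM vs. observed-board comparison for a sampled
# production board. Illustrative only; all parts and designators are made up
# for the example (some look like real part numbers, but nothing here is a
# claim about any real board).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Part:
    refdes: Optional[str]   # silkscreen designator; None = device found where the design has none
    mpn: str                # manufacturer part number as read from the package marking
    package: str            # footprint, e.g. "QFN-56"
    populate: bool = True   # False = "do not populate" (DNP) in the golden design


# Golden BOM taken from the design files (constructed).
GOLDEN_BOM = [
    Part("U1", "BMC-AST2500", "BGA-456"),
    Part("U2", "W25Q256JV", "SOIC-8"),        # SPI flash holding the BMC firmware
    Part("U3", "LAN7800", "QFN-56"),
    Part("R1", "RES-10K-0402", "0402"),
    Part("R2", "RES-10K-0402", "0402"),
    Part("J5", "HDR-2x5-DEBUG", "TH-2x5", populate=False),  # debug header, DNP in production
]

# Inventory of physically present parts on one sampled board (constructed):
# the flash was substituted, the DNP debug header was populated, and an
# unmarked 6-pin device sits at a spot with no designator.
OBSERVED_BOARD = [
    Part("U1", "BMC-AST2500", "BGA-456"),
    Part("U2", "MX25L25645G", "SOIC-8"),
    Part("U3", "LAN7800", "QFN-56"),
    Part("R1", "RES-10K-0402", "0402"),
    Part("R2", "RES-10K-0402", "0402"),
    Part("J5", "HDR-2x5-DEBUG", "TH-2x5"),
    Part(None, "UNMARKED", "SOT-23-6"),
]


def part_count_matches(golden: List[Part], observed: List[Part]) -> bool:
    """The cheap first check: number of populated parts in the design vs. on the board."""
    return sum(1 for p in golden if p.populate) == len(observed)


def diff_board(golden: List[Part], observed: List[Part]) -> List[Tuple[str, str, str]]:
    """Return sorted (finding, refdes, detail) tuples; an empty list means the board matches.

    `observed` lists only parts physically present on the board, so a DNP site
    that shows up there is reported as DNP_POPULATED.
    """
    by_ref = {p.refdes: p for p in golden}
    findings: List[Tuple[str, str, str]] = []
    seen = set()
    for p in observed:
        if p.refdes is None or p.refdes not in by_ref:
            findings.append(("ADDED", p.refdes or "?", f"{p.mpn} {p.package}"))
            continue
        seen.add(p.refdes)
        ref = by_ref[p.refdes]
        if not ref.populate:
            findings.append(("DNP_POPULATED", p.refdes, p.mpn))
        elif p.mpn != ref.mpn:
            findings.append(("SUBSTITUTED", p.refdes, f"{ref.mpn} -> {p.mpn}"))
        elif p.package != ref.package:
            findings.append(("PACKAGE_MISMATCH", p.refdes, f"{ref.package} -> {p.package}"))
    for refdes, ref in by_ref.items():
        if ref.populate and refdes not in seen:
            findings.append(("MISSING", refdes, ref.mpn))
    return sorted(findings)


if __name__ == "__main__":
    print("populated count matches:", part_count_matches(GOLDEN_BOM, OBSERVED_BOARD))
    for finding in diff_board(GOLDEN_BOM, OBSERVED_BOARD):
        print(*finding)
```

Run against a board where only U2 was swapped for a pin-compatible flash, `part_count_matches` returns True and only `diff_board` reports anything, which is the case a count-only inspection misses; a real inspection would also read the SPI flash back and compare it to the signed golden image, since a substituted flash with the original part number is invisible to both checks here.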
And just who did you suggest this to?
Why would anything you say be taken seriously? Where are your bona fides?
Closed firmware... How is there not a class action lawsuit against Intel for this?
Anybody ever had a look inside an HP workstation? It does not stop there; the software keyloggers are just as bad. Why the NSA needs to do hardware and software is beyond me.
All foreign IC is suspect. And we can't trust imported food. And definitely not their unsafe cars...
In growth, the industry wants free trade. In a recession, they want protectionism. The form of government in which they have their way all the time is not democracy. It's fascism. And not one person living in an English speaking country and reading this post right now was born to a democratic regime.
Global warming will apply a fix for all of these problems ...
I inadvertently made a racist statement.
I also inadvertently made a homophobic statement, which is ironic because I'm a cocksucking FAGGOT myself.
Iran knows not to buy industrial controls from the U.S. (Stuxnet). And the U.S. should know not to buy computers and phones from China.
“Common sense is not so common.” — Voltaire
" I'm for human rights "
That's good. Too bad it's not the US government's or China's priority.
PS: The Chinese can write good rants against the US too, hell even Americans can.
Yes, in fact it is. Or to put it another way, don't keep your investment eggs all in one basket, lest the nuclear hammer smash them.
Sorry, you cannot justify black box voting. Paper is still the closest thing to secure that we have.