Bloomberg has turned into tabloid-level shock journalism when it comes to tech. All about the scares, not much substance. It doesn't surprise me at all that they might've screwed up their article this bad, but I hope it's a wake up call to the staff at Bloomberg (though I know it won't be).
-"and we fixed all critical issues before the acquisition closed" - How can you fix issues when the acquiring party is not yet under your control?
-"We further strengthen our security posture by implementing our own hardware designs for critical components such as processors [...]" - Own processor design by Amazon? They have the Alpine ARM-processor, but that type of processor is not the type of processor that runs on the allegedly compromised motherboards.
-What is Amazon exactly responding to? Amazon denies knowing of the hack ("was aware of") when acquiring the company. That's the same denial as in the BB article. But the main point in the BB-article is that is was Amazon that found out about the hack and notified US government. That doesn't mention any knowledge before the deal was struck? Only Apple clearly denies ever having found a malicious chip.
The Bloomberg-article just seems to well-sourced to be that easily denied. Not sure what kind of communication would be acceptable for Amazon and their law enforcement partners they are (still, according to BB) working with.
On your first point, I think that's pretty common in M&A. For example, let's say the audit revealed that the target did not enforce minimum password lengths for employee accounts. Amazon could simply say that needs to be re-mediated before Amazon is willing to close -- so the target can just implement that change, and certify it was done and/or have the audit firm confirm it.
[...] investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners.
Does this imply that they are checking every piece of hardware that goes into a data center including looking at it for any additional or replaced malicious components?
Just because you went looking for something and didn't find it does not mean it is not there. I couldn't find my car key this morning and had to use the spare, does that mean my normal key doesn't exist and never existed? No, it just means I didn't dedicate enough time to finding my normal key.
Hopefully this will encourage someone find an affected device in the wild. Wonder if any of Supermicros non-blade mobos would be affected? The graphic on Bloomberg indicated blade servers but journalists seem to take quite a bit of liberty with tech graphics.
It's got me curious as I've purchased a few supermicro servers off Ebay, and have no clue about where they were used prior.
According to BBG report, "the ensuing top-secret probe" "remains open more than three years later".
I find it extremely hard to believe that uncle Sam would let a state sponsored espionage of this scale silently continue for 3 years without warning the public and cut off the pipe.
If the alleged hacking were true, wouldn't it be 100x more important to stop the spyware immediately than collecting comprehensive evidence on who's behind it? At the end of the day, it's not like U.S. would start a nuclear war against China if the allegation is proven true.
13 comments
[ 3.3 ms ] story [ 42.8 ms ] threadSurely, organizations that don't have anything to hide are talking a peek by now.
If there aren't a lot of reports of these hacks in the wild in the next couple of days... then we'll know who's not telling the truth, right?
-"and we fixed all critical issues before the acquisition closed" - How can you fix issues when the acquiring party is not yet under your control?
-"We further strengthen our security posture by implementing our own hardware designs for critical components such as processors [...]" - Own processor design by Amazon? They have the Alpine ARM-processor, but that type of processor is not the type of processor that runs on the allegedly compromised motherboards.
-What is Amazon exactly responding to? Amazon denies knowing of the hack ("was aware of") when acquiring the company. That's the same denial as in the BB article. But the main point in the BB-article is that is was Amazon that found out about the hack and notified US government. That doesn't mention any knowledge before the deal was struck? Only Apple clearly denies ever having found a malicious chip.
The Bloomberg-article just seems to well-sourced to be that easily denied. Not sure what kind of communication would be acceptable for Amazon and their law enforcement partners they are (still, according to BB) working with.
Does this imply that they are checking every piece of hardware that goes into a data center including looking at it for any additional or replaced malicious components?
I find it extremely hard to believe that uncle Sam would let a state sponsored espionage of this scale silently continue for 3 years without warning the public and cut off the pipe.
If the alleged hacking were true, wouldn't it be 100x more important to stop the spyware immediately than collecting comprehensive evidence on who's behind it? At the end of the day, it's not like U.S. would start a nuclear war against China if the allegation is proven true.