From what I read in "Bad Blood" (the book about the Theranos fiasco) of what WSJ does before publishing investigative reports, you can be 100% that they did.
They have a photograph of the chip and scores of (unfortunately anonymous) sources.
It sounds like some researcher found weird traffic, eventually found there is a chip on some of these servers that wasn't in the original gerber files, and this chip is doing something, and beyond that a lot of people are speculating about who and what.
Apple and Amazon deny that the story is correct. That doesn't mean that there isn't a chip there and they now know what it is doing but are prohibited from saying much beyond the story as a published whole is not true.
Was there a picture of the chip released? I have been trying to follow and last I seen was it seemed the pictures in the article was likely an artists representation of the chip. Did an actual picture get released or was there confirmation the picture they released was the real chip? Thank you
In any case, someone who can make a malicious IC die look like a balun could just as easily add their die to the EEPROM package that's intended to be there.
It makes no sense for state-level bad guys to create disguised packages and add them to boards at the assembly house. There are any number of other links in the supply chain where they could accomplish the same goal with an actual nonzero chance of getting away with it.
The key benefit of injecting at the assembly house is that it means you can target the injections based on the final customer. This reduces the footprint of the attack, which reduces the chances of your exploit being publicly exposed, and reduces the risks inherent in scaling up a highly specialised top secret supply chain.
That’s fair enough, I don’t think that process would work here though?
I also don’t understand why you would do that. Given the ceramic part in question doesn’t look like anything that would be on a motherboard, and has been identified as an RF component.
> “It isn’t news unless it’s true. At Bloomberg News, the most important news is actionable. That means we strive to be first to report surprises in markets that change behaviour and we put a premium on reporting that reveals the biggest changes in relative value across all assets.”
Are you suggesting the reporters turned in a story they knew to be false, in pursuit of a bonus? However large the bonus Bloomberg pays, it is surely paltry in comparison to a reporter's reputation.
Bloomberg says they did a year of reporting, and over 100 interviews, and have around 17 sources. It's hard to believe all those sources conspired to fabricate this story, along with the evidence, and conned the reporters. Bloomberg clearly found something, but if Apple and Amazon are right (I wouldn't assume that; aggressive denials are par for the course), what did they find?
Then again, Bloomberg's details are really only vague hints.
To me these are currently only allegations from one source. When a board is given out to security researchers to publish an independent analysis I'll believe it.
The perfect way to be credible to me would be to give a talk at some security conference.
There's no investigation of the supply chain, which would have been quite interesting.
But the more I think about it, the more I think that all of this, if true, would be much too serious to even publish, really.
Considering the article points fingers at China, I wonder if their evidence was manufactured by someone. Without proof (like a board) or the names of actual witnesses or hard documents or something, its basically unverifiable, like claiming Area 51 has aliens. Without proof it's indistinguishable from fiction.
It would be like claiming Area 51 has aliens after over 100 interviews with 17 people familiar with the aliens, including two at Lockheed Martin and three at Boeing.
> Considering the article points fingers at China, I wonder if their evidence was manufactured by someone.
What is the connection?
> Without proof (like a board) or the names of actual witnesses or hard documents or something, its basically unverifiable, like claiming Area 51 has aliens.
A Bloomberg article based on a year of reporting, 100 interviews, etc. is as likely as aliens? Hmmm ... I feel I can distinguish it pretty easily.
It reminds me of Genoa on newsroom. I won't spoil it for those who haven't seen the show, and highly recommend watching it if you haven't. You don't even have to be into the news or politics, I haven't watched the news or read a newspaper in over 5 years and I very much enjoyed the show.
Who has what incentive here? The US has an incentive to damage China'a reputation, but not so much if it takes down Apple and Amazon with it. Apple and Amazon have an incentive to limit or hide information suggesting they're leaking data - is that enough smoke?
Otherwise, if Bloomberg have been misled by a concocted story, who has the ability to generate enough false sources/etc to engineer it? Seems like the scale puts it beyond a solid PR effort from a competitor?
17 sources who may all be drawing from the same source, or at least (inadvertently) confirming each other (e.g. source 2 has heard vague information from source 4 and 6, and reports that to Bloomberg, source 5 has then heard vague information from source 2 and 4, and reports that to Bloomberg). Without more information, I'm not sure we can really say it's more than one source (Bloomberg).
That's theoretical; it could be said about any group of sources on any story. Is there anything to back it up here? Do their descriptions of the sources support that theory, as a small (but still very insufficient) start?
Bold claims from newspaper is also par for the course, and Bloomberg benefits from the attention, especially if in the end they can just say “the problem was insignificant, but we were in good faith, we’re not engineers after all”
If we want to disregard what Apple’s denial, we can also disregard Bloomberg’s claim until someone sues someone else and an investigation brings out actual facts.
This whole business reminds me of the Newsweek reporter who was sure that Satoshi Nakamoto was some random Japanese guy in the Bay Area that she apparently found by looking up "Satoshi Nakamoto" in a phone book. The guy she found was a retired EE who had held a security clearance at Lockheed or someplace like that. He was an elderly recluse whose English skills weren't the best, so when he thought she was asking about classified material, he muttered something like, "I don't work on that anymore," and shut the door in her face. Jackpot, right?
In the old days an editor would step in at some point to save these ink-stained wretches from themselves, but that's pre-Internet thinking.
In the case if newsweek, it was still wild speculations. Bloomberg mentions sources in the intelligence community and provides a lot of details. I am as much in the dark as anyone else but it doesn't feel nearly as wild as the newsweek story.
All this assertion / denial stuff is getting tiresome. If this compromise was implemented at a significant scale, and people in-the-know have figured out how it functions, it shouldn't be too hard to get hold of one and provide a demo.
No need to have somebody hand over a server. If the implant happened in two segments of the supply chain as the article claims, it shouldn't be very difficult to find one.
The burden's on Bloomberg for accusing China of implanting the devices, or it's on the tech companies accusing Bloomberg of being full of --it, though? Looks like a standoff until we hear more
And now I'm angry at myself for not thinking of this. So much of this story was sitting like a grain of sand in my brain, but I couldn't put my finger on it
The scale being claimed is a mere four factories, subcontractors of Supermicro's actual contractors, who were only used when demand exceeded those contractors' own capabilities.
> Does bloomberg have a compromised motherboard so we can independently verify the claim?
It's unreasonable to expect that they would. Bloomberg News is full of journalists, not security researchers. They gather testimony and documents, not physical evidence.
Furthermore, the servers in question would have been owned by others: Apple, Amazon, the US Government. It's very unlikely that whatever sources Bloomberg talked to would have had the authorization to legally hand over the servers in question.
It probably comes down to how common the alleged problem boards are. If these devices only ended up in a small percentages of boards produced it might be very difficult to find a board that even had it.
Surely if something was compromised, you'd end the relationship with that supplier? You wouldn't have much incentive, especially cross-border, to bust them in action.
Busting them in action wouldn't be of any worth, feeding them false or misleading information would be. Never underestimate governments and their desire to know as much as possible about their friends and enemies and feed them with information.
Most brilliant. These people can conjuring up a fancy spy story while having no idea how a chip is made at all. And is very amusing to see mass acceptance.
It could be the whole thing is FUD being sowed by someone with an interest in trolling US companies. Russia, for example, for whatever reasons which are beyond me.
68 comments
[ 4.7 ms ] story [ 113 ms ] threadIt sounds like some researcher found weird traffic, eventually found there is a chip on some of these servers that wasn't in the original gerber files, and this chip is doing something, and beyond that a lot of people are speculating about who and what.
Apple and Amazon deny that the story is correct. That doesn't mean that there isn't a chip there and they now know what it is doing but are prohibited from saying much beyond the story as a published whole is not true.
It’s embedded in ceramic. Such devices need to be fired at very high temperatures which a semiconductor wouldn’t be able to withstand.
It makes no sense for state-level bad guys to create disguised packages and add them to boards at the assembly house. There are any number of other links in the supply chain where they could accomplish the same goal with an actual nonzero chance of getting away with it.
I'm pointing out an advantage in putting the exploit into the supply chain as late as possible, such that it can be selected for based on customer.
Compromising the motherboard may be a good approach if the boards have some amount of customisation for each customer.
You could absolutely use a novel manufacturing technique to make something that looks like the picture in the article.
It wouldn’t make much sense to do so, because that part doesn’t even belong on a computer motherboard, it’s an RF component.
https://www.dhresource.com/0x0s/f2-albu-g5-M01-4D-13-rBVaJFl...
I also don’t understand why you would do that. Given the ceramic part in question doesn’t look like anything that would be on a motherboard, and has been identified as an RF component.
https://news.ycombinator.com/item?id=18162440
Bonus for moving markets -> Incentive to report on highest possible value stories.
High value stories -> Bloomberg gains reputation/highest possible value to stock holders.
To me these are currently only allegations from one source. When a board is given out to security researchers to publish an independent analysis I'll believe it. The perfect way to be credible to me would be to give a talk at some security conference. There's no investigation of the supply chain, which would have been quite interesting.
But the more I think about it, the more I think that all of this, if true, would be much too serious to even publish, really.
What is the connection?
> Without proof (like a board) or the names of actual witnesses or hard documents or something, its basically unverifiable, like claiming Area 51 has aliens.
A Bloomberg article based on a year of reporting, 100 interviews, etc. is as likely as aliens? Hmmm ... I feel I can distinguish it pretty easily.
Otherwise, if Bloomberg have been misled by a concocted story, who has the ability to generate enough false sources/etc to engineer it? Seems like the scale puts it beyond a solid PR effort from a competitor?
Aggressive denials yes, but not at the level of specificity that Apple and Amazon have gone to.
If we want to disregard what Apple’s denial, we can also disregard Bloomberg’s claim until someone sues someone else and an investigation brings out actual facts.
In the old days an editor would step in at some point to save these ink-stained wretches from themselves, but that's pre-Internet thinking.
https://www.dhs.gov/news/2018/10/06/statement-dhs-press-secr...
* https://news.ycombinator.com/item?id=18148811
It's unreasonable to expect that they would. Bloomberg News is full of journalists, not security researchers. They gather testimony and documents, not physical evidence.
Furthermore, the servers in question would have been owned by others: Apple, Amazon, the US Government. It's very unlikely that whatever sources Bloomberg talked to would have had the authorization to legally hand over the servers in question.
Is there something I'm missing that makes this difficult?
BUT you KNEW that they were compromised BEFORE you put them into service,
and you made changes that allowed you to spy back on the spyers..
you would deny that the assets had been compromised in the first place.