The TYPE of denials coming out is why I’m most skeptical from my non-expert perspective. When a company is evasive about something they know happened but don’t want to confirm, the response isn’t as detailed as this.

Oct 4, 2018 20:23
|
|
Vahakyla posted: What kind of domestic capability does NATO have for motherboards and other computer parts in the event of the big whistle? ”A NATO member” and ”computer parts maker” feels like a non-existing Venn.

Supply chains go through all sorts of countries, both NATO and non-NATO, but if push came to shove it's pretty much only the USA that would be in a position to build up that sort of domestic industry, ideally they'd still be able to lean on non-NATO treaty allies though like Japan and South Korea.

Oct 4, 2018 20:33
|
The whole thing about Bloomberg basically ignoring Amazon, Apple and Supermicro's attempts to clarify any situation kind of made it a red flag for me. Sounds like something Bloomberg kind of willingly let blow out of proportion because they would get a lot of traction. But I’m completely open to the tiny microchip spying thing so I’m curious how this pans out.

Oct 4, 2018 20:39
|
Fojar38 posted: Supply chains go through all sorts of countries, both NATO and non-NATO, but if push came to shove it's pretty much only the USA that would be in a position to build up that sort of domestic industry, ideally they'd still be able to lean on non-NATO treaty allies though like Japan and South Korea.

Think of it more in terms of demanding domestic production for, say, a service rifle. There's a big space between having the technical capability to do it and commercial viability, and the sort of situation I think Vahakyla has in mind makes the latter more or less irrelevant.

EDIT: Also which components and how good matters a lot. Standing up the industry to make high-end CPUs is orders of magnitude harder and more expensive than having to roll your own good-enough motherboards.

Comrade Gorbash fucked around with this message at 20:44 on Oct 4, 2018

Oct 4, 2018 20:39
|
Companies like Thales, Siemens, BAE are large, diverse, capable enough companies that they can spin that up given government budgets to do it, so I don’t really think it'd be a problem. It wouldn’t happen overnight but it's certainly not out of the realm of possibility.

Oct 4, 2018 20:45
|
The fact that this was in Bloomberg makes me think someone is loaded up on out-of-the-money stock options and trying to manipulate the market. And also that it's all true because lol @ infosec

Oct 4, 2018 20:51
|
Vahakyla posted: What kind of domestic capability does NATO have for motherboards and other computer parts in the event of the big whistle? ”A NATO member” and ”computer parts maker” feels like a non-existing Venn.

The push towards COTS (not necessarily a bad thing) often results in key pieces of equipment being built around devices that realistically only come out of a TSMC fab. The real critical stuff like satellite TT&C crypto devices and GPS chipsets found in DAGR with military features like RAIM come out of domestic fabs in the US at ridiculously high costs. Places like Rockwell Collins and Honeywell I believe vertically integrate their fab capability. I’d bet NSA has some sweet capabilities for producing their implants too.

Making PCBs themselves is commoditized and simple to do. Semiconductor packaging for commercial is concentrated in SEA, and most military devices require hermetic ceramic packages, which is done here. Though the package itself may be made outside of the US.

Oct 4, 2018 20:54
|
priznat posted: I am having difficulty believing the PRC could get much of anything going in an IC that small. They are not cutting edge, they wait until western companies make something then reverse engineer it for domestic consumption, rinse and repeat.

A Cortex M0 with a few k of ram/rom is readily available and can absolutely be made that small. Doesn't need to be a fancy custom ASIC or anything.

Oct 4, 2018 20:57
|
Thanks for the cool answers again, definitely a field I have no clue of.

Oct 4, 2018 21:09
|
shame on an IGA posted: The fact that this was in Bloomberg makes me think someone is loaded up on out-of-the-money stock options and trying to manipulate the market. And also that it's all true because lol @ infosec

What Bloomberg describes sounds to me like a security audit found a component that wasn't in the original design spec, something that was being added at the factory and no one could immediately say why. Most likely this turned out to be a poorly documented or undocumented but entirely innocent change to ease manufacturing or correct a marginal defect that cropped up once the board hit the market. That sort of thing happens all the time.

That's a pretty big risk all by itself, and this time frame also coincides with infosec becoming much more aware of and concerned with potential vulnerabilities created when individually secure hardware, firmware, and/or software interfaced. So it would be no surprise if the US then spun up an investigation to find out what someone might be able to do if they snuck a tiny component onto a board. Before long you'd have a red team putting out reports and demonstrations on different ways they - and thus a potential adversary - could use that threat vector to create and exploit vulnerabilities.

It's not hard for someone who doesn't have a strong technical understanding to take that information, especially if they had reports that Chinese intelligence was messing around in the same space, and jump straight to "it happened," when the real conclusion was that it could happen.

EDIT: Rereading the article, I realized the more likely scenario flipped the order of things.

Comrade Gorbash fucked around with this message at 21:32 on Oct 4, 2018

Oct 4, 2018 21:12
|
Whether it did or not, it's 100% going to.

Oct 4, 2018 21:25
|
Fojar38 posted: Supply chains go through all sorts of countries, both NATO and non-NATO, but if push came to shove it's pretty much only the USA that would be in a position to build up that sort of domestic industry, ideally they'd still be able to lean on non-NATO treaty allies though like Japan and South Korea.

Making motherboards is not nearly as hard as making the stuff that goes on them. You could make them in all sorts of places. They are also made in Taiwan, Japan, South Korea, and the US.

Oct 4, 2018 21:35
|
shame on an IGA posted: Whether it did or not, it's 100% going to.

Could someone try it, especially in the commercial space? Sure. But it's a lot of effort for uncertain pay off with a tremendous downside.

Oct 4, 2018 21:52
|
Mortabis posted: Making motherboards is not nearly as hard as making the stuff that goes on them. You could make them in all sorts of places. They are also made in Taiwan, Japan, South Korea, and the US.

As far as microchips there actually is a decent amount of production capacity in NATO countries. Companies like Micron still make a lot of stuff in the US, for example, with one of the chief reasons for it being that their technology is under constant threat of theft by Chinese companies/gov (often the same thing). Microchip manufacturing is a bit insulated from cheap Chinese labor sucking it all into China simply because no matter where you build the things you need to use the same machines to build and test them - you can't just throw a bunch of low-wage laborers at the problem to save cash. Making motherboards not so much.

Oct 4, 2018 22:30
|
Mazz posted: Companies like Thales, Siemens, BAE are large, diverse, capable enough companies that they can spin that up given government budgets to do it so I don’t really think it'd be a problem. It wouldn’t happen overnight but it's certainly not out of the realm of possibility.

Don't forget about ST Microelectronics.

Oct 4, 2018 22:48
|
The NSA has a history of intercepting shipments of computers to persons/places of interest. I'd imagine it'd be even simpler for the PRC to hijack shipments of computer hardware and compromise them, chalking up any delay as "it's China, el-oh-el." Case in point - if a shipment of Lenovo computers is going to the DC area, even if the US Govt. won't use them anymore, it'd be worthwhile to compromise them on the off-chance an end user with a clearance buys one for their personal use or it finds its way into a private sector environment where enforcement is more lax.

Oct 4, 2018 22:51
|
feedmegin posted: A Cortex M0 with a few k of ram/rom is readily available and can absolutely be made that small. Doesn't need to be a fancy custom ASIC or anything.

Yeah, I'd think they have access to the process and manufacturing technologies required. There is difficulty in making very deep sub-micron semiconductors, and then there is the difficulty of producing them with sufficient yields where you can actually make money on it. The second is what organizations like Intel, TSMC, GlobalFoundries, etc. spend millions upon millions of dollars trying to optimize. I'm having a really hard time constructing scenarios where this could be done "just right" without adding actual wires on the board / without having a footprint where a thing would go. There's a lot of things that are theoretically possible but so many things have to go just right for it to work.

Cat Mattress posted: Don't forget about ST Microelectronics.

They do a lot of the rad-hard devices for ESA, and as a result I would imagine European defense companies are also patrons of this particular offering. Hell, ASML (leading lithography vendor) is a European company (with some stake held by Intel).

Oct 4, 2018 22:52
|
BIG HEADLINE posted: The NSA has a history of intercepting shipments of computers to persons/places of interest. I'd imagine it'd be even simpler for the PRC to hijack shipments of computer hardware and compromise them, chalking up any delay as "it's China, el-oh-el."

Generally speaking government and corporate industry in China cooperate very closely. The government hands over stolen tech, keeps foreign rivals out of the domestic market, and maintains the laissez-faire environment the companies rely on to make giant bucketloads of money without any laws or worker problems to worry about. The companies provide a fuckload of money to everybody who's anybody in the CCP and do whatever government tells them to do (or else).

I don't think the Chinese government would have to resort to intercepting computer shipments when they actually can just have them manufacture this run of motherboards through subcontractor X who manufactures a modified version. If anyone finds out about the modified boards they blame the subcontractor (who will disappear) and become a bit more careful in the future.

Warbadger fucked around with this message at 16:54 on Oct 5, 2018

Oct 4, 2018 23:11
|
Speaking of Putin and strange things happening. https://www.thedailybeast.com/russian-official-linked-to-natalia-veselnitskaya-the-trump-tower-lawyer-is-dead

Oct 4, 2018 23:28
|
I'll just throw out that all the major FPGA and ASIC companies are implementing multiple methods to verify that their designs haven't been tampered with. Not only in static bench tests and factory inspections but also dynamically during operation. They have been working towards this for 5 or 6 years. So, whether or not the Bloomberg article is factually correct it is coming from a place of vulnerability that is believed to exist by all the major vendors.

Oct 4, 2018 23:55
|
To the denials by Amazon and Apple - I tend to think they know a direct accusation of China would hurt future business in that country. Any acknowledgement will be retaliated against by the Chinese government.

Also, of course China will do whatever it can to leverage its chip manufacturing position to gain a geostrategic advantage. They don't actually believe in the "rules based liberal order" crap spewed about at Davos and TED talks. Inserting a hardware backdoor into motherboards sounds so obvious that, no matter the technological difficulties, it is worth a shot. Even if the attack can only be used once, e.g. as a remote kill-switch, it is still worthwhile. What are the tech firms going to do, return chip manufacturing to the West?

Oct 5, 2018 01:10
|
Wow, I can never get away from work. While I'm skeptical at the specific claims made by that article for a variety of reasons, I don't think the broad strokes are too far out there mostly because of how private businesses and the PRC government are extremely close.

Oct 5, 2018 02:20
|
In a country where your business can be expropriated or shut down by the government on a whim, and in which getting things through the government bureaucracy requires bribery, you bet private industry has a close relationship with the government. It's essential to survival.

If this is true, then manufacturers will move their supply chains and companies will replace their equipment faster. Servers depreciate pretty quickly anyway, so replacing them early is nasty but not necessarily devastating.

Mortabis fucked around with this message at 03:05 on Oct 5, 2018

Oct 5, 2018 03:01
|
Mortabis posted: In a country where your business can be expropriated or shut down by the government on a whim, and in which getting things through the government bureaucracy requires bribery, you bet private industry has a close relationship with the government. It's essential to survival.

Yeah but what about China?

Oct 5, 2018 03:08
|
Calling it now. The Bloomberg story was planted by Russia.

Oct 5, 2018 03:10
|
mllaneza posted: Calling it now. The Bloomberg story was planted by Russia.

Oct 5, 2018 07:27
|
Carth Dookie posted: Yeah but what about China?

Oct 5, 2018 08:56
|
Sperglord posted: To the denials by Amazon and Apple - I tend to think they know a direct accusation of China would hurt future business in that country. Any acknowledgement will be retaliated against by the Chinese government.

There are denials of the vague, put-the-best-spin-on-it-but-don't-really-deny-anything sort, and then there are denials of the "No, this is entirely loving wrong and it never happened" sort.

https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond

quote: Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/

quote: Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.

And Amazon's statement is just as nonequivocal and is signed off on by Schmidt, their chief information security officer:

quote: There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

PR denials are usually not phrased in a way that would totally destroy the company's credibility if they're falsified. Hell, they're usually phrased in a non-falsifiable way for just that reason. These are hard and significant denials that are hard to square with the Bloomberg story being accurate.

What the heck is a "signal conditioning coupler" in the context of a motherboard, anyway?

Oct 5, 2018 13:33
|
Phanatic posted: What the heck is a "signal conditioning coupler" in the context of a motherboard, anyway?

You flip it to “AUX” to stop the Chinese hack.

Oct 5, 2018 13:42
|
I feel like trying to placate the Chinese at the expense of like a Congressional hearing on espionage would be a bad choice anyway.

Oct 5, 2018 15:19
|
Platystemon posted: You flip it to “AUX” to stop the Chinese hack.

Oct 5, 2018 15:35
|
Phanatic posted:

If it's anything it's a capacitor. It's entirely possible that this is true but Chinese intelligence only bugged a couple of carefully selected boards that went into critical areas. Bloomberg's error would be to assume that it's a widespread thing that affects every board, which is easily tested as Apple and Amazon have done.

Oct 5, 2018 15:42
|
Mazz posted: I feel like trying to placate the Chinese at the expense of like a Congressional hearing on espionage would be a bad choice anyway.

Have you been following congressional "la la la I can't hear you" on information security issues at all for....18 months? I'm not even talking about Rusrus or election security.

Oct 5, 2018 15:45
|
https://www.theregister.co.uk/2018/10/04/supermicro_bloomberg/

One of the Register's paths of speculation: There WAS a somewhat informal get together of national security and info sec from big tech companies. The risk of a similar attack was discussed because it’s definitely a possibility. Bloomberg doesn’t actually have the documents discussing the alleged attack, just people that saw them. So that leaves wiggle room for a well meaning person to interpret that as an attack that actually happened. They then start checking other sources that say “Yes we dropped them/made changes because of security vulnerabilities we saw.” Which were real though it wasn’t the actual one in the report. It relies on pretty sloppy reporting being involved but it’s a way neither side is actually lying. Still a big who knows unless the reports show or someone gets hands on a vulnerable board.

Oct 5, 2018 16:13
|
That article brought up a point that was bugging me but I hadn't quite thought all the way through until now. If the implant chip is the size Bloomberg described and also does what they say it does... that's some really impressive tech. Like, four to five years ahead of everyone else tech if you're in the deployment phase by 2015.

It's not just that until now no one thought China had that capability - it's that until now there's been no evidence anyone could manufacture working devices at that scale when this was supposedly happening. IBM didn't have test chips at the necessary scales working in a lab until July of 2015, and they had Samsung, Global Foundries, SUNY Polytechnic helping out. Bloomberg is suggesting this chip was discovered in "late spring 2015," so at least a month or two before that.

If China actually had that technology pre-2015, using it for this kind of spy game nonsense would have been among the least effective ways to make use of the capability. Hell the negative impact of that capability being exposed if/when the implant was discovered would have outweighed any possible gains even if the attack worked perfectly.

It's still possible Bloomberg does have a scoop on an actual attempted subversion of the supply chain, but at this point I have to view the methodology described in the article as science fiction.

Comrade Gorbash fucked around with this message at 16:45 on Oct 5, 2018

Oct 5, 2018 16:39
|
It could be the size described if it's something very simple that somehow triggers an exploit in the management engine over spi/i2c. It needs far more details on the claims because they are pretty out there, but it seems vaguely within the realm of possibility.

Oct 5, 2018 17:01
|
I always knew i2c was pure evil.

Oct 5, 2018 17:06
|
Phanatic posted: What the heck is a "signal conditioning coupler" in the context of a motherboard, anyway?

It’s not a thing strictly speaking. Could be an IC (you see them around eSATA ports or similar for redriving / retiming), resistor (termination as I mentioned earlier) or perhaps a capacitor as mentioned earlier (AC coupling, usually placed very close to transmitting device).

Oct 5, 2018 17:10
|
Carth Dookie posted: Yeah but what about China?

A lot of private corporations in China actually started out as government scams to make money. Early in the CCP->Capitalism era (after Mao died and they started moving to a more normal economy) the CCP was still very much against public officials making tons of money because it would be counter to their position and ideals. What they would do is have a friend (outside of the party power structure) who would be sold a mine, or an office, or given a lucrative contract for a ridiculously small sum. The idea being that that person/company would be guaranteed to be incredibly successful because they were essentially a (hush hush) CCP run company. The CCP officials who made it happen would then get their share of the spoils under the table so they could still have the illusion that they had no part in the scam.

Basically they took a lot of cues from the US defence industry in how generals/politicians make a decision that benefits a company, then when they retire they get a nice cushy "job" at that company.

Oct 5, 2018 17:59
|
|
The PLA also apparently has tacit ownership in a lot of these enterprises making it possibly the largest criminal organization in the world, by most reasonable uses of the term.

Oct 5, 2018 18:09