The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

[mouser]

Nice long cool article: "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies"

In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video...
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers... During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

https://www.bloomber...rica-s-top-companies

[wraith808]

None of that has been proven though.  It's going to be a big problem- Bloomberg is not giving out sources, and no one is confirming.  Could end up with egg (and the SEC) on Bloomberg's face if this is proven to be false.

[NetRunner]

Could end up with egg (and the SEC) on Bloomberg's face if this is proven to be false.

-wraith808 (October 04, 2018, 11:27 PM)

If a joke cost Elon Musk 20KK, I wonder how much that would turn up to be.

[YannickDa]

Bloomberg now spreading "fake news" : where are the proofs ?

Looks like a conspiracy theory to me.

Mass-media headlines to throw the people into psychosis; now there are the "Good conspiracy theories" and the wrong ones...

"Russians plot to destabilize the U.S.A. !!!" -> Good conspiracy theory
"Chinese hackers penetrating D.O.D. servers !!!" -> Good conspiracy theory

But N.S.A. spying on everyone turns out to be "fake news" leaked by traitor E. Snowden being a russian asset working for the Kremlin.
Ha ! "Wrong conspiracy theory" ! You're a sick nut if you believe that ! 

[wraith808]

Bloomberg now spreading "fake news" : where are the proofs ?

-YannickDa (October 05, 2018, 12:04 PM)

I wouldn't go so far as to label it fake at this time.  But I definitely have a hard time believing it without proof or corroboration, and the government isn't going to corroborate the vector by which they were hacked if indeed they were.  It's a hard place to be in, journalistically.

[mouser]

Interesting quora post from someone who thinks the article is wrong:
https://www.quora.co...answer/David-Seidman

[IainB]

Nah. We all know them pesky Russkies rilly the ones wot dun it, eh?

[wraith808]

Interesting quora post from someone who thinks the article is wrong:
https://www.quora.co...answer/David-Seidman

-mouser (October 06, 2018, 05:51 AM)

Thanks!  That was really interesting, and he made points there that I'd not considered, and think are completely salient to the situation, e.g.

Apple's statement[2] is really quite extraordinary. They unequivocally deny the entire story and strongly criticize Bloomberg. You just absolutely couldn't do that if you weren't telling the full truth. It would completely destroy your credibility when the truth came out, which it definitely would. Your lawyers would not let you make a materially false statement. And your auditors would demand access to verify your public statement, as I imagine they are indeed currently doing.

Leading to:

Apple's statement isn't full of weasel words. They flatly state that everything about the article is false and deny several specific allegations individually. Our lawyers were reluctant to let us make flat denials even when we were 100% right.

Leading to:

Lying to investors about a breach of this magnitude is a “go out of business” level offense, and the officers of the company would go to jail.

...

... getting hacked like this doesn't put you out of business. In most cases it doesn't even hurt very much. Nobody expects Apple to be perfectly secure against a government, and that's good because it's not possible. Every single big tech company has been breached at some point.

That line of reasoning about those at Apple and the weight of the possible consequences... It just makes sense.

[Shades]

A chip the size of a grain of rice, cannot have too many different connectors on it. Which makes me think that it may be able to do one or two of the suggested breaches, but not all of them.

The servers in question were of the blade server model. That means highly densed motherboards, which in turn leads to motherboards that consist of multiple layers of etched electronic pathways to get all the electronics connected properly.

From what I understood the chip was planted on the top of the mainboard, meaning that getting it connected to all necessary pathways will be difficult, even with equipment.

In short, I have my doubts about the capabilities of such a small chip and proper connectivity to be able to the proposed breaches seems highly unlikely. Size limitations being the main problem here. I would assume that it would be easier to replace one of the standard electronic chips with an altered one and solder that back. Requires less equipment to do, can be done by lesser technical hands and will not draw (immediate) attention.

[Deozaan]

I'm just starting to read the article (and will read the quora post after) but the doubts cast on it in this thread alone make me wonder if this will be another "Rolling Stone incident."

[Deozaan]

Other things came up and delayed my reading of the article and the quora post. I just finished. Very interesting story.

Reading Apple's statement on the matter, I couldn't help but think "of course they would deny it if the government forced them to" and then I came to this:

Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.

-https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/

[wraith808]

At this point, someone is going to be in a lot of trouble.

https://www.engadget...upermicro-tampering/

In a letter to Congress, Apple reiterated that it found no evidence of microchip-based server tampering by Chinese agents that was reported by Bloomberg Businessweek. The company, along with Amazon and server manufacturer Super Micro, had previously released forceful denials of suspicions that its servers contained malicious components. The US Department of Homeland Security (DHS) and UK cybersecurity officials had also chimed in, saying they have no reason to doubt Amazon and Apple's denials.

Apple VP for IT security Goerge Stathakopoulos sent letters to both the US House and Senate Commerce Committees, according to a Reuters report. "Apple's proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity," it stated. "Nothing was ever found."

The letter also repeated press statements from Apple that it never discovered any backdoor components that could compromise user security. Apple originally said that it "conducted rigorous internal investigations based on [Bloomberg's] inquiries and each time we have found absolutely no evidence to support any of them." The company also noted that the story was based on 17 anonymous sources, with some allegations based on even fewer unnamed sources.

As a reminder, Bloomberg's report stated that Amazon and Apple found suspicious chips on widely used Super Micro servers that could relay information to foreign agents, who could then possibly initiate more intrusive attacks. Since publication, however, the companies involved have forcefully pushed back. Bloomberg said the investigation was "top secret" and that it stood by the article.

[IainB]

Maybe there's a silver lining here. I mean, for example, supposing that the market value of Amazon and Apple stock had just tanked on a lack of confidence, based on the news of the Chinese hack published in good faith by Breitbart, and that stockholders had been subsequently unloading it like the plague before it fell even lower. Suppose that someone had decided to buy a lot of it at the currently lower bargain price levels and then the "convincing" news that it's not a hack after all coincidentally meant that the stock just bought would be worth a lot more overnight as confidence was restored. That someone wouldn't even need to settle on the purchase before selling it at a clear windfall profit.
Wouldn't that be a lucky thing!?   

These things can be just "lucky coincidences" for some and "opportunities" for those imbued with good investment foresight. And it's not like something similar hasn't happened before - is it?

For example:

• Tesla: the report in the news that Tesla likely to face SEC investigation following Musk tweets amid debate of market manipulation. It seems that the CEO of Tesla apparently could have inadvertently probably caused a temporary spike in the continuum of Tesla stock value by Tweeting what turned out to be an apparently incorrect/untrue statement about funding being available for a private buyout, or something. This apparently could have run counter to SEC rules, in retrospect.
• Intel (Spectre/Meltdown): a  while back I read somewhere that the CEO of Intel had apparently/reportedly unloaded a lot of stock shortly before the Spectre/Meltdown "security flaws" were so systematically published and likely to cause a temporary spike in the continuum of Intel stock value. (I don't recall reading whether this could have run counter to SEC rules in retrospect, or whatever.)

I recall reading of a big investment funds manager in the UK in the '70s called Jim Slater, who seemed to be perpetually having that kind of luck - he seemed to have really good foresight; apparently made millions by it. He was apparently put into clink and did time - I don't recall the full details - but he was recognised as being a good investment adviser.   

[wraith808]

Well, the pressure is mounting:

https://www.engadget...eillance-retraction/