China Used Tiny Chip in Hack That Infiltrated Amazon, Apple

Discussion in 'Security and Anti-Virus Software' started by hmscott, Oct 4, 2018.

  1. Kevin@GenTechPC

    Kevin@GenTechPC Company Representative

    Reputations:
    818
    Messages:
    7,491
    Likes Received:
    1,670
    Trophy Points:
    331
  2. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,914
    Messages:
    17,264
    Likes Received:
    21,179
    Trophy Points:
    931
    You should re-read the links you posted, there is no accusation of nor admission of any such kind from Bloomburg or any of their sources.

    However, given the pressure to remain silent, those anonymous sources once found out, would most likely recant to save their jobs / skins. That is how it always works out in the end in situations where suppressing details is deemed necessary.

    That's why it's impossible to get solid verifiable confirmation of such incidents.

    On one hand the national security apparatus is warning us of such dangers, while at the same time they are gagged from providing supporting evidence for the same security reasons.

    Lol all you want, if that makes you feel better, secure in your ignorance once again. For further comfort, know that need to know is for those that need to know. Apparently you don't need to know. ;)

    "Update: A Bloomberg News spokesperson told us “As is typical journalistic practice, we reached out to many people who are subject matter experts to help us understand and describe technical aspects of the attack. The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware.

    Joe FitzPatrick was not one of these 17 individual primary sources that included company insiders and government officials, and his direct quote in the story describes a hypothetical example of how a hardware attack might play out, as the story makes clear. Our reporters and editors thoroughly vet every story before publication, and this was no exception.”"

     
    Last edited: Oct 11, 2018 at 12:09 PM
    Kevin@GenTechPC likes this.
  3. Kevin@GenTechPC

    Kevin@GenTechPC Company Representative

    Reputations:
    818
    Messages:
    7,491
    Likes Received:
    1,670
    Trophy Points:
    331
    Chinese hackers do not need any chips to hack into our servers. Any of the existing exploits (whether documented or undocumented) are already available for them to take advantage of. Our national security relies on exercising the best practice to secure our systems. No matter how many angles we look at this topic again and again, it's one story by one media versus many security experts.

    If Bloomberg is right, that means everyone else is not (Apple, Amazon, Supermicro, etc).
    It's Bloomberg's word against several others.

    They don't need to reveal their sources, but at least they should elaborate on the details on the implant. It's shocking that no security experts today have yet to find out how the implants works after the story broke out a week ago.
     
    Last edited: Oct 11, 2018 at 12:41 PM
    hmscott likes this.
  4. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,914
    Messages:
    17,264
    Likes Received:
    21,179
    Trophy Points:
    931
    Actually it's 17 sources, 30 companies, and Bloomberg vetting and cross checking the information, so it's not as you seem to imagine it is, as it isn't just one person's word against another.

    30 companies, 28 entities besides Apple and Amazon - those 2 from 2015 - going on 4 years since it began for them, and you expect unconnected "security experts" to jump in and give you specific details about the exact event(s)?

    Software becoming hardware, integration subsuming multiple functional components, are all the way of progression from software simulation to hardware implementation, and for any "application" that can be improved while access and detection being removed from scrutiny is all the better.

    It's not going to come out any more cleanly in explanation than it already has come out because the clamp down on disclosure was put on years ago, and I expect it is a constant point of vigilance moving forward.

    It's nice to get some kind of view into what's going on - even hazy ones like this. I wouldn't expect anyone in national security to volunteer anything but misinformation on this subject publicly.

    No one is going to give us the plain talk straight details any time soon, if ever.
     
  5. Kevin@GenTechPC

    Kevin@GenTechPC Company Representative

    Reputations:
    818
    Messages:
    7,491
    Likes Received:
    1,670
    Trophy Points:
    331
    Scott, we are all trying to keep our mind as open as possible (sure, anything is possible) but gotta do our due diligence to analyze the data, think about the logical reasoning behind it, etc.
    Even no details was disclosed, shouldn't someone by now had already discovered how this was done (eg: connected security experts)? It's not hard to inspect the design of the board with someone who is SME in that field, and it's not hard to inspect network traffic. Everyone tightens up the coil and waiting for the storm but all they see right now are thunder and flash. :)
     
  6. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,914
    Messages:
    17,264
    Likes Received:
    21,179
    Trophy Points:
    931
    Bloomberg has spoken with them - the people with first hand knowledge - that can't talk about it in detail publicly - and given us what they can from their research.

    I would imagine that the Bloomberg investigators realized that they had gathered all the information that they are going to get, knew that they themselves were at an impasse, and didn't want what they had dug up to all go for naught, so they released what they had.

    Perhaps Bloomberg thought disclosure of what they have so far would help discover more information from more sources once the ball was putting into play.

    I've said all I can to help explain it from a realistic perspective, and I've tried to help you grasp the nature of the situation and why detailed public disclosure won't happen any more than it has... unless it does someday should a break occur in the story.

    Like the many national security infrastructure warnings without specific details - they need to get the warning out, but can't give the specific details. It all makes sense from their perspective.

    From my perspective I heed those warnings, and I don't demand what I know I can't get: detailed public disclosure of the specifics that would also aid the offending actors.

    Given the huge investment we have in our national security and military infrastructure, I'm going to operate under the assumption that they know what they are talking about - even if they won't tell us exactly what that is in detail.

    Sometimes the heads up information can't come in the form of public warnings, or private inter-agency warnings, and instead must come in vague aged form from side channel releases, like these, that are now too old for someone to dig into it and provide verifiable proof.

    A safe nondescript heads up is better than nothing.

    Like I said before, perhaps there are compromised servers sitting gathering dust in some forgotten storage room, having missed the recycling drives, that someone will discover... now that the word was put out by the Bloomberg article.

    It could happen. :)
     
    Kevin@GenTechPC likes this.
Loading...

Share This Page