Holy horsepoop Batman...

Discussion in 'Hardware' started by cloasters, Oct 5, 2018.

  1. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    8,383
    Likes Received:
    82
    Trophy Points:
    48
  2. Daniel~

    Daniel~ Chief BBS Administrator Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    11,354
    Likes Received:
    170
    Trophy Points:
    63
    Location:
    Greenwater WA
    Home page:
    Just spent a good 1/2 hour reading and listening to this report.
    Are we completely asleep at the switch?
    How hard can it be to closely examine a mother board? If we can build them, design them, we should be competent to inspect them...no?

    Who here did they bribe to make this happen?
  3. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    8,383
    Likes Received:
    82
    Trophy Points:
    48
    It's a tiny SMC that can easily be seen as a simple capacitor or resistor. Then again, it appears to have four "legs," but you really have to look hard to see that.

    Am I trying to let Big Biz/Big Gov off of the hook? Never! Was just a simple comment.

    Long ago, Supermicro made mighty fine consumer motherboards. Shoulda known that it was staffed with how to put it delicately... well I can't. Wait, I don't know what their "team" looked like many years ago. Looks a bit Red Chinese nowadays.
    I'm not really against China. But it may be too late to realize(duuuuuuuh!) that we're rather easily outsmarted by... well, there are so many to choose from.

    Bribed....Us? Never ever.
    Last edited: Oct 6, 2018
  4. Gizmo

    Gizmo Chief Site Administrator Staff Member

    Joined:
    Dec 6, 2012
    Messages:
    2,285
    Likes Received:
    174
    Trophy Points:
    63
    Location:
    Webb City, Missouri
    Home page:
    This whole story smells, IMO. Full disclosure though; I have a LOT of SuperMicro servers deployed, so one could argue that I have a vested interest here.

    OK, sure, we can write off SuperMicro's denials: they have already lost a great deal and stand to lose a great deal more. Even if this story proves to be categorically false in every detail, SuperMicro are basically ruined already, even though it seems unlikely they actually participated in this directly.

    But Apple? Amazon? They have an out. They can always say "We didn't know the servers we got were compromised". Or they can make some kind of mealy-mouthed non-denial denial because of NSA gag orders. Or they can say "We cannot comment on an ongoing investigation." Yet the denials are quite explicit and emphatic, and against a company with the reputation and resources of Bloomberg. If it turns out that Bloomberg's story is accurate, they will take a hit as well.

    Bloomberg also stand a lot to lose if they've gotten the story wrong; a news agency's credibility is a critical thing, not to mention the serious financial liabilities they could be opening themselves up for.

    Finally, pretty much everyone in the tech community looks at this and goes "eh, what?". Sure, the ATTACK is POSSIBLE. But being possible and being PRACTICAL are very different things. The U.S. has engaged in modification of hardware when attacking SPECIFIC targets, but that was always a small number of systems, not entire factories. In addition, the environments that targeted systems are intended for would be isolated from open Internet communication in all but the most juvenile of installations. Further, the compromise, in order to work, would require intimate knowledge of the operating system being run.

    Just how many different versions of Windows and Linux are in production systems right now, and being installed? Anyone want to take a guess? It's AT LEAST DOZENS, if not HUNDREDS. Building an attack system, as described, capable of compromising all or at least most of those systems just doesn't seem practical, at least not in the way described.

    It seems like the best way for this attack vector to work is by modifying the BMC firmware as it is downloaded by the BMC. This is certainly possible, as you would at least have knowledge of the OS (the firmware) being installed, so you could make your attack work. If you've compromised the factory, then you can also make sure the same firmware gets loaded on every system, and that you are made aware of firmware changes. HOWEVER, if the user loads a different firmware when they get they system (and most IT shops will update to the latest firmware available, which is typically at least one, if not several revs newer than the factory provided version). Once that happens, your attack is boned again, UNLESS you have managed to update your attack code with the modifications necessary to attack the new BMC firmware.

    Seems like an AWFUL lot of work, when it would be easier to just directly compromise the BMC firmware. I mean, you've already got control of the factory. Just have them load the firmware you want. Once you've got the firmware you want, you can then have it act like it has taken a new download, even when it hasn't, and you can do all kinds of things to hide the presence of your firmware; things which, frankly, would be essentially impossible to detect without actually removing the firmware chip from the suspect system, installing it in a diagnostic cart, and downloading the contents.

    No, I don't think this story adds up, as described. There's something missing here. I'm sure the details are going to come out eventually.

    Also, it's worth pointing out that I work for a major ISP, and as I said above, I have a LOT of SuperMicro servers. While I won't claim to know all of the political machinations that occur within the organization, I think it rather likely that if the several thousand servers we have were compromised, I'd at least have heard SOMETHING about this.

    The question in my mind right now is "Who stands to gain the most from this report?".
  5. Kaitain

    Kaitain Active Member

    Joined:
    Jul 24, 2016
    Messages:
    373
    Likes Received:
    34
    Trophy Points:
    28
    El-Reg posted their analysis of the whole sorry tale.
  6. Daniel~

    Daniel~ Chief BBS Administrator Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    11,354
    Likes Received:
    170
    Trophy Points:
    63
    Location:
    Greenwater WA
    Home page:
    Naturally I can't speak to any of the tech aspects of this story. But as I see it Bloomberg is hugely invested in getting the story right in detail.

    Whereas Apple and Amazon are equally invested discounting or completely denigrating it. How hard could it be to get hands on with one of the suspected motherboards.?
    Thanks everyone great series of posts!
  7. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    8,383
    Likes Received:
    82
    Trophy Points:
    48
    Now that I've learned more about the issue. It is way over my head, tbh.
  8. Daniel~

    Daniel~ Chief BBS Administrator Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    11,354
    Likes Received:
    170
    Trophy Points:
    63
    Location:
    Greenwater WA
    Home page:
    Thanks K!
    This guy is one sharp cookie. He took me to school. Thanks for the introduction.
    It's no easy thing to write on highly technical subjects in a manner that actually interests a non tech. reader such as myself. If you can gain our interest the battle is half won.

    My biggest question remains unanswered.
    How is it that Bloomberg hasn't acquired a 'fixed' mother board with which to prove at lest some of it's assertions? How is it that they can't say exactly how the hardware hack was carried out? But do assert that it was?

    An actual "proof of concept" board sporting such tech would go a long way towards pointing a finger at who what and where.

    They spent a year on this story. Huge huge investment for any news org. Yet many seem to feel that there are missing pieces...Why?

    Yet as Kieren McCarthy delineates both Apples and Amazon's denials are short by far of being absolute.

    Everyone sees that there's something going on here..out side of the contending parties, nobody seems sure just what that is?

    Interesting times...
  9. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    8,383
    Likes Received:
    82
    Trophy Points:
    48
    Heaven forbid that a spade be called a spade! The majority of present day journalism as a-scared of telling the truth about almost everything. Why? Who signs their paychecks? Why just six corporations share that GREAT HONOR.

    Corporations have a very well defined goal, with very few exceptions. No collusion is necessary.
    IMHO? Of course!
  10. Daniel~

    Daniel~ Chief BBS Administrator Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    11,354
    Likes Received:
    170
    Trophy Points:
    63
    Location:
    Greenwater WA
    Home page:
    Sorry but I have to call bullshit on this one George. Journalist around the world are disappearing at frighting rate. They are disappearing because they told the truth as best they knew it.
    In this country they are enduring a slander never before seen. The press is all that is holding our democracy together.

    Or would you prefer getting your news from trummy? There are very well funded efforts to discredit and abuse the press. Why not add your abuse?

    Because doing so lessens our democracy's chances of survival. A Free press is the necessary prerequisite to having a free election, a free country.

    Any one who takes time to watch the news quickly learns that many points of view and many points of news origination are available. Most within the realm of the real.

    Propaganda has always been with us. That's why we must support and maintain news organizations that report reality.

    It doesn't help to brand all sources of news "Fake" or "corrupt" or "inaccurate"....unless you want a populous divorced from the real.

    Of course the news is owned by someone. But if you want to be a respected news out let you just can't get it wrong very often.

    How many news outlets do you see actually supporting trummmy???

    Your wrong George and your wrong in what I consider to be a very dangerous way.
    When we no longer trust the veracity of the press, not on a single story but across the board

    Then Trummy news has won.

    There are real, devoted and extremely hard working reporters out there. Most of what we know of trummy prior to his run for office we know thanks to the NY times. News papers will bring tummy down.
    TV news shows Trummy to be a fool and a moron every day.

    EVERYTHING You think you know about public events you got from one news source or another.

    Is it your sources you doubt or just mine?

    I ask as mine have been extremely accurate over most of my life time.

    Show me a major story everyone got wrong. How do you know they got it wrong? Because they TELL US when they get it wrong. At lest all of my sources do.

    Stay in the middle where the truth is born and where the truth can nourish us.
    I think you would take heart if you realized how many reporters , editors and entire news organizations are NOT FOR SALE.

    Who take their duty to be to properly inform you of what is going on in our world.

    If you can't tell the good from the purely evil...well that's on you isn't it?
    Both are available. Fox bullshit aside, good accurate news isn't at all hard to find.

    Why are they so accurate? Because there are literately a thousand reporters out there to tell you and each other when someone gets sloppy or lazy with the facts. They self regulate! They report on the press!

    There is good and bad in every field of human endeavor. We the people must put in the effort to discern between the two. I have always found the Good to be well served by the news.

    Our war in Asia changed our news quite a bit. We no longer believe a thing because pols tell us to. or at lest we no longer have to. The news no longer accepts government hand outs with out examination.

    You can find criticism of every gov. function. It remains with the reader to decide whose point of view in most reality based.
    We must hold to the truth that just because we don't agree doesn't mean the news is false or slanted.
    And just because we like it doesn't make it true.

    We may not know today, but almost of a certainty we will know what is what tomorrow..
    Last edited: Oct 8, 2018
  11. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    8,383
    Likes Received:
    82
    Trophy Points:
    48
    Good points, Daniel~. I support, as in send money to sources that I trust. These are not NBC, MSNBC, ABC, PBS, or most sadly, CBS. They were the last of the big time news sources to join the George does not agree with much of what they broadcast team. Just because I don't trust these sycophantic ""sources"" doesn't mean that millions do not still trust them.
    Fer goodness sake, Trump as a news source is beyond ridiculous.

    ~~"The news no longer accepts government news handouts as reliable?" Puhlease!
  12. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    8,383
    Likes Received:
    82
    Trophy Points:
    48
    I will attempt to leave my political arguments out of our board. Daniel and I have decidedly different viewpoints. No reason to keep the argument going. My apologies!
  13. Kaitain

    Kaitain Active Member

    Joined:
    Jul 24, 2016
    Messages:
    373
    Likes Received:
    34
    Trophy Points:
    28
    Actually I think cloasters had a point - at least as far as domestic political reporting goes.

    There are certainly journalists out there with great integrity, who are prepared to suffer any consequence (including their own death) to get the truth out. You've got people reporting despite the risk from various war zones and oppressive regimes, or investigating powerful individuals and corporations at all levels of society, from local activists to international affairs. I have a great deal of respect for these reporters.

    I have a lot less respect for editorial writers and political pundits. These guys will quite happily follow their paper's chosen political affiliation and make any old crap up to support it. Unfortunately, when it comes to political reporting, most people only read the editorials. As Facebook's algorithm neatly demonstrated, people actively avoid editorials that challenge their own prejudices.

    This sort of content requires little checking and can be bought - witness the carnage a bought editor or bought owners can do to the quality of reporting in a paper (yes, Barclay brothers, Murdoch, etc. I'm pointing at you.) I've long held the view that if you really want to know what's going on in your own country, you need to read the "world news" section of other countries' papers.

    So yes, press freedom - it's important, but it's also important to remember that a free press is not necessarily an unbiased, balanced, or even truthful press.
  14. Kaitain

    Kaitain Active Member

    Joined:
    Jul 24, 2016
    Messages:
    373
    Likes Received:
    34
    Trophy Points:
    28
    Back to topic: in the latest update from our friends at El Reg, the three and four letter agencies have backed the statements from Amazon, Apple etc. without actually addressing the accusations themselves. That said, Apple have pretty unambiguously denied the report.

    So how did Bloomberg get it wrong? Assuming they did get it wrong and these statements weren't written by people trying to avoid a stay in the basement of a nondescript building near Langley... here's a little work of fiction:

    Say you're a three letter agency, your competitor is all over you, your budget is about to be cut... and you're an expert on information warfare. Say you hold a little soiree to describe an attack that's both highly plausible and almost impossible to prove. Say you have assets in major tech firms prepared to feed the lines you feed them. Is that enough to string a couple of journalists along, asking the right questions and never quite having enough to publish? But the very fact they're questioning keeps the interest, and your budget, going.

    If indeed the story started at a cosy infosec soiree hosted by a three letter agency, then the Bloomberg journalists will have done their job and started researching it. Each of these organisations is huge, with enough employees that it's statistically guaranteed to have a number of them in the pay of one or more three letter agency, as a side-gig.

    Now say the elections come and go, and the new commander in chief of your entire military and intelligence structure happens to like picking fights with major trading partners, and has a stated policy of wanting to bring industry back home. Say said leader managed to get somebody who could talk in whole sentences to explain that it would be nice if some of these tech firms brought their work, their workers, their assembly lines and their IP home, to "make America great again." How much effort would it take to have a few more "disgruntled workers" in your pay to come forward and build a case?

    So now you're feeding disinformation to legitimate journalists, who build a legitimate story and publish it through a well-respected outlet.

    All of the above... I've made it up, it's bollocks. But vaguely plausible bollocks. It'll be interesting to see how the rest of this story plays out...
  15. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    8,383
    Likes Received:
    82
    Trophy Points:
    48
    Maybe it's just better to read all statements from Our Natural Shekurity Ajencys as the lies they most probably are?

    "Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely."

    Why trust word one from these sleazy up to no good boogers?

    Yes, it's only my opinion, but I'm disinclined to believe a thing said from people proven to have abundant evil and very little good. IMHO.
  16. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    8,383
    Likes Received:
    82
    Trophy Points:
    48
    Another politically inclined post from me. Sheeeeite!
  17. Gizmo

    Gizmo Chief Site Administrator Staff Member

    Joined:
    Dec 6, 2012
    Messages:
    2,285
    Likes Received:
    174
    Trophy Points:
    63
    Location:
    Webb City, Missouri
    Home page:
    This thought has crossed my mind also. I didn't mention it because it seemed just a bit too tin-foil-hat-brigade to me, but it seems more likely than any other scenario I've been able to concoct.
  18. Daniel~

    Daniel~ Chief BBS Administrator Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    11,354
    Likes Received:
    170
    Trophy Points:
    63
    Location:
    Greenwater WA
    Home page:
    [quote="cloasters, post:

    ~~"The news no longer accepts government news handouts as reliable?" Puhlease![/quote]

    If you don't watch these sources...how do you know?

    I watch those sources you mentioned regularly. I don't feel that much happens that takes me by surprise.
    Tummy vulgarity aside, my news stories generally have a beginning a middle and an end..
    I watch them develop

    My news stories are almost always covered by at least several sources and several publications.
    My news stories are verified as much as possible and rarely do they need to retract...When they need to they do.

    I wish I could say the same for you and I and people in general. How is it that you think that leaving the middle you will find truth in the extreme?

    I never have. Almost always the news follow the facts and facts,not opinion are the news. The rest is just editorial...which I freely admit I quite of often benefit from.

    News is highly competitive. it is rare that one source follows what the rest do not. One source often breaks a story , once a story breaks they all take a look if it's a big story.

    George they report the facts. If someone gets it wrong the rest of the press are all over it.

    Being obscure does not make a story or a reporter right. Being obscure just makes them less widely known.
    Being in the middle being checked by everyone else who dwells in the middle does!

    Theses precious truths you find in obscurity...who fact checks them? If they were out front with the news they would be followed by the rest of the press and far less obscure.

    There is no reason that the popular press should not know and report on far more than the obscure press.
    No reason that they can not assign far more resources than the obscure.

    The obscure can and does "sometimes" break a story. Here's how that works. A small news out let gets a break and breaks a story, say a big story. What happens?

    I'll tell you , the big guys in news take a look. If they see something in the story they assign assign assign.
    They often spend a small fortune investigating. And the small out let?Well for a week or so they are given credit. But then the story is moved past the discoverer by the big boys. Who have the resources to cover it.

    What is found in obscurity can not be trusted...Not until the middle has verified it. What good to have the news first if unverified?

    Obscurity is useless without verification from the middle...it just remains obscure. to be obscure is to be unverified and there fore mere assertion.

    Finally it is not until the press as a whole looks at a thing that we can get a clear reliable view of what's going on. Many sources reveal truth. One obscure source may get there first, but will remain obscure unless the rest of the press picks it up and investigates the facts exactly can we the public be said to know a god damn thing.

    Obscurity, is no more true than than what is broadly disseminated. Obscurity can break a story. But being obscure needs verification as does ALL news.

    The obscure by definition is unverified. No press outlet stands alone...except the obscure, all others relie upon, Need, other out lets to verify. This the obscure can do only under unusual conditions as the obscure has but a very few resources

    In short I'll take the widely reported and verified over the obscure any day.
  19. Daniel~

    Daniel~ Chief BBS Administrator Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    11,354
    Likes Received:
    170
    Trophy Points:
    63
    Location:
    Greenwater WA
    Home page:
    All true. Yet there's something I feel needs to be examined further
    An editorial can be bought. But let's take a look. What is an editorial. It's opinion and unless backed by facts must there for remain obscure. a lone voice calling out to others of like mind.
    Obscurity in this case means if comes from one source and can not often be verified...so editorials can never be the news. Must, unless broadly excepted remain in obscurity.

    The very essence of the news is to bring information out of obscurity and into the public consciousness.

    What remains in obscurity rarely has an impact. rarely needs to be widely known.

    I have spent my life upon what is obscure. The I-Ching is thousands of years old and intensely studied by millions...in nearly complete obscurity.":O}

    Not all that is obscure wants to be revealed. Some actually seek obscurity.
    Some for a higher goal some for criminal advantage, most simply to avoid conflict.

    Obscurity keeps the deer and -antelopes above ground.
    Keeps me from becoming the target of rabble-rousers.":O}

    When many proclaim a thing it does not on that account become true, but when many offer evidence it should not escape our notice.

    How are you doing K?

    It would be no exzaeration to say that I have missed you often.And as often wish you were here to set me straight.
  20. Daniel~

    Daniel~ Chief BBS Administrator Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    11,354
    Likes Received:
    170
    Trophy Points:
    63
    Location:
    Greenwater WA
    Home page:
    No reason to fear political argument. Democracy requires that we do so. In politcal argument there's no need to apologize just because your wrong. LOL

Share This Page