back to article Forgotten that Chinese spy chip story? We haven't – it's still wrong, Super Micro tells SEC

The computer server maker at the center of a dramatic secret Chinese spy-chip story has again insisted the yarn is wrong, and called the whole thing "technically implausible." US-headquartered Super Micro sent a note to its customers late last week denying all claims in a recent Bloomberg BusinessWeek article that the Chinese …

Page:

  1. Mark 85

    The simplest answer is usually the right answer...

    Normally that's true, but in the spy-vs-spy world maybe not so much. Another saying goes: "Every answer begats two more questions". It would seem someone is/has been shoveling the pile, the questions are "who" and "why"?

    From the article: Although a better explanation may be that it accurately reported a misinformation campaign put together by some part of the intelligence services.

    That seems a simple explanation but I'll reserve judgment as there's still too much politics, etc. from the agencies to really know. If its a misinformation campaign to discredit the Chinese, then Super Micro is taking a huge hit in credibiity in a variation of a drive-by shooting and the company and the IT industry will suffer.

    IF there's been mods to the board than why haven't any been produced for independent inspection? At this point, that would point back to the TLA's and "national security" excuses. The Rabbit Hole is getting deeper the longer this goes on.

    1. Gene Cash Silver badge

      Re: The simplest answer is usually the right answer...

      > IF there's been mods to the board than why haven't any been produced for independent inspection

      Bingo. Why isn't Super Micro going "look, no sekrit chippies here!"?

      1. JohnFen

        Re: The simplest answer is usually the right answer...

        "Why isn't Super Micro going "look, no sekrit chippies here!"?"

        You can't prove a negative. Super Micro could trot out boards all day long and show them to by spychip-free, and it wouldn't mean a thing in terms of demonstrating that the boards in question are spychip-free.

        The flip side of that is that the burden of proof is on the one making that positive claim. It's up to the ones saying there are spy chips on the boards to produce one as evidence. That would be meaningful.

        1. Anonymous Coward
          Anonymous Coward

          Re: The simplest answer is usually the right answer...

          The flip side of that is that the burden of proof is on the one making that positive claim. It's up to the ones saying there are spy chips on the boards to produce one as evidence. That would be meaningful.

          Which is Bloomberg's problem. If this did happen, as soon as it became apparent all suspect boards would have been replaced, rounded up and taken away by the Feds to a very secure location and destroyed other than a few retained for spooks to play with. All concerned (including China) are best served by a strategy of outright denial.

          Personally, I tend to side with Bloomberg, because if I were part of the Chinese intelligence service, that's certainly something I'd try. If the Chinese haven't tried this, it begs the question why not? Even before this they were still subject to the assumption of guilt and backdoors, with sales restrictions on certain kit and the like.

          I'm not sure that the logic is strong, doubting the story because the big DC businesses have advanced traffic monitoring which would have detected suspect traffic. For starters, maybe they did work, and that's how all the affected boards were rounded up. Maybe they didn't work - all the evidence of data leaks since big data existed suggests these tools have limited effectiveness. And in either case the Chinese would know that there's a risk of traffic detection - so would plan the attack and data exfiltration accordingly. No point exfiltrating several terabytes of low value data, when potentially the really valuable stuff is a handful of gigabytes that can be snuck out over a period of time - the potential benefits of the (reportedly) targeted attack, and the resources to execute it would not be risked with a vast and obvious data grab, or connections to obvious C&C servers. That's how I'd approach it. Then I'd expect that the PLA spooks would be far better at their tradecraft than some random commentard - if we agree on that, then they'd have an even lighter touch than I'm suggesting, because the trick only works until discovered, so it is vital that it goes undiscovered for long enough to get the really vital stuff.

          1. iron Silver badge

            Re: The simplest answer is usually the right answer...

            "If the Chinese haven't tried this, it begs the question why not?"

            Because it would be extremely difficult, expensive and once caught all that investment would be lost. It's orders of magnitude easier and cheaper to use flaws in software, firmware and Intel's hardware to accomplish the same goals.

            1. Doctor Syntax Silver badge

              Re: The simplest answer is usually the right answer...

              "It's orders of magnitude easier and cheaper to use flaws in software, firmware and Intel's hardware to accomplish the same goals."

              If you were doing that it would be handy to plant a story like this to misdirect attention.

              1. Anonymous Coward
                Anonymous Coward

                Re: The simplest answer is usually the right answer...

                "It's orders of magnitude easier and cheaper to use flaws in software, firmware and Intel's hardware to accomplish the same goals."

                If you were doing that it would be handy to plant a story like this to misdirect attention.

                The problem I have with the alleged modification is that my experience suggests it isn't just a matter of some extra small chips - other than when they trigger something else, far bigger, that is already there.

                I may be behind in my electronics, but to get a stack that AND extracts meaningful data from storage (because that bypasses the need to add to the complexity of breaching a higher level OS of which you never know type, version and patch level in advance) AND communicates meaningfully across a routed IP network whilst evading detection from NIDS et al - sorry, I don't see that fit in a chip that small. If China was capable of doing that they would not have the "creatively acquire" IP et al, it would lock the door and never permit that chip to cross their borders to protect that sort of own IP from discovery instead (and the Americans would be falling over themselves to obtain it in any manner possible, including the illegal options).

                Ergo, either this leads to something far more sinister (which I am not buying), or Bloomberg has been fed BS and is still figuring out how that was possible (it has plenty to lose here - it does have a reputation to defend). The latter is IMHO far more likely, but I lack the creativity to come up with a plausible motive for doing this to Bloomberg other than to harm their credibility.

                Whatever it was, it must have been very sophisticated. Bloomberg is not a novice in the news industry - but maybe the journalists were..

            2. Anonymous Coward
              Anonymous Coward

              Re: The simplest answer is usually the right answer...

              Because it would be extremely difficult, expensive...

              And you're seriously proposing that worries China, or any other large national security agency? Where there's a good prize, budgets are limitless - look at the probable cost the US incurred for Glomar Explorer many decades back - around $4bn in current prices. This possible hardware backdoor would be a lot cheaper than that type of effort - probably an end to end project cost similar in magnitude to Stuxnet, of the order of $200m. So on balance difficulty and expense don't come into it.

              once caught all that investment would be lost

              For this particular version yes. But if the data stolen is valuable enough, that doesn't matter. And even if that was not the plan, there's plenty of really useful lessons that can be learned from any US response. Moreover, this is spooks we're talking about. This could have been intended to come to light, either as a distraction from something else the originators are doing, or simply as a message. And maybe it was simply a message - if China had found a hardware backdoor in a US technology import (ie US spooks planning to target China), then this could be simply a formal response from one TLA to another: "Don't screw with us, we found your toy, and we'd like to remind you that we own the majority of your tech supply chain". Look at the risks and high diplomatic costs recently incurred by both Russia and Saudi to send simple messages to specific groups - the Russians knew they'd be caught, and even wanted to be caught - the message worked best when everybody knows who did what to whom and why. The Saudis seem to have been under the impression they might get away with simply denying it, but regardless believe that their money will protect them from the consequences.

              It's orders of magnitude easier and cheaper to use flaws in software, firmware and Intel's hardware to accomplish the same goals.

              Except that they are known to all the TLAs and big tech, so relatively easy to mitigate against. Great against poorly hardened targets like your average corporation or private individuals. But poor at messaging.

              1. Robert Helpmann??
                Headmaster

                Re: The simplest answer is usually the right answer...

                Look at the risks and high diplomatic costs recently incurred by both Russia and Saudi to send simple messages to specific groups...

                Not to detract from the conversation, but this usage is just wrong. "Saudi" is a noun if you are talking about a person group of people ("She is a Saudi," or "The Saudis all got on a plane.") and an adjective elsewhere ("I ate way too much Saudi food!"). The combination used here is the equivalent of "New Zealand and British" or "Venezuela and Persian". Why is this confusing?

                1. Anonymous Coward
                  Anonymous Coward

                  Re: The simplest answer is usually the right answer...

                  Not to detract from the conversation,

                  Not at all - no offence is taken, and the correction duly noted.

                  And I doff my hat to you: In the Reg forums there is no higher badge of honour than to be called a pedant.

            3. Anonymous Coward
              Anonymous Coward

              Re: The simplest answer is usually the right answer...

              Because it would be extremely difficult, expensive and once caught all that investment would be lost.

              Exactly, this strikes me as one of those super fantasy spy things where they're basically using stealth fighter technology to steal the latest in fly swatter tech. It doesn't make sense.

        2. John Brown (no body) Silver badge
          Joke

          Re: The simplest answer is usually the right answer...

          "The flip side of that is that the burden of proof is on the one making that positive claim. It's up to the ones saying there are spy chips on the boards to produce one as evidence. That would be meaningful."

          Or it's an elaborate stock swindle. Is anyone buying SuperMicro stock right now?

    2. ShortLegs

      Re: The simplest answer is usually the right answer...

      And the simplest answer is "if didn't happen"

      The article refers to previous carefully spun press releases from large corporations, but in Apple's case last week Tim Cook was very, very emphatic; this did not happen. Not "did not happen as reported" or any other carefully constructed and ambiguous denial, but a flat outright rejection.

    3. Rol

      Re: The simplest answer is usually the right answer...

      The fact that denials by several organisations were almost immediate, suggests they hadn't bothered to examine the allegations, which in itself tells a story.

      I have a sneaking suspicion that someone in the industry will come to Bloomberg's aid. Not waving a compromised Super Micro board from one of the named companies, but waving another brand of server board.

      A run of the mill server board that they had spare and piqued by the story, started to investigate out of curiosity.

      What I fear, and if true, what our intelligence agencies are now fearing, is that the world will be presented with proof that motherboards used in many servers have had the secret chip treatment.

      And seeing as our very own agencies will be looking very sheepish once that revelation comes to light, is it any wonder denials are coming thick and fast from all quarters.

    4. unscarred

      Re: The simplest answer is usually the right answer...

      More likely a misinformation campaign started by the Chinese secret services.

      It creates FUD in the West, and supports the panopticon effect that China likes to use to repress activism at home.

    5. Anonymous Coward
      Anonymous Coward

      Re: someone benefits.

      Is it just for the media attention, the share price dealings, or political standings or eventually misinformation for data collection services/agencies?

      Who knows, lots of people with fingers in the pot there.

    6. big_D Silver badge

      Re: The simplest answer is usually the right answer...

      It's easy, Bloomberg just has to show off one of the affected mainboards, with embedded chip.

      Then the story holds water. If there are so many affected mainboards out there, it should be relatively easy for them to get hold of one.

  2. Will Godfrey Silver badge
    Angel

    Conspiracy theory?

    Is it possible that the entire story was invented by some people wanting to depress the value of Super Micro - some aggressive investor maybe. Although Icant think of anyone who'd want to do that.

    1. Anonymous Coward
      Anonymous Coward

      Re: Conspiracy theory?

      There are far less public ways to knock down the stock price of a target. Much better to start rumors of some type of earnings restatement being required, rather than weave a story that includes both the FBI and the two largest publicly traded companies in the world. There's no way any trading to take advantage of the stock price fall (or subsequent rise if/when the story is retracted) would not be looked at very closely by the SEC given this has received so much publicity.

      1. streaky
        Terminator

        Re: Conspiracy theory?

        There are far less public ways to knock down the stock price of a target.

        Not many *that* effective though. This did more relative damage to the SMC price than happened to Equifax in the aftermath of their massive incompetence.

        My theory is more that somebody has made up this story to either dupe Bloomberg as an attack on Bloomberg or to hit SMC stock so they can buy it cheap. Either way Bloomberg has a serious problem. Nobody in the industry is taking this story seriously because as reported it's completely absurd. Not that it's impossible but the technical claims just aren't right. Think I said elsewhere for China to pull this [specifically what Bloomberg have claimed] off they'd have to be far more technically advanced than any other country in the world and not for nothing people would notice so why try to do it anyway.

        Option C is it's an attack on China and given the involvement of security services that's not implausible either.

        Bloomberg is a dupe, and how hard it's standing by its story doesn't end well. Course we shouldn't feel sorry for them - SMC can't sue Bloomberg because if somebody produces a hacked motherboard no matter the provenance or capabilities of the board SMC basically automatically lose. If this was a UK publication regulated by IPSO I'd personally have seen to it by now there was an IPSO complaint in there. I don't know what the SEC rules are but I'd be interested generally and especially if I was SMC what the rules about this kind of thing are; there's a point Bloomberg either have to produce *any* evidence (and we should be clear there's zero evidence right now) or retract and apologise very publicly.

    2. Anonymous Coward
      Anonymous Coward

      Re: Conspiracy theory?

      Bloomberg is a business oriented new site and the editors would have had to know this story would have had a major impact on the shares. It is hard to see they would have opened themselves up for a major court case because someone just wanted to depress the value of one company. They live by their business reputation and this could have a major impact.

      The fake diaries published by Newsweek had a long lasting impact on their credibility.

      1. a_yank_lurker

        Re: Conspiracy theory?

        @AC - I would expect that Bloomberg in this scenario is a dupe. Feed some journalists a juicy enough story that sounds plausible to someone not familiar with manufacturing and QA inspections through a source that appears to have ties to a TLA. Done right the reporters and editors might bite very hard. When the story breaks be ready to short someone for a few hours or days. It would be hard to unravel unless the reporters turnover the notes and sources to the ferals.

        This is a plausible scenario, that a group who wants to short someone like Super Micro cook plant the story and hopes someone reputable bites. Probably tried many times but someone smelled a rat and did push the story.

      2. Santa from Exeter

        Re: Conspiracy theory? @ AC

        One of the issues here is that these particular Bloomberg journos seem to have form in the bullshit stakes https://twitter.com/RobertMLee/status/1049617855396933632.

        Bloomberg stood by them in this as well.

        The reason I distrust Bloomberg is that as was stated in an earlier Reg piece, the reporters are regarded by how much their reporting influences stock proces. To my mind that's just another way of saying Bloomberg manupilates the markets.

        1. DCFusor

          Re: Conspiracy theory? @ AC

          Yeah, having been a market player myself, I note Bloomberg does NOT in any way represent any sort of "gold" standard to anyone who pays attention to what they do. They of course please the seriously left-leaning non-financially in-the-know people like um...some here who don't know about the financial facts but love the hard-left opinions constantly expressed on Bloomberg. Many consider their reporting quite slanted - you can not tell lies but still fail to tell enough truth .... telling only one side of a multifaceted story is not telling the whole truth. In fact, it's propaganda and deception 101.

          They're in the same business as the other sharks and snakes, people, and play it the same as any of the other not-too-honest market participants. They make money from turmoil, even if they didn't short this stock first themselves directly (oh, there are so many ways...that don't leave much of a trail). They sell data, and the crazier things get, the more money they make. EG, simplest theory follows from Cui Bono.

          A well setup outfit could indeed do such a plant on a board, there's no technical or financial reason not to, and there are such things as "silent assets" for "last resorts" in the military and spy communities, but lacking even one proven sample...the fact that it's possible is only one leg of the stool.

    3. Anonymous Coward
      Anonymous Coward

      Re: Conspiracy theory?

      Is it possible that someone might want to tarnish the credibility of one of the most respected main stream media publications?

      1. Anonymous Coward
        Anonymous Coward

        Re: Conspiracy theory?

        Yes I wasn't suggesting that if the story is untrue Bloomberg knew about it. It would take some fairly sophisticated people to fool the writers and editors at Bloomberg. Not saying it would take a nation state, but definitely more than a 400 lb guy sitting on a bed somewhere.

    4. bombastic bob Silver badge
      Black Helicopters

      Re: Conspiracy theory?

      "some people wanting to depress the value of Super Micro" "some aggressive investor maybe"

      I recall a well-known investor that once "broke the bank of England" through currency manipulation, etc. [and has done so in other cases as well]. This guy's billionaire rich, too, and interferes in politics a LOT, indirectly sponsoring MOBS of people that disrupt, etc. via well known 'charities'. No names mentioned, of course [probably don't need to]. And as I recall he was once known to have collaborated with Nazis during WW2. Yeah, THAT guy.

      Yet, I'd hope that Bloomberg reporters would be smart enough NOT to fall for a plot hatched by THAT guy.

      Selling short on Super Micro could've gotten a 30% or better return, maybe. I don't think he's been known to have manipulated STOCKS, though. But if he did, there's probably a record of it somewhere.

      It's back to that old journalistic trope, "follow the money".

      1. Anonymous Coward
        Anonymous Coward

        Re: Conspiracy theory?

        And as I recall he was once known to have collaborated with Nazis during WW2.

        Don't bring your alt-right boogieman fantasies on to here.

      2. streaky

        Re: Conspiracy theory?

        @Bob - George Soros has his fingers in enough corruption pies we don't need to implicate him in things there's no evidence of. I'm not even sure Soros knows what a computer even is anyway..

  3. Anonymous Coward
    Anonymous Coward

    Not confirmed?

    > Super Micro stresses that no one has come to the support of Bloomberg's article

    Okaaaaay? And have the journalists here contacted the Norwegian government office that, well, confirmed Bloomberg?

    1. whitepines

      Re: Not confirmed?

      Do you have a link to that? Haven't heard of it before.

      1. Norman Nescio Silver badge

        Re: Not confirmed?

        >> Okaaaaay? And have the journalists here contacted the Norwegian government office that, well, confirmed Bloomberg?

        > Do you have a link to that? Haven't heard of it before.

        VG: Storavis: Hevder Kina installerte spionverktøy i maskinvare

        VG: Forsvarsdepartementet kjøpte utstyr for 533.000 – droppes etter Kina-avsløring

        Google Translate can probably help. In the first article, Mona Strøm Arnøy, the Communications Director for the Norwegian National Security Authority (Nasjonal sikkerhetsmyndighet, NSM) is quoted as saying:

        "We have known this since June," says Strøm Arnøy, who does not want to elaborate on where they have the information from.

        NN

        1. Anonymous Coward
          Anonymous Coward

          Re: Not confirmed?

          Not sure if you can actually read Norwegian or if you are just relying on google translate or are just being selective on what you pick (just like the reporting). In the VG articles the comments are all about how the Norwegian government have known that Supermicro could have been compromised, not that they have been compromised. They could not not confirm or deny the information in the Bloomberg article.

          The rest of the article is a rehash of the Bloomberg article.

          1. Norman Nescio Silver badge

            Re: Not confirmed?

            I was trying to be helpful and find the link to a statement by the relevant Norwegian Authorities on the Supermicro case. Essentially, putting "Supermicro Bloomberg site:no" into a search engine, and finding the relevant results, as I have a passing knowledge of Scandinavian.

            The odd thing about it is the public statement on knowing about the case on a specific date before the Bloomberg article was published. Obviously supply chain security is an issue that national information security authorities would be expected to know about, so that is not news. The question is, why put a date on it? It wasn't necessary in the context of the article - all that was needed is the non-committal 'neither confirm nor deny' statement. It is an oddly specific fact.

            However, I am not a tinfoil hat wearer, and I don't wish to try and blow this up into something with any more significance. The relevant text from the article is below, and I hope I'm not cherry picking. I wish I hadn't bothered looking for the reference now. As they say, no good deed goes unpunished.

            Original text:

            Kjente til saken i juni

            Nasjonal sikkerhetsmyndighet (NSM) kjenner til problemstillingen knyttet til Supermicro.

            – Vi kjenner til dette, men kan hverken avkrefte eller bekrefte at dette stemmer. Vi registrerer at dette benektes av selskapene, sier Mona Strøm Arnøy, kommunikasjonsdirektør i NSM til VG.

            NSM har imidlertid vært klar over at Supermicro kan ha vært kompromittert, lenge før Bloombergs artikkel.

            – Vi har kjent til dette siden juni, sier Strøm Arnøy, som ikke ønsker å utdype hvor de har informasjonen fra.

            Google Translation:

            Known for the case in June

            The National Security Authority (NSM) is familiar with the issue of Supermicro.

            - We know this, but can not confirm or confirm that this is correct. We register that this is denied by the companies, "says Mona Strøm Arnøy, Communications Director at NSM to VG.

            However, NSM has been aware that Supermicro may have been compromised long before Bloomberg's article.

            "We have known this since June," says Strøm Arnøy, who does not want to elaborate on where they have the information from.

            1. Doctor Syntax Silver badge

              Re: Not confirmed?

              "The odd thing about it is the public statement on knowing about the case on a specific date before the Bloomberg article was published."

              A. Bloomberg's reporters had asked them. B. Whoever planted the story planted it with them. What seems to emerge from the translation is that they'd heard of it but have no direct information themselves.

          2. Anonymous Coward
            Anonymous Coward

            Re: Not confirmed?

            > Not sure if you can actually read Norwegian or if you are just relying on google translate or are just being selective on what you pick (just like the reporting).

            I am Norwegian, the articles are written in my own language so I am not being selective here. The links provided here, thanks to NN, have also been provided earlier in the previous debates so where the down votes are coming from now is unclear. Norway is a fairly open country so this has been debated openly and widely.

            I am also puzzled I got down voted for suggesting to go to NSM, the only governmental organisation I know of that has confirmed Supermicro servers are problematic. NSM work on national security. They are expected to know what they are talking about, and having been informed in June it is evident they had been tipped off from someone else.

            1. Trygve

              Re: Not confirmed?

              You are getting downvoted because its obvious that you are either desperately seeking confirmation of your own biases or just a bloody idiot

              "kan ha vært kompromittert" - that's confirmation of absolutely nothing.

              Would you be happy sending someone to prison because they "kan ha vært skyldig"? If your doctor told you that your tumour "kan ha vært kurert" would you happily cancel all your future visits and stop taking the medication?

              1. Norman Nescio Silver badge

                Re: Not confirmed?

                Hello Trygve,

                Just to make clear, 'Anonymous Coward' above is not me (NN). I (NN) am not Norwegian, and I have a policy of posting under my handle (Norman Nescio) rather than as Anonymous Coward.

                I am also, apparently either desperately seeking confirmation of [my] own biases or just a bloody idiot.

                - I'll admit to being an idiot.

                I hope that clears up any confusion.

                NN

              2. Anonymous Coward
                Anonymous Coward

                Re: Not confirmed?

                >You are getting downvoted because its obvious that you are either desperately seeking confirmation of your own biases or just a bloody idiot

                You are projecting. I am participating in a discussion, and simply having a view that differs from yours should never be seen as desperation or idiocy. That would be seriously bad faith on your part.

                >"kan ha vært kompromittert" - that's confirmation of absolutely nothing.

                You are selective. The point is that they confirm they have been aware of an issue in June. And if you are Norwegian you should also have known that Digi reported that "Forsvarsdepartementet skroter utstyr etter spionavsløring", or in my translation "Norwegian Department of Defence Scraps Equipment after Espionage Disclosure".

                >Would you be happy sending someone to prison because they "kan ha vært skyldig"? If your doctor told you that your tumour "kan ha vært kurert" would you happily cancel all your future visits and stop taking the medication?

                Well done, you have succeeded in turning the issue upside down. Rather it is like a doctor stating there might be cancer so we will make a thorough check.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Not confirmed?

                  >"Well done, you have succeeded in turning the issue upside down. Rather it is like a doctor stating >there might be cancer so we will make a thorough check."

                  that is not the same as:

                  >"Okaaaaay? And have the journalists here contacted the Norwegian government office that, well, >confirmed Bloomberg?"

                  You are saying that they have confirmed it, no they haven't. They have confirmed that they have known about the possibility of a compromise, That is the problem Trygve appears to be having with what has been said (me too). A compromise hasn't been confirmed, just that they new of the possibility (probably due to them being contacted in June before the Bloomberg article was release).

                  If you work in a sensitive sector (which I do), when you receive information on a possible compromise, you investigate. If you believe that it is a credible threat, you isolate / remove said threat. Upon the conclusion of the investigation, depending on the result being proved or disproved, you then can reinstate or carry on course with the removal of systems if you believe that its a possible future threat.

                  Forsvaret will be doing exactly this, they have scraped 1 or 2 supermicro servers that they were testing (~533000kr in servers), In the sector that I am working, we have purchase multiple supermicro servers, each of which cost close to that price.

                  Everything in the VG article can be 100% true, each statement printed can be exactly what was said, and likely is, otherwise they would be stupid. But what is printed isn't everything that is said and can in what context.

                  What should be printed is the complete transcript of the conversation.

                  > "You are selective. The point is that they confirm they have been aware of an issue in June. "

                  And there it is again, the context. What is the issue they have been aware of? Have they been aware of a compromise, have they been aware that there could have been a compromise, have they been aware of the issues Bloomberg were going to bring up in the article since June?

                  That last one of mine can be interpreted 2 ways also, they knew about the problems before they knew about the article, they knew about the issues Bloomberg were going to public as they had been told what was in the article.

            2. Anonymous Coward
              Anonymous Coward

              Re: Not confirmed?

              AC you are replying to.

              I am not Norwegian, but have lived in Norway for many years. So I also speak / understand Norwegian.

  4. Brian Miller

    No trace of spying!

    It's very odd that the journalists were not presented with any real evidence. Really, is it so difficult to sniff the glue that holds the ethernet together?

    If there was odd network traffic, then it would be nearly child's play to get a packet dump, and show world+dog the data. "Look, here's the data! That's our server IP, that's the other end point, and that's the data." No problem. How many of us do that on a daily basis?

    Even if the journalists couldn't understand the data themselves, there are plenty of people who do. Trust me, we'd all love to see that trace.

    1. Pascal Monett Silver badge
      Flame

      Re: No trace of spying!

      Not to mention a pic of "compromised" motherboard. Why isn't there a single pic ? Produce that and all the doubters will have to shut up.

      Instead, we have this endless continuing of a useless argument, useless because nobody can prove anything either way.

      Show me the goods or get out of the room.

  5. Anonymous Coward
    Anonymous Coward

    You have more chance of finding rocking horse shit than these chips.

  6. vtcodger Silver badge

    More questions

    Some good questions in this thread.

    1. Where are examples of the altered boards?

    2. Or at least of the purported chips

    Plus

    3. Is it even possible to create a spy chip? (Probably yes?)

    4. How would it get power, access to memory, data buses, clock, control buses? (Dunno. Maybe doable. But probably very difficult to do)

    5. How the heck would one talk to it and control it without getting root or microcode access to the machine? If you have root/microcode access, why do you need a spy chip?

    6. Assuming that you can somehow insert altered boards into the manufacturing stream, how do you route them to your target customers? (I suspect that's nowhere near as easy as it sounds).

    7. Assuming that you have state resource behind you and can interfere in the manufacturing/shipping process at will, wouldn't it be easier to grab a board destined for a target destination for an hour or three and alter the on board microcode?

    1. JohnFen

      Re: More questions

      "Is it even possible to create a spy chip? (Probably yes?)"

      Well, the US did it to some Cisco routers being shipped to an entity they were interested in, so yes.

      1. Anonymous Coward
        Anonymous Coward

        Re: More questions

        I thought it was done to all Cisco routers and then remote activated against targets of interest

        1. rmason

          Re: More questions

          @AC

          No, it was (according to snowden et al) literally a man or three in the back of a delivery truck while the cisco gear were on a part of their journey.

      2. Doctor Syntax Silver badge

        Re: More questions

        "Well, the US did it to some Cisco routers being shipped to an entity they were interested in, so yes."

        Wasn't that a case of planting something in the firmware?

        1. streaky

          Re: More questions

          It was firmware. Wasn't in a truck. There are photos of this happening.

          If bloomberg were claiming firmware it'd be another thing entirely, but they're not.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like