________________________________________________________________________________
The article mentions Bloomberg’s 2018 piece where they claimed to have evidence of an extra chip being inserted into a motherboard. From memory, Bloomberg’s actual evidence was shaky at best. Does anyone know if they ever actually showed the motherboard they claimed to have to anyone for verification?
Apple made an official statement that the claims were, well, bullshit and that no such chips have ever been found.
Amazon published a signed statement from its chief security officer saying that the Bloomberg article was “so full of inaccuracies ... that they’re hard to count” and that after their own security team and an external security team had gone into the claims in detail they found them to be untrue.
So, I have to ask, does anyone know if Bloomberg actually published the evidence they claimed they would release?
> So, I have to ask, does anyone know if Bloomberg actually published the evidence they claimed they would release?
In the first article, Bloomberg quoted Joe Fitzpatrick. 5 days later [0] he said his quotes were taken out of context.
In the second article, Bloomberg quoted Yossi Appleboum, who on the same day the article broke suggested that he was misrepresented. [1]
Apple, Amazon, Homeland Security, and others have all said there was no evidence at all, and called for a retraction.
As it stands... Bloomberg were talking about something they didn't understand. There were and are some theoretical problems in hardware security. But the story as they broke it is completely false.
[0]
https://risky.biz/RB517_feature/
[1]
https://www.servethehome.com/yossi-appleboum-disagrees-bloom...
It's worth noting that Apple and Amazon can't lie about their business without opening themselves up to potential criminal liability under securities laws. [1]
That means Apple and Amazon are more credible in this case, unless there is some super secret NatSec exception to securities law that we don't know about.
[1] Specifically, SEC Rule 14a-9 in conjunction with Section 32(a) of the Exchange Act.
> unless there is some super secret NatSec exception to securities law that we don't know about.
Did you not hear about the phonetapping business [0]? There is no way that a government-sponsored secret hardware backdoor would get any executives in trouble.
SEC rules are not a reasonable protection - or even consideration - when dealing with the US spying apparatus. If there was a hardware backdoor program:
(1) There would be a secret exemption to SEC rules.
(2) There would probably be a secret "we will end you" threat if the execs revealed details. Snowden & Assange would be mentioned.
(3) Even ignoring those two points, the rules would be ignored and changed later if there were any legal difficulties.
[0]
https://www.cnet.com/news/senate-endorses-retroactive-fisa-i...
If it was true, would they disclose, even if they could? It's not a secret exemption, it's all in the law, Section 505 of the PATRIOT Act.
Let me ask a question: it is possible? I think it is. Has the NSA / CIA / some other TLA done this? If it's possible, and it's useful for their 'mission' -- hard for me to believe they have NOT done this, or something like it. Paranoid? maybe; but I've seen too much, heard too much.
From random articles I once read (i.e. hardly authoritative) the US TLAs focused heavily on intercepting packages in transit, modifying them, then forwarding them on rather than rooting the entire production line. But obviously that's just the stuff that was publicized.
For a secret chip in a server to be useful, it needs to emit a signal, send data over the network, or be manually retrieved. If that were happening at any scale, someone would notice (especially in a data center).
If secret chips were going to be used, they'd be very targeted in nature (like a fake Comcast modem that they give to a specific target) rather than something general.
I wouldn't be so confident. If you have something running in the BMC, you can do literally anything.
In this case "anything" might mean transmitting a single bit of information that "this is an interesting box, come take a look".
From what I remember, the evidence wasn't shaky, it was non-existent.
I believe the matter is unsettled:
https://www.bloomberg.com/news/articles/2018-10-09/new-evide...
The named source in that one, like the named source in the one before, came out and said that the article was a misrepresentation of what they had said. In fact, in the article you've linked, they disagreed with it the same day the article broke.
[0]
https://www.servethehome.com/yossi-appleboum-disagrees-bloom...
Not directly relevant, but supply-chain security issues aren't unique to electronics. Counterfeit aircraft parts [0] and counterfeit medical equipment [1] also exist. I believe airlines buy parts directly from the aircraft manufacturer, to avoid this risk.
[0]
https://en.wikipedia.org/wiki/Unapproved_aircraft_part
[1]
https://www.health.gov.il/English/Topics/PharmAndCosmetics/p...
Better approaches to deal with counterfeiting issues are emerging
https://semiengineering.com/new-and-innovative-supply-chain-...
Interesting link, thanks. I get the impression though that there's not going to be any alternative to buying directly, for the foreseeable future.
I clicked through to the article on Physically Unclonable Functions (PUFs). [0] Neat idea. (I found the paper more readable than the article. [1]) Limited scope though. I don't imagine it's possible to use this approach for non-electronic items like medical-grade screws, for instance.
[0]
https://semiengineering.com/pufs-promise-better-security/
[1] (PDF)
https://spqrlab1.github.io/papers/holcomb_PUFs_date14.pdf
bunnie has some interesting talks about this stuff, his supply chain security one is probably most interesting:
https://www.bunniestudios.com/blog/?p=5519
Obviously the title is just wrong - the die is not "cast". The die is produced as a monocrystalline silicon ingot using a seed crystal, then sliced into wafers and fabricated via photolithography. A truly "cast" ingot would never work.
I'm not sure if you (or other readers) are familiar with the quote, but the title is a pun. When Caesar crossed the Rubicon river and marched on Rome to declare himself emperor he supposedly said "The die (like dice) is cast (thrown)" -- either he would become emperor or perish trying.
In the case of t article, the Rubicon has been crossed, and also features "cast" into the silicon can't be fixed (most of the time). But you're right, they aren't actually cast.
“_alea iacta est._”
How would you interpret the phrase "cast in stone"? It would be anomalous for someone to pour magma into a mold.
The ordinary view would be that "cast" refers generally to the making or composition of anything by any means. Compare a few senses from Merriam-Webster:
[v.t.] 3(a) to dispose or arrange into parts or into a suitable form or order - _I shall cast what I have to say under two principal heads._
[n.] 2(a) the form in which a thing is constructed
[n.] 10(a) shape; appearance - _the delicate cast of her features_
https://www.merriam-webster.com/dictionary/cast
Although some of the features _on_ the die are cast - material is heated until it becomes a fluid, then deposited into openings in the suface of the die.
Do you cast as the doubter here?
I've been really paranoid about this lately. At least at a store, it's hard to figure out what hardware is going where, but with a service like amazon, the stuff you buy, the route it takes, is all very well documented. With a military-type budget it wouldn't be very hard to replace that device in transit with another, similar device that is full of backdoors and malware.
It's hard to audit devices. At least with networks the communication aspect is an actual physical phenomenon which can be measured and analyzed. At the same time, the military has encrypted radios which can hop frequencies hundreds of times a second. How do I even detect that? I don't think I can.
This problem is why the Precursor device is so interesting because it tries to make it self easier to audit and then allow software and cryptography determine how your device works.
I am guessing for secure applications the approach of the precursor is going to become very common.
Technically, from tge end user perspective, several of these attscks already occured through injection of industry specified "secure computing" IC's into consumer grade jardware. Your GPC hides data from you not because you asked for it, but because trade groups decided they couldn't pass up on monetizing you, yet they needed to strongarm silicon manufacturers to enable adversarial integrations intended to firmly lock you out of the overall state space of your computer.
Call me an extremist if you want, but few manufactured goods have seen the level of anti-end user engineering effort put into them than computers. And that's a sad thing to see.
Intellectual property laws are what creates this discontinuity - your CPU runs licensed code that you don't own so it makes sense to develop technologies to enable stuff you don't own to live in the CPU but deny you access to it.
There's a lot of overextensions of the concept of IP that of course make sense to lawyers, judges, and people who have high net worth derived from leveraging this artifice, but the whole thing probably should be reformed at some point if anyone cares about things other than extending the concept of ownership to ideas.
For example, I'm still not clear how I can simultaneously own a media product, like a VCR tape or CD, and not have a "license" from the studio (a non-governmental entity) to publicly exhibit it.
I get the general idea that it's not normal for us not to have full access to the products we own, and I absolutely support it in spirit, and I believe it is an important right that we will have to fight for, lest we end up with more and more totalitarian control of our lives.
But I don't really see how you can compare this to an attack, unless you actually prove some measurable harm today. What exactly are they doing with your computer that harms you in any direct way?
I absolutely agree on your last point though. It is quite a tragedy when we think about the amount of human intelligence and hard work that has been thrown away on protecting systems from their own owners.
> What exactly are they doing with your computer that harms you in any direct way.
Remember the Sony root kit[1]?
So we agree that the measures were harmful in the past. Of course you wouldn’t ask if we were widely aware of current issues. I think we also agree that a lot of interesting things can be hidden from the user if you have access to the keys to the secured enclaves (or if you manage to break in). If this was ever exploited, we may know in a few years or never.
[1]
https://en.m.wikipedia.org/wiki/Sony_BMG_copy_protection_roo...
What is someone who plants a recording camera in your bathroom doing that harms you in any direct way?
Good. Hopefully hardware in us gets hacked.
Sorry, I just don't see anything new/interesting on this piece. Did I miss something? Those are just all very well known points.
I think the point of the article is to serve as a review of the current state of things, not present new findings.