One of Bloomberg’s sources told them Chinese spy chip story “didn’t make sense”
Posted on 10/09/2018 10:51:07 AM PDT by Swordmaker
Bloomberg said that its sources were key to its decision to run the Chinese spy chip story, the site writing that 17 people confirmed the manipulation of Supermicro's hardware and other elements of the attacks.
However, one of the named sources, a security researcher who seemingly backed the claims, has said that his comment was taken out of context, and that he actually told the site that what it was describing to him "didn't make sense".
Hardware security expert Joe Fitzpatrick was quoted in the piece saying "the hardware opens whatever door it wants." But speaking on the podcast Risky Business, he painted a very different picture.
Fitzpatrick says that he spent a lot of time explaining to Bloomberg how such attacks could, in principle, be carried out. When the piece was published, he was expecting to read about how this specific hack was achieved. Instead, he said, Bloomberg appeared to be parroting the precise theory he had outlined.
I spent a lot of time going back and forth explaining how hardware implants worked. And as any researcher is excited to talk about their work, I was delighted to have someone who seemed interested to actually learn about how things worked as opposed to only looking for the buzzword byline that you wanted to throw into a story […]
But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked […]
It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources.
He said the same was true of the image Bloomberg provided of the supposed spy chip.
In September when he asked me like, "Okay, hey, we think it looks like a signal amplifier or a coupler. What's a coupler? What does it look like?" […] I sent him a link to Mouser, a catalog where you can buy a 0.006 x 0.003 inch coupler. Turns out that's the exact coupler in all the images in the story.
When reporter Jordan Robertson outlined more of the story he planned to run, he told them it didn't make sense.
So late August was the first time Jordan disclosed to me some of the attackers in the story. I heard the story and it didn't make sense to me. And that's what I said. I said wow, I don't have any more information for you, but this doesn't make sense. I'm a hardware person. My business is teaching people how to secure hardware. Spreading hardware fear, uncertainty and doubt is entirely in my financial gain. But it doesn't make sense because there are so many easier ways to do this. There are so many easier hardware ways, there are software, there are firmware approaches. The approach you are describing is not scalable. It's not logical. It's not how I would do it. Or how anyone I know would do it.
[He wrote to Robertson] Are you sure there is actually an additional hardware component […] It's trivial to modify the firmware of most BMCs and many of them are trivial to exploit remotely because of the poor quality outdated software they run. The attack you describe could easily be implemented in BMC firmware. Would be just as stealthy and far less costly to design and implement. If they were really implants, are you sure they were malicious?
Fitzpatrick explained to Robertson several more likely theories for what the site's sources were claiming to have seen, all of them perfectly normal.
For example putting two pieces of silicon in a single package makes sense when one of them is flash storage and the other is a microcontroller. But an inexperienced observer could easily jump to the conclusion that it's a hardware implant. Likewise, lots of small components are actually several components manufactured into a single package for ease of use.
He also explained the context of the one-line quote Bloomberg used.
You put hardware in a device to help you persist the software, the malware. You don't put hardware in a device to do the whole attack, you put hardware in the device to unlock the keys, to elevate the privileges on the shell, to open the network port and then you take a software or remote approach to do the rest of the work. And I think that's the context of that quote.
His overall take on the piece is that the technical details are "jumbled and they're not outright wrong, but they are theoretical […] I definitely have my doubts on this one."
So let's make that not five or nine reasons to doubt the story, but ten.
If you want on or off the Mac Ping List, Freepmail me.
I don't know anything about this issue but ignorance has never stopped me from weighing in before. Why would the Chinese take the easiest way to plant spying capability if they wanted it to go undetected? They certainly use those other techniques but why assume they would never do something more complex but better disguised?
Because the easier ways ARE better disguised. . . and a hell of a lot cheaper to do than redesign an entire motherboard from scratch that will be as obvious as all hell because it sits out there for everyone to find, sticking out like an unwelcome wart on a nose. As the security expert in the article pointed out, it would be trivial to hide an extra circuit on a flash memory drive or even hidden in a memory chip which did the malicious operations while still functioning as designed. The only way to tell it had the malicious section would be to put it under a scanning electron microscope and find the extra circuitry. It would not be obviously sticking out on a circuit board. This was a stupid approach.
Another is to hide it in firmware. . . software that tells the existing processor how to do its work. . . and just use the ordinary hardware already existing on the computer to do something extra during idle time. Cheap, effective. Extremely hard to find.
Was probably Feinstein's Chinese spy driver
Another independent analyst found more of them.
The story was written by an amateur.
But anyone who thinks the Chinese haven’t been deep up our rectums on servers, cable modems, and ethernet cards, call me, I have a bridge you can buy real cheap.
On “spy stuff” it’s best to just not believe anything public. Not the claims, not the denials; there are too many good reasons for everyone to lie.
Source? One. BLOOMBERG again! . . . and, no, it's not the same, it's supposedly something hidden elsewhere, this time in the Ethernet connector on one server out of thousands! They can't even keep the story straight. Like Christine Blasey Ford, Bloomberg needs to get one theory and stick to it, instead of changing their story with each retelling. Other companies using the SAME SYSTEM FOUND NOTHING AMISS where this guy claimed to find "something" in the Ethernet connector!!!
Please tell us how the Ethernet connector on a STREAMING VIDEO SERVER is going to compromise critical data on the device's storage? The original article was bogus and this one is again citing someone who is talking about something he claims happened three years ago! WHERE ARE THE CRITICAL INCIDENT REPORTS? They don't exist!
As I said in other postings, there are far easier and cheaper ways, not to mention far less detectable ways, to accomplish this same result using the existing hardware than trying to add additional hardware that will be easy to find. To quote REAL EXPERTS THAT BLOOMBERG'S WRITERS QUOTED OUT OF CONTEXT, "THIS MAKES NO SENSE!"
We are still working with a single source news source who has a history of publishing FAKE NEWS, and again, no corroborating evidence! It's some nobody with an anecdote about an unnamed US telecom company, by someone who wants his fifteen minutes of fame, for which he has ZERO photos, zero hardware, and just his claims.
The Bloomberg story doesn't identify the telecommunications company "due to Appleboum's nondisclosure agreement with the client."[. . .]
Yossi told Bloomberg he's seen similar manipulations in other vendors' hardware made by contractors in China. He also told Bloomberg there are countless points in the supply chain in China where hacked hardware can be introduced.
His statement alone is a violation of a nondisclosure agreement. I've signed such nondisclosures and I am not even permitted to reveal WHAT I worked on, WHAT I found, I'm not permitted to say I even worked there. . . unless it is specifically allowed. This bozo names the brand of server. . . IMPERMISSIBLE AS ALL HELL! He says why he was called in, what he found and where???? Yet we're supposed to believe the ONLY thing in the NDA is the name of the company? If you believe that, I've got five trainloads of Christine Blasey Ford's Kavanaugh's Senate Testimony to sell you cheap. . . you'll believe anything!
One other thing I find extremely suspicious is his claim that an unnamed "major telecom company" would bring in a less than two-year old start-up company to "scan their servers" for something amiss. These major telecom businesses have top quality security people WORKING FOR THEM completely capable of doing that, in fact, capable of writing the code to do it and monitor the outgoing traffic! They aren't going to hire some start-up with a few employees and no real track record to have any access to their servers. Ain't gonna happen. No way!
Yossi's unqualified statement about "similar manipulations in other vendors' hardware" is a blatant generalized nonsense throwaway line from someone with an agenda. If he's seen this manipulated hardware, where are the critical incident reports he and his company have made on them? CRICKETS! I can't find them. They don't exist!
Look, BTerclinger, one of the so-called sources in the ORIGINAL Bloomberg article has already called them out for misquoting him and taking his theoretical explanations of how it could be done and mischaracterizing them as how it IS BEING DONE, and attributing it to him, when he actually told them their theory "Made no sense!"
This one doesn't either.
Oh ho. . . Bloomberg Businessnews is hyping Sepio Systems. . . and guess what Sepio Systems sells? Software to supposedly mitigate against malicious supply chain hardware insertion issues! And guess who works for Sepio Systems? Yossi Appleboum. . . who is the source of this current finding, and I bet their previous article. Guess when Sepio Systems was founded. . . 2016. . .
This is EXACTLY the same as news appearing announcing new malicious malware being discovered just as an anti-malware company is launching a new product. . . the great disappearing Macbot hoax from 2014 comes to mind when Dr.Web was announcing its first Mac Business Antivirus and claimed they found a 600,000 member Macbot. . . except not a single infected Mac was ever found in the wild, but their honeypot was reporting SSIDs of Macs that were not even sold yet, or in some instances had yet to even be manufactured, or others that did not have JAVA (a prerequisite for infection) installed on them. . . and the numbers reported as infected on the honeypot server kept shrinking over a three week period until they disappeared completely. . . meanwhile the media had a feeding frenzy. . . just as in this case. . . and people like you, BTerclinger were chortling about how Apple Macs were finally getting infected like Windows PCs. Except it was a hoax marketing ploy.
This was EXACTLY the type of FAKE NEWS Bloomberg has been found to print in the past, news that in some way benefitted a business they were hyping or trying to knock down!
You obviously did not bother to read the articles involved if you think anyone has found any at all.
"I sent him a link to Mouser, a catalog where you can buy a 0.006 x 0.003 inch coupler. Turns out thats the exact coupler in all the images in the story."
That's one of the points I was making. . . no legitimate photos of the malicious chip, no malicious chip exists.
You cite an article about "more of them" . . . but that's NOT what your linked article claims. . . it claims the self-identified and self-announced hero of the BLOOMBERG sourced announcement (again) found ONE (1) Supermicro server, out of what appears to be thousands at an unnamed "major telecom company" that had an "implant built into an Ethernet connector" that was doing something hinky. . . but didn't say what. . . and in fact doesn't know.
Try reading for comprehension. That means more than the headlines.