In other news:
9 Million Vulnerable IOT Devices
Bug or feature?
Cheers,
Earl
Didn't VAXEN use to have a well(ish)-known field service password?
I believe so. But those were simpler times.
Cheers,
Earl
More from Ars Technica.
The second paragraph of the second section ("By Bloomberg's account ...") is consistent with a third party op. There would be no need for anybody to masquerade if it was a Chinese govt. op.
Cheers,
Earl
so is it fake news or what?
Beats me.
Cheers,
Earl
Here is one from FP magazine, same subject, broader view.
Excellent summary of just how deep in the doo-doo we are, done by a well respected observer in the field:
Brian Krebs on Supply Chain Security.
Earl
That's a good article.
I thought this was interesting:
Most of what I have to share here is based on conversations with some clueful people over the years who would probably find themselves confined to a tiny, windowless room for an extended period if their names or quotes ever showed up in a story like this, so I will tread carefully around this subject.
This article has a summary of a longer article and sheds some doubt on Bloomberg's claims based on technical details.
From Boing Boing: A detailed technical rebuttal of Bloomberg's "backdoored servers" article
The longer article is here: Investigating Implausible Bloomberg Supermicro Stories [Patrick Kennedy/Serve The Home]
Good catch. The author does a fine job of demolishing Bloomberg's elaborate, mechanistic description of the supposed "backdoor."
What the author does not consider is that the Bloomberg article may have been a garbled recounting by nontechnical individuals of a supply chain attack on the Baseboard Management Controller (BMC) on these (or somebody else's) boards.
BMCs, because they combine maximum privilege with minimum computing power, are and always have been a security nightmare. The industry has attempted (as the author describes) to compensate for that weakness by wrapping the device in doctrine, and we all know how well that works.
Professionals don't put "backdoors" in hardware; they make tiny modifications that insert vulnerabilities, which are then exploited from the outside. Which is why my first reaction to the story was that the exploit looked amateurish.
Cheers,
Earl
Interesting thread, read it a bit late. My only question is, does this chip question also have any relevance to SIM cards that many mariners purchase from chandlers around the world? I have a quad freq Android and do not need to buy a SIM card in every port I go to, but as for the cell phone users that do not have quad frequency capability, I have often wondered how easy it would be for the Chicoms or other nefarious parties to place a rogue chip in a SIM card and create data feeds which may prove very useful in identifying vessel types, vessel locations, cargo and intentions, and to infect phones with a virus. Any insights?
Oh, indeed. Here are two overviews of how it's done without giving you a bad card:
And a somewhat fevered narrative from the victim's point of view:
Giving you a subverted card would just make it easier. SIM attacks, of whatever form, are more likely to occur as an element of a larger campaign, e.g., getting a password and spoofing two-factor authentication to gain access to a network.
It's a jungle out there
Earl
2 factor to the same device is fundamentally flawed