The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies


In other news:

9 Million Vulnerable IOT Devices

Bug or feature?




Didn’t VAXEN use to have a well(ish)-known field service password?


I believe so. But those were simpler times.




More from Ars Technica.

The second paragraph of the second section (“By Bloomberg’s account …”) is consistent with a third party op. There would be no need for anybody to masquerade if it was a Chinese govt. op.




So is it fake news or what?


Beats me.




Here is one from FP magazine, same subject, broader view.


Haven’t read the thread, but the Snowden Documents detail the NSA infiltration of Chinese servers back in 2014.


Apple demands a retraction.




Excellent summary of just how deep in the doo-doo we are, done by a well-respected observer in the field:

Brian Krebs on Supply Chain Security.



That’s a good article.

I thought this was interesting:

Most of what I have to share here is based on conversations with some clueful people over the years who would probably find themselves confined to a tiny, windowless room for an extended period if their names or quotes ever showed up in a story like this, so I will tread carefully around this subject.


This article has a summary of a longer article, and sheds some doubt on Bloomberg's claims based on technical details.

From Boing Boing: A detailed technical rebuttal of Bloomberg’s “backdoored servers” article

The longer article is here: Investigating Implausible Bloomberg Supermicro Stories [Patrick Kennedy/Serve The Home]


Good catch. The author does a fine job of demolishing Bloomberg’s elaborate, mechanistic description of the supposed “backdoor.”

What the author does not consider is that the Bloomberg article may have been a garbled recounting by nontechnical individuals of a supply chain attack on the Baseboard Management Controller (BMC) on these (or somebody else’s) boards.

BMCs, because they combine maximum privilege with minimum computing power, are and always have been a security nightmare. The industry has attempted (as the author describes) to compensate for that weakness by wrapping the device in doctrine, and we all know how well that works.

Professionals don’t put “backdoors” in hardware; they make tiny modifications that insert vulnerabilities, which are then exploited from the outside. Which is why my first reaction to the story was that the exploit looked amateurish.