Reply to post: I reckon this is a cautionary tale

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

Malcolm Weir Silver badge

I reckon this is a cautionary tale

As others have noted, where are the modified boards? Why are seeing pictures showing some random small thing next to a pencils/pennies? How do we reconcile the denials against the story?

As has been pointed out, an attack like this is plausible. It could be done. It might have worked if it was done. But it alternatively might have been detected early, and that detection resulted in nothing happening.

So my working hypothesis is that this is a cautionary tale: beware of your supply chain.

And for that, it doesn't matter (to the teller of the tale) whether all the details are 100% factual, because they're just there to jazz up the story. Apple, Amazon, a bank, CIA spy videos... even Supermicro. The point of the story is not that Something Happened (to Apple/Amazon/the bank/whoever), but that Something Could Have Happened.

Consider this: is it plausible that *if* China was surreptitiously tinkering with a motherboard that they would have succeeded first time out? Why does the Bloomberg article talk about various different types of spy device, without ever explaining why there are the variations?

So we have a report of several generations of spy chip with no explanation of what the second and subsequent ones were for (they can't still be for the Amazon boards) and how they were identified, and we have no exhibits of the compromised items even though there are several generations of spies implying several generations of targets.

And we have NO information about the "phone home" mechanism which is, apparently, teh whole point of the spy chip. And I'm not just talking about the absence from the Bloomberg article: NO ONE has publicly reported and described suspicious activity resulting from the nefariousness. No security notices have been released suggesting a list of IP addresses to block. And, err, there are non-public infosec channels that exist to disseminate advice to people in the US defense industrial base, and if there was corroboration, I'd expect it to leak.

So I think this is a hypothetical attack being reported as an actual attack at the behest of the US government as part of an effort to help prevent actual attacks using this sort of technology.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019