Re: they should have simply swapped out the laptop
(Turns out they did after all).
30 posts • joined 13 Sep 2017
...because similar motherboards were in use "in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships."
Uhhhh, nope. Chinese-manufactured motherboards cannot be sold to US government agencies, especially military or intelligence. Stuff has to come from one of a trusted list of countries called TAA (Trade Agreements Act, FAR 52.225-5). China is not on this list.
Just try to find a disk drive not made in China. Thailand maybe? Been there, had to find that. Did.
..."the middlemen would organize delivery of the chips to the factories."
Wow. Just wow. This is classic misdirection. The Intelligence folks are trying (and largely succeeding with Bloomberg, el Reg, WaPo, etc) to focus attention on one vulnerability, namely surreptitious factory modifications. But there are more, so many more. A few hints:
o Connectors. Yes, those boring black thingies with wires going in, and out. Embedding a chip within a connector requires no BMC changes, is difficult to check even with Xray, and completely unobservable. And since there is exactly one connector model that fits in exactly one place, no wastage. Profit!
o Firmware "adjustments" as many others have suggested. But where? Not just SMI flash but ... power supply flash. RAM controller firmware. CPU firmware. Or simply radio transceivers embedded in the board (or connector) that introduce firmware changes at boot time. (Where is the transmitter? Hmmm...maybe power supply RF emissions?)
o Known zero-day vulnerability in....CPU (obviously), BMC firmware (also obviously), but: Ethernet chips, memory controller chips (like RowHammer), PCI bridge chips, etc
o NSA black bag ops. However, at the scale of Amazon, Apple, etc, probably not cost effective. Except see my next point.
One thing not mentioned by El Reg, is the scale of procurement by Amazon, Apple, etc. Unless merely for development purposes, these companies purchase servers by the container-load (where the container is pre-loaded with racking, switches, power, servers, etc). Thousands of servers per container. The assembler might be persuaded to mung things up. It seems a remote possibility but the supply chain risks at this point (well after the motherboard factory) have not been addressed in the press that I can see.
+1 for El Reg and very well reported. Thanks.
"or present an imminent threat of"
Well. Google "phases of cyber" and you will find 5, 6 or even 7 phases. Let's take the shortest:
Item 6 would be "echo 1 > /sys/dev/reactor/meltdown/begin"
Item 4 would be evidence of an imminent threat. Would the Minister nuke the russkies for installing a backdoor?
The difference between cyber espionage and active cyber ops is a keystroke. Deal with it.
"Revenue reached US$1.222 billion, up ten per cent year-over-year.
CEO Greg Clark was pleased that the company’s annual enterprise sales crept up one per cent and happier still that consumer sales grew by six points..."
Ummmmm....if two segments are up 1 and 6, how does the total come up 10 percent?
I think some arithmetic is amiss.
Back in the days before rtfm was a word....
The boys in the project down the hall paid several kilobucks for an in-field upgrade of the VAX-11/780 to a dual processor '782. Downtime was about 4 or 5 days while the extra cabinet was bolted on.
And then came time to boot up. It didn't.
After a couple of days on the phone, tech support asked what version of VMS was installed. Oops, should have upgraded the software before doing the hardware! VMS 4.1 [iirc] doesn't support SMP! Meanwhile 10 programmers were stuck reading magazines and wandering the hallways.
[In those days, one CPU at 0.005 GHz could support 10 coders on their VT100s.]
The current tech can only precisely determine the distance to earth. There are 2 more dimensions needing to be measured. Instead, a few x-ray pulsars across the sky allow eventual precise determination of position. It might take a few days each (pulsar) to be sure of the timing.
And the detectors are only a few kg and half a metre across. Much smaller than the current antenna for comms back to earth. The AE-35 is not required.
On a higher level, this enables, or requires, a more autonomous spacecraft. AI, you know.
"I dread replacing my 25 year old Volvo with a current model. Too much technology for technology's sake."
The battery on my early 1990s BMW 535 lasted...12 years. It was quite the surprise at the dealership when they told me it was a factory original.
A friend with a recent X5 had to surf YouTube to find out how to log into his car's firmware to tell it that he was changing the battery.
YMMV. Your patience will vary too.
Have a read of the Equifax employee ethics standards (page 21 and page 22). A lot of corporate fluff about preserving IP and being careful not to expose confidential data and care with relations with customers. Paying customers, that is.
Absolutely nothing about the care and protection of personally-identifying-information. PII. Which is their whole business.
Bonus? Why? He gets $USD 18,477,100 for retirement. (According to the company 2017 proxy statement.) That is almost the least they can give him (it's $100k less if they actually terminated him but that is probably chump change compared to litigation costs).
There are also vested stock awards; unlikely, I think, that he will get much out of those.
>We pride ourselves on Biting The Hand That Feeds IT.
First task should be to rewrite the slogan. Some suggestions to get them started:
- Slighting the bland that gives two fleas
- Blaming the blight on B2B
- Making the slight seem all too wee
And so forth.
If the quality doesn't impress, pay them something.
Biting the hand that feeds IT © 1998–2018