
The Big Hack: The Software Side of China’s Supply Chain Attack - bitcuration
https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-the-software-side-of-china-s-supply-chain-attack
======
taurath
Well, one can definitely say that the people at Bloomberg don't doubt their
story. Is it at all possible that the higher-ups making statements from Apple or
Amazon didn't know? Even if so, I don't see any way for some side's credibility
not to be severely harmed by the end of this.

And Facebook now enters the fray, saying there was an attack (though it doesn't
seem to be claiming they were affected by the chip in the previous article?)

Edit - I read the dates of the articles wrong, and thought this was a new one
this morning. It was posted alongside the original story, but the main point of
the comment still stands, so I'm keeping it up.

~~~
sparsely
Is it possible that only lower level Apple/Amazon employees were involved in
the investigation and that they are forbidden from telling anyone else, even
senior legal executives?

~~~
086421357909764
It's actually possible they have a National Security Gag order. If that's the
case they could only deny anyway.

~~~
okket
But they don't, they explicitly mentioned they are not under a gag order,
which is the first thing you are forbidden to mention when you are gagged.
That is the reason why "warrant canaries" exist.

[https://en.wikipedia.org/wiki/Warrant_canary](https://en.wikipedia.org/wiki/Warrant_canary)

~~~
usrusr
I think what GP was suggesting is that lower level employees might be under
individual gag order, keeping them from ever reporting the incident to their
higher ups (including those responsible for the warrant canary).

------
pskk
The Norwegian national security agency has confirmed that they were aware of
the allegations against SuperMicro since June, but they won't confirm if it's
true (nor are they denying it) and they noted that they are also aware that
Amazon/Apple are denying it.

As for why Apple/Amazon are denying it I wonder if it's because they don't
want to burn bridges. If they confirm the allegations, how would that play out
in the Chinese business world?

~~~
086421357909764
My guess is Gag order for the US govt.

~~~
wbl
A gag order cannot force you to say something. That would be government
compelled speech, which is generally frowned upon by courts, to put it mildly.

~~~
086421357909764
No, but a gag order can prohibit you from saying something specifically with
regard to national security issues.

So downvote away, but these documents do exist and these circumstances can and
will happen.

In fact, everyone impacted by Aurora was strictly under gag orders during
the onset of that investigation too.

~~~
wbl
And what did they say then? They shut up didn't they?

------
mcqueenjordan
AWS Reply: [https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/](https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/)

~~~
FartyMcFarter
> We further strengthen our security posture by implementing our own hardware
> designs for critical components such as processors, (...)

Do they? I haven't heard about this before.

~~~
mcqueenjordan
Yes, AWS rolls its own hardware in some cases.

------
samspenc
> “In 2015, we were made aware of malicious manipulation of software related
> to Supermicro hardware from industry partners through our threat
> intelligence industry sharing programs,” Facebook said in an emailed
> statement. “While Facebook has purchased a limited number of Supermicro
> hardware for testing purposes confined to our labs, our investigations
> reveal that it has not been used in production, and we are in the process of
> removing them.”

Facebook confirmed this happened. But looks like Apple and Amazon are denying
it.

------
maerF0x0
This has been posted several times and there are tons of comments:

[1]: [https://news.ycombinator.com/item?id=18146438](https://news.ycombinator.com/item?id=18146438)
[2]: [https://news.ycombinator.com/item?id=18138328](https://news.ycombinator.com/item?id=18138328)
[3]: [https://news.ycombinator.com/item?id=18145645](https://news.ycombinator.com/item?id=18145645)
[4]: [https://news.ycombinator.com/item?id=18138990](https://news.ycombinator.com/item?id=18138990)
[5]: [https://news.ycombinator.com/item?id=18141328](https://news.ycombinator.com/item?id=18141328)

------
donald123
This article just refers to some firmware vulnerabilities from Apple back in
2015, which is nothing uncommon, and Apple had taken proper measures to
mitigate that. Besides, it has nothing to do with China's attack.

------
angled
Does this story have the potential to invalidate any CC assessments /
certifications?

e.g., this one for Ubuntu from earlier this year that was assessed at EAL 2:
[https://fmv.se/Global/Bilder/Verksamhet/CSEC/Certification%2...](https://fmv.se/Global/Bilder/Verksamhet/CSEC/Certification%20Report%20Ubuntu%20LTS%2016.04.4.pdf)

------
hnzix
_"Playgrounds hung in space, castles hermetically sealed, the rarest rots of
old Europa, dead men sealed in little boxes, magic out of China..."_

------
reustle
Bloomberg is really doubling down on this story

