
Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article - nnx
https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/
======
wjnc
This looks like a somewhat hasty response:

- "and we fixed all critical issues before the acquisition closed" - How can you fix issues when the acquiring party is not yet under your control?

- "We further strengthen our security posture by implementing our own hardware designs for critical components such as processors [...]" - Own processor design by Amazon? They have the Alpine ARM-processor, but that type of processor is not the type of processor that runs on the allegedly compromised motherboards.

- What is Amazon exactly responding to? Amazon denies knowing of the hack ("was aware of") when acquiring the company. That's the same denial as in the BB article. But the main point in the BB article is that it was Amazon that found out about the hack and notified the US government. That doesn't mention any knowledge before the deal was struck? Only Apple clearly denies ever having found a malicious chip.

The Bloomberg article just seems too well-sourced to be that easily denied. Not
sure what kind of communication would be acceptable for Amazon and the law
enforcement partners they are (still, according to BB) working with.

~~~
berberous
On your first point, I think that's pretty common in M&A. For example, let's
say the audit revealed that the target did not enforce minimum password
lengths for employee accounts. Amazon could simply say that needs to be
remediated before Amazon is willing to close -- so the target can just implement
that change, and certify it was done and/or have the audit firm confirm it.

------
crispyambulance
There are supermicro servers _everywhere_.

Surely, organizations that don't have anything to hide are taking a peek by
now.

If there aren't a lot of reports of these hacks in the wild in the next couple
of days... then we'll know who's not telling the truth, right?

------
jackconnor
Bloomberg has turned into tabloid-level shock journalism when it comes to
tech. All about the scares, not much substance. It doesn't surprise me at all
that they might've screwed up their article this bad, but I hope it's a wake
up call to the staff at Bloomberg (though I know it won't be).

------
tcelvis
According to BBG report, "the ensuing top-secret probe" "remains open more
than three years later".

I find it extremely hard to believe that Uncle Sam would let state-sponsored
espionage of this scale silently continue for 3 years without warning the
public and cutting off the pipe.

If the alleged hacking were true, wouldn't it be 100x more important to stop
the spyware immediately than to collect comprehensive evidence on who's behind
it? At the end of the day, it's not like the U.S. would start a nuclear war
against China if the allegation is proven true.

------
83
Hopefully this will encourage someone to find an affected device in the wild.
Wonder if any of Supermicro's non-blade mobos would be affected? The graphic on
Bloomberg indicated blade servers, but journalists seem to take quite a bit of
liberty with tech graphics. It's got me curious as I've purchased a few
Supermicro servers off eBay, and have no clue about where they were used
prior.

------
dmschulman
Amazon really feels the need to get in front of this story before their stock
falls any further, down almost 3% as of writing this comment.

~~~
IBM
The entire market is selling off.

------
danbruc
_[...] investigating all hardware and software prior to going into production
and performing regular security audits internally and with our supply chain
partners._

Does this imply that they are checking every piece of hardware that goes into
a data center including looking at it for any additional or replaced malicious
components?

------
jbob2000
Just because you went looking for something and didn't find it does not mean
it is not there. I couldn't find my car key this morning and had to use the
spare, does that mean my normal key doesn't exist and never existed? No, it
just means I didn't dedicate enough time to finding my normal key.

