
DHS Press Secretary on Recent Media Reports of Potential Supply Chain Compromise - imwally
https://www.dhs.gov/news/2018/10/06/statement-dhs-press-secretary-recent-media-reports-potential-supply-chain-compromise
======
qaq
So basically Apple stated that they have not found anything and are not aware
of FBI investigation and DHS confirmed Apple has not found anything and is not
aware of FBI investigation. There is no statement that DHS has not found
anything. The rest of the statement is water about DHS taking its job
seriously.

------
testplzignore
> Information and communications technology supply chain security is core to
> DHS’s cybersecurity mission

How true is this? I know US-CERT is within DHS, but what else does DHS do in
this area?

I did a bit of searching and found
[https://fcw.com/articles/2018/02/14/dhs-supply-chain-security.aspx](https://fcw.com/articles/2018/02/14/dhs-supply-chain-security.aspx),
which seems to imply that until 8 months ago, DHS wasn't doing much (or
anything) in this area. If that's the case, I don't see how a statement from
them regarding supply chain security can carry any weight. You don't go from
nothing to being an expert in 8 months.

~~~
AndrewKemendo
The DOD and the IC broadly have been very focused on Supply Chain Risk
Management for a long time. Unfortunately the way the SCRM process works
inside the govt is that it's legally focused and limited to primarily defense
products, specifically things like hardware used in missiles, planes and
equipment.

The major shift over the last decade or two to the commercial world being the
source of a lot of risk vectors that impact the govt, means that govt
capabilities to have oversight and control, or even warning, is severely
limited. This case is a great example of that, as more and more threats to the
govt are coming through commercial and personal devices.

Said another way, foreign adversaries don't need to target military equipment
to have major capacity to spy on, or impact US government activities and
policies. Private companies have to request support from DHS when there isn't
a known risk to military supply chain. 99% of companies don't do this because
1. They don't want to, 2. The govt makes it hard to do and 3. It's not
advertised well.

The US Govt is not structured to handle this at scale and there is no real
solution without making a HUGE shift in private sector oversight that would be
incredibly unconstitutional.

------
fspeech
The Bloomberg report talked about how investigators tracked phone calls inside
China, presumably by hacking and compromising Chinese telecom infrastructure.
I don't see how, even if true, the US government would own up to something
like that, esp. when it is accusing China of hacking. Imagine the headlines
that would generate if the Chinese admitted to doing the same to the US
(tapping US calls without a court order and with the potential power to shut
down the infrastructure in time of conflict). It would be a bigger deal than
planting chips on a few motherboards. The whole story smells of fog of war.

------
awake
What are people’s thoughts on investing in supermicro. If this story turns out
to be false are they undervalued at the moment?

~~~
AdamJacobMuller
Undervalued in general, stupidly undervalued after the drop in their stock
last week. I bought a considerable chunk on Thursday @ 11/share.

~~~
united893
Best of luck to you, but be careful, you may be left holding the bag of a
soon-to-be bankrupt company. See my comment above, and take a look at their
financials.

~~~
AdamJacobMuller
Not investing more than I can afford to lose.

------
askaboutit
In this day and age it’s quite ironic for any country to say that they don’t
hack other countries. China will hack, Russia will hack, Japan will hack and
USA will definitely hack.

It’s not just about control. It’s about corporate advantage as well.

~~~
charlysl
Hacking is one thing, your main outsourcing partner planting hardware
backdoors by the millions is quite another.

These are companies that take your money and then hack you.

------
jijji
If a real supply chain attack was actually happening sponsored by a foreign
government, the US would flag it top secret and never release the details. I
find it highly incredulous for DHS, or any US government agency, to publicly
denounce such attacks as a non-issue... If anything, the report by Bloomberg
is confirming what a lot of people already suspected would happen or has
already happened.

~~~
jschwartzi
Why would they do that? Surely it's to their advantage to actually tell the
targets of the supply chain attack about it?

What are you basing this on other than speculation?

------
anonandonandon
Suppose somebody had access to a potentially compromised motherboard
exhibiting strange behavior on the network.

How would one go about analyzing it?

Who would be on the so-called dream team?

Asking for a friend.

~~~
jijji
If any box on your network is establishing outbound connections to machines in
china, that would be suspect... Firewalls and IDS at least detect/block this
activity.

~~~
Itsdijital
I feel like if you had the resources to implement something like this, you
would also have the resources to mask where you are phoning home to.

------
beaner
Not taking a side, what the heck is the chip in the photos if the story is
inaccurate?

~~~
Itsdijital
It's not a micro, but there are microcontrollers that are comparable in size.
An AVR ATtiny20 is available in a 1.5mm x 1.4mm package. That's just about a
2mm^2 footprint, it's totally insane.

~~~
zokier
And not just itty ATtinys, for example MAX32660 is full fat ARM M4F core in
1.6x1.6 mm package. It is the sort of thing you could hide pretty much
anywhere.

For reference here is a picture of similar package (called wlcsp or variation
of thereof):
[https://img.youtube.com/vi/edERx4x5eY0/maxresdefault.jpg](https://img.youtube.com/vi/edERx4x5eY0/maxresdefault.jpg)

------
Jerry2
So, both the British and US governments are on the record confirming Apple and
Amazon's statements. The next step should be Bloomberg's internal
investigation so they can figure out how that story got published without any
corroborating evidence. Supermicro's stock took a beating and now they will
have a legal case against Bloomberg.

~~~
coolspot
But it is still possible that DHS is just not aware of CIA/NSA discoveries and
activities.

There were suspicious events that signal that something is up, like when Apple
completely switched from Supermicro to other vendors or when they started to
develop processes to prevent supply chain hardware attack around time when CIA
supposedly found the bug (2015-2016).

iPhone is also switched from Qualcomm modem to US designed and fabricated by
Intel.

~~~
kccqzy
> iPhone is [sic] also switched from Qualcomm modem to US designed and
> fabricated by Intel.

Qualcomm is based in San Diego, CA.

~~~
coolspot
Supermicro is based in San Jose, CA. Qualcomm is a fabless company,
manufacturing chips among others in Taiwan.

------
qrbLPHiKpiux
> “... [we] are committed to the security and integrity of the technology on
> which Americans and others around the world increasingly rely.”

Snowden showed us otherwise.
