So basically Apple stated that they have not found anything and are not aware of an FBI investigation, and DHS confirmed Apple has not found anything and is not aware of an FBI investigation. There is no statement that DHS has not found anything. The rest of the statement is water about DHS taking its job seriously.
> Information and communications technology supply chain security is core to DHS’s cybersecurity mission
How true is this? I know US-CERT is within DHS, but what else does DHS do in this area?
I did a bit of searching and found https://fcw.com/articles/2018/02/14/dhs-supply-chain-securit..., which seems to imply that until 8 months ago, DHS wasn't doing much (or anything) in this area. If that's the case, I don't see how a statement from them regarding supply chain security can carry any weight. You don't go from nothing to being an expert in 8 months.
The DOD and the IC broadly have been very focused on Supply Chain Risk Management for a long time. Unfortunately the way the SCRM process works inside the govt is that it's legally focused and limited to primarily defense products, specifically things like hardware used in missiles, planes and equipment.
The major shift over the last decade or two to the commercial world being the source of a lot of risk vectors that impact the govt, means that govt capabilities to have oversight and control, or even warning, is severely limited. This case is a great example of that, as more and more threats to the govt are coming through commercial and personal devices.
Said another way, foreign adversaries don't need to target military equipment to have major capacity to spy on, or impact US government activities and policies. Private companies have to request support from DHS when there isn't a known risk to military supply chain. 99% of companies don't do this because 1. They don't want to, 2. The govt makes it hard to do and 3. It's not advertised well.
The US Govt is not structured to handle this at scale and there is no real solution without making a HUGE shift in private sector oversight that would be incredibly unconstitutional.
The Bloomberg report talked about how investigators tracked phone calls inside China, presumably by hacking and compromising Chinese telecom infrastructure. I don't see how, even if true, the US government would own up to something like that, esp. when it is accusing China of hacking. Imagine the headlines that would generate if the Chinese admitted to doing the same to the US (tapping US calls without a court order and with the potential power to shut down the infrastructure in time of conflict). It would be a bigger deal than planting chips on a few motherboards. The whole story smells of fog of war.
Folks reading this: Please tread with caution, don't take stock advice from HN. Especially for OTC stock. While the story may be false, it's very likely they may never recover.
- Their product is fungible; folks on the front line buying motherboards may just choose to avoid SuperMicro to avoid awkward conversations with their boss.
- They were having financial issues before, had some shady accounting and got delisted from Nasdaq. They're now traded over the counter.
- Last quarter their net earnings were $17M; that'll most likely be wiped and they'll go in the red.
- They've got $120M in the bank and $700M in quarterly operating expenses.
- The market can stay irrational longer than you can stay liquid.
Many companies are now likely auditing their systems for mystery chips. Many companies have learned of the hacked firmware distributed to Apple. Many in-progress orders may have been halted.
@awake: Let's assume that the story is false and then ask yourself some questions:
What is the story about?; Why was it released?; Is the timing significant?; Who are and will continue to be SM's customers? ...prospects for future customers? ...prospects for current and future earnings?
If you like the answers to those questions (and those are just the ones I could think of in 30 secs), you know what to do.
Best of luck to you, but be careful, you may be left holding the bag of a soon-to-be bankrupt company. See my comment above, and take a look at their financials.
A case of a malicious driver update served by Supermicro has already been publicly confirmed by at least two former customers. Even if the hardware hack allegation is conclusively proven false, they will have a tough time acquiring and keeping customers.
In this day and age it’s quite ironic for any country to say that they don’t hack other countries. China will hack, Russia will hack, Japan will hack and the USA will definitely hack.
It’s not just about control. It’s about corporate advantage as well.
If a real supply chain attack was actually happening, sponsored by a foreign government, the US would flag it top secret and never release the details. I find it highly incredulous for DHS, or any US government agency, to publicly denounce such attacks as a non-issue... If anything, the report by Bloomberg is confirming what a lot of people already suspected would happen or has already happened.
Put pics and facts here anonymously. Alternatively mail a computer security company or FBI - folks are hungry for examples. Or mail me and I will help. Or Bruce Schneier or Krebs or...
If any box on your network is establishing outbound connections to machines in China, that would be suspect... Firewalls and IDS at least detect/block this activity.
It’s basically an “artist’s representation”. The chip in the image on the Bloomberg cover looks like typical 3-pin oscillator package, and absolutely not a thing that would be placed on a bus with data going through it.
It's not a micro, but there are microcontrollers that are comparable in size. An AVR ATtiny20 is available in a 1.5mm x 1.4mm package. That's just about a 2mm^2 footprint, it's totally insane.
And not just itty ATtinys; for example, the MAX32660 is a full-fat ARM M4F core in a 1.6x1.6 mm package. It is the sort of thing you could hide pretty much anywhere.
So, both the British and US governments are on the record confirming Apple and Amazon's statements. The next step should be Bloomberg's internal investigation so they can figure out how that story got published without any corroborating evidence. Supermicro's stock took a beating and now they will have a legal case against Bloomberg.
There's still too many weasel words in the statement. They didn't confirm that the article is wrong; they said "we have no reason to doubt the statements from the companies named in the story". That could just be another way of saying "we have no reason to doubt that Apple and Amazon weren't aware of the issue." It could also just be DHS trying to cover their ass. They say that supply chain security is core to their mission, so having an article come out alleging that the most valuable company in the world and the primary supplier of government cloud infrastructure were affected by a compromised supply chain would be pretty embarrassing for DHS.
At any other moment in history there might be a possibility but I strongly believe that Trump would be more than willing to announce it to the world if this is even under a bit of a doubt. Simply because we haven’t seen any tweets complaining yet I believe that no such thing happened.
But it is still possible that DHS is just not aware of CIA/NSA discoveries and activities.
There were suspicious events that signal that something is up, like when Apple completely switched from Supermicro to other vendors, or when they started to develop processes to prevent supply chain hardware attacks around the time when the CIA supposedly found the bug (2015-2016).
The iPhone also switched from Qualcomm modems to US-designed ones fabricated by Intel.
Switching from one vendor to another could come from any number of reasons.
Also, their work on supply-chain security is at the same time that Apple was more publicly promoting the security of their own hardware. So those two things could be entirely coincidental.
That said, short of a release of internal documents, I don't think anyone outside has a decent idea of what's going on.
Actually they said they have 'no reason to doubt' them, which would imply that if something damning was found they could then just say 'ah well now we have reason to doubt.'
> Supermicro's stock took a beating and now they will have a legal case against Bloomberg.
Under the First Amendment Supermicro would have to prove actual malice—that is, that Bloomberg knew its reporting was false or acted with reckless disregard for the truth. That’s a very difficult standard to meet.
The answer is complicated but boils down to: probably not. Both California and New York (the two most plausible jurisdictions for such a suit) have shield laws that create a qualified reporter’s privilege. That’s in addition to the constitutional news gathering privilege, if any (it’s an area where the case law is not entirely settled).
IANAL, but this website mentions Chobani sued Alex Jones / InfoWars over allegedly defamatory, fictitious statements. [0] Perhaps Bloomberg can be sued for defamation by Supermicro if discovery can turn up evidence that the story was both malicious and intentional.