Apparently China just can't resist embedding spyware (It's worse - lots worse. See Post #32)



Bob
4th October 2018, 17:15
This originates out of Bloomberg and was picked up by the news services. Those "hacked" (hardware violated by physical spyware installed in China on motherboards) deny the claim... who's to believe?



This morning Bloomberg is reporting a bombshell for hardware security. Companies like Amazon and Apple have found a malicious chip on their server motherboards. These are not counterfeit chips. They are not part of the motherboard design. These were added by the factory at the time of manufacture. The chip was placed among other signal conditioning components and is incredibly hard to spot as the nature of these motherboards includes hundreds of minuscule components.

Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China.

It is unknown how many of the company’s products have this type of malicious hardware in them; equipment from Elemental Technologies has been supplied to the likes of government contractors as well as major banks and was even reportedly used in the CIA’s drone operations.

HOW THE HACK WORKS
The attacks work with the small chip being implanted onto the motherboard disguised as signal couplers. It is unclear how the chip gains access to the peripherals such as memory (as reported by Bloomberg) but it is possible it has something to do with accessing the bus.

The chip controls some data lines on the motherboard that likely provide an attack vector for the baseboard management controller (BMC).

Hackaday spoke with Joe FitzPatrick (a well known hardware security guru who was quoted in the Bloomberg article). He finds this reported attack as a very believable approach to compromising servers. His take on the BMC is that it’s usually an ARM processor running an ancient version of Linux that has control over the major parts of the server. Any known vulnerability in the BMC would be an attack surface for the custom chip.

Data centers house thousands of individual servers that see no physical interaction from humans once installed. The BMC lets administrators control the servers remotely to reboot malfunctioning equipment among other administrative tasks. If this malicious chip can take control of the BMC, then it can provide remote access to whomever installed the chip. Reported investigations have revealed the hack in action with brief check-in communications from these chips though it’s difficult to say if they had already served their purpose or were being saved for a future date.

WHAT NOW?
Adding hardware to a design is fundamentally different than software-based hacking: it leaves physical evidence behind. Bloomberg reports on US government efforts to investigate the supply chain attached to these parts. It is worth noting though that the article doesn’t include any named sources while pointing the finger at China’s People’s Liberation Army.

The solution is not a simple one if servers with this malicious chip were already out in the field. Even if you know a motherboard has the additional component, finding it is not easy. Bloomberg also has unconfirmed reports that the next-generation of this attack places the malicious component between layers of the circuit board. If true, an x-ray would be required to spot the additional part.

A true solution for high-security applications will require specialized means of making sure that the resulting product is not altered in any way. This hack takes things to a whole new level and calls into question how we validate hardware that runs our networks.

source (numerous) - https://hackaday.com/2018/10/04/malicious-component-found-on-server-motherboards-supplied-to-numerous-companies/

Ernie Nemeth
4th October 2018, 19:09
In what way is this surprising? I have suspected this sort of thing for a long while. Ever seen the size of components on a motherboard or any other high tech device? They are minuscule...

Did You See Them
4th October 2018, 19:16
Apple, Amazon, China all deny the Bloomberg article entirely.

Is it corporate and state lies or just scare-mongering fake news?

It's one or the other!

ichingcarpenter
4th October 2018, 19:35
Remember when the NSA bugged Cisco servers being sold?

NSA intercepted and bugged Cisco routers

https://www.engadget.com/2014/05/16/nsa-bugged-cisco-routers/

China, USA ........ what a great bunch of Orwellian guys.

norman
4th October 2018, 19:40
"Q" has mentioned compromised hardware. That could be where the idea came from, or it could be a confirmation that it's true.

Take your pick.

Bob
4th October 2018, 19:48
So maybe more of the users of the product need to say "it never happened!" (Schultz: I know nothing, nooooothing)

from:

https://boingboing.net/2018/10/04/baseboard-hacks.html?ref=hvper.com&utm_source=hvper.com&utm_medium=website


Joe FitzPatrick, founder of Hardware Security Resources LLC (https://hardwaresecurity.training/trainers/joefitz/), a company that trains cybersecurity professionals in hardware hacking techniques says this:

This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one.

An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users.

A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet.

Should some anomaly be noticed, it would likely be cast as an unexplained oddity.

How many companies, just Apple and Amazon? How about this??


US spies and large corporate IT departments have had an open secret for years: the servers supplied by US hardware giant Supermicro for Elemental, Inc were sometimes infected with tiny hardware backdoors by Chinese spies during their manufacture; these superminiature chips were wired into the systems' baseboard management system and were able to accept covert software patches that would allow Chinese spies to utterly compromise both the servers and the networks they were connected to.

Elemental had a formal partnership with In-Q-Tel, the CIA's investment arm, which gave it an air of trustworthiness that allowed it to sell billions of dollars' worth of hardware to US entities.

The list of compromised entities is terrifying: Apple, Amazon, the Pentagon, DoD drone operations, Navy battleships, NASA, Congress and the Senate, even Bloomberg itself.

All of these entities officially deny that they were ever compromised by the attack and claim that they have no knowledge of these hardware backdoors -- but Bloomberg's Jordan Robertson and Michael Riley cite multiple anonymous insiders and former insiders who say that the attack came to light in 2015 when Apple first discovered unusual traffic on its network and that in the years since, there have been mass teardowns of data-centers and divestments from Supermicro and Elemental.

The exception is Amazon, who actually acquired Elemental after they were made aware of the hack.

Going back to 2015.. Conspiracy you say?


US intelligence operatives were able to identify the two Supermicro subcontractors in China where the motherboards were doctored, and learned that the managers in these factories were bribed, and then threatened, by the People's Liberation Army.

and


Officials familiar with the investigation say the primary role of implants such as these is to open doors that other attackers can go through. “Hardware attacks are about access,” as one former senior official puts it.

In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say.

This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU.

The implanted circuit (chip) was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.

Trust us ...


Elemental had a formal partnership with In-Q-Tel (https://www.iqt.org/elemental-technologies-secures-strategic-partnership-and-development-agreement-with-iqt/), the CIA's investment arm, which gave it an air of trustworthiness that allowed it to sell billions of dollars' worth of hardware to US entities. How it works: CIA identifies pressing problems, and In-Q-Tel provides the technology to address them...

well, we're profitable BUY US


Amazon, in 2015 actually acquired Elemental (https://techcrunch.com/2015/09/03/amazon-acquires-elemental-technologies-for-a-reported-500-million-in-cash/) after they were made aware of the hack. At $500 million, Elemental would represent one of Amazon’s five biggest acquisitions to date. The others include Zappos, acquired in 2009 for $1.2 billion; Twitch, acquired last year for $970 million; Kiva Systems, acquired in 2012 for $775 million; and Quidsi, acquired for $545 million in 2010.

Need for plausible deniability

Can one imagine the amount of lawsuits that those firms would have to deal with if they admitted that the customer's data, transactions, bank accounts, payment history, order history were "hacked" and made known to ____________ ??? (fill in the blank).. They would have to scurry to say "We no nothing, nothing ever happened, we no nothing"..

tongue in cheek:


https://youtu.be/UgcxGFmYyPs

Bob
4th October 2018, 20:12
Here is how AWS Amazon rebuffed Bloomberg's article - fake news or what?


As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers. And, this notion that we sold off the hardware and datacenter in China to our partner Sinnet because we wanted to rid ourselves of SuperMicro servers is absurd. Sinnet had been running these data centers since we launched in China, they owned these data centers from the start, and the hardware we “sold” to them was a transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China.

Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.

Security will always be our top priority.

AWS is trusted by many of the world’s most risk-sensitive organizations precisely because we have demonstrated this unwavering commitment to putting their security above all else.

We are constantly vigilant about potential threats to our customers, and we take swift and decisive action to address them whenever they are identified.

– Steve Schmidt, Chief Information Security Officer

Bloomberg's original article is here:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Bloomberg then reported this about SuperMicro:


Super Micro Computer Inc. (commonly known as Supermicro) plunged in Thursday trading after Bloomberg Businessweek reported that a Chinese hack infiltrated the U.S. technology supply chain by implanting tiny chips on motherboards supplied by the company.

Shares of other leading server and network-storage firms also fell. Apple Inc. and Amazon.com Inc. were among companies that found malicious microchips on Supermicro motherboards.

Those companies, as well as Supermicro and China’s Ministry of Foreign Affairs, denied the Businessweek report, which is based on more than a year of reporting and more than 100 interviews.

Bob
4th October 2018, 20:48
This is an extract from the original Bloomberg article: see https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom "Chinese hardware hack"

In the image below, look at the white circle. See anything? Zoom in your browser until you see the chip. Darned easy to miss.


The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation.

One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation.

In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim.

In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.

One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.

The ramifications of the attack continue to play out.

The Trump administration has made computer and networking hardware, including motherboards, a focus of its latest round of trade sanctions against China, and White House officials have made it clear they think companies will begin shifting their supply chains to other countries as a result.

Such a shift might assuage officials who have been warning for years about the security of the supply chain—even though they’ve never disclosed a major reason for their concerns.

[Figure: How the Hack Worked, According to U.S. Officials (Illustrator: Scott Gelber) - https://assets.bwbx.io/images/users/iqjWHBFdfxIU/iuMb2IgDb_zs/v0/-999x-999.gif]

Back in 2006, three engineers in Oregon had a clever idea.

Demand for mobile video was about to explode, and they predicted that broadcasters would be desperate to transform programs designed to fit TV screens into the various formats needed for viewing on smartphones, laptops, and other devices.

To meet the anticipated demand, the engineers started Elemental Technologies, assembling what one former adviser to the company calls a genius team to write code that would adapt the superfast graphics chips being produced for high-end video-gaming machines. The resulting software dramatically reduced the time it took to process large video files. Elemental then loaded the software onto custom-built servers emblazoned with its leprechaun-green logos.

Elemental servers sold for as much as $100,000 each, at profit margins of as high as 70 percent, according to a former adviser to the company.

Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.

Elemental also started working with American spy agencies.

In 2009 the company announced a development partnership with In-Q-Tel Inc., the CIA’s investment arm, a deal that paved the way for Elemental servers to be used in national security missions across the U.S. government.

Public documents, including the company’s own promotional materials, show that the servers have been used inside Department of Defense data centers to process drone and surveillance-camera footage, on Navy warships to transmit feeds of airborne missions, and inside government buildings to enable secure videoconferencing. NASA, both houses of Congress, and the Department of Homeland Security have also been customers. This portfolio made Elemental a target for foreign adversaries.

Supermicro had been an obvious choice to build Elemental’s servers.

Headquartered north of San Jose’s airport, up a smoggy stretch of Interstate 880, the company was founded by Charles Liang, a Taiwanese engineer who attended graduate school in Texas and then moved west to start Supermicro with his wife in 1993. Silicon Valley was then embracing outsourcing, forging a pathway from Taiwanese, and later Chinese, factories to American consumers, and Liang added a comforting advantage: Supermicro’s motherboards would be engineered mostly in San Jose, close to the company’s biggest clients, even if the products were manufactured overseas.

Today, Supermicro sells more server motherboards than almost anyone else.

It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems.

Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places.

Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China.

The company’s pitch to customers hinges on unmatched customization, made possible by hundreds of full-time engineers and a catalog encompassing more than 600 designs.

The majority of its workforce in San Jose is Taiwanese or Chinese, and Mandarin is the preferred language, with hanzi filling the whiteboards, according to six former employees. Chinese pastries are delivered every week, and many routine calls are done twice, once for English-only workers and again in Mandarin. The latter are more productive, according to people who’ve been on both. These overseas ties, especially the widespread use of Mandarin, would have made it easier for China to gain an understanding of Supermicro’s operations and potentially to infiltrate the company. (A U.S. official says the government’s probe is still examining whether spies were planted inside Supermicro or other American companies to aid the attack.)

With more than 900 customers in 100 countries by 2015, Supermicro offered inroads to a bountiful collection of sensitive targets. “Think of Supermicro as the Microsoft of the hardware world,” says a former U.S. intelligence official who’s studied Supermicro and its business model. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”


Well before evidence of the attack surfaced inside the networks of U.S. companies, American intelligence sources were reporting that China’s spies had plans to introduce malicious microchips into the supply chain. The sources weren’t specific, according to a person familiar with the information they provided, and millions of motherboards are shipped into the U.S. annually. But in the first half of 2014, a different person briefed on high-level discussions says, intelligence officials went to the White House with something more concrete: China’s military was preparing to insert the chips into Supermicro motherboards bound for U.S. companies.

The specificity of the information was remarkable, but so were the challenges it posed. Issuing a broad warning to Supermicro’s customers could have crippled the company, a major American hardware maker, and it wasn’t clear from the intelligence whom the operation was targeting or what its ultimate aims were. Plus, without confirmation that anyone had been attacked, the FBI was limited in how it could respond. The White House requested periodic updates as information came in, the person familiar with the discussions says.

Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline. Two of the senior Apple insiders say the company reported the incident to the FBI but kept details about what it had detected tightly held, even internally.

Government investigators were still chasing clues on their own when Amazon made its discovery and gave them access to sabotaged hardware, according to one U.S. official.

This created an invaluable opportunity for intelligence agencies and the FBI—by then running a full investigation led by its cyber-and counterintelligence teams—to see what the chips looked like and how they worked.

The chips on Elemental servers were designed to be as inconspicuous as possible, according to one person who saw a detailed report prepared for Amazon by its third-party security contractor, as well as a second person who saw digital photos and X-ray images of the chips incorporated into a later report prepared by Amazon’s security team.

Gray or off-white in color, they looked more like signal conditioning couplers, another common motherboard component, than microchips, and so they were unlikely to be detectable without specialized equipment. Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches.

Officials familiar with the investigation say the primary role of implants such as these is to open doors that other attackers can go through. “Hardware attacks are about access,” as one former senior official puts it. In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say.

This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.

Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.

This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto!

A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be cast as an unexplained oddity. “The hardware opens whatever door it wants,” says Joe FitzPatrick, founder of Hardware Security Resources LLC, a company that trains cybersecurity professionals in hardware hacking techniques.

U.S. officials had caught China experimenting with hardware tampering before, but they’d never seen anything of this scale and ambition. The security of the global technology supply chain had been compromised, even if consumers and most companies didn’t know it yet. What remained for investigators to learn was how the attackers had so thoroughly infiltrated Supermicro’s production process—and how many doors they’d opened into American targets.

Unlike software-based hacks, hardware manipulation creates a real-world trail. Components leave a wake of shipping manifests and invoices. Boards have serial numbers that trace to specific factories. To track the corrupted chips to their source, U.S. intelligence agencies began following Supermicro’s serpentine supply chain in reverse, a person briefed on evidence gathered during the probe says.

As recently as 2016, according to DigiTimes, a news site specializing in supply chain research, Supermicro had three primary manufacturers constructing its motherboards, two headquartered in Taiwan and one in Shanghai.

When such suppliers are choked with big orders, they sometimes parcel out work to subcontractors. In order to get further down the trail, U.S. spy agencies drew on the prodigious tools at their disposal.

They sifted through communications intercepts, tapped informants in Taiwan and China, even tracked key individuals through their phones, according to the person briefed on evidence gathered during the probe. Eventually, that person says, they traced the malicious chips to four subcontracting factories that had been building Supermicro motherboards for at least two years.

As the agents monitored interactions among Chinese officials, motherboard manufacturers, and middlemen, they glimpsed how the seeding process worked. In some cases, plant managers were approached by people who claimed to represent Supermicro or who held positions suggesting a connection to the government. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants. Once arrangements were in place, the middlemen would organize delivery of the chips to the factories.

The investigators concluded that this intricate scheme was the work of a People’s Liberation Army unit specializing in hardware attacks, according to two people briefed on its activities. The existence of this group has never been revealed before, but one official says, “We’ve been tracking these guys for longer than we’d like to admit.”

The unit is believed to focus on high-priority targets, including advanced commercial technology and the computers of rival militaries.

In past attacks, it targeted the designs for high-performance computer chips and computing systems of large U.S. internet providers.

Provided details of Businessweek’s reporting, China’s Ministry of Foreign Affairs sent a statement that said “China is a resolute defender of cybersecurity.”

The ministry added that in 2011, China proposed international guarantees on hardware security along with other members of the Shanghai Cooperation Organization, a regional security body.

The statement concluded, “We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.”

The Supermicro attack was on another order entirely from earlier episodes attributed to the PLA. It threatened to have reached a dizzying array of end users, with some vital ones in the mix. Apple, for its part, has used Supermicro hardware in its data centers sporadically for years, but the relationship intensified after 2013, when Apple acquired a startup called Topsy Labs, which created superfast technology for indexing and searching vast troves of internet content.

By 2014, the startup was put to work building small data centers in or near major global cities. This project, known internally as Ledbelly, was designed to make the search function for Apple’s voice assistant, Siri, faster, according to the three senior Apple insiders.

Documents seen by Businessweek show that in 2014, Apple planned to order more than 6,000 Supermicro servers for installation in 17 locations, including Amsterdam, Chicago, Hong Kong, Los Angeles, New York, San Jose, Singapore, and Tokyo, plus 4,000 servers for its existing North Carolina and Oregon data centers.

Those orders were supposed to double, to 20,000, by 2015. Ledbelly made Apple an important Supermicro customer at the exact same time the PLA was found to be manipulating the vendor’s hardware.

Project delays and early performance problems meant that around 7,000 Supermicro servers were humming in Apple’s network by the time the company’s security team found the added chips. Because Apple didn’t, according to a U.S. official, provide government investigators with access to its facilities or the tampered hardware, the extent of the attack there remained outside their view.


Microchips found on altered motherboards in some cases looked like signal conditioning couplers.

American investigators eventually figured out who else had been hit.

Since the implanted chips were designed to ping anonymous computers on the internet for further instructions, operatives could hack those computers to identify others who’d been affected. Although the investigators couldn’t be sure they’d found every victim, a person familiar with the U.S. probe says they ultimately concluded that the number was almost 30 companies.

That left the question of whom to notify and how.

U.S. officials had been warning for years that hardware made by two Chinese telecommunications giants, Huawei Corp. and ZTE Corp., was subject to Chinese government manipulation.

(Both Huawei and ZTE have said no such tampering has occurred.)

But a similar public alert regarding a U.S. company was out of the question. Instead, officials reached out to a small number of important Supermicro customers.

One executive of a large web-hosting company says the message he took away from the exchange was clear: Supermicro’s hardware couldn’t be trusted. “That’s been the nudge to everyone—get that crap out,” the person says.

Amazon, for its part, began acquisition talks with an Elemental competitor, but according to one person familiar with Amazon’s deliberations, it reversed course in the summer of 2015 after learning that Elemental’s board was nearing a deal with another buyer. Amazon announced its acquisition of Elemental in September 2015, in a transaction whose value one person familiar with the deal places at $350 million. Multiple sources say that Amazon intended to move Elemental’s software to AWS’s cloud, whose chips, motherboards, and servers are typically designed in-house and built by factories that Amazon contracts from directly.

A notable exception was AWS’s data centers inside China, which were filled with Supermicro-built servers, according to two people with knowledge of AWS’s operations there.

Mindful of the Elemental findings, Amazon’s security team conducted its own investigation into AWS’s Beijing facilities and found altered motherboards there as well, including more sophisticated designs than they’d previously encountered. In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips.

That generation of chips was smaller than a sharpened pencil tip, the person says. (Amazon denies that AWS knew of servers found in China containing malicious chips.)

China has long been known to monitor banks, manufacturers, and ordinary citizens on its own soil, and the main customers of AWS’s China cloud were domestic companies or foreign entities with operations there. Still, the fact that the country appeared to be conducting those operations inside Amazon’s cloud presented the company with a Gordian knot.

Its security team determined that it would be difficult to quietly remove the equipment and that, even if they could devise a way, doing so would alert the attackers that the chips had been found, according to a person familiar with the company’s probe.

Instead, the team developed a method of monitoring the chips.

In the ensuing months, they detected brief check-in communications between the attackers and the sabotaged servers but didn’t see any attempts to remove data. That likely meant either that the attackers were saving the chips for a later operation or that they’d infiltrated other parts of the network before the monitoring began. Neither possibility was reassuring.

When in 2016 the Chinese government was about to pass a new cybersecurity law—seen by many outside the country as a pretext to give authorities wider access to sensitive data—Amazon decided to act, the person familiar with the company’s probe says.

In August it transferred operational control of its Beijing data center to its local partner, Beijing Sinnet, a move the companies said was needed to comply with the incoming law.

The following November, Amazon sold the entire infrastructure to Beijing Sinnet for about $300 million. The person familiar with Amazon’s probe casts the sale as a choice to “hack off the diseased limb.”

As for Apple, one of the three senior insiders says that in the summer of 2015, a few weeks after it identified the malicious chips, the company started removing all Supermicro servers from its data centers, a process Apple referred to internally as “going to zero.” Every Supermicro server, all 7,000 or so, was replaced in a matter of weeks, the senior insider says. (Apple denies that any servers were removed.) In 2016, Apple informed Supermicro that it was severing their relationship entirely—a decision a spokesman for Apple ascribed in response to Businessweek’s questions to an unrelated and relatively minor security incident.

That August, Supermicro’s CEO, Liang, revealed that the company had lost two major customers. Although he didn’t name them, one was later identified in news reports as Apple. He blamed competition, but his explanation was vague. “When customers asked for lower price, our people did not respond quickly enough,” he said on a conference call with analysts. Hayes, the Supermicro spokesman, says the company has never been notified of the existence of malicious chips on its motherboards by either customers or U.S. law enforcement.

Concurrent with the illicit chips’ discovery in 2015 and the unfolding investigation, Supermicro has been plagued by an accounting problem, which the company characterizes as an issue related to the timing of certain revenue recognition. After missing two deadlines to file quarterly and annual reports required by regulators, Supermicro was delisted from the Nasdaq on Aug. 23 of this year. It marked an extraordinary stumble for a company whose annual revenue had risen sharply in the previous four years, from a reported $1.5 billion in 2014 to a projected $3.2 billion this year.

One Friday in late September 2015, President Barack Obama and Chinese President Xi Jinping appeared together at the White House for an hourlong press conference headlined by a landmark deal on cybersecurity. After months of negotiations, the U.S. had extracted from China a grand promise: It would no longer support the theft by hackers of U.S. intellectual property to benefit Chinese companies. Left out of those pronouncements, according to a person familiar with discussions among senior officials across the U.S. government, was the White House’s deep concern that China was willing to offer this concession because it was already developing far more advanced and surreptitious forms of hacking founded on its near monopoly of the technology supply chain.

In the weeks after the agreement was announced, the U.S. government quietly raised the alarm with several dozen tech executives and investors at a small, invite-only meeting in McLean, Va., organized by the Pentagon. According to someone who was present, Defense Department officials briefed the technologists on a recent attack and asked them to think about creating commercial products that could detect hardware implants. Attendees weren’t told the name of the hardware maker involved, but it was clear to at least some in the room that it was Supermicro, the person says.

The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem.

“This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,” one of the people present in McLean says.

“You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.”

Bloomberg LP has been a Supermicro customer. According to a Bloomberg LP spokesperson, the company has found no evidence to suggest that it has been affected by the hardware issues raised in the article.



Paul Harvey used to say, "and that folks is the rest of the story..." Seems an awfully long, drawn-out investigation spanning many years to simply be "fake news", doncha think?

avid
4th October 2018, 22:31
Obfuscation to key nations...

Bob
5th October 2018, 00:59
Here is an article on Ars Technica (2017) about APPLE getting rid of SuperMicro servers - https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/


A mid-2016 security incident led to Apple purging its data centers of servers built by Supermicro, including returning recently purchased systems, according to a report by The Information. Malware-infected firmware was reportedly detected in an internal development environment for Apple's App Store, as well as some production servers handling queries through Apple's Siri service.

An Apple spokesperson denied there was a security incident. However, Supermicro's senior vice-president of technology, Tau Leng, told The Information that Apple had ended its relationship with Supermicro because of the compromised systems in the App Store development environment. Leng also confirmed Apple returned equipment that it had recently purchased. An anonymous source was cited as the source of the information regarding infected Siri servers.

Apple has used a variety of other companies' server hardware—since the company got out of the server business itself and never used its own in datacenters—including servers from HP and storage from NetApp. A few years ago, Apple added Supermicro as a supplier for some of its development and data center computing infrastructure.

But Apple has been squeezing the cost of its data center supply chain and moving toward more custom hardware much like the other cloud giants. In August of 2016, Digitimes reported Apple was increasing its orders for full-rack systems from the integrator ZT Systems and adding the China-based Inspur as a server supplier.

Leng told The Information that Apple was the only company to report the firmware issue, and he said the servers are used by thousands of customers. He asserted that when his company asked Apple's engineers to provide information about the firmware, they gave an incorrect version number—and then refused to give further information.

Bob
5th October 2018, 01:47
Reports of major tech giants using the SuperMicro servers -


IBM has been known as a big customer of Supermicro, which supplied servers for its cloud business, formerly known as SoftLayer.

Last year, Intel was reported to have placed a massive Supermicro server order for one of its data centers.

Dedicated Server Hosting Provider, Hivelocity, is proud to announce the addition of Dell to its list of server hardware partners. Dell is known for producing some of the most soundly built and innovative server chassis in the industry. Customers of Hivelocity now have the option of choosing between both Dell and SuperMicro dedicated servers.

The Supermicro SuperStorage servers improve upon their existing extensive portfolio of modern solutions to drive IT transformation in the data center. Commvault has worked with Supermicro on three (3) different reference designs to support our customers’ diverse needs.

What hardware powers ETSY? We’re pretty much in love with this 2U Supermicro chassis which allows for 4x nodes that share two power supplies and 12 3.5″ disks on the front of the chassis

SUSE Enterprise storage - Get cost-effective, infinitely scalable data storage with SUSE Enterprise Storage and Supermicro servers.

Reliable hosting and domains that you can trust, mtc. - MTC Media - Our web-sites are hosted on high performance Supermicro servers

the Reston data-center configured IPMI on Supermicro servers

Arista and Supermicro partner on SDN servers

Mellanox Collaborates with Supermicro to Deliver CloudX-based Hyper-Converged..

Webzilla, one of the largest web hosting companies in the world.. SuperMicro H8QGi-F Motherboard G34 Quad Opteron with 4x Opteron 6128

The colocation data center Ilia Hamrah Kish in Tehran, Iran SuperMicro servers (CIA scores bigtime?)

4 Top Data Centers in the Mid-East - Equinix, IPTP, Mobily, Dubai Silicon Oasis - They offer a range of Supermicro servers that are pretested and ready for use..

Equinix (Australia) operates data centers - own proprietary IaaS built on enterprise-grade supermicro servers

source - internet search on keywords "data center" "co-hosting" SuperMicro

Bob
5th October 2018, 18:06
Looks like Facebook and Apple finally confirm, yes they were targets

from Mashable - https://mashable.com/article/chinese-malware-server-attack-bloomberg-facebook-apple/#hsR7XtrouGqq


The confirmation by both companies is still significant, however, because it confirms that Chinese actors have made attempts to compromise U.S. security.

This is something the Chinese government is denying, per Bloomberg.

What's unclear now is the extent of the breach and whether, or why, Amazon and Apple may have had reason to deny the chip attack.

norman
5th October 2018, 18:17
The 64 million dollar question right now is, was this a sneaky trick apple was completely unaware of before it committed to merging with China?

The ten dollar question is, will it make any difference?

Bob
5th October 2018, 18:19
I suppose this begs us to question, exactly what IS in a component, a "chip" or part that the supply chain receives from let's say China, or Malaysia, or the Philippines.. Remember that airplane which disappeared somewhere in the Indian Ocean, with key chip manufacturing engineers on board?

If one believes with "certainty" that one's data buffer chip for instance is pure, great! BUT a normal part expected to be part of the data chain for access to peripherals, or parts of the memory, may actually contain a miniature microprocessor just waiting for a certain code sequence to appear in the data stream, then take over and do the "oh my gowd" level attack.. Do we know for sure?

How certain are we that our chips themselves from those Countries are actually what they say they are and not a trojan horse just waiting to be activated?

Begs one to take a very very long look at what is in the supply chain of the parts we all buy, worldwide.. hummmmm

---more thoughts from The Verge - https://www.theverge.com/2018/10/4/17937210/bloomberg-china-microchip-hack-supermicro-amazon-apple-servers


[..] a successful supply-chain attack would still be nearly impossible to mitigate with conventional security tools.

“If you cannot trust your hardware, you cannot trust anything that the hardware checks,” Hotz says. “Fundamentally, there is no way to check for this in software.”

If one wants to 'buy Chinese' or Malaysian, or Philippines to save a few pennies, are you sure your component is not just waiting to do some dastardly deed to your security, your bank accounts, your heart monitor, or pacemaker? Or your Jet Airplane navigation system?

Prior folks have thought that it was the complex computer which may have been taken over by remote commands due to some hole in the operating system software.. Apparently there was someone who leaked, well, it was done at the CHIP LEVEL.. And that again begs one to question, er.... those chips are in exactly WHAT electronics apparatus?

Possibly the biggest conspiracy of the Ages has just been cracked open.. fake news, methinks hardly.


https://img.alicdn.com/imgextra/i4/251339732/TB2I13VrohnpuFjSZFpXXcpuXXa_!!251339732.jpg

TargeT
5th October 2018, 18:23
The 64 million dollar question right now is, was this a sneaky trick apple was completely unaware of before it committed to merging with China?

The ten dollar question is, will it make any difference?

The investigators counter hacked the command and control points on the internet & observed traffic (there is a possibility this is just a "red herring" but the report seems fairly certain on it)... we know who this benefited and it was not Apple (it was China).

This is a "shot over the bow" & I am interested in what the DOD's response will be; they did just stand up the new Cyber Command........

norman
5th October 2018, 18:28
The 64 million dollar question right now is, was this a sneaky trick apple was completely unaware of before it committed to merging with China?

The ten dollar question is, will it make any difference?

The investigators counter hacked the command and control points on the internet & observed traffic (there is a possibility this is just a "red herring" but the report seems fairly certain on it)... we know who this benefited and it was not Apple (it was China).

This is a "shot over the bow" & I am interested in what the DOD's response will be; they did just stand up the new Cyber Command........

Apple's manufacturing base is in China, so they were very much over a barrel if China leaned on them to choose a side in the upcoming stand off.

Apple is SO big that the president, even, will have to tread carefully to avoid an economic bender. If the DOD isn't fully on top of this, they should be.

edit:

Is the outing of this story ( we are now hearing about it ) really a US move to give apple a legitimate "out" from whatever it has agreed to do with China ?

Bob
5th October 2018, 19:13
WIRED published an article which showed how (https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/) a hidden sabotaged function in a computer or electronics CHIP could be designed. (These chips can contain billions of transistors or circuits, and are "integrated" into a small convenient package for cheap and easy mass production).

In FACT to prove that it can be done, the University of Michigan Computer Scientists showed this in operation in a custom chip they had built with the "hidden feature" in it.


https://media.wired.com/photos/5926f606cfe0d93c47431ee2/master/w_800,c_limit/Screen-Shot-2016-05-31-at-8.43.32-AM.png


"Detecting this with current techniques would be very, very challenging if not impossible," says Todd Austin, one of the computer science professors at the University of Michigan who led the research. "It's a needle in a mountain-sized haystack."

Or as Google engineer Yonatan Zunger wrote after reading the paper: "This is the most demonically clever computer security attack I've seen in years."



Blow your mind away with this type of evil insidiousness

Quoting from the article -


It's that it violates the security industry's most basic assumptions about a chip's digital functions and how they might be sabotaged.

Instead of a mere change to the "digital" properties of a chip—a tweak to the chip's logical computing functions—the researchers describe their backdoor as an "analog" one: a physical hack that takes advantage of how the actual electricity flowing through the chip's transistors can be hijacked to trigger an unexpected outcome. Hence the backdoor's name: A2, which stands for both Ann Arbor, the city where the University of Michigan is based, and "Analog Attack."

Here's how that analog hack works:

After the chip is fully designed and ready to be fabricated, a saboteur adds a single component to its "mask," the blueprint that governs its layout.

That single component or "cell"—of which there are hundreds of millions or even billions on a modern chip—is made out of the same basic building blocks as the rest of the processor: wires and transistors that act as the on-or-off switches that govern the chip's logical functions. But this cell is secretly designed to act as a capacitor, a component that temporarily stores electric charge.


Every time a malicious program—say, a script on a website you visit—runs a certain, obscure command, that capacitor cell "steals" a tiny amount of electric charge and stores it in the cell's wires without otherwise affecting the chip's functions.

With every repetition of that command, the capacitor gains a little more charge.

Only after the "trigger" command is sent many thousands of times does that charge hit a threshold where the cell switches on a logical function in the processor to give a malicious program the full operating system access it wasn't intended to have.

"It takes an attacker doing these strange, infrequent events in high frequency for a duration of time," says Austin. "And then finally the system shifts into a privileged state that lets the attacker do whatever they want."

That capacitor-based trigger design means it's nearly impossible for anyone testing the chip's security to stumble on the long, obscure series of commands to "open" the backdoor. And over time, the capacitor also leaks out its charge again, closing the backdoor so that it's even harder for any auditor to find the vulnerability.


by building a backdoor that exploits the unintended physical properties of a chip's components—their ability to "accidentally" accumulate and leak small amounts of charge—rather than their intended logical function, the researchers say their backdoor component can be a thousandth the size of previous attempts. And it would be far harder to detect with existing techniques like visual analysis of a chip or measuring its power use to spot anomalies.

"We take advantage of these rules 'outside of the Matrix' to perform a trick that would [otherwise] be very expensive and obvious," says Matthew Hicks, another of the University of Michigan researchers. "By following that different set of rules, we implement a much more stealthy attack."

The Michigan researchers went so far as to build their A2 backdoor into a simple open-source OR1200 processor to test out their attack.

Since the backdoor mechanism depends on the physical characteristics of the chip's wiring, they even tried their "trigger" sequence after heating or cooling the chip to a range of temperatures, from negative 13 degrees to 212 degrees Fahrenheit, and found that it still worked in every case.

and


... given that current defenses against detecting processor-level backdoors wouldn't spot their A2 attack, they argue that a new method is required:

Specifically, they say that modern chips need to have a trusted component that constantly checks that programs haven't been granted inappropriate operating-system-level privileges.

Ensuring the security of that component, perhaps by building it in secure facilities or making sure the design isn't tampered with before fabrication, would be far easier than ensuring the same level of trust for the entire chip.

Building in SECURE FACILITIES with each member of the supply chain fully security vetted, bonded, and trusted. The days of "cheap Chinese", or "cheap Japanese" or "cheap Malaysian, or Korean" (fill in the blank ____________________) chip manufacturer really SHOULD BE OVER if we want to know safety.

Alas though this may be currently an insurmountable issue to recover from. The Trojan Horses may already be here - this is no idle situation, modern integrated circuits, (chips) are in everything of our modern world.

source - https://www.documentcloud.org/documents/2849955-A2-Analog-Attack.html the full paper from Michigan University

==ps update==

Manufacturers or prototypers, or schools or industries wanting to cut some corners, and save some bux, 'hey, we have some surplus bargain over-flow chips from our recent manufacturing run, the end buyer says they can't buy any more, want to get some at a 90% discount?' Ever hear the expression Caveat Emptor (let the buyer beware)... What one may be buying may seem perfectly "functional" but one may be buying something more... (https://www.bunniestudios.com/blog/?p=208)

---I'm going to add one more 'food for mental thought' point - Watching the naysayers, saying naw China is our friend, they would never deliberately put spyware into key information systems (or internet connected cameras (https://www.bleepingcomputer.com/news/security/nearly-200-000-wifi-cameras-open-to-hacking-right-now/), or children's toys that spy (https://www.independent.co.uk/life-style/gadgets-and-tech/news/internet-connected-toys-spying-on-kids-fbi-ic3-camera-microphone-security-a7849241.html)..), watching the spook agencies trying to sway readers away from 'looking under the hood' so to speak..

If the focus is on the BOARD server sabotaging, let's not forget the CHIP level sabotage (as pointed out by the University of Michigan computer scientists...)

So maybe in the future, when the smoke dies down, we don't see any added "chips" on the servers any more or on the motherboards, or in our iPHONES or Samsung Phones, etc.. so we don't see the 'extra parts'...

ARE OUR PARTS themselves quality controlled and certified as SAFE and SECURE?

Here is a current blip from UK - "trust us, we KNOW what we are talking about" says the spy agency...

UK’s top national cybersecurity agency GCHQ told Reuters on Friday that it didn’t see any reason to question the validity of Apple and Amazon’s denials that their servers were compromised following a meteoric report from Bloomberg on Thursday. The report claimed that Chinese spies were able to place microchips in the companies’ servers, allegedly giving the Chinese government backdoor access to some of the largest cloud platforms in the world.

The GCHQ, which is the UK’s equivalent to the US National Security Agency (NSA), didn’t call for an investigation into the claims, but it requested that anyone with information about the alleged attack reach out. In its response to Reuters, the GCHQ said, “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” said the National Cyber Security Centre, a unit of GCHQ.
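To put numbers on the capacitor trigger the quoted Wired text describes (charge per trigger, leak per cycle, threshold) and on the trusted privilege checker it says the researchers propose, here is an added toy model. It is not the University of Michigan researchers' code or design; the cell constants, the hypothetical trigger instruction and the monitor are all constructed for illustration.

```python
"""Toy model of the A2 analog trigger described in the quoted Wired piece.

Added example, not the University of Michigan researchers' code or design. The
capacitor cell is modelled as a leaky integrator: each execution of the
(hypothetical) trigger instruction adds a fixed packet of charge, the stored
charge decays by a fixed fraction every clock cycle, and the cell asserts its
output only once the charge crosses a threshold. Every constant is constructed
for illustration; a real cell has no such neat numbers.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class A2Cell:
    charge_per_trigger: float = 1.0   # charge added per trigger execution (arbitrary units)
    leak_per_cycle: float = 0.02      # fraction of stored charge lost every cycle
    threshold: float = 40.0           # charge at which the cell drives its output high
    charge: float = 0.0
    asserted: bool = False

    def step(self, trigger: bool) -> bool:
        """Advance one clock cycle and return the cell's output for that cycle."""
        self.charge *= 1.0 - self.leak_per_cycle
        if trigger:
            self.charge += self.charge_per_trigger
        self.asserted = self.charge >= self.threshold
        return self.asserted


def steady_state_charge(period: int, charge_per_trigger: float = 1.0,
                        leak_per_cycle: float = 0.02) -> float:
    """Closed-form fixed point of the integrator when the trigger repeats every
    `period` cycles. The cell can only ever fire if this exceeds the threshold,
    which is why sporadic or fuzzed execution of the trigger never opens it."""
    retained = (1.0 - leak_per_cycle) ** period
    return charge_per_trigger / (1.0 - retained)


def cycles_to_fire(period: int, max_cycles: int = 10_000) -> int | None:
    """Execute the trigger once every `period` cycles; return the first cycle in
    which the cell asserts, or None if the leak wins and it never does."""
    cell = A2Cell()
    for cycle in range(1, max_cycles + 1):
        if cell.step(trigger=(cycle % period == 0)):
            return cycle
    return None


@dataclass
class PrivilegeMonitor:
    """The trusted checker the quoted text calls for: the privilege level may
    rise only together with an architectural event (trap or syscall entry).
    Any other rise is recorded as an alert, whatever caused it."""
    prev_priv: bool = False
    alerts: list[int] = field(default_factory=list)

    def observe(self, cycle: int, priv: bool, legit_event: bool) -> bool:
        rose = priv and not self.prev_priv
        self.prev_priv = priv
        if rose and not legit_event:
            self.alerts.append(cycle)
            return True
        return False


def run_burst(burst_len: int = 100, legit_trap_cycle: int | None = None,
              hammer: bool = True) -> list[int]:
    """Run `burst_len` cycles with the monitor watching. With hammer=True the
    trigger executes every cycle; an optional legitimate trap at
    `legit_trap_cycle` shows the monitor stays quiet for sanctioned privilege
    changes. Returns the cycles in which the monitor raised an alert."""
    cell, monitor = A2Cell(), PrivilegeMonitor()
    for cycle in range(1, burst_len + 1):
        backdoor_out = cell.step(trigger=hammer)
        legit = cycle == legit_trap_cycle
        priv = legit or backdoor_out   # privilege bit is the OR of the sanctioned and sabotaged paths
        monitor.observe(cycle, priv, legit_event=legit)
    return monitor.alerts


if __name__ == "__main__":
    print("steady-state charge, trigger every cycle:  ", steady_state_charge(1))
    print("steady-state charge, trigger every 2nd cycle:", steady_state_charge(2))
    print("cycles until the cell fires (every cycle):  ", cycles_to_fire(1))
    print("cycles until the cell fires (every 2nd):    ", cycles_to_fire(2))
    print("monitor alerts during a 100-cycle hammer:   ", run_burst(100))
    print("monitor alerts with only a legitimate trap: ", run_burst(100, 5, hammer=False))
```

With these constants the trigger has to run on every cycle for 80 cycles to open the cell, while running it every second cycle never gets there; the monitor flags cycle 80 because the privilege bit rose with no trap.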

norman
5th October 2018, 19:25
It reminds me of the time that Iranian nuclear centrifuge plant was allegedly hacked and wrecked.

Ratszinger
5th October 2018, 20:05
It is interesting. I read somewhere, I think somewhere on here that the emergency test was to 'weed out infected equipment' and on that topic my AT&T TV receiver literally went out of commission right after the emergency broadcast came across my phone. I got the alert on two Androids at about the same time. On the one with phone service connected through the cell network I clicked "OK" and the message cleared. The phone functioned fine even with the message up also.

On the other Android, my MOTO X, the first one, which does not have cell service any longer and that I just use for storing pictures, I also got the alert through my wireless receiver, also from AT&T. The very second, the very moment I clicked OK on the emergency alert to clear that phone without cell service connected to my home service (by the by, this Android MOTO X did lock up and would not function to open anything or work at all until I clicked "OK", unlike the other one), I clicked "OK" and the very second my phone cleared and rebooted, the TV receiver went off too. The phone rebooted, then worked again. The TV receiver went out completely and gave messages I've never seen before, something about conflicted equipment detected or thereabouts. Then it had the number to contact to turn it in. AT&T seemed very interested in getting it in their possession.

Hervé
5th October 2018, 20:07
...


I wonder who gave them the idea... Re: CPU Security Holes affecting Intel and AMD CPUs (http://projectavalon.net/forum4/showthread.php?101184-CPU-Security-Holes-affecting-Intel-and-AMD-CPUs&p=1202618&viewfull=1#post1202618) ...


And, in Carmody's word:


I knew about purpose built cpu backdoors in 1993, approximately. Custom telecom chips.

I can tell you - that the situation was global. Yes, in the mid 1990's, it was fully global.

This is many times done with many a large scale chip, depending on intended usage. Same for complex software that runs said systems. A single piece of software for a backbone system might have the original programmer's secret back door (which any programmer worth their pay will make for themselves), the corporate backdoor system (which the corporation demanded) and then the NSA purpose built backdoor (that the NSA demanded). Each may be a derivative of the fundamental.

The more complex the chip and software, the more likely the backdoor exists and that there may be multiple paths.

Bob
5th October 2018, 20:14
On Hack-a-day there was an article, that a device, a smart device such as a fax machine connected to one's in-home network, could be sent a PICTURE with embedded data code hidden within.. If you recall in olden days, Windows Media Player files, and PDF files even could have executables within.. (the fax described was a modern HP all-in-one fax machine, printer, scanner, etc..)

One's smart TV, connected to the internet.. sent a message, or for that matter a certain still image or a certain movie.. bang.. one's internet to home network infiltrated.. did the actual consumer product manufacturer know its product could do that? Maybe, maybe not.. was it chip level, code level, firmware level, modified circuit board..

It's serious. Tip of the iceberg may be more like a hornet's nest has been opened.. how deep it goes? Will our security agencies work with us to solve it, or are they part of a cover-up? Big questions to ask..

apokalypse
6th October 2018, 05:18
For me this news is disclosure... Who believes the NSA compromises devices while China sits back doing nothing? Every product has been compromised.

ThePythonicCow
6th October 2018, 05:26
.
Well, I'll be danged. I've been figuring that it would be practically impossible to ensure that circuit boards did not have such tiny chips hidden in them, between two of the fiberglass layers, invisible to external optical inspection by ordinary human eyes.

Well, that may be, but there is a practical way to automatically detect such "enhancements" to the circuitry on a board.

Thanks to this article on [H]ardOCP (http://www.hardocp.com/news/2018/10/05/florida_engineers_automatically_verify_pcb_components/), I was led to this article: This Tech Would Have Spotted the Secret Chinese Chip in Seconds (https://spectrum.ieee.org/riskfactor/computing/hardware/this-tech-would-have-spotted-the-secret-chinese-chip-in-seconds).

~~~~~~~~~~~~~~~~~~~~~

This Tech Would Have Spotted the Secret Chinese Chip in Seconds

University of Florida engineers use X-rays, optical imaging, and AI to spot spy chips in computer systems

By Samuel K. Moore - 4 Oct 2018 | 20:48 GMT

According to Bloomberg Businessweek, spies in China managed to insert chips into computer systems (https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies) that would allow external control of those systems. Specialized servers purchased by Amazon, Apple, and others around 2015 and manufactured in China by San Jose–based Super Micro were reportedly at issue, as may have been systems built for the U.S. military.

Amazon, Apple, the Chinese government, and Super Micro (https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond) deny the incident ever happened. And some experts find it hard to believe a top-flight company like Apple could have initially missed something like this in their quality assurance process. However, other experts are convinced by Bloomberg’s reporting and the nature of the attack. One of those is Mark M. Tehranipoor (http://tehranipoor.ece.ufl.edu/), director of the Florida Institute for Cybersecurity Research (FICS) (http://www.fics-institute.org/). In fact, this is just the kind of attack his institute has been developing the technology to detect and counter.

The institute’s semiautomated system “could have identified this part in a matter of seconds to minutes,” says Tehranipoor, an IEEE Fellow. The system uses optical scans, microscopy, X-ray tomography, and artificial intelligence to compare a printed circuit board and its chips and components with the intended design.

It starts by taking high-resolution images of the front and back side of the circuit board, he explains. Machine learning and AI algorithms go through the images, tracing the interconnects and identifying the components. Then an X-ray tomography imager goes deeper, revealing interconnects and components buried within the circuit board. (According to Bloomberg, later versions of the attack involved burying the offending chip instead of having it sit on the surface.) That process takes a series of 2D images and automatically stitches them together to produce a layer-by-layer analysis that maps the interconnects and the chips and components they connect. The systems in question in the Bloomberg story probably had a dozen layers, Tehranipoor estimates.

All this information is then compared to the original designs to determine if something has been added, subtracted, or altered by the manufacturer.

Nearly all of the process is automated, and Tehranipoor’s group is working on completely removing the need for a human in the system. In addition, they are working on ways to identify much more subtle attacks. For example, an attacker could potentially alter the physical values of capacitors and resistors on the board or subtly change the dimensions of interconnects, making them susceptible to system-crippling electromigration.
~~~~~~~~~~~~~~~~~~~~~

Hervé
6th October 2018, 13:37
Specialized servers purchased by Amazon, Apple, and others around 2015 and manufactured in China by San Jose–based Super Micro were reportedly at issue...
[...]
... some experts find it hard to believe a top-flight company like Apple could have initially missed something like this in their quality assurance process.
[...]
In fact, this is just the kind of attack his institute has been developing the technology to detect and counter.
With that emphasized last statement, one wonders who/what gave them the idea that someone, somewhere would think of it and produce it?

This, of course, leads to that irritating idea that China simply produced circuits designed by DARPA or the Pentagon or the NSA or... to their very specification of components and circuitry....

What if these extraneous components are just decoys inserted to misdirect away from things similar to Intel's spying chip built in within the main chip (http://projectavalon.net/forum4/showthread.php?101184-CPU-Security-Holes-affecting-Intel-and-AMD-CPUs&p=1203099&viewfull=1#post1203099)?

Bob
6th October 2018, 16:44
The A2 attack described in post 17 above shows the impossibility of using either X-ray or optical comparison of proper images of boards and layers.

Who gave them the idea? Chinese espionage and science is well developed.

It has been known since the days of the H-bomb that it doesn't take a genius to install trusted people in the chain.

Is it a cooperative effort by spy groups and economic groups? Why not? Having back doors and keys into people's and businesses' lives is what these folk live for. One moment a friendly face, the next moment backstabbing and a financial edge or a new tech stolen.

By the way, see here: https://semiengineering.com/every-chip-can-be-hacked-with-this-tool/ - it is an article about how a premade chip can be hacked, taken apart, its secrets and/or cryptology modified. The article mentions it is next to impossible to prevent any group/company/country from finding out what is inside any "secure" chip, and then modifying that chip and potentially putting it back into the supply chain.

I could tell you stories of having experienced first hand Sony Digital's out-of-Japan technology espionage efforts, having been a victim of them personally in the '90s. In other words, they all do it. For all we know another server manufacturer could have wooed China to allow such modifications. After all, the stocks of the companies mentioned took a big hit, while folks making competitive products may well see a nice bonus for Christmas.

I say figure out how to verify what's inside the chips. Now that board level sabotage is the smokescreen for deeper embedded chip level modifications, the problem will and most likely does exist there.

After all the chips themselves LOOK like miniature versions of the motherboards. And there are hundreds of those in a modern electronic computer board.

That in my opinion is what is not being scrutinized adequately. Nor are the chip silicon developers being scrutinized, nor are mysterious disappearances of those developers being looked at.

To me it all points to the parts themselves. The chips, the semiconductors.

And about the Malaysia flight MH370 crash? And the disappearance/loss of 20 chip specialists. Strangely, Freescale Semiconductor said these people were headed to the manufacturing plants for a detailed review. Checking the silicon for odd discrepancies?

Freescale, a spinoff from Motorola Semiconductor, was responsible for some of the most secret military radar chips, parts in missiles/rockets, and medical devices.

norman
6th October 2018, 17:33
Yeah, I'm sure it's chip level, but I think the story is a political story so far. The stage is being set for something.

ThePythonicCow
6th October 2018, 18:45
With that emphasized last statement, one wonders who/what gave them the idea that someone, somewhere would think of it and produce it?
Given that "taping out" boards is itself a complex process involving weeks of effort and two major engineering organizations (one design, and one manufacturing),
given that these circuit boards are quite complex, and
given that University efforts to automatically check software, circuits and hardware have long been a major research area,

therefore I find it not at all surprising that automated checking of the final manufactured board, to see that it matches the original design, would be an area of extended University research.

---

"taping out": transforming the engineer's design from a painfully detailed document into an actual circuit, board or chip that manufacturing can reliably reproduce in quantity.

Bob
6th October 2018, 19:28
With that emphasized last statement, one wonders who/what gave them the idea that someone, somewhere would think of it and produce it?

[..]
therefore I find it not at all surprising that automated checking of the final manufactured board, to see that it matches the original design, would be an area of extended University research.
.

Any well established manufacturer of boards or the chips themselves should be using the optical comparator "machine vision inspection system". These are in full production and any reputable board factory for mass surface mount automated production should be using one or more of these. This system shown below does both x-Ray and optical inspection. It compares the proper assembly image with the live image of a board running through the scanner.



http://www.youtube.com/watch?v=CqSNe326lXs

The issues come up if these systems are not being used, or if the "original proper" board image and layers have had their master image hacked or corrupted.

It is impossible to use a simple method (the X-ray process) to check inside the silicon and analyze the layers within these chips themselves, because the size of the "components" is too small and too complex, and chips tend to be "layered" much like a modern complex circuit board.

A mask (like a photo-template) for such a computer chip containing billions of transistors, if blown up to be "viewable", can be over 100 feet square.

Checking the chip silicon is usually done by taking a sample, delayering it, and comparing it layer by layer, an extremely time-consuming and costly process.

Here is a video of the taking-apart step to get into a "chip"; it is costly, time consuming and expensive:



http://www.youtube.com/watch?v=oQzF-di-JQo

IF the end buyer demands that each chip be checked and certified as "original and safe", a new method needs to be developed to verify the circuitry on the silicon. If not, we take our chances that the sampling process to investigate a "chip's integrity" was done honestly.

Here is a video looking at the nano-sized scales within a modern integrated circuit. It was done using a scanning electron microscope.



http://www.youtube.com/watch?v=Fxv3JoS1uY8

Bob
10th October 2018, 03:39
Bloomberg reported today (9 October 2018) that the security firm that discovered the "chip" in the bus on the motherboard had found an apparent COMPONENT LEVEL hack, this time with an embedded spyware device within the Ethernet connector itself, that thing into which one plugs the cable to tie into the net.

The NSA is quite familiar with this type of hardware spyware, providing modified cables, a nice substitute, quickly plugged in by an agent, and the server appears not to suffer any obvious tampering. It could be your USB cable, your network cable, or your mouse, or keyboard.

https://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/ <--- This is a good read, don't pass it up

and

https://www.androidauthority.com/nsa-ant-328858/

Bloomberg's hacked "component" device is described as something like this:


https://cdn57.androidauthority.net/wp-content/uploads/2014/01/nsa-firewalk.jpg

NSA calls it FireWalk. What the Chinese call theirs is undetermined at the moment, but possibly they took their lead from the NSA.


But here is the really interesting part: the NSA has working spyware that implants itself into the BIOS of PCs. The BIOS is that bit that shows the graphic of your PC maker, or maybe some white text on a black background, that appears briefly before the Windows logo is displayed. It is the lowest level of software that runs on a PC and is stored in flash memory on the motherboard. From time to time motherboard makers release new versions of the BIOS software for their motherboards to fix bugs. This means that consumer-level tools exist to replace the firmware with the latest version. So this is consumer-level tech used in a nefarious way.

Now imagine a situation where the NSA sends in an undercover engineer to perform a BIOS upgrade on a PC with spyware pre-built into it. Or where the agency intercepts that new motherboard you just bought online and installs its own BIOS before repackaging it and posting it on to you. Or worse, imagine a situation where the NSA has managed to alter the official BIOS of a motherboard, either by coercion, bribery or subterfuge, so that the official BIOS on a motherboard actually contains NSA spyware.

The BIOS implant was what the airfarce lt col dumped into my network machine when I caught her, when I walked back unexpectedly into my sound studio. I trashed that computer rather than looking to see what modifications were done (if interested, see Hal Turner's thread for more on that in Current News).

And here is the updated Bloomberg article: https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom?srnd=technology-vp

A small quote from the updated article:


Hardware implants are key tools used to create covert openings into those networks, perform reconnaissance and hunt for corporate intellectual property or government secrets.

The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.

Multiple spyware components. In case one thought they found them all, look deeper: everything from the hard drives, the chips, the BIOS (firmware), layer after layer of spyware. Buy Chinese? Where else can we get machines which haven't been tampered with? So many of us say the operating system vendors put in backdoors. That is so much the tip of the "obvious" iceberg, the smoke screen again, to divert us from digging deeper. Sure, bash the OS developers, focus there, while the manufacturers and the NSA watch the show. Economic espionage is a big one. Getting the plans of foreign players, ambassadors, secrets of state can happen everywhere. So-called "air-gapped" machines may really not be secure, ready to experience an exploit from a simple human foible.

ThePythonicCow
10th October 2018, 10:54
Steve Gibson, on his weekly Security Now broadcast (https://twit.tv/shows/security-now/episodes/684) with Leo Laporte, recommended the following paper by Theo Markettos of Light Blue Touchpaper (https://www.lightbluetouchpaper.org/) that describes this problem: Making sense of the Supermicro motherboard attack (https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/).

I've just read this paper now, and it does the best job I've seen of explaining just how this could be done, with specific details of the low level hardware and firmware on such server motherboards, and of the opportunities that this provides for fairly easily adding a tiny, six-pin, package to a certain set of already available, often unused, set of six connection points on the board, next to the Baseboard Management Controller (BMC), an ARM CPU running Linux, that is powered on and operational, even when the main system is powered off.

These BMC controllers are essential in server room environments, enabling fully remote control of each system. For example, I can power down, reboot into the BIOS, and reset my personal servers that are in some data center in Dallas (so I'm told; I've never been there), remotely over the Internet, using these controllers. Singlehop doesn't let me do that with the Avalon server, as they reserve access to the BMC controller on our Avalon server for their own use, but no doubt our Avalon server is some board, quite possibly a Supermicro board, in a rack somewhere, in the Phoenix Arizona data center operated by Singlehop.

This is of course only one of hundreds of potential ways that such complicated circuits, boards, and chips could be compromised, and only one of many thousands of ways that the incredibly complicated software (layer upon layer upon layer of complexity) running on that hardware could be compromised, if only we knew all the bugs and vulnerabilities in them, more of which are added every day.

There's a million (guessing wildly) programmers writing code on any day on this planet, and the average programmer writes ten lines of code per day, and one non-trivial bug per day ... that's a million new bugs each day (give or take several orders of magnitude.) Where there's a bug and a sufficiently persistent hacker, there's often a security vulnerability.

At the hardware level, there are hundreds of engineering, manufacturing and shipping teams and organizations, around the world, that would have been in a position to compromise, by mistake or sabotage, some key (security sensitive) logic within any computer, even mobile.

It's amazing it works at all :).

Flash
10th October 2018, 11:11
And some want us to connect our brains and bodies directly to the internet!!! Absolutely spooky. How about brain/body hijack by the Chinese through their motherboards. How about injected viruses, in our brain and body, if it is not already done (archon thinking here)

ThePythonicCow
11th October 2018, 20:01
This is of course only one of hundreds of potential ways that such complicated circuits, boards, and chips could be compromised, and only one of many thousands of ways that the incredibly complicated software (layer upon layer upon layer of complexity) running on that hardware could be compromised, if only we knew all the bugs and vulnerabilities in them, more of which are added every day.
It's worse. It's as bad as we geeks who have worked at these levels of processor and system architecture suspected it might be.

One does not need added circuitry on the motherboard, nor some software bug in the BIOS, EFI, BMC, IPMI, kernel, compiler or some system service.

Any unprivileged process that is able to execute a particular sequence of a few dozen machine instructions has instant, full root, full privileged access to the entire system.

This is not a bug. It is designed into the x86 architecture. It is a total, deliberate and carefully hidden defeat of the security model used in x86 CPUs, that works independently of any choice of operating system (Windows, Mac, Linux, BSD, ...) or vendor (Dell, HP, Apple, ...).

A separate ARM processor running a RISC instruction set is built in to our CPUs. It can be enabled using a heretofore secret x86 instruction. This ARM processor can read and write key Ring 0 (kernel only) registers. Unprivileged user level code (Ring 3) can enable this ARM processor and feed it RISC instructions that totally compromise any system software running on the main x86 CPU. The proof-of-concept code demonstrated in this talk runs in unprivileged user space, and uses this ARM processor to reach into some structures in the Linux kernel it is running over to give itself full root permissions.

The following presentation, two months ago now, at the Black Hat conference in Las Vegas, Nevada, USA, discloses this security compromise, for the particular case of a certain VIA C3 Nehemiah (https://en.wikipedia.org/wiki/VIA_C3) processor and a particular Linux kernel. However I have essentially zero doubt that variations of this compromise apply to all the major x86 CPU architectures of Intel and AMD, and likely to other popular RISC and ARM CPU architectures as well.

https://www.youtube.com/watch?v=_eSAF_qT_FY

Game over.

You don't get to be a major political leader if you are not deeply compromised.

You don't get to be a major CPU architecture if you are not deeply compromised.

ThePythonicCow
11th October 2018, 20:37
Here is the presentation material and overview (https://www.blackhat.com/us-18/briefings/schedule/#god-mode-unlocked---hardware-backdoors-in-x86-cpus-10194) for the above posted GOD MODE black hat video:

~~~~~~~~~~~~~~~~~~~~~~

GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs

Christopher Domas (https://www.blackhat.com/us-18/briefings/schedule/speakers.html#christopher-domas-32663) | Director of Research, Finite State
Location: South Pacific F
Date: Thursday, August 9 | 11:00am-11:50am
Format: 50-Minute Briefings
Tracks: Platform Security, Hardware/Embedded

Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.

Presentation Material

• Download Presentation Slides (http://i.blackhat.com/us-18/Thu-August-9/us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs.pdf)
• Download White Paper (http://i.blackhat.com/us-18/Thu-August-9/us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs-wp.pdf)
~~~~~~~~~~~~~~~~~~~~~~

ThePythonicCow
11th October 2018, 20:45
Here is the rather bleak conclusion from the White Paper (http://i.blackhat.com/us-18/Thu-August-9/us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs-wp.pdf) linked in the previous post:

~~~~~~~~~~~

X. CONCLUSION

The rosenbridge backdoor provides a well-hidden, devastating circumvention to the long-standing x86 ring privilege model. In offering a knowledgeable attacker direct, unrestricted access to the kernel from arbitrary unprivileged code, the backdoor negates decades of progress on hardware and software kernel security mechanisms. Research into this backdoor is ongoing, and is presently being tracked under [CVE pending]. While this specific vulnerability is not widespread, it serves as a valuable case study into the feasibility and implementation of processor backdoors.

In the wake of hardware backdoors, our existing security models are nearly entirely broken. Decades of work on software protection mechanisms do nothing to protect against such a threat, and we are bleakly unprepared for what lies ahead. In looking forward, we propose that, rather than panic and speculate, a valuable near-term course of action is to continue to develop tools to introspect and audit processors, bringing control and insight back to the end users of a chip. To this end, we previously released the sandsifter fuzzer for resolving the secret instructions in an x86 ISA, and examined the results on a wide variety of modern processors. Building on this theme, in this paper, we introduced an approach for auditing model-specific-registers through timing analysis; this idea is discussed further in the related paper Cracking Protected CPU Registers. Moving forward, the authors intend to continue to define and explore techniques for introspecting an untrusted processor, in order to discover and break through new security boundaries in x86. To support this, the research, tools, and data from this paper are open sourced as project:rosenbridge at github.com/xoreaxeaxeax/rosenbridge.

~~~~~~~~~~~

Bob
12th October 2018, 02:06
One question

It is called a CLASS ACTION

Against those who have built in the holes, the deliberate "features" in the CPUs, or the motherboards, or the components.

Isn't it about time folks say NO to the infiltration, and hit them hard economically?

Who will support this? Can Congress in the US actually start a select investigative committee to get directly INTO who has put such compromised defective product into Commerce?

Most certainly the President can issue orders to form a very massive, all-inclusive investigative committee. This is BIG...

Isn't the FTC wanting to know who did the compromising?

Isn't CERT wanting to know who did the compromising?

With this much of a landslide revelation of security compromises, saying "Russia hacked the election" is a flea on an elephant's butt type of drama... At least it seems to me a bunch of folks need to go and do something to the perps, hit them hard for fixes AT THEIR EXPENSE and then hit them for the damages. Hmm, seems to me that ugly word NATIONALIZATION comes to mind when the criminal activity is so great, to let such corporations run rampant across every walk of society and security.

Bob
17th October 2018, 17:23
Just read some military aerospace technical journals today, and they are picking up on this current level of "spyware", lending credibility (it's real, Apple, Amazon, etc., and you can't get away with denying it) and alerting the general executive staff in the Air Force/Army/Navy to be aware of the compromised parts, motherboards...

Where that leads could be interesting to watch if the military wakes up to the holes in security...

TargeT
17th October 2018, 18:22
This Tech Would Have Spotted the Secret Chinese Chip in Seconds



I would have found it right away (ok, within a week or two of initial install).....

This was only able to happen because most of the US is still in the dark ages for IT security staff and methodologies...

I spend most of my time analyzing "the wire" (traffic flow in and out of a network).

This small chip beaconed out to a random internet host; that's an outside established connection from a major server (which, if done correctly, would be closely monitored). Some good security practices and a free installation of Security Onion (free software) would have caught this...

No need for X-rays...



Where that leads could be interesting to watch if the military wakes up to the holes in security...

I've been trained to catch something like this chip... just because it's a chip and not malware doesn't change the attack vector, not really... it just makes it more of a pain in the ass to fix.

We would have caught it, and no doubt started feeding false information... the spy you know about is a very valuable resource for disinfo dissemination ;)

ThePythonicCow
17th October 2018, 19:19
This small chip beaconed out to a random internet host; that's an outside established connection from a major server
Then, if I were your adversary, I would see to it that my next generation "chip" (or equivalent logic, embedded directly in a x86, ARM or MIPS processor) did not beacon out until some other event that I controlled happened first.

It [military intelligence and secure computation and communication] is a cat and mouse game ... and from what I can tell, neither cats nor mice are in any risk of becoming extinct due to the other's efforts.

ThePythonicCow
17th October 2018, 19:30
Then, if I were your adversary, I would see to it that my next generation "chip" (or equivalent logic, embedded directly in a x86, ARM or MIPS processor) did not beacon out until some other event that I controlled happened first.
Oh - and the Chinese have (guessing wildly) ten technically educated engineers/geeks/nerds/... for every one that the US has, and many of them have at least some modest competence in reading/writing technical English, whereas almost no European descendant engineer can tell Chinese writing from Egyptian hieroglyphics.

... and as we know ... our semiconductor manufacturing moved across the Pacific in the 1990's.

Ten hungry cats, one fat mouse. I wonder what's for dinner.

TargeT
17th October 2018, 19:33
This small chip beaconed out to a random internet host; that's an outside established connection from a major server
Then, if I were your adversary, I would see to it that my next generation "chip" (or equivalent logic, embedded directly in a x86, ARM or MIPS processor) did not beacon out until some other event that I controlled happened first.

It [military intelligence and secure computation and communication] is a cat and mouse game ... and from what I can tell, neither cats nor mice are in any risk of becoming extinct due to the other's efforts.

You can't have command and control without a way to establish a connection, and good practices dictate that for certain assets, no outside-initiated connections are allowed (or if they are, they are very TIGHTLY whitelisted).

Honestly this is way less sophisticated than the stuff that Malware Jake (https://www.renditioninfosec.com/people/) (recently outed by the Russians as an ex-NSA hacker) does; zero days are a looming threat that is very difficult to anticipate and react to; but still, they establish a foothold and an outside connection, and if you are paying attention to what "normal" traffic is, this stuff will stand out like a sore thumb.

Data has to go over "the wire", attacks that use easily monitored ingress and egress will always be spotted by the observant security professional.

Things like physical network plants (https://shop.hak5.org/) with 2G/3G/4G connections are a bit more worrisome, because it's hard to monitor ingress/egress when you don't even know it's there (and who would pick up on a random 2G/3G/4G connection? cellphones are always randomly connecting and disconnecting); that would be my move.... but it would take a physical aspect that is much harder to pull off.

Bob
17th October 2018, 19:42
Certainly we have heard of corrupted firmware in hard drives. Corrupted hardware though, as Paul says, which would not go off until some controlled event happens. And then systems which are not on the internet, or ARPANET in-house. If they've networked in-house, how soon before some other device is able to leak out what has been captured, in a non-obvious "networked" way? How about information destruction, where it takes a multitude of those "secure machines" doing an action where the sum total of the machines then creates the "deed", not just one machine with only a portion of the "code" to be carried out - distributed processing and distributed "activity", an in-house viral network in other words, right in the middle of an ultra-secure (off the grid) military network.

Seems to me cats and mice, and how rats and mazes and webs are created, will define how deep it goes.

My point being the military IS circulating to all its subscribers that the argument that Apple and others are thus compromised is real, and to take Apple and others' poo-pooing of the attacks as misinformation fluff.

ThePythonicCow
17th October 2018, 20:00
One "random" example of a partial means of constructing such a covert communication channel comes to my mind just now.

Setting up secure comm links between computers requires random numbers, from which secure keys are generated.

What happens if the random number generator uses a clever bit of steganography to hide a few bits of information in the slightly less than really random numbers that it generates? Then some other hidden chip, or hidden logic on a processor chip, could watch the data traffic, observe those "not quite so random" public keys pass by, and decide that now was the time to do something, such as to tell some other "not so random" random number generator near to it to "send out" some response data.

Not one single bit, much less an entire packet, of unexpected data would show up to those watching for "uninvited traffic" on the wire, or in the air. Only an imperfect selection, or sequencing, of keys derived from not quite so random numbers would be visible, to those who knew what to look for.

TargeT
17th October 2018, 20:25
One "random" example of a partial means of constructing such a covert communication channel comes to my mind just now.

Setting up secure comm links between computers requires random numbers, from which secure keys are generated.

What happens if the random number generator uses a clever bit of steganography to hide a few bits of information in the slightly less than really random numbers that it generates?

It's still a connection; connections can be tracked, unless they have compromised both end points (two "known good" systems that are allowed to connect; this is a possibility for sure, just a lot more difficult).

I don't even really care what is in the packets; I'm looking at metadata (where is the packet going, is this a normal connection, what is the reason for the session, etc.).

Just like Obama said "we aren't listening to your phone calls, it's just metadata"... and then proceeds to launch Hellfire missiles at targets because of metadata...




Then some other hidden chip, or hidden logic on a processor chip, could watch the data traffic, observe those "not quite so random" public keys pass by, and decide that now was the time to do something, such as to tell some other "not so random" random number generator near to it to "send out" some response data.

But there you have both ingress and egress which should be monitored and controlled; Security Onion (the Bro aspect specifically) would catch this in a heartbeat with the correct rules set up.


Not one single bit, much less an entire packet, of unexpected data would show up to those watching for "uninvited traffic" on the wire, or in the air. Only an imperfect selection, or sequencing, of keys derived from not quite so random numbers would be visible, to those who knew what to look for.

Anything that enters or leaves is looked at, but not "listened to"; it's mostly about metadata.

If you have a good understanding of what your network is supposed to be doing, it's very easy to catch when it's behaving aberrantly... we have gotten very good at this.

If you want a breakdown, I'll provide one; however the TCP/IP protocol is very well defined, nothing "gets around it" as of yet because the network devices in between wouldn't know what to do with anything that doesn't follow the standard (or at least mostly follow the standard; there are a few exceptions like malformed packets etc., but they are still packets).

Traffic analysis and flow control, stateful packet inspection, but mostly traffic patterning and fingerprinting will prevent exfiltration of data, command and control channels... pretty much everything.

I think this is why it's so easy to make money in IT security... once you know what your doing (and, it's a VAST amount of knowledge) it's fairly easy to be highly effective.

Flash
17th October 2018, 20:56
One "random" example of a partial means of constructing such a covert communication channel comes to my mind just now.

Setting up secure comm links between computers requires random numbers, from which secure keys are generated.

What happens if the random number generator uses a clever bit of steganography to hide a few bits of information in the slightly less than really random numbers that it generates?

It's still a connection, connections can be tracked, unless they have compromised both end points (two "known good" systems that are allowed to connect; this is a possibility for sure, just a lot more difficult).

I don't even really care what is in the packets, I'm looking at metadata (where is the packet going, is this a normal connection, what is the reason for the session etc...).

Just like Obama said "we aren't listening to your phone calls, it's just metadata"... and then proceeds to launch Hellfire missiles at targets because of metadata...




Then some other hidden chip, or hidden logic on a processor chip, could watch the data traffic, observe those "not quite so random" public keys pass by, and decide that now was the time to do something, such as to tell some other "not so random" random number generator near to it to "send out" some response data.

But there you have both ingress and egress which should be monitored and controlled; Security Onion (the Bro aspect specifically) would catch this in a heartbeat with the correct rules set up.


Not one single bit, much less an entire packet, of unexpected data would show up to those watching for "uninvited traffic" on the wire, or in the air. Only an imperfect selection, or sequencing, of keys derived from not quite so random numbers would be visible, to those who knew what to look for.

Anything that enters or leaves is looked at, but not "listened to"; it's mostly about metadata.

If you have a good understanding of what your network is supposed to be doing, it's very easy to catch when it's behaving aberrantly... we have gotten very good at this.

If you want a breakdown, I'll provide one; however the TCP/IP protocol is very well defined, nothing "gets around it" as of yet because the network devices in between wouldn't know what to do with anything that doesn't follow the standard (or at least mostly follow the standard, there are a few exceptions like malformed packets etc.. but they are still packets).

Traffic analysis & flow control, stateful packet inspection; but mostly traffic patterning and fingerprinting will prevent exfiltration of data, command and control channels.. pretty much everything.

I think this is why it's so easy to make money in IT security... once you know what you're doing (and, it's a VAST amount of knowledge) it's fairly easy to be highly effective.

Sooo interesting Target, thank you

As surprising as it may seem, this makes me think of neurolinguistic programming, NLP.
NLP knowledge is based on language usage. Following the patterns, you may infer, or deduce, the mind programming (neuro) of a person.
The keys are in the meta, looking at language usage. Never in the content like it would be in regular psychotherapies. In therapies using NLP, you are not looking at the content because it is not necessary for intervention. You are looking at the ways language (linguistic) is used.

From there you can easily profile someone's personality and use the right meta keys to communicate or intervene.

You can do the same thing with groups although it is more complex, like the groups' linguistic metadata used by - shish, don't remember his name - in his attempts to predict the future.

Very interesting.

ThePythonicCow
17th October 2018, 20:57
But there you have both ingress and egress which should be monitored and controlled; Security Onion (the Bro aspect specifically) would catch this in a heartbeat with the correct rules set up.
If there are zero additional bits or bytes sent or received, and if all information sent or received is exactly as expected and desired, except for subtle patterns in the random numbers used to generate keys, then such correct rules are impossible. There are no additional or malformed or specially formed packets to look for. There is nothing in the data contents of the packet to look for. None. Ever.

One would have to know how the random numbers were being specially selected to construct such a rule, which would be a challenge on the scale of Britain's cracking of Germany's Enigma code in World War II ... with much stronger mathematics on the side of those hiding their communications in the random number generator (which is becoming part of the chip logic).
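ThePythonicCow's point, made concrete as an added example (not code from this thread): a toy subverted generator forces one hidden message bit into each nonce, yet a frequency test on what crosses the wire cannot tell its output from os.urandom, so a traffic rule has nothing to match. The defence sits upstream of the wire, in how keys are derived: hashing the hardware generator's output together with an independent entropy source before use (the same reason the Linux kernel mixes the CPU hardware RNG into its entropy pool rather than trusting it directly) leaves the subverted source unable to steer the result. All names, the 32-bit nonce format and the top-bit embedding are constructed for illustration.

```python
import hashlib
import os
import secrets


def covert_nonce(msg_bit: int) -> bytes:
    """Toy model of a subverted generator (constructed for this example): an
    otherwise random 32-bit nonce whose top bit is forced to one message bit.
    Packet count and size are identical to an honest sender's."""
    return (secrets.randbits(31) | (msg_bit << 31)).to_bytes(4, "big")


def hedged_nonce(device_output: bytes, independent: bytes) -> bytes:
    """Mitigation: hash the suspect generator's output with bytes from an
    independent entropy source before use, so no single source can steer
    the emitted value."""
    return hashlib.sha256(device_output + independent).digest()[:4]


def top_bit(nonce: bytes) -> int:
    return (nonce[0] >> 7) & 1


def top_bit_frequency(nonces) -> float:
    """What an on-the-wire monobit test sees: share of 1s in the top bit."""
    return sum(top_bit(n) for n in nonces) / len(nonces)


def channel_leak_rate(message_bits, nonces) -> float:
    """Share of nonces whose top bit equals the intended message bit:
    1.0 means the channel works, ~0.5 means it carries nothing."""
    return sum(top_bit(n) == b for b, n in zip(message_bits, nonces)) / len(nonces)


def demo(n: int = 4000) -> dict:
    # A careful subverter sends encrypted (balanced) payload bits, so the
    # top-bit frequency on the wire stays ~0.5 and no statistical test flags it.
    message = [secrets.randbits(1) for _ in range(n)]
    honest = [os.urandom(4) for _ in range(n)]
    covert = [covert_nonce(b) for b in message]
    hedged = [hedged_nonce(c, os.urandom(16)) for c in covert]
    return {
        "honest_freq": top_bit_frequency(honest),           # ~0.5
        "covert_freq": top_bit_frequency(covert),           # ~0.5, indistinguishable
        "covert_leak": channel_leak_rate(message, covert),  # 1.0
        "hedged_leak": channel_leak_rate(message, hedged),  # ~0.5, channel destroyed
    }
```

Calling demo() returns the four figures; the two frequencies match while only the hedged leak rate collapses to chance, which is the measurable difference between inspecting the wire and fixing the key derivation.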

Bob
17th October 2018, 21:07
I've seen crypto keys cracked and I have used specifically injected pseudo random patterns, and it does not show up as a flag that can be seen.