I'm now wondering if someone found an NSA implant and misreported it as Chinese. We're going to end up in the stupid situation where people are afraid to report foreign intelligence attacks because it's illegal to report an attack by US intelligence agencies, aren't we?
A named source, but not a named victim, in this case. I would not call this verification.
This is a really hard story to know what to think about. On the one hand, yes, hardware implants are a major risk. And having so many of our electronics manufactured in a country with massive state control over its economy and with which we have an adversarial political relationship is definitely a big concern.
On the other hand, the denials from the companies cited in the first article are remarkably strong. And again this article fails to give relevant details. It just cites a security contractor who says he had a client who had this issue.
But Bloomberg is a serious news organization and they are holding strong on this story as well. So what to think?
It strikes me that if your goal was to ramp up tension between the US and China at multiple levels, then planting this sort of story would be a great way to accomplish it. Politicians can cite national security. Wary consumers are triggered over privacy. Corporations become more and more gunshy of investing in China and partnering with Chinese manufacturers.
I hate to dream up conspiracy theories. And yet, we live in a world where many states, politicians, organized crime groups, political groups, and corporations are all intentionally spreading disinformation of all sorts all the time designed precisely to ratchet up tension and suspicion.
I don't really believe that's what's going on just yet. But I also don't believe it's as straightforward as the Bloomberg stories make it out to be, either. Something very strange is going on.
Yeah - when I add to it that, as a non-American, I can (anecdotally) observe a rise in different kinds of news that involve China in a negative context for the last 6m especially, it's hard to form an opinion.
In terms of security concerns also - come on, we know by now to which lengths the US goes in this area, and they're surely doing worse stuff than this, I'd expect no one would doubt it any more. So, either they are genuinely surprised by this, which would be silly (a politically adversarial nation using an obvious opportunity - cheaper stuff being produced there for decades - and doing the same), or it's a part of a broader narrative that's being built.
And, to be clear, I don't think we (the world outside China) shouldn't be a bit worried given in what position _we've_ put China and how strong they are now - it's just that this kind of mass-manipulation and propaganda is the most-detested way of doing it for me...
> I don't think we (the world outside China) shouldn't be a bit worried given in what position _we've_ put China and how strong they are now
At least China won't be as dangerous as the US or the Soviet Union in that it has absolutely no interest in enforcing its political ideals on other places or becoming a world police. I see no real reason why people should be worried about the rise of China as if this will turn the whole world Orwellian. China has its own way of organizing the vast and complex country and it's hard to come up with better practical solutions. Still, if one doesn't like it they can just live somewhere else, and the authorities don't care, as long as it doesn't hurt Chinese business.
You should, but China rarely cares about people beyond its own borders. They don't have the power of the U.S. to reach for anyone across the globe, so I think the NSA doing this is a tad more worrisome.
I think the main difference between the US and China is that the Chinese have no mission to convert every country to their thinking. Not that they don't influence countries through their investments; see Greece as an example.
Ummm other than Silk Road pulling tons of countries into their sphere, using it to push new Chinese standards for people to switch towards, making HK/Taiwan/Tibet fully incorporated and culturally homogenous, taking islands away from other countries across SE Asia and calling it all china’s sea, etc etc.
They’re just more subtle, until they’re not. They have a very long term outlook on their efforts.
China does have ambitions, sure, but they're mostly local ones. I was mainly talking about cases like Kim Dotcom, where the U.S. reached all the way to NZ. China doesn't have Five Eyes, has not attacked a foreign country etc. It does not mean this cannot change, but I get the feeling China strives for a more local "sphere of influence" strategy, (hence the things like you mentioned), whereas the US strives to maintain "global dominance". As someone sitting in Western Europe, I don't think China has that much interest to dominate here.
You need to be a citizen of a nation neighbouring China to know the severe pressure that China exerts on borders, trade and geo-politics. You just don't hear about it much in the world-news as it doesn't affect the US.
This claim seems like a big dilemma for US white-hat security researchers:
1. As a white-hat security researcher, you have an ethical responsibility to publicly disclose vulnerabilities after doing the necessary due diligence (informing the affected parties privately, and giving them the necessary time to respond, investigate, and come up with an acceptable solution).
2. As a US citizen, you can't report attacks carried out by US intelligence agencies.
I can definitely see the responsibility that patriotic duty would entail, but a citizen with no links to their country's intelligence agency being held responsible for the said agency's failure in maintaining operational discretion doesn't seem sensible to me.
> As a US citizen, you can't report attacks carried out by US intelligence agencies.
Who says? Unless you've received a National Security Letter, a gag order from a court, or have a pre-existing relationship with the government that governs disclosure (e.g. security clearance), there's nothing preventing a researcher from disclosing lawfully obtained information. Stumbling upon a secret investigation doesn't make the information unlawfully obtained, even if you suspect it might be a secret investigation.
Are you sure that the Espionage Act (1917) doesn't cover this? In Australia we have many recent laws that completely restrict our ability to whistleblow on any government issue (though it's not illegal if we ensure that non-Australian nationals know about it -- which is obviously an impossible and stupid standard).
It might (particularly subsections (d) and (e))[1], but only because the wording is so broad. Whether such an application would be legal is another matter. I suspect it would not absent specific intent (i.e. you're deliberately seeking out secrets to share) or a duty (security clearance).
I suppose intent could be there if you share information about a device that says, "Warning: national defense injured if you disclose". But absent a duty I don't think a court would impute intent, especially considering the Free Speech issues (somewhat peculiar to the U.S.).
Notice that nobody has seriously suggested (AFAIK) that the journalists who assisted Snowden should be charged under the Espionage Act, even though their acts would seem to fit multiple provisions. I think that's because unlike Snowden they had no duty, which means the bar for the requisite intent and knowledge (i.e. whether something is really going to harm national defense) is incredibly high.
But who knows? It's a good point and it poses a ton of questions. Still, personally if I found a spying device on something I wouldn't hesitate to disclose it if it seemed noteworthy. I wouldn't feel chilled by the Espionage Act. The same law in some other country? Probably would think twice.
> As a US citizen, you can't report attacks carried out by US intelligence agencies.
Sure you can. Short of a gag order (and maybe not even then) you can report intrusions all you like.
In any event, how does one determine the nationality of hardware that shouldn't be there? It's not like there's going to be a snarky "Designed by the NSA in Fort Meade" logo on the chips in question.
If (IF!) you hold a civilian or military clearance, then you have a legal Duty to Report (DTR). That holds true whether it's data in your clearance level or not.
You also abide by a whole slew of laws regarding sensitive, secret, top secret, or SCIF information. If I know, or even suspect, that some information is classified, and I transmit it to anyone other than my federally assigned contact, I'm breaking major federal laws.
A lot of security professionals in the US have such clearances. So finding an NSA implant or such proof makes it dangerous to talk about by default.
To be fair, Clover Trail had all sorts of driver issues that never got resolved. I personally had to deal with the shitty GPU drivers for work. I can't speak to the power management since we were using the chip in a place where power management didn't matter, but I can see those being shit too.
I think the issue is that they're a serious news organization about some subjects, and a dumpster fire for others. It's hard for the general public to recall which subjects they are authoritative on and which not.
> But Bloomberg is a serious news organization and they are holding strong on this story as well. So what to think?
When the articles published by those "serious news organizations" concern China, disinformation / lack of evidence are really commonplace if you carefully examine their sources. I used to do so from time to time but grew tired of that.
If information, ideas, and knowledge were shared openly we wouldn't have these kinds of ridiculous events. This kind of news is what keeps nations siloed and prevents collaboration. At the same time, maybe this will also force us to abandon trust altogether and move towards verifying.
No conspiracy theory needed: traditional media is dying, and in their last gasps of air they are destroying their credibility for the sake of clickbait articles without proper facts and corroboration. They are being deceptive, because they know outrage and politically dividing stories are still working.
It's really sad, but transparent. No way Apple officially writes that rebuttal on their website if the story is true.
German telecom employee here. I've seen a number of sneaky backdoors and intercepting devices at all levels in my career. The most interesting thing was a server where TCP connections that were about to close (TCP FIN) were suddenly intercepted to dump additional (encrypted) data that wasn't part of the original flow. Obviously there was something out there that was seeing both sides of the flow and intercepting parts of it. We successfully confirmed the problem was on our (in)side by booting the affected server from a USB stick and making it generate controlled traffic to controlled destinations on the internet that were synchronized using an LFSR. The server was decommissioned and the issue was escalated above my paygrade with clear instructions not to talk about it. I won't give an exact year for this incident, but it happened in this decade but before Snowden.
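The check described in that comment, written up as an added example (not the commenter's tooling): a controlled client derives its per-connection payload sizes from a shared LFSR seed, so an analyst replaying the capture can flag any segment that carries payload after that endpoint already sent FIN, or any client segment whose size is not the scheduled one. The packet records, addresses and the 16-bit LFSR taps are constructed assumptions for the demo.

```python
"""Flag TCP payload that appears after the sending side already sent FIN, and
client segments whose size does not match an LFSR-derived schedule.
Packet records are constructed by hand (the fields you would pull from a pcap)."""

from collections import OrderedDict


def lfsr16_next(state):
    """One step of a 16-bit Fibonacci LFSR (taps 16,14,13,11; assumed polynomial)."""
    bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (bit << 15)


def controlled_sizes(seed, count):
    """Payload sizes (64..1087 bytes) the controlled client sends, one per flow.
    Sender and analyst derive the same list from the shared seed, so every
    legitimate client byte on the wire is predictable."""
    sizes, state = [], seed
    for _ in range(count):
        state = lfsr16_next(state)
        sizes.append(64 + (state & 0x3FF))
    return sizes


# Constructed records: (time, src_ip, src_port, dst_ip, dst_port, flags, payload_len)
C, S1, S2 = "10.0.0.5", "198.51.100.7", "203.0.113.9"
PACKETS = [
    (0.00, C, 40001, S1, 443, "S", 0),
    (0.01, S1, 443, C, 40001, "SA", 0),
    (0.02, C, 40001, S1, 443, "A", 0),
    (0.03, C, 40001, S1, 443, "PA", 688),   # scheduled probe, matches sizes[0]
    (0.05, S1, 443, C, 40001, "PA", 1200),
    (0.06, C, 40001, S1, 443, "FA", 0),     # client is done sending
    (0.07, C, 40001, S1, 443, "PA", 4096),  # payload after the client's FIN: anomalous
    (0.08, S1, 443, C, 40001, "FA", 0),
    (1.00, C, 40002, S2, 443, "S", 0),
    (1.01, S2, 443, C, 40002, "SA", 0),
    (1.02, C, 40002, S2, 443, "A", 0),
    (1.03, C, 40002, S2, 443, "PA", 888),   # matches sizes[1]
    (1.05, S2, 443, C, 40002, "PA", 900),
    (1.06, C, 40002, S2, 443, "FA", 0),
    (1.07, S2, 443, C, 40002, "FA", 0),
]


def audit_controlled_flows(packets, client_ip, sizes):
    """Return anomalies: payload from an endpoint after its own FIN, and client
    segments whose size differs from the LFSR schedule for that flow."""
    findings = []
    flow_index = OrderedDict()  # (client_port, server_ip, server_port) -> schedule index
    fin_sent = set()            # (flow, endpoint) pairs that already sent FIN
    for t, src, sport, dst, dport, flags, plen in sorted(packets):
        if src == client_ip:
            flow, endpoint = (sport, dst, dport), "client"
        elif dst == client_ip:
            flow, endpoint = (dport, src, sport), "server"
        else:
            continue  # not the controlled client's traffic
        if flow not in flow_index:
            flow_index[flow] = len(flow_index)  # flows numbered by first appearance
        if plen > 0:
            if (flow, endpoint) in fin_sent:
                findings.append({"time": t, "flow": flow, "kind": "post_fin_payload",
                                 "from": endpoint, "bytes": plen})
            elif endpoint == "client":
                idx = flow_index[flow]
                expected = sizes[idx] if idx < len(sizes) else None
                if plen != expected:
                    findings.append({"time": t, "flow": flow, "kind": "size_mismatch",
                                     "from": endpoint, "bytes": plen, "expected": expected})
        if "F" in flags:
            fin_sent.add((flow, endpoint))
    return findings


if __name__ == "__main__":
    for finding in audit_controlled_flows(PACKETS, C, controlled_sizes(0xACE1, 2)):
        print(finding)
```

Only the 4096-byte segment sent on the first flow after the client's FIN is reported; a segment injected by a box that sees both sides of the flow would show up the same way.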
Personally I'm confident Bloomberg's reporting is accurate to a high degree. Based on prior experience with investigative journalism there's no way they would go all in with a story like this if they weren't standing on firm ground. Every single sentence would've been vetted. For each statement made there would be someone whose job would be to reject it unless you could back it up properly. This is also why you don't see these entities defending their story against random criticism that pops up. Most if not all decisions have already been made by the time it goes public.
The fact that there's now a second story on the same topic is a good sign. The reporting of these things is usually followed up by additional pieces to increase the impact (and revenue of course).
They claim they have 17 independent sources. That's pretty impressive in itself. It also means that they probably worked real hard verifying their sources' claims and inputs. I find it unlikely that they would've acquired all those sources unless the thing was real.
> Based on prior experience with investigative journalism there's no way they would go all in with a story like this if they weren't standing on firm ground. Every single sentence would've been vetted.
And based on my prior experience I would make the exact opposite conclusion. Technical writers are rarely technical, and they seem to be happy to make stuff up and mislead - even if unintentionally - so long as they make their deadlines.
Every tech article written about a subject I was directly involved in has not even gotten the spirit of the topic remotely accurate, much less minute technical details such as what chip is used where.
That said - I fully believe supply chains are entirely compromised. I just don't think in this case I'd really put much stock into this specific reporting - they've already been caught blatantly misleading their readers by putting up a photo of a stock Mouser part and not denoting it as such.
I agree that technical details sometimes get misrepresented or come out plain wrong. That's my observation as well and it's annoying when you're knowledgeable in the subject and try to make sense of what you've read (or read between the lines).
I think a contributing factor is that it's generally hard to write about things you don't fully understand with the correct nomenclature. Especially when you might not be able to talk/ask for help about specifics with people more knowledgeable because of the secretive process.
Things could've been dumbed down, intentionally or unintentionally, by those involved. It wouldn't be hard to imagine a conversation like: "-So it was sort of a coupler thing? -You could say that, yes". Or what if the technical detail came from a Chinese source and Google translate mangled it?
The coupler thing is dumb and so is the picture (assuming it was a random product picture) but at least they might serve as a way of communicating the big picture: a hard to spot electronic "coupler" thing.
Not in this case. One of the sources was interviewed and said the technical details were only suggestive: https://risky.biz/RB517_feature/
Maybe there is something there, and/or there is a reason to talk/substitute in vague terms, but insofar as the explicit technical details are concerned, they don't appear credible. Then you're left with an empty allegation that you will have to decide to believe or not based on no other ground than potentiality.
Interesting experience and thank you for the first-hand perspective!
I do have to disagree about the competency of Bloomberg, though; they publish a lot of speculative, low-tech AI/ML scare articles that can be described at best as "inaccurate" and, more realistically, as "making stuff up". They used to have a good reputation, probably from their financial journalism, but their tech work is not good by any reasonable measure, in my personal opinion.
There is a big difference between claiming 17 sources and claiming all 17 sources corroborate the full story. The Apple letter to Congress highlights that Bloomberg is relying on a single source for the specific claims about compromised servers being found at Apple.
I am not sure if you're just a German telecom employee based out of the US or an actual native German working for this German telecom company in Germany. If the latter, your English is extraordinarily above and beyond what I've generally exhibited with a lot of my personal German friends. Just a naive observation, so please don't take this in any wrong or defamatory manner.
The lack of (publicly available) evidence is annoying, since there are a lot of people who'd love to check their own servers. As this is an attack directed at high profile targets it's unlikely the average size company will have ended up with one of those, but it's still a fun exercise IMO.
It would also be great to know what the attribution is based on. Just the fact that they're manufactured in China? Who else might get their hands on these devices in the shipping chain? What kind of traffic did they monitor? I guess just observing it's talking to a Chinese address doesn't tell much. I mean, just take an S3 bucket and dump your stuff in there. Setting up your own server in your home country pretty much screams "we're here!"
> I'm now wondering if someone found an NSA implant and misreported it as Chinese. We're going to end up in the stupid situation where people are afraid to report foreign intelligence attacks because it's illegal to report an attack by US intelligence agencies, aren't we?
That's pretty tinfoily, but it'd be a cool way to still report on it. "Whoopsie, I totally thought it wasn't you guys, sorry for disclosing"
"Who else might get their hands on these devices in the shipping chain?"
From the original Businessweek article:
"Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China."
"Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China."
That's interesting. As someone who has bought hundreds of thousands of dollars of gear from Supermicro (and has been a huge fan of their products and designs) I always thought their chassis were their core product.
Recently SM started to go down the "you can't buy our JBOD chassis without buying them full of our qualified drives" ... I knew that was the end of the golden age (of SM).
Luckily this coincided with the introduction of the 60bay HGST JBOD chassis. We haven't looked back.
> Luckily this coincided with the introduction of the 60bay HGST JBOD chassis. We haven't looked back.
Yes, these units are stellar and anyone buying Supermicro JBOD units should be looking into these as much better replacements. If you have volume they can be even more competitive than Supermicro if you push.
One very, very small gripe is that the HGST JBODs have no power switch. You power them on and off by inserting or yanking the power cables. Not my favorite SOP ...
Is that a real thing? Holy cow, I'm shocked (bad pun intended). What about adding an inline switch in the cord? Unless they expect everyone to be using a managed power system where each plug can be turned on/off, this just seems like a very odd decision to make.
As someone that flipped the power switch on a rack mounted machine by accident before, I could see how a power button or switch would be considered a liability more than a benefit, especially when the solution (pull the power cable) is simple, foolproof, and doesn't happen often enough to warrant optimizing!
I have to assume we'll start to see a rise in American high tech manufacturing for security purposes alone. Some of these companies may want to manufacture these critical components themselves, maybe even hand deliver them from their US factory to their customers in the US too.
I know that some refineries do direct delivery for some of their large customers, especially industrial lubricants and other by-products. If the order is big enough, or someone wants to pay the premium, then direct delivery could be very feasible for tech too.
It's odd to me to assume that people should trust US-based supply chains. We know that the NSA has done supply chain attacks in the past[1], while in this case we only have allegations of China doing the same (don't get me wrong, I wouldn't be surprised if China did this, I'm just saying we have more evidence for the NSA doing it).
Personally, as someone outside the US, I would gladly trust alleged Chinese malware over known NSA malware. Or even better, literally any other country outside the 5-eyes.
Is there any way to solve this problem without needing a "trusted manufacturer"?
I know it probably won't apply to general purpose motherboards or devices, but is there a way to design or build some components or devices in a way that you can verify that they can perform their purpose and nothing more?
If we start with that concept, and slowly build up "verifiably secure" components, they can be the islands of security that we can build off of without having to worry if the manufacturing plant left their door open one day and some random person was able to sneak in.
What happens when your attacker knows how your safeguards work and can route around your door through the windows?
For a motivated and well funded attacker who has an ability to manufacture a replacement chip with an additional coprocessor that can siphon or modify data from the main processors, network cards, and baseband modems, short of decapping every chip and component that comes through your assembly line your resources would be better spent on establishing trust mechanisms with your suppliers and the transportation couriers touching your devices before the end user acquires it.
My thought was it would be something that would get more secure the more people knew about it, similar to math proofs or cryptography code.
A way to verify a chip is working as expected in a way that it can't be gamed without breaking multiple fundamental proofs, so that you won't need to worry as much about who makes it, just that it "passes the tests". (and you'd probably need a system to validate the validators, but splitting up the people involved means it is significantly harder to hack multiple products to all have them falsely verify each other)
Obviously I have no idea what I'm talking about and am just kind of musing at the idea, but trying to secure the whole supply chain from digging materials out of the ground all the way until it is in the hands of the consumer seems like an exercise in futility. You'll never be able to secure it in all cases, and like you said a truly motivated attacker is going to be able to break the chain (even if it means threatening a handful of people with death so you can get 5 minutes alone with a board).
I've been looking in detail at three different Supermicro motherboards but so far have not been able to spot anything. Even against a backlight there is no sign of tampering between the layers.
The most compelling explanation I've heard is that the BMC chip could be programmed by two distinct flash chips, one for factory programming and one for some other purpose. In some SKUs, the latter isn't populated but it has a higher priority than the first chip.
Since there are many flash chips fitting the same pin out, all it took was soldering a compromised flash chip (with firmware for the BMC chip) onto pads that are already part of the design to compromise the whole system without any obvious sign that the board was tampered with (because in some SKUs, both chips were populated).
The BMCs on the newest Supermicro servers are from ASPEED. The X10 models have the AST2400 [0] and the X11 models have the AST2500 [1]. They have ARM CPUs and run, basically, an embedded Linux.
If you wanted to "backdoor" motherboards that shipped with these BMCs, wouldn't it be much easier to just install your own "customized" version of the firmware on them? It certainly seems that it'd be much more difficult to incorporate another device into the system.
If I'm right, that's exactly what they did. When the BMC chip boots, it checks two flash chips for firmware so the attacker just uploaded their own code to one of a million standard SPI flash chips and plopped it onto the board. They didn't have to incorporate another device into the system, the system was already designed for two flash memory chips. However, to save money on some SKUs, the manufacturer left one of the positions on the board open.
Normally this wouldn't be worth talking about because most active chips are too complicated and too design/supplier specific to carry out an attack like this, but SPI flash is about as standard a footprint/protocol as you can get in EE short of transistors so if you ship a product that could be reprogrammed from unpopulated pads, you're opening yourself up to a large attack surface.
Honestly, after I read the latest BMC chip theory I was like: "Oh, shit. Have I done that?"
If possible, it is better to have separate hardware that can continuously compromise the firmware. That way your exploit continues to exist even if valid firmware is flashed directly onto the memory module.
By explanation do you mean theory or is it coming from somebody who has special knowledge of the situation?
I'm not trying to be adversarial, even if it's only a theory it's an interesting one, but given the amount of conflicting information we have regarding this whole mess I think it's important to be clear about what's pure speculation and what's been reported by people supposedly in the know.
That raises an interesting question about just how targeted this kind of attack could be. At manufacture time, do the folks on the assembly line (so to speak) know who a particular board is going to? If not, they would have to add the extra chip to all outgoing boards, which means there should be plenty of them in the wild, no?
If the motherboards were customized for a particular customer, you'd know exactly who they're going to. That would eliminate the problem of letting the exploit travel too widely as well.
Right, but does that happen? I honestly don't know. Clearly a company like Amazon or Apple buys in large enough volume that they could be asking for customized MB's, but does anybody know if that actually happens? If it does, then that would definitely moot the question I was posing above...
Seems more problematic though. You'd have to manufacture the doctored boards, extract them from the normal shipping process, keep them hidden somewhere, then swap them out for the ones destined for the target customer(s). I guess it could be done, but it seems risky.
Couldn't it be done on-demand? Apple orders X hundred boards, motherboard manufacturer makes their small modification(s) to a line that is currently producing the same models of motherboard as Apple ordered, they produce a handful, then they revert and mix in a few of those modified boards into the real order. I don't really know the exact scale, so maybe they make a few hundred / the entire order with chips in them, but economic cost isn't a big deal for things like this, so even losing money making the modified boards wouldn't be the end of the world (and presumably they get a hefty sum of money for whoever is paying them to do this).
I thought China was famous for extremely short turnarounds for industrial engineering edits, so it seems plausible that they could manufacture the boards in a reactionary way and not need to do much in the way of logistics to get them to their targets.
If I was a high value target (and knew about it) I would definitely not let you know, if I was a high value target and did not know about it I would not be able to tell if I was or if I wasn't. So any high value target and anybody else would not be able to tell you they were a high value target.
Same here. I have four different Supermicro motherboards purchased in May for servers in my home. I'm sure there exist people and organizations in the world capable of putting malicious hardware on one of these such that I can't detect them. But insofar as I've personally examined them and the available evidence from Bloomberg, color me skeptical...
I really want to see someone on here with access to one of their recent boards try and report on this. I'd try it, but I sold my last Supermicro board years ago.
Back around 2014-2015 Supermicro had this bug that would not let you flash the main firmware. Would not happen on every machine, maybe 25%. Had to derack and send a number of machines back.
The supposed infiltrated part is a six terminal RF device. Not something that would ordinarily show up on a server motherboard. In any case, Joe Fitzpatrick has already disclosed that he used the part merely as an example and Jordan Robertson expanded that into a work of fiction.
The original source is Joe Fitzpatrick's interview with the Risky Business infosec podcast. Apple Insider is just summarizing some of the points from that interview:
There were quite a few pictures of what is supposed to be the device in the Bloomberg article. Knowing what they say it looks like and knowing roughly where to look I'm 99.9% sure that none of the boards I have here have that device on them.
I don't have the reference handy but someone claimed to be a source and they pointed to a generic item on digikey / mouser as an example. I imagine that it got extrapolated by Bloomberg into that.
They really have no idea what they are talking about at this time and it's probably fluff.
I'm not sure why you're downvoted, except the lack of citation. Your recollection is correct, it's from the Joe Fitzpatrick interview with Risky Business, which was quoted by Apple Insider. (Fitzpatrick was named as a source in the original Bloomberg article.)
Long story short, that photo does not show the device involved.
"Robertson was unable to produce photographic evidence of the chips in question, saying they were described to him by protected sources. Indeed, Robertson in September asked Fitzpatrick what a "signal amplifier or coupler" looks like, suggesting the publication narrowed the attack package down to that particular component. Fitzpatrick sent Robertson a link to a very small signal coupler sold by Mouser Electronics. "Turns out that's the exact coupler in all the images in the story," Fitzpatrick said.
The image caption on the Bloomberg story reads "Microchips found on altered motherboards in some cases looked like signal conditioning couplers". They didn't claim "that's the chip".
It has more terminals than a resistor, it's a pretty unusual package and it would stand out enough for me to spot it knowing that it is there. The area of the PCB that you could expect that thing to live in is about 5x5 cm square.
Well, that depends on your definition of tampering, but if you want to exclude manufacturing something that is not what was specced then I am fine with that but please do supply a new term.
I would definitely spot that device if it were on these boards because it was described in detail and there were some pictures of what it supposedly looked like.
A device like that is not on either side of the board and it isn't in between the outer board layers (where it would be much harder to spot, especially if the cavity would be covered by a ground plane on one side).
I am not saying it is impossible, it is just very hard to hide something like that once you know it is there. The only candidate spots left that I cannot check without destruction are underneath some of the devices or inside some of the devices. That would be a different level of sophistication than the original article alluded to.
> I would definitely spot that device if it were on these boards because it was described in detail and there were some pictures of what it supposedly looked like.
In case you missed it, there is an article posted today [0] that has this quote from "Hardware security expert Joe Fitzpatrick", one of the Bloomberg sources, regarding "the supposed spy chip":
> In September when he asked me like, “Okay, hey, we think it looks like a signal amplifier or a coupler. What’s a coupler? What does it look like?” […] I sent him a link to Mouser, a catalog where you can buy a 0.006 x 0.003 inch coupler. Turns out that’s the exact coupler in all the images in the story.
Oh, that's interesting. So they basically took one guys hypothetical and turned that into a news item positively seeded with images of the hypothetical, rather than an actual device.
The original article has now dropped into the real of SF for me until they show a detailed shot of an actual board with a parasitic device on it. Until then this is a wild goose chase.
My understanding is that certain parts on the PCB were swapped out for malicious parts. If that's the case, it's probably not something that could be uncovered by a purely visual inspection. The 'spy' chips were likely made to look identical to the original parts.
I don't think you'll find this in a board that doesn't otherwise normally have lots of other buried components ... The added cost of that extra process (using buried components) is so much higher than normal and such a board is going to look noticeably different from a normal board ... I'm tempted to think that someone told the Bloomberg guys that it was possible and they took it that it had happened
> ...doesn't "attack" american companies with covert implants.
Specific example aside, it's worth talking about why this does happen. "Black bag jobs" can mean "we didn't get a warrant", but they can also mean "we got a warrant and still aren't telling".
Even given a court order, there's still a possibility that employing surveillance by fiat will cause somebody to leak, or modify how they handle data, or simply reveal information about what sort of surveillance tools a given agency employs. Given that a FISA order can be obtained without a defendant, getting a court order and then doing the thing secretly anyway gives a sort of "bowling with bumpers" advantage where the project is approved if it gets revealed, but also done without revealing anything if it isn't.
More disturbingly, there's also substantial evidence that the NSA attacks companies covertly in places where they couldn't get a court order. Taking a specific device out of the supply chain and adding surveillance before it's shipped to the destination is a warrant-worthy project. Setting up systematic physical vulnerabilities with a use case of "turn it on some time in the future to get something interesting" isn't in the purview of a FISA order, so if the NSA did do that it would have to be without an order.
Wasn't PRISM all about attacking American companies with covert implants? For instance tapping into Google region to region data transfers, after which Google started encrypting everything.
I thought PRISM wasn't covert. Companies were compelled to allow them to install their sniffing hardware, it was all above-board. Snowden even leaked an internal slideshow with a nice timeline of when each tech company joined the program.
Parts of that whole expose were covert. In the case of Google we know by tapping fiber connections that they had between data centers (as sseth mentioned, using foreign intelligence peers to do an end run around legal protections), which was on Google owned fiber, theoretically entirely "in-house", so Google transferred it unencrypted. I believe they called this operation "Muscular". After the fiasco Google started assuming everything was hostile.
The program for tapping data center links had the internal code name MUSCULAR and was a partnership with the British GCHQ, who actually did the intercepting.
PRISM was at first reported as some sort of direct access to the servers of certain American companies, but it turned out to be the code name for a joint program with the FBI for using FISA warrants to request data from those companies.
I used to work in engineering at one of the big wireless telecoms. The impression that I got was that many of the outsourced services were compromised. For instance, we had zero control over our voice mail systems, they were outsourced to Amdocs.
You can see how this benefits the NSA; if the voice mail is outsourced to a foreign company, and the NSA buys intel from that company, it's technically not spying on US citizens, particularly if they're getting metadata.
..for insider trading. You are implying that he went to prison because of the NSA. He went to prison because he sold $52 million in stock after the intelligence community said they would no longer consider Qwest for classified government contracts because of his refusal to cooperate with the NSA.
He went to prison because he sold stock based on insider information. Regardless of the reasons for his trade, it was still insider information.
I find these attempts to distinguish between different state sponsored criminals to be a diversion and subterfuge.
Whether China or the US re-allocates your IP, you can expect a competing product made in China. That you might have a relationship with one of them probably doesn't change anything unless they actually think your firm is the best one for the job of maximizing the results on their tax base.
I mean maybe I'm wrong; would it make any sense that these Republics take private corporate property more seriously than other parts of their Constitutions they have violated at least until caught?
The US makes the claim China does not, and former president and CIA head George Bush floated corporate espionage as THE plan for handling the absurd costs of "intelligence" criminals after the cold war.
I'm always astounded that working in a competitive market seems to blind people to significant stated facts of the environment their market is operating in.
In nature, it might make sense to just outrun the weakest, after all, a bear has a limited appetite. But superpowers have unlimited appetites and will collapse like the USSR if they should ever expand slower than cancer.
Is it illegal to report an intelligence attack that is perceived to be foreign? If not, why not have all attack reports assume they are foreign to begin with? This would give the reporter credible deniability, and put the burden on the US government to argue otherwise. Regardless, the report is released without the reporter getting in hot water. Or am I missing something?
Incentive for a company to say "No" when the FBI offers to "fix" the problem quietly either by going up the chain of command internally to get answers and stop a blown attack on a US owned and operated business or use contacts within the US security infrastructure to stop the foreign criminal or state adversary.
Most of these attacks never leave the room at corporate HQ where they are discovered unless an engineer wants to permanently screw themselves out of a career.
I once tried to leave a linkedin recommendation for a friend I'd worked with on a high profile project where he discovered Chinese state actors performing corporate espionage and we stopped it. The FBI came in and carted off the servers, we switched data centers, re-deployed, and that was that. We would never have been the wiser if he weren't closely monitoring network characteristics. 3 years and 2 job changes later he messaged me back to say, "Thank you for the rec. but don't mention that shit!"
IANAL, but New York Times Co. v. United States is a famous precedent for the first amendment protecting the press' right to publish classified government documents.
> it's illegal to report an attack by US intelligence agencies
Is this true? I mean outside a specific gag order or working under a clearance, you could find an issue with a piece of equipment, publicly talk about it and then be arrested because it turned out it was the US government who caused the issue?
Interesting. This one seems to rely on the presence of the USB connectors for powering. So, basically, any ethernet port with only Ethernet connectors should be safe from this kind of attack? The only powering option there should be PoE but I have yet to see someone buy PoE switches for a datacenter...
"any ethernet port with only Ethernet connectors should be safe from this kind of attack? "
I know that some IPMI implementations can control/use the on board ethernet. There might be some hole there. Similar for the built in management on some Intel processors and nics.
IANASecurityExpert but one of the named sources of the original claim also came out to say that the 'original attack' was a conceptual idea he had but that doesn't even make sense to apply in practice (considering better alternatives) http://appleinsider.com/articles/18/10/08/security-researche...
If you diagram out that sentence, you'll find it wasn't the wondering I was "demanding to cease".
I mean, sure, it could be NSA. Let's wonder! The fact that no one in public has seen one of those things isn't supporting evidence for that theory. It's even less grounded than the Chinese one.
Who knows... but it is funny that healthy skepticism can transform into this kind of acceptance. First disbelief, then, well ok, maybe but if it is, it’s probably not the suspected entity, but an altogether different entity... it’s like multiplying probabilities but thinking it increases likelihood.
Conspiracy theories do love the combination of the whataboutism and the competitive debate strategy of "spreading" where you make lots of weak (or better yet, completely unsubstantiated) points, and if your opponent fails to refute everyone, you win.
Just about anyone on Google's Project Zero team, off the top of my head. They would probably be both competent and enthusiastic.
Beyond that Apple, Microsoft, Tesla and probably Amazon have sufficiently capable public (or past public) researchers working for them. But I doubt many would want the publicity one way or the other.
I've seen several comments regarding whether or not Apple, Amazon etc. would deny the hacking if it's true and if that is fraud or not. I work at Amazon now and previously was in the Navy, holding a TS/SCI. My firm belief is if such a hack happened, it would not be disclosed to anyone without a clearance, and the organizations that are denying it have no knowledge that it occurred. Furthermore if there truly was a compromise by a foreign nation it would be classified as a national security threat and subsequently classified and kept from public knowledge. Anyone who disclosed the truth would be at risk of losing their clearance, job, and could end up getting the Snowden treatment.
> the organizations that are denying it have no knowledge that it occurred
Are you saying that Steve Schmidt, the AWS chief infosec officer didn't know about the hack? Or that his article [0] was published to purposely hide it?
If only one person in Amazon knew about it, it would be Schmidt. And if Schmidt knew, I don't think he'd write an article so strongly claiming Amazon doesn't know anything about it. The only thing in my mind that lends credence to Schmidt covering it up purposely is that $10B contract the Pentagon is putting out - perhaps they've told him to play ball as part of getting the contract. But even then it seems a stretch.
CISO is not the most likely point of crossover, the most likely point is the general counsel's office. Companies don't talk to the Feds without a lawyer, and they also don't issue high profile statements without a lawyer. And unlike the CISO, conversations with your lawyer are privileged.
Whoever directly oversees it and acts as the stakeholder for GovCloud should be, sure, but there's no reason for the person above the direct overseer to be cleared. Otherwise by that logic Bezos should be cleared as well.
The Bloomberg article specifically claimed that Apple themselves discovered the chip in a random spot check. If an Apple employee discovered it, it would have been communicated all the way up to the executive level prior to notifying anyone outside the company (such as the FBI), which means you can't just chalk this up to a handful of lower-level Apple employees being covered by a gag order and the executives not knowing.
It also claimed Apple removed 7000 SuperMicro servers in a few weeks. That seems especially unlikely to happen without at least some explanations to upper management. Sure, they could lie to management about why but either way management can’t then claim no servers were removed without lying themselves.
Unless the NSA or another intelligence agency has an insider that could catch that before it made it up high enough to cause trouble. Conceivably, someone below the insider could leak to Bloomberg realizing that they have limited options.
That seems like a lot of work. What would be the point of that?
If Amazon is being spied on by foreign intelligence, wouldn't the NSA want Amazon to know about it? Particularly since government data is hosted on Amazon's servers.
Because now the NSA has a strategic foothold. If they acknowledge the hack, then the adversary will move on to something else. If they don't acknowledge it, they can secretly mitigate it, by feeding false data, for example, and waste the adversary's time.
> Furthermore if there truly was a compromise by a foreign nation it would be classified as a national security threat and subsequently classified and kept from public knowledge.
This is exactly what I think. Anyone confirming such a case publicly could cause a huge international confrontation between two largest economies in the world. It's not about tech or business – it's about national security and international politics.
I can see where the Navy/Military/Government could compartmentalize a hack like this. How could a company like Apple or Amazon keep this under wraps? How could they keep the knowledge of such a hack within the TS/SCI employees?
The cleared department is handled the same way as in the military in terms of security. Amazon has SCIFs etc. So unless a disgruntled employee steps forward who doesn't care about their life, I imagine it's easily contained (and symptoms of an employee being disgruntled are highly monitored when they hold a clearance)
I’m thinking about the non cleared data center folk, the sys admins and developers who use the servers for their applications.
How do a bunch of Supermicro servers vanish without anyone noticing? I'd expect quite a few people would be involved that do not have any clearances. Apple is known for their secrecy but a few other companies named are not.
At the scale their datacenters are, they must be replacing a full rack of servers every single day, just to follow a standard 3 years depreciation policy.
Servers practically vanish every single day. Add a few more supermicro and it's not even noticeable. Business as usual.
I knew a dozen people working on Amazon Go for like 4 years before it launched. Not one person leaked, even internally, what the hell they were building. Just that it was awesome and I should come join their team.
Somehow, Amazon is really good at keeping secrets.
They might actually know for much longer: if your spying devices suddenly stop communicating to you, that's likely you've been discovered.
If that story is true (and I personally think it has a high probability to be), what would a gov or a large org do? Investigate, confirm they have been compromised but then.... leave the hw in place and data flowing back to the alien mothership? Unlikely.
I don't necessarily agree with the below, but one could argue that classification is necessary to prevent mass panic/prevent attempted vigilante justice/protect the government's image/buy the government time to investigate/respond appropriately.
Things get voted on and positions change so I have no idea what you're referring to with "the below," but it's much simpler than trying to protect "the government's image."
If you're attempting to hack me or steal data from me and I know you're trying (specifically as would be the case with this chip if the story holds up) then I'm in a much better position to try to figure out how, or provide misinformation, or try to turn someone in the chain of custody if anything needs to be physically handled. Or at the very least, if it's an espionage or military situation, it makes it easier to know who to kill.
All of that goes out the window if you immediately disclose every threat. Whoever is attacking you will simply use the means you haven't discovered yet and stop using the ones you have.
Ignorance is not a defense, especially for a director of security. Lying about knowing how the organization you lead operates is as bad as directly lying about how your organization operates.
OK so this is a different hack than Bloomberg reported before: ethernet jack piggyback instead of bmc. I'm not sure this adds credibility to the allegations in the other story.
The details that Bloomberg related previously are so different that this couldn't be what they originally were reporting on. This adds to the China hacking server board narrative, but it does nothing to prove the Bloomberg reporting is actually true.
It does cast doubt on the denials made previously.
It seems this story isn't totally smoke and mirrors as Apple, Amazon and Super Micro seem to want us to believe.
Read it more carefully. The ethernet jack is a tactic used by US intelligence years ago. That was mentioned in the story to explain the history of supply chain attacks.
With the current political climate, that might be the intention. If you undermine international trade through marketing you don't have to fight a tariff war.
Seems like all US conflicts are now an excuse to race to the bottom with whoever our "enemy" is. We imported torture from the middle east and now state run news and corporations from China.
SM boards with dedi and shared phy for ipmi are usually defaulted to auto mode. I think first interface it can arp for the gateway on wins (or maybe dedi then shared).
Bloomberg only has second hand sources, and all the exploit details are based on speculation from security researchers -- not from insiders.
It looks like Bloomberg heard several rumors of supply chain manipulations, mixed that up with plausible scenarios thought up by security researchers, added a few photos from random electronic parts, and voila you have a compelling story to tell.
This "new evidence" talks about a completely different type of attack than the original article. It corroborates nothing. It just shows how misleading the original story was.
I think the most damning part was the use of so many misleading photos and illustrations. All photos were pure speculation (this is what this chip might look like, this is where it would make sense to put the chip). But neither the captions nor the text made that clear.
The only thing I believe about the story is that they have a couple of sources who have vague, second hand rumors about supply chain manipulation.
1) Bloomberg has a number of sources that are mistaken/misinformed, but this is not necessarily a made-up story, or
2) Bloomberg is nearly correct (minus some technical details) but the US government is forcing these companies to respond as if the story is wrong - possibly because of diplomatic reasons.
What is the likelihood that #2 is correct?
(there are other alternatives, but I believe that the likelihood that this is 100% or at least majorly fabricated by Bloomberg is near enough to zero)
Taking the writer's statements as truth, 6 out of 17 sources for the original Bloomberg story were government. Presuming the information was classified, each one of those individuals is risking losing their job and going to prison for talking about it.
What kind of conclusions the writers made from talking to the other 11 sources, what seniority they had, or even what companies they were from besides 3 from Apple, are anyone's guess.
I always am suspect when a government official or employee releases classified information. In some cases extreme moral outrage seems very plausible (Manning, Snowden.) The information is so startling the leaker decides they can handle spending much of the rest of their life in prison. In a much larger number of cases it is for political reasons (Libby, countless other stories where the source is never identified.) Many times, however, I suspect, the information is made up and then no laws have been broken, as far as I understand it.
The US cannot force those companies to lie. They can force them to stay silent, in which case they'd just say "No comments". If those companies are lying, they are committing security fraud.
Not only would they have to force the engineers to tell nothing, they'd have to force all capable engineers to vehemently deny it to their bosses who ask or ask them to look again.
You have it backwards. The government can't force them to put out "no comment" press releases. They can force them not to reveal certain information. Maybe that means the only logical thing to do is to say "no comment", but it certainly doesn't prevent a company from commenting as long as they don't reveal the gagged info.
> The US cannot force those companies to lie. They can force them to stay silent, in which case they'd just say "No comments". If those companies are lying, they are committing security fraud.
Would the US government have to force these companies to lie? It's quite possible that the denials were the result of voluntary cooperation.
A public company issuing such strongly-worded denials that turn out to be untrue would be leaving themselves at risk of an investigation by the SEC and/or a shareholder lawsuit.
The SEC prides itself on its independence; I don't think it would have any problem taking on a company that lied on behalf of some other agency of the federal government.
Now, a court order would indeed be something different, but I find it hard to conceive of a judge compelling a company to lie.
If they didn't have to lie and there was no legal order but voluntary cooperation, as the grandparent post suggests, then such voluntary misinformation can easily be a violation of SEC requirements; and one part of the government certainly can prosecute you for doing something that another part of the government suggested (but didn't/couldn't legally require), it wouldn't be the first time.
You are right and you are wrong. Legally, you are right. Practically, there is evidence that various elements in the US Government have at times coerced people into making untrue statements.
Is it really so clear-cut what the US can do? Maybe this so significant (it may well be if the allegations are correct) that they're running a campaign to really try to make people believe that this story is false.
The companies may have a strong incentive to cooperate in this campaign too, both to save face and government relations.
Unfortunately all of Bloomberg's allegations don't hold much water either, even though it'd be so easy for them to make the story credible with some details.
Well, the story just came out a few days ago. I wouldn't rule it out in the future, nor would I leap to the conclusion that an absence of such a move means there's truth to the story.
There could be other arrangements made with Bloomberg that would be jeopardized by that course of action. EG... you find a serious piece of news that can destroy me, so I pay you or make another arrangement to prevent that. If I later turn around and sue you, our backroom deal could blow up in my face. Too much is unknown right now.
or 3) Bloomberg is vaguely correct, but wrong in the specifics, including naming Apple and Amazon.
I.e., They get credible reports of SuperMicro servers having been compromised, they know that Apple and Amazon are customers. They find 1 over eager source willing to say Apple and or Amazon received compromised servers.
My take on this is that it's been fairly obvious for a long time that these kinds of attacks are possible (if not easy) with today's technology. One could design a microcontroller, for example, that was disguised as an 0805 capacitor and functioned like an 0805 capacitor, but also had other functionality.
So why is this suddenly breaking news? It bears resemblance to most of the propaganda stories we have seen in recent years:
- it is based on truth. Supply chain attacks are known to exist
- the US government has a goal of escalating with China over trade and IP practices.
- national security threats justify nearly any form of government action in today's world.
- the story turns out to have been leaked through foreign sources. This is typically the pattern we see because of concerns about propaganda coming directly from US government officials to US news outlets. There is typically a middle layer that is outside of the US where the allegations can originate from until they are broadly accepted as fact.
So Apple and Google are not really lying. Chances are there has not been any sort of major security breach in either of those companies due to supply chain attacks. It is possible that they have been barred from revealing information about it for national security reasons (in this case propaganda reasons).
So I think we can expect the following next steps:
- The story will continue to hover in this slow reveal format until enough laypeople come to understand the key concepts -- circuit assembly, components, trojan horse components, QC processes, subcontractors, etc. Once the stage has been set there will be more revelations and leaks from major companies that corroborate the story.
The goal is to make China the crisis in the buildup to the 2020 election. It's not a coincidence that this strategy is getting underway right after the midterm elections in the US.
Our president has already been attacking China with rhetoric and trade sanctions, and this story is meant to turn public opinion broadly against China.
The supply chain attacks do not have to have been significant (or successful) to make this happen. The very idea that "sneaky" Chinese intelligence agencies and firms would be able to slip this by US firms' quality control measures is enough to inflict paranoia on Americans and help them start to view China as a terrifying adversary that must be stopped.
China's military outnumbers the US military by 20:1 in terms of the number of active duty fighters, and China's economy is approaching first world standards in major cities far faster than the US had ever expected. China dominates scientific publications in the hard sciences, and its top universities are 10x more competitive (or more) than top US universities.
So hawks in the US realize that this may be the last opportunity for some sort of power projection or military driven containment of China's ambitions.
This is foolhardy, because China is led by a group of highly rational people whose policy responses to the administration's trade threats have been masterful and precise, and have conveyed with no uncertainty that China will not be bullied.
So what we're seeing is a short time horizon strategy by the US which is meant to have electoral consequences in 2020 and pave the way for some degree of hostile escalation with China. US weapons systems are still significantly more advanced, but China has likely weaponized many aspects of US infrastructure via these sorts of supply chain attacks. My guess is that the US Government is not aware of many of these, and will panic when they are discovered.
Fortunately for us all, China's leadership is calm and not prone to knee-jerk responses. China is rising to world prominence faster than expected, and the US will not take that lying down. However it is probably too late at this point, as China has a tremendous amount of soft power stemming from its importance to the US supply chain. Because of this there is still much hope for a peaceful, trade-driven equilibrium to emerge.
> Our president has already been attacking China with rhetoric and trade sanctions, and this story is meant to turn public opinion broadly against China.
Ah yes, Bloomberg, well-known for protectionist rhetoric and support for Trump.
> top universities are 10x more competitive (or more) than top US universities.
A citation would be very helpful here. And no, number of papers published isn
> This is foolhardy, because China is led by a group of highly rational people whose policy responses to the administration's trade threats have been masterful and precise, and have conveyed with no uncertainty that China will not be bullied.
Citation also needed. They're so rational, they just detained the president of Interpol, have committed mass internment of Muslim citizens, and can't go six months without trying to ram NATO ships in international waters.
> but China has likely weaponized many aspects of US infrastructure via these sorts of supply chain attacks
Wait, what? So doesn't that mean the hawks were right to be suspicious? And that this really should be a national security concern? "This is all just a pretense to make people afraid of the PRC! By the way, you should be afraid of the PRC."
> Ah yes, Bloomberg, well-known for protectionist rhetoric and support for Trump.
To be fair, many of Bloomberg's sources were government, so the government could easily have said "we'll leak this to Bloomberg." It doesn't require Bloomberg to have a protectionist agenda more than being a pawn.
I agree with you on the rest though; "masterful and precise" in particular seems pretty farfetched and ridiculous, and many parts of China's economy look like a house of cards.
You're conflating rationality with propriety. China wanted Meng Hongwei to make it easier to use Interpol to track down Chinese dissidents, directly in conflict with the Interpol charter; and merely two years later they kidnap, disappear him, and charge him with disloyalty to the Chinese Communist Party. He was supposed to be their stooge pigeon, but was clearly ineffective. Again from their point of view, entirely rational to have him removed because he wasn't doing what was expected. And that's what's so conspicuous, they openly admit China was his master, not Interpol.
China, Xi, and the Party are in a sense all one and the same thing. There is nothing more important than loyalty to the one Party, and the concept of one Party rule. And Uighurs are a threat to that, so they're labeled terrorists. If you accept the idea that one party rule is necessary, it's entirely rational to aggressively, perhaps even violently, ban all possible opposition. That's the nature of any autocracy.
>One could design a microcontroller, for example, that was disguised as an 0805 capacitor and functioned like an 0805 capacitor, but also had other functionality.
Don't you think it's going to be suspicious when you see a capacitor with 6 pins? Don't you think anyone that inspects the motherboard is going to wonder why a capacitor has 4 additional lines going to a critical flash chip? Seriously.... The entire article here is around replacing entire components. Adding new traces to a finished PCB is impossible without using wire that will be suspicious to anyone doing a visual inspection. Most sabotage will probably just program the flash chips with malicious software without changing the hardware or swap big components that use standardised footprints like QFN with a nearly identical part. Adding a small capacitor sized micro controller where it doesn't belong and on top of that connect it to existing chips in comparison is extremely hard. At that point you might as well design the backdoor into the PCB itself and embed it between the individual layers of the PCB.
It would not have to have more than two leads, depending on its use in the circuit. It was an example meant to illustrate how the dramatically different levels of miniaturization can make it hard to reason about attack vectors.
Consider what a state actor could do with access to modern microprocessor level fabrication.
I'd expect that we'd see features such as the following:
- sophisticated intra-chip communication
- long periods of total dormancy of the exploits
- circuitry capable of receiving a "it's safe to begin the attack" message
- surprising communications vectors for exfiltration
- technology to make malicious parts appear under x-ray to be normal
- fallback to awaiting the message to perform DoS if more sophisticated attack vectors are not possible
I agree with your suggestion about using the existing footprint, etc. There is likely some very sophisticated tech for making malicious parts x-ray and test as normal in every respect.
The network connector exploit described in the article would be easily detectable by temperature dissipation measurements. So distributed methodologies are likely in use.
I'd also estimate that a large number of mobile devices have built-in hardware compromises that are dormant and can be used if necessary. These would be the simplest attacks to carry out and would have extremely high yield. Things like:
- phones suddenly jamming the 4G and WiFi network simultaneously
- hardware implants to help detect whether a device is being used by a high value target. Such an attack could be created using a tiny bit of silicon and would be dormant in most cases.
The biggest risk to a state actor doing these kinds of attacks is being detected, so firmware based attacks are potentially more risky than hardware attacks, since we are better at detecting a checksum mismatch than we are at testing hardware across the spectrum of possible input conditions that might trigger unusual behavior.
So I think we'd see state actors dipping their toe in slowly to these kinds of attacks, first establishing the supply chain hacks without anything malicious going on, and then gradually phasing in actual malicious hardware once the relevant parameters for the attack are better understood.
> China's leadership is calm and not prone to knee-jerk responses
Communist China is ruled by a genocidal mafia with a well-known penchant for sudden outbursts of violence.
From its bloody inception, through the Great Leap Forward, the TianAnMen Massacre, the persecution of FaLunGong followers and recently Muslims — the regime has shown it's completely incapable of serving its people. When times get tough they invariably turn to intimidation and murder.
I guess I'm projecting some semblance of humanity onto them. I'd assume even the most evil would usually want to hold off murder till nothing else works. Hopefully karma is about to catch up.
POTUS has also explicitly stated China is meddling in the 2018 election, against him and Republicans, and assigned a motive.
“They do not want me or us to win because I am the first president ever to challenge China on trade,”
And in contrast to the calm of China, he is impulsive and has floated the idea of selective defaults on Treasury securities. And he has ample experience with this himself. It is in the realm of ridiculous conspiracy theories, but POTUS is a walking pile of ridiculous conspiracy theories, so why is defaulting on only Chinese-owned securities more ridiculous than nuking Pyongyang? (Of course, only one of those can actually be contained.)
That story is a bit odd, still -- normally behind the connector there is optionally magnetics, and at least a PHY... being able to integrate the magnetics in the connector exists all right, but adding the PHY /as well/ must make it a marvel of integration regular manufacturers would dream of... especially at Gb speed!
Also, you can't really 'piggyback' ethernet easily, for the same reasons; you would need TWO phy in there to decode/reencode...
Even if you'd want to 'piggyback' on the link itself, it would be very, very difficult to say the least -- Gb ethernet is definitely not a gimme to synthesise, let alone piggyback.
So, color me dubious -- the SPI 'chip' of last week was a bit dubious but doable (given not just a custom chip, but a custom PCB) but this ethernet story makes even less sense!
If you look at that illustration, you see that it's not just one ethernet connector, it's one of these massive connector stacks with one ethernet and 2 USB; also, it adds quite a bit of depth to the connector; it must have been made with one particular brand/type of motherboard in mind.
Still, if these are in the wild, then perhaps our Chinese friends might have reduced the footprint even more to the size of one connector.
I know the connectors with integrated magnetics are quite a bit 'longer' and 'beefier' than the passive ones.
And you don't think such a device could be made quite a bit smaller today, with better manufacturing support?
I'm thinking it's entirely plausible that such devices exist, and are broadly in the wild. Mostly targeted. That said, our own govt (US) is not innocent. Neither are China, Russia and many others. It's what government espionage actors do.
I think it's a fault of many that US mfg has fallen off as much as it has, and that critical infrastructure would allow foreign mfg in general. Or at least final inspection and assembly internally. Not just the US, but most countries.
> Also, you can't really 'piggyback' ethernet easily, for the same reasons; you would need TWO phy in there to decode/reencode...
Pretty much every BMC in existence (well, the ones that comply with the Data Center Manageability Interface, at least) can "piggyback" on top of an onboard Ethernet interface.
Ironically, China might have done more to bring back manufacturing to the US than Trump and Obama combined.
Regardless of whether this is actually true, and so far that's debatable, clearly the rest of the world needs to retrieve ownership of their supply chains for mission critical computer systems.
It's hard to see how this doesn't embolden Trump to take more action against China. And to be fair, at this point it's hard to disagree with him that China is taking advantage of the rest of the world.
Poor Super Micro. Their time as a public company is probably measured in months now :(
> Appleboum said that he's consulted with intelligence agencies outside the U.S. that have told him they've been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time.
I'd imagine at this point everyone who has the ability to do deep inspection of their hardware is working as fast as possible to resweep their servers.
You know this whole time I’ve been wondering that if this is true, I see some manufacturing coming back to the US. But I completely missed the part where China also makes stuff for the rest of the world and other countries might also be pulling manufacturing back to their home countries. Sometimes it’s just easy to stay focused in. Your comment made me take a step back and look at the bigger picture.
If Super Micro goes under and we discover this story was massively incorrect, can they sue for the lost market value? If so, this may cost bloomberg billions.
If it's correct, it's highly likely that most cloud vendors are in the same boat. Imagine Google or AWS, who each have multiple millions of servers: even if they build their own motherboards, there are so many 3rd party components there's no way to vet all the boards. Their IDS will catch some, but not all.
One might imagine a cloud vendor is constantly the target from multiple state actors, foreign and domestic, all vying for universal access.
X-ray won't catch substitute chips: they will have the same package and same markings but a few extra functions on their silicon. Good luck eyeballing that one. I think you're right though: they should examine a sample of the boards at least.
In addition--layering defense--one would imagine simply putting a motherboard on a quarantine LAN, simulating their production network, and watching its network traffic for phoning home.
The real implants might be waiting for a specific situation, like a date or a string on the bus, so you never really know if you got them all.
Given Amazon's scale, I would be very surprised if they're not either leveraging Open Compute designs or doing something similar with custom designs similar to open compute. Supermicro makes nice motherboards and servers, but they definitely are addressing general purposes, and something tuned more towards the specific needs of Amazon could be a lot more cost effective; even if that just means getting hardware that runs OpenBMC so the BMC firmware isn't complete trash.
They don’t say what the hack was and definitely do not say it was one of their pins. Probably some truth here, but as hard as they try, does not seem supportive of their “chinese pin” theory. Very suspicious that this is related, I’m guessing they’re trying to do anything to cover their asses.
That's my take as well. They quote many "experts" and report many incidents but they seem hard pressed to come with details and pictures. I can believe that these attacks occur but are they really at the scale implied by these stories? Why can they only report hearsay instead of showcasing even a single backdoored motherboard found in the wild? Haven't these experts taken pictures? Can we see them? Can we have some details on the components used?
This story is incredibly weird, nothing makes sense to me. I can't believe that Bloomberg would willingly report fake news. The fact that they decided to go with it even though Apple and others told them several times using unambiguous language that they were not aware of such an attack means that they must have really trusted their sources since they're effectively saying "Apple is blatantly lying about such a critical issue".
But then why would Apple be lying like that? Seems like it can only backfire for them when the truth is eventually exposed.
Sounds like the Ethernet connector module was not from the, ahem, correct manufacturer: “Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.”
I'm not sure I believe this one as much, just based on the part you quoted. I can see a chip manipulating the BMC/IPMI flash to make it do things it shouldn't. I don't see how an ethernet port could be modified to be interesting. They're typically after the magnetics, or contain the magnetics themselves, so the only source of power would be the activity LEDs, or something, or maybe we assume a custom PCB as well. You've then also got to have it doing gigabit ethernet, or otherwise tampering with data it got from that interface, which feels unlikely. Maybe it's just the same as the last implant story, hidden in a less easy to find place? Hard to know without something even approaching technical information.
It could just be a sort of beacon to help identify where hardware went after the manufacturing process. If the same company is building the same hardware, the agent can slip in something more nefarious to make sure they target the right company. Servers are commodity products but they aren't manufactured in mass quantities like phones are. If a company orders thousands of them, that's likely thousands that will need to be made. A Chinese manufacturing plant gets contracted to spin up production and an implant is slipped into some of the first boards just to see where they go. You don't want an expensive hardware trojan to end up in a Fortnite server; you want to hit Apple, Google, Lockheed Martin, SpaceX, anyone with valuable IP or information. The more beacon implants you throw out there, the more likely someone will find one and you don't want to get caught too early in the game. Once those implants come online and phone home, you have a better idea where the remaining boards are going and slip in the real deal implants, the ones that will actually get you a backdoor.
How would such a beacon work though? As RL_Quine points out there's only so much you can do at this point, especially if you want to be super stealthy. If you wanted to send a ping to an external server you'd have to craft an ethernet frame with the right target MAC address containing an IP datagram with the right IP address to be routed correctly in the datacenter and through the public firewall. You better make sure that your packet looks legit otherwise you're sure to trip anything looking for suspicious activity. "Hey look, our servers send weird packets to this suspicious IP, what gives?"
And you have to do all that with a very low power device running from within the port itself. Seems like a very high bar to me, especially when there seems to be so many easier ways to backdoor a motherboard.
But maybe the component is only hosted in the ethernet port but is actually connected to other signals on the motherboard.
You can sniff the right target MAC and source IP from the traffic flowing through the port itself. (Just assume the machine itself has internet access and use its source IP and the target MAC it uses for public addresses.)
As to the beacon itself… DNS is pretty good. Just send an innocuous DNS request to a machine you control (say a NIST time server), if you think an iterative request won't show up on radar. Or send a recursive DNS request along a path you've wiretapped. (I'd be surprised if the NSA doesn't have a feed of all DNS requests to 8.8.8.8.)
Of course you will want to wait to see whether the bugged machine itself sends any such packets out first, to ensure that yours can hide in the noise. Bad idea to send a DNS beacon from a machine that doesn't ever make DNS requests.
Actually on second thought, given the above capabilities, you don't even need to inject packets at all. Just mangle existing DNS queries in such a way that you can identify them in a wiretap. Say, for all DNS requests with a specific hash, mangle the ID field so that it matches some orthogonal hash (and unmangle it on the way back of course). Very unlikely to be noticed by an IPS, and you can statistically determine that machines sending more than expected packets whose ID field matches this second hash are successfully bugged.
Or, why even send packets? Instead, drop all DNS request packets matching some specific hash. They'll eventually get retried with a new server or new ID. Again, statistics applied to wiretapped data can determine whom you've bugged. You don't even need store+forward capability here; just emit noise over the tail of the packet and the switch will drop it for you.
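To make the two "no injected packets" beacons above concrete, here is a small model of both the ID-mangling variant and the drop variant, together with the statistic a passive tap would compute to tell bugged hosts from clean ones. This is my own added example, not code from Bloomberg, Sepio, or anyone in this thread. It assumes (my assumptions, not the article's) an in-line implant that holds two secret keys (`SELECT_KEY`, `MARK_KEY`), can rewrite the 16-bit DNS transaction ID on the way out and restore it on the reply, and an attacker tap somewhere on the resolver path. The host names and packets are constructed in the script; nothing is sent on a network.

```python
# Added example, not from the thread. Model of a DNS transaction-ID beacon:
# the implant rewrites the ID of a hashed subset of outbound queries, and a
# passive tap on the resolver path counts how often IDs match a second hash.
# Assumed (not from the article): in-line implant with two secret keys, the
# ability to restore the ID on the reply, and a tap. Nothing touches a network.
import hashlib
import random
import struct

SELECT_KEY = b"select-k"   # hypothetical secrets baked into the implant
MARK_KEY = b"mark-k"
SELECT_FRACTION = 0.25     # touch ~1 in 4 queries so the beacon hides in the noise

def encode_qname(name: str) -> bytes:
    """'a.example.com' -> 1 'a' 7 'example' 3 'com' 0 (DNS label encoding)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(tx: int, name: str, qtype: int = 1) -> bytes:
    """Minimal query: 12-byte header (RD set, one question) + question section."""
    header = struct.pack(">HHHHHH", tx, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)

def question_bytes(packet: bytes) -> bytes:
    """First question (qname + qtype + qclass); offset 12 in queries and replies."""
    i = 12
    while packet[i] != 0:
        i += packet[i] + 1
    return packet[12:i + 5]

def build_response(query: bytes) -> bytes:
    """Resolver reply: same ID, QR/RD/RA flags, same question (answers omitted)."""
    return query[:2] + struct.pack(">HHHHH", 0x8180, 1, 0, 0, 0) + question_bytes(query)

def tx_id(packet: bytes) -> int:
    return struct.unpack(">H", packet[:2])[0]

def selected(packet: bytes) -> bool:
    """Selector hash: does the implant act on this query at all?"""
    h = hashlib.sha256(SELECT_KEY + question_bytes(packet)).digest()
    return h[0] < int(256 * SELECT_FRACTION)

def marker_id(packet: bytes) -> int:
    """Orthogonal hash: the ID a bugged host will carry on a selected query."""
    h = hashlib.sha256(MARK_KEY + question_bytes(packet)).digest()
    return struct.unpack(">H", h[:2])[0]

def implant_mangle(packet: bytes, table: dict) -> bytes:
    """Outbound path: rewrite the ID of selected queries, remember the original."""
    if not selected(packet):
        return packet
    new_id = marker_id(packet)
    table[(new_id, question_bytes(packet))] = tx_id(packet)
    return struct.pack(">H", new_id) + packet[2:]

def implant_unmangle(response: bytes, table: dict) -> bytes:
    """Return path: restore the ID so the host's resolver accepts the answer."""
    orig = table.pop((tx_id(response), question_bytes(response)), None)
    return response if orig is None else struct.pack(">H", orig) + response[2:]

def implant_drop(packet: bytes):
    """Drop variant: corrupt selected queries so the switch discards them
    (modelled as None); the host's stub resolver simply retries."""
    return None if selected(packet) else packet

def marker_stats(packets) -> tuple:
    """Tap statistic, mangle variant: (hits, selected). A clean host hits the
    marker by chance ~1/65536 per query; a bugged host hits on every one."""
    sel = [p for p in packets if selected(p)]
    return sum(1 for p in sel if tx_id(p) == marker_id(p)), len(sel)

def drop_stats(packets) -> tuple:
    """Tap statistic, drop variant: (selected, total). A clean host shows about
    SELECT_FRACTION of its queries selected; a bugged host shows none."""
    return sum(1 for p in packets if selected(p)), len(packets)

def simulate(names, bugged: bool, variant: str = "mangle", seed: int = 1) -> list:
    """One query per name with random IDs, run through the implant if bugged."""
    rng = random.Random(seed)
    table, out = {}, []
    for name in names:
        q = build_query(rng.randrange(65536), name)
        if bugged:
            q = implant_mangle(q, table) if variant == "mangle" else implant_drop(q)
        if q is not None:
            out.append(q)
    return out

if __name__ == "__main__":
    hosts = [f"host{i}.example.com" for i in range(400)]   # constructed names
    for bugged in (False, True):
        print("bugged" if bugged else "clean ", marker_stats(simulate(hosts, bugged)))
```

The point of the model is that the tap never needs an injected packet: with the two keys it simply counts, per source host, how many selected queries carry the marker ID (or, for the drop variant, how few selected queries arrive at all). A defender without the keys cannot run the same statistic, which is what makes the scheme quiet; the residual tells are IDs that are not uniformly random and retry rates that depend on the query name.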
I've never seen an onboard Ethernet jack that doesn't have metal sides. The only places I've seen all-plastic Ethernet jacks are consumer networking gear and really ancient add-on cards. That makes me wonder if their source actually knows what he's talking about, especially given the lack of technical details about how this works.
This seems different than the extra chip attack according to the article.
"subsequent physical inspection revealed an implant built into the server’s Ethernet connector"
This feels like piling some more to cover up the weak premise of the previous article.
It doesn't mean it's false, it just means Bloomberg already cried wolf and couldn't show it. At this point it feels more like taking shots at Supermicro than professional reporting.
What is the chinese pin theory?
Is this the name being used for the supposedly embedded on the PCB layers chip?
Or the one that attaches on unpopulated pins/pads near the BMC memory area?
What context are you using the word 'pin' in here? I'm having some trouble following your comment, as 'pin' doesn't line up with anything I'd contextually assume you to be referring to.
I find it hard to believe that Bloomberg would publish an extremely detailed story involving some of the largest public companies in the world, knowing that it is entirely false. The cost of reputation is just too high.
Isn't that the question, though. I don't think anyone is accusing them of publishing information that they know to be false. It seems more likely that their sources are just not as good as believed and possibly have reinforced the details and information through an echo chamber. If these sources are within the same subsection of the industry and regularly exchange information, it may just be that they've been regurgitating information between themselves that somehow coalesced into a "real" story.
Not to be tin-foily, but it is also possible that Bloomberg has been deliberately fed or seeded with "bad" information -- it doesn't have to be an organic echo chamber. But no, I don't think Bloomberg itself set out to deliberately make a false story.
Of course it's possible. Foreign states have fed much less believable information to work against US interests and a good chunk of the population believes it wholesale.
You can read this story as a CYA because they overstepped in the first story. They have good details here. But in the Apple rebuttal, they note Bloomberg only had a single source for the Apple claims.
The podcast is an interview with Joe Fitzpatrick, one of the named sources. It's an impartial and mature discussion that left me with the same feeling of unease that Joe says he had when he first read the story. Basically, Joe would describe a theoretical hardware exploit to the Bloomberg journalist and the journo's sources would then confirm exactly that as a real world exploit.
Some real doublethink going on here, with Bloomberg continuing to insist that supply chain attacks are real, yet seemingly accepting the denials of each company involved. I am really not sure what to make of this.
This is just a suggestion, but it might be useful to stop thinking about news reports as "the news report says X is real and true", because that's not what most news reports actually say. The text used usually reads like: "An unnamed source says blah blah", and "Joe Smith, a retired auto-worker, says blah blah blah", or "In response, a spokesman for Large Company, Inc. says blah blah blah blah", and so forth. Bloomberg (probably) isn't insisting that the story or the denial is true or false. They repeat the facts that other people have said. Often those facts are true; often those facts are false.
Thinking about it this way helps me make sense of the topic. Maybe I'm weird.
It is not that cut and dry though. By publishing this story, they are asserting that the hack happened. They are not saying the attack is possible. They are saying it happened and that halved SMCI's market value. If they are wrong, Bloomberg is going to pay through the teeth for this one.
I've been wondering if Google and Google Cloud are affected by this? Does anyone know who Google uses to build the custom motherboards that they use? Also how does something like the Titan Chip [0] help protect against such an attack?
I'm curious to understand if there's anything that can protect against this?
I wonder what evidence caused them to claim the embedded "bug" is planted by China or its operatives -- how can they prove the source of the unauthorized modification? Are they just assuming?
> Based on his inspection of the device, Appleboum determined that the telecom company's server was modified at the factory where it was manufactured.
Any further evidence to support that claim? How can they be so sure that the boards weren't tampered with after they were manufactured and shipped to the states? Anyone with a little soldering experience could easily replace an ethernet port.
Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.
How uncommon are metal vs plastic ethernet connector sleeves?
This seems like a clue that even non-experts could use to track down an implant.
I don't recall seeing a board-mounted Ethernet jack that didn't have metal sides.
Reasons for an Ethernet jack to include a small metal enclosure:
1. The jack is subject to physical strain as we insert, remove, and tug on the cables. Most components are affixed to the board using only solder on the signal leads, but these do not provide significant mechanical strength. If you've ever had a bad headphone jack on personal electronics you are familiar with this phenomenon. So the little metal box has additional metal tabs that fit snugly in holes or slots on the board, and provide a stronger mechanical fit and a much larger surface area for solder adhesion.
2. Electromagnetic interference compliance. While Ethernet by definition involves pumping gigahertz signals out a long wire, these signals are carefully shaped and the cables pairs twisted to reduce leakage. But the designer of the jack doesn't know how much EM is flying around inside the case into which the port will be fitted. A metal box around the jack minimizes the size of the unshielded opening in the case. If you've installed a PC motherboard, you know the springy metal fingers on the backplate that seal against the block of external ports.
Is it possible the article is talking about an Ethernet cable plug? I have occasionally seen those with metal sides. But they are not normally supplied as part of a motherboard or server.
So it is a compromised ethernet adapter. Nobody questions the ability of Chinese spies to plant such a thing, but the "Big Hack" story implies that this is used as a mass infiltration tool, which I still find very improbable and which lacks any evidence.
The way I interpret it is: since it's being introduced at the manufacturing plant, those installing the devices have no idea where the finished product will end up. Thus, these are not targeted attacks; they could wind up in the servers of a Fortune 500 company, or just as easily in some hobbyist's home lab. You'd need to compromise a large percentage of the products to increase the chances of landing a juicy target. The scattergun manner is what they're playing up here.
Considering that large scale internet companies like Amazon and Apple buy enormous amounts of hardware, it's not an insane strategy. If you compromise 1 of every 1,000 pieces of hardware (or even one of every 10,000) odds are you'll end up in a major datacenter pretty quickly.
It may soon be that the only companies who can sell hardware outside of their own country are those who sell Open Source Hardware which can be 100% verified as true to its published design.
> It may soon be that the only companies who can sell hardware outside of their own country are those who sell Open Source Hardware which can be 100% verified as true to its published design.
That would be a very, very good outcome, IMHO. Use espionage fears to push forward other objectives, like open source.
This gets me thinking - what if this issue (assuming this is genuine and I'm starting to believe it is), is not limited to server hardware and more pervasive? What if this affects mobile phones as well? I'm looking suspiciously at my Nexus 6p made by Huawei.
I'm not sure it matters to me whether the original article is 100% correct. What I think the original article points out correctly is that the Chinese supply chain is possibly a pretty easy vector for hardware based hacks. I would suspect most nation states have the pull to bribe/blackmail contractors to make malicious modifications. Though the Chinese gov. would be the most likely culprit.
It also seems plausible the NSA would prefer techies not to look too closely at their hardware *removes tinfoil hat
Accidentally, all of this starts happening when trade war between USA and China is raging and when some countries decided to not follow USA orders to reduce business with China...
All secrets eventually leak. All secrets. No exceptions. Not even nation-state players with unlimited budgets can prevent leaks. This is reality.
What's a hacker (in the original sense: programmer, not cybercreep) to do?
Our task as custodians of secrets for our end-users is to reduce the attack surfaces on our systems, slow down those leaks and mitigate the effects of leaks when they happen. We must do these things to the best of our ability. We must do them whether we rig systems for large organizations or for our grandmothers.
Who's trustworthy?
Apple? Probably. They're pushing security as a major component of their brand.
AWS? Possibly. They have a lot to lose if they're compromised.
Microsoft? Possibly. They too have a lot to lose.
Seventeen well-placed but unnamed sources in the US security apparatus, babbling to journalists? Possibly.
Journalists? Their trustworthiness is eroding.
Cryptographers Whit Diffie, Martin Hellman, Ralph Merkle, Bruce Schneier, Ron Rivest and colleagues? Likely.
Motherboard vendors? Probably not.
Router / switch / firewall vendors? Probably not.
Nation-states? No. (They could change this by abolishing "security by obscurity" in their work, but that would require major changes in mindset.)
The article says: "The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013."
So the US doesn't exactly have clean hands. Here's a theory:
1. The US wants to have more ability to spy
2. With most manufacturing in China, this is hard
3. Implicating Supermicro might cause their customers to switch suppliers. It has already caused Supermicro stock to go down 41% then 27% again.
4. The US / Sepio Systems / former Mossad / former CIA officials come to the rescue with a company manufacturing "secure servers" not made in China. Or more likely, still made in China, only under different control.
5. Result: profit, increase US ability to spy, "bring manufacturing back to US companies"
IMO, governments - all governments - have no ethics and will do whatever they want to further their agenda.
> The security expert, Yossi Appleboum, provided documents, analysis and other evidence
> ... said Appleboum, who accompanied them for a visual inspection of the machine.
So can we at least get some photos of tampered hardware from these "evidence"?
What if the bloomberg article was a sort of false flag?
The Trump administration has been consistently escalating rhetoric against the Chinese, and it's not hard to imagine the CIA/NSA/etc intentionally leaking facts to Bloomberg that would make China look like a national security threat. This could even be done in a way where the security agencies don't leak anything actually false, but let the non-PhDs at Bloomberg run wild with speculation to create a sensationalist story that's not really true. A recent WSJ article [1] has called particular attention to the Trump administration's escalating anti-Chinese rhetoric, calling it the start of a "second cold war". We know for a fact that these sorts of operations happened during the first cold war [2], so it's not at all hard to imagine they would happen now.
A false flag attack fits with all the information we have so far about the event: There's no direct evidence of the attack, and if the bloomberg article is ever proven to be false, then only a small number of security researchers (and HNers) will ever learn about the retraction. The vast majority of Americans will only remember reading about how "China hacked major US companies" and create an anti-Chinese atmosphere that will help fuel future anti-Chinese policies.
It's interesting to note that the organization supposedly at the center of the investigation of this tampering of Supermicro servers—the FBI—has never issued a statement on the veracity of the story. Strange silence...
In the U.S., there is a very high bar to claim defamation. You not only need to prove the report is false, you also need to prove the reporter knew it was false and had bad intention to cause damage.
For clearing libel, all you have to prove is that the statement was presented as fact, was false, and caused harm.
At least in the US, I don't think this is true. Defamation is a broader class that includes libel, and always requires proving that the publisher was at least "negligent" in publishing the false statement: https://www.law.cornell.edu/wex/defamation
You either have to know the fact is false, or act with reckless disregard as to whether it's false or not. 17 sources suggests that they did care whether it was true; if they didn't care, they would not have gone to all the effort.
This saga is fascinating. I really have no doubt of the hardware existing. Though the original picture from the article and description made it hard for me to imagine the connectivity.
Is it connected to the SPI of the BMC flash/OS storage? Why wouldn't software integrity checks, like making sure the image is signed and not tampered with, capture it?
(Answer to this one sounds easy bad security practices regarding firmware process)
Yes I read it. seems they added another device to the network/ethernet interface which they detected sending network packets.
Curious how this one affected the server or did compare to the original article.
This one seems more benign considering it won't be able to mess around like the BMC has access to things like secure boot and other system busses like the PCI.
Is no one going to mention that the named source is ex-Israeli Unit 8200, whose alumni themselves have a long record of espionage in the US telecom sector?
Questions to ask when making up your own mind on this issue: AMDOCS billing customer list includes how many major US telcos? How much customer data is required to generate a bill? How much billing is executed in real or near-real time? How much is hosted off-site on non telco infrastructure? How many non-billing services? (Someone elsewhere here already mentioned 100% of voicemail is now outsourced to AMDOCS at one telco). Incidentally, the source for this article is also conveniently based in Maryland.
So I have bought Supermicro motherboards in quantity in the past. We went through a distributor and shipping was not direct from China.
So I'm having doubts that Supermicro's Chinese CM has any idea who the end customer of any of their boards is. Maybe it's different for really huge customers, but I still have doubts; it implies they are building to order and have no inventory.
This implies that the CM installs the Chinese Spy Chip on every board, or a random sampling of boards (so they should show up in the wild) or the tampering happens later in the supply chain- in the US.
Also I have further doubts about embedding a chip in a middle layer of a PCB. I doubt the CM is going to add that much extra expense when it's easier to add a chip to the surface. You don't really buy much secrecy from embedding a chip given that it's easy to x-ray a board, so why bother?
Anyway, there are devices called optical comparators. Supermicro could buy some security by providing comparison images that allow customers to perform an incoming inspection. I'm thinking they should do this now to add assurance / help their stock price.
And to think a couple of weeks ago I was called a lunatic for saying that backdoors are purposefully put into hardware by government actors: https://news.ycombinator.com/item?id=17736721
Even if Bloomberg were incorrect, the good thing will be that everyone starts looking now and in the end it might become a self-fulfilling prophecy. It's unlikely that something like this wasn't already done. Scale and targets could differ though.
Maybe it's just me, but this seems all too familiar. We've seen it happen with Iraq: reputable media outlets report sensational hostile state actions and immediately face criticism, but more importantly, note the timing after announcing China tried meddling with elections.
I don't know, sometimes I like reading into the big picture. What is the purpose of this Bloomberg article for those outside HN? It won't invoke feelings of calm but rather moral panic. Now half of Americans are riled up to think China is attacking the USA, and we remember they need just the right amount of support.
Also, as the noose is tightening around Trump, a war or a limited military conflict would be the perfect distraction.
Could be due to losses in "translation", but this paragraph seems odd:
> Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio's software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals -- such as power consumption -- that can indicate the presence of a covert piece of hardware.
Any ideas what they mean? I'd be surprised if mainboards etc. exposed the power consumption of random peripheral parts. Maybe sleep/link states of the actual NIC that get influenced?
If you look at the activity in the frequency domain, you might find a clock that's present in adulterated hardware that's missing in the nominal hardware.
> exposed power consumption of random periphery parts
Sampling these analog signals is done outside of the computer itself. Even if it were exposed via i2c, you couldn't trust anything that it would tell you.
I think it's probably also a software solution that the company whose CEO was the sole source for this article is trying to promote, judging from this marketing brochure for them: https://twitter.com/securelyfitz/status/1049725014075830272 The claims in that certainly look every bit as improbable.
Sampling the EM profile of a large number of boards' PHY signals could lead you to a deviation that indicates an anomaly.
Whether that anomaly has to be forwarded to maintenance or to security can be discussed, however: is the EM profile "wrong" because of tampering or because some capacitor is about to blow up?
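The detection idea in the two comments above (an extra clock line in the frequency domain, found by comparing a board's EM/PHY trace against a baseline built from many known-good boards) is worked through below as an added example; it is not code from any commenter or from Sepio. The traces, sample rate, tone frequencies and thresholds are all constructed for illustration, and the DFT is a plain pure-Python one so it runs without numpy.

```python
import cmath
import math
import random

FS = 1000.0   # sample rate in arbitrary units (constructed, not a real PHY rate)
N = 256       # samples per capture; bin width is FS / N = 3.90625 units

def dft_magnitude(samples):
    """Naive DFT: |X[k]| / N for k = 0 .. N/2 (a bin-aligned tone of amplitude a shows as a/2)."""
    n = len(samples)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(samples))) / n
            for k in range(n // 2 + 1)]

def capture(tones, seed, noise=0.05):
    """Constructed EM/PHY trace: a sum of (frequency, amplitude) sinusoids plus seeded Gaussian noise."""
    rng = random.Random(seed)
    return [sum(a * math.sin(2 * math.pi * f * i / FS) for f, a in tones) + rng.gauss(0, noise)
            for i in range(N)]

def build_baseline(reference_captures):
    """Per-bin mean and standard deviation of magnitude across known-good boards."""
    spectra = [dft_magnitude(c) for c in reference_captures]
    means, stds = [], []
    for k in range(len(spectra[0])):
        col = [s[k] for s in spectra]
        m = sum(col) / len(col)
        means.append(m)
        stds.append(math.sqrt(sum((v - m) ** 2 for v in col) / len(col)))
    return means, stds

def anomalous_bins(samples, baseline, sigma=6.0, floor=0.02):
    """Return (frequency, magnitude) for bins that rise above the baseline by sigma std-devs
    or by an absolute floor, whichever is larger. The floor stops near-zero baseline variance
    from flagging ordinary noise; a spectral line that is present on this board but absent
    from every reference board is exactly the 'extra clock' case discussed above."""
    means, stds = baseline
    spec = dft_magnitude(samples)
    return [(k * FS / N, spec[k]) for k in range(len(spec))
            if spec[k] > means[k] + max(sigma * stds[k], floor)]

if __name__ == "__main__":
    # Five known-good boards: only the legitimate 125-unit PHY clock is present.
    baseline = build_baseline([capture([(125.0, 1.0)], seed=s) for s in range(5)])
    # A suspect board carries a weak second clock at 312.5 units (bin-aligned, constructed).
    suspect = capture([(125.0, 1.0), (312.5, 0.1)], seed=100)
    print(anomalous_bins(suspect, baseline))   # the 312.5 bin stands out; the 125 bin does not
```

Whether such a deviation is tampering or a failing component (the second comment's point) is not something the spectrum alone decides; the example only isolates which bins deserve a closer look.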
If both are going over the same physical interface, there could be tiny voltage drops to power the chip itself. The vague-as-ever article gives no indication as to how the chip would be powered, but such a small implant could conceivably leech off the legitimate ethernet interface.
My consumer board exposes that information.
There is a tab called "system information" with hardly readable text which lists all voltages etc. by component.
I've never actually checked in the BIOS of any server, as that information was never relevant to me, but they probably have that as well.
Might be off topic, but can Bloomberg even consistently use punctuation? I see mixes of dumb quotes and smart quotes in the same paragraph and the same sentence. And the backtick as well. It is those details that reveal to me the article is rushed, possibly very little care has been afforded to the article.
My guess is that the NSA, spy agencies from China, Bloomberg, SuperMicro, Apple, Amazon and anyone else involved are carefully watching HN comments to see who interprets the story correctly so they can seek that person out and hire them.
This is not the first nor the last time we see reports about hardware manufactured in China being suspected of tampering like this. It will continue to happen. China steals technology and then manufactures it for itself.
If anything, the fog of war here shows the costs that have been incurred alongside the massive efficiency gains from outsourcing/subcontracting in the global economy.
I want to mention a political side of the argument: M. Bloomberg himself is very pro open trade and has strongly hinted at running in 2020. Also, newspapers don't usually hurt their owners' candidacy, even for explosive stories. Bloomberg isn't just putting its reputation at stake here, it's legitimized the Trump presidency further. I would say there is definitely something behind this story.
You've got to be kidding. There's no way of validating anything about modern hardware, it's packed with independent systems running various firmware, software that's decades old, parts nobody can even identify unless you're the OEM. You can get to "that probably does this" level easily, but that doesn't tell you anything about its actual security or authenticity.
The "trojan ethernet connector" paragraph mentions similarity to an NSA implant, which appears to be this: https://en.wikipedia.org/wiki/NSA_ANT_catalog#/media/File:NS...
I'm now wondering if someone found an NSA implant and misreported it as Chinese. We're going to end up in the stupid situation where people are afraid to report foreign intelligence attacks because it's illegal to report an attack by US intelligence agencies, aren't we?