[stevehawk]

What has truly surprised me in all of this is the skepticism expressed about this being plausible. Most nerd sites are rife with thoughts on how insecure things are and hypothetical ideas on how something could be compromised but all of a sudden this one isn't possible? We know the US Gov't has done it in transit but it's ridiculous to think a state owned manufacturer wouldn't do it on the factory line?

We know this very state does it to laptops brought into the country by corporate execs (https://www.securityinfowatch.com/blog/10861870/keeping-secr...) but again, there's no way they'd do it on a factory line?

I don't get it. Are we so confident that Amazon, Google, and Apple wouldn't fall for this that we refuse to believe it? I know everyone is saying "show us a compromised board!" but it's very likely that the our Gov't would ask that either (a) those boards be left in place or put in a honeypot so the enemy doesn't know that we know or (b) get handed over to them for forensics, etc and probably destroyed.

For the most part in my nerd circle of friends I've noticed that the only ones that believe the Bloomberg story are the ones that were or currently are in the intelligence community. Everyone else thinks it's Bloomberg being dumb because of that whole "they pay journalists based on how they change stock prices" article.

[creeble]

I don't hear skepticism on plausibility.

I just hear skepticism based on lack of actual evidence, as there has been, to date, exactly zero. For a hardware back that could only have been done at a large scale.

[kickopotomus]

This is why I am skeptical. I will not presume to know how Supermicro and Elemental operate but I find it unlikely that this would go unnoticed by both of them. The guys I work with raise hell if CRCs on firmware images don't match, much less a BOM change. There are a lot of QA breakdowns that have to happen after manufacturing for this sort of attack to be successful. Could it happen? Sure, but there should be some sort of available evidence. What about the rest of Elemental's customers? Did the government manage to quietly take all of their servers as well?

[bdamm]

Eh... it's not quite that simple. Checking the firmware before it goes into the device is not the issue. It's after the firmware is in the (integrated) device that it's an issue. How do you check that? You have to boot the device to calculate the CRC. Now assume that the device's bootloader is compromised and that the device actually has more internal storage than you thought. Now what? Ensuring correctness of firmware to verify the device won't do something you've never seen it do is quite difficult.

[kickopotomus]

I just brought up the CRCs as an example of due diligence. This attack, as I understand it, hinges on a design and BOM change to the board. So my question is how did that change manage to make it past both Supermicro and Elemental?

[stevehawk]

Simply put, they never checked?

[vel0city]

Depending on what the chip did, the CRC on a firmware image may not actually change. If the chip was just listening to the SPI lines to the BMC's load, it could just inject additional data into the stream. The flash chip on the board could be 100% legit, but the final image loaded on to the BMC might be malicious. Do you really CRC the entire BMC environment after boot, or just check the image when you go to update the BMC?

[tracker1]

I think that most rational people hold a state of natural disbelief to conspiracies in general. For example, 10 years ago, the thought of a government slurping up all network communications into large collections of data storage for later analysis seemed so unlikely. The cost of storage, the expanse, the inability to make any effective querying against the data... just made it seem highly unlikely.

Then you come to find out it's actually happening. It just seems like such a huge thing that's hard to comprehend. I, personally believe it's entirely plausible.

[newuser12344]

Yes! I am amazed at the general attitude of skepticism expressed in response to the Bloomberg article.

BTW, Amazon doesn't know anything about security. Every day I observe examples of people who work there, wittingly or unwittingly, doing things to erode any security that might happen to be in place. It's almost entirely run by below average people scrapped up and recruited from the dregs of third world countries.