Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

Who's your money on? Bloomberg's sources? Apple? Amazon? Super Micro?


Denials starting to make sense

Both of those things happened in the right timeframe for it to be a direct result of such an investigation. But Apple claims that the decision to ditch Super Micro was over malware that had been inadvertently fetched from Super Micro's customer portal: a downloadable network interface driver had been infected with a software nasty by Chinese hackers in 2015, and accidentally installed on an internal Apple Windows-based development machine, it is claimed. Facebook also may have fetched the dodgy driver for the Super Micro boxes it had in its lab. The malware apparently attempted to spy on network traffic. There was another issue with the server motherboards' network cards: they shipped with outdated firmware that had a known security hole in it, we're told.

Amazon says its sale to Sinnet was a "transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China," and had nothing to do with discovering any spy chips.

Up to this point, you could be forgiven for believing Bloomberg's story in its entirety and discounting Amazon, Apple and Super Micro's denials as attempts to cover their backs while refusing to acknowledge understandably confidential national security investigations.

Except the denials are far more precise and concrete than typical non-denial denials. It remains very unlikely that public companies would issue outright falsehoods, even in the current political climate, due to the market and regulatory ramifications if they were found to be outright lying to investors. Usually, assessing whether a company is telling the truth consists of carefully parsing statements and seeing what aspects of a story they don't address.

Typical giveaways are when such statements are over-the-top, using emotive but imprecise language, or when a denial is either overly specific – such that it walks past the main allegation – or is unnecessarily vague – so it sounds like a denial but actually isn't.

And there are examples of those in the various statements put out by the companies. For example, Amazon brings up in its response to Bloomberg the old canard "there are so many inaccuracies in this article as it relates to Amazon that they’re hard to count," which is a classic way of casting doubt without actually tackling the issues substantively.

It also calls the suggestion that it sold off its Beijing data center to step away from compromised servers "absurd" – a strong, emotive word, but such a decision would not be absurd at all if the story is true.

Parsing

But Amazon also says: "It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware."

You can parse this. For example the key element in the first denial is "when acquiring Elemental." What timeframe does that encompass? And how do you define "AWS"? Did the security people making the decision work for AWS, or another arm of Amazon?

If Amazon wanted to outright deny the story, it could have said something like: "AWS and Amazon deny any knowledge of supply chain compromise, an issue with malicious chips, or hardware modifications with respect to Elemental or Super Micro beyond the assertions made to us by Bloomberg."

In a second denial, the wording gets a little stronger: "At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government."

This is a much harder denial to parse. It seems like a pretty straight-up denial. There is one possible parsing escape route – the use of "we" – as in "at no time have we ever found." Strictly speaking, it wasn't Amazon but the third-party security company that it asked to carry out the audit. But things are definitely growing a little thin at this point.

Amazon's denial goes on to detail other issues it had with Super Micro motherboards – the implication being that Bloomberg has got the wrong end of the stick. But other problems with the boards don't preclude the spy-chip explanation and could in fact be manifestations of the fact that third parties are able to install whatever they want on the motherboards through such a chip.

Typical Apple

Apple's denial is typical Apple. Reflecting its superiority complex, it mocks the news organization: "Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them."

It also talks about how "deeply disappointed" it is in the reporters because they were "not open to the possibility that they or their sources might be wrong or misinformed." And even suggests they may have got confused with a "previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs."

So far, so Apple. But it also makes a strong denial that deserves attention: "On this we can be very clear: Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement."

Whichever way you parse that, it remains a strong denial. If it turns out the Bloomberg report is true, it would be hard to paint that sentence as anything but a lie.

It is also worth noting that neither Amazon nor Apple went for the usual "we do not discuss any national security or law enforcement issues as a matter of policy" – which is the most common tacit way of acknowledging something happened without saying what.

As for Super Micro, it denies knowing anything about any investigations – which is likely entirely true – but does not impact the story at all. No one is suggesting that Super Micro knowingly compromised its own products. The server maker ultimately "strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems."



Biting the hand that feeds IT © 1998–2022