
Bloomberg's "The Big Hack"

Bloomberg Businessweek today published an absolutely incredible story alleging that Chinese intelligence compromised thousands of data center servers by infiltrating the supply chain to insert hard-to-detect rogue chips on motherboards from a company named Supermicro. The entire report, by Jordan Robertson and Michael Riley, is worth reading in full.

Bloomberg alleges that Apple and Amazon were both among the companies that installed the compromised hardware. Apple and Amazon both vehemently deny the report. Someone is either wrong or lying. This cannot all be true.

From Bloomberg's report, regarding Amazon:

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

Regarding Apple:

Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers over two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015 it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.

And regarding both companies’ denials:

The companies' denials are countered by six current and former senior national security officials who, in conversations that began during the Obama administration and continued under the Trump administration, detailed the discovery of the chips and the government's investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon's cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim.

But the companies' denials seem unequivocal. Apple's statement to Bloomberg:

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries, and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg's story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

That statement is credited only to "Apple", so presumably it was written by Apple PR. Amazon issued a similar statement to Bloomberg, but later published a full response, signed by Steve Schmidt, the company's chief information security officer. Schmidt is adamant and clear:

There are so many inaccuracies in this article as it relates to Amazon that they're hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers.

I see no way around it: either Bloomberg's report is significantly wrong, at least as it pertains to Amazon and Apple, or Apple and Amazon have issued blatantly false denials. Perhaps you could argue that Apple's denial came only from Apple PR. I don't think this is what happened, but hypothetically the matter could be considered so sensitive, both within the company and as a matter of national security, that the people at Apple who know the truth presented a false account to Apple PR. But in my experience, Apple PR does not lie. Do they spin the truth in ways that are favorable to the company? Of course. That's their job. But they don't lie, because they understand that one of Apple's key assets is its credibility. Before they'd lie, they'd say nothing at all.

Amazon's response, with Schmidt's name signed to it, is even more convincing. Presumably no one at Amazon would be more familiar with the details of such a breach than Schmidt.

One way or the other, as more comes out on this story, the credibility of either Bloomberg or Apple and Amazon is going to take a significant hit. Currently those are the two most valuable publicly traded companies in the world.

A few other tidbits worth noting. From Bloomberg's report:

One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.

And then this from Amazon’s response:

Because Elemental appliances are not designed to be exposed to the public internet, our customers are protected against the vulnerability by default.

If these servers aren't exposed to the public internet, I don't see how they could "phone home" to servers in China outside the data center.

Technical details aside, the central thesis of this whole story rings true: China cannot be trusted as a state actor, yet the entire tech industry is dependent upon the Chinese supply chain. It is entirely credible that managers at Chinese factories are susceptible to bribes and to threats of "inspections" that would shut down their plants. From Bloomberg's report:

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. "You end up with a classic Satan's bargain," one former U.S. official says. "You can have less supply than you want and guarantee it's secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition."

Lastly, regardless of the veracity of the report, Bloomberg deserves credit for this sentence:

Two of Elemental's biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.

Update: Apple has issued a stronger denial of Bloomberg's report.