More evidence of massive Chinese hardware hack

Bloomberg has a new story out about China’s alleged tampering with the global hardware supply chain, revealing that an unnamed major US telecom company discovered a malicious implant in a Supermicro server back in August. This time the story’s source is named, which makes it seem more credible (Bloomberg’s previous story on the Supermicro hacking did not name its sources).

If true, the scale of the potential damage from this hardware hacking is almost incomprehensible.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

Brian Krebs has an insightful post about the issue on his security blog. Of particular interest:

The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list,” “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.

More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.

And he identifies the crux of the issue:

Like it or not, the vast majority of electronics are made in China, and this is unlikely to change anytime soon. The central issue is that we don’t have any other choice right now. The reason is that by nearly all accounts it would be punishingly expensive to replicate that manufacturing process here in the United States. […]

Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”

The original Bloomberg piece, as he points out, also addresses what he calls “this elephant in the room.” Quote from that piece:

The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories.

As time goes on, the evidence mounts that offshoring advanced manufacturing to low-cost countries in Asia was an epochal blunder by the US. Now the US is abjectly dependent on a hardware supply chain that may be deeply compromised and there is no obvious way to fix or even detect its vulnerabilities. However, to call this “an insurmountably hard problem” is an exaggeration; it is merely staggeringly hard.

The solution would almost certainly have to involve moving a large amount of high-tech production back to the US. This would be terrifyingly expensive, but the US may not have a choice, and the economic benefits of creating all those new jobs and factories could be enormous.

Anything that has been offshored can be reshored. Anything that was invented in the US can be made in the US. If I’m wrong, please explain how.

Spy fail

Suspected GRU operative (Burn After Reading)

The GRU, what happened to you?

It must go down as one of the most embarrassing months ever for Russia’s military intelligence.

In the 30 days since Theresa May revealed the cover identities of the Salisbury poison suspects, the secretive GRU (now GU) has been publicly exposed by rival intelligence agencies and online sleuths, with an assist from Russia’s own president.

Despite attempts to stonewall public inquiry, the GRU’s dissection has been clinical. The agency has always had a reputation for daring, bolstered by its affiliation with special forces commando units and agents who have seen live combat.

But in dispatching agents to the Netherlands who could, just using Google, be easily exposed as graduates of an elite GRU academy, the agency appears reckless and absurdly sloppy.

In response to the surreal interview with the Skripal poisoning suspects, I wrote: “I thought Russian intelligence operatives were supposed to be smart? What is going on here?” It gets worse:

[…] And then came Thursday’s bombshell: four men outed by Dutch investigators for attempting to hack into the Organisation for the Prohibition of Chemical Weapons (as well as Malaysia’s investigation into a downed jetliner).

The alleged spies were caught carrying enough telephones to fill an electronics store. Moreover, like all meticulous Russians on a business trip, they held on to their taxi receipts from GRU headquarters.

At a glance, it’s hard to square such ridiculous incompetence with the idea that Putin and his operatives are crafty enough to destroy Western democracy. In any case, the GRU’s epic fails do seem to indicate the declining value of human intelligence in the age of the internet.

US hardware supply chain compromised by Chinese spies


Holy moly, this is huge. According to Bloomberg Businessweek, a unit of the People’s Liberation Army secretly inserted tiny malicious microchips into motherboards that were manufactured in Chinese factories for the US-based company Supermicro. Those motherboards went into expensive servers supplied to Amazon, Apple, the Department of Defense, the CIA, and the US Navy, among others. From the Bloomberg Businessweek investigation:

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.
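The “stealth doorway” in the quoted passage is, operationally, a baseboard management controller that talks to something it should not. An implant soldered onto the board is invisible to software running on the host, but the traffic it generates is not, which is why the practical control is a dedicated management network with a strict egress allowlist and a periodic audit of flow records against that allowlist. The script below is an added example of such an audit; it is not code from the original post, from Bloomberg or from Supermicro. The management subnet (10.99.0.0/24), the permitted destinations and ports, and the flow-record format are assumptions, and the flow records themselves are constructed.

```python
"""Audit flow records for out-of-policy egress from a BMC management network.

Added example: not code from the original post, Bloomberg or Supermicro.
Network ranges, port policy and the record format are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed topology: every BMC/IPMI interface sits on one dedicated /24.
BMC_NET = ipaddress.ip_network("10.99.0.0/24")

# Assumed policy: a BMC may talk only to the management net itself and to
# the monitoring/firmware-update subnet, and only on Redfish/HTTPS (443)
# or IPMI-over-LAN (623). Anything else is a finding.
ALLOWED_DST_NETS = (
    ipaddress.ip_network("10.99.0.0/24"),
    ipaddress.ip_network("10.10.5.0/24"),
)
ALLOWED_DPORTS = {443, 623}

# Constructed flow records in an assumed format:
# "timestamp src dst dport proto bytes".
SAMPLE_FLOWS = """\
2018-10-04T02:13:07Z 10.99.0.17 10.10.5.4 443 tcp 1820
2018-10-04T02:13:09Z 10.99.0.17 10.99.0.1 623 udp 240
2018-10-04T02:14:55Z 10.99.0.23 203.0.113.77 443 tcp 912
2018-10-04T02:15:01Z 10.99.0.23 10.10.5.4 8080 tcp 512
2018-10-04T02:15:30Z 10.20.1.5 203.0.113.77 443 tcp 4096
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    nbytes: int


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated record format assumed above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto, int(nbytes)))
    return flows


def audit(text: str) -> list[Finding]:
    """Return one Finding per flow that leaves the BMC net against policy.

    Flows whose source is not a BMC are ignored: this audit is only about
    what the management controllers themselves reach out to.
    """
    findings = []
    for f in parse_flows(text):
        if f.src not in BMC_NET:
            continue
        if not any(f.dst in net for net in ALLOWED_DST_NETS):
            findings.append(Finding(f.ts, str(f.src), str(f.dst), f.dport,
                                    "destination outside management allowlist"))
        elif f.dport not in ALLOWED_DPORTS:
            findings.append(Finding(f.ts, str(f.src), str(f.dst), f.dport,
                                    "allowed destination, unexpected port"))
    return findings


if __name__ == "__main__":
    for hit in audit(SAMPLE_FLOWS):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.dport}  {hit.reason}")
```

On the constructed records this flags two flows from 10.99.0.23: one to an address outside the allowlist and one to a permitted host on a port the policy does not permit. The audit only works if the BMC has its own dedicated port on the management network rather than sharing the host’s NIC, and it only catches an implant that actually communicates; one that stays silent until triggered will not show up here, which is the limitation that keeps physical inspection on the table.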

This is really bad.* Say goodbye to US reliance on Chinese components. It will take time to reorient the global supply chain, but the effort is already underway. This scandal, which has been known (of course) to the Obama and Trump administrations, will only strengthen the case for manufacturing sensitive technologies in the US.

[…] Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

In the meantime, Mike Pence accuses China of a host of sins including interfering in the US democratic process:

Vice President Mike Pence escalated Washington’s pressure campaign against Beijing on Thursday by accusing China of “malign” efforts to undermine President Donald Trump ahead of next month’s congressional elections and reckless military actions in the South China Sea.

In what was billed as a major policy address, Pence sought to build on Trump’s speech at the United Nations last week in which he alleged that China was trying to interfere in the pivotal Nov. 6 midterm elections. Neither Trump nor Pence provided hard evidence of Chinese meddling.

That’s not quite right: Pence mentions, for example, the widely noted Chinese advertising supplement in Iowa. From the transcript:

And China is also directly appealing to the American voters. Last week, the Chinese government paid to have a multipage supplement inserted into the Des Moines Register –- the paper of record of the home state of our Ambassador to China, and a pivotal state in 2018 and 2020. The supplement, designed to look like the news articles, cast our trade policies as reckless and harmful to Iowans.

I pointed out this bit of propaganda on September 23, referencing a tweet by Bloomberg’s Jennifer Jacobs. Trump then tweeted about it on September 26. Read my blog to see the future!

Pence also calls on Google to “immediately end development of the ‘Dragonfly’ app that will strengthen Communist Party censorship and compromise the privacy of Chinese customers.” More about Dragonfly here.

===

*Only fair to link to Supermicro’s response to the Bloomberg piece:

SAN JOSE, Calif., October 4, 2018 — Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems.

In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found.

Each company mentioned in the article (Supermicro, Apple, Amazon and Elemental) has issued strong statements denying the claims […]

Google fails to not be evil

“Google” by William Blake

Now we know why Google has scrubbed almost all mention of “Don’t be evil” from its code of conduct:

Google bosses have forced employees to delete a confidential memo circulating inside the company that revealed explosive details about a plan to launch a censored search engine in China, The Intercept has learned.

The memo, authored by a Google engineer who was asked to work on the project, disclosed that the search system, codenamed Dragonfly, would require users to log in to perform searches, track their location — and share the resulting history with a Chinese partner who would have “unilateral access” to the data. […]

The memo identifies at least 215 employees who appear to have been tasked with working full-time on Dragonfly, a number it says is “larger than many Google projects.” It says that source code associated with the project dates back to May 2017, and “many infrastructure parts predate” that. Moreover, screenshots of the app “show a project in a pretty advanced state,” the memo declares.

Most of the details about the project “have been secret from the start,” the memo says, adding that “after the existence of Dragonfly leaked, engineers working on the project were also quick to hide all of their code.”

It’s pretty simple: if you want to operate in China, you have to play by the CPC’s rules. There is no way for Google to do that while upholding the values it pretends to care about. Hence the secrecy.

The Internet of Dumbass Things (IoDT)

Big Brother Alexa is watching you

Writing in Forbes (a few years ago), Theo Priestley threw cold water on the “Internet of Things” craze:

This time last year Gartner said that by 2022 a typical family home, in a mature affluent market, could contain several hundred smart objects. Several hundred. […]

But if we examine the market as it is today apathy is rife because the current trend by OEM companies is to “stick a chip in it” in order to connect it to the internet, without any real value to the consumer. In fact, the only ones getting excited by the Internet of Things are the vendors.

Take Samsung’s offerings at the recent IFA exhibition. Samsung now have a new SmartThings hub to connect the many devices in your home. There were examples like:

  • The smart oven that waited for you to be on your way home before starting to heat your dinner.
  • The home that switched on lights as you approached.
  • Samsung also added a touch of personality to their SmartThings platform; you can start the morning by texting the app “good morning”, and your house will bid you farewell as you leave.

The immediate response to these was: Why? (especially the last one!)

What software and hardware vendors fail to answer is why their connected device is necessary for a consumer to own and what value it ultimately brings. Consider the ‘smart oven’ above. It won’t actually prepare the food for you the night before. You have to do that. So the convenience is…?

I know of a family that has a cutting-edge Samsung microwave/oven combo that cannot even display the clock for more than 60 minutes at a time. Apparently, this is because the screen is actually a tablet computer that needs to sleep. In their disgust, the family has not even bothered to set the clock to the correct time. Also, as far as they can tell, the Wi-Fi connectivity is completely useless and adds no value to their cooking experience. In effect, then, their lavishly priced “smart” appliance is arguably rather stupid.

I thought of this when reading of Amazon’s latest efforts to create an omni-connected happy digital republic:

Amazon is using a surprise hardware event in Seattle today to introduce a bunch of new devices with its Alexa voice assistant built in.

Why it matters: Amazon is in a race with Google (and to a lesser degree Microsoft and Apple) to make its assistant as ubiquitous as possible.

So far, the company has announced, per CNBC:

  • Amazon Basic Microwave, which will cost $59.99.
  • Echo Wall Clock, at $30, to set timers and such.

[Etc…]

  • New Alexa capabilities. She’ll be able to tell when you’re whispering — and she’ll whisper back. She’ll also act on “hunches,” so if you tell her “good night,” she might turn off your lights and check if your doors are locked.

Creepy! More to the point, how does this invasive consumer technology actually benefit humanity? Are we really better off being able to whisper to our devices, or to control our kitchen lights from 100 miles away?

Entropy

The total entropy of an isolated system, such as the universe, can never decrease over time. This has some unfortunate consequences. For example, cleaning my room will decrease the level of disorder locally, but only by producing large amounts of waste heat that will increase the overall level of entropy (unavailable thermodynamic energy) in the universe.

Therefore, I have decided to help keep entropy at bay by sitting around today and doing nothing at all.

By my calculations, I have prolonged the life of the universe by approximately one googolth of a second.

You’re welcome.

*

PS: I thought this was my own idea, but here’s a good article exploring it in more depth.

Training

Every age has its rituals. In the Age of Google, we have the Ritual of the reCAPTCHA, a compulsory visual test that requires a carbon-based organism to prove its sentience to a computer by selecting squares that seem to contain grainy images of a specified object. The organism must do this correctly in order to demonstrate to the computer’s satisfaction that it (the organism) possesses the mental faculties of invariant recognition, segmentation, and parsing, in which attributes humans tend to excel over computers. If the organism passes the test, it is permitted to continue with its intended task on the website.

The problem is that many human beings who are more or less sentient find the average reCAPTCHA hard and frustrating, owing to the intentionally crappy quality of the images, the poor visibility of the objects, and certain definitional problems that the average internet user is ill-equipped to deal with. For example, should the user, tasked with identifying “street signs,” click on a square that contains only part of a sign post? Then there are questions of process. Does the user click Verify immediately after clicking all the relevant squares, or wait for new images to materialize in the squares that have been clicked? None of this is clear, none of it is explained. The user twists in a fog of doubt and confusion, and frequently fails the test.

Choose wisely (Source)

The reCAPTCHA is the reductio ad absurdum of modern life, a grudging surrender of countless man-hours of labor (over 100 million reCAPTCHAs are displayed every day) to feed the ravenous maw of an emerging artificial superintelligence. Because, of course, by completing these image recognition tasks, the human user is training Google’s vast machine learning datasets. TechRadar thanks you for your service in helping develop self-driving cars.

But while we are training Google’s neural networks, the machines are simultaneously training us — teaching us to be more compliant, more deferential to the machines, and more conversant in machine logic… in short, remaking humanity in their own image. The future is a slouched hominid clicking on a fuzzy image of a taco shop — forever.

“These people are complete narcissists”

Google leadership seminar (source)

I enjoyed this rant against Big Tech, which besides being funny, also contains the kernel of a very interesting idea for how to address the growing crisis around data privacy and ownership:

Bannon also added this gem about Tesla:

I do not have a dog in this fight, but Musk seems increasingly unhinged to me, and the little stunt he pulled with his abandoned buyout plan was undeniably shady. But… are you not entertained?

Hubble strikes again

Part of the Hubble panorama

Hubble delivers another spectacular glimpse of the cosmos with a new composite photo:

These new mosaic images provide a panoramic view of around 15,000 galaxies, in the center of the fields observed by The Great Observatories Origins Deep Survey (GOODS). About 12,000 of these galaxies are in the star-formation stage, with some of the most distant spots (the reddest ones) dating back 11 billion years.

The images were born out of a program called the Hubble Deep Ultraviolet (HDUV) Legacy Survey, and cover 14 times more sky than a similar image released back in 2014.

And you can’t miss the absolutely incredible images of local galaxies released a few months ago:

Hubble image of Messier 66

Survival of the laziest

Science says that laziness, or as I prefer to call it, economy of effort, could be a fantastic survival strategy:

A new large-data study of fossil and extant bivalves and gastropods in the Atlantic Ocean suggests laziness might be a fruitful strategy for survival of individuals, species and even communities of species. The results have just been published in the Proceedings of the Royal Society B by a research team based at the University of Kansas.

Looking at a period of roughly 5 million years from the mid-Pliocene to the present, the researchers analyzed 299 species’ metabolic rates—or, the amount of energy the organisms need to live their daily lives—and found higher metabolic rates were a reliable predictor of extinction likelihood.

“We wondered, ‘Could you look at the probability of extinction of a species based on energy uptake by an organism?'” said Luke Strotz, postdoctoral researcher at KU’s Biodiversity Institute and Natural History Museum and lead author of the paper. “We found a difference for mollusk species that have gone extinct over the past 5 million years and ones that are still around today. Those that have gone extinct tend to have higher metabolic rates than those that are still living. Those that have lower energy maintenance requirements seem more likely to survive than those organisms with higher metabolic rates.”

I’m not sure whether this is related, but many of us have had the experience of working with high-energy, high-stress people who scurry around in a whirlwind of activity and give every indication of being extremely busy, and yet are strangely unproductive (and sometimes actively destructive) within the organization. Do they have elevated metabolic rates and if so, are they less “fit” to survive?

“Maybe in the long term the best evolutionary strategy for animals is to be lassitudinous and sluggish—the lower the metabolic rate, the more likely the species you belong to will survive,” Lieberman said. “Instead of ‘survival of the fittest,’ maybe a better metaphor for the history of life is ‘survival of the laziest’ or at least ‘survival of the sluggish.'”

The most successful leaders often have a laconic, hands-off management style, and it’s astounding what a truly great leader can accomplish by just hiring the right people, saying a few words and then heading out for a round of golf. The less perceptive might see this approach as leisurely or even “lazy,” but it’s actually just extremely efficient.

I close with an anecdote from historian Paul Johnson about a 1946 encounter with Winston Churchill:

He gave me one of his giant matches he used for lighting cigars. I was emboldened by that into saying, “Mr. Winston Churchill, sir, to what do you attribute your success in life?” and he said without hesitating: “Economy of effort. Never stand up when you can sit down, and never sit down when you can lie down.” And he then got into his limo.