Possible massive Chinese hardware compromise of server equipment

[cordex]

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

If true, this is a huge deal.  All involved companies appear to publicly deny it, but I find the story plausible at some level.

For the record, the US has done similar stuff, just on a much more targeted scale.  For instance, intercepting deliveries of computer equipment being sent to particular foreign entities and implanting monitoring hardware on those targeted machines.  This kind of mass exploit is pretty audacious.

What surprises me most is the closing remarks that there exists no commercial way to detect the compromise.  Seems that if control server endpoints are known there should be a way to do that via network monitoring and firewall rules - at least for the existing equipment.

[slugcatcher]

There very well is a way to stop it but that would cost money.  The secrets lost are not worth the expense of buying hardware not built by the lowest and most untrustworthy bidder (China).  I have no pity for any company that fell or continues to fall for this.  The west cannot and never will be able to trust China.  The people there have been raised for decades to hate the west.  Anything they do to us we deserved as far as they are concerned.  Honor and integrity mean nothing to them as far as we are concerned.

[Hawkmoon]

What surprises me most is the closing remarks that there exists no commercial way to detect the compromise.  Seems that if control server endpoints are known there should be a way to do that via network monitoring and firewall rules - at least for the existing equipment.

That's not what it said. It said, "In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge." They have ways to do it, but the phrase "commercially viable" means those ways are so costly that few entities would be willing to spend that kind of money.

[slugcatcher]

I was replying to the article in general.  They act like this was totally unexpected and the sky is falling.  Again, I don't have any sympathy for any of these companies.  As a result of their lack of awareness anyone doing business with them is at risk.  It would be nice if China and the server mfg were held accountable.  This won't happen.  Everyone knows the Chinese can't be trusted.  As long as they are the cheapest option on the table nobody cares. Maybe this will start to change the corporate thought on Chinese manufacturing.  I doubt it.  I am impressed with the tech however.  I wonder who they stole it from.