Tech Brew Ride Home - Thu. 10/04 - Biggest Hardware Hack Ever?

Episode Date: October 4, 2018

Did China pull off a hardware hack to end all hardware hacks, is a new Nintendo Switch coming as soon as next summer, the ThinQ has five cameras on one phone, and Movie Pass? Still alive!

Links:
The... Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies (Bloomberg Businessweek)
Russia cyber-plots: US, UK and Netherlands allege hacking (BBC News)
Nintendo Plans New Version of Switch Next Year (WSJ)
LG V40 THINQ REVIEW: ONE PHONE, FIVE CAMERAS (The Verge)
Verizon’s Severance Offer Goes to About 44,000 Employees (WSJ)
Barnes & Noble names board committee to review possible sale, shares soar (CNBC)
MoviePass' new funding means it isn't going anywhere just yet (Engadget)

Transcript
Starting point is 00:00:00 Welcome to the Techmeme Ride Home for Thursday, October 4th, 2018. I'm Brian McCullough. Today, did China pull off a hardware hack to end all hardware hacks?
Starting point is 00:00:44 Is a new Nintendo Switch coming as soon as next summer? The ThinQ has five cameras on one phone. And MoviePass. Update. Still alive. Here's what you missed today in the world of tech. This morning in a lengthy cover story, Bloomberg Businessweek outlined what it says is perhaps the biggest hardware and supply chain hack in history.
Starting point is 00:01:13 According to extensive sourcing and reporting, agents from China's People's Liberation Army inserted tiny chips into products produced by U.S.-based motherboard giant Super Micro. It would be useful for you to click over to the link to this story in the show notes to see what we're talking about here. When I say tiny chip, I'm talking tiny, so tiny as to be undetectable in the maze of doodads on a motherboard. Pull out a penny and look at Abe Lincoln's ear. The chips were about that size. These chips were inserted onto motherboards
Starting point is 00:01:48 that were then used to run servers, and those servers were used at almost 30 U.S. companies like Amazon and Apple. Again, the company that manufactured the motherboards was U.S.-based Super Micro. Quote, think of Super Micro as the Microsoft of the hardware world, a former U.S. intelligence official said in the piece.
Starting point is 00:02:07 Attacking Super Micro motherboards is like attacking Windows. It's like attacking the whole world, end quote. And of course, Super Micro motherboards were manufactured in China, which is how these chips were inserted during the manufacturing process. Quoting extensively from the piece, the chips on Elemental servers were designed to be as inconspicuous as possible, according to one person who saw a detailed report prepared for Amazon by its third-party security contractor,
Starting point is 00:02:34 as well as a second person who saw digital photos and x-ray images of the chips incorporated into a later report prepared by Amazon's security team. Gray or off-white in color, they looked more like signal conditioning couplers, another common motherboard component, than microchips, and so they were unlikely to be detectable without specialized equipment. Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches, end quote. But what exactly would these chips do? Quote, since the implants were small, the amount of code they contained was small as well, but they were capable of doing two
Starting point is 00:03:11 very important things, telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code, and preparing the device's operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of super chip that administrators used to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off. This system could let the attackers alter how the device functioned line by line, however they wanted, leaving no one the wiser.
Starting point is 00:03:46 To understand the power that would give them, take this hypothetical example. Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won't check for a password and presto, a secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet, end quote.
Starting point is 00:04:18 The piece says that U.S. officials have caught China experimenting with hardware tampering like this in the past, but they have never seen anything at this scale. Frankly, this piece is mind-boggling, and it's well worth reading the whole thing. Supposedly this unit of the Chinese PLA that U.S. intelligence has been tracking for a while threatened factory managers that if they didn't cooperate
Starting point is 00:04:38 and install the chips on boards destined for the U.S., their factories could be shut down. There are all sorts of knock-on effects as well. Amazon apparently recently sold its Chinese server business, and the piece suggests it was because it felt it had been compromised in some similar fashion. And Apple reportedly removed all Super Micro servers from its data centers back in 2015.
Starting point is 00:04:59 The Pentagon has also met with tech companies to warn them of this ongoing issue. The piece ends this way, quote, In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one in Super Micro's motherboards has emerged or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem, end quote.
Starting point is 00:05:24 Now, a quick PS on this. This morning, Amazon, Apple, Super Micro, and the Chinese government have all issued statements disputing the allegations in this Businessweek story. And when I say disputing, I should really say categorically denying. For example, Apple's statement read, quote, On this we can be very clear. Apple has never found malicious chips, hardware manipulations, or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident.
Starting point is 00:05:54 We are not aware of any investigation by the FBI, nor are our contacts in law enforcement, end quote. To which Kevin Van Haren responded, quote, I don't think I've ever seen a flat-out denial of anything from Apple. Even the Antennagate response was basically, yeah, that happens, but you can avoid it. You can't walk back that statement at all, end quote. To which Rene Ritchie tweeted,
Starting point is 00:06:19 that's the thing. If Bloomberg got it wrong, it's a bloody nose. If Apple, Amazon, etc., PR are misleading, it's a body blow. I'd say it's worse, but things that ended careers decades ago barely get remembered days later now, end quote. So there is a huge ongoing debate right now on Hacker News and other places around the internet weighing the veracity and or the possible impact of this huge story. And here's some more infosec news with geopolitical implications. The U.S. Department of Justice has indicted seven GRU officers with charges relating to cyber attacking around the world.
Starting point is 00:07:03 The GRU is Russia's military intelligence agency. Among the incidents that this particular cyber squad is alleged to have been involved with, quote, The Netherlands has accused four Russians of plotting to hack the Organization for the Prohibition of Chemical Weapons, which had been probing the chemical attack on a Russian ex-spy in the UK. The UK government accused the GRU of being behind four high-profile cyber attacks, whose targets included firms in Russia and Ukraine, the U.S. Democratic Party, and a small TV network in the UK. The U.S. said its anti-doping agency and the U.S. nuclear energy company Westinghouse were targeted by Russian intelligence. Canada said with high confidence that breaches at its Center for Ethics
Starting point is 00:07:47 in Sports and the Montreal-based World Anti-Doping Agency were carried out by Russian intelligence. Added to this, the Dutch authorities have said a laptop seized from the four suspects in April was found to have been used in Brazil, Switzerland, and Malaysia, end quote. Sounds like these guys sure do get around. The Wall Street Journal is reporting that Nintendo plans to release a new version of its popular Switch gaming consoles sometime in the latter half of 2019, but possibly as soon as the summer. Quote, Nintendo is still debating what new hardware and software features to include in the upgrade and weighing the cost of the features,
Starting point is 00:08:30 people with knowledge of the discussion said. One option is improving the display, they said. The current Switch uses a lower-end liquid crystal display without some technologies that are standard in more recent smartphone LCDs. Updating the display with these technologies would make it brighter, thinner, and more energy efficient, end quote. Nintendo officials declined to comment. The LG V40 ThinQ is out.
Starting point is 00:09:03 Don't at me, people. The pronunciation of this smartphone is ThinQ, not think, but, you know, whatever. Call it whatever you want. This is the phone that has the five-lens camera system, though it also has a 6.4-inch Quad HD display, 6 gigabytes of RAM, and a Snapdragon 845. But it's those five cameras that everybody talks about when they talk about this phone. So how do they work? Dan Seifert at The Verge says,
Starting point is 00:09:32 it's like having a camera bag full of lenses built right into your phone. The V40 gives you a more versatile camera than any other smartphone available right now. You can go from taking standard snaps to ultra-wide vistas to close-up portraits in just a matter of taps on your screen. LG has built in some clever features to its camera app to make the most of the three cameras as well. Long pressing on the different zoom buttons
Starting point is 00:09:57 brings up a live thumbnail of each lens's field of view so you can easily see what the other cameras can capture before you take a snap. There's even a mode called triple shot, which will take a picture from all three cameras in just one press of the shutter, so if you're really indecisive about which camera to use, you can just shoot all three of them, end quote.
Starting point is 00:10:18 He gives it a Verge score of eight. The LG V40 is available for pre-order today, starting at $900. In an effort to cut around $10 billion in costs, Verizon is essentially outsourcing a huge chunk of its IT systems to Indian outsourcing giant Infosys. And Verizon has offered voluntary severance packages to about 44,000 employees or more than a quarter of the telecom company's entire workforce. Quoting from the Wall Street Journal, the severance packages will give Verizon, quote, an opportunity to find more efficiencies in the size and scope of our V team and help expedite the building of an innovative operating model for our future,
Starting point is 00:11:10 Chief Executive Hans Vestberg wrote in a memo sent to employees last week and reviewed by the Journal, end quote. Brad Sams snarked on Twitter, every good decision starts with outsourcing your core infrastructure. Looking at things from one angle, the Internet era has been basically a long-running saga of nimble internet companies disrupting stodgy old offline companies, right? I mean, Netflix slew Blockbuster, Napster almost took down an entire industry. But the company that was maybe the first to face internet disruption was the first company that was Amazoned, as it were. I'm speaking, of course, of Barnes & Noble. Now, Amazon hasn't killed the bookstore. It did kill Borders, of course, but Borders had bigger financial issues. And I'm not
Starting point is 00:12:02 saying that Barnes & Noble has been killing it lately, but it hasn't exactly been on life support either. And hey, it's survived doing battle with Amazon and others these last 20 years, which is more than I can say for Circuit City. But perhaps the oldest grudge match with internet disruption is reaching some sort of an end game. CNBC is reporting that Barnes & Noble is naming a special committee to look at strategic alternatives, including a possible sale after receiving interest from multiple parties, perhaps keen on the retailer that has more than 600 stores across the U.S. This news sent Barnes & Noble stock soaring this morning more than 20 percent. Quoting CNBC,
Starting point is 00:12:45 In the first quarter, ending July 28th, Barnes & Noble said total revenue declined 6.9% while sales at those stores open for at least 12 months fell 6.1% from a year ago. Its same store sales have fallen for 20 of the last 23 quarters, end quote. After today's share rise, Barnes & Noble has a market cap of roughly $400 million. So a mere drop in the bucket for, I don't know, who do you think would be a logical acquirer of Barnes & Noble? For just the real estate, perhaps? Actually, I could think of several companies, but you know who I mean.
Starting point is 00:13:26 Finally today, let's check in with MoviePass. Prognosis? Still not dead. Ted Farnsworth, CEO of Helios and Matheson, MoviePass's parent company, told a conference that the company has secured $65 million in new funding just last month, but Farnsworth declined to say who the funding was from,
Starting point is 00:13:47 which is an odd thing since, aren't they a publicly traded company? And it, quote, seems like the company's restrictions on memberships have helped achieve MoviePass's counterintuitive goal: its customers aren't heading to the movies that often anymore. Speaking at the Grill 2018 conference, the CEO Matheson said that, quote, people are going to less than one movie a month.
Starting point is 00:14:11 So technically, subscription alone right now is doing just fine. Now it's tacking on all the other things on top of it, he said, end quote. So all those changes that MoviePass recently made to their monthly plans, which now give you a mere three movie tickets a month instead of one a day, have stemmed the immediate bleeding, it seems, but one does wonder if it has done so at the cost of what consumers responded to in the first place, right? Of course, I think a large part of what consumers responded to all along
Starting point is 00:14:40 was a deal that we all knew intuitively was probably too good to be true. Still, apparently, the company has the breathing room to figure things out, as Engadget headlined the piece I just quoted from, MoviePass' new funding means it isn't going anywhere just yet. That is all for today, people. As always, I've been Brian McCullough. As always, you can follow me on Twitter at Brian MCC. And by the way, since our subscriber numbers went up about 20% last month in September,
Starting point is 00:15:15 an FYI to any new listeners or anyone who hasn't done so before, feel free to rate and review this podcast anywhere you can, but especially on Apple Podcasts and Google Play or whatever Google Podcasts. I can't remember what their current branding is. And feel free to tweet and post about us wherever you'd like to spread the word, just like James McLeod did last night. Thanks as always for any kind words when you feel like sharing them, because spreading the word helps us build our mutant podcast army, right? Talk to you tomorrow.
