bloomberg on supermicro: sky is falling

2018-10-04 Thread Randy Bush
re: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies from a side convo with a well known sec researcher: >> saw that a couple of years back when apple tossed them out. so who >> do we know that is for sure not

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Ken Matlock
Would be remiss in our duties if we didn't also link AWS' blog, in response to the Bloomberg article. In short, AWS refutes many of Bloomberg's reporting in the article. https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/ Ken On Thu,

Re: Buying IPv4 blocks

2018-10-04 Thread Matt Harris
On Thu, Oct 4, 2018 at 11:20 AM Ross Tajvar wrote: > I'm rolling my eyes. We'll be using IPv6, but obviously we need IPv4 too. > > On Thu, Oct 4, 2018, 12:00 PM John Lee wrote: > >> If is a new US business and you are working internationally why not go >> simple and use IPv6 addresses? >> >>

Re: Buying IPv4 blocks

2018-10-04 Thread Ross Tajvar
I'm rolling my eyes. We'll be using IPv6, but obviously we need IPv4 too. On Thu, Oct 4, 2018, 12:00 PM John Lee wrote: > If is a new US business and you are working internationally why not go > simple and use IPv6 addresses? > > John Lee > > On Thu, Oct 4, 2018 at 10:59 AM Ross Tajvar wrote:

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Scott Weeks
--- matlock...@gmail.com wrote: From: Ken Matlock Would be remiss in our duties if we didn't also link AWS' blog, in response to the Bloomberg article. -- Every company and the Chinese gov't is saying "no, Bloomberg is wrong":

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread valdis.kletnieks
On Thu, 04 Oct 2018 15:26:15 -0400, William Herrin said: > The Bloomberg article described them as looking like 'signal > conditioning couplers" on the motherboard. There is no such part on > server boards but maybe they meant optoisolators or power conditioning > capacitors. You overlook the

Re: Buying IPv4 blocks

2018-10-04 Thread John Lee
If it is a new US business and you are working internationally why not go simple and use IPv6 addresses? John Lee On Thu, Oct 4, 2018 at 10:59 AM Ross Tajvar wrote: > Thanks everyone who replied. I got many responses off-list, including a > lot of positive endorsements for several different

Re: Oct. 3, 2018 EAS Presidential Alert test

2018-10-04 Thread Sean Donelan
Since I know network engineers are geeks, and can't stop themselves from looking... On your iPhone (and android, and likely other cell phone OS), there are detailed diagnostics logs. On your iPhone, look under Settings->Privacy->Analytics->Analytics Data->awdd- "awdd" means Apple Wireless

Re: Buying IPv4 blocks

2018-10-04 Thread Marco Davids via NANOG
On 04-10-18 at 22:07, John Levine wrote: Even if you do have v6, some things like DNSSEC don't work very well if you can't do them over v4. Is that so? -- Marco

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Denys Fedoryshchenko
On 2018-10-04 23:37, Naslund, Steve wrote: I was wondering about where this chip tapped into all of the data and timing lines it would need to have access to. It would seem that being really small creates even more problems making those connections. I am a little doubtful about the article.

RE: bloomberg on supermicro: sky is falling

2018-10-04 Thread Scott Weeks
--- snasl...@medline.com wrote: From: "Naslund, Steve" The other thing I am highly skeptical of is the suggestion of attempting to tap sensitive intel agency systems this way. Talking to a C&C server is suicide from within their network.

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Randy Bush
> To me this looks like a Chinese version of the NSA FIREWALK product. so the good thing about the trade war with china is that it keeps implant designers fully employed on both sides. they can't just buy each other's implants; the tariffs would be too high. randy

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Mark Rousell
On 04/10/2018 22:00, Naslund, Steve wrote: > The other thing I am highly skeptical of is the suggestion of attempting to > tap sensitive intel agency systems this way. Talking to a C&C server is > suicide from within their network. How long do you think it would take them > to detect a reach

RE: bloomberg on supermicro: sky is falling

2018-10-04 Thread Naslund, Steve
Remember it's the data that is classified, not the network. It does not matter if you have IP connectivity, it matters if the classified data is allowed to move over the connection. When a government agency talks about a "classified network" they are talking about a network that has been

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Mark Rousell
On 04/10/2018 20:26, William Herrin wrote: > On Thu, Oct 4, 2018 at 3:07 PM Denys Fedoryshchenko wrote: >> It would be better for them(AMZN, SMCI, AAPL) to prove that these >> events did not take place - in court. > "Can't prove a negative." You can in effect do so by suing for defamation. It's

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Andrew Latham
Supermicro's response at https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg.cfm On Thu, Oct 4, 2018 at 12:03 PM Randy Bush wrote: > re: > https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies >

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Eric Kuhnke
The US' extensive reliance on third party commercial contractors to implement a lot of programs, means that despite laws and SOW/PWS for their contracts, many contractors *do* have sensitive data on their networks with a gateway out to the public Internet. I have seen it. I have cringed at it.

RE: bloomberg on supermicro: sky is falling

2018-10-04 Thread Naslund, Steve
Quite different really. FIREWALK is really an intercept device to get data out of a firewalled or air gapped network. The exploit Bloomberg describes would modify or alter data going across a server’s bus. The big difference is the Bloomberg device needs command and control and a place to

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Mark Rousell
On 04/10/2018 22:28, Naslund, Steve wrote: > > Quite different really. FIREWALK is really an intercept device to get > data out of a firewalled or air gapped network. The exploit Bloomberg > describes would modify or alter data going across a server’s bus. The > big difference is the Bloomberg

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Matt Harris
On Thu, Oct 4, 2018 at 2:26 PM William Herrin wrote: > On Thu, Oct 4, 2018 at 3:07 PM Denys Fedoryshchenko > wrote: > > It would be better for them(AMZN, SMCI, AAPL) to prove that these > > events did not take place - in court. > > "Can't prove a negative." > > > In the opposite case, even if

Re: Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

2018-10-04 Thread Nick Hilliard
William Herrin wrote on 04/10/2018 20:53: I wonder if it would be useful to ask the IETF to assign a block of "origination-only" IP addresses... IP addresses which by standard are permitted to be the source of ICMP packets but which should be unreachable by forward routing. no - this would be

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Randy Bush
> Classified networks do not connect to other networks unless > they are equally or higher classified. that sentence makes no sense. if A can connect to B because B is more highly classified than A, then B is connecting to a less classified network A. randy

RE: bloomberg on supermicro: sky is falling

2018-10-04 Thread Naslund, Steve
It would be really noticeable. In the secure networks I have worked with "default routes" were actually strictly forbidden. Also, ACLs and firewall policy is all written with Deny All policy first. Everything talking through them is explicitly allowed. The government especially in the three

Re: Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

2018-10-04 Thread Karl Gerhard
Hello Brandon, instead of not announcing it you can send it to your upstream and tag it with no-export. That way you can still see your router in traceroutes if the source ASN of the traceroute doesn't do uRPF. If you don't have a separate range from which you assign PTP/loopback addresses,

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Eric Kuhnke
To me this looks like a Chinese version of the NSA FIREWALK product. Which is a network implant built into a RJ45 jack intended to be soldered onto a motherboard. The FIREWALK info came out with the Snowden leaks in 2013 and the tech was years old at that time.

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread valdis.kletnieks
On Thu, 04 Oct 2018 21:00:57 -, "Naslund, Steve" said: > The other thing I am highly skeptical of is the suggestion of attempting to > tap sensitive intel agency systems this way. Talking to a C&C server is > suicide from within their network. How long do you think it would take them > to >

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Scott Weeks
--- ra...@psg.com wrote: From: Randy Bush > Classified networks do not connect to other networks unless > they are equally or higher classified. that sentence makes no sense. if A can connect to B because B is more highly classified than A, then B is connecting to a less classified network

Re: Oct. 3, 2018 EAS Presidential Alert test

2018-10-04 Thread Dan Lowe
My wife and I, both on AT&T iPhones in the greater Cleveland area, received nothing. A co-worker of mine in Virginia got an alert, another in Texas did not. I believe the co-workers are both on AT&T. I can't speak for the co-workers, but my wife and I do not have wifi calling enabled. Dan On

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread valdis.kletnieks
On Thu, 04 Oct 2018 14:10:07 -0700, "Scott Weeks" said: > Classified networks do not connect to other networks unless > they are equally or higher classified. No internet connection. > Period. Well, if your classified network is connecting to a higher classified net, then *that* network is

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread William Herrin
On Thu, Oct 4, 2018 at 5:17 PM Scott Weeks wrote: > --- snasl...@medline.com wrote: >> The other thing I am highly skeptical of is the suggestion >> of attempting to tap sensitive intel agency systems this way. >> Talking to a C&C server is suicide from within their network. > > Classified networks

Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

2018-10-04 Thread Brandon Applegate
Hello, I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security reasons. Totally get this and am on board with it. What I don’t get - is how. I’m going to list some of my ideas below and the pros/cons/problems (that I can think

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread William Herrin
On Thu, Oct 4, 2018 at 3:07 PM Denys Fedoryshchenko wrote: > It would be better for them(AMZN, SMCI, AAPL) to prove that these > events did not take place - in court. "Can't prove a negative." > In the opposite case, even if this article is full of inaccuracies, > judging by the discussions of

RE: Oct. 3, 2018 EAS Presidential Alert test

2018-10-04 Thread Cooke, David
Not received here but the BBC did apparently... https://www.bbc.com/news/technology-45730367 -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Bill Woodcock Sent: Wednesday, October 03, 2018 5:17 PM To: nanog@nanog.org list Subject: Re: Oct. 3, 2018 EAS

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread William Herrin
On Thu, Oct 4, 2018 at 4:37 PM Naslund, Steve wrote: > On the opposite side of the argument, does anyone think it is strange that > all of > the companies mentioned in the article along with the PRC managed to get a > simultaneous response back to Bloomberg. Seems pretty pre-calculated to > me.

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Denys Fedoryshchenko
On 2018-10-04 21:52, Scott Weeks wrote: --- matlock...@gmail.com wrote: From: Ken Matlock Would be remiss in our duties if we didn't also link AWS' blog, in response to the Bloomberg article. -- Every company and the Chinese gov't is saying

Re: Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

2018-10-04 Thread Pierre Emeriaud
On Thu, 4 Oct 2018 at 21:12, Brandon Applegate wrote: > > I’ve seen mention on this list and other places about keeping one’s PTPs / > loopbacks out of routing tables for security reasons. Totally get this and > am on board with it. What I don’t get - is how. I’m going to list some of >

Re: Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

2018-10-04 Thread Jason Lixfeld
> On Oct 4, 2018, at 3:07 PM, Brandon Applegate wrote: > > Thanks in advance for insights on this. If you’re MPLS enabled, one implementation could place the loop/infra/p2p in the global table and customer/internet traffic inside a VRF.

Re: Buying IPv4 blocks

2018-10-04 Thread John Levine
In article you write: > >If is a new US business and you are working internationally why not go >simple and use IPv6 addresses? Just a guess, but it's probably because they would like for the large fraction of the net that is still v4 only to be able to contact them. Even if you do have v6,

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread William Herrin
On Thu, Oct 4, 2018 at 3:57 PM Mark Rousell wrote: > The mystery object in the pictures in the article seemed to me > to (sort of) resemble a surface mount power conditioning > capacitor. Though Bloomberg didn't go out of their way to say it, the photos were "representative" of the chip

RE: bloomberg on supermicro: sky is falling

2018-10-04 Thread Naslund, Steve
I was wondering about where this chip tapped into all of the data and timing lines it would need to have access to. It would seem that being really small creates even more problems making those connections. I am a little doubtful about the article. It would seem to me better to create a

RE: bloomberg on supermicro: sky is falling

2018-10-04 Thread Naslund, Steve
I can read but I am really finding it hard to believe that they all agreed to even comment on it at all. Especially the PRC. Next question would be that if Bloomberg was calling me for "months to a year" why not get out in front of it in the first place? The whole story and its responses are

RE: bloomberg on supermicro: sky is falling

2018-10-04 Thread Naslund, Steve
>> Classified networks do not connect to other networks unless they are >> equally or higher classified. No internet connection. >> Period. Not quite but there are at least application level gateways. For example, there are usually gateways that can let unclassified email flow into classified

Re: Not announcing (to the greater internet) loopbacks/PTP/infra - how ?

2018-10-04 Thread William Herrin
On Thu, Oct 4, 2018 at 3:10 PM Brandon Applegate wrote: > I’ve seen mention on this list and other places about keeping one’s PTPs / > loopbacks out of routing tables for security reasons. Totally get this and > am on board with it. What I don’t get - is how. I’m going to list some of > my

RE: bloomberg on supermicro: sky is falling

2018-10-04 Thread Naslund, Steve
It is definitely more desirable to try and tap a serialized data line than the parallel lines. The thing that made me most suspicious of the article is why would anyone add a chip. It requires power and connections that are highly detectable. Motherboard designs are very complex in the

Re: v6 DNSSEC fail, was Buying IPv4 blocks

2018-10-04 Thread John Levine
In article <60afb948-5f6d-8ea8-00c9-6d4d92ff0...@forfun.net>, Marco Davids via NANOG wrote: >> Even if you do have v6, some things like DNSSEC don't work very well >> if you can't do them over v4. > >Is that so? Yeah, V6 UDP fragmentation and anycast are bad news. You can sort of fix it by

Re: v6 DNSSEC fail, was Buying IPv4 blocks

2018-10-04 Thread Mark Tinka
On 5/Oct/18 03:07, John Levine wrote: > Yeah, V6 UDP fragmentation and anycast are bad news. You can sort of > fix it by doing all your v6 DNSSEC DNS queries over TCP but it's a lot > easier to stick to v4. > > Geoff Huston has written about this a lot and it's a well known problem > in the

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Scott Weeks
--- eric.kuh...@gmail.com wrote: From: Eric Kuhnke many contractors *do* have sensitive data on their networks with a gateway out to the public Internet. I could definitely imagine that happening. scott

Re: Oct. 3, 2018 EAS Presidential Alert test

2018-10-04 Thread bzs
Just to try to squeeze something worthwhile out of these reports... I wonder, if there were a real alert, what the odds are that one wouldn't hear about it in 1 minute, 5 minutes, etc even if they didn't personally get it. Obviously edge cases are possible, you were deep in a cave with your

Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Jason Hellenthal
You are what you allow -- The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume. > On Oct 4, 2018, at 17:07, Naslund, Steve wrote: > > It would be really noticeable. In the secure networks I have worked with > "default routes"

Re: v6 DNSSEC fail, was Buying IPv4 blocks

2018-10-04 Thread Mark Andrews
> On 5 Oct 2018, at 3:12 pm, Mark Tinka wrote: > > > > On 5/Oct/18 03:07, John Levine wrote: > >> Yeah, V6 UDP fragmentation and anycast are bad news. You can sort of >> fix it by doing all your v6 DNSSEC DNS queries over TCP but it's a lot >> easier to stick to v4. >> >> Geoff Huston

Re: Buying IPv4 blocks

2018-10-04 Thread Ross Tajvar
Thanks everyone who replied. I got many responses off-list, including a lot of positive endorsements for several different vendors. It's good to know there are so many reputable options. -Ross On Mon, Oct 1, 2018 at 9:57 PM, Ross Tajvar wrote: > Hi all, > > My US-based employer will be