 So Bloomberg claims there is new evidence of hacked super micro hardware found in US telecom This discovery shows that could China continues a sabotage critical technology components bound for America In maybe you could hear the skepticism my voice So this is part of the Bloomberg China hack story as it's been kind of referred to that our supply chain has been infiltrated and super Micro has been shipping chips that are completely compromised and da da da da This is probably my final video on this unless some incredible thing happens but so far it looks like it's all a bunch of stories And I'll jump to this part of the article I mean I'll leave a link so you can read it, but I thought this was funny They had sepio systems and real quick who sepio systems is they find ghosts in your hardware ghosts put there by other companies You know because they implanted Something they they validate hardware for computers to make sure it was not compromised They have different tools for doing this for keeping the ghosts out of the machines But this part really caught me is a little bit funny Applebomb said one key sign of the implant is that a manipulated ethernet connector has metal sides instead of the usual plastic And I'm like, huh metal I grabbed and there's a reason I'm holding a prop here It's a PCI network card by real tech. These are you know the cheap ones you can find this is particularly a trend net model that I know of it's not compromised but if you're familiar with these they They're metal on the backing so the part and I didn't feel like pulling out a camera But good enough on my webcam here to get the idea the part that surrounds the RJ45 port is metal and it's metal on even the cheapest ten dollar network cards and these old ones that have been around forever and new Ones that I found and this is common. They always seem to be this way So I thought this was a weird statement to put in here like look for metal around the network card Yeah, we're gonna find that it's pretty much on all the servers pretty much universally have metal around them It's part of the reinforcement in the way it's soldered in so Yeah, that statement's a lot, but go on to read and blah blah blah. It's real, but can give us no detail so Allegedly sepia who validates hardware found these scary chips inside of a US telecom through one of their audits It was a client of theirs. They said, oh, yeah, we had to say this is very real I don't doubt that we find these in targeted attacks. So let's outcome razors this Let's just break this down real quick of why I think this is a story supply-to-chain attack great compelling Could really happen something we should be absolutely diligent. Don't let your guard down Yes, there could be a supply chain tech all those things are true that it actually happened is what we're trying to determine Is it plausible lots of things are plausible that's makes good story makes it very believable story That's why we like a lot of books very based on a reality that we live in and it's very plausible Yeah, all these things could happen. This makes a lot of sense But in reality did it happen when you look at the facts It is really difficult to do a supply chain level attack It is the holy grail of hacks because if we could secretly just have backdoors and everything that went out Governments wishes would be that Because now they can just do whatever they want whenever they want to go Hey, we already got the chip in there and we know what this company bought those servers So let's flip the switch turn it on and take over this company's network so we can see what's going inside You would raise every red flag not to mention Attacking at the supply chain level becomes a challenge because you have to trust all the employees not to say anything like hey Who's the weird people coming in and adding extra chips? That's going down the line. You have a lot of pieces of trust that have to be maintained There's a lot of issues with this. It's a very difficult attack to pull off not implausible difficult Let's look at Bob and accounting send him a phishing email. We're in Read any books on hacking we look through any debriefs on hacks that went through and went down They find that someone internally at the company somewhere click the link and the hackers got in That is the most common scenario targeted attacks targeted Directly at someone you know works at a place so they can infiltrate it It's the most likely scenario for how any attack has happened and it's much easier now Targeted attacks against hardware do occur and we've seen this Snowden talked about this And what those are is when we know a shipment of servers is going somewhere one of the government agencies foreign or domestic here in the u.s targets those servers Take some apart adds whatever they want software hardware whatever thing they're going to do and Gets in their systems and hopefully that company doesn't have any outbound monitoring to see weird data leaving your system And we know that attack has occurred And it's going to be denied by both sides and that's a more plausible way to do it versus infiltrating the company from the raw At the super micro level and hoping those servers get distributed everywhere I mean i've read that there is some knowledge if you work inside a super micro and you have an inside guy who goes Oh, yeah, sony just ordered 200 servers at and t just ordered 200 servers You're going to want to add your chips to these But they're more likely to be added after they leave the factory and things like that statistically not saying they were That's a more plausible thing. But as we know how most hacks occur It's still the old spy techniques. It's still targeting the person who works at the company Getting someone hired who's an undercover person to work at the company and leak out the secrets These are all way more plausible Easier to pull off back to the actum's razor thing Everything would say that is the way to do it. It's less resource intensive and more likely to happen now Back to the story here. I'm going to say don't rip out your super micro stuff I just don't see this Any more credible so it's been a few days since this came out the only update they've given us this they've sent us Nowhere they gave us no leads. They've given us no hardware to look at. I'm not saying you need to reveal your sources I'm saying you could easily say Look for xyz model chip and look for extra hardware or use a firmware detection to do this Then you have something you have something we can look at and if we really are under threat They should be doing that that would be proper due diligence because We have a time bomb if that gets out in the public We have to disclose it so we can figure out how to mitigate it So if there is a secret firmware and you're just waiting and there's a command you send and it's easy Well, we need to know about it now because eventually the bad guys will figure it out because unfortunately the information doesn't stay secret for long And these back doors if they exist Someone else may find ways to activate them and that would be terrible and cause the attack on our infrastructure So if the evidence actually is as real as they're saying You can whisper out there into the channels into the security researchers who will have a mitigation for this problem And we will work on it. I don't think it's real. None of this has come forward. None of this has happened and We've seen joe fits. Uh, he did an interview with the risky business podcast He was one of the name sources. He says doesn't sound You know, he even kind of hinted that it was all taken out of context from the letter that he sent to the editor Tavis Ormandy doesn't seem to care much for it either and he is an amazing security researcher He works over at google's project zero right now and just He is someone that I look to for some of these. I've also looked at bruce neyer clubs on security There's a lot of security industry people who are talented at this who are going show us show us show us and Nothing Tavis actually tweeted and I'll leave a link to this because he talked about even how Sepio systems systems work and how they intercepted it So it is even less clear on how they got knowledge of it. He's actually made a few tweets I thought this was interesting. So leave a link to that too if you're curious what this is The sepio solution for things which as he tweeted apparently this product from bloomberg source is selling I had to find a specs and archive drug because their website doesn't work Well, yeah, so kind of a mystery box. Like I said, they get the ghost on machine I don't know anything good or bad about sepio systems But you know, it feels like a corporate company that markets to other corporate companies It puts ghosts on chips because that's what scares corporate people. I don't know I also thought it was weird. It says dreams time. Is this a stock photo? Well, I guess it is a stock photo. It still says dreams time on it. So I found it on a stock photo Which irony is they apparently this one doesn't say dreams time on it. So is that Isn't dreams times a stock photo place? Yes, dreams time is a stock photo place can confirm So I thought I thought that's who they were. So apparently this company is uh been featured in Lots of places, but can't buy stock. I'm sorry. I'm not trying to pick on the credibility of these companies, but really you're using Not purchased stock photos. Anyways, I won't rant about that. That's a completely separate thing I'm not trying to tear them down. Okay. Maybe I'm gonna poke fun at them a little bit for using Stock images that they didn't buy on your website for a commercial product that charges a lot of money Anyways, well, I'm done ranting about this. I'll leave links to all the stuff I just talked about. I don't think Bloomberg is going to provide us any more evidence This story is going to go by the wayside. I think it may be one reporter Really excited who doesn't understand technology who took things out of context. I'll give them the benefit of the doubt But I don't rip out your super micros I don't it did a lot of stock manipulation could have gone on here There could be a lot of other things going on but from the technology standpoint, it doesn't make sense for this attack It's a good story. It's a compelling story. I think supply chain is a huge risk But I don't think that's how this actually occurred and how it went down It's just a story still with no evidence if there was evidence Someone would have stepped forward someone would have found it If Bloomberg wants to keep your credibility, they would have pointed us in it. But yeah, that's it for now That's all I have to say about this in my last video. I think I'll be doing unless something incredible happens, which I don't think it will Thanks Thanks for watching if you like this video, go ahead and click the thumbs up Leave us some feedback below to let us know any details what you like and didn't like as well Because we love hearing the feedback or if you just want to say thanks Leave a comment if you wanted to be notified of new videos as they come out Go ahead and hit the subscribe and the bell icon that lets youtube know that you're interested in notifications Hopefully they send them as we've learned with youtube Anyways, if you want to contract us for consulting services You go ahead and hit launch systems.com and you can reach out to us for all the projects that we can do and help You we work with a lot of small businesses it companies even some large companies And you can farm different workout to us or just hire us as a consultant to help design your network Also, if you want to help the channel in other ways we have a patreon We have affiliate links you'll find them in the description You'll also find recommendations to other affiliate links and things you can sign up for on laurance systems.com Once again, thanks for watching and i'll see you in the next video