Everybody does it: The messy truth about infiltrating computer supply chains https://theintercept.com/2019/01/24/computer-supply-chain-attacks/
@micahflee Bloomberg's story is complete bullshit. The fact that you lead with it makes it impossible for me to read the rest of the article.
@micahflee Because it destroys your credibility to lead with an article that has been so thoroughly debunked by the Infosec crowd.
The #35C3 talk on supply chain attacks and hardware implants concluded that it's possible, just on a different step than Bloomberg suggested. I can totally see Bloomberg messing up which step the implantation happened at, but the story still being mostly true.
Also, nobody sued Bloomberg over it. Which would be surprising if the story was completely false.
@freakazoid @micahflee and here's the talk in question: https://media.ccc.de/v/35c3-9597-modchips_of_the_state
This is the same problem as with UFO sightings: multiple pieces of flawed evidence combined with experts saying it's possible don't add up to proof.
Until Bloomberg comes up with real evidence, I think their story should be ignored.
I'm probably overstating things to say it's been "debunked". But here's the problem: their only source is someone who stands to make a lot of money from people being worried about supply chain attacks, because that's his company's product. Their other source has expressed doubts about the claimed attack.
Yes, it's possible. But Bloomberg's reporting is super sloppy, and lots of people have called bullshit on it.
@freakazoid I appreciate that.
"The Intellipedia page also stated that, beginning in 2002, France’s intelligence agency, #DGSE, “delivered #computers and #fax equipment to #Senegal’s security services and by 2004 could access all the information processed by these systems, according to a cooperative source with indirect access.”"
@micahflee "supply chain attacks are a well-established, if underappreciated, method of surveillance — and much work remains to be done to secure computing devices from this type of compromise."