Watch this episode on YouTube.
Reasonably Accurate 🤖🧠 Transcript
Morning everybody. How are you doing today? Um Interesting one on the books today. Uh We're gonna talk about this absolutely earth shattering report that came from Bloomberg uh yesterday about a possible hardware supply chain attack. Now, the report alleges and numerous anonymous sources behind it that a company called Super Micro, which is actually one of the largest motherboard manufacturers on the planet inserted unauthorized chips into various customers products that gave access to a third party.
So basically, they put a hardware hacking device on these orders and they named some pretty big names. They called out saying that Apple was a customer and that Elemental, which is a video processing company that had some rather large government contracts and was eventually acquired by Aws was also a customer. Now, a couple of interesting things about this, actually a mountain of interesting things about this.
One of the biggest is the fact that all the companies named are issuing vehement denials to the point where Csos are putting their names on the line saying no, this never happened. We told the reporters repeatedly, this never happened yet. Bloomberg obviously has a strong reputation. They also have an army of lawyers. So there's going to be a lot of, he said, she said there's an interesting journalistic integrity thing calling out here and I don't want to dive into that because that's not very productive, that's going to play out over the next few days and weeks.
What I think is really interesting is even just the concept of a hardware supply chain attack. Now, a lot of what we do in security is built on. I don't want to say trust but trust because when you are building out certain security controls, you trust that they work in a certain manner. Now, hopefully you're testing that we never assume anything insecurity, we always want to verify.
So trust but verify. But when your fundamental platform that processes things is compromised, that causes a huge amount of issues. You'll see in regards to this Bloomberg story, you're going to see a number of security experts, people like Kate Missouris who's well respected in the community, quoting out some of the impacts and those impacts are, you know, if you can't trust the hardware you're running on or all the software controls built up with the assumption that the hardware platform will actually execute them or, and if it doesn't and goes around, there's no way for software to detect that.
And that's really one of the biggest challenges we've dealt with that in virtualization. We've dealt with that in the cloud as well is that there's this, you're building up a set of security controls to match the value of the data in your, in your deployment. And you need to be aware of what the risks are that they could be subverted.
And in this case, I'll give you an example that actually doesn't relate to this case, but it helps explain it. So when we talk about encrypting at the application layer. So for web applications, that's the HTTP s that's the lock in your browser. The reason why we suggest encrypting up at that level, which is really high up after a whole bunch of things have happened, you know, like a physical networking connection, communications across that wire to establish a connection between two points, moving it up the chain through the operating system.
And a whole bunch of other things, we suggest that the application layer because that prevents any compromise at the lower levels, it reduces the risk of the impact of any of those compromises, it doesn't prevent, it reduces the risk. So if I'm encrypting at the very top of the stack, so just my application and your application can un encrypt that then everything in between, even if they capture those communications, they have to break that encryption.
It's a similar thing while we talk about end to end encryption in messaging apps, things like whatsapp, things like signal telegram. The reason why end to end encryption is so important is because it assumes me and you the only two devices that have the encryption keys to access the conversation. That's everything else below, even if they capture that conversation or they divert that network traffic somewhere else as a copy stream, no matter what they do, they have to deal with this encrypted packet.
So this is a concept in security we talk about is defense in depth. It's also secured by design and it's also understanding the environment in which you're executing. So the scary thing about a hardware supply chain attack is that a lot of people just simply don't consider it, they don't work through some of the issues and they don't realize that a compromised hardware platform or the extent of the impact of compromised hardware platform could have.
And when you're talking about your baseline servers and the motherboard on that server being compromised at a hardware level, everything that you do in the OS has the potential potential of being compromised. Because if your hardware is compromised, anything you do do in crypt. So if we do that same thing that end to end point, the memory on that server could potentially be accessed because memory at the end of the day is a physical and this hardware hack is a physical thing and it could access, could bypass the route around some protections and access that memory directly.
So now the technical complexity of an attack like this is absolutely off the charts. So it's unlikely that it can actually occur but it is possible for some really sensitive applications. And that's why I think the report called out Elemental Pre Aws and Apple, they handle some sensitive data. So this is going to be really interesting to see how this plays out from a story perspective, but from a hardware supply chain attack, that's why people are so concerned because it's extremely difficult to defend against the hardware we build is extremely complicated.
So the vast majority of manufacturers is whether they're in us, Canada Europe have their stuff built in Asia Pacific. And the reason being is that that's where the great factories are. That's where the factory is capable of hitting the volume of scale the quality needed are because when you do something like ac pu there's trillions of transistors on that CPU and having a few extra gates in there trying to find that post production is almost impossible.
So it's really difficult to verify the validity of the hardware, which is why this kind of attack is so scary because now you aren't sure about the, if there's a hardware intercept on your devices and then how do you handle that in software? You can't really handle the theoretical in software. Now, this is an extreme attack.
This is extremely involved, it's resource intensive, it would take a mountain of effort and resources to pull it off, to target it and pull it off. So again, security is always this compromise between business value and cost to defend the data versus costing of attacking it. This was not done. We're going to see a lot of stuff, but that's a little bit of insight as to why hardware and supply chain attacks are so terrifying that the security community are so difficult to defend against.
What do you think? Let me know, hit me up online at marknca for those of you in the vlog in the comments down below. And as always by email me@markn.ca, I hope you're set up for a fantastic Friday and a great weekend. It's a long weekend for me. So I'll be back on the air on Tuesday.
Um Hope you have a good one. I'll talk to you online and uh on the show next week.
