On 04/10/2018 20:26, William Herrin wrote:
> On Thu, Oct 4, 2018 at 3:07 PM Denys Fedoryshchenko <denys@visp.net.lb> wrote:
>> It would be better for them (AMZN, SMCI, AAPL) to prove that these
>> events did not take place - in court.
> "Can't prove a negative."

You can in effect do so by suing for defamation. It's then up to the person who has made allegedly defamatory claims to prove their claims. If they can't prove their claims in court then the claims are, in effect, proven to be false.

However, I'm not sure that Amazon, Apple or Supermicro have actually been defamed by the article in question. In other words, there could be nothing to sue for. The PLA and Chinese government would have been defamed (if the claims are untrue) but that's a different matter. Any lawyers want to offer an opinion?

> The Bloomberg article described them as looking like "signal
> conditioning couplers" on the motherboard. There is no such part on
> server boards but maybe they meant optoisolators or power conditioning
> capacitors. The former is a hard place to tweak the BMC from without a
> high probability of crashing it. The latter doesn't touch the data
> lines at all.

The mystery object in the pictures in the article seemed to me to (sort of) resemble a surface mount power conditioning capacitor. Note that there was no suggestion that the mystery objects were connected in place of capacitors; the article merely claimed that they were visually disguised. They would obviously have to connect to data lines somewhere to do what is claimed.

> They also quoted someone describing such a hack as being "like
> witnessing a unicorn jumping over a rainbow." I agree.

It doesn't seem so unreasonable to me. If true, this is not a matter of fitting the mystery components to random hardware and hoping that they go somewhere useful. Instead, these were specific models of hardware being manufactured for specific customers for use in specific locations/roles. In other words, it was near-guaranteed that the hardware (or at least some of it) would end up being used in a location that carried 'interesting' target data. As such, this would be, if true, an example of very carefully targeted espionage, not some random lucky miracle.

-- 
Mark Rousell