
Digging Through The Science—And The Noise—On What Is Known About The Origin Of SARS CoV-2

Update: In a new post we find that Shi Zhengli of Wuhan Institute of Virology has provided convincing evidence to Scientific American that SARS CoV-2 is the result of a natural jump to humans from an animal host and was not accidentally released from her lab, which had no isolates of any viruses that match closely enough to be the outbreak virus.

Although it seems that all of this has been going on forever at this point, it’s important to realize that the COVID-19 pandemic outbreak probably began less than six months ago. In the context of how we develop an understanding of a disease like this one, and the virus that causes it, SARS CoV-2, that means that we really have only just begun our analysis. Nevertheless, because of the ongoing disastrous impact on global public health as well as the global economy, it is imperative that we learn as much as we can as fast as we can.

In this post, I want to take a deep dive into what virologists and epidemiologists have pieced together on the emergence of SARS CoV-2. The problem is that what might initially appear to be straightforward scientific and public health questions eventually get muddled by accusations of disinformation, accusations of hiding data and offerings of potential leaks of intelligence that also have a chance to be disinformation. These noisy battles relate to basic facts that have a direct bearing on our understanding of the virus’ origin.

As a result, it needs to be stated from the outset that some of the needed basic information may be hidden, and some of what we think we know might be wrong. This analysis therefore will be unable to come to a definite conclusion. With any luck, the discussion will help us to have a framework within which we can proceed as more facts become verified.

Overview Derived From SARS CoV-2 Genetic Sequence

I want to start with the science. The very helpful graphic below is lifted from this paper in Current Biology. It is in three sections. The section on the left illustrates what we know from the genetic sequence of the virus when it is compared to other known viruses. What it shows is that the closest overall relative to SARS CoV-2, with a sequence identity of 96%, is RaTG13, another coronavirus isolated from a bat:

Let’s move to this Nature Medicine article from March 17 and this Cell article from April 16 for the narrative on diving into the distinguishing features of SARS CoV-2 from its genetic sequence.

From the Nature Medicine article, we get a description of the features of SARS CoV-2 that distinguish it from other known viruses (these features are what the center and right panels of the graphic address):

Our comparison of alpha- and betacoronaviruses identifies two notable genomic features of SARS-CoV-2: (i) on the basis of structural studies and biochemical experiments, SARS-CoV-2 appears to be optimized for binding to the human receptor ACE2; and (ii) the spike protein of SARS-CoV-2 has a functional polybasic (furin) cleavage site at the S1–S2 boundary through the insertion of 12 nucleotides, which additionally led to the predicted acquisition of three O-linked glycans around the site.

To translate some of the terms and clarify a bit, there are four genera of coronaviruses, with alpha and beta infecting mammals and delta and gamma infecting birds. The genome is the genetic sequence of the virus. I would usually say the DNA sequence, but coronaviruses are RNA viruses. There has been much discussion of ACE2 on this blog in the comments, so for now let’s just say ACE stands for angiotensin converting enzyme and ACE2 is present on the surface of many cell types found in many different tissues within the body. So what stands out here is that the structure of the virus spike protein, as determined from its genetic sequence and tests in the lab, allows it to bind exceptionally well to ACE2 when compared to other coronaviruses.

The middle panel of the graphic shows us that although the overall sequence of SARS CoV-2 is very closely aligned to the bat virus, when we narrow the comparison to only the region where the spike protein binds to ACE2, it is a perfect match to that part of a pangolin virus, while it is very different from the bat virus. For this important stretch of the spike protein, the gene encodes a string of five amino acids that matches the pangolin virus sequence at every position but matches the bat virus sequence at only the first of the five positions. (These amino acids are not next to each other when the gene sequence is read from start to finish, but once the protein is assembled from amino acids, they end up close to each other because of the way the protein folds into its three dimensional structure.)

But the final panel and the second half of the Nature Medicine snippet go further in what is different about this virus. The gene for the spike protein encodes two subunits, S1 and S2. Remarkably, SARS CoV-2 has acquired a site where the two subunits can be separated by an enzyme called furin that is found in mammalian cells. The right panel shows us that neither the bat sequence nor the pangolin sequence has a furin cleavage site.

The Cell paper tells us that a furin cleavage site has not been seen in the betacoronaviruses closely related to SARS CoV-2. It has been seen in other human coronaviruses, though. Of further significance is that a furin cleavage site also appears in the more pathogenic bird flu viruses.

Not A Lab Construct

From the Nature Medicine article, we get one of the most convincing arguments I’ve seen against the virus being created in a lab:

While the analyses above suggest that SARS-CoV-2 may bind human ACE2 with high affinity, computational analyses predict that the interaction is not ideal and that the RBD sequence is different from those shown in SARS-CoV to be optimal for receptor binding. Thus, the high-affinity binding of the SARS-CoV-2 spike protein to human ACE2 is most likely the result of natural selection on a human or human-like ACE2 that permits another optimal binding solution to arise. This is strong evidence that SARS-CoV-2 is not the product of purposeful manipulation.

So, in other words, if someone in the lab wanted to set out to make a virus with the best possible ACE2 binding site, this is not the sequence the computer or the literature would have given them. That suggests that this very good binding sequence is a product of natural evolution instead. The Nature Medicine article also further noted that the genetic sequence of SARS CoV-2 differs too much from that of any other known coronavirus sequence for one of the known viruses to have been used as a starting point in engineering this stronger pathogen.

The Species Jump

Perhaps the most important step in the emergence of SARS CoV-2 is the jump from its initial host species to humans. This could have happened directly, or through an intermediate host, as in the case of MERS CoV, which went from bats to camels to humans. Note that MERS still has not adapted to efficient human to human transmission, and so when we see it, it’s usually from multiple camel to human events.

The problem here is that we don’t have proof of the host from which humans were first infected with SARS CoV-2. In other words, no virus isolated from an animal so far is related closely enough at the sequence level to SARS CoV-2 that we can say this is where humans were first infected, as we can tell from the MERS jumps from camels to humans. As we will discuss below, and as you are well aware, early suspicion on the origin of human infection centered on the wet market in Wuhan. Remarkably, authors of the Cell paper visited the market and took these pictures in October 2014 because they were concerned that wet markets in general, and this one in particular, represent a particularly large risk for bringing humans into contact with less commonly encountered hosts of potentially deadly viruses:

The caption properly notes that many early cases are linked to the market, but we don’t yet have proof of where and how the first human infection(s) took place. In discussing the jump and subsequent outbreak, the Cell authors continue:

The emergence and rapid spread of COVID-19 signifies a perfect epidemiological storm. A respiratory pathogen of relatively high virulence from a virus family that has an unusual knack of jumping species boundaries, that emerged in a major population center and travel hub shortly before the biggest travel period of the year: the Chinese Spring Festival.

/snip/

While our past experience with coronaviruses suggests that evolution in animal hosts, both reservoirs and intermediates, is needed to explain the emergence of SARS-CoV-2 in humans, it cannot be excluded that the virus acquired some of its key mutations during a period of “cryptic” spread in humans prior to its first detection in December 2019. Specifically, it is possible that the virus emerged earlier in human populations than envisaged (perhaps not even in Wuhan) but was not detected because asymptomatic infections, those with mild respiratory symptoms, and even sporadic cases of pneumonia were not visible to the standard systems used for surveillance and pathogen identification. During this period of cryptic transmission, the virus could have gradually acquired the key mutations, perhaps including the RBD and furin cleavage site insertions, that enabled it to adapt fully to humans. It wasn’t until a cluster of pneumonia cases occurred that we were able to detect COVID-19 via the routine surveillance system. Obviously, retrospective serological or metagenomic studies of respiratory infection will go a long way to determining whether this scenario is correct, although such early cases may never be detected.

So, the sequence information comes to a dead end here until the details of the epidemiology are reconstructed. As the authors note, it likely will prove impossible to sample many of the most important animals and humans that would clarify the route and timing. It is further worth noting that the bat from which the RaTG13 sequence is derived was found in Yunnan province, a very long way from Wuhan.

Epidemiology

It appears that as of this writing, the earliest known infection may have been a shrimp seller in the wet market who first developed symptoms on November 17. Also, this Lancet article provides further details on some of the early studies showing a high concentration of cases affiliated with the market in December. The Lancet graphic suggests a case on December 1 not affiliated with the market and the start of the market cluster on the tenth, with 27 of the 41 early patients considered there being associated with the wet market. If that December 1 case were indeed the earliest, we might think we’ve seen the index case. But if the South China Post article is to be believed, the shrimp seller fell ill on November 17 and, according to the article, one to five people a day from that day forward had the disease. If we believe that information, then the virus appears to have already been circulating before the middle of November.

It is when we start getting into this information that accusations of hiding information are thrown about. Were there earlier cases that China suppressed or that simply went undetected? We have no way of knowing at this point.

A further point that comes from the Cell paper is that SARS CoV-2 has been circulating long enough that minor variations in the gene sequence are arising that don’t affect pathogenicity but allow for tracing of various lineages of the virus in its spread around the globe. They also note that the lineages allow them to go back in time over the evolution of those sequences and the diversity diminishes a lot as they get back to the early isolates from Wuhan. This is further confirmation for Wuhan being essential in the earliest part of the outbreak.

Accidental Release

It is here that the noise gets really loud. If we accept the really strong evidence that SARS CoV-2 was not deliberately made in a laboratory, there remains the possibility that the virus could have escaped from a laboratory that studies potential pandemic agents.

As long ago as 2004, Rutgers scientist Richard Ebright spoke out against the massive amount of funding that was funneled into research on bioweapons after the 2001 anthrax attacks. From the New York Times:

Dr. Ebright disagrees with much of the security community about how best to protect the nation from attacks with biological weapons.

The government and many security experts say one crucial step is to build more high-security laboratories, where scientists can explore the threats posed not only by deadly natural germs, but also by designer pathogens — genetically modified superbugs that could outdo natural viruses and bacteria in their killing power. To this end, the Bush administration has earmarked hundreds of millions of dollars to erect such laboratories in Boston; Galveston, Tex.; and Frederick, Md., among other places, increasing eightfold the overall space devoted to the high-technology buildings.

Dr. Ebright, on the other hand, views the plans as a recipe for catastrophe. The laboratories, called biosafety level 4, or BSL-4, are costly, unnecessary and dangerous, he says.

“I’m concerned about them from the standpoint of science, safety, security, public health and economics,” he added in an interview. “They lose on all counts.”

Ebright continues:

The labs, Dr. Ebright says, are a perilous overreaction to an inflated threat and will do more harm than good.

Although the threat of biological warfare is real, the weapons used by terrorists are unlikely to be the next-generation agents that the high-security labs are intended to study, he says. Yet by increasing the availability of such pathogens, Dr. Ebright argues, the labs will “bring that threat to fruition.”

“It’s arming our opponents,” he said.

In addition, he says, the laboratories could leak. They could put deadly pathogens into irresponsible hands and they will divert money from other worthy endeavors like public health and the frontiers of biology. Moreover, their many hundreds of new employees would become a pool of deadly expertise that could turn malevolent, unleashing lethal germs on an unsuspecting public.

Note the “leak” bit. The article goes on:

But Dr. Ebright noted that the deadly SARS virus recently escaped from BSL-4 and BSL-3 labs in Taiwan, Singapore and Beijing, in each case setting off minor epidemics that killed or sickened people.

This 2014 paper from the Center for Arms Control goes into detail on two separate escapes of SARS from the same laboratory in Beijing, along with four other documented cases of releases of possibly pandemic pathogens if you care to read further. Suffice it to say that Ebright was right that with the proliferation of these new labs, there would be leaks. So far, they’ve all been accidental instead of the type feared by Ebright where someone from inside a laboratory deliberately releases a pathogen.

With regard to the SARS CoV-2 outbreak, rumors from nearly the very beginning swirled about a lab in Wuhan. There is in fact a level 4 containment lab in Wuhan, and there is also a level 2 lab that I believe is very close to the wet market.

Should there have been an accidental release from either of these labs, at this point we would have to postulate that China has specifically quashed all information relating to this event and kept the laboratory personnel and any close family or other contacts who may have been infected out of the databases of patients.

But that hasn’t stopped the noise. Some aspects of the noise even begin to look to me like an information operation of sorts. Of course, since we don’t know the originator of the operation, we don’t know if it is actual intelligence being leaked or if it is disinformation being sown to add to the chaos.

At any rate, this April 2 column from David Ignatius put the idea of an accidental leak from a Wuhan lab into the Washington Post. Those who follow intelligence community news know that Ignatius is often thought of as a mouthpiece for information the CIA wants disseminated. Are they his source here? Was some other information operative his source?

Then things really heated up on April 15. Here is John Roberts of Fox News asking Trump a question during the April 15 “press conference”:

Wow. That’s an incredibly specific question. It assumes a female intern at the lab who infected a boyfriend and then she (or did he, not clear to me from Roberts’ phrasing) went to the market. Even though this was April 15, I’ve seen no further pushing of this specific version of the story.

But Trump’s response is a bit concerning. Note that he says they’re “hearing that story a lot”, but then makes a really big deal of the word “sources”. Given Trump’s history of spilling classified intelligence, and the constant warnings to him about such leaks compromising “sources and methods”, I almost wonder if that’s a genuine response of his lizard brain to all those warnings. We simply have no way of knowing that or knowing if perhaps those “sources” happen to lie outside the intelligence community and among a circle of wingnuts who have the ears of Trump and Fox News and he’s really proud of them but doesn’t want to divulge them.

That same day, Josh Rogin put out a Washington Post column pushing the leak from a lab story, this time tying it directly to the State Department cables in 2018 about lax biosecurity protocols at the level 4 containment lab in Wuhan that Roberts mentioned. But Rogin didn’t include the specifics about the intern.

I’ve heard nothing further on the intern question, but the general idea of an escape from a Wuhan lab still gets tossed around. Ignatius returned to the idea of an accidental release on April 23. He even talked to Ebright:

“Science is not going to shift this from a ‘could have been’ to a ‘probably was,’ ” messaged Richard H. Ebright, a leading biosafety expert at Rutgers. “The question whether the outbreak virus entered humans through an accidental infection of a lab worker . . . can be answered only through a forensic investigation, not through scientific speculation.” Ebright told me the Chinese government should launch a forensic investigation by reviewing “facilities, samples, records, and personnel.”

Given Ebright’s history of predicting just such an accidental release, I find it very reassuring that he isn’t ready to say that’s what happened. As he rightfully points out, we can only know what happened when detailed information is assembled on the epidemiology of the earliest cases. Only Chinese medical investigators can know whether any laboratory personnel, and especially any family or other close contacts of theirs, appear on the timeline of the early infections. It is also crucial to know where any such infections, if they exist, fall on the timeline in relation to cases affiliated with the wet market.

My gut feeling is that the evidence still very strongly points to the virus originating through the wet market, but I also think the index case there likely goes back even earlier than the November 17 case discussed above, since there are suggestions there were other cases appearing daily by then. Also, it’s hard to imagine that if the official intelligence community had a story as specific as the intern story and had evidence to back it up, that Trump wouldn’t be trumpeting it on a daily basis to deflect the criticism being heaped on his response to the outbreak.

Stay tuned. I suspect the story will take several more turns before we ever reach any level of certainty.

The Orange Injector and the Troubling Tariffs

[NB: Check the byline, thanks. /~Rayne]

He did it again. I am so fed up with this nonsense. This:

is yet another perfect opportunity for someone to game the market and do so in a big way.

Just look at this drop:

One needed only to short the market before it opened on Monday to make huge amounts of money with no effort. And this time even the entire American market could have jumped on this; no more advance notice was required than Trump’s Sunday and Monday tweets.

Believe me, the opportunity tempted me. I could see it coming. I only needed to short the NYSE:DIA using my pre-open trading access and I’d have raked in cash.

But it’s unethical; I can’t make money off people on the wrong side of Trump’s ridiculous foreign policy. It’s more like gambling on a steroid-doped horse and not true investment.

Nothing about Trump’s trade policy makes any sense (not that anything he does makes sense to a rational, ethical, sentient human being). What is the fundamental problem he wants to solve?

…Trump withdrew from the Trans-Pacific Partnership without ever proposing a replacement, and he appeared ready to do the same with the North American Free Trade Agreement (NAFTA). He imposed stiff levies on imported steel and aluminum, leading Canada, China, Mexico, and the European Union to slap the United States with retaliatory tariffs. At the same time, however, his administration ultimately agreed to a renegotiated NAFTA without major changes to the original agreement. It did the same for the U.S. free trade agreement with South Korea. So what signs could reveal his true intentions in 2019?

(source: Understanding Trump’s Trade War by Doug Irwin via Foreign Policy Winter 2019)

This entire paragraph operates on the assumption Trump acted in good faith on NAFTA.

This is the biggest mistake anyone can make about Trump, however. He has never done anything altruistic in his life. Everything he’s done has been transactional. His lack of empathy for others combined with his selfish transactional nature precludes any good faith.

One need only look at his marriages to see his true self. He didn’t make any concerted effort to keep his vows, and when he’d obtained all he wanted from those relationships, he ditched his wives.

Even his Access Hollywood “grab them by the pussy” video revealed this: he believes that if one is a celebrity, one can do anything to a woman. In other words, the woman is receiving the attention of a celebrity in exchange for access to her body.

A transaction. Presence and access is consent as far as he’s concerned.

He is incapable of seeing anything he does as president as action on behalf of the country. In his mind the country already got what it wanted — the attention of a celebrity and his commitment to live in our house.

Rather like a second or third wife, we’re supposed to have gone into this relationship with our eyes open and have already received the best that we’ll get out of this deal. Meanwhile, he’s using our house for his personal aims.

And he’s using our relationship with major trading partners to shake them down for something to his benefit.

Re-read that paragraph from Foreign Policy again, only this time recognize the shakedown, the grift in between the lines. He received something from rattling NAFTA partners even if in the end it looks like nothing changed.

The New York Times published another exposé on Trump’s finances based on transcripts of his IRS filings from 1985 to 1994. In the wake of the article there’s been a lot of chatter about how deeply in debt he was during the period these filings covered. But debt is just a number; it’s all in the accounting. The average American under the age of 40 is also deeply in debt if they’re buying a home, a car or two, and/or paying off the last of their tuition debt. Some of these debtors may tell you they made money and put it in the bank last year, though.

Trump was doing the same thing but at a much larger scale, only without the same consequences upon failure the average American would face:

Mr. Trump was able to lose all that money without facing the usual consequences — such as a steep drop in his standard of living — in part because most of it belonged to others, to the banks and bond investors who had supplied the cash to fuel his acquisitions. And as The Times’s earlier investigation showed, Mr. Trump secretly leaned on his father’s wealth to continue living like a winner and to stage a comeback.

Here’s the bit that jumped out at me from the NYT’s piece:

As losses from his core enterprises mounted, Mr. Trump took on a new public role, trading on his business-titan brand to present himself as a corporate raider. He would acquire shares in a company with borrowed money, suggest publicly that he was contemplating buying enough to become a majority owner, then quietly sell on the resulting rise in the stock price.

The tactic worked for a brief period — earning Mr. Trump millions of dollars in gains — until investors realized that he would not follow through. That much has been known for years. But the tax information obtained by The Times shows that he ultimately lost the bulk of the gains from his four-year trading spree.

Now Trump — or any of his partners/associates/financiers — no longer has to buy stock in a specific company to make money. He can use our house to act like a corporate raider. He can threaten to make or break a deal using the good faith and credit of the United States (instead of his own bad faith) and mess with the entire market.

In addition to Trump’s Sunday tweets, I suspect participants in the US and overseas markets in Asia and Russia could also have traded on Trump’s early Monday morning tweet:

This tweet is pure bullshit. There is nothing factual about it; it displays a gross ignorance about the trade deficit.

Putting aside the rational explanations about the trade deficit, the U.S. must keep in mind that China has been carefully negotiating its recovery after Mao Tse-tung’s Great Leap Forward and a realignment toward a mixed capitalist-communist system. It would be all too easy for the balance to shift reactively toward a more militarized communist system if it had an insufficient demand for its capitalist output.

But understanding this requires a degree of nuance beyond the grasp of the malignant narcissist-in-chief. He can only manage to ponder what’s in it for him.

Trump’s early Monday morning tweet would have been seen at these local times:

4:06 am Washington DC
6:06 pm Sydney Australia
5:06 pm Tokyo Japan
5:06 pm Seoul South Korea
4:06 pm Beijing PRC
11:06 am Moscow Russia

Ample time to jump in between the Sunday tweets and this Monday tweet if one was already holding index shares.

Those of us who didn’t trade on this information, though, went for a roller coaster ride on our hard-earned retirement savings and college funds as they plummeted Monday morning.

And because Trump is using our good faith and credit for his own aims, we can’t be absolutely certain he isn’t running some opaque con for a personal gain we know nothing about. We’re trapped in this vehicle for as long as he wants to run this scam.

And like some of the investors who loaned him money or contractors who worked for him in good faith in the past, we’ll end up holding the bag.

Just stop this crazy thing.

~ ~ ~

Oh, two more things:

First, Steve Bannon needs to be de-platformed. He is deliberately sowing anarchy across the globe by promoting white nationalism. Populism, he calls it, but it’s racist appeals encouraging insurrection and sedition against liberal democracy.

When he encourages Trump’s stupidity toward China it’s not because it’s helpful to the common good. He may say that Trump’s tariff threats are a benefit to the working class but Bannon has no fucking clue how manufacturing actually works. It’s all an abstraction to him that capital might reshore from investment in China to investment here.

Reality looks more like Lordstown, Ohio where General Motors just shut down a plant. The economic changes that led to the closure have been years in the making. It takes years and hundreds of millions in capital investment to plan a new product line to respond to trends in consumers’ tastes including the manufacturing processes required. We’re also in the midst of a massive sea change in transportation, with competing countries shifting entirely to electric cars within the next two decades.

But Trump can tweet damaging nonsense in seconds, smashing those carefully laid-out product manufacturing plans to smithereens.

Which may be the point considering Trump and his minions and financial backers are no fans of organized labor in the U.S.

I’m sure Bannon will assure the workers of Lordstown jobs will be there for them at any moment once the impending trade war with China has settled.

[Note: While I was drafting this post Trump tweeted that GM was selling the Lordstown plant to electric truck manufacturer Workhorse. Now Trump will look like a winner for badgering GM’s CEO Mary Barra when this deal was likely in the offing for some time. Really stupid move on Barra’s part because now he’ll use this as leverage — her call gave him presence and access.]


Second, it may be valuable to note that key problem children who have supported anarchic white nationalism through Trumpism in the US and Brexit in the UK have something in common:

Steve Bannon = former investment banker

Robert Mercer = former co-CEO of hedge fund

Rebekah Mercer = former trader at daddy’s hedge fund

Nigel Farage = former commodities trader

Arron Banks = owner, insurance company

Wilbur Ross = investment banker

Steve Mnuchin = former mortgage securities and hedge fund executive

Imagine them realizing they could make a shit ton of money by injecting planned volatility into the market using Trump (or Brexit) as their injector.

I wouldn’t be surprised if the entire Trump administration was in on this scam. Here’s U.S. Trade Representative Robert Lighthizer about Trump’s latest tariffs on Chinese goods:

“This was Trump acting out on a rainy Sunday in Washington with nothing on the public schedule,” he added. “To paraphrase Lenin: there are decades where nothing happens and there are weeks when decades happen…and then there is a single week in the Trump Presidency. What a time to be alive.”

Head, meet desk.

This is an open thread.

Rattled: China’s Hardware Hack – PRC’s Response

[NB: Note the byline. Portions of my content are speculative. / ~Rayne]

The following analysis includes a copy of an initial response Bloomberg Businessweek received from the Ministry of Foreign Affairs for the People’s Republic of China (PRC) in response to its story, The Big Hack. In tandem with the Bloomberg story this was published on October 4 at this link. PRC’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses to Bloomberg’s story will be posted separately.
__________

People’s Republic of China

China is a resolute defender of cybersecurity.[1] It advocates for the international community to work together on tackling cybersecurity threats through dialogue on the basis of mutual respect, equality and mutual benefit.[2]

[1] It’s hard to argue that PRC does not defend its own cybersecurity resolutely.

[2] There are four themes here, at least:

— collaboration and ongoing dialog, but this requires trust, which is difficult to develop without openness;
— mutuality, which again requires trust;
— equality, an insistence that the footing of those in dialog is level;
— benefit, implying a transactional nature.

This may be a very small paragraph but it is heavily loaded and not for the kind of lightweight, half-assed diplomacy we’ve seen from this administration.

Supply chain safety in cyberspace is an issue of common concern, and China is also a victim.[3] China, Russia, and other member states of the Shanghai Cooperation Organization proposed an “International code of conduct for information security” to the United Nations as early as 2011.[4] It included a pledge to ensure the supply chain security of information and communications technology products and services, in order to prevent other states from using their advantages in resources and technologies to undermine the interest of other countries.[5] We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.[6] —Translated by Bloomberg News in Beijing[7]

[3] What is PRC alleging here? Are they accusing the U.S. of compromising their supply chain? It is difficult for the American public to debate this when it is so opaque, though this comment may be based directly on, as one example, NSA interception of networking equipment destined for use in China.
[4] What was happening between U.S. and Russia at that point in time? PRC acts as if an agreement to this code would happen in a vacuum.
[5] A dig at U.S.
[6] Another dig at U.S.
[7] There has been no apparent demand for correction to any of this translation.

Like Supermicro’s response, this one is very short and effective, giving little away.

Still Rattled: Fallout and Pushback

[NB: Note the byline. Portions of this post may be speculative. / ~Rayne]

The tech industry and technology journalism outlets remain rattled by Bloomberg Businessweek’s The Big Hack article.

Bloomberg Businessweek’s Jordan Robertson and Michael Riley published a second article last Tuesday in which a security expert went on the record about compromised servers with Supermicro motherboards in an unnamed telecommunications provider. Do read the article; the timing of the discovery of the unexpected network communications and the off-spec covert chip fit within the timeline of Apple and Amazon problems with Supermicro motherboards.

The FBI’s and DHS’ responses are also interesting — the first refused to comment and the second offered a tepid endorsement of Apple’s and Amazon’s denials.

The second article hasn’t assuaged industry members or journalists, though, in spite of a source on the record about a third affected entity.

The main criticisms of the Bloomberg piece are:

— No affected equipment or firmware has been produced for review;

— Too much of Bloomberg’s sourcing remains anonymous;

— The claims cannot be validated by other journalists, technology companies, or persons at Apple and Amazon who have been contacted and interviewed by non-Bloomberg journalists;

— Contacts inside the companies in question continue to deny knowledge of the alleged hack, when they don’t express outright confusion about it;

— Apple and Amazon have published firm denials, including Apple’s preemptive letter to Congress.

However,

— Something drove both Apple and Amazon to change their relationship with Supermicro within a fairly tight time frame;

— The uniformity of their early denials in which they avoid mentioning hardware and lean toward web application as a point of conflict is odd;

— Neither of these enormous firms nor Supermicro has filed a publicly visible libel suit against Bloomberg, which would have allowed questioning of Bloomberg’s journalists and sources under subpoena;

— The Securities and Exchange Commission doesn’t appear to have been engaged to investigate the claims (although it’s possible the SEC is on this and may simply not have disclosed this publicly);

— None of the other unnamed companies alleged to have received compromised motherboards have uttered a peep to defend (or rebut) Apple or Amazon.

I have not seen in any reporting I’ve read to date — from either Bloomberg Businessweek in The Big Hack or subsequent articles examining the claims or rebutting them — that any journalist, tech industry member or infosecurity community member has asked whether Apple, Amazon, or the other affected companies ordered customized motherboards or servers with customized motherboards made to their company’s specifications. Supermicro has also said nothing about any possible differentiation between motherboards for different companies which would affect the scenario. The silence on this point is confounding.

This piece in Ars Technica captures many of the concerns other tech news outlets have with the Bloomberg reports. Complaints that software — meaning firmware — is easier to hack than adding off-spec hardware miss two key points.

Made-to-order components or assemblies in Just-In-Time lean manufacturing enterprises make it easier to ensure that adulterated products reach their intended mark because each order represents an identified, traceable batch. Adherence to ISO standards in manufacturing processes may even make traceability easier.

We know Supermicro uses lean manufacturing techniques because it’s in job postings online (lousy pay, by the way, which may also say something).

Does Supermicro use the same lean manufacturing approach overseas? Do any of its suppliers also use lean manufacturing?

In contrast, release of firmware (without corresponding adulterated hardware) to a single target is more difficult to control than hardware — the example given is Stuxnet (excerpt here from Ars Technica).

Why wouldn’t a determined nation-state ensure there was a failover, a Plan B method for accessing specific intelligence from a narrow range of sources instead of betting the farm on one method alone? Given the means to deploy both malicious firmware and adulterated hardware, why wouldn’t they try both?

~ | ~ | ~

In spite of tech industry and journalists’ criticisms of Bloomberg’s reporting, these facts remain:

1 — The technology supply chain has been compromised;

2 — The U.S. government has known about it (pdf);

3 — The U.S. government has not been forthcoming about it or the blacklists it has implemented;

4 — The U.S. government has tried to investigate the compromise but with insufficient success;

5 — Some companies are also aware of the compromised supply chain.

We’re no closer to resolving this question: has the compromise of the supply chain remained limited to counterfeiting, or does the compromise now include altered products?

At what point will the tech industry and infosecurity community begin to take supply chain hacks more seriously?

_________

[AN: I still have to analyze both Apple’s letter to Congress and its second response posted on their website along with Amazon’s published response. More to come./~Rayne]

Rattled: China’s Hardware Hack – SMCI’s Response

[NB: Note the byline. Portions of my content are speculative. / ~Rayne]

The following analysis includes a copy of an initial response Bloomberg Businessweek received from Super Micro Computer in response to its story, The Big Hack. In tandem with the Bloomberg story this was published on October 4 at this link. Super Micro Computer’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses to Bloomberg’s story will be posted separately.
__________

Supermicro

While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard.[1] We are not aware of any customer dropping Supermicro as a supplier for this type of issue.[2]

[1] (a) “we are not aware” “nor have we been contacted” — who is we?

(b) “nor have we been contacted by any government agency” — has Supermicro been contacted by customers or their auditors or their security teams, contract or not, about security problems?

[2] Were one or more of Supermicro’s customers dropped by their customers because of security concerns including problems with firmware? Are any of the customers or customers of customers U.S. government entities?

Every major corporation in today’s security climate is constantly responding to threats and evolving their security posture. As part of that effort we are in regular contact with a variety of vendors, industry partners and government agencies sharing information on threats, best practices and new tools. This is standard practice in the industry today. However, we have not been in contact with any government agency regarding the issues you raised.[3]

[3] Has Supermicro been in contact with any government agency regarding any security issues including firmware updates?

Furthermore, Supermicro doesn’t design or manufacture networking chips or the associated firmware and we, as well as other leading server/storage companies, procure them from the same leading networking companies.[4]

[4] Interesting pointer about networking chips. What other motherboard content does Supermicro not design or manufacture, procuring from other companies? What procured motherboard components have firmware associated with them?

Rattled: China’s Hardware Hack – Amazon’s Response

[NB: Note the byline. Portions of my analysis may be speculative. / ~Rayne]

The following analysis includes a copy of an initial response received from Amazon by Bloomberg Businessweek in response to its story, The Big Hack. In tandem with the Bloomberg story Amazon’s response was published on October 4 at this link. The text of Amazon’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses by Amazon to Bloomberg’s story will be assessed separately in a future post.

This analysis is a work in progress and subject to change.
__________

Amazon

It’s untrue that AWS[1] knew about a supply chain compromise, an issue with malicious chips, or hardware modifications[2] when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI[3] to investigate or provide data about malicious hardware.

[1] Identity – were there ever any third-party contractors or representatives involved in the relationship with Elemental? With Supermicro? Is there more than one Amazon subsidiary entity involved in the evaluation, purchasing, or implementation of Elemental or Supermicro products into Amazon or its subsidiary enterprises? Which entity submitted this denial to Bloomberg Businessweek: Amazon, AWS, or some other subsidiary?

[2] What about evidence of bad or mismatched firmware and firmware updates?

[3] Did any law enforcement, military, or intelligence agency work with Amazon or any of its subsidiaries or contractors to investigate or provide data on hardware which failed to operate to specification or as expected?

We’ve re-reviewed our records[4] relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit[5] that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.[6]

[4] “our records” — whose records and what kind? Identity needs clarification as well as the type of records.

[5] Who is the third-party security auditor? How and why were they engaged?

[6] What about evidence of bad or mismatched firmware and firmware updates?

The pre-acquisition audit described four issues with a web application (not hardware or chips)[7] that SuperMicro provides for management of their motherboards. All these findings were fully addressed before we acquired Elemental. The first two issues, which the auditor[8] deemed as critical, related to a vulnerability in versions prior to 3.15 of this web application (our audit covered prior versions of Elemental appliances as well), and these vulnerabilities had been publicly disclosed by SuperMicro on 12/13/2013.[9]

[7] “web application” — but not firmware?

[8] Is this still the unnamed third-party security auditor or an internal auditor employed by Amazon or a subsidiary?

[9] How was this “publicly disclosed by SuperMicro”? SMCI’s website does not currently have either a press release or an SEC filing matching this date (see screenshots at bottom of this page).

Because Elemental appliances are not designed to be exposed to the public internet, our customers are protected against the vulnerability by default.[10] Nevertheless, the Elemental team had taken the extra action on or about 1/9/2014 to communicate with customers and provide instructions to download a new version of the web application from SuperMicro (and after 1/9/2014, all appliances shipped by Elemental had updated versions of the web application).[11] So, the two “critical” issues that the auditor found, were actually fixed long before we acquired Elemental. The remaining two non-critical issues with the web application were determined to be fully mitigated by the auditors if customers used the appliances as intended, without exposing them to the public internet.[12]

[10] “exposed to the public internet” — did customer data run through Elemental’s Supermicro devices between 2013 and 2015?

[11] What about firmware?

[12] Did customer data still run through devices with the two non-critical issues? Are any machines with these non-critical issues still in production?

Additionally, in June 2018, researchers made public reports of vulnerabilities in SuperMicro firmware.[13] As part of our standard operating procedure, we notified affected customers promptly, and recommended they upgrade the firmware in their appliances.[14]

[13] Researchers at Eclypsium are reported to have told Supermicro of vulnerabilities in January 2018. When was Amazon, AWS, or another Amazon subsidiary notified of these vulnerabilities?

[14] Given the six-month gap between Eclypsium’s notification to Supermicro and the public’s notification, when were the customers of Amazon, AWS, or other Amazon subsidiaries notified of these vulnerabilities?

__________

Screenshots

Supermicro’s SEC filings – last of year 2013:

Supermicro’s press releases – last of year 2013:

Rattled: China’s Hardware Hack – Apple’s Response

[NB: Note the byline. Portions of my content are speculative. / ~Rayne]

The following analysis includes a copy of an initial response received from Apple by Bloomberg Businessweek in response to its story, The Big Hack. In tandem with the Bloomberg story this was published on October 4 at this link. Apple’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses from Apple to Bloomberg’s story will be assessed separately in a future post.

This analysis is a work in progress and subject to change.
__________

Apple

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple.[1] Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them.[2] We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.[3]

[1] Phrasing avoids who made the allegation(s).

[2] “rigorous internal investigations” doesn’t describe what they actually investigated; “each time” refers to investigations AFTER Bloomberg contacted Apple, AFTER 2016 when Apple had broken off relations with Supermicro.

[3] “refuting virtually every aspect” does not mean “every and all.”

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server.[4] Apple never had any contact with the FBI or any other agency about such an incident.[5] We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.[6]

[4] (a) What about problems with firmware updates, including malicious firmware, firmware not issued by Supermicro, or hijacking to firmware upgrade sites not created by Supermicro?

(b) “purposely planted in any server” refers not to Supermicro’s motherboards but to Elemental or other server assemblies.

[5] What about contact with any government agency regarding firmware? What about contact with a third-party entity regarding firmware problems, including security researchers?

[6] This phrasing focuses on law enforcement but not on other possibilities like intelligence entities or non-law enforcement functions like Commerce or Treasury Departments.

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers;[7] Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000.[8] None of those servers has ever been found to hold malicious chips.[9]

[7] (a) What about earlier versions of Bloomberg’s narrative the public hasn’t seen?

(b) Did Siri and Topsy ever share a data farm facility?

[8] (a) Was Siri ever deployed on Elemental brand servers?

(b) Was Topsy ever deployed on Elemental brand servers?

[9] Did any of the servers on which Siri and Topsy were deployed experience firmware problems including malicious firmware, firmware not issued by Supermicro, or hijacking to firmware upgrade sites not created by Supermicro?

As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures.[10]

[10] Is this a statement of current practices or practices during the period of time about which Bloomberg reported? Why did Apple end its relationship with Supermicro?

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs.[11] That one-time event was determined to be accidental and not a targeted attack against Apple.[12]

[11] Gaslighting about the journalists’ credibility. Have there ever been any servers from Elemental or other server manufacturer with “infected drivers,” including the “single Super Micro server in one of our labs”? Were any servers of any make with “infected drivers” in production environments, whether they faced customers or not?

[12] How is an “infected driver” an accident?

While there has been no claim that customer data was involved, we take these allegations seriously and we want users to know that we do everything possible to safeguard the personal information they entrust to us.[13] We also want them to know that what Bloomberg is reporting about Apple is inaccurate.[14]

[13] This is not the same as saying “customer data was not exposed.”

[14] “inaccurate” but not “wrong,” “erroneous,” “false,” or “untrue”?

Apple has always believed in being transparent about the ways we handle and protect data.[15] If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement.[16] Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that’s why we constantly fortify our systems against increasingly sophisticated hackers and cybercriminals who want to steal our data.[17]

[15] Tell us about iPhone encryption.

[16] “an event” is not “events”. “Forthcoming” may not mean “public disclosure” or “reveal that we are under non-disclosure agreements.” “Would work closely with law enforcement” is not the same as “working with intelligence community,” or “working with Commerce/Treasury Departments.”

[17] No specific mention of nation-state actors.

Rattled: China’s Hardware Hack

[NB: Note the byline. Portions of my analysis may be speculative. / ~Rayne]

As I noted in my last Three Things post, information security folks are rattled by the October 4 Bloomberg Businessweek report that extremely tiny microchips may have been covertly embedded in motherboards used by U.S. businesses.

Their cognitive dissonance runs in two general directions — the feasibility of implanting a chip at scale, and the ability of such a chip to provide a viable backdoor to a device.

Hardware security researchers and professionals have been debating manufacturing feasibility and chip ability across Twitter. Joe Fitz’ recent tweet threads suggest implantation of a rogue chip is entirely doable on a mechanical basis though what happens once a chip has been embedded must be assessed from a software perspective. Fitz is not alone in his assessment; other professionals and academics believe it’s possible to insert a ‘malicious’ chip. Computer security academic Nicholas Weaver pointed to small devices which could do exactly what the Bloomberg report suggested if these tiny objects were embedded into motherboards during manufacturing.

The feasibility also requires the right opportunity — a confluence of personnel, manufacturing capability and capacity, timing and traceability. Let’s say a rogue or compromised employee manages to slip chips into a batch of motherboards; which ones? To whom will they ship? How could a rogue/compromised employee ensure the motherboards left the facility undetected?

The Bloomberg report paints the U.S.-based Supermicro plant as a perfect environment in which such hardware infiltration could happen easily. With employees divided by two very different languages — English-speakers far less likely to understand Mandarin-speakers — discussions between multiple rogue/compromised employees could be very easy, as would be the sharing of written instructions. Supermicro’s ISO certifications for standards 9001, 13485, 14001, and 27001 may shed some light on how the company expected to manage two different languages in the same workplace.

One could argue a bilingual workplace shouldn’t pose a challenge given how many companies already use English/Spanish, English/French, or English/German. Compare, however, these words:

English: hardware

German: either hardware or computerhardware

French: either hardware or le matériel

Spanish: either hardware or los equipos

Mandarin: 硬件 (yìng jiàn)

With enough exposure the average English-as-primary-language worker could readily understand the most common western-language words for the equipment they were manufacturing. It would take considerably more investment in education to recognize and understand a pictographic language, making casual quality control difficult.

The environment is even more challenging for mixed language staff in manufacturing plants located in China.

~ | ~ | ~

Let’s look at a timeline of events leading up to the Bloomberg report this week. Note how often the word ‘firmware’ is used in this timeline and in the responses from Apple and Amazon to the Bloomberg story:

1993 — Charles Liang launched Supermicro.

2005 — Defense Science Board warned “trojan horse” chips bought overseas could negatively affect military systems.

2007 — Social search analytics company Topsy founded.

2008 — BusinessWeek reported that fake Chinese-made microchips had entered the military’s supply chain causing system crashes.

2010 — Defense Department bought 59,000 chips, unaware they were counterfeit.

2Q2011 — China denied entry visas to the staff of Senators Levin and McCain for a congressional probe in Guangdong province.

October 2011 — Apple releases Siri.

December 2013 — Apple acquired Topsy.

December 2013 — Supermicro publicly disclosed vulnerability/ies in a web application related to management of motherboards (Amazon response, email Oct 2018)

December 2013 — CBS’ 60 Minutes program aired a story about the NSA in which a plot involving a rogue BIOS had been identified.

First half 2014 (date TBD) — Intelligence officials told the White House that PRC’s military would infiltrate Supermicro’s motherboard production with microchips intended for the U.S. market.

January 2014 — Elemental communicated to existing customers that a new version of the web app was available for download; equipment shipped after this date had updated versions of the web app. (Amazon response, email Oct 2018)

Early 2015 — Amazon launched a pre-acquisition evaluation of startup Elemental Technologies, which used Supermicro motherboards in the servers it made.

Late spring 2015 — Elemental sent several servers to Ontario CAN for testing by third-party security firm. It found non-spec chips on server motherboards. (Bloomberg report)

May 2015 — Apple detected unusual network activity and experienced firmware problems.

Summer 2015 — Apple found non-spec chips on Supermicro motherboards Apple bought from Supermicro. (Bloomberg report)

September 2015 — Amazon announced its acquisition of Elemental.

December 2015 — Apple shut down Topsy.

Mid-2016 — Apple broke off its relationship with Supermicro.

June 2018 — Researchers publicized vulnerabilities found in Supermicro firmware. AWS notified customers and recommended a firmware upgrade. (Amazon response, email Oct 2018)

October 2018 — Amazon, Apple, Supermicro, and PRC submitted responses denying Bloomberg’s report. (Published by Bloomberg)

~ | ~ | ~

Follow-up reporting by other news outlets increases the layers of denial that cloud companies Amazon and Apple were affected by a possible breach of the hardware supply chain.

Some have asked if Bloomberg’s report is merely an attempt to undermine Amazon and Apple, which are the two most valuable companies in the U.S. and in Apple’s case, the world.

It is their value and their place in the stock market along with the customers they serve which may drive some of the denial.

Remember that Amazon’s AWS has provided hosting to U.S. government agencies. Government employees also use Apple iPhones and by extension, Apple’s cloud services. Is it at all possible that in providing services to government agencies these corporations and/or their subsidiaries have been read into programs obligating a degree of secrecy which includes denial of vulnerabilities and breaches which do not affect directly the average non-governmental user of Amazon and Apple products and services?

~ | ~ | ~

There are additional events which appear to have happened independently of the alleged hardware supply chain infiltration. They may be extremely important and highly relevant if looked at from an industry and intelligence perspective.

March 2014 — Freescale Semiconductor lost 20 employees in the apparent crash of Malaysia Air flight MH370 en route to Beijing. The employees were supposed to begin work on a new chip manufacturing facility in China. While Freescale’s chips were not those one might ordinarily associate with server motherboards, it’s worth asking if Freescale at that time had any chips which might have served as server chips, or if they could work as illicit hardware hacks when embedded in a motherboard. Freescale has since been acquired by NXP.

Late 2010 — Beginning in late 2010, China identified and executed a network of U.S. agents within its borders over a two-year period, resulting in the deaths of at least 30 persons and the prosecution of former CIA agent Jerry Chun Shing Lee, who worked as an informant for PRC. The exposure of these spies was blamed in part on a compromised communications system which had previously been used in the Middle East. Due to compartmentalization of the project, it’s reported Lee could not have identified the agents, placing more emphasis on the communications system.

Mid-2011 — China refused visas to staff for Senators Carl Levin and John McCain for the purpose of investigating electronic components manufacturing in the city of Shenzhen in Guangdong province. The congressional probe sought the source of counterfeit parts which had entered the U.S. military’s supply chain; the U.S. Commerce Department reported in January 2010 that 400 companies surveyed “overwhelmingly cited China” as the point of origin for counterfeit parts.

These events spawn more questions when looking at technology supply chain hacking and communications systems which rely on this supply chain.

Did Freescale’s plans to expand production in China pose a risk to the hardware supply chain hack? Or was it simply a fluke that a substantive portion of the company’s manufacturing engineers disappeared on that flight? Though Freescale originated in Austin, Texas, it had had a presence in China since 1992, with at least eight design labs and manufacturing facilities in China as of 2014.

Was the communications system used by doomed U.S. assets in China affected not by tradecraft or betrayal, or even by counterfeit parts, but by the hardware supply chain hack — and at an even earlier date than the timeline of events shown above related to Supermicro’s compromised motherboard production?

Did China refuse admittance to Guangdong province in 2011 related not to counterfeit parts but to the possibility that supply chain hacks beyond counterfeiting alone might be revealed?

Is the supply chain hack reported by Bloomberg part of a much larger security threat which has been slowly revealed but not widely acknowledged because the threat has been viewed through narrow military, or intelligence, or tech industry lenses?

The tech industry may be rattled by allegations that the computer hardware supply chain has been hacked. But the possibility this hack has gone on much longer and with massive potential collateral damage may truly shake them up.

~ | ~ | ~

There is a third train of cognitive dissonance, not limited to information security professionals. Persons outside the tech industry have indulged in denialism, taking comfort in the aggressive pushback by Apple and Amazon which each claim in their own way that the Bloomberg report is inaccurate. (I have an analysis of the early responses by Apple and Amazon; I will also examine later expanded responses as well as Supermicro’s and PRC’s responses as soon as time permits.)

But there have been reports for years about counterfeit electronic components, obstruction of investigations into these components, system failures which could be attributed to hardware or software which do not meet specifications. Cognitive dissonance also resists Bloomberg’s report that as many as 30 U.S. companies were affected, not just Apple and Amazon which have offered up high-profile rebuttals.

And there have been reports in industries outside of cloud services and the military where off specification or counterfeit electronic components have made it into production. One such anecdote appears in a thread at Hacker News YCombinator, discussing credit card payment systems and development of screening systems requiring application of tests using angular momentum to determine if a board has been altered without breaking the board’s tamper-proof seal.

In addition to his early tweets assessing feasibility of malicious or covert off-spec chips added to motherboards, Nicholas Weaver wrote a post for Lawfare about the Bloomberg report.

The Bloomberg story also explains a previous mystery: in 2016, Apple quietly removed all SuperMicro servers from their products due to an unspecified “Security Incident.” At the time the rumor was that SuperMicro provided a sabotaged BIOS—that is, the bootstrap program used to start the computer, another “god mode” target for compromise. Apple denied then that there was any security incident—just as they are denying one now.

This incident once again illustrates the “Coventry problem,” referring to Winston Churchill’s apocryphal decision not to prevent the bombing of Coventry in order to keep secret that British intelligence had decrypted the Enigma machine. Robertson and Riley describe a U.S. intelligence apparatus that knew of these ongoing attacks, but could not effectively notify the affected companies nor provide useful recommendations. If the intelligence community had warned these companies, it would probably have revealed to the Chinese that the U.S. was aware of these activities, as well as potentially compromise an ongoing FBI investigation described in the article.

Weaver called the suspect Supermicro firmware a ‘BIOS’ — the first use of this term across multiple reports covering the Bloomberg report and its aftermath. This change in nomenclature is critical, particularly so given the point he makes about the “Coventry problem.” The term ‘BIOS’ does not appear in the early responses from Apple, Amazon, or Supermicro.

In December 2013, CBS’ 60 Minutes aired a report about the NSA; it appeared at the time to puff up the agency after the publication of Edward Snowden’s leaked documents about the government’s domestic spying using PRISM. Within the story was a claim about a thwarted cyberattack:

Debora Plunkett: One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability— to destroy computers.

John Miller: To destroy computers.

Debora Plunkett: To destroy computers. So the BIOS is a basic input, output system. It’s, like, the foundational component firmware of a computer. You start your computer up. The BIOS kicks in. It activates hardware. It activates the operating system. It turns on the computer.

This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would’ve infected the computer.

John Miller: So, this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do.

Debora Plunkett: That’s right.

John Miller: —and basically turned it into a cinderblock.

Debora Plunkett: A brick.

John Miller: And after that, there wouldn’t be much you could do with that computer.

The description sounds remarkably like a rogue firmware update working in concert with a malicious or covert chip.

The manner in which the NSA handled this report, however, made it look like disinformation. The assessment that such firmware would be used solely to brick a device heightened the FUD around the report, deterring questions about applications other than bricking, such as taking control of the computer or collecting all of its transactions and data. Was the FUD-enhanced release via 60 Minutes the intelligence community’s approach to the “Coventry problem”?

~ | ~ | ~

The problem Bloomberg’s Jordan Robertson and Michael Riley reported is probably much bigger than they described. It is bigger than Supermicro motherboards and firmware, and it is not a problem of the near future but one that has been ongoing for the last decade.

At what point will U.S. industries organize a collective response to both counterfeit and off-specification manufacturing of electronic components overseas? They can’t count on a calm and rational response from the Trump administration given the unnecessary trade war it launched against China.
_____

Disclosure: I have positions in AAPL and AMZN in my investment portfolio.

Three Things: Russia and China Spying, Kavanope

[NB: Yes, it’s Rayne, not Marcy. Check the byline.]

Huge news earlier today related to spying. Really big. MASSIVE.

And a MASSIVE cover-up palmed off on the feeble-minded as a ‘complete investigation‘ into Dr. Ford’s and Deborah Ramirez’s accusations against Brett Kavanaugh.

~ 3 ~

Bloomberg published an epic piece of investigative journalism this morning about China’s spying on U.S. businesses by way of tiny chips embedded in server motherboards. The photos in the story are just as important as the must-read story itself as they crystallize a challenge for U.S. intelligence and tech communities. Like this pic:

That tiny pale obelisk to the right of the penny represents one of the malicious chips found in affected Supermicro brand motherboards shipped to the U.S. market, nearly as small as the numbers in the date on the coin. Imagine looking for something this puny before a machine is turned on and begins to launch its operating system. Imagine trying to find it when it is sandwiched inside the board itself, embedded between the fiberglass layers on which the visible components are soldered.

The chip could undermine encryption and passwords, making any system open to those who know about its presence. According to Bloomberg reporters Jordan Robertson and Michael Riley, the chips found their way into motherboards used by Apple and Amazon.

Information security folks are scrambling right now because this report rocks their assumptions about the supply chain and their overall infosec worldview. Quite a few doubt this Bloomberg report, their skepticism heightened by the carefully worded denials offered by affected and relevant parties Apple, Amazon, Supermicro, and China. Apple provided an itemization of what it believed Bloomberg Businessweek got wrong along with its denial.

I’ll have more on this in a future post. Yes, indeedy.

~ 2 ~

A cooperative, organized response by Britain, The Netherlands, U.S., and Canada today included the indictment of seven Russians by the U.S. for conspiracy, conspiracy to commit wire fraud, wire fraud, aggravated identity theft, and conspiracy to launder money. The Russians have been identified as members of a GRU team organized out of a facility in Moscow, working on hacking and a disinformation influence campaign focused on anti-doping entities and non-Russian Olympic athletic competitors.

Note the underlined bit in this excerpt from the indictment (pdf) — the last indictment I copied with similar wording was that of Evgeny Buryakov and his two comrades, the three spies based in New York City who worked with “Male-1”, now known to be Carter Page. Who are the known and unknown? Persons who have flipped or co-conspirators yet to be named?

The UK released a statement, as did the Canadians, and the Netherlands issued a joint statement with the UK about the entirety of the spying for which this GRU team is believed to be responsible, including an attempt to breach the Organisation for the Prohibition of Chemical Weapons’ (OPCW) facility analyzing the Novichok nerve agent used to poison the Skripals in the UK as well as chemicals used against Syrians.

Cryptocurrency news outlets report concerns that this indictment reveals the extent of USDOJ’s ability to trace cryptocurrency.

An interesting coincidence took place overnight as well: Russian Deputy Prosecutor General Saak Karapetyan died last night when an unauthorized helicopter flight crashed northeast of Moscow. Karapetyan had been linked this past January to Natalia Veselnitskaya and an attempt to recruit Switzerland’s top investigator as a double agent. But Karapetyan had also been involved in Russia’s response to the poisoning of Alexander Litvinenko and the aftermath of the Skripals’ poisoning in the UK.

What remarkable timing.

One might wonder if this accident had anything to do with the unusual release of GRU personnel details by the Dutch Military Intelligence and Security Service (MIVD) and the United Kingdom’s Ministry of Justice during their joint statement today.

By comparing the released identity documents, passports, automobile registrations and the address provided when cars were rented, Bellingcat and The Insider may have identified a total of 305 GRU agents, including four of the seven men wanted by the U.S. for the anti-doping hacking as well as the attempted breach of the OPCW.

The identity of the four GRU agents accused of targeting the OPCW was cinched by a taxi receipt in one agent’s pocket from a location on the road next to the GRU’s facility in Russia. Four agents also had consecutive passport numbers.

What remarkably bad opsec.
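The two opsec failures above, a shared registration address and sequentially issued passport numbers, are exactly the kind of signal an analyst can test for mechanically once a set of records is in hand. The script below is an added example, not code from the original post nor from Bellingcat or The Insider; every name, number and address in it is constructed for illustration and the thresholds (two people per address, two numbers per run) are assumptions. It clusters records by shared address, finds runs of consecutive document numbers, and reports the people flagged by both signals.

```python
"""Cohort leakage in identity records: shared registration addresses and
sequentially issued document numbers.

Added example; the records are CONSTRUCTED and fictitious.
"""
from collections import defaultdict

# Constructed sample records: (name, passport number, registered address).
# The address strings are hypothetical and do not refer to any real site.
RECORDS = [
    ("Ivanov",    "650000101", "Unit Street 20, Moscow"),
    ("Petrov",    "650000102", "Unit Street 20, Moscow"),
    ("Sidorov",   "650000103", "Unit Street 20, Moscow"),
    ("Smirnov",   "650000104", "Unit Street 20, Moscow"),
    ("Orlov",     "650000777", "Unit Street 20, Moscow"),  # same address, unrelated number
    ("Kuznetsov", "123456789", "Oak Lane 5, Moscow"),
    ("Popov",     "987654321", "Birch Road 9, Moscow"),
]


def group_by_address(records, min_size=2):
    """Map each address shared by at least min_size people to the sorted names at it."""
    by_addr = defaultdict(list)
    for name, _, addr in records:
        by_addr[addr].append(name)
    return {addr: sorted(names) for addr, names in by_addr.items() if len(names) >= min_size}


def consecutive_runs(records, min_run=2):
    """Return runs of sequentially numbered documents as lists of (name, number).

    Batch-issued documents tend to carry adjacent numbers, so a run of
    consecutive numbers across different people suggests one issuing event.
    """
    numbered = sorted((int(num), name) for name, num, _ in records)
    if not numbered:
        return []
    runs, current = [], [numbered[0]]
    for prev, cur in zip(numbered, numbered[1:]):
        if cur[0] == prev[0] + 1:
            current.append(cur)
        else:
            if len(current) >= min_run:
                runs.append([(name, num) for num, name in current])
            current = [cur]
    if len(current) >= min_run:
        runs.append([(name, num) for num, name in current])
    return runs


def corroborated(records):
    """Names that appear both in a shared-address cluster and in a consecutive run."""
    at_shared_address = {n for names in group_by_address(records).values() for n in names}
    in_run = {name for run in consecutive_runs(records) for name, _ in run}
    return at_shared_address & in_run


if __name__ == "__main__":
    for addr, names in group_by_address(RECORDS).items():
        print(f"shared address {addr!r}: {', '.join(names)}")
    for run in consecutive_runs(RECORDS):
        print("consecutive numbers:", ", ".join(f"{n} ({num})" for n, num in run))
    print("flagged by both signals:", sorted(corroborated(RECORDS)))
```

On the constructed data the four people with adjacent numbers are the ones who also share the address; Orlov shares the address but not the number sequence and so is reported only by the first check. Either signal on its own is a lead, not proof: neighbours legitimately share addresses and a family applying together will receive adjacent passport numbers, which is why the corroborating view is the one worth acting on.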

~ 1 ~

As for the impending vote on Brett Kavanaugh:

– Senator Heidi Heitkamp is voting her conscience — NO on Kavanaugh.
– Senator Joe Manchin is now the lone Dem holdout; he says he’s still listening but hasn’t seen anything incriminating from Kavanaugh’s adulthood. (Gee, I wonder why.)
– Senator Bob Menendez didn’t mince words. He said “It’s a bullshit investigation.” (He should know what a thorough investigation looks like).

And the beer-loving former Yale frat boy had an op-ed published in the Wall Street Journal which pleads with us to lose all intelligence and believe that he is really very neutral. I am not even going to link to that POS which has re-enraged women all over the country.

GTFO.

Continue calling your senators to thank them for a NO vote on Kavanaugh so that they aren’t hearing right-wing demands alone. Congressional switchboard: (202) 224-3121

~ 0 ~

This is an open thread. Sic ’em.

Hybrid or Ambiguous, Asymmetric Warfare is Here to Stay

[As always, check the byline — this is Rayne with another minority report.]

After the hacking of the U.S. Office of Personnel Management, I wrote in early 2013 about asymmetric warfare. At the time I was puzzled by Americans’ surprise at such an extensive breach of a government asset by China.

We were warned in 1999 by the PRC in Unrestricted Warfare, a book written by two PLA colonels. They told us what they perceived about the U.S.’ defense stance and where they were likely to press given their perception of our weaknesses and strengths.

Our own military processed this warning; it was incorporated into a number of military white papers. The U.S. intelligence community likewise digested the same white paper and military assessments of the same.

And yet the U.S. was not ready for an asymmetric attack.

More disturbingly, we were warned in 2013 — possibly earlier — that Russia was adopting asymmetric warfare. Valery Gerasimov, Chief of the General Staff of the Armed Forces of Russia, wrote a paper discussing the application of “hybrid warfare” or “ambiguous warfare,” partially exemplified in Russia’s 2014 annexation of Crimea.

Our Defense Department analyzed the Gerasimov Doctrine, as it is now known. CNA, a nonprofit research and analysis organization working for DOD, published a paper defining “ambiguous warfare” (pdf):

“Ambiguous warfare” is a term that has no proper definition and has been used within U.S. government circles since at least the 1980s. Generally speaking, the term applies in situations in which a state or non-state belligerent actor deploys troops and proxies in a deceptive and confusing manner—with the intent of achieving political and military effects while obscuring the belligerent’s direct participation. Russia’s actions in Crimea and Ukraine clearly align with this concept, though numerous participants pointed out that it is not a new concept for Russia.

CNA even applied a term used by the U.S. to describe Russia’s military action in Crimea — and yet the U.S. was not ready for an asymmetric attack.

The earlier PRC text, Unrestricted Warfare, elaborated:

War in the age of technological integration and globalization has eliminated the right of weapons to label war and, with regard to the new starting point, has realigned the relationship of weapons to war, while the appearance of weapons of new concepts, and particularly new concepts of weapons, has gradually blurred the face of war. Does a single “hacker” attack count as a hostile act or not? Can using financial instruments to destroy a country’s economy be seen as a battle? Did CNN’s broadcast of an exposed corpse of a U.S. soldier in the streets of Mogadishu shake the determination of the Americans to act as the world’s policeman, thereby altering the world’s strategic situation? And should an assessment of wartime actions look at the means or the results? Obviously, proceeding with the traditional definition of war in mind, there is no longer any way to answer the above questions. When we suddenly realize that all these non-war actions may be the new factors constituting future warfare, we have to come up with a new name for this new form of war: Warfare which transcends all boundaries and limits, in short: unrestricted warfare.

If this name becomes established, this kind of war means that all means will be in readiness, that information will be omnipresent, and the battlefield will be everywhere. It means that all weapons and technology can be superimposed at will, it means that all the boundaries lying between the two worlds of war and non-war, of military and non-military, will be totally destroyed, and it also means that many of the current principles of combat will be modified, and even that the rules of war may need to be rewritten.

In spite of this warning, the U.S. has not been adequately prepared for asymmetric warfare.

More importantly, the U.S. has not grasped what is meant that “all the boundaries lying between the worlds of war and non-war” no longer exist.

We are in a permanent state of non-war warfare.

And we were warned.

If the CNA paper is any indication, the U.S. has been blinded by the lens of traditional warfare. This is an unintended conclusion we can take away from the paper: we are smack in the middle of a debris field in which our entire democratic system has been rattled hard and our president and his dominant political party are in thrall to at least one other country’s leader, without a single traditional combat weapon aimed and fired at our military. Yet the paper on “Russia’s ‘Ambiguous Warfare’” looked at the possible effect such war would have on traditional defense, making only the barest effort to include information warfare. The shoot-down over Ukraine of Malaysia Airlines Flight MH17, carrying EU citizens, offers an example: there is little mention in the paper of Russian and separatist efforts to mask the source of the shooting using information warfare, thereby managing to avoid an official invocation of NATO Article 5.

Perhaps the scale of our traditional defense spending and the commitment to sustaining this spending driven by both states’ economies and by corporatocracy locked us into an unwieldy and obstructive mindset unable to respond quickly to new threats. But PRC warned us in 1999 — we have no excuses save for a lack of imagination at national scale, combined with a detrimental perception of American exceptionalism.

If there is something we can still use in this permanent state of non-war warfare, it is one of the oldest lessons of warfare, transcending place, culture, and tradition:

All warfare is based on deception. … Keep him under strain and wear him down. When he is united, divide him. Attack where he is unprepared; sally out when he does not expect you. … 

— Sun Tzu, The Art of War

What were we not expecting? For what were we not prepared? What form may the next ambiguous attack assume, and are we ready to defend ourselves?

More importantly, what does an effective, ambiguous offense look like?