U.S. Republican senator seeks briefings on reported China hacking attack

WASHINGTON (Reuters) – The top Republican on the Senate Commerce Committee has asked Apple Inc, Amazon.com Inc and Super Micro Computer Inc for staff briefings about a Bloomberg report that the Chinese government implanted malicious hardware into server motherboards provided by Super Micro.

FILE PHOTO: Senator John Thune (R-SD), chairman of the Senate Commerce, Science and Transportation Committee, questions executives from AT&T, Amazon, Google, Apple and Twitter on safeguards for consumer data privacy in Washington, U.S., September 26, 2018. REUTERS/Joshua Roberts/File Photo

Senator John Thune said in letters to the chief executives made public on Tuesday that he had sought staff briefings by Oct. 12 from the three companies.

“Allegations that the U.S. hardware supply chain has been purposely tampered with by a foreign power must be taken seriously,” Thune wrote.

The companies did not immediately comment on Tuesday on Thune’s letter. All have denied the report, published by Bloomberg Businessweek on Thursday.

Separately, Republican Senator Marco Rubio and Democratic Senator Richard Blumenthal wrote to Super Micro’s chief executive, Charles Liang, and asked him to provide by Oct. 17 information including when the company first became aware of the report and whether and how it investigated.

“If this news report is accurate, the potential infiltration of Chinese backdoors could provide a foothold for adversaries and competitors to engage in commercial espionage and launch destructive cyber attacks,” the senators said in their letter, which was seen by Reuters.

Apple’s top security officer, George Stathakopoulos, told Thune and other members of Congress in a letter on Sunday that the company had found no sign of suspicious transmissions or other evidence that it had been penetrated in a sophisticated attack on its supply chain.

Stathakopoulos said he would be available for briefings this week.

Reporting by David Shepardson and Patricia Zengerle; Editing by Bill Rigby and Darren Schuettler

Amazon scraps secret AI recruiting tool that showed bias against women

SAN FRANCISCO (Reuters) – Amazon.com Inc’s (AMZN.O) machine-learning specialists uncovered a big problem: their new recruiting engine did not like women.

FILE PHOTO: Brochures are available for potential job applicants at “Amazon Jobs Day,” a job fair at the Amazon.com Fulfillment Center in Fall River, Massachusetts, U.S., August 2, 2017. REUTERS/Brian Snyder/File Photo

The team had been building computer programs since 2014 to review job applicants’ resumes with the aim of mechanizing the search for top talent, five people familiar with the effort told Reuters.

Automation has been key to Amazon’s e-commerce dominance, be it inside warehouses or driving pricing decisions. The company’s experimental hiring tool used artificial intelligence to give job candidates scores ranging from one to five stars – much like shoppers rate products on Amazon, some of the people said.

“Everyone wanted this holy grail,” one of the people said. “They literally wanted it to be an engine where I’m going to give you 100 resumes, it will spit out the top five, and we’ll hire those.”

But by 2015, the company realized its new system was not rating candidates for software developer jobs and other technical posts in a gender-neutral way.

That is because Amazon’s computer models were trained to vet applicants by observing patterns in resumes submitted to the company over a 10-year period. Most came from men, a reflection of male dominance across the tech industry.

(For a graphic on gender breakdowns in tech, see: tmsnrt.rs/2OfPWoD)

In effect, Amazon’s system taught itself that male candidates were preferable. It penalized resumes that included the word “women’s,” as in “women’s chess club captain.” And it downgraded graduates of two all-women’s colleges, according to people familiar with the matter. They did not specify the names of the schools.

Amazon edited the programs to make them neutral to these particular terms. But that was no guarantee that the machines would not devise other ways of sorting candidates that could prove discriminatory, the people said.

The Seattle company ultimately disbanded the team by the start of last year because executives lost hope for the project, according to the people, who spoke on condition of anonymity. Amazon’s recruiters looked at the recommendations generated by the tool when searching for new hires, but never relied solely on those rankings, they said.

Amazon declined to comment on the recruiting engine or its challenges, but the company says it is committed to workplace diversity and equality.

The company’s experiment, which Reuters is first to report, offers a case study in the limitations of machine learning. It also serves as a lesson to the growing list of large companies including Hilton Worldwide Holdings Inc (HLT.N) and Goldman Sachs Group Inc (GS.N) that are looking to automate portions of the hiring process.

Some 55 percent of U.S. human resources managers said artificial intelligence, or AI, would be a regular part of their work within the next five years, according to a 2017 survey by talent software firm CareerBuilder.

Employers have long dreamed of harnessing technology to widen the hiring net and reduce reliance on subjective opinions of human recruiters. But computer scientists such as Nihar Shah, who teaches machine learning at Carnegie Mellon University, say there is still much work to do.

“How to ensure that the algorithm is fair, how to make sure the algorithm is really interpretable and explainable – that’s still quite far off,” he said.

MASCULINE LANGUAGE

Amazon’s experiment began at a pivotal moment for the world’s largest online retailer. Machine learning was gaining traction in the technology world, thanks to a surge in low-cost computing power. And Amazon’s Human Resources department was about to embark on a hiring spree: Since June 2015, the company’s global headcount has more than tripled to 575,700 workers, regulatory filings show.

So it set up a team in Amazon’s Edinburgh engineering hub that grew to around a dozen people. Their goal was to develop AI that could rapidly crawl the web and spot candidates worth recruiting, the people familiar with the matter said.

The group created 500 computer models focused on specific job functions and locations. They taught each to recognize some 50,000 terms that showed up on past candidates’ resumes. The algorithms learned to assign little significance to skills that were common across IT applicants, such as the ability to write various computer codes, the people said.

Instead, the technology favored candidates who described themselves using verbs more commonly found on male engineers’ resumes, such as “executed” and “captured,” one person said.

Gender bias was not the only issue. Problems with the data that underpinned the models’ judgments meant that unqualified candidates were often recommended for all manner of jobs, the people said. With the technology returning results almost at random, Amazon shut down the project, they said.

THE PROBLEM, OR THE CURE?

Other companies are forging ahead, underscoring the eagerness of employers to harness AI for hiring.

Kevin Parker, chief executive of HireVue, a startup near Salt Lake City, said automation is helping firms look beyond the same recruiting networks upon which they have long relied. His firm analyzes candidates’ speech and facial expressions in video interviews to reduce reliance on resumes.

“You weren’t going back to the same old places; you weren’t going back to just Ivy League schools,” Parker said. His company’s customers include Unilever PLC (ULVR.L) and Hilton.

Goldman Sachs has created its own resume analysis tool that tries to match candidates with the division where they would be the “best fit,” the company said.

Microsoft Corp’s (MSFT.O) LinkedIn, the world’s largest professional network, has gone further. It offers employers algorithmic rankings of candidates based on their fit for job postings on its site.

Still, John Jersin, vice president of LinkedIn Talent Solutions, said the service is not a replacement for traditional recruiters.

“I certainly would not trust any AI system today to make a hiring decision on its own,” he said. “The technology is just not ready yet.”

Some activists say they are concerned about transparency in AI. The American Civil Liberties Union is currently challenging a law that allows criminal prosecution of researchers and journalists who test hiring websites’ algorithms for discrimination.

“We are increasingly focusing on algorithmic fairness as an issue,” said Rachel Goodman, a staff attorney with the Racial Justice Program at the ACLU.

Still, Goodman and other critics of AI acknowledged it could be exceedingly difficult to sue an employer over automated hiring: Job candidates might never know it was being used.

As for Amazon, the company managed to salvage some of what it learned from its failed AI experiment. It now uses a “much-watered down version” of the recruiting engine to help with some rudimentary chores, including culling duplicate candidate profiles from databases, one of the people familiar with the project said.

Another said a new team in Edinburgh has been formed to give automated employment screening another try, this time with a focus on diversity.

Reporting By Jeffrey Dastin in San Francisco; Editing by Jonathan Weber and Marla Dickerson

7 Strategies to Maximize Your Productivity While Traveling

Whether you hate the idea of traveling or you actually look forward to it, it’s hard to deny that travel can sabotage your productivity–at least temporarily. It takes hours of planning and coordination to prepare for some trips, and hours to navigate airports, not to mention the actual time you spend traveling.

It can make a full day of responsibilities feel like a waste, and put you behind on achieving your goals. Fortunately, there are some helpful strategies that can make you more productive–no matter how you’re traveling.

Try using these tactics to get more done when you’re setting course on a major trip:

1. Get used to a different sleep cycle.

One of the biggest sources of productivity disturbance while traveling is the disruption in your sleep cycle. Depending on where you travel to, you could be dealing with timezone changes and jet lag, and you may not be able to get a comfortable eight hours of sleep when you’re used to getting it.

Instead, you can try a biphasic cycle or an everyman cycle, which rely on split patterns to break up your time sleeping; that way, travel may not have as big of an impact on you. The caveat here is that it takes time to get used to a new sleep cycle, so it’s best for frequent travelers only.

2. Take a private jet.

One of the biggest sources of time delay while traveling is navigating the airport; going through customs, waiting to board the plane, dealing with delays, etc., can add several unnecessary hours to your trip.

Taking a private jet allows you to circumvent most of these problems–and it’s cheaper than you think. If a few hundred dollars can save you literally hours of time, and afford you a better workspace when you’re flying, it’s likely worth the extra money.

3. Look for coworking spaces when you arrive.

Coworking spaces are popping up everywhere, so you shouldn’t have trouble finding one at your destination. Instead of going straight to a hotel or meeting, check into one of these productivity hubs; you’ll be able to get coffee, work in a peaceful environment, and if you’re up for it, socialize with other people who may be in similar situations. It’s a great way to both decompress and get more work done, so take advantage of it.

4. Rely on audio.

While you’re driving, navigating the airport, or dealing with a lack of lighting or Wi-Fi, you won’t be able to work on your most important heads-down tasks–but that doesn’t mean you can’t be productive.

Try focusing on audio-specific tasks when you can, listening to recordings of old meetings to prepare for the future, catching up on your favorite industry podcasts, and listening to audiobooks that can improve your skills or expand your professional horizons. There’s no shortage of audio content to plunder, so make good use of it.

5. Prepare travel-specific tasks.

While traveling, you won’t be able to do tasks that require multiple monitors, or meet with your teammates in person. You’ll have limited space, and in some cases, limited Wi-Fi connectivity.

Prepare tasks that you can work on under these conditions, so you don’t run out of things to do. As long as you have a few days’ heads-up, you can handle your least travel-friendly tasks in advance, and set yourself up to work offline for the next several hours.

6. Say “no” and delegate.

New things are going to come to your attention before and during your travel; for example, you might get a client email requesting a change to a piece of work you submitted. If this is the type of work that can’t be done efficiently when traveling, don’t bend over backwards trying to do it; instead, tell them you’re traveling, and not able to do it right now.

If it’s an emergency, or if you won’t be able to get to it for a while, consider delegating it to someone who can handle it.

7. Rest (if you can).

To some people, sleeping may seem like the opposite of productivity. But in reality, sleeping is one of the best things you can do for your mental energy and cognitive capacity. It can even reduce your susceptibility to illness and improve your overall physical health.

Accordingly, if it’s possible for you to take a nap during a long flight or car ride, take advantage of the opportunity. Use a face mask, a neck pillow, or some comforting white noise from your headphones–whatever you need to get some extra shuteye when you’re between destinations. You’ll thank yourself later.

Finding Your Own Style

Not everyone is going to travel the same way. For example, some people may not be able to read while in a vehicle, and some may have trouble sleeping on airplanes. The goal isn’t to fall in line with a series of productive habits, but rather to craft your own habits to maximize your personal productivity. Learn which strategies and actions suit you best, and customize your own set of approaches.

Walmart partners with MGM to boost video-on-demand service Vudu

NEW YORK (Reuters) – Walmart Inc (WMT.N) said on Monday it would partner with U.S. movie studio Metro Goldwyn Mayer to create content for its video-on-demand service, Vudu, which the retailer bought eight years ago.

FILE PHOTO: Walmart signage is displayed outside a company’s store in Chicago, Illinois, U.S. November 23, 2016. REUTERS/Kamil Krzaczynski

Walmart has been looking to prop up Vudu’s monthly viewership that remains well below that of competitors like Netflix Inc (NFLX.O) and Hulu LLC, which is controlled by Walt Disney Co (DIS.N), Comcast Corp (CMCSA.O) and Twenty-First Century Fox Inc (FOXA.O).

Media outlets had reported the Bentonville, Arkansas-based company was looking to launch a subscription streaming video service to rival that of Netflix and make a foray into producing TV shows to attract customers.

Walmart is not planning such a move, company sources have told Reuters. The retailer continues, however, to look for options to boost its video-on-demand business and offer programs that target customers who live outside of big cities.

Walmart and MGM will make the announcement at the NewFronts conference in Los Angeles on Wednesday. It will include the name of the first production under the partnership, which Walmart will license from MGM.

“Under this partnership, MGM will create exclusive content based on their extensive library of iconic IP (intellectual property), and that content will premiere exclusively on the Vudu platform,” Walmart spokesman Justin Rushing told Reuters.

The focus will be on family-friendly content that Walmart customers prefer, Rushing said.

The financial terms of the deal were not disclosed.

Licensing content is a cost-effective strategy at a time when producing original content has become a costly venture. As of July, Netflix said it was spending $8 billion a year on original and acquired content. Amazon.com Inc’s (AMZN.O) programming budget for Prime Video was more than $4 billion, while U.S. broadcaster HBO, owned by AT&T Inc (T.N), said it would spend $2.7 billion this year.

Walmart acquired Vudu in 2010 to safeguard against declining in-store sales of DVDs. Walmart bet that customers would continue to buy and rent movies and move their titles to a digital library, which Vudu would create and maintain for viewers.

But the video site has not posed a significant challenge to rivals that dominate the segment even though it is pre-loaded or can be downloaded to millions of smart televisions and video-game consoles.

Vudu offers 150,000 titles to buy or rent, while its free, ad-supported streaming service, called Movies On Us, includes 5,000 movies and TV shows.

There are currently more than 200 video services that bypass cable providers and stream content directly to a TV, laptop, phone or game console. That is up from 68 five years ago, according to market researcher Parks Associates.

Reporting by Nandita Bose in New York; Editing by Peter Cooney

Microsoft Suspends Windows 10 Update Rollout After Users Report Deleted Files

Microsoft delivered its October Windows 10 update this week, but it didn’t exactly go as planned.

Microsoft had to pause its software update after some users reported that their files were inadvertently being deleted. Reports of the issue have been adding up since the Windows 10 update was released on October 2.

“We have paused the roll-out of the Windows 10 October 2018 Update (version 1809) for all users as we investigate isolated reports of users missing some files after updating,” Microsoft added to its page for the update. Microsoft added that it will give an additional update to customers once the Windows 10 update is made available again.

The issue was sent to Microsoft’s Feedback Hub for Windows Insider beta testers, but because it seems to affect only a few users, the issue wasn’t flagged, Engadget reported.

Anyone who has downloaded the October 2018 Windows 10 update, but has not yet installed it, is encouraged to wait before installation. It’s unclear when the update will be made available again.

The Cars of the Paris Auto Show Reveal a Quirky, Urban, Electric Future

The Renault Ez-Ultimo brings the high-end glitz to the show this year. Just because cities of the future may prioritize ride sharing over private cars doesn’t mean you should have to slum it on the way to opening night at the Opéra national de Paris.

This rounded bronze box is about as far from a production car as a concept can be (could those wheels even turn? where’s the ground clearance for cobbled streets?) but Renault says it shows a vision of an autonomous future, where passengers demand more from vehicles. In particular, the interior “reflects French elegance” with wood, leather, and marble.

Citroën went the opposite direction, unveiling a very real, very modest EV. The DS3 Crossback E-Tense is a fashionable crossover SUV, and an update on Citroën’s très popular DS3 supermini car. The electric version comes with a 50-kWh battery—about half that of a high-end Tesla—a range of 186 miles on the generous European test cycle, and a 0-60 time of 8.7 seconds. None of those specs are going to blow buyers away, but at the right (to be revealed) price, the quirky car, with sharp angles and odd window cutouts, could rival the Nissan Leaf or Renault Zoe as a city runabout.

Europe has taken styling cues from the US for the Peugeot E-Legend concept, albeit with a little added flair. There are plenty of muscle car hints in the styling, with a side profile reminiscent of the modern Dodge Challenger, and a Mustang-like front squint. Of course it’s a concept, so it’s electric and autonomous, and supposed to show that those things don’t have to be boring or bland.

The retro theme continues inside with velvet upholstery and fake wood screensavers for the displays when they aren’t in use. It’ll apparently have a 100-kWh battery pack and all-wheel drive, but it’s so concept-y that wise money should be on all that potentially changing, if and when the E-Legend makes it to production.

It wouldn’t be a European auto show without a city car, and Smart is the brand synonymous with cars so small they can be parked end-on to a curb. The Smart Forease moves that theme into an electric age. The rather optimistic concept banks on the future always being sunny, given that it doesn’t have a roof. Not even an optional one. (Have these people been to Europe?)

Smart has already stopped the sales of all internal combustion engined cars in the US, and if this car makes it across the Atlantic (and to reality) it could find a place in some Californian garages. The Golden State has good EV rebates, and as close to a guarantee of good weather as you’re going to find.

Infiniti is keeping it real with its Project Black S hybrid, based on a Q60 coupe and its V6 engine. Infiniti engineers turned to electrification, and lessons from partner Renault’s Formula 1 team (there’s the French connection) to give the machine an e-boost.

It’s a hybrid, but one that delivers performance rather than economy. The three motors add 213 horsepower to bring the total to 563, and drop the 0-60 mph time to under four seconds.

Toyota didn’t use the Paris show to unveil radical new concepts, but did introduce a term that will be new to most buyers: self-charging hybrids. This is no magical perpetual motion-type technology: Self-charging hybrids are just cars that can run on battery power, but can’t be plugged in. They are the type Toyota has been selling for years in the Prius, back when they were just called “hybrids.” As they’ve gone from being radical, to commonplace, to somewhat lame given the influx of more robust electric options, Toyota is looking to rebrand to remind people that the tech is still quite clever, and does save fuel.

Red Hat Satellite integrated new, improved Ansible DevOps

When Linux’s sysadmin graybeards got their start, they all used the shell to manage systems. Years later, they also used system administration programs such as Red Hat Enterprise Linux (RHEL)’s Red Hat Satellite and SUSE Linux Enterprise Server (SLES)’s YaST. Then, DevOps programs, like Ansible, Chef, and Puppet, appeared so that admins can manage hundreds of servers at once. Now, Red Hat is bridging the gap between the old-style server management tools and DevOps with Red Hat Satellite 6.4.

This new management tool comes with a deeper integration with Red Hat Ansible Automation’s automation-centric approach to IT management. This enables sysadmins to use the Red Hat Satellite interface to manage RHEL with Ansible’s remote execution and desired state management. This integration will help identify critical risks, create enterprise change plans, and automatically generate Ansible playbooks.

Red Hat claimed, “This exciting integration is designed to help not only identify critical risks but then create enterprise change plans and automatically generate Ansible playbooks to better remediate those risks.”

The updated Red Hat Satellite also comes with these new features:

  • Redesigned user interface for easier navigation and improved auditing of user events.
  • Increased supportability including the ability to provision in AWS GovCloud and custom configuration preservation.
  • Enhanced performance including RHEL Performance Co-Pilot integration and general stability fixes.

Red Hat Satellite 6.4 will be available later in October through the Red Hat Customer Portal.

But that’s only the start of Red Hat’s DevOps and sysadmin news. Red Hat is also introducing a Red Hat Ansible Automation Certification Program to deliver tested, trusted, and supported Ansible Playbooks.

These certified Playbooks, from Red Hat and its partners, will provide everything you need to automate your infrastructure, networks, containers, and deployments. Besides Red Hat’s offerings, Cisco, CyberArk, F5 Networks, Infoblox, NetApp, and Nokia will offer 275 Ansible modules in the initial release.

These Playbooks, Modules and Plugins are scanned against known vulnerabilities, checked for compatibility, and validated to work in production. These will have a similar lifecycle to Ansible Engine. They’ll also be regularly re-evaluated for certification qualification and are fully-backed with Red Hat’s support.

If you’re using Ansible and RHEL and you don’t want to build your own Playbooks, this new offering is a must.

Looking ahead, Red Hat is adding automated security capabilities, such as enterprise firewalls, intrusion detection systems (IDS), and security information and event management (SIEM) to Ansible.

In 2019, Ansible will include the following security features:

  • Detection and triage of suspicious activities: Automatically configure logging across enterprise firewalls and IDS.
  • Threat hunting: Automatically create new IDS rules to investigate the origin of a firewall rule violation and whitelist non-threatening IP addresses.
  • Incident response: Ansible will be able to automatically validate a threat by verifying an IDS rule, trigger a remediation from the SIEM solution and create new enterprise firewall rules to blacklist the source of an attack.

It will do this, in part, by integrating Check Point Next Generation Firewall (NGFW); Splunk Enterprise Security; and Snort, the open-source IDS program.

Joe Fitzgerald, Red Hat Business Management VP, explained in a statement:

“Since Red Hat acquired Ansible in 2015, we have been working to make the automated enterprise a reality by driving Ansible into new domains and expanding automation use cases. With the new Ansible security automation capabilities, we’re making it easier to manage one of enterprise IT’s most complex tasks: systems security. These new modules can help users take an automation-centric approach to IT security, integrating solutions that otherwise would not work together and helping to manage and orchestrate entire security operations with a single, familiar tool.”

It sounds good to me. We’ll see early next year how well Red Hat delivers on this promise.

Why Supply Chain Hacks Are a Cybersecurity Worst-Case Scenario

A major report from Bloomberg on Thursday describes an infiltration of the hardware supply chain, allegedly orchestrated by the Chinese military, that reaches an unprecedented geopolitical scope and scale—and may be a manifestation of the tech industry’s worst fears. If the details are correct, it could be a nearly impossible mess to clean up.

“This is a scary-big deal,” says Nicholas Weaver, a security researcher at the University of California at Berkeley.

Cybersecurity experts often describe supply chain attacks as worst-case scenarios, because they taint products or services at the time of their creation. They’ve also been on the rise on the software side, precisely because of that reach and effectiveness. But the Bloomberg report raises a much more alarming specter: that Chinese government actors compromised four subcontractors of the US-based Super Micro Computer Inc. to hide tiny microchips on Supermicro motherboards.

The chips, Bloomberg says, offered a fundamental backdoor into the devices they were hidden in, ultimately helping the Chinese government access the networks of more than 30 US companies—including Apple and Amazon—and to gather intelligence on their plans, communications, and intellectual property.

Apple, Amazon, and Super Micro all issued extensive statements to Bloomberg refuting the report, categorically denying having ever found evidence of such an attack in any of their infrastructure. “Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” the company wrote, later adding more details in an extended post, including that it was not operating under any kind of government-imposed gag order. Amazon published an extended rebuttal as well. “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems,” the company wrote. “Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found,” wrote Super Micro in a statement.

Security researchers and analysts emphasize, though, that the Bloomberg report raises crucial questions about the threat of hardware supply chain attacks, and the industry’s lack of preparedness to deal with them. Lawmakers have clearly considered the issue, given the recent ban on devices made by the Chinese manufacturers ZTE and Huawei in government use. But there still aren’t clear mechanisms in place to respond to a successful hardware supply chain compromise.

“This sort of attack undermines every security control we have in place today,” says Jake Williams, a former NSA analyst and founder of the security firm Rendition Infosec. “We can detect anomalies on the network to bring us back to a suspicious server, but most organizations simply can’t find a malicious chip on a motherboard.”

Mere awareness of the threat doesn’t help much. Behemoths like Apple and Amazon have effectively unlimited resources to audit and replace equipment throughout their massive footprints. But other companies likely don’t have this flexibility, especially given how elusive these intruders are; Bloomberg says the PLA’s stowaway component was no bigger than a pencil point.

“The problem with detection is that it’s extremely impractical,” says Vasilios Mavroudis, a doctoral researcher at University College London who has studied hardware supply chain attacks and worked last year on a model for cryptographically ensuring the integrity of hardware parts during manufacturing. “You need specialized equipment and you have to carefully examine several heterogeneous pieces of complex equipment. It sounds like a nightmare, and it’s an expense that’s hard for companies to justify.”

Even companies that can afford to properly remediate a hardware breach face the obstacle of finding replacements. The threat of supply chain attacks makes it difficult to know who to trust. “Most computer components come through China,” Williams says. “It’s hard to picture they don’t have hooks into companies other than Super Micro. At the end of the day, it’s hard to evaluate what’s more trustworthy. Backdoored hardware on such a wide scale is unprecedented.”

The situation Bloomberg describes acts as a chilling reminder that the tech industry has not deployed mechanisms for preventing or catching hardware supply chain attacks. In fact, there isn’t an easy answer of what a comprehensive response would even look like in practice.

“As for cleaning up the mess, that would require looking at the whole value chain, from design through manufacturing, and carefully monitoring every step,” says Jason Dedrick, a global information technology researcher at Syracuse University. “It might not be so hard to move motherboard assembly out of China, but the bigger issue is how to control the design process so that there isn’t a space for a counterfeit chip to be inserted and actually function.”

Some cloud services, like Microsoft Azure and Google Cloud Platform, have built-in protections that security researchers say could potentially obviate an attack like the one Bloomberg describes. But even if these defenses could defeat some specific attacks, they still can’t protect against all possible hardware compromises.

Mavroudis’s research into integrity checks for hardware parts, meanwhile, attempts to account for how much uncertainty exists in the supply chain. The scheme creates a sort of consensus system, where the different components of a device monitor each other and can essentially run interference against rogue agents so the system can still function safely. It remains theoretical.

Ultimately, fixing supply chain incidents will take a new generation of protections, implemented swiftly and widely, to give the industry an appropriate recourse. But even the most extreme hypothetical solution—treating electronics as critical infrastructure and nationalizing manufacturing, an entirely improbable outcome—would still be at risk of an insider threat.

This is why it’s not enough to simply be aware that supply chain attacks are theoretically possible. There need to be concrete defenses and remediation mechanisms in place. “I mean, yes, we wrote a paper about detection,” Mavroudis says. “But I always believed it wasn’t very likely that such backdoors would get deployed in practice, especially against non-military equipment. Reality is sometimes surprising.”


Tesla's Musk mocks SEC as judge demands they justify fraud settlement

NEW YORK (Reuters) – Tesla Inc’s Elon Musk on Thursday mocked the U.S. Securities and Exchange Commission, just hours after a federal judge ordered him and the regulator to justify their securities fraud settlement, which let Musk remain chief executive.

FILE PHOTO: Tesla Chief Executive Elon Musk stands on the podium as he attends a forum on startups in Hong Kong, China January 26, 2016. REUTERS/Bobby Yip/File Photo

“Just want to [sic] that the Shortseller Enrichment Commission is doing incredible work,” Musk, a frequent critic of investors betting against the electric car company, wrote on Twitter. “And the name change is so on point!”

The tweet came five days after Musk settled SEC charges that he misled investors in tweets on Aug. 7, including that there was “funding secured” to take his Palo Alto, California-based company private at $420 per share.

Musk agreed to pay a $20 million fine, and step aside as Tesla’s chairman for three years, to settle charges that could have forced his exit from Tesla. The company also accepted a $20 million fine, despite not being charged with fraud.

Tesla and the SEC declined requests for comment.

Former SEC lawyers questioned the wisdom of Musk’s latest tweet, but said it was unlikely to jeopardize the settlement, which prevents Musk from denying wrongdoing or suggesting that the regulator’s allegations were untrue.

“I don’t think the SEC would look at this as a denial of the facts alleged,” said Peter Henning, a law professor at Wayne State University in Detroit. “But you don’t take gratuitous shots at the SEC. There’s no real upside.”

Shares of Tesla closed down $12.97, or 4.4 percent, at $281.83, and fell another 2.1 percent to $276 following Musk’s tweet after market hours.

The tweet came less than four hours after U.S. District Judge Alison Nathan in Manhattan ordered Musk and the SEC to explain by Oct. 11 in a joint letter why their settlement was fair and reasonable and would not hurt the public interest.

Nathan said it was her regular practice to request such letters.

FILE PHOTO: A newly installed car charger at a Tesla Super Charging station is shown in Carlsbad, California, U.S. September 14, 2018. REUTERS/Mike Blake

“She may want to know why Tesla is paying a fine because the CEO doesn’t know when to shut up,” said Adam Pritchard, a University of Michigan law professor and former SEC lawyer.

DEFERENCE TO SEC

The settlement also required Tesla’s board to implement procedures for reviewing Musk’s communications with investors, which include tweets.

Thomas Gorman, a partner at Dorsey & Whitney in Washington, D.C., said Musk might argue that the latest tweet might be a mere “personal lament,” and not a violation of the settlement.

For her part, Nathan may have limited room to intervene, after a federal appeals court curbed the ability of judges to reject SEC settlements.

One such judge was Jed Rakoff, a colleague of Nathan’s who objected to the SEC policy of letting some corporate defendants settle without admitting or denying wrongdoing, as Musk did.

But in 2014, the 2nd U.S. Circuit Court of Appeals overturned Rakoff’s rejection of a $285 million SEC settlement with Citigroup Inc, saying he should have given “significant deference” to the regulator.

The 2nd Circuit has jurisdiction over Nathan’s court, and lawyers said Musk’s settlement would likely win approval, though orders such as Nathan’s are not too common.

“In and of itself it’s not an ominous sign,” said Jordan Thomas, a partner at Labaton Sucharow and former SEC lawyer. “The vast majority of settlements like this are approved by courts.”

Pritchard said before Musk’s tweet that he saw no “serious chance” for a rejection of Musk’s settlement, based on 2nd Circuit precedent. “This is just a hoop to be jumped through,” he said.

The case is SEC v Musk, U.S. District Court, Southern District of New York, No. 18-08865.

Reporting by Jonathan Stempel in New York; Additional reporting by Sonam Rai in Bengaluru and Jan Wolfe in Washington; Editing by Anil D’Silva and Lisa Shumaker

'Oh My God, Why Do I Have a Text From the President?' (The Presidential Alert Today, Explained)

Ever since he announced he was running for president, it’s been basically impossible to get away from Donald Trump. 

Some people hate that. Others love it. Almost nobody’s indifferent. 

But today has even more Trumpian ubiquity than most other days–even by the president’s standards.

The reason? The Wireless Emergency Alert system test that the government set up for 2:18 p.m. Eastern. If you’re reading this early, or if you didn’t get it for some reason, here’s the text:

Presidential Alert
THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed. 

That’s it, kind of like an Amber alert or a weather warning, no big deal on its face. But it’s set to go to every single cell phone that’s turned on at the time and that has a United States phone number.

And it will be followed two minutes later by an interruption on every television and radio show with a similar message–basically very close to the emergency broadcast system messages that they test every month or so, and that you’ve probably seen since you were watching kids’ T.V. shows.

Anyway, the whole thing today has its roots in the Communications Act of 1934, which FEMA says:

“established the authority for the President to use certain private sector communications systems for priority communications, such as sending alert and warning messages to the public, during national emergencies.”

It’s the text part of this that has some people a little freaked out. Granted, the text doesn’t say it’s coming from President Trump, per se, just that it’s a “presidential alert.” 

And the plan was actually put in motion in 2012, when you might recall somebody else was president. You can imagine scenarios in which it might actually be very useful for the president to be able to send a message to almost all U.S. citizens; perhaps if, God forbid, we ever had another national emergency on the scale of September 11, 2001.

Step back from whether you support President Trump or not. If we’re going to have this kind of system, it makes very good sense to at least test it before using it.

As I wrote at the time, thank God it happened on a weekend, otherwise you can imagine the worldwide panic that might have spread.

So sure, Trump has completely dominated the media for more than three years at least, ever since he first announced he was running for president back in June 2015. We’re getting a little bit more of that today. 

And tomorrow we can all just return to checking his Twitter feed.