Happy “The Big Hack”-iversary! What have we learned in a year?

There are still divergent opinions about what actually happend here’s a bit of a refresher, plus some of my conclusions. Initially I was fascinated by the technical possibilies and quickly shared my thoughts:

There’s recent news about some really interesting hardware implants. I wanted to take a bit to share more technical thoughts and details that can’t be reduced to a mainstream article on the topic.
threaded: https://t.co/7VdmaDaQNr
— Joe Fitz (@securelyfitz) October 4, 2018

I was asked repeatedly by people if they had hardware implants, so I summarized my answer:

Do I Have a Hardware Implant?

I’ve gotten lots of inquiries if I could analyze some hardware for or could recommend someone who might.

I’ll be blunt - most of you don’t need this. Here are some things you should consider before seeking out services like this:
— Joe Fitz (@securelyfitz) October 8, 2018

Way too many people spent those few weeks ripping apart servers looking for grain-of-rice sized malicious chips. When I saw this happening and took the time to stop think about it rationally, I realize that this was most certainly not a good use of resources. At the time, I also shared the best TL;DR that I heard:

@syncsrc said it to me best:

TL,DR - if you haven’t talked to your vendors about the supply-chain integrity mechanisms they have in place, tearing down a few motherboards for analysis won’t solve your problems.
— Joe Fitz (@securelyfitz) October 8, 2018

Many of you owe thanks to @kimzetter and @riskybusiness who both convinced me to got on the record and share my dissatisfaction with the reporting. I have heard in the past year thanks from many people who felt the riskybusiness podcast saved them days or weeks of work searching for something that still hasn’t surfaced a year later.

I did a thing on the Bloomberg "Big Hack" story. @securelyfitz, one of the story's only named sources, warned the publication that its central claim "didn't make any sense," prior to publication.https://t.co/giXVXo1tbF pic.twitter.com/6cnwuZGx99
— Patrick Gray (@riskybusiness) October 8, 2018

I also spent some time theorizing about how and why the whole story came together, analyzing all of the details to see if they could fit together in a more realistic way. I never found the solution, but do check out my amateur, and likely incomplete anaysis.

So What?

Over the past year, I’ve presented a few times and touched on several points that I feel are critical:

Perhaps it’s time to consider hardware differently in your threat model.
Focus on your threat model. Don’t waste your budget protecting someone else’s threat model.
$1M hardware and supply chain attacks sound cool, but don’t waste resources on them if you’re not protecting against $5 attacks.

October 4, 2018 was a firedrill.

Who passed or failed the firedrill? Who took steps to adequately prepare for the actual fire when it happens?

Are you better prepared today for a supply chain attack than you were a year ago?

Have you had conversations with your suppliers about what they do to ensure authenticity?

If a report came out today that a specific silicon manufacturer had a supply chain issue - how long would it take you to confidently confirm whether or not you have any of that manufacturer’s silicon?

How have you revised your threat model in the past year to consider hardware and supply chain attacks?