Interesting People mailing list archives

Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article | AWS Security Blog


From: "Dave Farber" <farber () gmail com>
Date: Fri, 5 Oct 2018 11:33:19 +0900



https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/ 

Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article

04 OCT 2018
Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips 
in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that 
Amazon was aware of modified hardware or chips in AWS’s China Region.

As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past 
or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards 
in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only
a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our 
own security team, and also commissioned a single external security company to do a security assessment for us as 
well. That report did not identify any issues with modified chips or hardware. As is typical with most of these 
audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition 
closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned 
security report nor any other (and refused to share any details of any purported other report with us).

The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we 
conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data 
center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or 
malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers 
in any of our data centers. And, this notion that we sold off the hardware and datacenter in China to our partner 
Sinnet because we wanted to rid ourselves of SuperMicro servers is absurd. Sinnet had been running these data centers 
since we launched in China, they owned these data centers from the start, and the hardware we “sold” to them was a
transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate 
in China.

Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior 
to going into production and performing regular security audits internally and with our supply chain partners. We 
further strengthen our security posture by implementing our own hardware designs for critical components such as 
processors, servers, storage systems, and networking equipment.

Security will always be our top priority. AWS is trusted by many of the world’s most risk-sensitive organizations 
precisely because we have demonstrated this unwavering commitment to putting their security above all else. We are 
constantly vigilant about potential threats to our customers, and we take swift and decisive action to address them 
whenever they are identified.

– Steve Schmidt, Chief Information Security Officer


