Actually it’s much easier than that, and what the TAO group [https://en.wikipedia.org/wiki/Tailored_Access_Operations] here does on a smaller scale. There is undoubtedly easier and better scale in China since so much tech is manufactured there. They can get the firmware source (or require things be included), and chip masks pretty easily, even easier than the CIA or NSA getting them here. And I doubt any TLA has much of a problem with that here if they care.
The way you do this is you have ‘partnerships’ with the major shippers where they match against known persons of interest on your list. When someone has an interesting shipment to one of your targets, it gets flagged and set aside in a known location.
Since all new style equipment needs a basic plan to add targeted hardware/firmware attacks anyway, since if you need the capability to compromise any given target at will (which they do) you need the capability to compromise pretty much all common equipment readily available, at a minimum. All available equipment being a realistic requirement too.
Some bored tech will then take the already developed playbook for that specific piece of equipment, write the firmware or glue on the specific special chip to the board, pack it up, and hand it back to the shipper.
Definitely agreed on the TAO and surveillance, upvoted in fact for that.
But, again, I'll "buy that bridge" when it comes to an Apple product-supply-chain being hacked by a state actor to target an individual.
CCP can't bank on a specific Apple product being purchased by a specific person routed through their side/controlled supply chain.
As before, most Apple products are not routed directly from China to a consumer. This is a pretty rare circumstance given the supply chain bottlenecks.
I agree both sides have the ability to "hold product" in the shipping lane to do all sorts of nefarious things, but that only works if you can predict that movement (i.e. destination being on "your side" of control). The specific circumstances matter here and they don't make it an attack vector against a specific person.
FYI - Every Apple product I've bought in the last year or two was routed directly from China to me. From multiple iPads, an iPhone, and a MacBook Pro. With the pandemic shutting down a lot of Apple store traffic, it's probably become more pronounced if anything.
Definitely not the case for everyone, especially an enterprise, but I bought it via the Apple Store app and the tracking showed it from China -> Chinese Customs -> To me, and through FedEx.
So they had all the information they would need in one place to do what I am describing in at least this scenario.
Someone somewhere puts the person's name and address into a To address for a shipping company. If the origination is in China and it's sold direct, that final address and name will be on that label, and in the tracking database.
It doesn't have to be perfect to catch a decent number of targets. If even 25% of the purchased products get intercepted this way for a target it will likely be effective.
The way you do this is you have ‘partnerships’ with the major shippers where they match against known persons of interest on your list. When someone has an interesting shipment to one of your targets, it gets flagged and set aside in a known location.
Since all new style equipment needs a basic plan to add targeted hardware/firmware attacks anyway, since if you need the capability to compromise any given target at will (which they do) you need the capability to compromise pretty much all common equipment readily available, at a minimum. All available equipment being a realistic requirement too.
Some bored tech will then take the already developed playbook for that specific piece of equipment, write the firmware or glue on the specific special chip to the board, pack it up, and hand it back to the shipper.
A physical version of Room 641A [https://en.m.wikipedia.org/wiki/Room_641A] essentially.
The Snowden leaks showed it happened regularly, what, a decade ago?
If you think China doesn’t have something like that too, I have a bridge to sell you.
So then the question is - are you interesting enough to make the list? That I don’t know.