Today we are going to share the result of a bit of investigation that started a few months ago on STH. The short version, it appears as though the Dell EMC S5200-ON series switches, the company’s high-end 25GbE-200GbE switches, have license/royalty stickers that have a different company name on them than they should have. Instead of saying “American Megatrends”, they instead said “American Megatrands”. To give some perspective, this looks strange because it would be like buying a Dell notebook and getting a “Macrosoft Wandows” license sticker on it.[…]
Through a fairly rough October, we validated that indeed these stickers are in the wild. Ultimately, after we brought their existence to American Megatrends (AMI) and Dell’s attention (HPE did not care enough to investigate), we now have an artifact that says that American Megatrends is honoring the license stickers and will not pursue legal action against Dell’s customers or those using them.
This may seem like something insignificant and innocuous, but supply chain security is a big, big deal, and the fact these clearly misspelled license/royalty stickers made their way from printing down to the end-user of not just corporate hardware but supercomputers for the US military is… Concerning, to say the least. It shows that tampering with hardware anywhere between production of the individual chips and components down to delivery by the delivery person might be a lot easier to do than we think.
It seems to be common for the big name vendors to buy chips from suppliers who don’t have the security, etc. in place.
For example talk shows how things work in practice:
You can buy rolls of PAT test labels on eBay. Admittedly it’s a niche use and the chance of a health and safety incident is low but a label doesn’t prove anything more than it’s a label. Most sites which might be touchy about such things probably have reasonable site security to match but it can take only one dodgy piece of equipment to kill people or cause millions of pounds worth of damage.
I bought some Duo lash glue off eBay once. The first order was fine. Another order struck me as a bit odd and it turned out on reflection to be PVA glue. I had my doubts about it and visited Boots to buy some more and that was definitely the real thing and unmistakably gluey in a way PVA is not. The fake was some very expensive PVA glue! I’m much more touchy about supply chain issues after that.
PVA glue is actually fine for lashes according to a woman in Boots who said she used it when working abroad as an actress in New York. Originally made for stage actors working under hot lights, some of the boutique fixing sprays with extra hold have a magic ingredient which they use to justify their three times the average inflated price. The magic ingredient is a percentage of PVA glue. That’s less than one pence worth.
Is this for real? This is what the tech bloggers are focusing on now? A random label with one wrong letter…. JFC.