Warehouse belonging to Chinese payment terminal manufacturer raided by FBI

US feds were spotted raiding a warehouse belonging to Chinese payment terminal manufacturer PAX Technology in Jacksonville, Florida, on Tuesday, with speculation abounding that the machines contained preinstalled malware. PAX Technology is headquartered in Shenzhen, China, and is one of the largest electronic payment providers …

  1. Paul Smith

    Strong hints of nationalistic bias running through this story. That PAX is a Chinese company is incidental to the story, so why does it make the headline? Have the Chinese become the modern day Jews to be blamed for every ill?

    1. Anonymous Coward

      “The Chinese” are fine. Covers a broad linguistic and ethnic group spread across all major centres of human civilisation. Nothing wrong with Chinese people as a rule.

      Companies headquartered in the People’s Republic of China are a different story. Not to be trusted, due to influence and absolute power of the dictators of the “People’s” Republic of China over these companies.

      Nice move with the Jewish comparison though. Probably more apt to compare PRC treatment of Uyghurs with Nazi treatment of the Jews though, isn’t it?

      1. martinusher Silver badge

        It's often said here that "no matter who you vote for the government always gets in". That's because whatever political philosophy you might vote for the overriding political and economic philosophy we call capitalism (which, strictly speaking, it isn't) rules the roost. We get changes in leadership but every candidate is ultimately tested before being viable as 'sound'; those deemed not so, even if they're a trivial threat to the status quo, are dealt with. (For example, look what happened to Corbyn in the UK.)

        The Chinese have a system based on communism that suits their needs. We've tried to import our political ethos into their country but it resulted in what they call the Century of Humiliation. They seem happy with what they've got on the whole. They have become a formidable economic competitor, though, so we've been increasingly running a sort of Cold War against them. Since we've rather improvidently let much of our global supply chain run through them we can't undertake the regular tactic of economic warfare against them (not for a lack of trying but it often ends up with us shooting ourselves in the foot) but there are plenty of other tools we use, among them encouraging separatism.

        All this is well documented. Even the UK government, continually strapped for funds to invest in domestic projects as it is, has ample funding for these sorts of projects.

        1. llaryllama

          The PRC system is far removed from communism. "Communism with Chinese characteristics" is nothing more than a fiercely protected autocracy based on the worst tenets of capitalism.

          It's really none of my business how China wants to run their country. Problem is they want to annex mine (Taiwan) and promote greater autocracy around the world - with China pulling the strings, of course. The PRC is slowly expanding their regional claims and I would not be surprised to see parts of India or Korea taken through gray zone warfare in my lifetime.

          For anybody about to do the predictable smug comparison between modern day PRC and America or the UK <our government is just as bad, blah blah> have a good hard think before you type that reply. This message board with its open discussion simply wouldn't exist in the PRC. Neither would any of the many freedoms you take for granted. Imagine if Boris was not just an elected official who could eventually be kicked out but Dictator for Life.

      2. Anonymous Coward

        Should Astroturfing be a crime?

    2. Electronics'R'Us

      I see no...

      particular bias against the company or its origins.

      Given that both US agencies and MI5 are looking at the issue it seems that the problem is real.

      Now, that said, the CCP has a law in place that all companies in China are required to 'assist' state agencies when told to do so, so there is going to be a reasonable suspicion around that.

      Whether it is that or not we will (hopefully) find out in due course.

    3. steviebuk Silver badge

      The Chinese people are fine, it's the CCP that aren't. They have gotten worse over the past year. Their own anti-foreigner campaigns you appear to have ignored. Attempt to stay in a lot of hotels in certain parts of China and you'll be denied as they don't allow "Foreigners", nothing against the Chinese people, most of them are nice, it's the CCP that are doing it and the populace have to toe the bullshit line.

      The CCP come up with stupid rules like tea pot petrol fills for motorbikes. At some point there must have been a story of a bike catching fire at a petrol station. So the CCP in its stupid "wisdom" (its members have probably never had to fill their own petrol) decided to make a spot a few yards away for bikes to fill up. However, you have to take what is essentially a metal OPEN watering can and fill it with petrol, then carry that open can to your bike and fill it up. Do the CCP not understand how petrol works?

  2. PhilipN Silver badge

    "... easy to overlook..."

    Why? You mean a bank or whoever signs up for masses of these machines without getting IT to see what they do?

    1. Mike 137 Silver badge

      Re: "... easy to overlook..."

      In my experience (particularly in local government) individual services may buy a POS terminal and install independently. Often the first that IT hears of it is when a firewall rule request is submitted to change control, and in some cases I've encountered, the request didn't even mention that it was for a POS terminal (despite of course modifying the PCI DSS CDE scope).

      But this is not unique to POS terminals or local government - it probably goes on in any large and evolving organisation. Indeed I've encountered physical servers that IT knew nothing about until they were asked for emergency support.

      1. Giles C Silver badge

        Re: "... easy to overlook..."

        I spent a long time working for an insurance broker and dealing with PCI controls on the network.

        At another company a year ago someone came up with a POS terminal that they wanted on the network (the company was a food manufacturer so no PCI controls needed as everything was B2B).

        When I told them how much work it was going to be to put the payment terminal on the network they promptly banned it and told them to connect via 4G instead to avoid the problems.

        This did remove the network from being in scope so they probably should have been OK (I no longer work there).

        Mike’s comment reminds me of the BOFH a couple of weeks ago. All too common a situation in companies.

        1. A random security guy

          Re: "... easy to overlook..."

          The standard way to get approved for SOC 2, PCI, etc. is to declare an errant system out of scope.

      2. Robert Helpmann??

        Re: "... easy to overlook..."

        ...I've encountered physical servers that IT knew nothing about until they were asked for emergency support.

        And we all know where this leads to, don't we?

        https://www.theregister.com/2021/10/08/bofh_2021_episode_18/

      3. steviebuk Silver badge

        Re: "... easy to overlook..."

        And if it's the NHS with large big roll outs they either employ underpaid beginner engineers who don't care as they aren't being paid enough to, or they'll underpay a good engineer (who is desperate for a job) to install alongside the ones that don't care. But despite the good engineer being very knowledgeable, limit his/her access on what they can do. Wasting everyone's time because the perm engineers have god complexes. This then makes the good engineer decide to not give a fuck after a while.

        May or may not be speaking from experience.

    2. This post has been deleted by its author

  3. Doctor Syntax Silver badge

    Trust in the software supply chain becomes ever more problematical. If only there were some way to audit the source code in the open and to verify that shipped binaries match that source.

    1. JohnTill123

      Sorry, that won't help.

      Citation: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

  4. Mike 137 Silver badge

    "audit the source code in the open and to verify that shipped binaries match that source"

    Unless I've missed something, that's the key despite Thompson_1984. He's talking about a compromised compiler, the source of which will not show up the compromise but which will cause the executable of a program compiled on it to differ functionally from its source.

    Comparison of the source and executable of the compiled program should show up any differences (Trojan code) as (at least in C) the compiler doesn't modify the source of the application being compiled.

    1. Anonymous Coward

      Re: "audit the source code in the open and to verify that shipped binaries match that source"

      It is and does happen in the industry, just not in public or released to the public (I'm still under NDAs I signed nearly a decade ago relating to payment devices), much like access to the Windows source code.

      Wouldn't be surprised for it to be supply chain related, the fact it's a Chinese company means nothing; try and find a POS manufacturer that is 100% Chinese component free, I bet you can't...

      The fact it's POS based makes me think it's likely to be a skimmer of some sort, which would probably point to organised crime, or a cash strapped hermit nation.

      If it is actually a bit more sophisticated then it's an APT and probably related to SolarWinds, but why oh why would they be sloppy enough to get caught with obvious unusual traffic? Just think of the disruption that would be caused if, say, a hostile nation could disrupt payments nationally: trivial things like denying someone morning coffee, to worse things like stopping payment for medical procedures and drugs, or causing mass defaults of mortgages and triggering a financial crash, while also being able to syphon funds from accounts. That could be pretty devastating at both personal and state level.

      1. The Basis of everything is...

        Re: "audit the source code in the open and to verify that shipped binaries match that source"

        If ever I get the urge for overpriced shop coffee I can always use these handy little metal tokens, or even scrumpled bits of plasticy fake-paper.

        It's going to be a very long time before my mortgage payments drop to the level that a PoS terminal can handle though.

        1. Hubert Cumberdale Silver badge

          Re: "audit the source code in the open and to verify that shipped binaries match that source"

          All the way through reading these comments, I've been unable to stop my brain from replacing "PoS" with "piece of sh#t". It even fits when I read it using the tone of your comment.

    2. SImon Hobson Bronze badge

      Re: "audit the source code in the open and to verify that shipped binaries match that source"

      Comparison of the source and executable of the compiled program should ...

      Except that it doesn't. The days of a "dumb" compiler that would produce predictable code from a piece of source are long gone. These days, the code is heavily optimised to match the target processor - so even very minor changes to compile conditions can produce significantly different code.

      AIUI it's one of those areas that's had a lot of attention over the years.
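An added illustration of the exchange above (not code from any commenter or vendor): a rebuild-and-compare check only says something about the source when the build conditions are pinned. It uses Python's built-in bytecode compiler as a stand-in for a C toolchain; the sample source, paths and function names are constructed for the example.

```python
import hashlib

# Constructed sample source standing in for the audited application code.
AUDITED = '''
def authorise(amount, limit):
    """Approve a payment that is within the limit."""
    assert amount >= 0, "negative amount"
    return amount <= limit
'''
# Constructed variant: what was actually built differs from what was audited.
ALTERED = AUDITED.replace("amount <= limit", "amount <= limit * 2")

# Build conditions the vendor would have to publish alongside the binary.
RECORDED = {"build_path": "/build/terminal/app.py", "optimize": 2}


def artifact_digest(source, build_path, optimize):
    """Compile source and hash what lands in the artifact: instructions,
    constants, names and the embedded build path."""
    digest = hashlib.sha256()

    def walk(code):
        digest.update(code.co_code)
        digest.update(code.co_filename.encode())
        digest.update(repr(code.co_names).encode())
        for const in code.co_consts:
            if hasattr(const, "co_code"):   # nested function body
                walk(const)
            else:
                digest.update(repr(const).encode())

    walk(compile(source, build_path, "exec", optimize=optimize))
    return digest.hexdigest()


def matches(shipped_digest, source, conditions):
    """Rebuild from source under the given conditions and compare digests."""
    return artifact_digest(source, **conditions) == shipped_digest


def demo():
    shipped = artifact_digest(AUDITED, **RECORDED)
    return {
        "same source, recorded conditions": matches(shipped, AUDITED, RECORDED),
        "same source, different optimisation": matches(shipped, AUDITED, {**RECORDED, "optimize": 0}),
        "same source, different build path": matches(shipped, AUDITED, {**RECORDED, "build_path": "/home/auditor/app.py"}),
        "altered source, recorded conditions": matches(artifact_digest(ALTERED, **RECORDED), AUDITED, RECORDED),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

Only the first case matches: identical source rebuilt with a different optimisation level or build path is indistinguishable, by digest alone, from a build of altered source.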

  5. Peter D

    The sneaky pre-justification

    The CCP mouthpiece/Corporate shill built the company's future defence into the response to El Reg: "As always we monitor...". In other words, there's nothing to see here. We were keeping you safe and any suggestion we've been keeping track of who buys what is a vile, nay defamatory, slur of ...
