New Evidence of Hacked Supermicro Hardware Found in US Telecom: Bloomberg (bloomberg.com)

← Back to Stories (view on slashdot.org)

New Evidence of Hacked Supermicro Hardware Found in US Telecom: Bloomberg (bloomberg.com)

Posted by msmash on Tuesday October 9, 2018 @05:31AM from the doubling-down dept.

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., Bloomberg reported Tuesday. From the report: The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China's intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015. Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum's nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server's Ethernet connector, a component that's used to attach network cables to the computer, Appleboum said.

104 of 191 comments (clear)

Min score:

Reason:

Sort:

Bloomberg! Bloomberg! Bloomberg! by The+Original+CDR · 2018-10-09 05:34 · Score: 5, Interesting

Has any other news media outfit independently verified the Bloomberg claims?
1. Re:Bloomberg! Bloomberg! Bloomberg! by Sarten-X · 2018-10-09 05:41 · Score: 3, Insightful
  
  Nope, nor have enough details been released that somebody could even start. There's speculation, but Bloomberg hasn't published anything that would let someone verify it on their own.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
2. Re:Bloomberg! Bloomberg! Bloomberg! by Calydor · 2018-10-09 05:47 · Score: 3, Insightful
  
  Does Bloomberg?
  
  --
  -=This sig has nothing to do with my comment. Move along now=-
3. Re: Bloomberg! Bloomberg! Bloomberg! by Anonymous Coward · 2018-10-09 06:06 · Score: 4, Interesting
  
  but I also wouldn't put it past Bloomberg to publish rumors for page hits.
  The Supermicro story is turning out to be a hoax.
  The only person actually named in the original Bloomberg story about the Supermicro servers was a "hardware expert" named Joe Fitzpatrick. As it turns out, he' s not all that much of an expert, and he has now done an interview where he says that he doubts the accuracy of the story:
  https://risky.biz/RB517_featur...
  He was communicating with one of the authors of the Bloomberg story for a couple of months before the story was published. Then, the story came out and things that he had described as being hypothetically possible were in the story, but presented as facts that they had gotten from various anonymous sources
  For example, the Bloomberg guy said to him "One of my sources said the chip might be a signal coupler. What does that look like?" So Joe Fitzpatrick sent him a link to a picture from a catalog. And, lo and behold, when the story was published it contained that exact picture, presented as "proof" of the chip that was implanted on the Supermicro motherboards.
4. Re:Bloomberg! Bloomberg! Bloomberg! by rudy_wayne · 2018-10-09 06:12 · Score: 5, Interesting
  
  The authors of this most recent story were also the author of the original Supermicro story. They also wrote other pieces over the last couple of years were they have made lots of spectacular claims, with little or no evidence, and, there has never been any follow-up on the stories.
5. Re:Bloomberg! Bloomberg! Bloomberg! by gnick · 2018-10-09 06:14 · Score: 1
  
  He didn't equate Bloomberg with the Chinese government except in the sense that neither can be trusted with outrageous claims without verification.
  
  --
  He's getting rather old, but he's a good mouse.
6. Re:Bloomberg! Bloomberg! Bloomberg! by Sarten-X · 2018-10-09 06:14 · Score: 5, Insightful
  
  The public deserves the truth.
  Security is complicated. On the one hand, perfect security is impossible. Your servers can be hacked, your data can be stolen, and your users can be phished.
  However, there is another perspective that I think is equally important, if not moreso: It's not hopeless. The attackers are not omnipotent. They have 9-5 schedules, bureaucracies, budgets, and deadlines. If your system is protected well enough that your attackers' budget runs out, it will stay safe. From that perspective, security is just a matter of economics. Your security is bought by spending a little money and effort to drastically increase the effort the attackers need to spend.
  An attacker embedding a custom chip in server hardware, then processing thousands of phone-home results is expensive for them, and unlikely to get a result. However, replacing your whole data center to use non-Supermicro servers is also expensive. Frankly, the whole thing probably isn't worth anybody's time.
  Breaking into an internet-facing server with a default password is easy. There are lots of routers and firewalls out there with default credentials or hidden backdoor accounts. Exploiting one of those is ridiculously cheap for an attacker, and gets them far better results.
  The notion of "the attacker is almighty" doesn't help improve overall security, because it silences discussion about how to actually improve security posture. Instead, we should set aside hardware concerns for now, and ask "What's the easiest way we can be attacked, and how can we fix it?", then make the fix, and repeat until your own budget runs out.
  My skepticism is not about doubting China's ability. I'm sure China (or any nation or well-funded individual) could get hardware inserted into servers. What I'm skeptical of is whether China (or any nation or well-funded individual) would even bother with the expense and risk when they could send a phishing campaign instead.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
7. Re:Bloomberg! Bloomberg! Bloomberg! by mujadaddy · 2018-10-09 06:16 · Score: 1
  
  The problem with that idea is that China fucking with the supply chain is not an outrageous claim.
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
8. Re: Bloomberg! Bloomberg! Bloomberg! by MachineShedFred · 2018-10-09 06:22 · Score: 5, Interesting
  
  If there were supposedly thousands of these things sold to various customers all over the place, how is it that nobody kept one for forensic analysis?
  How is there not one live example if all these networks and servers were compromised?
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
9. Re: Bloomberg! Bloomberg! Bloomberg! by Anonymous Coward · 2018-10-09 06:25 · Score: 2
  
  the idea of bloomberg publishing sensational garbage is even easierto believe
10. Re: Bloomberg! Bloomberg! Bloomberg! by mujadaddy · 2018-10-09 06:31 · Score: 1
  
  So then we're left with an important question: Why did Amazon & Apple dump Supermicro at around the same time?
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
11. Re:Bloomberg! Bloomberg! Bloomberg! by infolation · 2018-10-09 06:32 · Score: 4, Interesting
  
  First the authors shorted supermicro stock ahead of the original claims, then they used the profits from that short to pull an even bigger leveraged short of supermicro stock ahead of the second batch of claims.
  
  I have no evidence of this but... if you were writing those stories, why wouldn't you?
  
  2018/10/04 US:SMCI $21.47 --> $8.55
  2018/10/09 US:SMCI $15.55 --> $10.80
12. Re:Bloomberg! Bloomberg! Bloomberg! by Aighearach · 2018-10-09 06:41 · Score: 5, Insightful
  
  Does anybody think the Chinese government deserves the benefit of the doubt?
  
  Does Bloomberg?
  Yes. Bloomberg is a center-right media outlet, and almost all of their profitable business is related to selling financial information to professionals. They make an industry-leading software product called Bloomberg Terminal that they use to disseminate this information.
  I wouldn't trust them on political reporting, because they tend to give the perspective of a center-right business executive. But on general news that doesn't relate to their industry, they are nothing if not mainstream. They don't go for bombastic tabloid nonsense, it would tarnish their brand. Getting page views isn't the purpose of their public news service; enhancing their brand is the purpose.
  Therefore, I would give Bloomberg the benefit of the doubt that they believe this information to be true, and to be of great import to purchasing and IT managers, in addition to investors and financial services providers. This is big enough that the insurance community is probably taking a lot of interest, too. They would never intentionally publish a false report that purported to be of great interest to the industries where they make their bread-and-butter; it would be all downside for them.
  https://www.bloomberg.com/comp...
  Don't worry about the PR there, just look at the bottom of the page under "Products" and "Industry Products" and you can understand why they are a trusted source on this; they'd lose a lot by being wrong. And they have a lot to lose.
13. Re: Bloomberg! Bloomberg! Bloomberg! by TechyImmigrant · 2018-10-09 06:47 · Score: 1
  
  So then we're left with an important question: Why did Amazon & Apple dump Supermicro at around the same time?
  
  Government contracts requiring certification that in turn require a secure supply chain which in turn requires systems to be manufactured in the US.
  Big, boring makers of overpriced data center equipment play this game well. Supermicro sell less costly stuff, but it's made in China.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
14. Re: Bloomberg! Bloomberg! Bloomberg! by mujadaddy · 2018-10-09 06:50 · Score: 1
  
  Unfortunately, your post raises more questions than it answers. Go read the first article again.
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
15. Re: Bloomberg! Bloomberg! Bloomberg! by TechyImmigrant · 2018-10-09 07:07 · Score: 1
  
  I read it.
  It is still a real thing. To get certified to be eligible to bid for and get certain government contracts, a certified secure supply chain is needed. This is not new.
  This being true doesn't tell you whether or not that's the cause of recent actions - but it tells you that it's going to happen anyway and you can't tell the difference from the outside.
  It's worth looking to see it Apple and Amazon were bidding for some large government business around the same time.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
16. Re: Bloomberg! Bloomberg! Bloomberg! by mujadaddy · 2018-10-09 07:12 · Score: 1
  
  The problem with your line of thinking here is that these companies already had government contracts, and
  
  Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
  So, as far as being the "reason" for dumping Supermicro at that time, "government contracts" do not compute.
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
17. Re:Bloomberg! Bloomberg! Bloomberg! by Sarten-X · 2018-10-09 07:13 · Score: 2
  
  On the contrary... I've been a government contractor, and money was often an issue, though mostly it was in terms of ROI more than actual dollars. Governments don't mind spending a lot of money as long as they know they're getting what they asked for.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
18. Re:Bloomberg! Bloomberg! Bloomberg! by ole_timer · 2018-10-09 07:26 · Score: 2
  
  exactly! phishing is nearly free, but we have to spend all this money - viola, hardware exploits, buying software zero days, etc. the ends (i. e., the data) justifies all means to get it. money is not the issue.
  
  --
  nothing to see here - move along
19. Re:Bloomberg! Bloomberg! Bloomberg! by SB5407 · 2018-10-09 07:44 · Score: 1
  
  No, but there is prior evidence of tampering of Supermicro property: https://www.macrumors.com/2017...
20. Re: Bloomberg! Bloomberg! Bloomberg! by Junta · 2018-10-09 07:59 · Score: 3, Interesting
  
  It does certainly sound that the reporters behind the story are not particularly good at understanding the information they get, or else vetting their sources...
  The first story appears to be cobbled together out of misunderstandnigs spread across many sources (the number of sources then used to declare how valid it must be. Of course one of those 'sources' has come forth and said one source used a hypothetical and his role in corrobariting it was to include a picture of what a signal coupler is, showing how dodgy the story was assembled.
  This time, it's at least more straightforward, one named source with a more straightforward and more credible strategy. However it is entirely possible that the guy doesn't know what a BMC is and mistakes the errant traffic from a BMC trying to DHCP or somethnig as an overtly malicious thing. He may not recognize some component of the jack or phy or noted the NCSI lines from NIC to another chip and presumed that was snooping.
  Now it's one thing to put this out there for further investigation to get clarity, but the stories are emphatic and unambiguously making accusations which is causing the general tech market stock to move by billions of dollars and for customers to take the headlines at face value and decide things (moving from one company that was 'more chinese' than they realized to an american company with the same supply chain issues in all likelihood, even vendors making systems elsewhere generally ship circuitboards out of China). This could end up in a big defamation suit by many parties in the tech industry.
  
  --
  XML is like violence. If it doesn't solve the problem, use more.
21. Re:Bloomberg! Bloomberg! Bloomberg! by sjames · 2018-10-09 08:17 · Score: 1
  
  China fucking with the supply chain in such a ham fisted way and at the same time confining it to only one brand of motherboard is a bit odd to say the least.
  I would expect something harder to detect, harder to prove, nearly impossible to trace back, and affecting every single brand of motherboard.
  I would also expect that once it came out, a zillion tweets and blogs of OMG, I found one and a zillion me-to articles from every news outlet saying OMG these people found one. Complete with pictures.
22. Re:Bloomberg! Bloomberg! Bloomberg! by barc0001 · 2018-10-09 08:47 · Score: 4, Interesting
  
  > how they could siphon off gigabytes of data and ship it to China, presumably over network connections and through firewalls,
  That's the interesting thing to me as well. If your network and firewalls are properly designed, it shouldn't matter if your servers have a rogue little chip wanting to call home - your network should shitcan any attempt regardless.
23. Re:Bloomberg! Bloomberg! Bloomberg! by SirSlud · 2018-10-09 08:49 · Score: 1
  
  I have no evidence of this but... if you were writing those stories, why wouldn't you?
  I suspect one wouldn't because it would be a massive financial risk by one who doesn't have massive amounts of money to lose (aka some journalists)
  
  --
  "Old man yells at systemd"
24. Re:Bloomberg! Bloomberg! Bloomberg! by Gr8Apes · 2018-10-09 09:01 · Score: 1
  
  I have no evidence of this but... if you were writing those stories, why wouldn't you?
  Jail?
  
  --
  The cesspool just got a check and balance.
25. Re:Bloomberg! Bloomberg! Bloomberg! by Dr.+Evil · 2018-10-09 09:06 · Score: 1
  
  Center-right media outlet before the world went insane.
  Now you would call it "business journalism" or something.
26. Re: Bloomberg! Bloomberg! Bloomberg! by Alain+Williams · 2018-10-09 10:27 · Score: 1
  
  The clickbait ad revenue would be peanuts compared to the lost subscriptions due to them losing reputation.
  I'm not making my mind up -- I'll wait to see how this develops.
27. Re:Bloomberg! Bloomberg! Bloomberg! by jythie · 2018-10-09 10:27 · Score: 1
  
  Yeah, in general the people who have the resources to make a real profit from such a move probably do not work in journalism in the first place.
28. Re: Bloomberg! Bloomberg! Bloomberg! by mentil · 2018-10-09 10:47 · Score: 1
  
  This could end up in a big defamation suit by many parties in the tech industry.
  If that's what it takes to improve tech journalism in the MSM, then I'm all for it.
  
  --
  Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
29. Re:Bloomberg! Bloomberg! Bloomberg! by Swave+An+deBwoner · 2018-10-09 10:49 · Score: 1
  
  https://en.wikipedia.org/wiki/Market_manipulation
  
  Market manipulation is a deliberate attempt to interfere with the free and fair operation of the market and create artificial, false or misleading appearances with respect to the price of, or market for, a product, security, commodity or currency.[1] Many forms of market manipulation are prohibited in most countries, in particular, it is prohibited in the United States under Section 9(a)(2)[2] of the Securities Exchange Act of 1934 ...
  Also see the bullet point a little further down in that article on "Stock bashing".
  In short (no pun intended) I believe that it would be illegal had the reporters actually done this.
30. Re: Bloomberg! Bloomberg! Bloomberg! by Anonymous Coward · 2018-10-09 11:01 · Score: 1
  
  I know for fact the US government uses supermicro boards. Around Fall 2016 the DoD came down hard wanting to make sure all bmc on Super Micro boards were absolutely disabled, even on devices that weren't connected to any network.
31. Re:Bloomberg! Bloomberg! Bloomberg! by rtb61 · 2018-10-09 11:52 · Score: 3, Interesting
  
  Why would it be in any way shape or form outrageous, they would be logical and expected. The best supply line hack, high efficiency capacitors are smaller than low efficiency capacitors (much more expensive as well). So you can put a high efficiency capacitor in a low efficiency capacitor casing and have room left for a chip. What the chip does is check from a signal on the power flow, if it gets the right code, it shorts out the connection and the capacitor dies, taking out what ever product ie a computer it is in. So done on a broad scale you can collapse a country. The chaos, everything with that capacitor goes down, replacement computer motherboards are really difficult to order because the computers down. Get the motherboard, and if the signal is still going, once it is powered it fails.
  Get enough tainted capacitors into the infrastructure and that country goes down for months, everything goes down, it basically just lost a war it never knew it was fighting, would I trust capacitors out of China or the US in essential infrastructure, absolutely not, I would strive for all infrastructure components to be locally made. If I was supplying them to another country, I would bobby trap it all, just in case, so much fucking cheaper than a war machine and far more effective. Not happy with the supply of my tainted components, make your fucking own, or buy some other countries tainted components. US tech industries are so screwed and the US government did it to them.
  
  --
  Chaos - everything, everywhere, everywhen
32. Re: Bloomberg! Bloomberg! Bloomberg! by Anonymous Coward · 2018-10-09 13:37 · Score: 2, Interesting
  
  The presence or absence of a defamation lawsuit will clarify the truth. Plus a defamation lawsuit would require the companies filing the suit to prove the accusations are false and allow outsiders access to the technology under review for independent analysis. And China seems to be pretty quite about the whole affair since a story like this will further limit their ability to sell their technology in the US. Maybe China is afraid to say anything because they are afraid of giving Trump a bigger bat to whack them upside their head with. Not to mention the US government are reactionary morons who have already enacted regulations against both Chinese and Russian technology companies. And Congress doesn't require any proof when China or Russia is involved. The only thing the two political parties in the US agree on is giving China and Russia a hard time. However, in this instance there is really is no reason not to stick it to the Chinese. It's not like the US cannot manufacture or get similar technology from others. SE Asia is full of countries who can undercut China when it comes to taken advantage of low labor costs.
33. Re:Bloomberg! Bloomberg! Bloomberg! by Graymalkin · 2018-10-09 13:47 · Score: 2
  
  An attacker only needs to get through the defense once (for various values of once) to be successful while the defender needs to block every attack to be successful.
  A little spy chip spitting out a DNS query for an innocuous looking domain to exfiltrate data and/or grab C&C instructions from a TXT record or something might never be noticed.
  
  --
  I'm a loner Dottie, a Rebel.
34. Re:Bloomberg! Bloomberg! Bloomberg! by Aighearach · 2018-10-09 20:24 · Score: 1
  
  Money remains money, even in a weird year.
35. Re: Bloomberg! Bloomberg! Bloomberg! by Type44Q · 2018-10-09 21:27 · Score: 1
  
  It seems to me that it would mak sense to gather intel on your enemies before you whack them but what do know; you sound authoritative.
36. Re: Bloomberg! Bloomberg! Bloomberg! by BanHammer · 2018-10-09 21:29 · Score: 1
  
  You're expecting journalists to research stuff instead of telling people what to think?
37. Re:Bloomberg! Bloomberg! Bloomberg! by DeVilla · 2018-10-10 10:38 · Score: 1
  
  That seems to be getting harder and harder to do. Sure, you block incoming traffic, but more and more software is getting dependent on the "cloud" (in the somebody else's computer sense) and it's getting harder to run current software without allowing it to talk to huge swaths of internet. It doesn't matter if it's the new hot devops tools or the latest Windows. You can't run Office with a firewall without getting constant requests to phone all over the place.
  It's irresponsible that businesses have allowed this to become the norm, but it is.
38. Re:Bloomberg! Bloomberg! Bloomberg! by Aighearach · 2018-10-10 15:04 · Score: 1
  
  If the attacker has insider access to China's network, because of their national perimeter firewalls, they could put it all into queries for subdomains of any legit domain in China, and even intercept them so they don't get to the actual name server. They just disappear from the backbone, and the data goes into a database. Responses can happen the same way; the packets don't even exist inside the Chinese network, they just appear on the external interface and off they go to their destination.
  If they control intermediate servers they can even do that exact same thing using domains whose name servers are hosted in any compromised datacenter. All they need to control is one managed switch for this to happen.
  If there are already ways to catch them or not depends on details, and it is no trouble to imagine something new that wouldn't be detected by the old tests. Just like with the Olympics and drug testing.
  Time will tell if this is real, but there are no obvious limits that prevent it from being even worse than claimed.
39. Re:Bloomberg! Bloomberg! Bloomberg! by Sarten-X · 2018-10-10 15:55 · Score: 1
  
  That wouldn't be independent verification. At most, you could verify that Yossi Appleboum claims to have seen compromised servers. That's lovely, but I can also claim to have seen Bigfoot living in my data center, and it's worth about as much (though I'm not pitching a business locating rack-dwelling cryptids).
  For independent verification, we'd need a way to identify suspicious servers (like a batch of affected part or serial numbers), a real picture of the offending chip, and someone completely unaffiliated with Bloomberg to publish their analysis of the attack and how it works.
  As an alternative, providing enough detail for self-identification would also be enough. Most valuable to ops teams would be a description of the traffic when the servers phone home, so it could be detected in live environments, but even having a list of the IP addresses it tries to contact would be enough to write some NIDS rules.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
Where? by 110010001000 · 2018-10-09 05:40 · Score: 5, Interesting

Where is the evidence? They keep saying they have it. Why don't they show it?
1. Re:Where? by Aighearach · 2018-10-09 06:46 · Score: 4, Interesting
  
  Investigative reporting doesn't work that way in most cases. There are a lot of unknowns. Right now, they enhance their own research by not giving out too many details, and letting the companies involved say stupid things that might be refutable by that evidence.
  Evidence is good. Don't decide if it is actually true or not until you get it. But that doesn't imply that when you first hear about the issue, the evidence will be published, or that it is tactically wise to lead with the evidence instead of the accusation.
  If we get to the end of the story and Bloomberg says "that's all we have," that's when you can weigh the evidence they presented. If they haven't presented the evidence yet, then before you start to worry about that, you should simply check if the process has reached the end, of if the evidence is still waiting to be released. If it is still waiting to be released, there is nothing suspicious at all about the fact that you have not been given a personal viewing.
2. Re:Where? by Freischutz · 2018-10-09 08:46 · Score: 1
  
  Where is the evidence? They keep saying they have it. Why don't they show it?
  Is somebody stopping you from buying one of their products: https://www.supermicro.com/pro... ...and looking for these backdoors yourself?
3. Re:Where? by barc0001 · 2018-10-09 09:00 · Score: 1
  
  > Right now, they enhance their own research by not giving out too many details,
  Sure, but how hard would it be for them to put out a piece of proof like saying "we found this chip (pictured at right) on several motherboards of the following model that appear in Supermicro chassis x, y, z and bb." And then anyone who owns one of those can just *go look for themselves* to see if the chip is there too.
  Put up or shut up...
4. Re:Where? by slack_justyb · 2018-10-09 10:17 · Score: 1
  
  Don't decide if it is actually true or not until you get it.
  The only thing is that what Bloomberg is stating in the first story and to a much lesser degree in this current one are things that are tantamount to massive tectonic accusations. In fact, I'm really under selling it here. These claims are bigger than the second coming. So yeah, you're damn tooting I'm hyper skeptical of this story.
  
  If we get to the end of the story and Bloomberg says "that's all we have,"
  No, I think you aren't understanding the gravity of these claims. If we get to the end and Bloomberg has nothing, they need to be sued into a molten crater of nothing. That they published something like this, isn't "Oh ho hum same-o, same-o story." No this is, if this sotry proves to be false, your company is gone and your career as a reporter is ended for all of eternity. Additionally, the editor and everyone else who touched this story before it was actually printed should have their careers ended in the most spectacular way. And trust me I'm still seriously underselling how massive these claims are. If Bloomberg's story is true, they've single handedly uncovered the biggest story in tech/spy since Edward Snowden. And I would dare say that this revelation is bigger than that by several orders, if true.
  So yeah, they need to pony up some hard proof ASAP. because I'm pretty sure some atom bomb sized libel suits are going to be coming their way at twenty orders of magnitude faster than Bloomberg is putting out updates. Bloomberg's claims are Earth shattering for the tech industry, there will literally be repercussions that will change things for forever, if ture. Those claims have the potential to end companies (and we've seen supermicro's stocks in free fall) and end them no matter size. So yeah, I'm going to need a lot more than "claims" for this one. This is way, way, way, way, way, way past the threshold of standard level of skepticism. Like we're not even in the same ballpark here, we're not even in the same galactic supercluster here for standard level of skepticism. If the saying is shit just got real, like this is where the shit transcends corporeal existence. And after all of that, I'm still really understating how massive these claims are.
Plenty of evendince of this is real by supercell · 2018-10-09 05:43 · Score: 5, Informative

I had SMCI stock in 2017 and sold it after reports that Apple dropped them when they found serious security issues with their servers.
Now Apple and others claim they have no idea what Bloomberg is talking about. Clearly something was installed on Supermicro servers to cause Apple and others to stop using them.
Report from early 2017
https://www.marketwatch.com/st...
1. Re:Plenty of evendince of this is real by mujadaddy · 2018-10-09 05:48 · Score: 4, Interesting
  
  Correct: Bloomberg's reporting is lagging real events, but Apple & Amazon haven't come up with a better explanation of why they switched hardware at that time.
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
2. Re: Plenty of evendince of this is real by Anonymous Coward · 2018-10-09 05:54 · Score: 1
  
  The problem is that Apple (Google, etc.) is stuck between contenders who are State actors, two of which (the US and China) can make life very difficult for any company who decides to call them out. So they play a game of mitigating risk whenever itâ(TM)s found without actually calling out the State actor for nefarious activity. Instead, they cut ties with the corporate entity that is left holding the bag. In this case, itâ(TM)s SuperMicro who let their Chinese operations become overrun by the Chinese government.
3. Re:Plenty of evendince of this is real by mujadaddy · 2018-10-09 06:47 · Score: 1
  
  The story is a plant. The Trump admin is
  The source of the story is an ex-Mossad spook with ex-Mossad spooks on the corporate board. "Trump" is too simple of an answer, but you may not be on the wrong track...
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
4. Re:Plenty of evendince of this is real by Rick+Schumann · 2018-10-09 06:47 · Score: 1
  
  Here's how I see this so far: If it's all true, then Apple and anyone else would be nuts to just blab about it all to the media right away, because if it is true then it means not only a gigantic percentage of the Internet in general is compromised, it also means that critical infrastructure is compromised, as well as government and the military, and not just here in the U.S., but in every 1st-world country, and anywhere else in the world, too. There'd be a panic, and rightly so, because it would mean someone out there almost literally has a Big Red Button they could press and bring everything to it's knees. Think 'cyber-doomsday weapon'.
5. Re:Plenty of evendince of this is real by Aighearach · 2018-10-09 06:49 · Score: 2
  
  And yet, they do offer an explanation they claim is not only better, but true! That it was only a software issue. They said that in response to the first Bloomberg story. So now Bloomberg is doubling-down on that part.
6. Re:Plenty of evendince of this is real by mujadaddy · 2018-10-09 07:00 · Score: 1, Interesting
  
  ...it was only a software issue...
  Sorry, jack: there's not any claim by Amazon or Apple that there even WAS an issue. Try again.
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
7. Re:Plenty of evendince of this is real by afidel · 2018-10-09 07:36 · Score: 1
  
  It was a hacked driver file on their public FTP server which was downloaded to a single Apple lab machine. All the details are out there. That wasn't the reason that Apple dropped them, it was purely price. When you order your servers by the container ship it's cheaper and more efficient to go to the ODM and have them build to your specifications thus cutting out the middle man and features that your use case doesn't require (like LOM cards, when you have a redundant array of inexpensive datacenters you don't care if an individual server has issues, you pave the OS and reboot, if that doesn't fix it you power it down and have it replaced when the rack gets too old or has too many failed units)
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
8. Re:Plenty of evendince of this is real by Anubis+IV · 2018-10-09 11:03 · Score: 3, Interesting
  
  I had SMCI stock in 2017 and sold it after reports that Apple dropped them when they found serious security issues with their servers.
  Going by that, the timeline would be that these companies discovered malicious hardware in 2015, kept thousands of those servers in service for two or more years, and only then decommissioned them. Does that make any sense at all?
  Instead, if you read their initial responses to what Bloomberg published, they actually say more than that "they have no idea what Bloomberg is talking about". For instance, Apple provides an alternative explanation for Bloomberg's confusion:
  
  [...] Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
  Apple dropped SuperMicro shortly after that incident, making it a much more likely cause for the falling out. Likewise, Amazon cites firmware issues with SuperMicro boards in their response, though you'll note that they were still using SuperMicro boards in 2018:
  
  Additionally, in June 2018, researchers made public reports of vulnerabilities in SuperMicro firmware. As part of our standard operating procedure, we notified affected customers promptly, and recommended they upgrade the firmware in their appliances.
  All of which is to say, nothing about Bloomberg's story makes any sense. The timeline makes no sense, none of the alleged victims has anything to gain by lying, one of their only named sources has come out saying he doubts the story, literally every company or agency allegedly involved has said it's untrue, and Apple has even gone so far as to formally inform Congress that inasmuch as the story pertains to them it's untrue, while additionally affirming via press releases that they are not under a gag order or anything else of the sort.
  Someone's credibility is going to take a nosedive after the dust settles from this, and I expect that it will be Bloomberg's.
Evidence? by Anonymous Coward · 2018-10-09 05:47 · Score: 1

Can they a least release the damn documents.
If they don't want to compromise the company just obfuscate the names with a fucking marker.
o better yet where this devices are for god sake.
1. Re:Evidence? by Anonymous Coward · 2018-10-09 06:01 · Score: 1
  
  Because it might not be what you or I would think. What if those chips weren't planted by the Chinese but some other IO? What if releasing that information would expose some intelligence agents that are on someone's side? What if they don't want to expose that they know who these agents are? What if the whole story is bull shit and they don't want to expose their propaganda? Many options for why they wouldn't want to release that info.
2. Re:Evidence? by Anonymous Coward · 2018-10-09 06:16 · Score: 1
  
  While the American government spent a decade bumbling around with regulatory requirements for protocol backdoors, compulsory cooperation including gag orders, etc....
  China just baked into the hardware, and shipped it all over the world.
  I think it is quite clear which country has the more technically literate government.
I have a load of SuperMicro gear by guruevi · 2018-10-09 05:52 · Score: 3, Interesting

Also from that era that they say. I haven't seen anything anomalous. The fact is that some of their IPMI stuff is vulnerable and they're not updating the firmware (eg. old versions of Dropbear SSH), so if you leave it on the Internet, it may get compromised.
On the other hand, I also don't leave that stuff on a routable VLAN. If it tries to connect to anything (and I haven't seen it reach out), I'd notice and it wouldn't work anyway. Sure the IPMI has some hooks into the rest of the hardware so it is potentially capable of doing 'weird stuff' to my Linux or Windows kernels (although it'd have to be pretty smart to intercept keyboard authentication, wait for someone to be away from the keyboard, automatically replay credentials, then load a workable kernel module to do that) and have the OS compromised do the dirty work, but then again, I haven't seen anything there either and we've used various integrity and antivirus systems from TripWire, Sophos and Cylance that probably would've noticed.

--
Custom electronics and digital signage for your business: www.evcircuits.com
1. Re:I have a load of SuperMicro gear by ole_timer · 2018-10-09 06:25 · Score: 4, Insightful
  
  you have no ip worth stealing...why would they go after you?
  
  --
  nothing to see here - move along
2. Re:I have a load of SuperMicro gear by Aighearach · 2018-10-09 07:01 · Score: 1
  
  Uhm, if somebody put a hardware backdoor in one of the chips on the board, and as far as you know hasn't activated it, why would you expect to see anything "anomalous?"
  That you consider that to be information with value really discredits your analysis as a whole.
  And you're simply wrong that it needs to "reach out" in a detectable way to be a problem. In fact that's the difference between a hardware backdoor and a software one! The software one has to go through whatever networking you have set up. The hardware one could be doing almost anything, and you have no idea. It could be activated wirelessly through a passive wifi-band antenna that you didn't even know was hiding inside what otherwise looks like a port buffer IC, and that signal could be coming from nearby mobile devices that were also backdoored. There is no reason at all to presume that a major nation-state attacker would not be able to achieve that given the nature of the accusation. It could have already been activated and exfiltrated all your data without you even knowing.
3. Re:I have a load of SuperMicro gear by ArchieBunker · 2018-10-09 07:02 · Score: 2
  
  Who in the hell exposes their management consoles to the outside world?
  
  --
  Only the State obtains its revenue by coercion. - Murray Rothbard
US Government does not want egg on face by Anonymous Coward · 2018-10-09 05:53 · Score: 1, Interesting

The US government is going to bury this at all costs, either because it doesn't want egg on its face, or because it is complicit in this hacking. Perhaps these devices were installed at the behest of the NSA and the Chinese simply redesigned them to also send info to the Chinese government.
Not implausible, if you ask me.
1. Re:US Government does not want egg on face by TechyImmigrant · 2018-10-09 06:52 · Score: 1, Insightful
  
  >The US government is going to bury this at all costs
  The US government would love a culture of suspicion of foreign built hardware to develop.
  That's one plausible source of the story.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
2. Re:US Government does not want egg on face by jeff4747 · 2018-10-09 07:38 · Score: 1
  
  Perhaps these devices were installed at the behest of the NSA and the Chinese simply redesigned them to also send info to the Chinese government.
  Because when I want to implement my super-secret and highly illegal surveillance program, I turn to a hostile government to implement it. :eyeroll:
3. Re:US Government does not want egg on face by Freischutz · 2018-10-09 08:55 · Score: 1
  
  >The US government is going to bury this at all costs
  The US government would love a culture of suspicion of foreign built hardware to develop.
  That's one plausible source of the story.
  Too bad for the Trump admin then that there is already a culture of severe suspicion of domestically made US hardware after the NSA bugging revelations. Now that it seems everybody is spiking computer hardware with spy chips I suppose we can always follow the example of the Russians and their intelligence services, they keep all their most sensitive data on paper and replicate it only with typewriters.
4. Re:US Government does not want egg on face by AHuxley · 2018-10-09 12:14 · Score: 1
  
  The US government would not get caught on the "internet" and allow its collect it all to be discovered.
  Sending the information back over the internet is not without risks. Use a person to collect data.
  Transmit the data out over a short distance not using the "internet"
  
  Smart and skilled people notice extra data moving to strange places along their networks out to the internet.
  
  --
  Domestic spying is now "Benign Information Gathering"
Might not be just Supermicro by caffeinejolt · 2018-10-09 06:02 · Score: 5, Interesting

The article states:

The executive said he has seen similar manipulations of different vendors' computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim -- so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That's the problem with the Chinese supply chain,” he said.

According to the original article - the alleged Chinese culprit chip exploited via the BMC. Aspeed is the company that makes 99% of the BMC controllers in Supermicro boards. If China really did go through the trouble to develop a chip to exploit via Aspeed controllers.... why limit themselves to Supermicro? I know at least Tyan and Lenovo also use Aspeed. From China's intelligence perspective, they would want a solution that could work across multiple board vendors.

According to latest:

Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.

Really wish they would give us more to go on than just that. Not sure about other Slashdotters, but I have Tyan/Supermicro/Insert-Taiwanese-Motherboard-Manufacturer boards in production, and would really appreciate more information on what to look for.
1. Re:Might not be just Supermicro by ole_timer · 2018-10-09 06:28 · Score: 1
  
  phone homes with encrypted data - but covert channels are notoriously hard to find.
  
  --
  nothing to see here - move along
2. Re:Might not be just Supermicro by ole_timer · 2018-10-09 06:29 · Score: 1
  
  the phone homes could be extra data in an email to a hop point...
  
  --
  nothing to see here - move along
3. Re:Might not be just Supermicro by TechyImmigrant · 2018-10-09 06:55 · Score: 2
  
  >Really wish they would give us more to go on than just that. Not sure about other Slashdotters, but I have Tyan/Supermicro/Insert-Taiwanese-Motherboard-Manufacturer boards in production, and would really appreciate more information on what to look for.
  It doesn't add up.
  Why would you put your trojan chip in the ethernet connector? It's away from the signals you want to get to - serial and/or usb wires to get at UEFI. Trying to cram and ethernet stack, phy and the drivers into a tiny package to get at a much harder but to crack is not how you would do it. It's also inconsistent with the first story.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
4. Re:Might not be just Supermicro by mujadaddy · 2018-10-09 07:02 · Score: 1
  
  It's also inconsistent with the first story.
  Because it's a different set of hardware supply hacks.
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
5. Re:Might not be just Supermicro by TechyImmigrant · 2018-10-09 07:14 · Score: 1
  
  It's also inconsistent with the first story.
  Because it's a different set of hardware supply hacks.
  Yes. And a less technically logical one. Could you fit a 10G transceiver, phy, mac and stack inside the connector? Why would you? Consider equivalence to plugging your trojan into the back panel - you could pick the ethernet, or the USB. The USB gives you keyboard access and a low effort way to subvert the machine before it's provisioned.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
6. Re:Might not be just Supermicro by mujadaddy · 2018-10-09 07:18 · Score: 1
  
  Granting all the following: the public doesn't have any information on this; this second story is much less 'frightening' than the first.
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
7. Re:Might not be just Supermicro by jeff4747 · 2018-10-09 07:49 · Score: 2
  
  Why would you put your trojan chip in the ethernet connector? It's away from the signals you want to get to - serial and/or usb wires to get at UEFI
  Option 1: There's no requirement that there be no connection from this chip to another part of the computer. If you're planting rogue hardware in one thing there's little reason to believe you can't plant rogue hardware elsewhere.
  Option 2: PXE boot attack.
  Option 3: Their desired attack vector only uses this additional chip, the chip itself isn't the attack vector. After all, where do you get that BIOS image? Or the firmware on the rest of the motherboard's chips? Or perhaps you need the server to receive a malformed packet to implement an exploit of some other process, but that malformed packet can't survive routing.
  Option 4: This isn't for spying. Cut off all packets or scramble some packets and you've effectively disabled the server.
8. Re:Might not be just Supermicro by iCEBaLM · 2018-10-09 08:08 · Score: 1
  
  Why would you put your trojan chip in the ethernet connector?
  Because that's generally where the aspeed BMC is, which has access to everything. The BMC has a dedicated/shared ethernet port for remote management.
9. Re:Might not be just Supermicro by TechyImmigrant · 2018-10-10 07:10 · Score: 1
  
  I'm talking about the electronics.
  An ethernet port has a MAC, PHY, transceiver and connector. The connector, transceiver and MAC+PHY are usually separate chips because of the different silicon needs for analog signalling and digital processing. The claim is that they stuffed all this into the connector. Maybe, but this is all to get at a config interface that you typically can get to through serial or usb wires that are comparatively trivial to latch onto.
  All they had to do was show us the electronics so we could see for ourselves. But they didn't. Why not?
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
#gifs by Anonymous Coward · 2018-10-09 06:03 · Score: 2, Funny

Pics or it didn't happen.
1. Re:#gifs by TechyImmigrant · 2018-10-09 07:00 · Score: 1
  
  Pics or it didn't happen.
  This
  Pics and network traces diffed with/without the trojan.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
2. Re:#gifs by TechyImmigrant · 2018-10-09 09:35 · Score: 1
  
  Not quite the last. I've worked HW trojan analysis before. That's why I have opinions.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Bloomberg getting desperate ... by Pinky's+Brain · 2018-10-09 06:31 · Score: 1, Interesting

This is an interesting story and all, but a targeted attack on a single machine using interception doesn't really make it likely there was compromise of Supermicro's supply chain at the factory level.
We know NSA intercepts Cisco routers, but that doesn't prove Cisco intentionally backdoors their machines for them in the factory.
1. Re:Bloomberg getting desperate ... by mujadaddy · 2018-10-09 06:44 · Score: 1
  
  a targeted attack on a single machine using interception doesn't really make it likely there was compromise of Supermicro's supply chain at the factory level.
  The "single machine", according to the story, had a false ethernet port manufactured into it. What is your more likely explanation?
  
  Interestingly, though, the named source for this article is an ex-spook for Israel. We are definitely in Hardball territory with this one, kids.
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
2. Re:Bloomberg getting desperate ... by Pinky's+Brain · 2018-10-09 06:52 · Score: 1
  
  Interception and a soldering iron.
3. Re:Bloomberg getting desperate ... by mujadaddy · 2018-10-09 06:58 · Score: 1
  
  "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.
  Now, he may be wrong, but your partial version of events is not what the article's partial version of events is.
  
  --
  Populus vult decipi, ergo decipiatur...
  "Force shits upon Reason's back." - Poor Richard's Almanac
4. Re:Bloomberg getting desperate ... by ffkom · 2018-10-09 09:54 · Score: 1
  
  We know NSA intercepts Cisco routers, but that doesn't prove Cisco intentionally backdoors their machines for them in the factory.
  Given that recently every month or so a new back door was found in Cisco's products, one could say we know for sure they are at least unintentionally backdoor their machines.
5. Re:Bloomberg getting desperate ... by bongey · 2018-10-09 11:10 · Score: 1
  
  Problem in China there is no such thing as privately owned and the government can do what ever it wants at anytime. Crap China kidnapped , I mean 'arrested' the head of Interpol without telling anyone. Interpol had to beg China to finally say he was arrested two weeks ago when he came home. https://www.cnn.com/2018/10/09...
6. Re:Bloomberg getting desperate ... by Swave+An+deBwoner · 2018-10-09 11:11 · Score: 1
  
  From TFA:
  
  The goal of hardware implants is to establish a covert staging area within sensitive networks, and that's what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client's security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio's team was not able to perform further analysis on the chip.
  "... multiple rogue electronics also detected on the network" ... ?
  "... alerted the client's security team in August, which then removed them for analysis"?
  This is beginning to sound a little different from "Supermicro sent us a bugged motherboard".
Re:time to make stuff in the USA! by Sarten-X · 2018-10-09 07:07 · Score: 1

...Why? Are Americans somehow incapable of being bribed to tweak a design? Does spending more on American parts mean your engineers are more likely to actually read the instruction manual and change defaults? Is an American developer going to oppose when their boss tells them to store passwords in plaintext, because the deadline's approaching and they refuse to delay for something the customer will probably never notice?
Checking the country of origin is a poor proxy for security. All it really means to have American sources is that when there's a breach, an American company has a slim hope to blame another American, and have a public trial to deflect the blame from their own mistakes.
Buy from whoever makes a quality product and shows the most interest in staying up-to-date with the latest security developments. Assume that all parts (including humans) will generally work as promised, but design your system with defense in depth, so any compromised subsystem will be blocked by other layers of protection.

--
You do not have a moral or legal right to do absolutely anything you want.
Completely incredible... by rthille · 2018-10-09 07:55 · Score: 5, Informative

"Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones."
Take a look at a google image search for "motherboard" and see if you can find an RJ-45 socket that doesn't have a metal shield around it for RF blocking.

--
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
1. Re:Completely incredible... by tsqr · 2018-10-09 08:17 · Score: 1
  
  "Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones."
  Take a look at a google image search for "motherboard" and see if you can find an RJ-45 socket that doesn't have a metal shield around it for RF blocking.
  OMG! They've all been hacked!! Run for your lives!!!
2. Re:Completely incredible... by Trogre · 2018-10-09 13:30 · Score: 1
  
  Plastic connectors.
  Do your motherboards by any chance have the words, "Fisher Price" stamped on them somewhere?
  
  --
  "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Re:time to make stuff in the USA! by Sarten-X · 2018-10-09 08:16 · Score: 2

Put in a tightly-configured firewall so your data doesn't get sent anywhere without your approval.
Keep management systems isolated so the data-holding servers can't modify that firewall.
Don't rely on tightly-integrated single-source solutions, so one vendor being compromised won't leave that firewall ineffectual.
Maintain independent layers of security that protect in case of another layer's failure.
That's defense in depth.

--
You do not have a moral or legal right to do absolutely anything you want.
The CEO says keep it secret. by emil · 2018-10-09 11:11 · Score: 3, Interesting

Do you think that your corporate security team wants to admit that you were infiltrated?
The first dozen companies that admit this will likely see their stock price decline. Do you want your company to go first?
1. Re:The CEO says keep it secret. by MachineShedFred · 2018-10-10 01:30 · Score: 2
  
  Yeah good plan, because it always goes better when they try to cover it up and instead get hauled in front of Congress, testifying under oath.
  What does that do to the stock price?
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
The Register also discussed this... by emil · 2018-10-09 11:23 · Score: 1

...in their first article on the subject:

A third thing to consider is this: if true, a lot of effort went into this surveillance operation. It's not the sort of thing that would be added to any Super Micro server shipping to any old company – it would be highly targeted to minimize its discovery. If you've bought Super Micro kit, it's very unlikely it has a spy chip in it, we reckon, if the report is correct. Other than Apple and Amazon, the other 30 or so organizations that used allegedly compromised Super Micro boxes included a major bank and government contractors.

There is a second article with the latest details.
1. Re:The Register also discussed this... by ole_timer · 2018-10-09 12:17 · Score: 1
  
  just like we did to them with cisco routers etc. not everyone.
  
  --
  nothing to see here - move along
Re:Silly Chinese by Ungrounded+Lightning · 2018-10-09 12:11 · Score: 2

Why put the chip on the Ethernet connector? You know this doesn't decrypt encrypted traffic.
To give it the ability to exchange command-and-control traffic with a remote controller while keeping it from the rest of the system (by "eating" the incoming packets for itself without handing them to the processor's stack, and sending outbound packets directly, again without processing them through the rest of the system.)
This is both convenient, and lets the C&C communicate with the victim box even when the bulk of the victim is shut down.
The Ethernet controller has lots of processing power to play with once it's subverted, control-channel access to the board management system, and already has power-when-the-system-is-down specifically so it can hear the wake-on-LAN packets and bring the machine up to full function - one less mechanism to build.
That's exactly what Intel did when they first started doing Management engines. It was only later versions where they moved it in deeper.

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Maybe they just saw Intel AMT traffic. B-) by Ungrounded+Lightning · 2018-10-09 12:19 · Score: 1

TFA says: "Unusual communications from a Supermicro server ..." and on inspection the Ethernet hardware looked odd.
Maybe they just saw some Intel AMT traffic and components. B-)

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Question is by nehumanuscrede · 2018-10-09 14:33 · Score: 1

Will anyone admit to being compromised by such a thing, if the story turns out to be true.
The impact on stock prices alone will probably keep companies from disclosing anything if they have any say so in the matter.
If you live in the US, you can't really be outraged about what China is doing when we have the NSA intercepting Cisco* hardware and tampering with it before shipping it on to the end customer. ( *Cisco is the only one we know about, who knows what else they have their hands in )
This is something everyone needs to think carefully about.
How much do you trust your supplier and what happens when relations with your supplier takes a bad turn ?
Still think relying on a single source for the majority of your goods is a great idea ?
Bullshit meter DINGDINGDING by lindseyp · 2018-10-09 14:34 · Score: 1

NO! The first story was 'anonymous sources', who failed to provide any evidence or samples of the alleged hardware. Multiple credible sources have spoken up to refute the claims that they used tainted hardware or even found any such hack despite inspections.
THIS time, the only source on record is a 'security' company that seems to be staffed/directed entirely by ex CIA and Mossad operatives. They obfuscate their claim by refusing to name the actual company, and again fail to deliver any evidence.
You'd think that if Supermicro were shipping these hardware-hacked boards in bulk, as suggested by the original article, that some shred of evidence would be forthcoming.

--
j'ai découvert une démonstration vraiment admirable (de ce théorème général) que cette si
when the chinese secret service calls.... by lkcl · 2018-10-09 14:48 · Score: 1

.... you don't say no. if you recall i think it was "Kingsmen", samuel jackson saying, "y'know, the chinese secret service is so secret it doesn't even have a name?" that's because it's operated along isolated cell network lines. *not even the chinese government* can contact those independent cell networks! the only way to "contact" them is for the chinese government - just like everyone else - to make a bit of a fuss, publish a press release and hope like hell that the relevant cell happens to be reading the local or national news.
"Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server's Ethernet connector"
translation: someone from an unidentifiable cell called someone in supermicro up, and sai something along the lines of, "we know where you live, we know where your children go to school. we know the manager at the bank and how much is in your bank account, and we know where the bank manager lives as well. now, _about_ those servers you ship to the USA..."
Re: time to make stuff in the USA! by Sarten-X · 2018-10-09 16:40 · Score: 1

The whole point if this is that if they have a chip in your infrastructure, you have no defense.
That's the defeatist attitude that is so harmful to having meaningful security discussions.

Outward blocking firewall is great, unless they have their chip in it in which case they can be running an invisible proxy, or secret port knocking activated by other chips to trigger a "please forward this traffic".
But that means they need two chips, in two appliances, from probably two vendors, with two separate supply chains. For the price of bringing in a second-source vendor, you've doubled their attack cost.

Any defense you can implement, I can undermine for 1% of the effort
I think you mean "I can trivially move the goalposts a bit further".

if I already have access to the hardware via these exploits/backdoors and vulnerabilities.
Or in other words, "If everything is already completely breached, then everything is already completely breached, so everything will always be completely breached". Never mind that new designs are always being produced, new non-corrupted supply chains are being forged, and new mitigations keep being developed. In the real world, compatibility between published protocols is rare. What makes you think that different hardware tools, built by different intelligence teams at different times, will be compatible in any meaningful way?
The government-backed attacking engineers still have bureaucracy. They have a committee dictating how their chips will work. They have software bugs. They make mistakes. It's simply not realistic to assume that developing a widespread hardware-based attack is going to be something any organization can consistently execute while maintaining the extreme precision required for secrecy.

Hell, I breached hypervisors in the Virtual PC days before and after MS bought them. The Intel IME public disclosure invalidated a lot, but not all, of my private... extra curricular... access tools. Now you can breach it as a script kiddy.
Well, that's fantastic, but you still need to get your code to the system to run it... Then you need to have an analysis of what you're running on, and an exfiltration... A breach is just a tool. To make it an attack requires tactics, which I see as more opportunities for defense.

--
You do not have a moral or legal right to do absolutely anything you want.
that's directly from NSA's playbook by sxpert · 2018-10-09 17:35 · Score: 2

implant in ethernet connector point to NSA's ANT catalog,
either "COTTONMOUTHIII" https://nsa.gov1.info/dni/nsa-...
or "FIREWALK" https://nsa.gov1.info/dni/nsa-...
this whole thing sounds more and more suspicious by sxpert · 2018-10-09 17:40 · Score: 1

It looks as if someone is attempting to raise anti-china sentiment, with the goal of getting USA manufacturing back in shape... surely it couldn't be the US governement (haha)...
Yossi Appleboum, BB's source for second story, hat by deaddeng · 2018-10-13 01:35 · Score: 1

Yossi Appleboum Disagrees with How Bloomberg is Positioning His Research ...
ServeTheHome â ... â Other Components

--
--- .085 as cool; proving that a little knowledge is dangerous