Super Micro Says Review Found No Malicious Chips in Motherboards (reuters.com)
Computer hardware maker Super Micro Computer told customers on Tuesday that an outside investigations firm had found no evidence of any malicious hardware in its current or older-model motherboards. From a report: In a letter to customers, the San Jose, California, company said it was not surprised by the result of the review it commissioned in October after a Bloomberg article reported that spies for the Chinese government had tainted Super Micro equipment to eavesdrop on its clients.
Well, if the most incompetent tech company on the planet says they have no backdoors, "accidental" or not, then I guess they must be telling the truth and can be fully trusted.
Citation needed.
I did not know we were talking about HP.
We've investigated ourselves and found we have done nothing wrong!
We're not. You must be thinking of Dell.
Intel CPUs have the Management Engine, which is a copy of Minix running at a lower level than you can access. It also has Wi-Fi built in, so it can communicate with the smart meter. I don't think AMD is a whole lot better.
That's odd; from the summary it's hard to tell that this article is about Microsoft.
First, keep in mind that if any customer data was leaked, it would be a PR disaster of epic proportions for companies that use these servers. YET all the major players that use Super Micro servers (Apple, Amazon, etc.) deny there is an issue. At some point, you all need to give up on this lameness.
I fully expect the next news report to be, "Supermicro computers discovered in second audit to have been compromised by auditing company. The first audit company, itself secretly compromised by {insert government-of-paranoia-choice-here}, was found to have tampered with the master copies of the bootloader firmware during its on-site privileged access to Supermicro's headquarters."
Who will guard the guards themselves?
On this story, and the previous stories on this topic, a lot of posters have doubted the denials from Super Micro, Apple, Facebook and the various government agencies. I suspect this independent audit won't convince them, either.
So my question for the assembled multitude is this: What would be -sufficient proof- this didn't happen? Or is this one of those things where you won't accept any explanation from "the deep state"/"vested interests"/etc?
This is a significant issue for tech in general, as we need some widely accepted way to show systems are free from hidden vulnerabilities.
You have obviously never had the pleasure of returning several HP laptops and having them lost for months. In fact every HP laptop I have had has had its motherboard replaced at some point.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Maybe HP packaging.
At the base level it doesn't make any sense. Most of these companies are based in Taiwan. Taiwan and China don't exactly get along. Just because China claims to own Taiwan doesn't mean its government, or any businesses, act that way.
It could be that China had moles in these companies and surreptitiously put "spy chips" in the boards, but it would be a relatively large conspiracy within the company, as it would involve purchasing managers, board layout techs, manufacturing engineers, electrical engineers, QA people, etc...
While I'm not usually part of the conspiracy crowd, I'll make an exception for this one. Did anyone expect an internal investigation of Supermicro to yield anything but an "innocent" verdict? Can you imagine the damage to Supermicro's brand had any other result been released?
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
I've dealt with several HP computers directly over the years, some laptops and otherwise, and am familiar with dozens of others who have had HP computers as well.
I have *no* impression that HP equipment is less reliable than any other brand of computer. I think the total number of samples within my awareness is about 30-50 computers. Yes, some have died or have had parts die, but not that many.
I don't have direct experience with any repair attempts on any of this equipment, though.
Anecdotally speaking, I have had great experience with my Super Micro servers for more than 15 years.
Greed is the root of all evil.
The biggest red flag on the Bloomberg report is that it's a sorry hack attempt. To put an additional chip on a board that can easily be caught with automated visual scans (i.e. computer vision) is just sloppy and stupid. There are so many other ways to compromise a MB without leaving a visual trace. Plus, given the Intel CPU bugs, why go through the hassle? You can more easily root an OS without leaving physical evidence. A good attacker knows how to erase their digital footprint. If it really was the Chinese government, I seriously doubt they'd be that stupid. From a spying perspective, none of the big countries with the resources would choose such a stupid attack.
Generally Bloomberg is pretty reliable, so one wants to give them the benefit of the doubt. And they must think their sources reliable enough to make them worth protecting. But at this point it seems like they do need to defend their certainty more.
Super Micro presumably can only inspect the boards it has now, not the boards it shipped. It could try recalling some of those, but if the infiltration was selective and rare that might not be possible. For example, if a few of the boards shipped to, say, the NSA were modified, a sampling might not find them, and the NSA would never let a board leave their facility once it goes into use. So that could be the discrepancy here. The China-modified boards might very well have been shaped to mainly go to orders for targeted customers.
It seems like getting to the bottom of this would be useful.
A good place to start would be those photos accompanying the Bloomberg article. They showed a specific chip on a specific board. So where did that photo come from, and is the circled chip really what they claim? That presumably is answerable.
Some drink at the fountain of knowledge. Others just gargle.
I guess a Slashdot anonymous coward must have an opinion that is worthwhile... Oh wait, you don't. Meanwhile the company in question is hugely successful.
They are just too small to see. Anyway, it is in Supermicro's best interest to say they didn't find any.
That photo they showed was not the actual chip, just a mockup of what it might look like. They made that fact hard to find in the captions. For anything new to get uncovered with this story, one of the sources for the Bloomberg story needs to come forward with more information. Or some other engineer from Amazon/Elemental/Apple who was supposedly involved in the detection of the chip. The article was written like breaking news with the assumption that more information would imminently become public, but that hasn't happened. Additional denials by Supermicro, Apple, Amazon, or governments don't really add to the discussion.
Yeah, the whole story has sort of come apart with Bloomberg and these so-called spyware chips. Journalism is so bad these days; they print stories with not much more than an anonymous source for evidence. It would be better to have some physical evidence of these chips to provide better proof.
The photo is a stock photo of a standard signal conditioning chip used on Ethernet ports. It has nothing to do with Bloomberg's allegations. One of their sources who provided information on how such an attack might theoretically take place suggested such a chip might be made as small as a signal conditioning chip, and provided a link to a stock photo of such a chip. Bloomberg just used that stock photo in their article as the supposed malicious chip. Bloomberg's article is manufactured out of whole cloth. Listen to Risky Business' podcast on the issue, with an interview with the source of the photo.
I seem to remember a news story from almost a decade ago about a surreptitious monitoring chip installed in a laptop, connected to the laptop's keyboard. This may have been a targeted attack, and not an infiltration of the supply line. Personally, I believe the unknown keyboard chip wasn't any kind of listening device, but rather some compatibility device to make the keyboard work.
I have some doubts about how a tiny "grain of rice sized chip" can both send and receive data on the wired Ethernet port (differential signals) without actually BREAKING the lines and inserting itself into the path. Also, it wouldn't magically have FULL CONTROL of the PC, but would only be able to retransmit the data that was coming in/going out of the Ethernet port to another IP address.
Have gnu, will travel.
This is the same Bloomberg that runs news stories suggested by Wall Street elites to pump and dump stocks. This is the same Bloomberg that is the unofficial marketing arm of Wall Street. This is the same Bloomberg that has been saying regulations aren't needed anymore because the market can regulate itself, except that they know it can't. So what good evidence do you have that Bloomberg is anything more than a Wall Street marketing machine?
The Bloomberg claim is that all motherboards (or at least certain models) were backdoored. If true, there are millions of examples in the wild, and no reason they can't post teardown pics showing the secret spy chips. Third parties would quickly confirm.
Pics or it didn't happen.
Part of the propaganda war that is going on between US & China.
Fake news (I do hate that cliche; smells bad).
Why do you need chips when you can hide anything in firmware? Show me a single motherboard OEM which releases source code. Also, not only motherboards contain firmware, NICs and storage devices have them too. There are just too many places where you can hide something which makes your hardware easily exploitable.
I've also had several Super Micro and have been very happy. Especially given the pricing.
Unlike HP etc, Super Micro only makes servers. They don't make laptops and mp3 players and crap for Best Buy. Everything they do is designed for the data center.
And on other news, the Chinese investigated and found there is no pee pee in your coke.
So drink up worry free!
Be that as it may, the intercept Bloomberg is speculating about would have had no ill effect on your "user experience".
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
The worst industrial disaster in history is the Bhopal disaster caused by Union Carbide, now a fully-owned subsidiary of Dow Chemical. Around 4,000 people died instantly, and ~500,000 people were injured. This is a higher casualty count than all the "chemical warfare" in the Middle East combined. After 5 years of litigation, Union Carbide paid $470 million to settle the case. UCC Chairman Warren Anderson was flown out of India immediately, and none of the UCC American owners and corporate officers have ever spent a day in jail.
The worst environmental disaster in history is the Exxon Valdez oil spill. 35,000 tons of oil were released close to the coastal habitat of salmon, otters, seals, and seabirds, covering 1,300 miles of coastline and 11,000 square miles of ocean. 22 orcas, 3,000 sea otters, and a quarter million sea birds were wiped out. After 20 years of litigation, Exxon paid ~$500 million in punitive damages. The boat captain got community service. None of the Exxon executives has ever spent a day in jail.
The worst financial disaster since the Great Depression is the financial crisis of 2007–2008. Triggered by the subprime mortgage collapse in the US, the DJI dropped from a high of ~14,000 to a trough of 6,600. The financial crisis spread from the US to the rest of the world and wiped out an estimated $2.8 trillion from financial institutions, of which about $1 trillion came from the US banks, and the rest from Europe and Asia. Most countries in the world have still not recovered to this day, but Wall Street was awarded a $700 billion bailout immediately (Emergency Economic Stabilization Act of 2008). None of the Wall Street bankers has ever seen a day in jail.
If this is true then I must demand a refund.
Coke Is It.
So where the hell does this leave us then? People have been speculating about hardware hacks for decades really, but no one has ever demonstrated or shown one, beyond keyloggers.
I see several possibilities:
1) Supermicro performed a rather cursory audit. They probably don't want to be known as "the unreliable, compromised company", so this is plausible. And practically they can't do much more than a sampling audit anyway.
2) Supermicro themselves were compromised and were in on the hack somehow. Even if it was just part of the company, someone might be paid off or intimidated into cooperating at Supermicro.
3) Bloomberg is entirely wrong. Maybe their source had some kind of axe to grind and decided to lie to generate a story. Pick your victim here. Supermicro? The Chinese government?
4) Bloomberg is right and so is Supermicro. This is plausible if the hack was very limited, and maybe even targeted to a specific customer, or a specific set of customers. Do you think we'd find one compromised server, or 10, or even 100? The numbers work against you here.
And with all these backdoor chips there's no evidence of them calling home from the major corporations using them?
Wait... so they couldn't detect them? This is getting scary!
I evaluated SuperMicro recently; their firmware update practices seem garbage. They actively advise users to avoid updating firmware and seem to make it as difficult as possible. Don't even get me started with their poor quality OOB remote access stuff like Redfish etc.
The Indian government was partially responsible for the Bhopal tragedy.
There's lots of competition for environmental disaster. Exxon Valdez was not as bad as Chernobyl, which pales in comparison to the destruction of some of the world's best agricultural land by the gross mismanagement of the Stalin regime. That in turn is minor compared to some asteroid impacts.
It's always funny to see the conventional view of the 2007+ "Great Recession", which was caused by economic policies in large part the fault of Democrats Barney Frank and Chris Dodd. It would have ended quickly if there had been no bailout and the bankrupt companies had had their assets sold off as provided by law.
Contribute to civilization: ari.aynrand.org/donate