Slashdot Mirror
Super Micro Says Review Found No Malicious Chips in Motherboards (reuters.com)
Computer hardware maker Super Micro Computer told customers on Tuesday that an outside investigations firm had found no evidence of any malicious hardware in its current or older-model motherboards. From a report: In a letter to customers, the San Jose, California, company said it was not surprised by the result of the review it commissioned in October after a Bloomberg article reported that spies for the Chinese government had tainted Super Micro equipment to eavesdrop on its clients.
I did not know we were talking about HP.
i fully expect the next news report to be, "Supermicro computers discovered in second audit to have been compromised by auditing company. The first audit company, itself secretly compromised by {insert government-of-paranoia-choice-here}, was found to have tampered with the master copies of the bootloader firmware, during its on-site privileged access to Supermicro's Headquarters".
quis custodiet custodiens?
On this story, and the previous stories on this topic, a lot of posters have doubted the denials from Super Micro, Apple, Facebook and the various government agencies. I suspect this independent audit won't convince them, either.
So my question for the assembled multitude is this: What would be -sufficient proof- this didn't happen? Or is this one of those things where you won't accept any explanation from "the deep state"/"vested interests"/etc?
This is a significant issue for tech in general, as we need some widely accepted way to show systems are free from hidden vulnerabilities.
You have obviously never had the pleasure of returning several HP laptops and having them lost for months. In fact every HP laptop I have had has had it's mother board replaced at some point.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
So you thought that "outside investigation" meant that they performed it outdoors.
Just the investigators were outdoors. The chips were indoors
I've dealt with several HP computers directly over the years, some laptops and otherwise, and am familiar with dozens of others who have had HP computers as well.
I have *no* impression that HP equipment is less reliable than any other brand of computer. I think the total number of samples within my awareness is about 30-50 computers. Yes, some have died or have had parts die, but not that many.
I don't have direct experience with any repair attempts on any of this equipment, though.
Anecdotally speaking, I have had great experience with my Super Micro servers for more than 15 years.
Greed is the root of all evil.
It's a good point, but has anyone actually gotten a root shell prompt to the MINIX layer in their i7?
(No, I'm not asking because I'm concerned about security breaches, I just want to be able to play with it, I'm a nerd not a security expert.)
You are not alone. This is not normal. None of this is normal.
The biggest red flag on the Bloomberg report is it's a sorry hack attempt. To put an additional chip on a board that can easily be caught with automated visual scans (ie computer vision) is just sloppy and stupid. There are so many other ways to compromise a MB without leaving a visual trace. Plus given the Intel CPU bugs, why go through the hassle? You can more easily root an OS without leaving physical evidence. A good attacker knows how to erase their digital foot print. If it really was the chinese government, I seriously doubt they'd be that stupid. From a spying perspective, none of the big countries with the resources would choose such a stupid attack.
Did anyone expect an internal investigation of Supermicro to yield anything but an "innocent" verdict?
It wasn't an internal investigation; it was an external investigation. That's what "outside" means in TFS.
Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
Generally bloomberg is pretty reliable so one wants to give them the benefit of the doubt. And they must think their sources reliable enough to make them worth protecting. But at this point is seems like they do need to defend their certainty more.
Super micro presumably can only inspect the boards it has now not the boards it shipped. It could try recalling some of those but if the infiltration was selective and rare that might not be possible. For example if a few of the boards shipped to say, the NSA, where modified, a sampling might not find them, and the NSA would never let a board leave their facility once it goes into use. So that could be the discrepancy here. The china-modified boards might very well have been shaped to mainly go to orders for targeted customers.
It seems like getting to the bottom of this would be useful.
A good place to start would be those photos accompanying the Bloomberg article. They showed a specific chip on a specific board. So where did that photo come from and is the circled chip really what they claim. That presumably is answerable.
Some drink at the fountain of knowledge. Others just gargle.
I guess a slashdot anonymous coward must have opinion that is worthwhile... Oh wait you don't. Meanwhile the company in question is hugely successful
They just released a video explaining why it's 'physically impossible as a practical matter' for their motherboards to have malicious components.
Hope they can back up these strong comments!
That photo they showed was not the actual chip, just a mockup of what it might look like. They made that fact hard to find in the captions. For anything new to get uncovered with this story, one of the sources to the bloomberg story needs to come forward with more information. Or some other engineer from amazon/elemental/apple who was supposedly involved in the detection of the chip. The article was written like breaking news with the assumption that more information would imminently become public, but that hasn't happened. Additional denials by Supermicro, apple, amazon, or governments don't really add the the discussion.
I seem to remember a news story from almost a decade ago about a surreptitious monitoring chip installed in a laptop, connected to the laptop's keyboard. This may have been a targeted attack, and not an infiltration of the supply line. Personally, I believe the unknown keyboard chip wasn't any kind of listening device, but rather some compatibility device to make the keyboard work.
I have some doubts about how a tiny "grain of rice sized chip" can both send and receive data on the wired ethernet port (differential signals) without actually BREAKING the lines and inserting itself into the path. Also, it wouldn't magically have FULL CONTROL of the PC, but would be able to only retransmit the data that was coming in/going out of the ethernet port to another ip address.
Have gnu, will travel.
This is the same Bloomberg that runs news story suggested by Wall Street elite to pump and dump stocks. This is the same Bloomberg that is the unofficial marketing arm of Wall Street. This is the same Bloomberg that has been saying regulations aren't needed anymore because the market can regulate itself, except that they know they can't. So what good evidence do you have that Bloomberg isn't more than just a wall street marketing machine?
Why do you need chips when you can hide anything in firmware? Show me a single motherboard OEM which releases source code. Also, not only motherboards contain firmware, NICs and storage devices have them too. There are just too many places where you can hide something which makes your hardware easily exploitable.
I've also had several Super Micro and have been very happy. Especially given the pricing.
Unlike HP etc, Super Micro only makes servers. They don't make laptops and mp3 players and crap for Best Buy. Everything they do is designed for the data center.
Be that as it may, the intercept Bloomberg is speculating about, would have had no ill effect on your "user experience".
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Except SuperMicro is a Taiwanese company. Sure Taiwan is in a weird place, claimed by China but considers itself independent, but most Taiwanese actually believe they are an independent country regardless of what the UN and other people say. (Plus, they have a real democracy and not a dictatorship).
And the real articles are Apple and Amazon for those two were the ones first reported on by Bloomberg.
While I'm not usually part of the conspiracy crowd, I'll make an exception for this one. Did anyone expect an internal investigation of Supermicro to yield anything but an "innocent" verdict? Can you imagine the damage to Supermicro's brand had any other result been released?
Wait a sec. That logic makes no sense.
Regardless of which side of this debate you're on, this is the result we expected. The people who think Bloomberg got it wrong were expecting this result because Bloomberg got it wrong. The conspiracy believers were execting this result because there's a coordinated coverup. That the result matched everyone's expectations no more proves a coverup than it disproves one. It's simply the expected result.
That said, while the result matching expectations may not prove or disprove anything, there's only one direction that the result itself can incline any rational person: towards thinking that Bloomberg got it wrong. While you're welcome to dismiss it, the findings themselves are yet another piece of evidence against Bloomberg's claims, and they join a growing body of evidence, all of which so far has lined up against Bloomberg's claims. On the other hand, this result provides no evidence whatsoever in support of a coverup (again, it's the expected outcome for both sides). Of course, if you choose to dismiss it as part of the coverup, then you've just expanded the scope of the coverup to include these auditors as well, in which case it now takes even more faith to believe in the coverup than before. For any rational person, a demand to increase one's faith in a thing without being given any basis for doing so would be cause to reevaluate that faith.
If this result pushed you to "make an exception" by joining the conspiracy crowd, I'd suggest that you're either confused or lying, because you're clearly already a card-carrying member of the conspiracy crowd. At best you can dismiss the results as meaningless, but there's no rational way to take this result and go in the direction you say you went.
Wait... so they couldn't detect them? This is getting scary!
Wikipedia calls SuperMicro a Taiwanese-American company. The headquarters are in California.
Contribute to civilization: ari.aynrand.org/donate
The Indian government was partially responsible for the Bhopal tragedy.
There's lot's of competition for environmental disaster. Exxon Valdez was not as bad as Chernobyl, which pales in comparison the destruction of some of the world's best agricultural land by the gross mismanagement of the Stalin regime. That in turn is minor compared to some asteroid impacts.
It's always funny to see the conventional view of the 2007+ "Great Recession", which was caused by economic policies in large part the fault of Democrats Barney Frank and Chris Dodd. It would have ended quickly if there had been no bailout and the bankrupt companies had had their assets sold off as provided by law.
Contribute to civilization: ari.aynrand.org/donate