Where's SEC when you need it..
Hardware builder Super Micro has delivered another effort to prove to the public its machines were not bugged by the Chinese government. The US-based company on Tuesday issued the findings of an investigation it says show no indication that its motherboards were ever compromised at the factory level and modified with …
Wednesday 12th December 2018 02:05 GMT shawnfromnh
I so believe this
Because the security and integrity of our products is our highest priority
I thought money and not being jailed for not cooperating with the chinese government was the actual priority. Really doesn't matter because no matter where you build something in this politically charged world the chinese, russians, cia, nsa, or mi6 and a slew of others will force you to put spy shit in your boards or else. So this huge lie about your highest priority is shit since any boardmaker in China has plants in them that swap out parts occasionally so it's a hit or miss if you catch them and it's probably multiple parts so they can go to part B for a while then keep switching out as needed. Hell the parts are probably also switched along the chain so if one part of the chain goes down an existing one starts up.
Wednesday 12th December 2018 02:47 GMT Medixstiff
Re: I so believe this
I'm waiting to see the fall out from the idiots putting through the encryption laws here in Aus.
You can bet as a Five Eyes nation, any changes they request manufacturers to make will get shared around with other partners.
Blind Freddie can see it's just a matter of time before a work around get's out and if it's by an ex-employee, they better make the most horrific example of them that they can, because if there's large scale identity or data theft that occurs afterwards, voters are going to be mega p1ssed.
Wednesday 12th December 2018 05:14 GMT Lyle Dietz
Re: I so believe this
I want the Russians* to lift data about our pollies through a TCN mandated back-door and then publish it somehow. Bonus points if it's Christian Porter, Mr Potato-head or AFP top brass.
* or anyone but the Chinese, because if its China the chuckle-heads in Canberra will just blame hardware back-doors from Chinese kit.
Friday 14th December 2018 03:23 GMT Trevor_Pott
Re: I so believe this
I think you're a bit out to lunch on this. Want to not be jailed by the Chinese? Don't go to China. Especially when the nation you live in is in the middle of a pissing match with China, and you're a high-powered executive. That's just life at that level, regardless of whether or not someone has asked you to compromise your gear.
As for the "money is the only thing that matters" bit...you had damned well better believe that "the security and integrity of [Supermicro's] products is [Supermicro's] highest priority". A single accusation - and one that most of the infosec world didn't buy at the outset, and which has since been considered completely debunked - absolutely tanked Supermicro's shares. Please do explain to me exactly how letting $nation stick shit on their boards is somehow making Supermicro money.
Or any manufacturer.
One does not have to do business with China. One does not have to manufacture things there. China may be a few points cheaper than Taiwan, India, Vietnam, or what-have-you, but a few points is absolutely not enough to entice a manufacturer like Supermicro if the tradeoff was "we will put spy chips on your stuff".
Let's consider this rationally for a moment:
1) Supermicro isn't - and hasn't been - the low-cost tin shifter for some time. You want some of the Chinese server manufacturers for that. Supermicro, Dell, HPE and even Lenovo can't compete with the likes of Inspur, and they're not really trying to, either. Supermicro's schtick is flexibility. They have a server room widget for anything you can possibly imagine. That means higher R&D costs, which means no playing in Inspur's sandbox.
2) The big buyers are the public cloud providers. Chinese cloud providers buy predominantly from Chinese companies. Non-Chinese cloud providers don't build a lot of data centers in China. There's a lot more money to be made putting data centers near China, but not actually inside the Great Firewall, with all its geopolitical restrictions. Why in Jibbers' name would Supermicro - or any non-Chinese tin shifter - knowingly let the Chinese government put spy chips on their board, when they know damned well that the instant it was discovered it would alienate the customers responsible for 50%+ of their revenue? There is zero logic in that.
3) Supermicro are terrible at politics. Absolutely terrible. They can't even deal with their own internal politics. They are not about to start playing geopolitical bullshit, because the people in charge of that company know that they would fail catastrophically.
Look, Supermicro has a lot of problems, but willingly getting mixed up in these sort of shenanigans? I just don't buy it. Their CEO is a giant nerd. Obsessive engineer type. He is emphatically not someone who is any good at politics, and he's perfectly aware of that. This extends to pretty much all of Supermicro's leadership.
Supermicro are heavy on nerds, heavy on suit-and-tie from-the-past marketing/PR/sales types, and are more or less what you'd expect from any large predominantly USian corporation that got where they got by building something useful, but never did the ruthless, cutthroat thing and brought in corporate fixers.
If China - or anyone else - had somehow demanded that Supermicro knowingly compromise their own gear, you would not have gotten a full-throated denial from them. You would have gotten a stone wall of "no comment", and lots of "talk to our lawyers".
This is because the people in charge of Supermicro aren't masterful political chess players who even attempt to play complicated geopolitical bullshit games. They'd piss themselves in terror and do whatever their lawyers told them to, and lawyers always tell their clients the same thing: shut the hell up.
So, to me at least, the fact that this particular pack of politically mediocre nerds and empty corporate suits decided that they were going to stand up and say "nyet" actually lends Supermicro's story some credibility.
They could always have been compromised without knowledge of the decision makers...but so far, the evidence doesn't seem to be bearing that out either. And that leaves me with all sorts of questions about this entire thing...but that's a rant for another day.
Wednesday 12th December 2018 03:35 GMT Malcolm Weir
Wednesday 12th December 2018 04:14 GMT Phil Kingston
Wednesday 12th December 2018 05:56 GMT Anonymous Coward
Wednesday 12th December 2018 09:24 GMT imanidiot
Wednesday 12th December 2018 17:17 GMT Crazy Operations Guy
"Super Micro is an american company that does most of it's manufacturing in China."
So you mean like IBM, Apple, Dell, HPE, Cisco, Oracle; Intel, AMD, Nvidia, Micron, Kingston, Asus, Acer, MSI, Crucial, Texas Instruments, and so on.
I don't think there is a single "American" company that hasn't offshore'd the vast majority of its manufacturing to Pegatron, Foxxconn, TSMC, or some other Chinese-owned manufacturer.
Wednesday 12th December 2018 11:10 GMT SuccessCase
Also the fact that there is a security researcher - Joe Fitzpatrick - who talked to Bloomberg journalists over many meetings/calls about speculative "this is how it is theoretically possible to do this" scenarios, and then was surprised to find the article in question claimed *exactly* the scenarios he described had been executed by the Chinese. Fitzpatrick said, given he is not working at State level with State level resources, and his speculations were his own personal pet hobbyist theories as to how it could be done (when there are many alternative possibilities) he was very surprised to find it claimed it had been done by the Chinese exactly how he had described. In other words it very much appears his speculative theoretical scenarios were lifted by the Bloomberg Journalists and published as fact.
All in all Bloomberg's failure to retract this story leaves a sizeable stain on their integrity.
Wednesday 12th December 2018 05:30 GMT Dabbb
Wednesday 12th December 2018 10:08 GMT Roland6
Wednesday 12th December 2018 11:16 GMT SuccessCase
Re: Again, why bother
@Roland6. I think you will find the issue is that the manufacturing is taking place in China. So it wouldn't be so much a break-in as, "oh shit, this guy in mirror shades working for my government who still make people disappear without trial has asked me if we can modify the motherboard, but hasn't smiled once as he asked"
Thursday 13th December 2018 04:47 GMT Dabbb
Re: Again, why bother
"I would love to see an example of a spy break into a factory and inconspicuously add one of these to a few motherboards;"
Inconspicuously ? BMC Pilot is THE most widely used LOM chip for servers, it's literally everywhere. It's firmware is closed source, what inside silicon only Chinese know.
To make it clear - it controls everything and has access to everything on a server. There's no need to add anything else.
Wednesday 12th December 2018 13:42 GMT phuzz
Wednesday 12th December 2018 06:18 GMT bombastic bob
'Fake News' by Bloomberg, then?
I think SuperMicro has at least done the right thing and made a SERIOUS effort to, well, "take it seriously" and ensure that NONE of their products have been tampered with. It's also likely they'll continue to look for the possibility just so they can SAY they are.
It's hard to re-build a reputation that's been SO DAMAGED like this.
THAT being said, reputations are what they are, and I think the ball is NOW in Bloomberg's court.
'Fake News' has been getting out of hand a LOT. These "un-named sources" who seem to know SO much, wanting to blow the lid off of some scandal, blah blah yotta yotta TABLOID NEWS.
Bloomberg, I think you guys SCREWED THE PROVERBIAL POOCH. Funny how they doubled down on it, too.
I hope they have really GOOD evidence to support their claim, if it's true. Because it's PLAUSIBLE. But if they have NOTHING, which I suspect is the case, they'll end up on the wrong side of a defamation and libel lawsuit. And, don't forget the drop in stock value.
Then again, the drop in stock might be 'stock manipulation'. Did anyone MAKE LOTS OF MONEY by SELLING SHORT on SuperMicro stock? S.E.C. where are you?
I'd like to see how this plays out. Needless to say, if spy chips WERE being planted, I doubt it will happen again any time soon, because NOW people are LOOKING for it...
Wednesday 12th December 2018 07:15 GMT Anonymous Coward
Re: 'Fake News' by Bloomberg, then?
It was not only SuperMicro stock that fell. The main target for NYSE Shorters, namely APPL were hit as well along with others like AMZN.
Bloomberg is regarded with contempt by many TSLA stock holders for their continual 'Tesla is doomed. Chapter 11 filing next week' sort of stories.
Putting my conspiracy tin-foil hat on for a moment...
"Could all this be part of an orchestrated plan by people behind those who are behind Bloomberg to destabilise the NYSE or at the very least, certain widely held stocks?"
Once upon a time, Bloomberg was the 'go-to' place for financial information. I still go there but view everything that that say with suspicion and at a lenght of several 40ft barge poles.
I don't directly own any stock in any of the companies mentioned in this post.
Stock prices may go down as well as up and...
This is not financial advice in any way shape or form.
Wednesday 12th December 2018 09:18 GMT Anonymous Coward
Re: 'Fake News' by Bloomberg, then?
Apple barely fell the day the story broke, and to the extent it did it fell about the same as the similar tech stocks. Apple has fallen a lot since, but well after the story had faded away so if you think Apple's stock price drop over the past month had ANYTHING to do with this story, you are an idiot.
If you want to short Apple, you don't make up a story without evidence that elicits immediate denials from all companies involved. You report a rumor that one of its suppliers is reporting reduced demand from "one of its largest customers". That's been proven to cause Apple's stock to fall many times in the past, both when the rumor turned out to be true and when it turned out to be false.
Reporting a story you know is false will get you in a lot more trouble than reporting a rumor that you have plausible deniability for because you state outright that it is a RUMOR.
Wednesday 12th December 2018 06:59 GMT Neoc
Wednesday 12th December 2018 09:46 GMT happy but not clappy
Not a scam
It's US foreign policy driven from the White House. Look at all the other Chinese manufacturers that have been banned/harassed and generally interfered with over the past few years. Not that the Chinese are being especially targeted, just that the dirty tricks are much more public.
Anyone entering the US market does so with trepidation IME.
Wednesday 12th December 2018 10:05 GMT Andy The Hat
I feel that this was, as eluded to at the time, an elaborately baited US 'government' hook with the aim of discrediting the use of Chinese made equipment. It probably is fake news but based on believable information from more than one source.
In this situation Bloomberg were damned if they did and damned if they didn't. Fail to report what fifteen (?) individuals have 'corroborated' and pass up a truly massive scoop or report a story that you are now convinced is true as it has been corroborated by fifteen individuals and get shot down because the 'government' smoke screen was so thick that you ended up trusting the web of deceit ...
The obvious loser is SM's reputation who have that nightmare to prove that something that never existed was never fitted to a few of their boards which themselves may not even have existed ...
Wednesday 12th December 2018 10:33 GMT Steve Graham
Wednesday 12th December 2018 12:06 GMT juice
Get your tin-foil hats ready...
IIRC, the article claimed that it was a small number of motherboards which were affected, and that they were delivered to specific companies.
So if the perpetrators withdrew and covered their tracks, there'd be nothing at the "manufacturing" side to see.
OTOH, at this point, I would have expected Bloomberg to have produced some physical evidence - even a single demonstrably hacked motherboard would be enough to give them the benefit of the doubt.
Either way, may the best conspiracy theory win!
Wednesday 12th December 2018 15:50 GMT mutin
Re: Get your tin-foil hats ready...
You write :"I would have expected Bloomberg to have produced some physical evidence - even a single demonstrably hacked motherboard"
So, do you really expect that such evidence can be found? All what was altered has been destroyed. It was not in Apple or Amazon or Super Micro interest to keep any evidence for investigation.
Wednesday 12th December 2018 12:09 GMT adam payne
"After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,"
So they have had now jumped through hoops and proven to the best of their ability that the claims are completely false. What's bloopersberg going to do now? probably nothing.
Super Micro lawsuit?
Wednesday 12th December 2018 13:31 GMT trev101
Wednesday 12th December 2018 15:45 GMT mutin
It is really funny - have anybody tried to follow the link in the article likely to pointing to a report from independent company? It goes to Super Micro site saying that it was a company and a report. Super Micro DOES NOT provide a link or a document or disclosing the name of the company. So, what are you talking about? What SM proved as we cannot see it published?
Nobody mentioned in original article really wants INDEPENDENT PUBLIC investigation. It is all cover-up. Too much money and reputation i.e. money involved.
So far Super Micro does bla-bla-bla and no proof that Bloomberg was incorrect.
Wednesday 12th December 2018 21:01 GMT Crazy Operations Guy
Release the schematics?
I'd breathe a lot easier if they were to publicly release the schematics of one or two of the products at the center of this. From my knowledge of electrical engineering, the suspected part wouldn't even have access to the proper buses to even doing anything like what Bloomberg is alleging. From Bloomberg's report, the device looked to be a simple two-conductor component, but was quite difficult to see exactly what the device looked like in the images.
I'd go a long way to dispelling rumors if SuperMicro were to release the schematic and board layout drawings so that independent researches and private individuals could take a look to see if such a device is even possible in the first place. It would also allow researchers to test suspected boards to see if the component behaves as expected and is the intended device.
The security researcher in me also doubts the Bloomberg report in that no one in their right mind would go through the effort of breaking a system by inserting a chip into the assembly logistics in the hopes that one of the tens of thousands of parts actually made it into their target's system and the system is in a location that can be compromised and that particular system actually contains the target data. Especially since if they wanted that much access, the IPMI chip and the Intel Management Engines are already present in the system to begin with, either one could be compromised and would give you ridiculous amounts of control over the system without the risk of compromising a component.
Really, it would be so much easier to just send fake firmware patches to the target and produce a much more direct attack rather than casting a massive net in the slim chance of getting access to that specific target.
Thursday 13th December 2018 04:29 GMT Big Al 23
Bloomberg has provided zero proof of their claims
It must be about time for the lawsuits to begin as Bloomberg has provided zero evidence to support their claims which have been denied by virtually all parties involved not just Super Micro. It's time to put up or pay dearly for unsubstantiated rumors and beliefs. You know this has cost Super Micro major revenue and will continue to do so until Bloomberg admits they have no evidence to support their allegations.