Author Topic: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.  (Read 67947 times)

0 Members and 2 Guests are viewing this topic.

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #400 on: October 19, 2018, 09:22:57 am »
Yes to note I am trying to do this for £0  :-DD
 

Offline TimNJ

  • Super Contributor
  • ***
  • Posts: 1649
  • Country: us
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #401 on: October 19, 2018, 03:01:36 pm »
Macrofab Podcast published this podcast with a very interesting discussion on the state of hardware/supply chain security. Worth a listen!

https://macrofab.com/blog/mep-ep-142-supply-chain-conspiracy-securities/
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #402 on: October 19, 2018, 03:28:27 pm »
Yes to note I am trying to do this for £0  :-DD
I'd be willing to chip in for a board, though absence of a part would prove nothing.
 

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #403 on: October 19, 2018, 04:23:28 pm »
Macrofab Podcast published this podcast with a very interesting discussion on the state of hardware/supply chain security. Worth a listen!

https://macrofab.com/blog/mep-ep-142-supply-chain-conspiracy-securities/

"There's a lot of Kabuki theater of denial going on about this, we just don't know if the story is real. But just look at it this way: Does it really matter if it's real? Because if it hasn't happened yet, how long do we have to wait until it does?"

The terrifying takeaway from this conversation is how bluntly it confirms the most cynical notion that the single major form of IT security employed today still boils down to one form or another of "Security Through Obscurity".  The constant cat & mouse between exploiters and IT security people is really just another aspect of that. Every new level of security we apply is only as good as discovery time to the next exploit.

That's exactly where I was going with this comment:

The reason you say that is because you think like a westerner, where you have to pay a third party to make the hardware. They OWN the foundries where this stuff is forged; for them electronic hardware is as fluid and dynamic as the software used to create it. It is just the CUSTOMER who has to pay for changes, because revision is their stock in trade. ;)

A custom device, completely self-contained from the device it is monitoring, is the obvious choice from a security penetration standpoint, as EVERYTHING software that is supposed to be there has the potential to be reviewed while the device is IN USE.

And the use of such a device instantly allows deniability... it becomes much harder to track down where in the supply chain such a device was added; no way of knowing, or even guessing, whether the device was intercepted and the bug planted after the fact, or if it was contracted by one of the "Five Eyes, etc" groups to be produced in a "special run" of product that supposedly "never existed".

Really... you're thinking like a normal, sane person and attempting to apply LOGIC to the actions of government and enterprise BUREAUCRACY... that is why you can't imagine this. ;)

mnem
Follow. The. Money.

Interesting though that they do address my previous comment about "Why not just drop a phony chip on there that looks like what belongs?" In that either is feasible... the pics could just be "dramatization" of what was really discovered, or equally possible is that it really is just that easy at that stage to move a few traces to allow connection to that little grain of rice.

I hate having my most cynical notions confirmed... or at least "not reasonably disproven". It beats the sh** out of my attempts to maintain a generally hopeful attitude towards human nature.  |O

mnem
 :popcorn:
« Last Edit: October 19, 2018, 05:35:45 pm by mnementh »
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 

Offline donotdespisethesnake

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: gb
  • Embedded stuff
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #404 on: October 19, 2018, 05:41:02 pm »
"I spoke to another conspiracy theorist and he confirmed we are probably/maybe/possibly being visited by aliens, but even if we are not, it must be inevitable, surely?"

 :-DD
Bob
"All you said is just a bunch of opinions."
 
The following users thanked this post: tooki

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #405 on: October 19, 2018, 06:21:31 pm »
You are conflating two completely different quantum levels of conspiracy theory. Science fiction vs science fact.

The difference here being that we have proven that this exact kind of skullduggery exists, because we've seen similar attacks performed by our own alphabet soup agencies, and concrete proof thereof.

The difference here is not substance, but choice of vector. A COMPLETELY different level of "What If?"

[EDIT]

I was really hoping that these guys, who work directly with the kinds of manufacturing involved, could lay down some meager reassurance that there was some level of  security at this level of production. Of course, they probably don't work with the specific factory in question, so still a case of "Absence of proof ≠ proof of absence"; even as horrifying a picture as they paint of that supply chain in general, it's still POSSIBLE that the particular factory SuperMicro contracted with actually has some reasonable physical security in place.  :palm:

[/EDIT]

Cheers,

mnem
 :popcorn:

« Last Edit: October 19, 2018, 06:31:00 pm by mnementh »
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #406 on: October 19, 2018, 06:47:21 pm »
Apple CEO Tim Cook Is Calling For Bloomberg To Retract Its Chinese Spy Chip Story

https://www.buzzfeednews.com/article/johnpaczkowski/apple-tim-cook-bloomberg-retraction
 
The following users thanked this post: tooki, MK14

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #407 on: October 19, 2018, 06:58:52 pm »
Oooohhhh! The Kabuki Theater continues!!!  Do I have time to run down to concessions? I'm all out of popcorn!!!  :-DD

mnem
 :popcorn:
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #408 on: October 19, 2018, 07:22:32 pm »
It’s certainly interesting!

 

Offline chris_leyson

  • Super Contributor
  • ***
  • Posts: 1541
  • Country: wales
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #409 on: October 19, 2018, 09:59:03 pm »
Not surprised Tim Cook isn't happy about the story, who would be. SuperMicro stock at $14 down from $25. If I was Charles Liang, CEO of SuperMicro, I wouldn't be happy either with a made up story about infiltrated supply chains. From a legal point of view I think Bloomberg are skating a very thin ice just to make news. Allegedly.
 
The following users thanked this post: tooki, MK14, bd139

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2365
  • Country: de
    • Frank Buss
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #410 on: October 20, 2018, 01:13:57 am »
Not surprised Tim Cook isn't happy about the story, who would be. SuperMicro stock at $14 down from $25. If I was Charles Liang, CEO of SuperMicro, I wouldn't be happy either with a made up story about infiltrated supply chains. From a legal point of view I think Bloomberg are skating a very thin ice just to make news. Allegedly.

I wonder why SuperMicro doesn't sue Bloomberg for reputational damage or something. Usually these big companies have big legal departments and sue a lot, just see all the patent lawsuits.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 
The following users thanked this post: tooki

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11341
  • Country: ch
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #411 on: October 20, 2018, 01:22:25 am »
I wonder why SuperMicro doesn't sue Bloomberg for reputational damage or something. Usually these big companies have big legal departments and sue a lot, just see all the patent lawsuits.
I am sure that SuperMicro has its lawyers drafting up the papers while their QA and engineering (and probably some outside contractors, for neutrality's sake) tear apart hundreds of boards with a microscope and x-ray machines to make sure they are correct. The last thing they want is to sue Bloomberg and it turns out Bloomberg was right. I don't think that's the case, but SuperMicro is going to make damned sure they have a case, and when they do, they're probably not going to approach it gingerly.
 

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #412 on: October 20, 2018, 04:09:59 am »
Yeah, that's what we've said before will be the proof of the pudding... if/when these companies sue Bloomberg.

It may be they're very busy cleaning house and retconning records to be sure there's no chance it's true, and nothing that points, even faintly, towards it being possible... which thought is almost as scary as if it is true.

Time for the 3rd (4th?) Act in our little Kabuki Theater; I hear Kimiko is pregnant!  :-DD

mnem
 :popcorn:
« Last Edit: October 20, 2018, 04:17:06 am by mnementh »
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #413 on: October 20, 2018, 08:16:29 am »
Time for the 3rd (4th?) Act in our little Kabuki Theater; I hear Kimiko is pregnant!  :-DD

I think you'd be better off characterising it as Noh theatre. Everybody wears masks, there are five one act plays in a programme, with a comedy piece somewhere in the middle.

Given the origins, it's not impossible that the comedy piece could conceivably involve a dwagon.  :)
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 
The following users thanked this post: tooki

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6694
  • Country: nl
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #414 on: October 20, 2018, 11:30:26 am »
What is the latest law made from the bench (aka jurisprudence) on companies as public figures in the US? If Supermicro has to prove malice it's an uphill battle.
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #415 on: October 20, 2018, 04:45:29 pm »
What is the latest law made from the bench (aka jurisprudence) on companies as public figures in the US? If Supermicro has to prove malice it's an uphill battle.

I think you probably mean precedent, not jurisprudence.

Quote
jurisprudence |ˌdʒʊərɪsˈpruːd(ə)ns|
noun [ mass noun ]
the theory or philosophy of law.

Quote
precedent
noun |ˈprɛsɪd(ə)nt|
an earlier event or action that is regarded as an example or guide to be considered in subsequent similar circumstances: there are substantial precedents for using interactive media in training.
• Law a previous case or legal decision that may be or (binding precedent) must be followed in subsequent similar cases: we hope to set a legal precedent to protect hundreds of miles of green lanes.

What do you mean by "companies as public figures"? It's an odd phrase, and I can think of no particular relevance to defamation law.

Beware with the law of defamation. It is highly variable between jurisdictions both national and, in the case of the US, the jurisdictions of individual States. What law applies may depend very strongly on where the allegations were made, and what States/countries a plaintiff may be legally able to, or may choose to, take action in. Also, although many people think they know what the law is, experience and some formal instruction in defamation law in a previous life as a journalist, tells me that they are often mistaken.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #416 on: October 20, 2018, 05:15:15 pm »
It's a fair question, actually... even if phrased poorly.

As new laws are bought by the involved corporations, the current shift towards sanctioned "corporate personhood" affects all aspects of law.

Sad to say, but the current free-for-all has potential to increase exponentially in complexity and frequency... further distancing the average citizen from anything resembling justice.    :palm:

mnem
*Sigh*



« Last Edit: October 20, 2018, 05:17:06 pm by mnementh »
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #417 on: October 20, 2018, 05:29:44 pm »
Time for the 3rd (4th?) Act in our little Kabuki Theater; I hear Kimiko is pregnant!  :-DD
I think you'd be better off characterising it as Noh theatre. Everybody wears masks, there are five one act plays in a programme, with a comedy piece somewhere in the middle.

Given the origins, it's not impossible that the comedy piece could conceivably involve a dwagon.  :)
Yes, and a favorite theme of said comedy involves said dwagon dying (usually a victim of his own hubris) comically and ironically at the hands of an incompetent or child protagonist.   :palm:
As you might imagine, not my favorite flavor of humor. ;)  However, the rest of your characterization is pretty spot on... including drama twice-distilled to improve its potency. :-DD

mnem
"Dying is easy; now comedy... that's hard."
« Last Edit: October 22, 2018, 02:24:23 am by mnementh »
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6694
  • Country: nl
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #418 on: October 20, 2018, 08:37:11 pm »
What do you mean by "companies as public figures"? It's an odd phrase, and I can think of no particular relevance to defamation law.
If the company counts as a public figure they have to prove malice, in this old case a company was not deemed one ... but times change and law is hard to google.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
 
The following users thanked this post: BravoV, borjam, tooki, MK14, mnementh

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
 
The following users thanked this post: MK14

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #421 on: October 23, 2018, 02:25:58 pm »
Yes, but this is hardly news!  :-DD

Journalism has ALWAYS functioned this way; whether it's in the contract or the "unspoken law" that "you will break stories or you won't be here long", this has ALWAYS been the way the profession works. J. Jonah Jameson may be a caricature, but he's STILL an amalgam of real people, and there are plenty in the trade who still operate exactly the same way, even if only slightly less blatant about it.

Also: Seriously? Now we're having a shitfit because a "news agency" deliberately used sensationalist language in a headline?   ::)

mnem
"Nothing to see here, move along..."
« Last Edit: October 23, 2018, 04:26:12 pm by mnementh »
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11341
  • Country: ch
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #422 on: October 23, 2018, 07:38:54 pm »
 :palm: :palm: :palm: |O |O  |O :-DD

Remunerating journalists based on how they move the market is absolutely, positively not normal.

Historically, journalists are either salaried or paid by the piece. (Nowadays, there’s a shift towards unpaid journalism, which is unsustainable.)
 
The following users thanked this post: MK14

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11341
  • Country: ch
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #423 on: October 23, 2018, 07:42:29 pm »
And no, it’s not about a “sensationalist” headline. It’s about an entire article whose allegations are likely completely false!!!
 
The following users thanked this post: mtdoc, MK14

Offline donotdespisethesnake

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: gb
  • Embedded stuff
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #424 on: October 23, 2018, 08:29:25 pm »

Journalism has ALWAYS functioned this way;

Nope, that's total  :bullshit: !

OTOH The media have ALWAYS published false or overblown stories - and Bloomberg have a history of this. Yet strangely, you are desperate to believe your conspiracy theory version than the simpler explanation that Bloomberg published a lemon. Whether the journalists were in search of Scoop of the Year or a fat bonus, we don't know, but we do know there is ZERO, ZILCH, NADA hard evidence for their story.

It's all very well people calling for transparency from SuperMicro, Apple, Amazon, how bout some transparency from Bloomberg.
Bob
"All you said is just a bunch of opinions."
 
The following users thanked this post: mtdoc, tooki, Halcyon, MK14


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf