Of course! If your company is hanging by a thread because of the news. Admitting that it happened will only kill them off completely.Supermicro calls Bullshit
Supermicro | News | Supermicro Refutes Claims in Bloomberg Article
The ultimate results of this issue will have lasting effects--especially for IT--which has already been dragged to the front lines in this war.So #1 - chips fabbed at big fabs have had extra logic added. I have had enough people tell me this that I believe it.
This makes a lot of sense too as why would a story from a few years ago matter today unless someone was going to profit from it. Short-selling has become 'a thing' in the last few years, so this could make sense as well.The Bloomberg 'expose' reads like a supermarket tabloid: it contains only the slightest hint of anything factual. This reeks of market manipulation; the SM share price closed yesterday at $21 and opened today at $15... A lot of shares got dumped before this was released.
Bloomberg offers zero facts other than to say they "stand by their sources" who apparently were privy to classified information in 2015 that someone tried to backdoor someones BMC by exploiting compromised hardware. You can imagine the water-cooler talk of the time, and how the story has grown over the years.
It's all bullshit. Someone 3 years ago intercepted a foreign entity attempting to backdoor Lockheed or their kin, got caught, and the ensuing fallout surrounding BMC exploits was initiated. About this time I started noticing delays in F-35 deliveries due to the governments insistence that not one chip could come from China. It doesn't take a rocket scientist to figure out the PRC had compromised the hardware.
But to make a big deal of it now, after we know the CIA was doing the same thing, is not only hypocritical, it's entirely self-serving.
A couple dozen people just helped themselves to a billion dollars of market cap.
I hope we don't play the 'chicken' game because I don't know how well the US would do without all the things manufactured there. We can always recover, and maybe that's the reason we could win a 'game' like this. But instead of playing games maybe we should just bit smarter about things like farming out manufacturing to people who aren't exactly your buddy.This is a prelude to the kinds of things that'll pop up in the future, due to the "trade war with China". Trump's got his pea shooters out and Xi is...considering his options. From a brutally honest perspectuve, China cannot survive a prolonged trade war with the US. Their indigenous economy cannot support even a 10th of their GDP.
We're gonna see more "exposes".
Lord Acton once said... "Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men."I hope we don't play the 'chicken' game because I don't know how well the US would do without all the things manufactured there. We can always recover, and maybe that's the reason we could win a 'game' like this. But instead of playing games maybe we should just bit smarter about things like farming out manufacturing to people who aren't exactly your buddy.
Yep, and for shops that have management interfaces segregated and locked down hard, this really shouldn't be too much of an issue.Possibly silly question here. If the BMC were compromised by this extra chip, wouldn't any "phone home" or other nefarious network activity be initiated by the BMC's IP? (I'm assuming the BMC has its own IP like mine do.) If so, it seems like it would be really easy to detect any unexpected network traffic to/from that BMC IP.
I have an x9 board I got off eBay that has corrupt ME firmware that I could not get to flash for the life of me. Can yafukcs dump ME firmware?Just a quick thought:
While everyone focuses on the BMC, there is another management facility: Intel ME.
An attack could work the similar as for the BMC, with the chip attached to any of the 'management' IOs - network, SMBus, TPM access, maybe USB - and inject malicious code once the ME is up and running. Manipulating the ME FW during the boot would seem unlikely to me.
- Intel ME has more access to the host than the BMC.
- The ME is known to have (had) 'quality issues'.
- The ME has networking capabilities.
Can we completely discount this as an attack vector?