TR Forums

https://www.bloomberg.com/news/features ... -companies

This is some really crazy stuff. If the story is accurate, some (if not all) models of Supermicro server motherboards contain a secret back door hidden in the IPMI (remote management port) hardware. This isn't a case of compromised firmware; it is someone gaining access to Supermicro's supply chain, and adding a tiny physical "phone home" chip to the boards at the factory.

If this is true, IMO it could kill Supermicro. People won't trust 'em any more. I sure don't.

Edit: In at least one case, the back door chip was supposedly thin enough that it had been embedded between layers of the PCB during PCB manufacturing. That's some sophisticated stuff, and nearly impossible to detect unless you catch it in the act of phoning home.

This is just tip of the iceberg. I wouldn't be too surprised if certain parties and agencies had secretly placed in hardware-level backdoors on a large range of electronics over the past decade or so.

Krogoth wrote:

I wouldn't be too surprised if certain parties and agency had secretly placed in hardware-level backdoors on a large range of electronics over the past decade or so.

We do it all the time. There is nothing surprising about it.

Glorious wrote:

Krogoth wrote:

I wouldn't be too surprised if certain parties and agency had secretly placed in hardware-level backdoors on a large range of electronics over the past decade or so.

We do it all the time. There is nothing surprising about it.

The difference is that we (supposedly) tend to add these things further down the supply chain, after the product leaves the factory. The Chinese appear to have compromised the original board design, and (in at least one case) hidden the "bug" between layers of the PCB, making it nearly undetectable.

The part that is surprising is that various big companies have publicly denied that this happened to them, but yet it appears that bloomberg has numerous government sources who privately claim otherwise.

Unless this discovery and investigation was completely hidden from those companies, which doesn't really seem possible, that gets them into trouble: Those companies made material (and categorical) statements potentially affecting stock price that were untrue.

If the allegations are true, and this doesn't stay classified, they could be in trouble.

JBI wrote:

The difference is that we (supposedly) tend to add these things further down the supply chain, after the product leaves the factory. The Chinese appear to have compromised the original board design, and (in at least one case) hidden the "bug" between layers of the PCB, making it nearly undetectable.

Well, I'd drop the "supposedly" part But that's just a matter of circumstance. If the motherboards were designed & built here, we'd would of course try to do the same(as far as we could anyway, given our legal system and civilian cooperation). We intercept and modify only because they're not made here.

Wow that is a proper bug in the espionage context of the word!

Glorious wrote:

JBI wrote:

The difference is that we (supposedly) tend to add these things further down the supply chain, after the product leaves the factory. The Chinese appear to have compromised the original board design, and (in at least one case) hidden the "bug" between layers of the PCB, making it nearly undetectable.

Well, I'd drop the "supposedly" part But that's just a matter of circumstance. If the motherboards were designed & built here, we'd would of course try to do the same(as far as we could anyway, given our legal system and civilian cooperation). We intercept and modify only because they're not made here.

The "supposedly" was regarding the assertion that we don't insert bugs during manufacturing, only later. I don't disagree that we do this. Just noting that (if this article is true), the Chinese are better at it.

JBI wrote:

The "supposedly" was regarding the assertion that we don't insert bugs during manufacturing, only later.

Ah.

We're on the same page then.

One of tie cited researches is backing away from the story: https://www.zdnet.com/article/security- ... -on-story/

Claims his quotes were taken out of context, and doesn't think the Bloomberg article makes sense.

just brew it! wrote:

One of tie cited researches is backing away from the story: https://www.zdnet.com/article/security- ... -on-story/

Claims his quotes were taken out of context, and doesn't think the Bloomberg article makes sense.

He sent them a picture of a decoupling capacitor, and suddenly it appears on the front page.

I expect Bloomberg to publish an apology. And fire their editor and the "reporter". This is utterly irresponsible, especially from a major publication like Bloomberg.

JBI wrote:

One of tie cited researches is backing away from the story

I guess maybe the allegations aren't true then...


As I said previously, it was always really hard to square the reports with the firm & categorical denials by the companies involved.

Those would have gotten very important people in those companies in very serious trouble if the allegations gained support and further evidence.

People tried to hypothesize ways that the government could induce them to lie, but there's really no such mechanism legally available.

It would also be terrible, terrible policy, and to what end? If we're already reacting to this than whoever did it already knows. And it's not exactly the biggest deal in the first place.

---

Bloomberg better hope these "17 sources" aren't all just a single reporter saying "oh yeah, trust me!"

Glorious wrote:

JBI wrote:

One of tie cited researches is backing away from the story

I guess maybe the allegations aren't true then...

Not necessarily. It just means that part of the story was wrong. Which doesn't speak well for the whole article of course.

https://www.bloomberg.com/news/articles ... -s-telecom

I dunno how much to trust Bloomberg here stil. But what it seems like is Bloomberg got a scoop on a bug, but they didn't have all the details. So they literally made up details. I'm going to have to see other reporters from other publications confirm these details though. Bloomberg published the first article way too early, with way too little actual evidence. It does seem like there's a story here, but it was irresponsible to publish it before understanding the whole picture.

------------

I dunno, it smells like blatant stock manipulation to me. Considering that Bloomberg is primarily a financial publication, they really aren't in the business of publishing technical discoveries. Stock manipulation with an element of truth, that was grossly exaggerated.

EDIT: I guess I'm about 50/50. I wouldn't be surprised if there's truth here. But its clear that Bloomberg was "exaggerating" the facts nonetheless, and blatantly making up details. Someone's imagination got ahead of them, and they lost the ability to distinguish between fact and fiction. I still bet that there's a nugget of truth somewhere in the story, but its hard to figure out what it is.

dragontamer5788 wrote:

Not necessarily. It just means that part of the story was wrong. Which doesn't speak well for the whole article of course.

Again, against the firm & categorical denials, this really only has two outcomes:

1) The essential nature of the claim is false.
2) The essential nature of the claim is true, and all of these companies are in very serious trouble legally for publicly lying about material information.

(There could be option 3, in which we stagnate and nothing further occurs to tilt the scales---but this is not likely, because a large conspiracy on the side of the companies would be virtually impossible to maintain, and because these companies are massive, know all the right people (particularly google, which funds an incredible amount of security research) and will push back).

----

The only reason I was leaning towards option two, to any degree, is because Bloomberg claimed to have an extremely large amount of sources. They are also the news source that is most attune to the ramifications of what I was discussing: being financial news, I assumed they assembled such an ensemble of sources specifically because they knew they were going to be impeaching the denials and therefore invoking a minimum of SEC civil sanction for non-disclosure (which are on a ROLL with, lately).

But, once it turns out that there is serious reason to believe the majority of this story was lifted from a single researcher's musings and theoretical discussions, the dial swings HARD towards one.

If that was misrepresented, what about the sources?

There's little-to-no-reason to believe any of it, and it'll be interesting to see how Bloomberg reacts to this.

dragontamer5788 wrote:

I dunno, it smells like blatant stock manipulation to me. Considering that Bloomberg is primarily a financial publication, they really aren't in the business of publishing technical discoveries. Stock manipulation with an element of truth, that was grossly exaggerated.

This is an outlandish conspiracy theory that's actually bigger than the original story and any conspiracy within Amazon, google, et al to suppress it.

Risking prison and the complete and utter discussion of Bloomberg as an entity, for what? Supermicro was about to be delisted before this article, and unless you could substantiate the story, it isn't really going to move Google or Amazon.

What was the strategy? And how would you hide the trading patterns?

EDIT: I guess I'm about 50/50. I wouldn't be surprised if there's truth here. But its clear that Bloomberg was "exaggerating" the facts nonetheless, and blatantly making up details. Someone's imagination got ahead of them, and they lost the ability to distinguish between fact and fiction. I still bet that there's a nugget of truth somewhere in the story, but its hard to figure out what it is.

EDIT: Or, as I was already implying, they gave a journalist too much and the journalist went and hung themselves with it.

As I said, the editor better be real confident about quite a few of these "sources" or we're going to have another name on the journalist wall of shame next to Glass, Blair, Finkel etc...

Glorious wrote:

There's little-to-no-reason to believe any of it, and it'll be interesting to see how Bloomberg reacts to this.

Per the link dragontamer5788 posted, it would seem they're doubling down.

Glorious wrote:

EDIT: Or, as I was already implying, they gave a journalist too much and the journalist went and hung themselves with it.

And an editor as well. The editor who thought the story was fit to publish. A lot of the technical details don't sniff out at all in the original article.

Anyway, there seems to be a nugget of truth somewhere. But I'm not sure what it is, and its unfortunate that so much of the article is falling apart now. Bloomberg needs to issue an apology over this event, to say the least. And maybe clarify which facts are correct, and which ones are not.

JBI wrote:

Per the link dragontamer5788 posted, it would seem they're doubling down.

I'd feel better about that if it wasn't from the same two guys. They're also not really defending the original reporting, just adding another story to it.

Meanwhile, Apple is going in front of EDIT: writing to Congress right now saying this is completely untrue.

^ That is a really, really bad idea if it is even kinda, sort-of, true.

I'm not saying they can't lie, but why would they even lie about this? They didn't do anything wrong, if it happened to them, they are victims. And covering it up, man, a lot of people would know.

If someone somewhere has encountered something like this on a supermicro server, like, I have no reason to doubt that. That's not really new, and anyone familiar with this stuff shouldn't be surprised.

But that's really not the essential nature of the story, which is that this happened to the big three (Amazon, Apple, Google).

All three of them are saying, in ways that will get them in serious trouble, that it isn't remotely true.

And a -named source- in the original article is now basically saying he doesn't see how it can be true and not only did they not accurately represent him but that he can see echoes of his "hand-waving" in their factual reporting.

Huge, huge red flag.

My FP comment was that I would be pleasantly surprised if even 40% of the story were materially true as written by Bloomberg. Looks like we're still headed in that direction.

Glorious wrote:

Meanwhile, Apple is going in front of EDIT: writing to Congress right now saying this is completely untrue.

^ That is a really, really bad idea if it is even kinda, sort-of, true.

Yeah, but Apple has shareholders and customers who are concerned about privacy. If they don't respond forcibly, then their image also falls apart.

A huge part of Apple's marketing is their Facial-recognition security features, among other things. If it turns out chips were being stuck onto their phones to send your faces to some hacker, that would be bad. Apple needs to do everything in its power to protect its reputation.

Bloomberg definitely kicked the hornet's-nest with that story.

dragontamer5788 wrote:

Yeah, but Apple has shareholders and customers who are concerned about privacy. If they don't respond forcibly, then their image also falls apart.

The company (and the Presidency) falls apart completely if it turns out that:

1) They bare-faced lied to Congress. You see, no hypothetical gag order/agreement by the executive can *EVER* legally cover "lie to Congress". So either Apple is doing this completely voluntarily, which is bizarre because then they have no support from the Government, or this is now turning into "How Trump actually gets impeached" and "How Google etc... get broken up into smaller companies".
1a) They bare-faced lied to the public, with public consequences: If they have no support from the Government, how does Apple not go to prison and get fined out of the wazoo? Over what? The fact that something happened TO THEM and that WITH THE GOVERNMENT they appropriately reacted?
2) They bare-faced lied to the public, with private consequences: The civil liability is immense, and no government agreement can ever immunize them from that. The Feds can say we won't prosecute you, but they can't say private individuals can't sue because the courts are going to have to agree. There's really no way they can, and absolutely no way they would. The lawyers of Apple, Google and Amazon are going to point this out, that is there nothing the government can promise in this regard that can have any degree of reliability. No go.
3) They cooperated with the NSA et al, and then blatantly lied about it: The reputational damage is.... incalculable. You can easily envision hundreds of billions of dollars evaporating, massive push on Congress to regulate and punish them. It doesn't matter that they were lying about being spied upon, as opposed to spying themselves, once it's clear that they did this in any context, why ever believe them again?

dragontamer5788 wrote:

A huge part of Apple's marketing is their Facial-recognition security features, among other things. If it turns out chips were being stuck onto their phones to send your faces to some hacker, that would be bad. Apple needs to do everything in its power to protect its reputation.

I mean, yes, that would be bad.

It's also entirely different than what any of these stories is alleging...

...soo...?

Glorious wrote:

dragontamer5788 wrote:

Yeah, but Apple has shareholders and customers who are concerned about privacy. If they don't respond forcibly, then their image also falls apart.

The company (and the Presidency) falls apart completely if it turns out that:

1) They bare-faced lied to Congress. You see, no hypothetical gag order/agreement by the executive can *EVER* legally cover "lie to Congress". So either Apple is doing this completely voluntarily, which is bizarre because then they have no support from the Government, or this is now turning into "How Trump actually gets impeached" and "How Google etc... get broken up into smaller companies".
1a) They bare-faced lied to the public, with public consequences: If they have no support from the Government, how does Apple not go to prison and get fined out of the wazoo? Over what? The fact that something happened TO THEM and that WITH THE GOVERNMENT they appropriately reacted?
2) They bare-faced lied to the public, with private consequences: The civil liability is immense, and no government agreement can ever immunize them from that. The Feds can say we won't prosecute you, but they can't say private individuals can't sue because the courts are going to have to agree. There's really no way they can, and absolutely no way they would. The lawyers of Apple, Google and Amazon are going to point this out, that is there nothing the government can promise in this regard that can have any degree of reliability. No go.
3) They cooperated with the NSA et al, and then blatantly lied about it: The reputational damage is.... incalculable. You can easily envision hundreds of billions of dollars evaporating, massive push on Congress to regulate and punish them. It doesn't matter that they were lying about being spied upon, as opposed to spying themselves, once it's clear that they did this in any context, why ever believe them again?

Alternatives:

4) Apple Executives don't know about it, and at best, a few isolated Apple Engineers know about these particular issues. Since Apple, as a whole, doesn't know about it, they released a letter to Congress forcibly defending themselves.

5) A serious, but isolated, incident occurred, but doesn't apply to Apple / SuperMicro / etc. in general. Bloomberg exaggerated the claims in their story and are making a mountain out of a molehill.

Information doesn't traverse through a company instantaneously. In most cases, the left hand doesn't know what the right hand is doing. With that being said: Bloomberg need more evidence before I believe their story. Especially since major elements of the original story is beginning to fall apart. #5 is my current theory. The story wouldn't have come together unless Bloomberg had a nugget of truth somewhere. My question is: what is that nugget of truth, and how much of Bloomberg's story can we trust?

In any case, Bloomberg doesn't seem to be walking back claims. They're really confident in some story here.

----------

Edit: With regards to "spooks" like the FBI and whatever... https://www.dhs.gov/news/2018/10/06/sta ... compromise

DHS at least believes in Apple / Supermicro. Doesn't say too much of course, but it is kinda weird. Anyway, I don't think there's a major conspiracy here either. The Occam's razor is that DHS is using Apple and/or Supermicro equipment, so they're covering their own ass on this issue.

dragontamer5788 wrote:

4) Apple Executives don't know about it, and at best, a few isolated Apple Engineers know about these particular issues. Since Apple, as a whole, doesn't know about it, they released a letter to Congress forcibly defending themselves.

That makes absolutely no sense whatsoever.

1) Why would those isolated engineers lie to their employer in the first place? They risk their job, and for what?

2) How do isolated engineers manage to get Apple to switch suppliers, in a matter of tens of millions of dollars, without ever explaining why?

3) How do isolated engineers dispose of millions of dollars of hardware, without ever explaining why?

4) How do isolated engineers coordinate with data-center folks, because if they are mucking around looking for evidence of tampering with hundreds to thousands of servers, what on earth do they say to regular operations staff? Moreover, from initial discovery, why would they decide to keep the situation secret? For what conceivable reason would they do that? (If these Apple engineers found these on their own, why would the initial reaction be to tell absolutely no one else at the company? Likewise, if an outside party alerted Apple to go look, how do outside parties know who to choose that A) can successfully do that without notice and B) won't just immediately tell their superiors?)

5) How do isolated engineers coordinate with networking, because Apple explicitly claimed to Congress that they've never seen traffic like this?

6) How do isolated engineers "cooperate" with the FBI without anyone else in the company knowing it? How could the FBI do anything meaningful whatsoever if any overture or contact to anyone else at the company would reveal the situation?

7) How do isolated engineers completely hide from the internal investigation (Bloomberg contact Apple about this story 12 months ago, and Apple immediately acted)? Apple could easily guess who would be in a position to know, and now those people would have to cover-up the cover-up, which is like insanely impossible: If you are the person who could have discovered this and successfully hidden it, there will be a pattern of behavior that would at least implicate you (if not prove your complicity) and now Apple is -still- lying, about something much worse: They can't categorically say it didn't happen, and now they can't categorically say that this "isolated engineer" isn't a chinese spy that has infiltrated them and is doing WHO ONLY KNOWS WHAT ELSE.

tl;dr: No.

dragontamer5788 wrote:

5) A serious, but isolated, incident occurred, but doesn't apply to Apple / SuperMicro / etc. in general. Bloomberg exaggerated the claims in their story and are making a mountain out of a molehill.

This is the story being manifestly false.

It really makes no difference if something like this happened to someone, because, yes, something like this has assuredly happened to someone.

I mean, the defense to outright libel isn't "Well it wasn't you, and it wasn't this, but someone else did something similar to my allegation, so I'm not really wrong"

Glorious wrote:

dragontamer5788 wrote:

4) Apple Executives don't know about it, and at best, a few isolated Apple Engineers know about these particular issues. Since Apple, as a whole, doesn't know about it, they released a letter to Congress forcibly defending themselves.

That makes absolutely no sense whatsoever.

1) Why would those isolated engineers lie to their employer in the first place? They risk their job, and for what?

Lazines: https://en.wikipedia.org/wiki/General_M ... ch_recalls

Look, engineers don't always tell executives what goes on. That's like... normal. No conspiracy here. That's just how the world works. You can't just assume that everyone in a large corporation is on the same page.

What we can say, for sure, is that Apple, as a whole, is unaware of any problems. Cool. That doesn't necessarily mean Bloomberg is correct mind-you, it just means that Apple presumably looked into the matter, and hasn't found anything yet. I don't necessarily see any reason to disbelieve Apple.

2) How do isolated engineers manage to get Apple to switch suppliers, in a matter of tens of millions of dollars, without ever explaining why?

3) How do isolated engineers dispose of millions of dollars of hardware, without ever explaining why?

4) How do isolated engineers coordinate with data-center folks, because if they are mucking around looking for evidence of tampering with hundreds to thousands of servers, what on earth do they say to regular operations staff? Moreover, from initial discovery, why would they decide to keep the situation secret? For what conceivable reason would they do that? (If these Apple engineers found these on their own, why would the initial reaction be to tell absolutely no one else at the company? Likewise, if an outside party alerted Apple to go look, how do outside parties know who to choose that A) can successfully do that without notice and B) won't just immediately tell their superiors?)

5) How do isolated engineers coordinate with networking, because Apple explicitly claimed to Congress that they've never seen traffic like this?

6) How do isolated engineers "cooperate" with the FBI without anyone else in the company knowing it? How could the FBI do anything meaningful whatsoever if any overture or contact to anyone else at the company would reveal the situation?

7) How do isolated engineers completely hide from the internal investigation (Bloomberg contact Apple about this story 12 months ago, and Apple immediately acted)? Apple could easily guess who would be in a position to know, and now those people would have to cover-up the cover-up, which is like insanely impossible: If you are the person who could have discovered this and successfully hidden it, there will be a pattern of behavior that would at least implicate you (if not prove your complicity) and now Apple is -still- lying, about something much worse: They can't categorically say it didn't happen, and now they can't categorically say that this "isolated engineer" isn't a chinese spy that has infiltrated them and is doing WHO ONLY KNOWS WHAT ELSE.

tl;dr: No.

You said it. Not me. I don't know where you get all of these stories from, but that's not my argument, nor does it seem to logically flow from my earlier statement. Aside from 1), if you assume malice.

Glorious wrote:

dragontamer5788 wrote:

5) A serious, but isolated, incident occurred, but doesn't apply to Apple / SuperMicro / etc. in general. Bloomberg exaggerated the claims in their story and are making a mountain out of a molehill.

This is the story being manifestly false.

It really makes no difference if something like this happened to someone, because, yes, something like this has assuredly happened to someone.

I mean, the defense to outright libel isn't "Well it wasn't you, and it wasn't this, but someone else did something similar to my allegation, so I'm not really wrong"

I'm just saying: if one or two iPhones were attacked during manufacturing, then Bloomberg's story would be correct, AND Apple would also be correct. Mind you, Apple contracts a lot of these details out to Foxconn, so its not like Apple has 100% control over their entire supply chain.

I'm not necessarily saying Bloomberg has a correct story here. I'm simply painting a picture on how Bloomberg AND Apple can be simultaneously correct.

If a small, isolated incident occurred, and no engineer felt it was necessary to tell executives about, then everything kinda fits.

dragontamer5788 wrote:

The Occam's razor is that DHS is using Apple and/or Supermicro equipment, so they're covering their own ass on this issue.

Uh, they frequently award their contracts to the likes of Dell and HP, so I'd actually be very surprised if they were ever a supermicro customer. At any rate, Supermicro is almost certainly not an government approved vendor now and probably hasn't been for years, if ever.

Likewise with Apple, do you mean maybe the phones? I have no idea what they issue, but if it is apple, the handsets have nothing to do with this whatsoever.

dragontamer5788 wrote:

Lazines: https://en.wikipedia.org/wiki/General_M ... ch_recalls

Look, engineers don't always tell executives what goes on. That's like... normal. No conspiracy here. That's just how the world works. You can't just assume that everyone in a large corporation is on the same page.

First paragraph:

wikipedia wrote:

The fault had been known to GM for at least a decade prior to the recall being declared

Please read your sources.

Your cite basically demonstrates the exact opposite of what you contend happened: those GM engineers helped the plaintiffs attorney uncover something that the *COMPANY* was suppressing/underplaying.

They weren't the ones who conspired to hide this problem from the company, they "conspired" to help reveal it:

https://www.ajc.com/business/marietta-l ... iZ8xapzJJ/

article wrote:

In subsequent depositions, though, GM engineers referred to documents that the automaker hadn’t provided, Cooper said. In June, he filed a motion seeking penalties against the carmaker for withholding information.

There were recalls (the company therefore knew) contemporary to the accident that spawned the litigation. There were technical service bulletins (the company therefore knew) for 5 years before the accident.

The engineers helped put that picture together, and they told the attorneys that the company wasn't being honest in discovery.

dragontamer5788 wrote:

What we can say, for sure, is that Apple, as a whole, is unaware of any problems. Cool. That doesn't necessarily mean Bloomberg is correct mind-you, it just means that Apple presumably looked into the matter, and hasn't found anything yet. I don't necessarily see any reason to disbelieve Apple.

I'm not sure what you even think you are arguing now.

dragontamer5788 wrote:

You said it. Not me. I don't know where you get all of these stories from, but that's not my argument, nor does it seem to logically flow from my earlier statement. Aside from 1), if you assume malice.

I'm trying to explain how to how utterly outlandish your argument is. If you don't want to think through your offhanded claims and baseless suppositions, please just don't make them then.

dragontamer5788 wrote:

I'm just saying: if one or two iPhones were attacked during manufacturing, then Bloomberg's story would be correct, AND Apple would also be correct. Mind you, Apple contracts a lot of these details out to Foxconn, so its not like Apple has 100% control over their entire supply chain.

No, it absolutely wouldn't. Because the handsets have *LITERALLY ZERO* to do with this story (which is solely about SERVERS).

Did you even read the original article?

dragontamer5788 wrote:

I'm not necessarily saying Bloomberg has a correct story here. I'm simply painting a picture on how Bloomberg AND Apple can be simultaneously correct.

If a small, isolated incident occurred, and no engineer felt it was necessary to tell executives about, then everything kinda fits.

You're blathering about make-believe, and no, it obviously doesn't fit.

Glorious wrote:

Did you even read the original article?

Yes. They have a picture of an lol coupling capacitor and claim it can take over a computer. Which is utter bulls---. Coupling capacitors have 8-pins but only logically have 2-connections on the PCB. Soooo... no.

So my question is: what nugget of truth are they basing their article on? There must have been some incident that these "sources" are talking about, that the reporter doesn't fully understand, and wrote very poorly about. Very likely, the incident is being exaggerated by the "reporter", and they are making a mountain-out-of-a-molehill.

You're blathering about make-believe, and no, it obviously doesn't fit.

I love you too man.

I'm trying to explain how to how utterly outlandish your argument is. If you don't want to think through your offhanded claims and baseless suppositions, please just don't make them then.

And you're explaining it poorly. Either explain it better, or stop trying to explain things to me. Because it is hurting your case.

Glorious wrote:

dragontamer5788 wrote:

The Occam's razor is that DHS is using Apple and/or Supermicro equipment, so they're covering their own ass on this issue.

Uh, they frequently award their contracts to the likes of Dell and HP, so I'd actually be very surprised if they were ever a supermicro customer. At any rate, Supermicro is almost certainly not an government approved vendor now and probably hasn't been for years, if ever.

Likewise with Apple, do you mean maybe the phones? I have no idea what they issue, but if it is apple, the handsets have nothing to do with this whatsoever.

Super Micro is absolutely an approved government vendor.

dragontamer5788 wrote:

Yes. They have a picture of an lol coupling capacitor and claim it can take over a computer. Which is utter bulls---. Coupling capacitors have 8-pins but only logically have 2-connections on the PCB. Soooo... no.

So my question is: what nugget of truth are they basing their article on? There must have been some incident that these "sources" are talking about, that the reporter doesn't fully understand, and wrote very poorly about. Very likely, the incident is being exaggerated by the "reporter", and they are making a mountain-out-of-a-molehill.

Someone, somewhere, do something "bad" to Supermicro. This ended up being discovered by some company in the United States.

I have zero problem believing this. Supermicro, at least as of two years ago, ships with ADMIN/ADMIN, not an unique password on a sticker/card for their BMC like, idk, everyone else. (Ok, yes, that's an exaggeration, but that's indeed what you get with iLO/iDRAC computers). Security is obviously not even remotely a concern.

In particular, Apple has pointed out that in 2016 they received supermicro hardware, which they never deployed but were evaluating, that had available firmware on supermicro's site that was infected with malware. This was public knowledge:

https://arstechnica.com/information-tec ... re-update/

and materially differs from the current story:

1) Just "evil" firmware (which a lot of researchers have indicated would be the way a malicious actor would likely try to accomplish this--not vaguely described "magic bean" chips that can do ... the same sort of functions as "evil" firmware).
2) Not in production.
3) Not new.
4) Not part of an ongoing investigation.
5) Very likely just generic malware
6) Not pre-installed on the server---just downloadable from the supermicro site.


So who knows, that could be the "nugget of truth" and Apple is suggesting that it might be.