Super Micro Says Review Found No Malicious Chips in Motherboards (reuters.com) 95
Computer hardware maker Super Micro Computer told customers on Tuesday that an outside investigations firm had found no evidence of any malicious hardware in its current or older-model motherboards. From a report: In a letter to customers, the San Jose, California, company said it was not surprised by the result of the review it commissioned in October after a Bloomberg article reported that spies for the Chinese government had tainted Super Micro equipment to eavesdrop on its clients.
No, haven't had the pleasure (Score:2)
I've dealt with several HP computers directly over the years, some laptops and otherwise, and am familiar with dozens of others who have had HP computers as well.
I have *no* impression that HP equipment is less reliable than any other brand of computer. I think the total number of samples within my awareness is about 30-50 computers. Yes, some have died or have had parts die, but not that many.
I don't have direct experience with any repair attempts on any of this equipment, though.
Re: No, haven't had the pleasure (Score:2)
I worked at Best Buy where I would service ten machines or so a day: HP, Sony, Lenovo, Fujitsu, eMachines, and maybe a few more brands I don't recall. HP most definitely had a higher failure rate than average. Now, maybe HP users were more likely than Sony users to take the machine to Best Buy rather than dealing direct with the manufacturer, or maybe HP customers were more likely to purchase Best Buy protection plans. But it was a notable and significant difference.
Re:Well, if the most incompetent tech company on t (Score:4, Informative)
Good value as well. And only make servers (Score:2)
I've also had several Super Micro and have been very happy. Especially given the pricing.
Unlike HP etc, Super Micro only makes servers. They don't make laptops and mp3 players and crap for Best Buy. Everything they do is designed for the data center.
Re: (Score:2)
Be that as it may, the intercept Bloomberg is speculating about, would have had no ill effect on your "user experience".
Re: Well, if the most incompetent tech company on (Score:2)
I guess a Slashdot anonymous coward must have an opinion that is worthwhile... Oh wait you don't. Meanwhile the company in question is hugely successful.
Re: meaningless (Score:3, Funny)
So you thought that "outside investigation" meant that they performed it outdoors.
Re: meaningless (Score:1)
Just the investigators were outdoors. The chips were indoors
Re: (Score:2)
Hope they can back up these strong comments!
... but there is now! (Score:3)
I fully expect the next news report to be, "Supermicro computers discovered in second audit to have been compromised by auditing company. The first audit company, itself secretly compromised by {insert government-of-paranoia-choice-here}, was found to have tampered with the master copies of the bootloader firmware, during its on-site privileged access to Supermicro's Headquarters".
quis custodiet custodiens?
Re: ... but there is now! (Score:2)
Hahaha are there even any non-Chinese made server boards for x86-64?
Sufficient proof to 'prove the negative'? (Score:5, Interesting)
On this story, and the previous stories on this topic, a lot of posters have doubted the denials from Super Micro, Apple, Facebook and the various government agencies. I suspect this independent audit won't convince them, either.
So my question for the assembled multitude is this: What would be -sufficient proof- this didn't happen? Or is this one of those things where you won't accept any explanation from "the deep state"/"vested interests"/etc?
This is a significant issue for tech in general, as we need some widely accepted way to show systems are free from hidden vulnerabilities.
Re:Sufficient proof to 'prove the negative'? (Score:5, Insightful)
There's no proving a negative. Burden of proof is on Bloomberg and they don't have it. People who believe the Bloomberg story aren't going to be convinced of anything otherwise. It's like trying to argue a person's religious belief is 'not true'.
Re:Sufficient proof to 'prove the negative'? (Score:5, Insightful)
Exactly. Supposedly thousands of motherboards were compromised, and sold to multiple customers. The failure of Bloomberg (or anyone else) to produce a single compromised piece of hardware, or even a die photo of the supposed spy chip, says it all. There's no evidence to be found because it doesn't exist.
Conspiracy believers aren't going to change their minds. But for everyone else in the industry, it has become blatantly clear that Bloomberg screwed up royally with this story.
Memberberries - I 'member! (Score:4, Insightful)
I have some doubts about how a tiny "grain of rice sized chip" can both send and receive data on the wired ethernet port (differential signals) without actually BREAKING the lines and inserting itself into the path. Also, it wouldn't magically have FULL CONTROL of the PC, but would be able to only retransmit the data that was coming in/going out of the ethernet port to another ip address.
Re: (Score:2)
> I have some doubts about how a tiny "grain of rice sized chip" can both send and receive data
An RFID device uses the remote transmitter's power to charge up a capacitor sufficient to power the entire RFID processor, and the response transmitter (at very low power).
An RFID transceiver plus its power circuit *and* the antenna would easily fit within a compromised ASIC, under the packaging case.
Re: (Score:2)
Exactly this. Their only named source says he was speaking in the hypothetical and taken out of context, and multiple 3rd parties say they found nothing. No pictures, just artist's concepts obviously meant to be mistaken for pictures.
Re: (Score:2)
> So my question for the assembled multitude is this: What would be -sufficient proof- this didn't happen? Or is this one of those things where you won't accept any explanation from "the deep state"/"vested interests"/etc?
> This is a significant issue for tech in general, as we need some widely accepted way to show systems are free from hidden vulnerabilities.
“To one who has faith, no explanation is necessary. To one without faith, no explanation is possible.”
St. Thomas Aquinas
Re: (Score:2)
The SEC needs to investigate illegal Short and Distort stock scams. The FCC needs to enforce laws where media intentionally spread false reports.
I dislike government oversight, but I dislike anarchy more.
Re: (Score:2)
> I dislike government oversight, but I dislike anarchy more.
What you're missing is that people only believe the Bloomberg reporter because they believe he fears retributive justice by the government (slander, libel, etc. laws) that could carry prison time.
Absent that most people would assume everybody is full of bullshit without convincing evidence because private law solutions focus on restitutive mechanisms, not penal. If this turns out to be a short play then the profits would still be worth direct prova
Re: (Score:2)
> At least the wise ones.
On the surface, it seems wisdom is in short supply. Digging deeper it seems that people make logical choices based upon the information they are given. It is an unintended consequence of the Internet to see the decline in journalism. Media outlets are under intense pressure to survive and are making choices to run unsubstantiated stories that would never have been run more than 20 years ago. This is combined with more than half of people getting their
Re: (Score:2)
> So my question for the assembled multitude is this: What would be -sufficient proof- this didn't happen?
Proving or disproving a particular incident is irrelevant, what is relevant is proving that it's not possible for it to occur.
> This is a significant issue for tech in general, as we need some widely accepted way to show systems are free from hidden vulnerabilities.
Absolutely. It can be done but it's very expensive because it requires making bug-free software and then releasing it for public review. Until then your best option is to use ultraparanoid computing which assumes the host system is compromised. The alternative is to cross your fingers and wait for the CVE reports to roll in.
Re: Sufficient proof to 'prove the negative'? (Score:1)
There isn't anything. Some people are just crazy.
Obama shows his official birth certificate, and people (including the current US president) think it's fake.
Re: (Score:2)
OK, here's a conspiracy theory. Why did Obama wait years to make the official birth certificate available for public inspection? He needed time to have a high quality forgery made.
Re: (Score:1)
So...a tempest in a teapot, then.
The original story mentioned an unnamed "security company" as the source. But no details. "Ongoing investigation" and "top secret" as reasons for this.
There was a distinct fishy odor, but, hey, better safe than sorry, and they wouldn't have gone public if they hadn't found something, was my take. So yeah, I was suckered into the hysteria.
What would have constituted proof? Well, for a start, good pictures of the offending chips and a marked up schematic of where they were
Re: (Score:3)
One suggestion for motivation is to drive prices of Super Micro, and tech in general, down. That certainly happened for Super Micro. Another is to cast doubt on tech, particularly Big Tech (and cloud vendors) in general. That could be for financial reasons, or it could be for propaganda/"engendering distrust" reasons.
I'm not saying I necessarily believe either suggestion, but they're worth considering if one concludes the Bloomberg story was a deliberate plant, rather than just particularly shoddy journa
Bloomberg needs to explain where photos came from (Score:3)
Generally Bloomberg is pretty reliable so one wants to give them the benefit of the doubt. And they must think their sources reliable enough to make them worth protecting. But at this point it seems like they do need to defend their certainty more.
Super Micro presumably can only inspect the boards it has now, not the boards it shipped. It could try recalling some of those but if the infiltration was selective and rare that might not be possible. For example if a few of the boards shipped to say, the NSA, whe
Re: (Score:2)
This is the same Bloomberg that runs news stories suggested by Wall Street elite to pump and dump stocks. This is the same Bloomberg that is the unofficial marketing arm of Wall Street. This is the same Bloomberg that has been saying regulations aren't needed anymor
Re: (Score:2)
They could start with a denial that is even a denial; when the headline says their review found no malicious chips "in" their motherboards, I assume they're telling me that they did find some on their motherboards.
Re: (Score:2)
> What would be -sufficient proof- this didn't happen?
Give it up man. The moon landing was filmed in a studio in LA, and the earth is flat.
Re: (Score:2)
> Did anyone expect an internal investigation of Supermicro to yield anything but an "innocent" verdict?
It wasn't an internal investigation; it was an external investigation. That's what "outside" means in TFS.
Re: (Score:2)
> While I'm not usually part of the conspiracy crowd, I'll make an exception for this one. Did anyone expect an internal investigation of Supermicro to yield anything but an "innocent" verdict? Can you imagine the damage to Supermicro's brand had any other result been released?
Wait a sec. That logic makes no sense.
Regardless of which side of this debate you're on, this is the result we expected. The people who think Bloomberg got it wrong were expecting this result because Bloomberg got it wrong. The conspiracy believers were expecting this result because there's a coordinated coverup. That the result matched everyone's expectations no more proves a coverup than it disproves one. It's simply the expected result.
That said, while the result matching expectations may not prove or dis
In other words, Bloomberg reporting sucks (Score:1)
The biggest red flag on the Bloomberg report is it's a sorry hack attempt. To put an additional chip on a board that can easily be caught with automated visual scans (i.e. computer vision) is just sloppy and stupid. There are so many other ways to compromise a MB without l
Until ... (Score:2)
Like the Trumped up charges against Huawei CFO (Score:1)
Part of the propaganda war that is going on between US & China.
Fake news (I do hate that cliche; smells bad).
Re: (Score:2)
Except SuperMicro is a Taiwanese company. Sure Taiwan is in a weird place, claimed by China but considers itself independent, but most Taiwanese actually believe they are an independent country regardless of what the UN and other people say. (Plus, they have a real democracy and not a dictatorship).
And the real articles are Apple and Amazon for those two were the ones first reported on by Bloombe
Chips? (Score:2)
Re: (Score:2)
Because the contents of the firmware are easy to audit. If you have customers that do factory inspections and pay for specific firmware to be installed, you can't hide anything there. You need something that isn't on the BOM to actually hide anything if you have big customers that send auditors.
Re: (Score:2)
The Indian government was partially responsible for the Bhopal tragedy.
There's lots of competition for environmental disaster. Exxon Valdez was not as bad as Chernobyl, which pales in comparison to the destruction of some of the world's best agricultural land by the gross mismanagement of the Stalin regime. That in turn is minor compared to some asteroid impacts.
It's always funny to see the conventional view of the 2007+ "Great Recession", which was caused by economic policies in large part the fault of Democ
Worrying (Score:2)
Wait... so they couldn't detect them? This is getting scary!