Supermicro along with Apple and Amazon refute claims in Bloomberg story

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, Oct 5, 2018.

  1. tunejunky

    tunejunky Ancient Guru

    moo100times and fantaskarsef like this.
  2. sykozis

    sykozis Ancient Guru

    So, you quote a company whose domain was registered in February 2016 (same year the company was founded) and claims to be a "pioneer" in their field.... The people running the company also have zero background in hardware, while trying to sell a "security suite"..... Everything about their claim screams either stock manipulation or scaremongering as a marketing tactic. They claim their "security suite" can stop "hardware level" attacks.... Please find a credible source of information. From the information I've found, this looks like another attempt at stock manipulation.

    For a company that claims to have earned "global recognition", they appear to be pretty damn unknown globally. Every site I can find even mentioning the company, is all marketing BS.
     
    austin865a likes this.
  3. tunejunky

    tunejunky Ancient Guru


    if you've never heard of Bloomberg, then you're not involved in Business.

    Bloomberg is the premier business news media operation in the United States. if you've heard of BusinessWeek - that's Bloomberg.

    they have a far greater reputation than the Wall Street Journal (which has fallen under Murdoch - owner of Fox News).

    so really you are voicing Ignorance and not any opinion backed by experience, knowledge, or credibility.
     
  4. fantaskarsef

    fantaskarsef Ancient Guru

    What I'm most curious about now at this point is, that if the story is not true, will Supermicro sue Bloomberg for putting pressure on their stock and making them lose millions in stock worth overnight? Not to mention a damage in reputation that's pretty hard to put into numbers they'd have to put into a lawsuit to claim further damage?
    Because if this happens, I don't want to know what a judge says about Bloomberg's keeping their sources "secret".
     
    austin865a likes this.

  5. tunejunky

    tunejunky Ancient Guru


    dude you are trying to start a fight with the wrong person.

    and yes, you are ignorant and not actually involved in business if you're American.

    end of story, end of my participation with you on this thread.
     
  6. Embra

    Embra Ancient Guru

    tunejunky likes this.
  7. tunejunky

    tunejunky Ancient Guru


    as the story has progressed, SuperMicro is a victim.

    and yes, there is extreme liability in publishing any type of derogatory story that is not verified as fact.

    the Chinese are the folks who are doing this, not any foreign corporation.

    which should have been anticipated frankly and that's where the corporate responsibility lies.

    to paraphrase Vladimir Lenin "the capitalists will sell you the gun you use to shoot them".
    and while China is not actually communist anymore their state mythology and government structure is.
     
  8. fantaskarsef

    fantaskarsef Ancient Guru

    So all in all there is little chance to prove this story either true or false, as well as even if they are true, they will never get who did it? And they can't change the fact that the demand for infrastructural hardware can't be met by any manufacturing outside China?
    Seems like there is little choice but to go on the way it is, right?
     
  9. tunejunky

    tunejunky Ancient Guru

    not quite.
    there are other choices than China (after 18 months of transition, building factories).
    China is no longer as cheap as they used to be for labor. and the Chinese economy is not fully robust as they've learned some really bad debt lessons from the U.S. and have over-leveraged their banking industry.
    in other words China's in a bubble economy right now and they've relied on exports to drive up their standards of living. now they have to maintain growth for political stability as that is the bargain they made with their citizens (in exchange for gov't control). and their domestic market is saturated in some industries and barely existent in others, so it really isn't a mature economy.
    Vietnam has been extremely cordial and has stability that corporations desire, along with Malaysia and Singapore (which is limited by land for factories).
     
  10. fantaskarsef

    fantaskarsef Ancient Guru

    Still those other choices would cost more money for manufacturing, even though China's wages (and probably taxes / costs for the infrastructure) have risen. Not that it wouldn't make sense for high sensibility markets like servers, I still don't think they will flash out billions to avoid this risk, or it would have happened 5 to 10 years ago already...
    And I wouldn't trust Singapore either, since they're more or less Chinese, and I wouldn't count on the Chinese to not have their fingers (agents) there too. If you want to be totally secure, I guess there's little choice but to bring manufacturing to domestic soil.
     

  11. moo100times

    moo100times Master Guru

    I am inclined to agree with you tunejunky.

    At the end of the day, espionage is big business, allows you to harvest information, manipulate your own and also foreign populations potentially with ease, and is still economical relative to outright war. There are many large scale data harvesting and manipulation schemes, and countries always have used whatever they have at their disposal. The fact that this has not been done before is perhaps more surprising to me. I mean there was this leak https://www.businessinsider.com/russia-claims-china-bugged-tea-kettles-2013-10 a few years ago and some others rumoured prior to this. Whilst I am sure not everything is an outright hack, I would not doubt that there is something going on regularly, and why the Chinese government would not use manufacturing to get something into hardware is beyond me. It really falls to the companies and the countries trying to save money and outsourcing their security through manufacturing elsewhere, and these are the subsequent risks taken by doing so. The fact that China has done custom deals with AMD, they are pushing their own CPU development and this seems to have been an upswing since the whole Meltdown/Spectre reveal. I remember this story https://www.techpowerup.com/241024/...meltdown-and-spectre-before-the-us-government and whilst this may be "true", it assumes that the US government did not know about it which I still consider highly unlikely (for a variety of reasons - can Intel really be that incompetent for >15 years and over multiple new designs of CPU, integration of their hardware into security, tech, research industries and few others). US government agencies have requested overrides to security (Apple and the FBI) and the integration of back doors into new products and integration of existing services into data harvesting projects like PRISM, and countries like the UK have had legal data tapping and information collection enshrined in law since WW2 (and has companies large mobile telecom companies like Vodafone).

    I would say this is simply the new standard of espionage to any country that has the infrastructure to implement it. Whether this specific case is true or not, I am sure there is an interesting game afoot. Denying it however is in the interest of all parties involved, as companies are liable for more data breaches and failure to check their hardware if it is true, and in the face of current rising tensions, could push countries towards outright conflict which will harm everyone in the long run, though with current posturing things may well end up that way anyway.
     
    HandR and tunejunky like this.
  12. Fox2232

    Fox2232 Guest

    Proving this? Easy. Hand me one modified HW component and in a few days, I'll tell you without knowing what part of it is doing it that it is doing it. All that is needed is doing the same installation on modified HW and clean HW. Then you compare OS images. Same goes for BIOS, clean flash of BIOS, then you let it do its thing and read flash memory while system is powered down.

    Those small things with limited traces available can't affect OS on runtime, they have to alter some very specific binary code to deploy its payload and that can be detected.

    From start I am highly skeptical and because they clearly pointed fingers on China's government and army, they clearly did not even remotely understand all possible outcomes. Or they simply did not care.

    They provided a story, that's what you do if you want to persuade mass population. If they wanted to sell that to likes of us, they would provide facts and evidence.
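
The comparison described in the post above (read the flash on a known-clean board and on the suspect board, then compare the images), as an added example that is not part of the original post. The 4 KiB block size, the ignored settings-store range and both sample images are assumptions constructed for illustration; real offsets depend on the board's flash layout.

```python
# Added example: block-wise comparison of two firmware flash dumps.
BLOCK = 0x1000  # assumed comparison granularity (4 KiB)

def _mask(image, ignore):
    """Zero the ignored byte ranges so expected changes do not show up."""
    buf = bytearray(image)
    for start, end in ignore:
        end = min(end, len(buf))
        if start < end:
            buf[start:end] = bytes(end - start)
    return bytes(buf)

def diff_regions(reference, suspect, ignore=(), block=BLOCK):
    """Return merged (start, end) offsets where the two dumps differ.

    ignore holds (start, end) ranges that legitimately change between
    boots, such as a settings store; the caller supplies the offsets.
    """
    ref, sus = _mask(reference, ignore), _mask(suspect, ignore)
    regions = []
    longest = max(len(ref), len(sus))
    for start in range(0, longest, block):
        end = min(start + block, longest)
        # Past the end of the shorter dump one slice is short or empty,
        # so a size mismatch is reported rather than silently skipped.
        if ref[start:end] != sus[start:end]:
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)  # merge adjacent blocks
            else:
                regions.append((start, end))
    return regions

def make_sample():
    """Constructed 64 KiB images standing in for real flash reads."""
    ref = bytes((i * 7 + 3) % 256 for i in range(0x10000))
    sus = bytearray(ref)
    sus[0x5000:0x5010] = b"\xff" * 16   # unexplained change in one block
    sus[0x8FF8:0x9008] = b"\x00" * 16   # change straddling two blocks
    sus[0xC000:0xC004] = b"BOOT"        # expected change (settings store)
    return ref, bytes(sus)

if __name__ == "__main__":
    ref, sus = make_sample()
    for start, end in diff_regions(ref, sus, ignore=[(0xC000, 0xD000)]):
        print(f"differs: 0x{start:06x}-0x{end:06x}")
```

Any region reported outside the ignored ranges is a starting point for manual analysis, since it only shows that the bytes differ, not why.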
     
  13. tunejunky

    tunejunky Ancient Guru

    there is an adage "a little knowledge is a dangerous thing"...
    mainly meaning those with expertise elsewhere who dabble in deep waters are adrift.

    frankly it's adorable how naive so many of you are. and the naive ignorance of what can and cannot be done, just because it's outside your experience.

    i have experience of decades working for multinationals and government contractors from the beginning of the pc revolution and my late brother was one of the men in gov't handling technology transfers to South Korea (hello IC manufacturing). i lived in Japan and Hong Kong
    and currently consult in aerospace (satellites).

    the allegations of Chinese tampering are far from imaginary or political (other than the long range plan for supremacy).
    this stuff is real and it happens every day.
    and again the U.S. has done and has been doing this for decades.

    one of the selling points for E.U./Russian/Japanese/Indian launch vehicles is that they're not launched from the U.S. on American rockets.

    and there is a reason for that...
     
    HandR likes this.
  14. tunejunky

    tunejunky Ancient Guru

    and oh yes...
    go look up Plausible Deniability
     
  15. Noisiv

    Noisiv Ancient Guru

    This story is getting better by the day.
    First the anonymous sources accused specific companies, and now the specific source (Yossi Appleboum) is accusing anonymous companies.

    Mr. Yossi Appleboum, CEO of Sepio Systems, previously worked for Israeli intelligence, the only state entity beside the US that's known to be involved in the case of destructive hacking, and then went to brag about it!
    Fox News called it 21st century James Bond, and reported it as "Stuxnet. Shaken, not stirred."
    Sepio Systems’ board includes Chairman Tamir Pardo, former director of the Israeli Mossad, the national defense agency of Israel, and its advisory board includes Robert Bigman, former chief information security officer of the U.S. Central Intelligence Agency.

    Somewhat surprisingly Mr. Yossi Appleboum went to great lengths to absolve Supermicro of any guilt, and instead is pointing the finger at... well EVERYONE.
    According to him the problem is widespread and the entire industry is affected. And the most common way to hack you is... they send you a malicious serviceman or you already have a compromised employee... :

    I want to be quoted. I am angry and I am nervous and I hate what happened to the story. Everyone misses the main issue.
    The problem is that when you get the hardware how can you make sure the product was not compromised?

    Someone can replace modules that validate hardware with other modules that say it is okay.

    We are spending $100B on software related attacks, but near zero for hardware attacks. That is irresponsible and that is the problem that we need to fix.



    PS
    If you visit Sepio's website you are greeted with:

    VALIDATING YOUR HARDWARE ASSETS
    Protecting Organizations Against Malicious Hardware Device Attacks


    TAGS:
    • zero specifics, zero proofs
    • no legal liability
    • impossible to disprove
    • 'do unto others'
    • free marketing
     
    fantaskarsef and tunejunky like this.

  16. tunejunky

    tunejunky Ancient Guru


    and that's when they haven't compromised your factory management and employees.
    gentle reminder...there is no freedom in China and if the gov't says hop, you hop.
     
  17. sykozis

    sykozis Ancient Guru

    The "specific source" for this story is a company called Sepio. The company is new, being incorporated in early 2016. The company is relatively unknown in the industry it's part of. They are trying to sell software that claims to secure against hardware level threats. What better way to market a security product than to claim that all hardware is affected by a "malicious" chip that the hardware companies don't know exists. It's generally referred to as scaremongering....and it's one of the most effective ways to sell a "security" product.
     
    fantaskarsef likes this.
  18. Andrew LB

    Andrew LB Maha Guru

    If Supermicro, Apple, and Amazon are lying, then it's easily provable. Bloomberg needs to put up or shut up. Let's see some motherboards with this secret chip on it, and proof that it is what they claim. Because if they went and printed a story with such far-reaching implications without a shred of evidence... well.... hate to break it to you but freedom of the press does not legalize slander/libel.

    The days of objective, ethical journalism are long dead. Hardly anyone does actual investigative journalism anymore. They just repeat rumors that are phoned in as if they're fact. Or they flat out fabricate stories out of whole cloth.


    Bloomberg has published all kinds of fake news lately. They claimed that Nikki Haley resigned over the Brett Kavanaugh appointment even though she had planned on leaving for many months. They also reported China was banning bitcoin, and they completely fabricated a story about getting free upgrades to 1st class, just to name a few. Calling Bloomberg an industry leader doesn't say much considering the current state of journalism.

    And I'm not sure if you ever took a civics class, or have any concept of the law, but this recent trend of making outlandish accusations and then demanding the accused prove their innocence is not how our system works. The burden of proof is on the accuser and the accused is given the presumption of innocence.
     
    Fox2232 likes this.
  19. tunejunky

    tunejunky Ancient Guru

    Andrew LB, you are conflating different things to come up with your desired point.

    no news agency is 100% accurate all of the time. but there's a huge difference between financial rumors (which Bloomberg has to cover as a financial news outlet read by every player on Wall Street) and investigative reporting.

    i could care less about domestic politics on this point and claims of "fake news" put out by proven liars.

    what amazes me is the arrogant ignorance of those who think this is either not possible, not plausible, or political.

    it is entirely possible in the realm of Plausible Deniability that the Chinese didn't do this, but for anybody to say that they couldn't do this is for them to be either fooling themselves or talking up something with absolutely no knowledge of the subject.
     
  20. fantaskarsef

    fantaskarsef Ancient Guru

    I tell you, it smells. I'd bet that the least of all the hardware is de facto compromised right now. But the point of compromised service technicians is probably the most prominent. But that's quality reassurance, and that's actually a thing that the institution or company that gives out their orders is supposed to do...

    So instead of making everybody crazy they should just stfu and manage their own processes better so that they'd know what's happening. End of story. No need to make the public crazy about it.
     
