back to article Forgotten that Chinese spy chip story? We haven't – it's still wrong, Super Micro tells SEC

The computer server maker at the center of a dramatic secret Chinese spy-chip story has again insisted the yarn is wrong, and called the whole thing "technically implausible." US-headquartered Super Micro sent a note to its customers late last week denying all claims in a recent Bloomberg BusinessWeek article that the Chinese …

  1. Mark 85

    The simplest answer is usually the right answer...

    Normally that's true, but in the spy-vs-spy world maybe not so much. Another saying goes: "Every answer begats two more questions". It would seem someone is/has been shoveling the pile, the questions are "who" and "why"?

    From the article: Although a better explanation may be that it accurately reported a misinformation campaign put together by some part of the intelligence services.

    That seems a simple explanation but I'll reserve judgment as there's still too much politics, etc. from the agencies to really know. If its a misinformation campaign to discredit the Chinese, then Super Micro is taking a huge hit in credibiity in a variation of a drive-by shooting and the company and the IT industry will suffer.

    IF there's been mods to the board than why haven't any been produced for independent inspection? At this point, that would point back to the TLA's and "national security" excuses. The Rabbit Hole is getting deeper the longer this goes on.

    1. Gene Cash Silver badge

      Re: The simplest answer is usually the right answer...

      > IF there's been mods to the board than why haven't any been produced for independent inspection

      Bingo. Why isn't Super Micro going "look, no sekrit chippies here!"?

      1. JohnFen

        Re: The simplest answer is usually the right answer...

        "Why isn't Super Micro going "look, no sekrit chippies here!"?"

        You can't prove a negative. Super Micro could trot out boards all day long and show them to by spychip-free, and it wouldn't mean a thing in terms of demonstrating that the boards in question are spychip-free.

        The flip side of that is that the burden of proof is on the one making that positive claim. It's up to the ones saying there are spy chips on the boards to produce one as evidence. That would be meaningful.

        1. Anonymous Coward
          Anonymous Coward

          Re: The simplest answer is usually the right answer...

          The flip side of that is that the burden of proof is on the one making that positive claim. It's up to the ones saying there are spy chips on the boards to produce one as evidence. That would be meaningful.

          Which is Bloomberg's problem. If this did happen, as soon as it became apparent all suspect boards would have been replaced, rounded up and taken away by the Feds to a very secure location and destroyed other than a few retained for spooks to play with. All concerned (including China) are best served by a strategy of outright denial.

          Personally, I tend to side with Bloomberg, because if I were part of the Chinese intelligence service, that's certainly something I'd try. If the Chinese haven't tried this, it begs the question why not? Even before this they were still subject to the assumption of guilt and backdoors, with sales restrictions on certain kit and the like.

          I'm not sure that the logic is strong, doubting the story because the big DC businesses have advanced traffic monitoring which would have detected suspect traffic. For starters, maybe they did work, and that's how all the affected boards were rounded up. Maybe they didn't work - all the evidence of data leaks since big data existed suggests these tools have limited effectiveness. And in either case the Chinese would know that there's a risk of traffic detection - so would plan the attack and data exfiltration accordingly. No point exfiltrating several terabytes of low value data, when potentially the really valuable stuff is a handful of gigabytes that can be snuck out over a period of time - the potential benefits of the (reportedly) targeted attack, and the resources to execute it would not be risked with a vast and obvious data grab, or connections to obvious C&C servers. That's how I'd approach it. Then I'd expect that the PLA spooks would be far better at their tradecraft than some random commentard - if we agree on that, then they'd have an even lighter touch than I'm suggesting, because the trick only works until discovered, so it is vital that it goes undiscovered for long enough to get the really vital stuff.

          1. iron Silver badge

            Re: The simplest answer is usually the right answer...

            "If the Chinese haven't tried this, it begs the question why not?"

            Because it would be extremely difficult, expensive and once caught all that investment would be lost. It's orders of magnitude easier and cheaper to use flaws in software, firmware and Intel's hardware to accomplish the same goals.

            1. Doctor Syntax Silver badge

              Re: The simplest answer is usually the right answer...

              "It's orders of magnitude easier and cheaper to use flaws in software, firmware and Intel's hardware to accomplish the same goals."

              If you were doing that it would be handy to plant a story like this to misdirect attention.

              1. Anonymous Coward
                Anonymous Coward

                Re: The simplest answer is usually the right answer...

                "It's orders of magnitude easier and cheaper to use flaws in software, firmware and Intel's hardware to accomplish the same goals."

                If you were doing that it would be handy to plant a story like this to misdirect attention.

                The problem I have with the alleged modification is that my experience suggests it isn't just a matter of some extra small chips - other than when they trigger something else, far bigger, that is already there.

                I may be behind in my electronics, but to get a stack that AND extracts meaningful data from storage (because that bypasses the need to add to the complexity of breaching a higher level OS of which you never know type, version and patch level in advance) AND communicates meaningfully across a routed IP network whilst evading detection from NIDS et al - sorry, I don't see that fit in a chip that small. If China was capable of doing that they would not have the "creatively acquire" IP et al, it would lock the door and never permit that chip to cross their borders to protect that sort of own IP from discovery instead (and the Americans would be falling over themselves to obtain it in any manner possible, including the illegal options).

                Ergo, either this leads to something far more sinister (which I am not buying), or Bloomberg has been fed BS and is still figuring out how that was possible (it has plenty to lose here - it does have a reputation to defend). The latter is IMHO far more likely, but I lack the creativity to come up with a plausible motive for doing this to Bloomberg other than to harm their credibility.

                Whatever it was, it must have been very sophisticated. Bloomberg is not a novice in the news industry - but maybe the journalists were..

            2. Anonymous Coward
              Anonymous Coward

              Re: The simplest answer is usually the right answer...

              Because it would be extremely difficult, expensive...

              And you're seriously proposing that worries China, or any other large national security agency? Where there's a good prize, budgets are limitless - look at the probable cost the US incurred for Glomar Explorer many decades back - around $4bn in current prices. This possible hardware backdoor would be a lot cheaper than that type of effort - probably an end to end project cost similar in magnitude to Stuxnet, of the order of $200m. So on balance difficulty and expense don't come into it.

              once caught all that investment would be lost

              For this particular version yes. But if the data stolen is valuable enough, that doesn't matter. And even if that was not the plan, there's plenty of really useful lessons that can be learned from any US response. Moreover, this is spooks we're talking about. This could have been intended to come to light, either as a distraction from something else the originators are doing, or simply as a message. And maybe it was simply a message - if China had found a hardware backdoor in a US technology import (ie US spooks planning to target China), then this could be simply a formal response from one TLA to another: "Don't screw with us, we found your toy, and we'd like to remind you that we own the majority of your tech supply chain". Look at the risks and high diplomatic costs recently incurred by both Russia and Saudi to send simple messages to specific groups - the Russians knew they'd be caught, and even wanted to be caught - the message worked best when everybody knows who did what to whom and why. The Saudis seem to have been under the impression they might get away with simply denying it, but regardless believe that their money will protect them from the consequences.

              It's orders of magnitude easier and cheaper to use flaws in software, firmware and Intel's hardware to accomplish the same goals.

              Except that they are known to all the TLAs and big tech, so relatively easy to mitigate against. Great against poorly hardened targets like your average corporation or private individuals. But poor at messaging.

              1. Robert Helpmann??
                Headmaster

                Re: The simplest answer is usually the right answer...

                Look at the risks and high diplomatic costs recently incurred by both Russia and Saudi to send simple messages to specific groups...

                Not to detract from the conversation, but this usage is just wrong. "Saudi" is a noun if you are talking about a person group of people ("She is a Saudi," or "The Saudis all got on a plane.") and an adjective elsewhere ("I ate way too much Saudi food!"). The combination used here is the equivalent of "New Zealand and British" or "Venezuela and Persian". Why is this confusing?

                1. Anonymous Coward
                  Anonymous Coward

                  Re: The simplest answer is usually the right answer...

                  Not to detract from the conversation,

                  Not at all - no offence is taken, and the correction duly noted.

                  And I doff my hat to you: In the Reg forums there is no higher badge of honour than to be called a pedant.

            3. Anonymous Coward
              Anonymous Coward

              Re: The simplest answer is usually the right answer...

              Because it would be extremely difficult, expensive and once caught all that investment would be lost.

              Exactly, this strikes me as one of those super fantasy spy things where they're basically using stealth fighter technology to steal the latest in fly swatter tech. It doesn't make sense.

        2. John Brown (no body) Silver badge
          Joke

          Re: The simplest answer is usually the right answer...

          "The flip side of that is that the burden of proof is on the one making that positive claim. It's up to the ones saying there are spy chips on the boards to produce one as evidence. That would be meaningful."

          Or it's an elaborate stock swindle. Is anyone buying SuperMicro stock right now?

    2. ShortLegs

      Re: The simplest answer is usually the right answer...

      And the simplest answer is "if didn't happen"

      The article refers to previous carefully spun press releases from large corporations, but in Apple's case last week Tim Cook was very, very emphatic; this did not happen. Not "did not happen as reported" or any other carefully constructed and ambiguous denial, but a flat outright rejection.

    3. Rol

      Re: The simplest answer is usually the right answer...

      The fact that denials by several organisations were almost immediate, suggests they hadn't bothered to examine the allegations, which in itself tells a story.

      I have a sneaking suspicion that someone in the industry will come to Bloomberg's aid. Not waving a compromised Super Micro board from one of the named companies, but waving another brand of server board.

      A run of the mill server board that they had spare and piqued by the story, started to investigate out of curiosity.

      What I fear, and if true, what our intelligence agencies are now fearing, is that the world will be presented with proof that motherboards used in many servers have had the secret chip treatment.

      And seeing as our very own agencies will be looking very sheepish once that revelation comes to light, is it any wonder denials are coming thick and fast from all quarters.

    4. unscarred

      Re: The simplest answer is usually the right answer...

      More likely a misinformation campaign started by the Chinese secret services.

      It creates FUD in the West, and supports the panopticon effect that China likes to use to repress activism at home.

    5. Anonymous Coward
      Anonymous Coward

      Re: someone benefits.

      Is it just for the media attention, the share price dealings, or political standings or eventually misinformation for data collection services/agencies?

      Who knows, lots of people with fingers in the pot there.

    6. big_D Silver badge

      Re: The simplest answer is usually the right answer...

      It's easy, Bloomberg just has to show off one of the affected mainboards, with embedded chip.

      Then the story holds water. If there are so many affected mainboards out there, it should be relatively easy for them to get hold of one.

  2. Will Godfrey Silver badge
    Angel

    Conspiracy theory?

    Is it possible that the entire story was invented by some people wanting to depress the value of Super Micro - some aggressive investor maybe. Although Icant think of anyone who'd want to do that.

    1. Anonymous Coward
      Anonymous Coward

      Re: Conspiracy theory?

      There are far less public ways to knock down the stock price of a target. Much better to start rumors of some type of earnings restatement being required, rather than weave a story that includes both the FBI and the two largest publicly traded companies in the world. There's no way any trading to take advantage of the stock price fall (or subsequent rise if/when the story is retracted) would not be looked at very closely by the SEC given this has received so much publicity.

      1. streaky
        Terminator

        Re: Conspiracy theory?

        There are far less public ways to knock down the stock price of a target.

        Not many *that* effective though. This did more relative damage to the SMC price than happened to Equifax in the aftermath of their massive incompetence.

        My theory is more that somebody has made up this story to either dupe Bloomberg as an attack on Bloomberg or to hit SMC stock so they can buy it cheap. Either way Bloomberg has a serious problem. Nobody in the industry is taking this story seriously because as reported it's completely absurd. Not that it's impossible but the technical claims just aren't right. Think I said elsewhere for China to pull this [specifically what Bloomberg have claimed] off they'd have to be far more technically advanced than any other country in the world and not for nothing people would notice so why try to do it anyway.

        Option C is it's an attack on China and given the involvement of security services that's not implausible either.

        Bloomberg is a dupe, and how hard it's standing by its story doesn't end well. Course we shouldn't feel sorry for them - SMC can't sue Bloomberg because if somebody produces a hacked motherboard no matter the provenance or capabilities of the board SMC basically automatically lose. If this was a UK publication regulated by IPSO I'd personally have seen to it by now there was an IPSO complaint in there. I don't know what the SEC rules are but I'd be interested generally and especially if I was SMC what the rules about this kind of thing are; there's a point Bloomberg either have to produce *any* evidence (and we should be clear there's zero evidence right now) or retract and apologise very publicly.

    2. Anonymous Coward
      Anonymous Coward

      Re: Conspiracy theory?

      Bloomberg is a business oriented new site and the editors would have had to know this story would have had a major impact on the shares. It is hard to see they would have opened themselves up for a major court case because someone just wanted to depress the value of one company. They live by their business reputation and this could have a major impact.

      The fake diaries published by Newsweek had a long lasting impact on their credibility.

      1. a_yank_lurker

        Re: Conspiracy theory?

        @AC - I would expect that Bloomberg in this scenario is a dupe. Feed some journalists a juicy enough story that sounds plausible to someone not familiar with manufacturing and QA inspections through a source that appears to have ties to a TLA. Done right the reporters and editors might bite very hard. When the story breaks be ready to short someone for a few hours or days. It would be hard to unravel unless the reporters turnover the notes and sources to the ferals.

        This is a plausible scenario, that a group who wants to short someone like Super Micro cook plant the story and hopes someone reputable bites. Probably tried many times but someone smelled a rat and did push the story.

      2. Santa from Exeter

        Re: Conspiracy theory? @ AC

        One of the issues here is that these particular Bloomberg journos seem to have form in the bullshit stakes https://twitter.com/RobertMLee/status/1049617855396933632.

        Bloomberg stood by them in this as well.

        The reason I distrust Bloomberg is that as was stated in an earlier Reg piece, the reporters are regarded by how much their reporting influences stock proces. To my mind that's just another way of saying Bloomberg manupilates the markets.

        1. DCFusor

          Re: Conspiracy theory? @ AC

          Yeah, having been a market player myself, I note Bloomberg does NOT in any way represent any sort of "gold" standard to anyone who pays attention to what they do. They of course please the seriously left-leaning non-financially in-the-know people like um...some here who don't know about the financial facts but love the hard-left opinions constantly expressed on Bloomberg. Many consider their reporting quite slanted - you can not tell lies but still fail to tell enough truth .... telling only one side of a multifaceted story is not telling the whole truth. In fact, it's propaganda and deception 101.

          They're in the same business as the other sharks and snakes, people, and play it the same as any of the other not-too-honest market participants. They make money from turmoil, even if they didn't short this stock first themselves directly (oh, there are so many ways...that don't leave much of a trail). They sell data, and the crazier things get, the more money they make. EG, simplest theory follows from Cui Bono.

          A well setup outfit could indeed do such a plant on a board, there's no technical or financial reason not to, and there are such things as "silent assets" for "last resorts" in the military and spy communities, but lacking even one proven sample...the fact that it's possible is only one leg of the stool.

    3. Anonymous Coward
      Anonymous Coward

      Re: Conspiracy theory?

      Is it possible that someone might want to tarnish the credibility of one of the most respected main stream media publications?

      1. Anonymous Coward
        Anonymous Coward

        Re: Conspiracy theory?

        Yes I wasn't suggesting that if the story is untrue Bloomberg knew about it. It would take some fairly sophisticated people to fool the writers and editors at Bloomberg. Not saying it would take a nation state, but definitely more than a 400 lb guy sitting on a bed somewhere.

    4. bombastic bob Silver badge
      Black Helicopters

      Re: Conspiracy theory?

      "some people wanting to depress the value of Super Micro" "some aggressive investor maybe"

      I recall a well-known investor that once "broke the bank of England" through currency manipulation, etc. [and has done so in other cases as well]. This guy's billionaire rich, too, and interferes in politics a LOT, indirectly sponsoring MOBS of people that disrupt, etc. via well known 'charities'. No names mentioned, of course [probably don't need to]. And as I recall he was once known to have collaborated with Nazis during WW2. Yeah, THAT guy.

      Yet, I'd hope that Bloomberg reporters would be smart enough NOT to fall for a plot hatched by THAT guy.

      Selling short on Super Micro could've gotten a 30% or better return, maybe. I don't think he's been known to have manipulated STOCKS, though. But if he did, there's probably a record of it somewhere.

      It's back to that old journalistic trope, "follow the money".

      1. Anonymous Coward
        Anonymous Coward

        Re: Conspiracy theory?

        And as I recall he was once known to have collaborated with Nazis during WW2.

        Don't bring your alt-right boogieman fantasies on to here.

      2. streaky

        Re: Conspiracy theory?

        @Bob - George Soros has his fingers in enough corruption pies we don't need to implicate him in things there's no evidence of. I'm not even sure Soros knows what a computer even is anyway..

  3. Anonymous Coward
    Anonymous Coward

    Not confirmed?

    > Super Micro stresses that no one has come to the support of Bloomberg's article

    Okaaaaay? And have the journalists here contacted the Norwegian government office that, well, confirmed Bloomberg?

    1. whitepines

      Re: Not confirmed?

      Do you have a link to that? Haven't heard of it before.

      1. Norman Nescio Silver badge

        Re: Not confirmed?

        >> Okaaaaay? And have the journalists here contacted the Norwegian government office that, well, confirmed Bloomberg?

        > Do you have a link to that? Haven't heard of it before.

        VG: Storavis: Hevder Kina installerte spionverktøy i maskinvare

        VG: Forsvarsdepartementet kjøpte utstyr for 533.000 – droppes etter Kina-avsløring

        Google Translate can probably help. In the first article, Mona Strøm Arnøy, the Communications Director for the Norwegian National Security Authority (Nasjonal sikkerhetsmyndighet, NSM) is quoted as saying:

        "We have known this since June," says Strøm Arnøy, who does not want to elaborate on where they have the information from.

        NN

        1. Anonymous Coward
          Anonymous Coward

          Re: Not confirmed?

          Not sure if you can actually read Norwegian or if you are just relying on google translate or are just being selective on what you pick (just like the reporting). In the VG articles the comments are all about how the Norwegian government have known that Supermicro could have been compromised, not that they have been compromised. They could not not confirm or deny the information in the Bloomberg article.

          The rest of the article is a rehash of the Bloomberg article.

          1. Norman Nescio Silver badge

            Re: Not confirmed?

            I was trying to be helpful and find the link to a statement by the relevant Norwegian Authorities on the Supermicro case. Essentially, putting "Supermicro Bloomberg site:no" into a search engine, and finding the relevant results, as I have a passing knowledge of Scandinavian.

            The odd thing about it is the public statement on knowing about the case on a specific date before the Bloomberg article was published. Obviously supply chain security is an issue that national information security authorities would be expected to know about, so that is not news. The question is, why put a date on it? It wasn't necessary in the context of the article - all that was needed is the non-committal 'neither confirm nor deny' statement. It is an oddly specific fact.

            However, I am not a tinfoil hat wearer, and I don't wish to try and blow this up into something with any more significance. The relevant text from the article is below, and I hope I'm not cherry picking. I wish I hadn't bothered looking for the reference now. As they say, no good deed goes unpunished.

            Original text:

            Kjente til saken i juni

            Nasjonal sikkerhetsmyndighet (NSM) kjenner til problemstillingen knyttet til Supermicro.

            – Vi kjenner til dette, men kan hverken avkrefte eller bekrefte at dette stemmer. Vi registrerer at dette benektes av selskapene, sier Mona Strøm Arnøy, kommunikasjonsdirektør i NSM til VG.

            NSM har imidlertid vært klar over at Supermicro kan ha vært kompromittert, lenge før Bloombergs artikkel.

            – Vi har kjent til dette siden juni, sier Strøm Arnøy, som ikke ønsker å utdype hvor de har informasjonen fra.

            Google Translation:

            Known for the case in June

            The National Security Authority (NSM) is familiar with the issue of Supermicro.

            - We know this, but can not confirm or confirm that this is correct. We register that this is denied by the companies, "says Mona Strøm Arnøy, Communications Director at NSM to VG.

            However, NSM has been aware that Supermicro may have been compromised long before Bloomberg's article.

            "We have known this since June," says Strøm Arnøy, who does not want to elaborate on where they have the information from.

            1. Doctor Syntax Silver badge

              Re: Not confirmed?

              "The odd thing about it is the public statement on knowing about the case on a specific date before the Bloomberg article was published."

              A. Bloomberg's reporters had asked them. B. Whoever planted the story planted it with them. What seems to emerge from the translation is that they'd heard of it but have no direct information themselves.

          2. Anonymous Coward
            Anonymous Coward

            Re: Not confirmed?

            > Not sure if you can actually read Norwegian or if you are just relying on google translate or are just being selective on what you pick (just like the reporting).

            I am Norwegian, the articles are written in my own language so I am not being selective here. The links provided here, thanks to NN, have also been provided earlier in the previous debates so where the down votes are coming from now is unclear. Norway is a fairly open country so this has been debated openly and widely.

            I am also puzzled I got down voted for suggesting to go to NSM, the only governmental organisation I know of that has confirmed Supermicro servers are problematic. NSM work on national security. They are expected to know what they are talking about, and having been informed in June it is evident they had been tipped off from someone else.

            1. Trygve

              Re: Not confirmed?

              You are getting downvoted because its obvious that you are either desperately seeking confirmation of your own biases or just a bloody idiot

              "kan ha vært kompromittert" - that's confirmation of absolutely nothing.

              Would you be happy sending someone to prison because they "kan ha vært skyldig"? If your doctor told you that your tumour "kan ha vært kurert" would you happily cancel all your future visits and stop taking the medication?

              1. Norman Nescio Silver badge

                Re: Not confirmed?

                Hello Trygve,

                Just to make clear, 'Anonymous Coward' above is not me (NN). I (NN) am not Norwegian, and I have a policy of posting under my handle (Norman Nescio) rather than as Anonymous Coward.

                I am also, apparently either desperately seeking confirmation of [my] own biases or just a bloody idiot.

                - I'll admit to being an idiot.

                I hope that clears up any confusion.

                NN

              2. Anonymous Coward
                Anonymous Coward

                Re: Not confirmed?

                >You are getting downvoted because its obvious that you are either desperately seeking confirmation of your own biases or just a bloody idiot

                You are projecting. I am participating in a discussion, and simply having a view that differs from yours should never be seen as desperation or idiocy. That would be seriously bad faith on your part.

                >"kan ha vært kompromittert" - that's confirmation of absolutely nothing.

                You are selective. The point is that they confirm they have been aware of an issue in June. And if you are Norwegian you should also have known that Digi reported that "Forsvarsdepartementet skroter utstyr etter spionavsløring", or in my translation "Norwegian Department of Defence Scraps Equipment after Espionage Disclosure".

                >Would you be happy sending someone to prison because they "kan ha vært skyldig"? If your doctor told you that your tumour "kan ha vært kurert" would you happily cancel all your future visits and stop taking the medication?

                Well done, you have succeeded in turning the issue upside down. Rather it is like a doctor stating there might be cancer so we will make a thorough check.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Not confirmed?

                  >"Well done, you have succeeded in turning the issue upside down. Rather it is like a doctor stating >there might be cancer so we will make a thorough check."

                  that is not the same as:

                  >"Okaaaaay? And have the journalists here contacted the Norwegian government office that, well, >confirmed Bloomberg?"

                  You are saying that they have confirmed it, no they haven't. They have confirmed that they have known about the possibility of a compromise, That is the problem Trygve appears to be having with what has been said (me too). A compromise hasn't been confirmed, just that they new of the possibility (probably due to them being contacted in June before the Bloomberg article was release).

                  If you work in a sensitive sector (which I do), when you receive information on a possible compromise, you investigate. If you believe that it is a credible threat, you isolate / remove said threat. Upon the conclusion of the investigation, depending on the result being proved or disproved, you then can reinstate or carry on course with the removal of systems if you believe that its a possible future threat.

                  Forsvaret will be doing exactly this, they have scraped 1 or 2 supermicro servers that they were testing (~533000kr in servers), In the sector that I am working, we have purchase multiple supermicro servers, each of which cost close to that price.

                  Everything in the VG article can be 100% true, each statement printed can be exactly what was said, and likely is, otherwise they would be stupid. But what is printed isn't everything that is said and can in what context.

                  What should be printed is the complete transcript of the conversation.

                  > "You are selective. The point is that they confirm they have been aware of an issue in June. "

                  And there it is again, the context. What is the issue they have been aware of? Have they been aware of a compromise, have they been aware that there could have been a compromise, have they been aware of the issues Bloomberg were going to bring up in the article since June?

                  That last one of mine can be interpreted 2 ways also, they knew about the problems before they knew about the article, they knew about the issues Bloomberg were going to public as they had been told what was in the article.

            2. Anonymous Coward
              Anonymous Coward

              Re: Not confirmed?

              AC you are replying to.

              I am not Norwegian, but have lived in Norway for many years. So I also speak / understand Norwegian.

  4. Brian Miller

    No trace of spying!

    It's very odd that the journalists were not presented with any real evidence. Really, is it so difficult to sniff the glue that holds the ethernet together?

    If there was odd network traffic, then it would be nearly child's play to get a packet dump, and show world+dog the data. "Look, here's the data! That's our server IP, that's the other end point, and that's the data." No problem. How many of us do that on a daily basis?

    Even if the journalists couldn't understand the data themselves, there are plenty of people who do. Trust me, we'd all love to see that trace.

    1. Pascal Monett Silver badge
      Flame

      Re: No trace of spying!

      Not to mention a pic of "compromised" motherboard. Why isn't there a single pic ? Produce that and all the doubters will have to shut up.

      Instead, we have this endless continuing of a useless argument, useless because nobody can prove anything either way.

      Show me the goods or get out of the room.

  5. Anonymous Coward
    Anonymous Coward

    You have more chance of finding rocking horse shit than these chips.

  6. vtcodger Silver badge

    More questions

    Some good questions in this thread.

    1. Where are examples of the altered boards?

    2. Or at least of the purported chips

    Plus

    3. Is it even possible to create a spy chip? (Probably yes?)

    4. How would it get power, access to memory, data buses, clock, control buses? (Dunno. Maybe doable. But probably very difficult to do)

    5. How the heck would one talk to it and control it without getting root or microcode access to the machine? If you have root/microcode access, why do you need a spy chip?

    6. Assuming that you can somehow insert altered boards into the manufacturing stream, how do you route them to your target customers? (I suspect that's nowhere near as easy as it sounds).

    7. Assuming that you have state resource behind you and can interfere in the manufacturing/shipping process at will, wouldn't it be easier to grab a board destined for a target destination for an hour or three and alter the on board microcode?

    1. JohnFen

      Re: More questions

      "Is it even possible to create a spy chip? (Probably yes?)"

      Well, the US did it to some Cisco routers being shipped to an entity they were interested in, so yes.

      1. Anonymous Coward
        Anonymous Coward

        Re: More questions

        I thought it was done to all Cisco routers and then remote activated against targets of interest

        1. rmason

          Re: More questions

          @AC

          No, it was (according to snowden et al) literally a man or three in the back of a delivery truck while the cisco gear were on a part of their journey.

      2. Doctor Syntax Silver badge

        Re: More questions

        "Well, the US did it to some Cisco routers being shipped to an entity they were interested in, so yes."

        Wasn't that a case of planting something in the firmware?

        1. streaky

          Re: More questions

          It was firmware. Wasn't in a truck. There are photos of this happening.

          If bloomberg were claiming firmware it'd be another thing entirely, but they're not.

    2. Palladium

      Re: More questions

      Not to mention the EE industry is obsessed with BoM costs and even an unneeded 1 cent board component would find itself on the chopping block, much less a suspicious spy chip.

      1. bombastic bob Silver badge
        Devil

        Re: More questions

        yeah 1 cent per board BOM cost matters when you want to be PROFITABLE, at least sometimes.

        I suspect that only a handful of boards would need to be modified, especially if the destination is known ahead of time.

        But if a gummint is involved, money isn't a concern so much in the espionage game. The actual cost was probably extorted out of the (alleged) compromised manufacturer in some way [assuming the alleged events actually happened].

        And yeah the cost of the mods + chip wouldn't be on the official BOM.

    3. streaky

      Re: More questions

      4. How would it get power, access to memory, data buses, clock, control buses? (Dunno. Maybe doable. But probably very difficult to do)

      5. How the heck would one talk to it and control it without getting root or microcode access to the machine? If you have root/microcode access, why do you need a spy chip?

      Course it's possible but it'd be a pretty chunky chip at the speeds of those data lines. On your #5 point once you have DMA things like that are irrelevant, that's why it would be a powerful tool.

      I find it very hard to believe such a chip would get through QA - and RMA - not be noticed by anybody and that nobody would contact any of the companies involved - including SMC. We should be clear nobody has any reason to protect China here and every reason to call them out.

      1. bombastic bob Silver badge
        Devil

        Re: More questions

        4. how could it get power? parasitic power, depending on the usage. Or just run some power lines to it by adding 'inner layer' traces to the board.

        5. how would one talk to it? I expect that it could load firmware by intercepting the FLASH ROM loadup, if in fact this is being done via SPI or some similar mechanism. Like Intel's ME, or some kind of hypervisor, it would stay resident and listen for stuff.

        (didn't we discuss all of this in the comments for the previous article?)

    4. a_yank_lurker

      Re: More questions

      @vtcodger - If the targets were specific how would the mb manufacturer know who gets a particular board especially if they are from the same lot. So either modify all the boards and risk have the lot rejected and very pissed customer or roll the dice and hope a few modified boards end up at the target. Neither seems to be very good plan. If you have specific target in mind, more conventional techniques such as bribing an employee might be more fruitful.

  7. wownwow

    It caused the SMCI stock to drop more than 40%. but the related paycheck-collectors.gov is still hibernating?

  8. Big Al 23

    A retraction is unlikely

    Bloomberg knows it will get sued for tens of millions in damages by Super Micro and possibly others if it prints a retraction. Instead Bloomberg will force Super Micro to sue them and prove in court that the story is false before Bloomberg is forced to pay proper damages in the tens of millions. A quiet out of court settlement is likely with Bloomberg not admitting the story was untrue but paying damages because they fear a court verdict for even greater damages. The very unfortunate part is few people will ever read that the Bloomberg story was in fact false. Super Micro will suffer damages for decades as a result.

    1. streaky

      Re: A retraction is unlikely

      Instead Bloomberg will force Super Micro to sue them and prove in court that the story is false before Bloomberg is forced to pay proper damages in the tens of millions.

      You've got the evidentiary standard backwards. SMC *do not* have to prove the story is false. The problem SMC have is as I said in another comment if Bloomberg produce anything that smells even remotely like what they're claiming (it doesn't have to even be even slightly close) they could easily win that case - especially in jury trials. It's a very risky lawsuit for SMC to file - it shouldn't be, but it is. You just have to look at the idiocy of the rulings in the Apple v Samsung stuff to know that you shouldn't let technical arguments anywhere near courts because they have *no idea* what you're talking about and will take very tenuous claims as valid.

  9. Daniel Hall
    Facepalm

    And..

    All that will happen is this..

    In 6 months time or less, some or none of the ideas in this thread will be shown to be true.

    SuperMicro's share price will have recovered back to not far off what it was before.

    Everyone forgets or doesnt talk about "that time we thought China put spy chips on those motherboards.

    Because, as much as you're generally all smart enough to figure out what the real story is, no one will push to get the PCAP or photos of the boards and those chips. It just wont happen.

    It's just another rumour and we've all got a bit excited about it. All I will get is negative comments from people I've offended. Boohoo.

  10. Potemkine! Silver badge

    "it is possible to scan a motherboard for electromagnetic emissions and identify anything unexpected"

    An IR camera would be enough to see any power-dissipating device even if buried into a motherboard.

    I doubt this story, adding a chip would be very, very risky and would provide a tangible proof of a black-op.

    1. Anonymous Coward
      Anonymous Coward

      Firmware hack = plausible deniability.

      Hardware hack inside the board and you know how and when it was done. Chip on the board, and you can deduce how and when it was done.

      Firmware? Well, only if you check it every step of the way and manufacturing and trust the other companies/deliveries/warehouses records.

      Firmware or MITM is very much easier to pass the blame onto some other bait.

    2. streaky

      Even boards in short take a lot of current to heat up and be seen on an IR camera. Most mobo PCBs are fairly decent heat sinks - semi-intentionally. The real issue is this stuff would show up on X-Rays and using AI to QA mobos is nothing new. Chips that don't belong would attract attention at all sorts of parts of manufacturing and post-ship QA like when somebody attaches a chip to data lines causing high failure rates and being shipped back to SMC for it.

      Ignoring all the other reasons to not accept BB's case at face value, it's an *extremely* risky strategy.

  11. Gordon 10

    How many enemies have Bloomberg made?

    Lets say you have an objection to fact based reporting - especially around financial services and money flows. Who wins if Bloomberg are tarnished?

    1. Most financial services companies get to re-negotiate rates on Bloomberg subscriptions which they are hated/envied for.

    2. Anyone involved in dodgy financial flows (ie a big chunk of the 1%).

    3. Russia/Putin??

  12. adam payne

    If the Bloomberg story is actually false then I feel sorry for Super Micro. Bloomberg has yet to show any real evidence but Super Micro will have to jump through hoops to prove the story is false.

  13. martin__r

    It would be surprising if the Chinese had *NOT* done this.

    It should not be surprising that they do not want to fall behind NSA, which got their own backdoor (within IntelME) directly into the CPUs and Chipsets.

  14. Anonymous Coward
    Anonymous Coward

    ...the chip shown in the Bloomberg piece...

    "...is too small to realistically contain the necessary logic and all the data to insert a viable backdoor into a software stack."

    I'd estimate that the chip shown in the first reg article on this story:

    https://www.theregister.co.uk/2018/10/04/supermicro_bloomberg/

    is roughly 1mm x 3mm, or a little under, so between 2.5-3 mm2.

    But in this reg article:

    https://www.theregister.co.uk/2018/10/22/arm_cortex_a5_designstart/

    it is stated that "one [A5] CPU core, minus all the extras, [but] with 4KB of instruction cache, and 4KB of data cache, comes in at 0.28 mm2 of die area"

    It seems to me then, that the chip shown by Bloomberg is not too small for the necessary logic and data.

    1. Anonymous Coward
      Anonymous Coward

      Re: ...the chip shown in the Bloomberg piece...

      No. But it is for the hookup... though, you could to a one wire system I guess.

      There are already RFID chips that are smaller than this, but the antennas are larger. Theoretically a MITM chip could be added on I guess. Time to check all the motherboards and radio/network traffic?

    2. Claptrap314 Silver badge

      Re: ...the chip shown in the Bloomberg piece...

      This is a common error for those who have never worked the process. Die size <<< chip size. Even ten years ago, chip size was basically the number of pins x the area required per pin. The die in the middle was routinely < 10% of the area. Often < 5%.

    3. streaky
      Alien

      Re: ...the chip shown in the Bloomberg piece...

      It seems to me then, that the chip shown by Bloomberg is not too small for the necessary logic and data.

      I suggest looking again at the capabilities bloomberg were claiming which leads to the conclusion it's plausible *if* and only if China are actually space aliens or that guy who claims to have travelled to the future and everybody else is doing it is telling the truth.

      I could believe it if there's been wires crossed somewhere (no pun intended) between what bloomberg have been told, capabilities and what I'm sure China might do if they could, but just no. It's that why are you so adamant thing again.

  15. Patched Out
    Holmes

    Thinking outside the box

    China is well known in the industry for getting counterfeit chips into the supply stream, so it is not unfathomable that they could have introduced a counterfeit version of a device that is in the design of the motherboard already - maybe the Flash memory used for the BIOS with some hard-coded instructions built-in. No need for special traces on the board for power or data; and board level X-rays or IR scans would find no rogue device embedded in or on the circuit board. Chip level X-rays might detect differences in the silicon, but that might be fool-able as well. Obviously they would have several technological and procedural hurtles to get over to accomplish this - but a determined, state-sponsored effort might be able to do this.

    Just thinking outside the box on how it might be done. I'm not conjecturing either way on if it actually was done.

  16. steviebuk Silver badge

    I assume if it's untrue...

    ...couldn't all those companies sue? Aren't they all big enough that they can afford to sue? And by not does this, possibly mean its true?

    Hmmm.

  17. DXMage

    FISA

    FISA would basically force any company with assets in the USA to claim it wasn't true or risk criminal charges against the executives, forfeiture of all assets and massive punitive fines in a worse case scenario.

  18. Registered Register Registrant

    Never forget: the Nayirah testimony

    A 15-year-old Kuwaiti girl in 1990 claims before a U.S. congressional caucus to have witnessed atrocities committed by Hussein's troops. That Pearl Harbor moment leads to millions displaced, more than a hundred thousand violent Iraqi civilian deaths, widescale destruction, two decades of war, and genocidal sanctions so obscenely catastrophic that two UN human rights rapporteurs quit out of protest.

    Her story was fabricated by a U.S. public relations firm, and the girl was in reality the daughter of the Kuwaiti ambassador to the United States at that time.

    Government agencies have misled the press for reasons much more evil than industrial sabotage.

    1. HmmmYes

      Re: Never forget: the Nayirah testimony

      In 1990 Saddam invaed Kuwait.

      US were aligned to Kuwait.

      US and Kuwait told Saddam to go away.

      He didnt.

      US colaition invaded.

  19. Jeff 11

    A more cynical - and plausible, at least to me - theory is that some actor wants to devalue Supermicro or damage its reputation to manipulate the market. The technical difficulty of doing what Bloomberg has reported makes me very cynical, especially when there are easier avenues of attack.

  20. Cynic_999

    Too complex to be true

    I stated in the comments to the earlier article - if you have the resources to make a custom chip, then you would create a lookalike of a suitable chip that is *already used* on the MB, and substitute the bogus chip for the real one anywhere along the supply chain to the MB manufacturer. No board modifications needed, and nobody associated with the server manufacture will know a thing. The bogus chip would work correctly, but have extra functionality. Then there would be no outward difference in the motherboard and it could only be discovered by observing the unauthorised behaviour. Not even examination of the silicon would make it immediately apparent, because the bogus silicon could be marked with the correct chip ID and a bogus "new revision" number.

    Extraordinary claims require extraordinary proof. Embedding a chip in a PCB would require a completely new PCB fabrication process so is inherently unlikely (Everyone working in the PCB fab would have noticed all the new machinery and a complete change to the process flow). Unless the news agency can produce a PCB modified in the way claimed, I do not believe a word of it.

    1. elkster88

      Re: Too complex to be true

      'Not even examination of the silicon would make it immediately apparent, because the bogus silicon could be marked with the correct chip ID and a bogus "new revision" number.'

      Many moons ago I worked for the Semiconductor Control Facility of Sperry Univac. Our incoming inspection/failure analysis lab routinely de-lidded integrated circuits and looked at them under an electron microscope, and also subjected them to scanning by a secondary ion mass spectrometer (SIMS). Any such undisclosed modification would have been flagged and a full and frank discussion with the supplier would shortly ensue. It did happen on occasion that there was a die shrink or a design change that was not communicated to us beforehand, and such behavior was explicitly against the purchase agreements we made with our suppliers. Violations could and did result in suppliers being struck off the approved vendor list of the part control drawing.

      Since that time, the state of the art in quality assurance has shifted, with more trust placed in suppliers, and incoming inspection has been mostly replaced by supplier audits, sending component engineers out to the fabs or simply reviewing data provided by the manufacturer. So I would not be surprised if a counterfeit IC could be inserted into the supply chain by a nation-state spy agency.

      Another comment about this paragraph from the story:

      'It claims that its system is "designed so that no single Supermicro employee, single team, or contractor has unrestricted access to the complete motherboard design."'

      As someone who does this for a living: I'm almost certain that the engineers who develop the functional and in-circuit tests for these motherboards do in fact have unfettered access to the complete motherboard design at the IC interconnect level, since they need the netlist, the bill of materials, FPGA programming images, firmware images, boundary scan vectors, physical board layout (Gerber files), schematics, etc.

  21. Bitsminer Silver badge

    Latest from Amazon...

    Amazon announces their latest book, by Xi Jinping:

    "If I Did It"

  22. EnviableOne

    There are problems either way ...

    The reason SMC wont sue is "The burden of proof is always on the plaintiff" and it is intensley hard to prove a negative as they have said.

    Its hard to see the conclusions either way as there is no evidence presented either way.

    But an absence of evidence is not evidence of absence

    so its basically Bloomberg and its anonymous sources vs SMC, Apple, Amazon and the TLAs

    the question is who do you trust more, and who should you trust.

    with a story of this magnitude, Bloomberg will have done enough to ensure their Liability is covered, SMC need this to go away fast, so their rep can recover.

    IRT the previous quotes about Saudi, its not cash that menas people wont care, its the largest oil reserves in the world ... From vlad&Co its their Natural Gas, and the iranians have a good 3rd on the Oil reserves especially with sanctions, reducuing their output.

  23. martinusher Silver badge

    Its the information deficit in action

    I read an interesting article this morning about how the media we read is inherently biased against progressive ideas. Its a long read -- and I haven't got the reference to hand -- but the gist runs something like the media can make a big deal of Clinton's Email server (for example) while completely ignoring the wholesale use of private mail accounts by members of the current administration. Its a current that runs through much more than politics and leads us to Supermicro. Anyone who's 'in the trade', as it were, would tell you that this story was somewhere between 'highly unlikely' and 'total bullshit'. However, because it runs counter to the populist narrative of China this and that we have to pussyfoot around, trying to be as even handed as possible, which in this day and age leads Joe Public to believe that we're either hiding something or we don't know what we're talking about. We -- experts, progressives, whatever -- just can't do conspiracy theories right.

    This has been brewing up for some time, a generation or more. Look at the themes in movies over the last 30 years or so and the underlying message is always the same. It might have been harmless fun at the time but now its the foundation of the reality we have to live with.

  24. Rol

    And the votes are in.

    It appears the idea that a story intimating towards another mass surveillance episode should be cremated and buried, rather than investigated further, judging by the comments and thumbs on here.

    Isn't it worth a little bit of effort to either prove or disprove the story?

    To categorically deny everything in a knee-jerk manner, without bothering to seek any kind of validity for such a denial, is in itself worthy of an investigation.

    My fears are that western agencies have been doing this motherboard hack for quite some time, and are now actively suppressing the story.

    Yes they do have many other covert means of data gathering, but that has never stopped them from seeking other means, to better spread their portfolio of intrusion technology.

    What bothers me more than anything, is the number of people on this forum who are busily trying to wish this story away, and are unwilling to consider the wider implications to OUR privacy.

    1. Claptrap314 Silver badge

      Re: And the votes are in.

      The problem is that those of us with a background in hardware design, manufacture, and/or maintenance all agree: this story is ********. What we're in a hurry to do is to explain this fact to the world so that the focus will go where it belongs: "Why did it come out, and why is Bloomberg still standing by it?" If you've read as thoroughly as you imply, you see that the general consensus is that the story was planted by a national security service. What is not clear is who and why.

      Almost any reasonable explanation has really nasty implications for our freedom generally--not just privacy.

  25. Anonymous Coward
    Anonymous Coward

    "Fake" Motherboard

    I find it weird that this came up now...a few years ago my GF took her iphone to the Apple store to get a replacement since her phone was acting up and they told her that they couldn't help her out. They said that they couldn't replace the device because the motherboard was from a third party and did not have an Apple serial # but she bought the iphone from the Apple store...so the whole time she was using an iphone with a fake motherboard that Apple said was not theirs. My GF's brother worked at Apple so he was able to get her a replacement with proof that the phone was bought at the Apple store, but now we look back at this and we're mind boggled...could be coincidence or it could have actually been a spy motherboard? Strange.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like