Is it fair to say that Bloomberg killed Super Micro?

And yet, people on HN still don't believe that the Chinese did and do all that stuff.

Fucking morons.

Attached: Screen Shot 2018-10-06 at 15.15.14.png (1276x1088, 203K)

>trusting amerilard conspiracies
kys

Zoom out

found the chink. I hope the world isolates that fucking hellhole, and starve it with opium.

everybody does it

Nah supermicro stock is just on sale rn.

Either amazon and apple are simultaneously committing securities fraud and complying with a gag order OR a gigantic journal just risked their reputation and a billion dollar defamation lawsuit over a verifiable lie.

We’re living in a post-fact society, boiz. Pick your reality.

Yeah me too, I fucking hate mickey mouse and McDonalds anyway, burgerland should be nuked

>trusting (((bloomberg)))
Go back to Jow Forumspolitics or something

Do you really think a company like Bloomberg would risk everything just for the news of the month? Are you fucking retarded? If the story is easily verified to be a lie, Bloomberg is dead. How stupid are you? Really, do you want 100s of variations of the same phrase that tells you how idiotic you are? Think for 1 fucking second, THINK.

The "hack" is complete and utter bullshit. The Bloomberg article states that it's a "rice grain sized chip" and yet it can do this:

>To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users.

This is impossible for a "grain sized" chip. They are literally suggesting that the chip has a memory controller and hooks directly onto both the address bus and data bus to system memory, magically knows what the system's memory map looks like, magically knows exactly where said code would be in physical memory and then is able to replace all password validation code with other instructions.

#1: There's literally not enough physical space on the chip for all those connections.
#2: It can't know the memory map, because it'd have to scan the entire thing, which is likely to crash the machine through writing invalid data to memory mapped I/O.
#3: To be able to find the code that needs modification, it would then have to know how the memory is mapped, data it needs to get from the x86 MMU. Since that MMU is integrated into the x86 processor and the attacker chip is not, and the attacker chip doesn't have access to it, it cannot know that.
#4: Even *if* it knew the exact physical memory map, then Linux has ASLR and KASLR, so the password validation location is randomised both in the virtual address space and the physical address space. It would have to look at ALL memory and correctly guess where the password validation code is.
#5: Injecting other instructions into the memory address bus is easily defeated with other optimisation options on the compiler, or different compiler versions.

>unironically defending the nose
I want this reddit invasion to end

It only alters the built-in remote management that was in the boards originally. Everything else is done via the board's existing capabilities.

spot the brainlet

It has been three days already, do we actually have some proof or is it just people confirming and denying random claims?

Yes, yes I absolutely would believe that. Why? Because the same reporters put out similar lies before.

twitter.com/GossiTheDog/status/1048322164653535232

Not to mention the entire article is full of technical bullshit and very light on the actual details of the attack.

Part 2

So the infeasibility of this particular attack leaves us with... the BMC. The Bloomberg article briefly mentions it:

>The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.

However, to address what I said above, the BMC CANNOT replace code on the fly, and cannot interfere with x86 execution.

With that out of the way, it *does* have disk access, which can be used for the same purpose. However, this is a "grain sized" chip, and undoubtedly is restricted in its storage space. If it attacks the BMC and rewrites data from the EEPROM, then this "grain sized" chip would have to fulfill all of these conditions:

#1: Contain enough storage space to attack the BMC itself
#2: Also contain enough storage space to modify the kernel image
#3: That modification to the kernel image needs to be a meaningful backdoor that doesn't break the kernel

The former of these conditions is likely, but I don't think any of the other ones are. Not for an absolutely tiny "grain sized chip".

Neither. We’ve all quietly reasoned that there is not enough information to be convinced of which story is the truth. These threads should stay up so we can stay up to date as information comes out.

See Nice argument moron

And then finally, there's the thing where instead of vaguely denying claims, Apple, Amazon and Supermicro have instead given complete refutations to the Bloomberg story. Simply denying it without refuting it would be sufficient, if the story wasn't outright wrong.

And then there's the GCHQ coming out and agreeing with the refutations: uk.reuters.com/article/us-china-cyber-britain/uk-cyber-security-agency-backs-apple-amazon-china-hack-denials-idUKKCN1MF1DN

Why the fuck would they provide such detailed refutations? Why would the British GCHQ then go on to support them, if it was true?

Why the hell does procurement of Supermicro boards continue in U.S. military contracting to this day? Why did procurement of Supermicro boards not cease years ago when this thing was supposed to have happened?

It doesn't make sense at all, given the above. Then there's also the fact that the chip itself is simply too small to be able to do a complete system pwn from the BMC, and it's too small to mess with the memory itself.

All the chip needs to do is get the BMC to execute one instruction to help establish remote control. You don’t need a sci-fi computer for that. There is a very good reason that any system that an attacker has physical access to is considered “100% compromised no matter what software is running”.

>SHUT IT DOWN, THE GWEILLO KNOW

I'm skeptical simply because there has been no reasonable big response from anybody. Considering the scale and implication, I'd say half of the IT companies would already have their important hardware inspected or at least notified workers to do so. I've yet to hear of such activity and it's not like there's any risk if any information leaks. Chinese can't clean the evidence anyway.

If it did that, it would be caught immediately. Apple, Amazon, Supermicro themselves and ABSOLUTELY the U.S. Department of Defense do testing on all incoming boards to make sure they don't do anything suspicious.

If the first thing the BMC did was to set up malicious IPMI, they would notice. If the first thing it did was begin downloading modifications, they'd notice.

It is far more likely in my opinion that Bloomberg heard about some BMC vulnerability and then they managed to spin the story out of control into complete bullshit. These reporters have a history of doing that, see:
>Yes, yes I absolutely would believe that. Why? Because the same reporters put out similar lies before.
>twitter.com/GossiTheDog/status/1048322164653535232

All of those companies are publicly traded and would make huge refutations in order to maximize profit. Their response is the same response they would give in all plausible scenarios. They would be liable for securities fraud were it not for a gag order. Apple explicitly also said they were not under a gag order, something that gives exactly zero information about whether they are or aren’t.

Britain’s got no hand in this. The US intel agencies weighing in would be useful but they wouldn’t just share what they know with the world for no reason. You make it seem like there’s an obvious conclusion from the current information but there isn’t. We need public third parties to get their hands on these sus boards. If that never happens then we will never know.

>All of those companies are publicly traded and would make huge refutations in order to maximize profit.
So when they get caught actually *lying*, if the story gets confirmed to be true, they would lose profit and far more on the stock value than if they simply said "no comment" or made vague denials.

>They would be liable for securities fraud were it not for a gag order.
If they were under a gag order, it is far more likely they would vaguely deny it or provide no comment, and the Bloomberg story probably wouldn't come out, given that they seemed to have known about it a year in advance:

>Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer Inc., a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips.

>“I got on the phone with him personally and said, ‘Do you know anything about this?’” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”

uk.reuters.com/article/us-china-cyber-britain/uk-cyber-security-agency-backs-apple-amazon-china-hack-denials-idUKKCN1MF1DN

>Britain’s got no hand in this.
But they do, you moron. They're in NATO and if China attacks the US, then it's very possible they're also attacking other NATO countries. If this actually happened, the first thing the NSA would do is alert its allies (five eyes) of the problem and tell them to investigate.

It makes no sense that if this was provable and true, the NSA's closest partner would both not know about it and also publicly say that.

What use is a gag order? To prevent the Chinese from getting spooked and hitting a kill switch? Why is the Bloomberg article still online then?

The only other reason to gag the companies would be to allow the Chinese to continue their infiltration, which is an even more unrealistic reason.

Isn't this whole thing a very good excuse for Trump to pass legislation that would essentially have every company create all of their shit in the US? It's way too convenient for him.

>people on HN
So retards?

>it's another case of eeeebil communist China!!!! from the ameriretards

You have no proof anything has been hacked, and if it was, you are powerless to do anything.

Deal with it.

>he believes the stock market has any sort of rationality
wew lad

Based PC user BTFO'ing NPCs who blindly trust murrican media

>the nsa said it so it must be true

Not without an actual investigation by the DoD

>people on HN still don't believe that the Chinese did and do all that stuff.
Don't lie here, their hate towards chinks is evident, they barely hold themselves from using slurs against Chinese in news concerning their dirty deeds.

Never even mentioned the NSA. Read the post again, retard.

Enjoy the slow economic collapse and never attaining hegemony chinko

>defending (((Bloomberg)))
>when the same reporters are known for posting fake shit before
The absolute state of Jow Forums