Author Topic: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.  (Read 78131 times)


Offline tooki

  • Super Contributor
  • ***
  • Posts: 12741
  • Country: ch
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #375 on: October 17, 2018, 06:47:59 am »

1. I’m not “painting” you as a nut. You’re doing a jolly good job of that yourself. Your many comments on this thread read like the crazy ramblings on the back (and front, and sides) of a Dr. Bronner’s bottle.
2. This is a public forum. I don’t need your permission (or “prior warning”) to reply to a discussion, never mind one I joined long before. Not that I feel any obligation to receive education on how to work the internet from someone who can’t even follow how a web forum works, and replies to people based on things they did not say.
3. You STILL did not understand my original reply. If you are seeing it as purely support for Mk14’s POV, then you haven’t understood it. My comment neither refuted nor confirmed either side: it simply explained that the Bloomberg story isn’t plausible. I didn’t say it’s impossible, and I didn’t say we should stop studying it!
4. Learn. To. Read. Carefully. You are repeatedly responding to arguments that are simply not there. You cannot interpolate things and then respond to your own interpolations. Just respond to what’s actually there.
5. Oh, you think you haven’t been employing personal attacks? You’ve been using them since long before my first reply to you. That you used them so liberally is why I have not held back with you. You forfeited the right to complain about name calling long ago.

I have enough trouble dealing with the offenses I'm guilty of, and those I've already admitted to and tried to be fair. I refuse to be held responsible for the ones you've imagined. What you're saying amounts to this:

"I didn't shove the stick in the hornets nest, that was another guy. I was just passing by and tripped over it a little. Those hornets have no right to be pissed off at me!" 

You led out of the gate calling me names and speaking in a belittling manner, and you did so while interjecting into a mostly polite disagreement between two other people.
I was a part of this discussion long before you two started going at it. It’s a public forum, it didn’t magically become “your” discussion.

Not only that, but you continue to do so, all the while blaming me for your belittling tone.  Get over yourself, man.
I don’t think you realize how patronizing your tone was long before I addressed you. As far as I’m concerned, you earned that tone and then some. Even more so after you proved that you weren’t even aware of who you were responding to.

You earned that response; suck it up buttercup. <~~~ See that right there? THAT was me being deliberately offensive, because you pissed me off.
Ah yes, “suck it up, buttercup”: the rallying cry of the conservative right when it’s decided “I’m not going to attempt to be polite any more, and with this magic incantation, I can gaslight the recipient into thinking that they’re being oversensitive, rather than acknowledge that I’m wrong.”

And I'm NOT going to apologize for it, because you earned that one too.  ;)
You wouldn’t apologize even if you realized you were wrong.

Of course you’re so convinced that you know the truth and that everyone else is sheeple that you’ll never realize when you’re wrong.
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #376 on: October 17, 2018, 08:42:06 am »
Ah yes, “suck it up, buttercup”: the rallying cry of the conservative right when it’s decided “I’m not going to attempt to be polite any more, and with this magic incantation, I can gaslight the recipient into thinking that they’re being oversensitive, rather than acknowledge that I’m wrong.”

You're so wound up by this that you've forgotten how to judge written evidence, or so it seems. If you'd check back:

It is in fact a worse kind of ignorance; the willful kind that permits a white trash racist, rapist, misogynist, pathological liar career deadbeat sociopathic felon to squat in the White House and there's jack shit We The People can do about it.

is one of the many bits of evidence in this thread that your implicit characterisation of Mnementh* as being on the Right of American politics is woefully off mark.

Really, I suggest you perhaps cool your heels on this topic for a day or two. You've got so heated that you're not thinking straight and being far too prone to shooting first and asking questions later. Go and start a thread where you can have an argument with me about 'merkin being the original and more genuine form of the Queen's** English.



* Apparently Pernish for "Awkward bastard who picks a name that is hard to remember how to spell".
** Elizabeth I's English - perhaps, Elizabeth II's - not on your nellie.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 12741
  • Country: ch
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #377 on: October 17, 2018, 08:53:54 am »
Oh, I’m not saying that mnementh himself is on the right. It’s just the right that uses that phrase all the time to self-congratulate on being rude and obtuse — in mentioning that, it’s simply to remind that it’s nothing more than gaslighting.
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2369
  • Country: de
    • Frank Buss
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #378 on: October 17, 2018, 10:54:39 am »
A video on Computerphile. Nothing new, but the interesting idea that such a chip could be hidden inside the PCB itself between the layers. This would be really difficult to detect, if you don't x-ray the PCBs and carefully examine and compare the images.

So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 
The following users thanked this post: tooki

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #379 on: October 17, 2018, 12:46:54 pm »
Maybe my cynicism has reached critical mass, I dunno.

I'm sorry if I seem too hostile, when people start mentioning (conspiracy ..) stuff. Some of which, might be right.

But, a silly (conspiracy ..) theory, can be created, in some 60 seconds, while not thinking straight, but it might take experts, many hours, days, weeks or even longer to robustly disprove those theories.
Which are likely to either be ignored or disbelieved by the creator(s) of the (conspiracy ..) theories.
Or they will just carry on, and 60 seconds later, produce even more (conspiracy ..) stuff.

MK14 saying about this:
"Conspiracy theories are like foolish people, who spend seconds starting crazy fires, which take firefighters, days to put out"

The world around us is full of real conspiracy. Every day we find real evidence of some business, celebrity, or politician (usually more than one) involved in some heinous act and trying to cover it up. It is far more dangerous in this age to think that just because something sounds like a conspiracy theory that it is nuttery than that there is some grain of truth to it. You do so at your own peril.

The question then becomes "just how assache are you willing to put into a specific theory". That of course is always a case by case basis; both the person and the theory involved. I try to give a LITTLE more latitude; but then, I enjoy the occasional mental exercise. And that, BTW, is why I came into this thread specifically devoted to a conspiracy theory.  Again... This is THE PLACE for this kind of discussion. Why would you come in here and NOT expect people to want to discuss conspiracy theories?

Oh, BTW... (Raises hand) REAL firefighter here. (Retired) You wanna have a side conversation about Draeger Pacs and BLEVEs? I'm your guy.  :-+

(SNIP Lots and lots of reiterations of the same exact shit over and over again-mnem)
Quote from: mnementh
And I'm NOT going to apologize for it, because you earned that one too.  ;)
You wouldn’t apologize even if you realized you were wrong.

Of course you’re so convinced that you know the truth and that everyone else is sheeple that you’ll never realize when you’re wrong.

I've already proven that I have no problem apologizing. But you're so busy being right you never bothered to notice. You also still haven't noticed that I deliberately turned your own argument on its head and fed it right back to you several posts ago; hence the...

Quote from: mnementh

mnem
Wait for it... wait for it...

...at the end.

But I know I can be an asshole. I try to temper my judgement of every person I meet with the knowledge that we all... each and every one of us... take our turn being the asshole at one time or another. Sooner or later, it's gonna be my turn, so try not to be too judgemental.

It's inevitable; part of human nature. Eat. Sleep. Try not to be an asshole & sometimes fail, repeat.

I'm sorry I was an asshole. I'm trying really hard NOT to be an asshole now. Can we please just move forward, before Cerebus has to bring out the conversational cutlery? I can already hear the sound of steel against whetstone...

mnem
*Off to work*
« Last Edit: October 17, 2018, 01:10:26 pm by mnementh »
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 
The following users thanked this post: MK14

Online coppercone2

  • Super Contributor
  • ***
  • Posts: 10780
  • Country: us
  • $
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #380 on: October 17, 2018, 12:52:34 pm »
i wanna see a pie chart with the contents of this thread explained I don't think I can read it anymore its out of control
 

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #381 on: October 17, 2018, 12:56:55 pm »


mnem
yum.
 
The following users thanked this post: MK14

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6971
  • Country: nl
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #382 on: October 17, 2018, 02:49:57 pm »
Quote from: FrankBuss
A video on Computerphile. Nothing new, but the interesting idea that such a chip could be hidden inside the PCB itself between the layers. This would be really difficult to detect, if you don't x-ray the PCBs and carefully examine and compare the images.

Why bother putting something in between the flash and BMC? Just make your own flash chip instead. Designing the tiny interceptor and hiding it in the PCB is harder than just putting it directly in the flash IC.
 
The following users thanked this post: MK14

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4952
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #383 on: October 17, 2018, 03:59:10 pm »
MK14 saying about this:
"Conspiracy theories are like foolish people, who spend seconds starting crazy fires, which take firefighters, days to put out"

The world around us is full of real conspiracy. Every day we find real evidence of some business, celebrity, or politician (usually more than one) involved in some heinous act and trying to cover it up. It is far more dangerous in this age to think that just because something sounds like a conspiracy theory that it is nuttery than that there is some grain of truth to it. You do so at your own peril.

The question then becomes "just how assache are you willing to put into a specific theory". That of course is always a case by case basis; both the person and the theory involved. I try to give a LITTLE more latitude; but then, I enjoy the occasional mental exercise. And that, BTW, is why I came into this thread specifically devoted to a conspiracy theory.  Again... This is THE PLACE for this kind of discussion. Why would you come in here and NOT expect people to want to discuss conspiracy theories?

Oh, BTW... (Raises hand) REAL firefighter here. (Retired) You wanna have a side conversation about Draeger Pacs and BLEVEs? I'm your guy.  :-+

Analogy on why conspiracy theories produce way too much noise, and too little signal, to regularly take notice of them:

It's like spending the day, with an excited 4 year old child, running around, downstairs for a while.

They may shout out every 5 minutes:
"The TV is broken"
"They can see a bad man through the window"
"The house across the street is on fire"
"The water tap is broken"

So one could, immediately do the following:
Call the TV repair man to come over
Phone the Police via the emergency number
Phone for the firefighters to come
Phone for a plumber to fix the tap

But there is a big chance, there are no real problems (just like conspiracy theories), because:
They were using the WRONG remote, to try to operate the TV
The "bad man", was just a neighbor, wearing a uniform and going to work
There is a small bonfire in the garden, across the street, NOT a house-fire
The "tap" is fine, it was just turned off too tightly by an Adult, for them to be able to release it
Etc etc

Yes, there is a relatively small chance, that any one of the "issues", the child raises every 5 minutes (approx), is real. But, most of the time, it is just a normal mistake, that children often make.

Conspiracy theories are similar.

E.g. YouTube went down for an hour or two, recently. There were soon conspiracy theories, that the Moon had been struck by a huge object, and so the (implied) Government(s), had got youtube switched off, to stop people noticing from live video feeds of the Moon.

To me, it is obvious that the Moon story is crazy/false. But some people might wait until tonight, go outside, and look up to check the Moon is still there.

There are much more likely explanations, such as that the youtube servers had a software fault(s) or crashed, or even they were hacked. These are sensible possibilities.
But a huge asteroid hitting the moon and/or aliens landing on the Moon, needs huge/big evidence and pictures, or it didn't happen.

So my default behavior, is to treat most conspiracy theories, as if they are FALSE, until there is sufficient evidence, to give them some merit.
 
The following users thanked this post: tooki

Offline tooki

  • Super Contributor
  • ***
  • Posts: 12741
  • Country: ch
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #384 on: October 17, 2018, 05:11:46 pm »
Analogy on why conspiracy theories produce way too much noise, and too little signal, to regularly take notice of them:

[snip]

So my default behavior, is to treat most conspiracy theories, as if they are FALSE, until there is sufficient evidence, to give them some merit.
:-+ :-+ You hit the nail on the head: signal to noise ratio. Love your analogy!
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2369
  • Country: de
    • Frank Buss
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #385 on: October 17, 2018, 06:08:35 pm »
Quote from: FrankBuss
A video on Computerphile. Nothing new, but the interesting idea that such a chip could be hidden inside the PCB itself between the layers. This would be really difficult to detect, if you don't x-ray the PCBs and carefully examine and compare the images.

Quote from: Marco
Why bother putting something in between the flash and BMC? Just make your own flash chip instead. Designing the tiny interceptor and hiding it in the PCB is harder than just putting it directly in the flash IC.

It would be probably still cheaper to hide a chip inside the PCB than building your own modified flash IC, because you could use an off-the-shelf microcontroller for it.
 

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #386 on: October 17, 2018, 09:08:25 pm »
Analogy on why conspiracy theories produce way too much noise, and too little signal, to regularly take notice of them:

[snip]

So my default behavior, is to treat most conspiracy theories, as if they are FALSE, until there is sufficient evidence, to give them some merit.
:-+ :-+ You hit the nail on the head: signal to noise ratio. Love your analogy!

Great! you agree with each other! Now when you two are done patting each other on the back, could you PLEASE take it SOMEWHERE ELSE BESIDES the thread BASED ON A FUCKING CONSPIRACY THEORY?

In HERE, YOU and your constant bitching about conspiracy theories ARE THE NOISE!!!

mnem
 :palm:
« Last Edit: October 17, 2018, 09:10:04 pm by mnementh »
 

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4952
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #387 on: October 17, 2018, 09:20:24 pm »
Analogy on why conspiracy theories produce way too much noise, and too little signal, to regularly take notice of them:

[snip]

So my default behavior, is to treat most conspiracy theories, as if they are FALSE, until there is sufficient evidence, to give them some merit.
:-+ :-+ You hit the nail on the head: signal to noise ratio. Love your analogy!

Thanks!

EDIT:
It is difficult putting a message here, because it will be read by everyone.
But, people who strongly believe in many/all conspiracy theories, (in my experience) tend to also be people, who extremely (impossibly) stubbornly, won't listen to logical/scientific/sensible/evidence. However long you patiently spend, trying to explain it to them.
So, don't get annoyed with them. I find they can be nice people, in other respects.
« Last Edit: October 17, 2018, 09:31:35 pm by MK14 »
 
The following users thanked this post: tooki

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4952
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #388 on: October 17, 2018, 10:00:03 pm »
Apparently, a researcher, has done a "sniff test", and hence investigation. On the plausibility/viability, of the possible hardware hack. He explains in nice details, why/how it could work.

The second link, is actually included in the story of the first link.

https://www.theguardian.com/commentisfree/2018/oct/13/tech-giants-us-chinese-spy-chips-bloomberg-supermicro-amazon-apple

https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/

But, it is very easy to create hypothetical stories about "bad" China.

What we really need is the real evidence. I.e. Server(s) which have been hacked and can be independently verified and/or the attacked/hacked parties to confirm/agree they were attacked.

Otherwise, it just looks like a falsely made up or planted story.
I.e. It would be getting like Russian media, which seems to create a lot of stories, which are maybe possible. But they need evidence to confirm, they are not just figments of the Russian propaganda machine.
 

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #389 on: October 17, 2018, 10:24:29 pm »
Analogy on why conspiracy theories produce way too much noise, and too little signal, to regularly take notice of them:

[snip]

So my default behavior, is to treat most conspiracy theories, as if they are FALSE, until there is sufficient evidence, to give them some merit.
:-+ :-+ You hit the nail on the head: signal to noise ratio. Love your analogy!

Thanks!

EDIT:
It is difficult putting a message here, because it will be read by everyone.
But, people who strongly believe in many/all conspiracy theories, (in my experience) tend to also be people, who extremely (impossibly) stubbornly, won't listen to logical/scientific/sensible/evidence. However long you patiently spend, trying to explain it to them.
So, don't get annoyed with them. I find they can be nice people, in other respects.

You do realize that you've just "discovered" a boorishly common analogy that literally dates back to UseNet and the days of dialup, right?   :-DD

I was probably using the term in alt.sci.repair when you lot were in diapers.

mnem
 :popcorn:
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 12741
  • Country: ch
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #390 on: October 18, 2018, 12:17:37 am »
You do realize that you've just "discovered" a boorishly common analogy that literally dates back to UseNet and the days of dialup, right?   :-DD
SNR or the children? The analogy I was referring to is the involved analogy about children. Obviously SNR is a well established term, that IMHO isn’t reeeeally an analogy anyway.

I was probably using the term in alt.sci.repair when you lot were in diapers.
Technically possible, but not terribly likely, since Usenet is slightly younger than I am, and I was only in diapers for a few short years as a baby. ;)

Of course, even if you are older than me, that has no correlation to wisdom or critical thinking ability. (FYI: a huge part of critical thinking is being able to detect and reject bad science, unreliable sources, etc. Accepting anything and everything as a possibility is NOT an indicator of good critical thinking, quite the contrary. As the saying goes, keep an open mind, but not so open that your brains fall out.)
 
The following users thanked this post: MK14

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4952
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #391 on: October 18, 2018, 12:29:11 am »
As the saying goes, keep an open mind, but not so open that your brains fall out.)

That is a very good one.
It's good to keep an open mind, because there could be things going on, beyond, what you are immediately considering.

E.g. You are measuring the temperature, of a suspect, overheating transistor.

Your open mind, needs to notice/realize that the heatsink has fallen off, which is why the transistor's temperature readings have gone so high.

**But not so open, that it wastes time, ignoring the evidence in front of you, and thinks the overheating transistor, is being caused by aliens, from another universe, because they don't want humans to invent transistor technology, and invade their galaxy, in another century.

**Unless, you are an upcoming book/film writer, who is going to come up with the next, star trek/wars, stuff. In which case, please carry on.
 
The following users thanked this post: all_repair, tooki

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #392 on: October 18, 2018, 12:44:00 am »
I said probably, because statistically, it's true. Anyone I talk to on the internet, it's highly probable I've been online since they were in diapers, enough so that the few times it isn't so fall within the statistically insignificant margin of error that would be discarded anyways. Congrats! You made the cut!  :-+

And again... it doesn't matter. THIS is not the place for that crap. Pretty much ANYWHERE ELSE on eevBlog (aside from the few other Conspiracy Theory threads) this is appropriate response... but in here, a thread set aside for us to discuss such wacky shit so we don't bother the normals, it borders on trolling. PARTICULARLY as has been done here, where you guys just WILL NOT LET UP. 

We get it. You think Conspiracy Theories are dumb. You've displayed your intellectual prowess for all to see.

Now move along... nothing to see here. ;)

mnem
 :popcorn:

 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #393 on: October 18, 2018, 01:39:59 am »
Guys, it may be time to roll them back into your pants. We've seen enough and we're not impressed. ;D
 
The following users thanked this post: MK14, mnementh

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #394 on: October 18, 2018, 04:51:32 pm »
, THAT is exactly the point... what I'm saying (when I have a chance) is essentially exactly what George is saying here: QUESTION EVERYTHING.

All I want to do is DISCUSS LIKE ADULTS the conspiracy theory that is the TITLE of this freaking thread, yet I'm getting to spend nearly ZERO time doing that for having to fend off sophomorically pedantic and personal attacks on the very concept of conspiracy theories.  |O   Shockingly, that is not the least bit fun.   >:(

mnem
 :popcorn:
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #395 on: October 19, 2018, 12:35:02 am »
Good article on this story from a Cambridge security researcher here: https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/







"What the large print giveth, the small print taketh away."
 

Offline CaptCrash

  • Regular Contributor
  • *
  • Posts: 50
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #396 on: October 19, 2018, 01:44:14 am »
I remember an example at a partner company to where I worked where data was transmitted by issuing DNS queries from a compromised system using the DNS infrastructure as a very slow semaphore.

How was this detected? I guess if you fully control the server, you could monitor the internet traffic and then compare all internet traffic with the installed programs. But if it is something like an Amazon cloud server, you would need to analyze every customer application. So it would be impossible to detect hidden traffic, except by detecting the hidden program itself. This makes it again more plausible to install something in the hardware, which can initiate network traffic outside of the core CPUs itself, because hidden programs with high privilege, which has suspicious network traffic, might be easier to detect. Of course, would be much better to install a modified BMC chip instead of an extra chip, maybe with 2 layers, like running the transferred firmware in the normal layer, but one hidden layer above an additional spy firmware. But would be much more expensive, if they need to change the die for it.

In this case the partner's servers were utilizing DNS services in our DMZ environment.
The amount of traffic being reported leaving this DMZ increased and we were troubleshooting what we thought was an issue with our servers. It turned out to be an issue with the partner's servers on the other side of a VPN between the sites.
The discovery came about due to testing a new reporting process tracking interzone traffic within our production network. Luck did play a large part in the discovery.

Working out what the partner servers were doing was due to me explaining to a junior staff member how DNS worked (DNS forwarders and root servers). As part of this I was demonstrating how the caching worked for our internal DNS and during the process cleared the cache, to demonstrate.
Up to this point, it just appeared that the partner company was doing regular DNS lookups (unusual to use our services but not unreasonable). That they were querying external hosts was unusual.
On clearing the DNS cache on our DNS servers, the odd domain and host entries were quickly repopulated and this caught our attention.

From there we started capturing the packets, verified the source of the traffic and the oddity of the destination, contacted the partner and shut down the partner servers' access to our services.

Later on the service was re-enabled to our test infrastructure and full packet captures were collected.

Trying to resolve something like this from a shared cloud resource would be next to impossible.  From a dedicated server, in a cloud environment, the process would be exactly the same.
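
The symptom in the post above (odd host names under one domain that reappear in the resolver cache as soon as it is cleared) can be looked for directly in resolver query logs. The following is an added example, not part of CaptCrash's post: the log format, IP addresses, domain names and thresholds are all constructed assumptions, and the base-domain split is a simplification.

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character of `text`; random-looking labels score high."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def base_domain(qname):
    """Last two labels of the name.

    Simplification for this example: production tooling should use the
    Public Suffix List so that names under e.g. co.uk group correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one constructed log line: '<epoch> <client-ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return float(ts), client, qname.rstrip(".").lower(), qtype


def find_suspects(lines, min_unique=20, min_unique_ratio=0.9, min_entropy=3.0):
    """Flag (client, base domain) pairs that look like a DNS covert channel.

    A channel that encodes data in host names has to use a fresh name for
    every query, so almost every query is unique (and therefore a cache
    miss that is forwarded upstream), and the labels look random.
    Thresholds are assumptions to be tuned against real traffic.
    """
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        _, client, qname, _ = parse_line(line)
        groups[(client, base_domain(qname))].append(qname)

    suspects = []
    for (client, base), names in groups.items():
        unique = set(names)
        # Part of each name to the left of the base domain.
        subs = [n[: -len(base) - 1] for n in unique if n != base]
        if not subs:
            continue
        unique_ratio = len(unique) / len(names)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if (len(unique) >= min_unique
                and unique_ratio >= min_unique_ratio
                and mean_entropy >= min_entropy):
            suspects.append({
                "client": client,
                "domain": base,
                "queries": len(names),
                "unique_names": len(unique),
                "unique_ratio": round(unique_ratio, 2),
                "mean_label_entropy": round(mean_entropy, 2),
            })
    return sorted(suspects, key=lambda s: -s["unique_names"])


def build_sample_log():
    """Constructed sample data: three clients with different behaviour."""
    t0 = 1539900000.0
    lines = []
    # Ordinary client: few names, repeated often (served from cache).
    for i in range(40):
        host = "www" if i % 4 else "mail"
        lines.append(f"{t0 + i} 10.0.0.5 {host}.example.com A")
    # Many unique but structured names (e.g. a host inventory): the
    # entropy check keeps this from being flagged.
    for i in range(25):
        lines.append(f"{t0 + i} 10.0.0.6 host{i}.example.org A")
    # Every query is a new random-looking label under one domain.
    for i in range(40):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:24]
        lines.append(f"{t0 + i} 10.8.0.21 {label}.lookup-svc.example TXT")
    return lines


if __name__ == "__main__":
    for hit in find_suspects(build_sample_log()):
        print(hit)
```

The unique-name ratio is the log-side equivalent of the cache observation in the post: names that are never repeated are never answered from cache.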
 

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #397 on: October 19, 2018, 06:09:53 am »
Quote from: cdev
Good article on this story from a Cambridge security researcher here: https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/

You see, that's the bit that's always seemed flaky to me, yet this guy is saying it seems okay. Why would you NOT use the same package as belongs there? To connect to that you'll either have to alter the board or put it on a breakout wafer of its own. That odd little part in the middle of an unpopulated footprint for something else actually WOULD look suspicious to me; drop a soic 8/16 chip on there with a phony label and nobody would ever notice it.

I always thought it was just one of those "Stupid cover pics" like when some magazine shows you a picture of a supposed RF "bug" that's nothing more than a microphone element with a diode and a resistor soldered to it.  :palm: That's also why I thought all the argument over the package could support a processor powerful enough, had enough pins, etc was just inane nitpicking.

The ONLY reason I can think of to use that odd tiny package would MAYBE be to go unnoticed by robotic eyes in the QC phases... of course, if you're doing this from within the company, you can just add the soic8/16 to the QC template until after the job is done and the robot cameras would ignore it unless it was installed wrong.

Of course, the "stupid cover pic" argument also applies to the mainboard depicted; it's also probably something they were easily able to pull together from images off the net, not the specific board in question... so the device package and the place it goes could either or both be just "representations", even though the location shown is suspiciously correct for the purpose claimed.

mnem
 :popcorn:
« Last Edit: October 19, 2018, 06:19:22 am by mnementh »
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23096
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #398 on: October 19, 2018, 06:57:57 am »
BTW I’ve spent most of my week trying to get hold of the proposed Supermicro B1DRI blades and I can’t get one anywhere. Thought it might be interesting. Boo hiss. Everyone is using HP or Dell blades and said “why would I buy Supermicro blades?”. Supermicro appears to have the niche of 1U shite pushing boxes and I doubt the bottom end boards are compromised. Doesn’t seem like a valuable target.

I can get hold of other server boards but it’s not worth digging around on one without some sort of positive correlation.

And thus ends my interest in the matter :(
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2369
  • Country: de
    • Frank Buss
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #399 on: October 19, 2018, 08:43:24 am »
Quote from: bd139
BTW I’ve spent most of my week trying to get hold of the proposed Supermicro B1DRI blades and I can’t get one anywhere. Thought it might be interesting. Boo hiss. Everyone is using HP or Dell blades and said “why would I buy Supermicro blades?”. Supermicro appears to have the niche of 1U shite pushing boxes and I doubt the bottom end boards are compromised. Doesn’t seem like a valuable target.

Someone is selling it on eBay, but the whole blade, not just the board:

http://cgi.ebay.de/142875604607

Might even have a harddisk, the auction text is not clear.
 

