Chinese manufacturer puts hardware backdoor onto Supermicro server boards.

[MK14]

"shenanigans..."

Pictures or it didn't happen.
Evidence NOT conspiracy theories.

Examples:
He looks guilty...
He's a man, so he must've done it...
There is NO evidence, so they must be guilty, as they hid the evidence...
The Police would never investigate them in the first place, if they had nothing to do with the crime...
Etc etc.

[mnementh]

*Yaaawwwwnnnn*

Same old tautology... "There's nothing to see here, because I said there's nothing to see here."

Good luck widdat when they come for you. 

mnem
    "First they came for the Communists, and I did not speak out —
         Because I was not a Communist.

    Then they came for the trade unionists, and I did not speak out —
         Because I was not a trade unionist.

    Then they came for the Jews, and I did not speak out —
         Because I was not a Jew.

    Then they came for me - and there was no one left to speak for me." ~ One of several version of "First They Came..." attributed to Martin Niemöller

[MK14]

*Yaaawwwwnnnn*

Same old tautology... "There's nothing to see here, because I said there's nothing to see here."

Sorry, I can't reply to you at the moment.

I heard a noise outside, and I'm investigating.
I can't go too far (or I'll fall off the edge of the flat Earth), be eaten by BigFoot, who is an Alien, From another time-zone. I can't injure him, because they will come back as a Ghost, and haunt me.
Also, it is NOT politically correct for me to criticize, BigFoot, because they are a minority.

[technix]

欲加之罪，何患无辞。

[MK14]

欲加之罪，何患无辞。

one can always trump up a charge against sb Give a dog a bad name, then hang

Some people think that the Trump (administration), may have trump-ed up the accusations. Because of the US/China trade war.

But Bloomberg News, seems to have spent a very long time, creating/researching the news story (apparently confirmed by some of the denial reports, from Apple, Amazon and Super-Micro). Which would tend to mean the Trump administration had nothing to do with it.

[mnementh]

*Yaaawwwwnnnn*

Same old tautology... "There's nothing to see here, because I said there's nothing to see here."

Sorry, I can't reply to you at the moment.

I heard a noise outside, and I'm investigating.
I can't go too far (or I'll fall off the edge of the flat Earth), be eaten by BigFoot, who is an Alien, From another time-zone. I can't injure him, because they will come back as a Ghost, and haunt me.
Also, it is NOT politically correct for me to criticize, BigFoot, because they are a minority.

Yes, your argument is precisely THAT infantile. Glad you understand this; now perhaps you could actually come up with something that demonstrates independent thought rather than simply parroting the same old "Fake news" mantra over and over again and attempting to marginalize those who actually bother to think.

It is that logic which allows all evil in the world to go first uninvestigated, then undiscussed, then allowed to prosper.

mnem
"All that is required for evil to flourish is that good men do nothing."

[MK14]

Yes, your argument is precisely THAT infantile. Glad you understand this; now perhaps you could actually come up with something that demonstrates actual independent thought rather than simply parroting the same old "Fake news" mantra over and over again and attempting to marginalize those who actually bother to think.

It is that logic which allows all evil in the world to go first uninvestigated, then undiscussed, then allowed to prosper.

mnem
"All that is required for evil to flourish is that good men do nothing."

I'm the official court judge, presiding over this case. Judge Mr MK 14!.

The defendant, Mr China, is accused of Stealing secret information.

Mr Bloomberg, has testified, that three people were robbed of their information. Mr Apple, Mr Amazon and Mr Super-Micro.

On testifying to the court, Mr Apple, Mr Amazon and Mr Super-Micro, all swear on oath that the robberies (of the data), NEVER took place.

No pictures of the said robberies (Tiny Sot-23 devices and suchlike), have been submitted as evidence.

The stolen data items (affected Servers), have not been submitted to the court as evidence.

My Verdict. NOT GUILTY (or certainly NOT PROVEN by the evidence submitted and made available so far).

[mnementh]

....and now you've gone recursive; just another way of repeating the same exact tautology:  "There's nothing to see here, because I said there's nothing to see here."

Good luck widdat.   

mnem
"Good night, and may your god go with you."  ~ Dave Allen

[bd139]

There is nothing to see at the moment. Extraordinary claims require at least some evidence. It’s all words and farts.

Anyway a relevant anecdote for you. I spoke to someone yesterday who has about 1500 Supermicro boxes in production. They have inbound/outbound IDS systems and the management VLAN has no outbound. No attempt has been made by anything in the management VLAN to call home.

Windows however, and I’m quoting here “hammers the fucking shit out of the firewall even though we turn all the switches off”.

I think we’re prioritising risk vectors incorrectly here.

Personally I’m more worried about the nasty American monopoliser’s vampiric tendency and addiction to telemetry and activation data. Imagine the GDPR hell if some of that data contains PII one day due to a bug like the .Net core CLR telemetry logger logging command lines fully...

[mnementh]

I already answered this; my point is, and always has been, that there is something here... maybe not exactly what was first presented, but clearly something.

Dismissing it entirely because those who have reason and ability to cover up what exactly it is have done so successfully under the weakest of cover stories is exactly no less ignorant than Uncle Filbert and his Sasquatch picnic story.

It is in fact a worse kind of ignorance; the willful kind that permits a white trash racist, rapist, misogynist, pathological liar career deadbeat sociopathic felon to squat in the White House and there's jack shit We The People can do about it.

Just because there's lots of common mundane threats in everyday life doesn't mean we can stop looking for the outrageous threats when we know they're not only probable, but inevitable.

mnem
"Eternal vigilance is the price of Freedom."

[bd139]

We’re certainly not dismissing it but at the moment it looks improbable until evidence suggests otherwise.

Answering every what if without evidence isn’t productive which is the problem. File it in the “keep an ear open for more info” drawer.

Can you just shoot him? You’ve done it before  (I joke but...)

[donotdespisethesnake]

I already answered this; my point is, and always has been, that there is something here... maybe not exactly what was first presented, but clearly something.

There is NOTHING here. It's bullshit concocted by reporters who get a bonus for moving markets.

What it does show it how easily you can dangle a little bit of propaganda and many people will believe it. Fake news is being used by all sides.

[Cerebus]

Can you just shoot him? You’ve done it before  (I joke but...)

I just knew that pram on the grassy knoll looked suspicious.

[bd139]

Shhhhhhhhhhhh 

[mnementh]

[...] a white trash racist, rapist, misogynist, pathological liar career deadbeat sociopathic felon to squat in the White House and there's jack shit We The People can do about it [...]

Get over it, that's how democracy works *********************** We The People are the ones who put him there.

(And don't do like bd139 says)

No, We the People did NOT. He was installed in the White House against the will of the American People by a cabal of ultra-wealthy sociopaths intent on completing their hostile corporate takeover of our sovereign nation.

DON'T EVER FORGET THAT. Don't ever stop fighting it.

Unless by "We put him there" you mean by policy of inaction, wherein we didn't immediately march en masse on Washington with torches and pitchforks... then of course you are correct. 

We’re certainly not dismissing it but at the moment it looks improbable until evidence suggests otherwise.

Answering every what if without evidence isn’t productive which is the problem. File it in the “keep an ear open for more info” drawer.

Can you just shoot him? You’ve done it before  (I joke but...)

I fear it will come to some point where his own party is forced to do just that in self-defense; in the same way some animals eat their young.

And bringing it back to the original topic again: I agree in principle... we need to keep investigating this and the likelihood that it is just the tip of the iceberg, rather than the current ADD/Bipolar pendulum swing of "going thermal" one minute and completely ignoring it the next.

That "muddle ground" is all I'm asking for; yet some folks seem unwilling to even concede THAT. 

I have no doubt that in the next few years, some "shockingly similar widespread IT infrastructure compromise" will be discovered, and substantiated in incontrovertible fashion, and those who warned that "it isn't over" will yet again be proven right.  Just like we warned with CISCO.

mnem
Fucking Cassandra, man...

[MK14]

No, We the People did NOT. He was installed in the White House against the will of the American People by a cabal of ultra-wealthy.................
.........

That is why, I believe (and I don't think, I'm alone), that evidence based, scientific/mathematical methods, are important.

Rather than just simply believing whatever, floats randomly into peoples heads, and whatever they "feel", is the reality. Completely ignoring the facts, science, logic and sometimes even the truth.

You may have noticed, from some of my previous posts, that I am NOT 100% entirely happy with Trump. (Possibly TINY understatement, here).

But, I have encountered, real life people who support him.

So unless there is rigorous proof, that his election, is a fraud. E.g. Russian fiddling.

He was at least, genuinely and fairly elected to be the president.

Anyway, we are straying badly off-topic, and turning this into a political (anti-Trump) thread.
We should be discussing the possible hardware hacked servers here, and NOT Trump.
Otherwise the thread could get locked, as has many others, before this one.

[Marco]

1) Chinese manufacturers pwn!!! our supply chain. To them, altering hardware in a malicious manner is no harder, probably easier, actually, than hacking someone else's code... and much easier to keep the machine itself and those operating it from discovering the mod in normal operation, where FW and SW are CONSTANTLY being reviewed and scrutinized and upgraded.

It's very expensive to get caught, that it's easy is besides the point.

[mnementh]

No, We the People did NOT. He was installed in the White House against the will of the American People by a cabal of ultra-wealthy.................
.........

That is why, I believe (and I don't think, I'm alone), that evidence based, scientific/mathematical methods, are important.

Rather than just simply believing whatever, floats randomly into peoples heads, and whatever they "feel", is the reality. Completely ignoring the facts, science, logic and sometimes even the truth.

You may have noticed, from some of my previous posts, that I am NOT 100% entirely happy with Trump. (Possibly TINY understatement, here).

But, I have encountered, real life people who support him.

So unless there is rigorous proof, that his election, is a fraud. E.g. Russian fiddling.

He was at least, genuinely and fairly elected to be the president.

Anyway, we are straying badly off-topic, and turning this into a political (anti-Trump) thread.
We should be discussing the possible hardware hacked servers here, and NOT Trump.
Otherwise the thread could get locked, as has many others, before this one.

And now you're in the third iteration of the SAM EXACT argument.   "Willfully ignorant" of what is plainly visible all around you is NOT scientific method.

I already brought my own conversation into balance with the topic at hand; yet you conveniently ignore the bulk of my post to make the "Anti-Trump" argument yourself, using that to obfuscate your own childish unwillingness to admit this still bears further investigation.

The more you talk, the more you prove my point: some folks simply WILL NOT learn from the past, but insist on ignoring he lessons of history. Willfully. Adamantly. Ignorant.

mnem
 

[MK14]

......................childish unwillingness to admit this still bears further investigation.

Sure. Investigate it further, and produce actual evidence, that the server(s), have been hardware hacked, and investigate (if hacking evidence has been found), by whom (Chinese ?).

(But if you are still talking about Trump, it is getting TOO off-topic, so I've stopped).

[mnementh]

Nope. That comment was in passing, as I just said; not the primary message.

That investigation is supposed to be the entire point of this thread; discussing how what has been presented is valid, vs how it isn't... but what has happened here is that a very small, very vocal minority are demanding that there is nothing here to discuss and we should all just stop talking about it.

That is the antithesis of DISCUSSION.

If you want to not talk about it, then fine, don't. Nobody is making you come in here, to a thread devoted to this discussion, and read it. If you don't like the discussion, then don't participate.



Much of IT is just THIS... and we're now in approximately the third generation where any "professional" in any way involved with IT is fighting a constant battle against letting THAT be the product that ships, and we've all been forced to learn very quickly, by way of simple self-preservation, to NOT look too closely at anything outside our own very specific SOW.

That intimate knowledge, within my own very small portion of what is known as "IT" as a global phenomenon, fills me with terror any time I actually think about it. Knowing that there are lots of folks who know my specialty better than I, and knowing that there are so many other aspects of IT as a whole which rely on the other specialties to work properly, yet those specialties are every bit as much a kludge as my own is daunting... yet still we continue to blunder forward into every new day as if the house of cards made of houses of cards will never fall.

Maybe, just maybe... now is a good time to at least try shoring things up a little, instead of continuing to promote the current race to the bottom, which tactic we've already seen fail spectacularly numerous times in just the last few years.

mnem
Just a suggestion.

[bd139]

Indeed. On numerous occasions I have considered digging myself a nuclear bunker and hiding in it. There is some pretty scary shit out there in the wild.

This rant always sticks with me: https://www.stilldrinking.org/programming-sucks

To back up my initial point, the internet is literally hanging by a thread most days. It’s lucky it even works. One router or BGP hijack away from end game. I’ve seen a company lose two days trade due to a router being fucked two hops away.

[mnementh]

Indeed. On numerous occasions I have considered digging myself a nuclear bunker and hiding in it. There is some pretty scary shit out there in the wild.

This rant always sticks with me: https://www.stilldrinking.org/programming-sucks

To back up my initial point, the internet is literally hanging by a thread most days. It’s lucky it even works. One router or BGP hijack away from end game. I’ve seen a company lose two days trade due to a router being fucked two hops away.

I remember that; it was brought to my attention sometime around my last regular 9-to-5 gig. It instantly validated decades of deeply-rooted professional hunches and internal "Spidey-sense" type alarm bells that pretty much never completely go silent; until of course, the day you wake up on the wrong side of the grass. 

The two bits that really stuck with me... (especially since I was involved in essentially tearing down an entire ISD's network and replacing Cheney-era infrastructure with modern, while trying not to lose phones and printers we couldn't even test) were these:

"...and then all the programmers’ snowflakes get dumped together in some inscrutable shape and somebody leans a Picasso on it because nobody wants to see the cat urine soaking into all your broken snowflakes melting in the light of day. Next week, everybody shovels more snow on it to keep the Picasso from falling over."

Because that essentially described pretty much every bit of HARDWARE and cabling in every MDF/IDF/Bathroom/Janitor's Closet in 14 different campuses we had to gut & restuff in some semblance of order all while working in buildings that had the AC off for the summer in Tejas . 

And the other part was this... anybody who's ever tried to coax a PC back to life just long enough to recover some otherwise irretrievable bit of data knows this intimately:

"Why do we tell you to turn it off and on again? Because we don’t have the slightest clue what’s wrong with it, and it’s really easy to induce coma in computers and have their built-in team of automatic doctors try to figure it out for us. The only reason coders’ computers work better than non-coders’ computers is coders know computers are schizophrenic little children with auto-immune diseases and we don’t beat them when they’re bad."

And this part is why I now KNOW I was lucky I never finished my MBA-turned-Network Administration degree:

"...There’s a team at a Google office that hasn’t slept in three days. Somewhere there’s a database programmer surrounded by empty Mountain Dew bottles whose husband thinks she’s dead. And if these people stop, the world burns. Most people don’t even know what sysadmins do, but trust me, if they all took a lunch break at the same time they wouldn’t make it to the deli before you ran out of bullets protecting your canned goods from roving bands of mutants."

mnem
*Over-taxed*

[MK14]

yet you conveniently ignore the bulk of my post to make the

I agree with you. I have been ignoring much of your post(s). You are right.

Let me try and explain why.

When I see dodgy technology, such as "Free energy Wheels/devices/Claims" or ">99.9% energy transmission for powering electronic devices, over distances of several metres, completely wirelessly", etc etc. I get concerned at the claims validity.

Similarly, when people make claims that someone/company/technology is bad/guilty, WITHOUT any real/valid evidence, being presented. I also get similarly concerned.

So, in this case. Because there is apparently no actual evidence being presented. I am concerned with any claims that this "China has hardware hacked some servers", is not provably true at the moment. At least not with the information which has been presented, publicly.

Hence I like to jump in and (hopefully) using proper Engineering, Science, Mathematics and Logical reasoning. Make people realize that the "dodgy technology or whatever", is probably NOT true.
E.g. A water bottle, which rapidly/automatically fills itself with pure drinking water, WITHOUT any source of power, or a wheel which spins round, generating huge amounts of usable (free) electricity/power. Without using any source of fuel/battery etc.

But on the other hand. If you want to discuss things in general. Such as (if I understand the point you are trying to make), IT systems have become so complicated, have so many layers to them and have numerous design compromises/fixes.
That no single person, can fully 100% understand the entire system, from start to finish.

Hence there are inherent dangers of such ways of doing things.

It is worrying, that so much electronics seems to come from China these days. Especially since, China seems to at least slightly, be moving itself on a kind of war footing, with the West, over the last few decades. E.g. The disputed South China Islands (which DON'T seem to even belong to China), which seem to be increasingly militarized by China.

[mnementh]

Just because this particular flavor of industrial espionage hasn't been proven here doesn't make it NOT valid discussion. You're NOT doing anybody a service by demanding that just because it hasn't been proven here by what we can see that it is not true.

"Absence of proof is NOT proof of absence." There - scientific method. Prove it HASN'T happened. You can't, just like I can't prove it HAS happened.

Stop telling us that it isn't so, when you don't KNOW it isn't so. You BELIEVE it is not so, based on your very narrow view of the scientific method. But THAT is just as much YOUR opinion (as is your opinion of how to apply scientific method) as it is MY opinion (and that of anyone with a reasonably healthy level of cynicism) that if it isn't already happening, it will be happening tomorrow, or the next day.

It is not only probable, it is inevitable, and sooner rather than later. All you have to do is pay attention to human nature and history to know this.

THAT is where YOUR view of the scientific method differs from mine: You use it as an excuse to view the world with blinders on, while I use it to fuel my curiosity.

You say "Lets not talk about what hasn't been proven yet. It doesn't make any sense to waste time on it."

I say "Let's talk about it until it DOES make sense, no matter how ridiculous that conversation may seem. You never know where understanding may come from."

mnem
Most people, on seeing something that doesn't make sense, will pause with a dark expression on their face; be instead the person whose face brightens at the prospect.

[bd139]

Even Bloomberg are slowly backtracking https://www.bloomberg.com/news/articles/2018-10-10/nsa-cyber-official-asks-for-first-hand-accounts-of-chip-hacking

Even NSA doesn’t have samples. I know NSA. NSA get first samples.