Bloomberg: China broke into US companies by adding chip on server motherboards

Riiiiight... It's not the Russians this time, now it's the Chinese again... And coincidentally this is published in the middle of the US-China trade war 😀
If we see things as a whole, China is now behaving exactly like the old US was. Karma retaliation 😛
5$ says typhoon is a bot. any takers?
austin865a:

But a better question, how does the chip work without drivers? What about OS support? Or is the chip so simple (dumb) that it doesn't need anything from the OS and just passes info gathered from the onboard NIC or HDD controllers to wherever?
The same way your Intel or AMD CPU works without drivers. The driver is embedded in the chip itself and is called "firmware". By the way, you realize that Intel ME is essentially the same thing as this new supposedly Chinese spy chip. Intel ME has its own mini-OS running separate from everything else on your PC, complete with network access to top it off.
Brasky:

5$ says typhoon is a bot. any takers?
I'll take that 5 bucks anytime 😉
oh noes... them pesky Russians, err... Chinese are SPYING AGAIN!!! "The stories get weird here; Apple and Amazon are denying any existence of the chip. "Apple has never found malicious chips, hardware manipulations or vulnerabilities that have been deliberately placed on a server, Apple has never had contact with the FBI or any other service about such an incident," Apple says it has 2000 servers from Supermicro, but denies that it has found the chips. Amazon says in its denial that it found four problems with the purchase of Elemental, a takeover that took place in 2015. None of those were in the hardware." But of course, you can't believe any of those Commie Tech companies like Apple or Amazon... Still waiting for Trump to drain that swamp...
Bloomberg is fake news.
Moderator
I just want to say something real quick, let's not make this into a political debate. I already got enough of that going around with all the freaking political ads everywhere!
austin865a:

And this is why I get my servers and parts from small US companies. It's nice to have parts in your PC that say made in USA or Germany, UK and not China, Taiwan or something. But my wallet hates me for it 😛
As an American, I can't say US-based companies are a whole lot more trustworthy than Chinese or Russian. But... I also don't really care if a government (domestic or foreign) is spying on me, so despite this news, I'll still gladly buy Chinese (or American) parts. All I care about is price and performance.
Anyway, a simple fix. Take the chip off the board? But a better question, how does the chip work without drivers? What about OS support? Or is the chip so simple (dumb) that it doesn't need anything from the OS and just passes info gathered from the onboard NIC or HDD controllers to wherever?
I was also thinking of just simply removing the chip. Or, take a screwdriver and a hammer and just give it a little tap to crush it. Surely, the chip is not crucial to the functionality of the board, so might as well ignore it. As for the driver thing, there are plenty of hardware features that work without drivers. Drivers are nothing more than just basic code that allows the OS to have control/access over hardware. There is nothing preventing hardware from performing logic functions without the OS being aware of it. Take keyloggers for example, or the potential malware that takes advantage of Spectre and Meltdown. That being said, I wouldn't be surprised if the chip sits somewhere between the storage controller, the chipset, and the NIC. It probably just listens in on the data and encodes it to be sent over the NIC. I'm sure it's completely isolated and undetectable by the rest of the system.
austin865a:

^this. I don't see why it would need to get political. This is more of an issue of security more than anything. I'd like to see how the server OS maintainers and how Supermicro deal with this. It's not like you can always drop everything and get a new server right away.
It would get political because all the companies that Bloomberg said this happened to are outright denying the story. Typically if they want to keep shut they'll use a boilerplate "No comment" but they are literally saying this didn't happen and it's an entirely fabricated news story. Bloomberg itself posted a counter article summarizing it. https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond So what exactly is going on here? Seems extremely weird for them to deny it like this because any indication of a real attack would open them to a massive legal liability after a denial like that.
And I thought I was cynical... lol. Anyhow, Denial is on point about the liability issues. Amazon Cloud Services and Apple Cloud... that's a lot of liability right there without bringing in government contracts. SuperMicro, wow, I had such a high opinion of them. One of the reasons (other than cheap labor and a huge market) tech companies produce in China is political stability. This is a gut punch to every American tech company with eyes on the fat wallets of the Pentagon.
Denial:

It would get political because all the companies that Bloomberg said this happened to are outright denying the story. Typically if they want to keep shut they'll use a boilerplate "No comment" but they are literally saying this didn't happen and it's an entirely fabricated news story. Bloomberg itself posted a counter article summarizing it.
There isn't exactly any penalty to publicly lie about stories like this anymore. I can't even count how many times a story came out in the past year (politically motivated or not) that was denied and then turned out to be true in the end.
nhlkoho:

There isn't exactly any penalty to publicly lie about stories like this anymore. I can't even count how many times a story came out in the past year (politically motivated or not) that was denied and then turned out to be true in the end.
You're right and it's definitely getting significantly more difficult to judge the accuracy of stories due to the increasing level of dishonesty across the board. Is Bloomberg outright fabricating this story? Are the six current/former White House officials lying? Are the companies lying that this didn't happen? I don't know - which is why I find this story so strange. Bloomberg is a fairly trusted news publication, it's rated typically as center/left center - most of the "conspiracy this is fake news" posts I see about this story are implying that it's a White House hit job on China designed to "promote" the ongoing trade dispute, in fact someone mentioned that here. I don't know why a slightly left leaning site (at worst) would fabricate or agree to fabricate a story about this. I'm also positive that if they didn't fabricate the story, they did some due diligence and vetted the sources - there are six of them from the White House and several "Apple insiders" they are using as sources. That's like a fair number of sources - which would lead me to believe that there is some level of truth to the story. But even the companies' responses are outright puzzling to me. In terms of PR you almost never outright deny a story like this - whether the story is true or false - it's just not worth the legal risk. Yet, despite the ongoing Facebook saga, complete with multi-billion dollar fines due to them covering their hack up, all of these companies choose to outright deny this story. I'm not really taking a side or saying who is lying or not but it's just extremely weird to me. None of the "conspiracyesque" narratives I've seen thus far really fit what's going on here.
Bloomberg being hacked with a fake article? Or is that a real article? In-Q-tel? Good name for a company... intel "Q"estion/ery/... Secondly, I really want to see a real photo of those microchips and to what components they were connected. There are very few specific places where some chip can affect anything. No way to affect code being executed in the CPU, that's simply not possible as the chip would have to intercept, analyze and change data going from memory/storage in real time. (Crazy computational capacity required, a lot of traces overridden, and a lot of hacking-chip-on-board-storage required to actually have a reference on what to intercept.) Maybe possible to send fake reads and writes to the storage controller, but again very complicated for anything this small without a lot of onboard memory and traces. The most feasible way would be this having access to the BIOS chip, simply parsing and altering/inserting modules. So basically a rootkit deploy chip. - The reason here would be to survive a BIOS update. But then the following description is way too incorrect: "⑤ When a server was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code." And then there is that F*ing Big Important thing: IIRC, the US made some legislation changes which classify a foreign cyber-attack as an Act of War. I have no clue if it went through and under which conditions it should have applied. US guys will probably know.
All that is missing is one PHYSICAL example of this. I find it impossible to believe that these are installed all over the planet yet nobody can find one? That not one single person in years has come forward and said 'hey look at this'. This story fails my basic sniff test for that basic reason.
HeavyHemi:

All that is missing is one PHYSICAL example of this. I find it impossible to believe that these are installed all over the planet yet nobody can find one? That not one single person in years has come forward and said 'hey look at this'. This story fails my basic sniff test for that basic reason.
Yeah I agree but then why is there a concerted effort by seven different people ranging from different backgrounds both politically and private/public trying to say this happened? Or, why is Bloomberg so hellbent on fabricating a story like this when it was obviously going to be outright denied by the companies and obvious lack of evidence? The whole thing just seems so strange to me.
austin865a:

...... ...... ...... The parts tend to be a lot better made too. How many can say they've seen a $400+ H110 chipset motherboard? Yes, that is what a low end board made by a US company that does not outsource to China can cost you.
Care to share any links? Honestly I would love to see some! I thought you meant PNY at first but afaik they don't make motherboards anymore.
What's really sad is that SuperMicro used to be the only company who made their boards in the USA.
I agree the way the denials are written is odd. Amazon's in particular:
It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.
So all they are saying is they didn't know of any malicious chips being installed. There could have been, they just didn't know of any. They also aren't saying that one of these chips was installed in every server. If this is true, they could be in 1 in every 1000 or something. Of course it would then be harder for them to find.