Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This is either going to turn out to be an NSA gag order, or a total misunderstanding on Bloomberg's part. For me, this is the most interesting news story to follow in a decade.


The response is equally interesting. I wouldn't have assumed people would be so quick to jump to "Well, private US companies are lying to the public because the US government is compelling them to."

Times we live in...


> I wouldn't have assumed people would be so quick to jump to "Well, private US companies are lying to the public because the US government is compelling them to."

I mean ask Joe Nacchio how going up against the NSA worked out.


The reason for that response is:

* this all seems within reason, knowing the hardware

* the denials are unusually strong

If any of it is true or not I don't know, but the IPMI stuff is crappy, if not backdoored.


Are they unusually strong? I work in government, we take these allegations really serious. The data we house in the cloud simply can’t be compromised.

We’re apparently home free by using Azure, but I think the responses are justified if the story is fake.


Since everyone assumed IPMI was crappy and potentially backdoored, that's why the story seems fishy. Why go to science fiction lengths to subvert some easily subervertable thing?


The described hack is nowhere near science fiction levels. Even embedding a bare silicon chip in the layers of a board would be factible.


As I referred to in the original thread, this is a commonplace construction method.


I suppose I meant "presented as science fiction". I formerly worked as a hardware design engineer so I'm pretty familiar with what's actually science fiction ;)


New theory: the actual "attack" was a production mistake. E.g. an active component meant for a different product was accidentally loaded onto the PnP machine for these SM motherboards in place of some passive component. The changed component happened to trigger unexpected behavior in the BMC (e.g. put it into a TFTP firmware load mode sometimes). Those inspecting the hardware persuaded themselves they were witnessing a sophisticated attack, because that's what they expected to find one day.


The number of affected companies is also odd: 30. Wouldn't it either be 1-2, or "thousands"? Since almost everyone uses SM boards somewhere.


Not really -- I have used SuperMicro servers in the past, and we had our own Super Micro part numbers based on the company -- so, they know who is ordering each piece of equipment and they know where each piece of equipment is being built and sent to.

If you're just ordering boards through a reseller, I wouldn't expect those to be infected, but, when you're ordering 10,000+ servers at a time, you'll get your own Part Numbers, your own specs, and your own build times/specs.


Not really? If you have the ability to insert this bugged version into orders from specific companies why would you stop at just 1-2 major companies.


Or a truly massive act of trolling by Anonymous members inside government and Apple/Amazon, planting false information to sway politics, or just to prove that they can.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: