by francoisp 1943 days ago
My question is: who benefits? Follow the money. As to whether this hack is true or not: it should have been simple to prove true.

Just show a single compromised article with an extra chip; at least one is bound to show up on eBay. Can three-letter agencies round up all compromised hardware in all of America in secrecy? To this day none has shown up; it's all theoretically true. A compromised sample is worth at least 1M views on YouTube; it's worth real money, yet it remains elusive.

A compromised BIOS update is more likely, a BMC IPMI infected by a trojan thing; the new piece is hinting at that in the FUD. Then again, that should be possible to find in a compromised board on eBay (probably worth fewer YouTube views since there's nothing physical to look at), and therefore prove this article is not a hit piece for someone with a short position.

I think WSB had best look into this... :-)

Cheers! edit: typo


I don't think this is as easy as you say it is.

From the article:

> The machines turned out to be loaded with unauthorized instructions directing each one to secretly copy data about itself and its network and send that information to China, according to six former senior officials who described a confidential probe of the incident. The Pentagon found the implant in thousands of servers, one official said; another described it as “ubiquitous.”

Assuming this is true, there is a universe of "thousands" of Supermicro servers purchased by the Pentagon that were targeted.

My expectation is that most Supermicro servers would not be targeted, just those sold to certain buyers. Does the Pentagon sell used Supermicro servers on eBay? Is it easy to obtain a used Supermicro server from the Pentagon? (I don't know the answer to those - genuine questions.)

Even if you had one in your possession, it wouldn't be easy to find the exploit, which was (again, assuming it exists) installed by a nation state with the intention of concealing it from another nation state (the world's most powerful). For example, it might only turn on under certain conditions. I wouldn't know where to start.

I'm not saying it's impossible, but I am saying it seems much more daunting than you make it out to be ("should have been simple to prove").

The article said something about messing with traces on the circuit board to hide a component.

I think it would be far more likely to start with a well-known component like a network or bus driver and produce a modified chip with identical packaging and markings. Only one person in the board vendor's supply chain needs to swap spools of tampered chips into the manufacturing stream.

It could sit dormant in most situations unless it saw, say, Pentagon LAN traffic. This means the eBay case is covered; the machine would be normal for everyone else, including the board vendor's QA.

You'd have to simulate the target's traffic to see the board doing something wrong. Or decap the chip and read it out.