by danellis 1727 days ago
> We know the difference between processors and capacitors around here.

Maybe for a two-legged device like a capacitor, but for something in, say, a SOT-23 package, you can't be sure what it is from the outside.

Then again, maybe even something in a capacitor-like package could both communicate and be powered.

But Bloomberg didn't show an SOT-23 package. They showed something like an 0402 or maybe 0201 capacitor on the tip of a pencil.

Could China be hacking motherboards and then shipping them to the USA? Maybe. I'm certain that they're trying to figure out a plan at least. But the Bloomberg article was fully bunk and just FUD from the start.

And I think we all know how we'd hack Supermicro motherboards anyway: those BMCs are well known to be poorly updated, proprietary chips with full access to the keyboard / mouse / display of every single Supermicro motherboard ever made.

One would _assume_ that a Supermicro motherboard hack would involve a BMC attack, if it were to exist at all. If there's news that some hacker is using some other means than the "obvious" BMC, it'd be news, but you gotta be really, really technical and explain just how it works... so that you know, it'd be useful to IT departments to know how to defend against? (Ex: put BMC on its own VLAN at least)

It sounds like you are having difficulty drawing a distinction in your mind between the journalist who did the reporting on the story and the art department that had to come up with something that conveys "small chip" to an average reader without having actual photos.

Most stories about COVID include inaccurate artistic renditions of the virus, but that does not discredit the reporting.

There's a big difference between a physical hardware attack (that is fully unspecified and fully FUD), and an actual threat to IT departments (ex: insecure BMC that needs to be isolated into its own VLAN).

The minute you start thinking about "how do I protect my company's computers from this attack?" is the minute the Bloomberg article falls apart. Asking for further details just resulted in Bloomberg clamming up and remaining silent on any additional details.

Bloomberg has had multiple years at this point to provide the details needed to be useful to IT departments everywhere about their purported attack. At some point, we just gotta assume that they were making things up.

-----

Let's say Bloomberg is correct about these hypothetical chips being placed into ill-specified motherboards. No attack is perfect: this is all computer equipment after all. It needs to be powered, it needs to have communications to the outside world, it needs to have spy-information (aka: taking information from the motherboard).

It's unlikely that a small chip with low-power could interface with high-speed components (ie: RAM, PCIe, Southbridge, SATA), it wouldn't have enough power. Etc. etc. Whatever the hypothetical attack is, there would be physical requirements it needs to satisfy.

All point back to the BMC: a low-bandwidth interface with huge amounts of information, with highly proprietary / likely insecure code running. So we think about how hardware could be used to hack this interface.

At which point, we immediately enter the realm of ridiculousness, because BMCs are CPUs in their own rights and simply run software to do their job. For a "zero-hardware" attack, China could just be rewriting BMC firmware or something way, way, waaaaay easier than what was described in the Bloomberg article.

Now China doesn't have to worry about replacing chips at all, and they still get all their spy-craft working.

------

But guess what? I think most IT departments are well aware of the proprietary and possibly insecure BMC interface. That's why there's a lot of discussions online about how to protect that interface.

Right, so a small chip sitting on the SPI bus for the flash would fit all of what you said and give attackers another capability: persistency in the face of replacing the flash itself. And yes, it'd probably be something small, like rewriting one of the keys stored in flash.

And BMC networks are extremely high value targets. Tons of exploits from running ancient code, and DMA access to the rest of the system, often without even an IOMMU in the way.

The Bloomberg article doesn't talk about BMCs however. That's __me__ talking about BMCs.

I don't need the Bloomberg article distracting the discussion. It's clear that the Bloomberg article was just fully and completely useless. It contributed no useful, technical details to the discussion.

We're sitting here arguing about how Bloomberg might have written the article better. At some point, we just gotta realize that Bloomberg wasn't helpful to the discussion at all.

Which is fine: Bloomberg is primarily a trading / commodities / financial newspaper. To expect expertise in technical issues (better than typical Hacker News discussion) is probably expecting too much from that group of journalists. But let's not pretend that the article under discussion was useful to any of us here.

> The Bloomberg article doesn't talk about BMCs however. That's __me__ talking about BMCs.

You are not the only one talking about BMCs. The entire discussion has centered on that since the beginning. I'm not sure how you thought that you invented that line of discussion.

> We're sitting here arguing about how Bloomberg might have written the article better. At some point, we just gotta realize that Bloomberg wasn't helpful to the discussion at all.

> Which is fine: Bloomberg is primarily a trading / commodities / financial newspaper. To expect expertise in technical issues (better than typical Hacker News discussion) is probably expecting too much from that group of journalists. But let's not pretend that the article under discussion was useful to any of us here.

People coming forward about a successful foreign state-sponsored attack on AWS and Apple server infra is a pretty big story for HN, even if it doesn't have all the details you'd like.

It might not have been useful to you, but it was useful to the people who might be targets of this type of attack. I know of at least two organizations that are now randomly x-raying datacenter components and comparing them to reference designs.

You also seem to confuse an article being helpful to you with an article being correct. You clearly are not in a line of work where you need to worry about this, and that is ok. But it does not invalidate the article at all.

The NSA's TRINITY chip circa 2008 was smaller than a penny and the workhorse behind implants that hid inside Ethernet headers on motherboards and USB cables. The CIA has a team dedicated to interdicting shipments and modifying firmware or hardware. It is absolutely foolish to assume other countries' intelligence services are not capable of the same.