[dragontamer]

There's a big difference between a physical hardware attack (that is fully unspecified and fully FUD), and an actual threat to IT departments (ex: insecure BMC that needs to be isolated into its own VLAN).

The minute you start thinking about "how do I protect my company's computers from this attack?" is the minute the Bloomberg article falls apart. Asking for further details just resulted in Bloomberg clamming up and remaining silent on any additional details.

Bloomberg has had multiple years at this point to provide the details needed to be useful to IT departments everywhere about their purported attack. At some point, we just gotta assume that they were making things up.

-----

Lets say Bloomberg is correct about these hypothetical chips being placed into ill-specified motherboards. No attack is perfect: this is all computer equipment after all. It needs to be powered, it needs to have communications to the outside world, it needs to have spy-information (aka: taking information from the motherboard).

Its unlikely that a small chip with low-power could interface with high-speed components (ie: RAM, PCIe, Southbridge, SATA), it wouldn't have enough power. Etc. etc. Whatever the hypothetical attack is, there would be physical requirements it needs to satisfy.

All point back to the BMC: a low-bandwidth interface with huge amounts of information, with highly proprietary / likely insecure code running. So we think about how hardware could be used to hack this interface.

At which point, we immediately enter the realm of ridiculousness, because BMCs are CPUs in their own rights and simply run software to do their job. For a "zero-hardware" attack, China could just be rewriting BMC firmware or something way, way, waaaaay easier than what was described in the Bloomberg article.

Now China doesn't have to worry about replacing chips at all, and they still get all their spy-craft working.

------

But guess what? I think most IT departments are well aware of the proprietary and possibly insecure BMC interface. That's why there's a lot of discussions online about how to protect that interface.

[monocasa]

Right, so a small chip sitting on the SPI bus for the flash would fit all of what you said and give attackers another capability: persistency in the face of replacing the flash itself. And yes, it'd probably be something small, like rewriting one of the keys stored in flash.

And BMC networks are extremely high value targets. Tons of exploits from running ancient code, and DMA access to the the rest of the system, often without even an IOMMU in the way.

[dragontamer]

The Bloomberg article doesn't talk about BMCs however. That's __me__ talking about BMCs.

I don't need the Bloomberg article distracting the discussion. Its clear that the Bloomberg article was just fully and completely useless. It contributed no useful, technical details to the discussion.

We're sitting here arguing about how Bloomberg might have written the article better. At some point, we just gotta realize that Bloomberg wasn't helpful at the discussion at all.

Which is fine: Bloomberg is primarily a trading / commodities / financial newspaper. To expect expertise in technical issues (better than typical Hacker News discussion) is probably expecting too much from that group of journalists. But lets not pretend that the article under discussion was useful to any of us here.

[monocasa]

> The Bloomberg article doesn't talk about BMCs however. That's __me__ talking about BMCs.

You are not the only one talking about BMCs. The entire discussion has centered on that since the beginning. I'm not sure how you thought that you invented that line of discussion.

> We're sitting here arguing about how Bloomberg might have written the article better. At some point, we just gotta realize that Bloomberg wasn't helpful at the discussion at all.

> Which is fine: Bloomberg is primarily a trading / commodities / financial newspaper. To expect expertise in technical issues (better than typical Hacker News discussion) is probably expecting too much from that group of journalists. But lets not pretend that the article under discussion was useful to any of us here.

People coming forward about a successful foreign state sponsored attack on AWS and Apple server infra is a pretty big story for HN, even if it doesn't have all the details you'd like.

[dragontamer]

https://www.bloomberg.com/features/2021-supermicro/

Bloomberg's followup article (and probably the original article) doesn't seem to discuss BMCs at all.

I'm not saying that I invented the line of argument. I'm saying that Hacker News, the community, brought up BMCs. Its not a talking point of the Bloomberg article at all.

The fact remains: we're already in a fully tangential point compared to Bloomberg's "facts" (of which there are very few. Its largely just allegations and FUD).

--------

The most frustrating thing is that Bloomberg very well could be correct. But the articles they wrote are absolute crap on this subject.

> People coming forward about a successful foreign state sponsored attack on AWS and Apple server infra is a pretty big story for HN, even if it doesn't have all the details you'd like.

Without the details of how it happened or the mechanism, then it doesn't matter.

We exist in a zero-day world: there are attacks I will never understand in my lifetime, happening today. Welcome to modern computer security.

What's important is understanding as many of these attacks as possible, so that we can build the proper security mechanisms and policies to defend ourselves correctly. Without an action plan, the news is basically null and void. It doesn't matter if China hacks us per se, it could be Russia or Iran tomorrow. There's always state actors trying to do things.

[mike_d]

It might not have been useful to you, but it was useful to the people who might be targets of this type of attack. I know of at least two organizations that are now randomly x-raying datacenter components and comparing them to reference designs.

You also seem to confuse an article being helpful to you with an article being correct. You clearly are not in a line of work where you need to worry about this, and that is ok. But it does not invalidate the article at all.

The NSA's TRINITY chip circa 2008 was smaller than a penny and the workhorse behind implants that hid inside ethernet headers on motherboards and USB cables. The CIA has a team dedicated to interdicting shipments and modifying firmware or hardware. It is absolutely foolish to assume other countries intelligence services are not capable of the same.