by monocasa 1727 days ago
Right, so a small chip sitting on the SPI bus for the flash would fit all of what you said and give attackers another capability: persistency in the face of replacing the flash itself. And yes, it'd probably be something small, like rewriting one of the keys stored in flash.

And BMC networks are extremely high value targets. Tons of exploits from running ancient code, and DMA access to the rest of the system, often without even an IOMMU in the way.


The Bloomberg article doesn't talk about BMCs however. That's __me__ talking about BMCs.

I don't need the Bloomberg article distracting the discussion. It's clear that the Bloomberg article was just fully and completely useless. It contributed no useful, technical details to the discussion.

We're sitting here arguing about how Bloomberg might have written the article better. At some point, we just gotta realize that Bloomberg wasn't helpful at the discussion at all.

Which is fine: Bloomberg is primarily a trading / commodities / financial newspaper. To expect expertise in technical issues (better than typical Hacker News discussion) is probably expecting too much from that group of journalists. But let's not pretend that the article under discussion was useful to any of us here.

> The Bloomberg article doesn't talk about BMCs however. That's __me__ talking about BMCs.

You are not the only one talking about BMCs. The entire discussion has centered on that since the beginning. I'm not sure how you thought that you invented that line of discussion.

> We're sitting here arguing about how Bloomberg might have written the article better. At some point, we just gotta realize that Bloomberg wasn't helpful at the discussion at all.

> Which is fine: Bloomberg is primarily a trading / commodities / financial newspaper. To expect expertise in technical issues (better than typical Hacker News discussion) is probably expecting too much from that group of journalists. But let's not pretend that the article under discussion was useful to any of us here.

People coming forward about a successful foreign state sponsored attack on AWS and Apple server infra is a pretty big story for HN, even if it doesn't have all the details you'd like.

https://www.bloomberg.com/features/2021-supermicro/

Bloomberg's followup article (and probably the original article) doesn't seem to discuss BMCs at all.

I'm not saying that I invented the line of argument. I'm saying that Hacker News, the community, brought up BMCs. It's not a talking point of the Bloomberg article at all.

The fact remains: we're already in a fully tangential point compared to Bloomberg's "facts" (of which there are very few. It's largely just allegations and FUD).

--------

The most frustrating thing is that Bloomberg very well could be correct. But the articles they wrote are absolute crap on this subject.

> People coming forward about a successful foreign state sponsored attack on AWS and Apple server infra is a pretty big story for HN, even if it doesn't have all the details you'd like.

Without the details of how it happened or the mechanism, then it doesn't matter.

We exist in a zero-day world: there are attacks I will never understand in my lifetime, happening today. Welcome to modern computer security.

What's important is understanding as many of these attacks as possible, so that we can build the proper security mechanisms and policies to defend ourselves correctly. Without an action plan, the news is basically null and void. It doesn't matter if China hacks us per se, it could be Russia or Iran tomorrow. There's always state actors trying to do things.

It might not have been useful to you, but it was useful to the people who might be targets of this type of attack. I know of at least two organizations that are now randomly x-raying datacenter components and comparing them to reference designs.

You also seem to confuse an article being helpful to you with an article being correct. You clearly are not in a line of work where you need to worry about this, and that is ok. But it does not invalidate the article at all.

The NSA's TRINITY chip circa 2008 was smaller than a penny and the workhorse behind implants that hid inside ethernet headers on motherboards and USB cables. The CIA has a team dedicated to interdicting shipments and modifying firmware or hardware. It is absolutely foolish to assume other countries' intelligence services are not capable of the same.