A couple of years ago Bloomberg reported about spy chips/hw backdoors in SuperMicro mainboards but to my knowledge without a smoking gun proof. Maybe they had to settle outside of court and also had to sign papers to help protect the company from further damage in the future. Using (other) Bloomberg material may have triggered this. Of course this is a wild speculation. I have no evidence or insider knowledge.
GN used Bloomberg clips of US Gov officials speaking on AI chip matters, fully under fair use.
And Bloomberg did a DMCA takedown through youtube, copystrike in parlance which pulled the video down for a week. GN had no recourse other than to wait and counterclaim.
Week timed out, Bloomberg did nothing but be the bully.
As always, Louis is being a bit sensationalist and stretches the truth to whip up outrage. Contrary to what he claims, GN could have easily quoted the president without Bloomberg's video, and that would be fine. "that outlet now has a monopoly on who is able to quote the president" is just a totally false premise. Moreover he tries to argue that GN's video falls under fair use, because it's a 1 minute clip in a 3 hour video. However it's not hard to think of a rebuttal to this. If news organizations can copy each other's clips of official speeches, who would bother going out and making such recordings? Usually how this would be resolved would be by citing precedents, but he doesn't bother citing any.
>Brother, wait until you learn about the associate press.
The same AP that licenses content to its members and charges non-members for the privilege of reusing their content?
"Many newspapers and broadcasters outside the United States are AP subscribers, paying a fee to use AP material without being contributing members of the cooperative. As part of their cooperative agreement with the AP, most member news organizations grant automatic permission for the AP to distribute their local news reports. "
> GN's use seems to satisfy all four factors.
It's weakest at #1 and #4.
#1: it's a commercial piece of work (so far as I can tell GN isn't a non-profit), and the use of the clip specifically isn't critical to the work. If you're critiquing a movie or something, and need to show a screengrab to get your point across, then that makes sense, but if the purpose of the video is just to establish "Trump said this", the video isn't really needed.
#4: see above regarding making recordings of official speeches.
Moreover I'm not trying to argue that GN is definitely not fair use, only that there's a plausible case otherwise. If there's actual disagreement over it's fair use or not, then the DMCA process is working as intended, and Bloomberg isn't abusing it as Louis implies.
Yeah yeah, everyone enforces their copyrights to the maximum extent possible. But this does not prevent massive amounts of both licensed copying and free use copying. The framework I outlined above is from the US Supreme Court's rulings on fair use so applies for everyone in the US.
[responses to edited-out portion of parent comment]
Re: #1, GN's work while commercial is an educational investigative journalism / documentary piece which are well established users of Free Use protection. GN's use is absolutely transformative.
#4: Bloomberg would have to prove a financial loss to have standing. That would mean that GN must have no other option than to use Bloomberg's clip, and pay the license, which I don't think would fly. GN would have just produced the segment differently.
I disagree. HN discussions seem to have wildly liberal views of US copyright law and, in particular, fair use. Gamer's Nexus is surely commercial because they either make money (1) directly from YouTube, (2) directly from adverts / product placements, or (3) indirectly from merch.
I agree with the parent poster's point: "If news organizations can copy each other's clips of official speeches, who would bother going out and making such recordings?" When you see a head of state (or other VIP) making a speech and they show the media, there are normally 10+ different camera crews. If competitors can claim "fair use" for any of that footage, why would so many different media outlets send camera crews? The question answers itself.
A good counterpoint for fair use would be Wikipedia. They are very conservative about claiming fair use. I assume they have had pro bono (or not) lawyers review their policy and uses to confirm the strength of their claims. After hundreds of hours of reading Wiki, I can recall only once or twice ever seeing an artifact claim fair use. I think it was a severely downscaled photo of a no-longer-living person.
I think Wikipedia's relatively conservative (one might say erring on the side of safety) stance on free use is easy to understand when considering that they have a bank account stuffed to the brim with cash, minimal spend on hosting and developers compared to income and savings, and copyright lawsuits are one of very few of their exposed legal surfaces.
Additionally, folks don't like to rely on free use because the tests, though they have been well articulated, are inherently subjective and must be decided by a judge or jury. It's the sort of defense one wants to have available, but not depend on if possible, as a result.
Re: commercial use, in the US, just because a work is commercial does not automatically mean it loses fair use protection. Commerciality is only one factor of the four to be considered. Commercial parodies, for example, can still be fair use, especially where the work is transformative. IOW commerciality may weigh against fair use, but it is not dispositive. Google v Oracle involved fair use which was clearly commercial, for example.
GN's case would also be helped by the nature of the information being factual as opposed to artistic.
There are a lot of factors in whether or not an org can successfully take something to trial. Venue, judge, representation, jury selection, evidentiary rulings, all kinds of stuff. An imbalance in representation could easily swing it. So when I say that I think GN has a reasonable case, it's just me using the Supreme Court's rubric and some theoretical idealized court room which doesn't really exist. All I can say is that a good job could be done in arguing it. Whether or not GN could afford that work, or would want to, IDK.
They did have the video uploaded to archive.org (or at least link to someone else who did) and gave permission to anyone else to repost it. Which is how I saw it, some rando burner account on YouTube :)
It's sad to see what's happened to SuperMicro. They were one of the few vendors of server-grade hardware fitting standard ATX, mATX, and ITX form factors. In my experience their hardware was always better than the others who attempted to do the same (Gigabyte, Asus, ASRock). These days, motherboards with the features I want are going to be on AliExpress. Ironic considering this latest news is about putting trade barriers between the US and mainland China.
Supermicro is definitely a "you get what you pay for". We bought thousands of servers from their vertical integrations partners, had massive board and backplane problems. Took a few years but they eventually took back over $30 million dollars worth of servers, which were scrapped ultimately because the rework on them was so cost prohibitive. We lost $30M on that even after the $30M in good will refunds.
Supermicro also has the lowest bios/efi/bmc/ipmi/redfish out of any vendor we have seen.
Just low tier cheap ass shit by a company who can barely survive quarter to quarter without running some new scam on customers, investors, and even governments.
Pretty much the same experience (on a much smaller scale). And just open up one of their servers and compare the engineering to a Dell or HPE server. Anything that can be cheaped out is. Corrugated plastic for cooling air channels, FRU assemblies held in place with sheet metal screws, all very bargin basement.
I haven't worked with anything at that scale, but the little bit that I was SuperMicro adjacent I was always unimpressed by the "fit and finish" of the entire experience, as compared to Dell and HP. (Having said that, the entire x86 commodity server experience is shitty anyway. I had a brief time, early in my career, when I did work with DEC Alpha machines. Man, they had their shit together. Stuff was expensive as sin, but stuff worked together and worked well. Build quality was tank-like.)
When Compaq servers were still a thing it was the same with those. You could drop them two stories and they'd probably continue playing if the cable was long enough ;)
Oh and you'd get fined for damage to the pavement.
Pretty much. But at one point you could buy 2 to 3 units to every equivalent Dell or HP unit unless you had enough scale to get volume discounts. At $30M I expect the price to be a lot closer though.
Then it’s a matter of how well your engineering/ops org is setup to deal with silly hardware issues and annoyances. Some orgs will burn dozens of hours on a random failure, some will burn an hour or treat the entire server as disposable due to aforementioned cost differences. If you are not built to run on cheaply engineered gear that has lots of “quality of life” sharp edges (including actual physical sharp edges!) then you are gonna have a bad time. Silly things like rack rails sucking will bite you and run up the costs far more than anyone would expect unless you have experience to predict and plan for such things beforehand.
Of course you do have the risk of a totally shit batch or model of server where all that goes out the window. I got particularly burned by some of their high density blade servers, where it was a similar story to yours. Total loss in the 7 figures on that one!
Totally agreed on their BMC/firmware department. Flashbacks to hours of calls with them trying to explain the basics. My favorite story from that group is arguing with them over what a UUID is - they thought it was just a randomly generated string. Worked until one didn’t pass parsing on some obscure deeply buried library and caused mysterious automation failures due to being keyed against chassis UUID… and that’s when they’d actually burn one into firmware in the first place.
It was also always a tradeoff of having to deal with cheaped out hardware engineering with supermicro or with some horrible enterprise quarterly numbers driven sales process with Dell.
I've never received something other than what I've ordered. At worst the documentation is scant or missing entirely. Specifically with respect to motherboards, most of the aliexpress specials I've interacted with have had completely unlocked BIOSes. Which are easy to get yourself into trouble with, but kind of nice to have when you need them.
Curious what the features are that you like and can source from AliExpress? I have usually gotten boards from Asus and its ilk, these days with 4+ M.2 slots...
Of course. Just as it's impossible to have zero inefficiencies in any business or market. That's why I said "ideal", i.e. unachievable. But the closer we get, the better we are.
Most inefficiencies come from hard-to-get-into markets, like telecom market is an oligopoly. Or information disbalance (business actors hide their pricing, khm.. hospitals khm..). A good government would try to remove them inefficiencies as much as possible (public pricing, easy-to-get capital), and make every business race-to-the-bottom competition.
I thought about quite often while visiting a pub owned by the land lord renting out 150 rooms above. Each floor had a large industrial shared kitchen, shared bathrooms, toilets and a large shared living room. If people had 1-2 guests they would stay in their room, if they had 2-10 guests they would use the shared space, if they had 4-80 guests they would take the elevator to the pub. When one was bored with the guests or didn't have time they were left in the pub. Technically people had bar shifts in their rent contract (that you could buy your way out of) but there were plenty who enjoyed running the bar for free. Drinks were at cost. If you tried to tip or didn't take your change they left it on the counter and it would sit there for a day or two. The problem of the pinball machine earnings they solved with rounds of free drinks and chips.
When asked the owner said exploiting a bar was entirely to much work. If he wanted more money from the people living there he could just increase the rent?
Yeah this is just describing providing amenity for common areas in a shared building. Not much different from the doorman and free water bottles in the lobby or the rooftop swimming pool being baked into the rent of the units.
It depends on what you mean, do you mean both gross and net? Just one of the two?
Gross margin of zero would be mean you sell at exactly the cost to produce. Net margin of zero means you cover all your expenses including COGS. The only really difficult, practically impossible, thing would be doing both at the same time. Though, I could also see a case where you drive down net margins once sunk costs are paid and achieve both.
Doing so practically, or sustainably, in most circumstances would be uhh crazy… but it’s not impossible. Even then I think aiming for zero margin is a pretty credible tactic in eliminating competition if you can out sustain them.
TLDR; Weird? Sure. But not impossible. And even sort of likely if you’re trying to atrophy your competition out of existence.
> Remember the 2018 accusations of spy chips implanted in supermicro motherboards that everyone denied so strongly
It'd be easy to prove the existence of a pervasive "spy-chip" problem using a camera or a microscope. Unsurprisingly, neither Bloomberg nor it's quoted "experts" ever managed to do so, deapite loudly banging that drum.
Remember when Singapore buyers were an abnormally high percentage of nvidia's revenue? You have to wonder if these companies are this brazen because they know the DoJ will have political pressure not to nuke the bubble which is more important than being China hawks.
Yep, same how the sales of German industrial CNC, machines, tools and lathes exploded in Russia's neighbouring former soviet republics after 2022 for some reason.
Man, Kazakhstan must be an industrial powerhouse by now with all that German machinery. Can't wait for Kazakh EVs and semiconductors to hit the market.
The timing is brutal - SMCI already had the accounting restatement scandal in 2024, spent months fighting delisting, finally got somewhat rehabilitated in the AI infrastructure boom... and now this. 25% single-day drop on a company that was already trading at a discount to peers tells you the market was still pricing in tail risk. For anyone tracking institutional holdings - the 13F filings from Q4 showed several funds adding back SMCI after the accounting mess cleared up. Those bets just got very painful.
For fun, I will sometimes buy trivial positions in solid companies whose stock price falls 8-10% or so due to some minor temporary bad press and then resell in a month or two when the news cycle forgets about them and price rebounds. I make a decent amount of play money this way.
SMCI has a pattern of missteps over the years, I would not qualify them as a solid future bet.
(And in case someone asks the question, no that is not a viable long-term strategy one's retirement savings because it's very much speculating and doesn't work AT ALL when the market is volatile or falling as a whole.)
You could be right. But reading the comments here it seems it's had 2-3 scandals in the last 4 years, which makes me suspect that more could be brought to light.
MICE is the acronym for categorizing the common motivations for espionage:
M - Money/Greed
I - Ideology/Divided Loyalty
C - Coercion/Compromise
E - Ego
Sometimes, I think we look at people who are this wealthy and think they should be immune to these kinds of shenanigans, but I'd wager that the -ICE becomes even easier to exploit in people once they no longer need money, if they were already susceptible to it to begin with.
I wonder which of these the intelligence services prefer. Every one of them has their own advantages and drawbacks in terms of predictability, reliability, long term stability and chances of double dipping/playing both sides.
Most of these assets are not super spies. They have access to one particular type of information and the adversary squeezes all they can until all the juice is gone. Sophisticated espionage and double agents only exist in le Carre novels now.
People are commonly in it for the money, so they naturally project this on the ultra-wealthy. But you will (almost) never get to ultra-wealthy status without some other external drive. Everyone else hits $20M, set for life, checks out and retires.
All these billionaires are unfathomably rich, and still slamming 60-80hr work weeks. They are not in it for the money.
Can someone shed light on why China still couldn't copy the Nvidia GPUs in some form?
I understand its complex and there many parts to it, but which is the most complex part making it difficult for China to copy it?
Let's say they don't have access to 3nm process, what if they just use 12nm and create GPUs with much bigger size but comparable performance with CUDA compatibility? Or other option could be less tensor units, training will take longer, but they might be able to produce it cheaply
Copying CPUs isn't really a thing: they are too complex.
If you could steal all the designs at TSMC, and you had exactly the process that TSMC uses, you could definitely make counterfeits. If you didn't have TSMC's specific process, you could adapt the designs (to Intel or Samsung) with serious but not epic effort. If you couldn't make the processes similar (ie, want to fab on SMIC), you are basically back to RTL, and can look forward to the most expensive and time-consuming part of chip design.
This is nothing like copying a trivial, non-complex item like a car. Copying a modern jet engine is starting to get close (for instance, single-crystal blades), but even they are much simpler. I mention the latter because the largest, most resourced countries in the world have tried and are still trying.
Even if you had 'ai tools' guessing at component blocks on evaluation you would have to have some evaluation of the result.
And, thats assuming NVDA hasn't pulled a Masatoshi Shima type play on their designs (i.e. complex traps that could require lots of analysis to determine if they are real or fake)
Im not sure how much of a speedup even modern tooling/workflow could do reliably.
Even then,
The elephant in the room is that China is working on their own AI accelerators/etc, so while there can be benefit from -studying- the existing designs, however I think they do not want to clone regardless.
Oh, absolutely. Straight up soviet style cloning of masks makes no sense for multitude of reasons. In addition to what you've said, China isn't banned from N7 class Nvidia architectures so could just buy those on the open market.
If engines are hard to build, why not build a car 3x the size of a normal one, well you can but due to things like aerodynamics, etc etc you'll never match the speed or fuel economy of cars.
Same with chips, efficiency, speed, etc all depend on good design, and cutting edge factors, if the main reason your chip isn't faster is because of the distance between your L1 cache and your core is far, then having a bigger node process but bigger chip won't make it quicker.
> Can someone shed light on why China still couldn't copy the Nvidia GPUs in some form?
They have alternatives, like the Tian supercomputer was originally built with Xeon Phi chips that have been replaced with their own domestic alternatives.
A big limitation is getting access to fab slots. Nvidia and Apple are very aggressive about buying up capacity from TSMC, etc, and China's own domestic fabs are improving fast but still not a real match, particularly for volume.
But there's a distinct time/value of investment equation with the current AI boom. The jury is at best still out on what that equation is for the goals of capital (it's increasingly looking like there's no moat), but if you're a national government trying to encourage local bleeding edge expertise in new fields like this it's quite a bit more clear.
You can you just have to use a tiled architecture. And microprocessors already have far shorter wiring distances than the simple speed of light calculation because it takes time for the gates to make the transition as well.
With processors it's customary to use the "Fan out of 4" metric as a measurement of the critical paths. It's the notional display for a gate with fan out of 4, which is the typical case for moving between latches/registers. Microprocessor critical paths are usually on the scale of ~10 FO4.
The largest chip at the moment is Cerebras's wafer scale accelerator. There the tile is basically at the reticule limit, and they worked with TSMC to develop a method to wire across the gaps between reticules.
They can copy it. And no, the software moat is not there if someone choose the blatant copy route. They just can't build it in the scale they want yet.
> what if they just use 12nm and create GPUs with much bigger size but comparable performance
well, physics does work that way, depending on what you mean by performance.
(in the sense that power is normally part of performance when we're talking about chips).
you could certainly use a larger process and clone chips at an area and power penalty. but area is the main factor in yield, and talking about power is really talking about "what's the highest clockrate can you can still cool".
so: a clone would work in physics, but it would be slow and hot and expensive (low yield). I think issues like propagation delay would be second- or third-order (the whole point of GPUs is to be latency-tolerant, after all).
I'd been assuming that the Chinese AI labs producing excellent LLMs despite the NVIDIA export restrictions was due to them finding new optimizations for training against the hardware they had access to.
I wonder if any of those $2.5B of smuggled chips ended up being used for those training runs.
combination of both, they published papers so we can clearly see they are not just duplicating old methods but coming up with new optimizations. ... yet we can't rule out that they used Nvidia. I don't even see how the export restrictions work, it's stupid. A Chinese company can go to another country, say France or Canada, setup a business buy a bunch of GPUs then make it available to their subsidiary in China. The export restrictions doesn't restrict usage/sharing/renting as far as I know...
They definitely are using Nvidia. Part of deepseek's special sauce was using an "undocumented" ptx instruction to get a cute microoptimization with the memory hierarchy.
They don't work. Chinese are skilled enough to desolder and smuggle just the ships themselves. They make the rest of GPU in-house. With more VRAM than the nvidia offers, comically, in case of 4090.
Did you think the hesitancy of westerners engaging and relying on Chinese labs was due to vibes? There are fundamental cultural differences at play, wether we are comfortable admitting that or not.
If they were using banned chips they wouldn't declare them in public papers. There have been multiple documented/alleged cases of chips being routed through Singaporean shell companies.
Simon, love your work. Hope this is sarcasm. If not, imagine the opposite: Sam Altman and co suddenly started producing tons of content about how smart they are in Mandarin. Why do they even need a story to begin with, let alone one they push halfway around the world?
The $2.5B number is just these guys. It could be 10x in total.
Wild timing on this. SMCI was already under scrutiny from the accounting issues last year, and now this. Institutional holders have been quietly reducing positions over the last two quarters if you check the 13F filings. Sometimes the smart money exit is the real signal.
If you do, you could protect yourself with a sell stop below $17.25... because if it breaks that on weekly candles, next are $14 and $10. Or you could buy some calls instead when the volatility calms down. If you do it now, the volcrush could happen even if you're correct.
Not investment advice, do you own research. I'm just someone on the Internet.
I've had my own dealings with this awful company. Including Wally.
Let's just say that none of this comes as any surprise.
Now, what people should be asking is how much Jensen knew. In May he said there was nothing going on. But the videos of the Chinese guy holding H1/200's ... never got to him?
Also interesting how they waited until just after GTC...
Well, also had other pen testers come forward saying that they had found implants on supermicro servers and had talked to federal authorities who had said it was a known relatively large issue they were trying to get a handle on while keeping it under wraps.
And if it were posted to move the market, that would have been about the most cut and dry SEC violation possible, posted at a time when the federal government still enforced such things.
Whenever some soylent-drinking, impossible foods-eating dilettante says "debunked" I find myself not fully believing them. And Supermicro has always been sus. I can't believe people are only just now noticing.
Those claims were never confirmed, no? Some of it might be true or trueish but I'm not talking Bloomberg's anonymous sources word for it, and with so much supermicro gear out there you would think some other evidence would show up.
It depends on what you consider confirmed. It was kind of corroborated, at least. There was a CEO of a hardware security firm that came forward after the original article. He claimed that his firm had actually found a hardware implant on a board during a security audit. It wasn't exactly as Bloomberg described, though.
His take was that it was very unlikely that it impacted exclusively Supermicro, though.
I don't think it was a confirmed story. That is, the tiny "grain of rice" size Ethernet module that CEO of a security audit company allegedly found, was not present in other SuperMicro servers. SuperMicro itself, as well as it's buggest customers did not confirm the findings.
From what i recall, the story was very vague, there were no pictures of the specific chip, no pictures of the motherboard of the motherboard that would include serial, i.e. no details that would accompany a serious security research.
A supply chain attack similar to Supermicro's would be much more targeted and recalls with national security implications do get flagged via a separate chain.
Bloomberg's tech coverage is not great from what I've seen. Last year they published a video which was intended to investigate GPUs being smuggled into China, but they couldn't get access to a data center so they basically said we don't know if it's true or not. Meanwhile an independent Youtuber with a fraction of the resources actually met and filmed the smugglers and the middlemen brokering the sales between them and the data centers. Bloomberg responded by filing a DMCA takedown of that video.
What Bloomberg proposed - sniffing the TTL signal between BMC and boot ROM and flipping a few bits in transit - is far from science fiction. It would be easy to implement in the smallest of microcontrollers using just a few lines of code: a ring buffer to store the last N bits observed, and a trigger for output upon observing the desired bits. 256 bytes of ROM/SRAM would probably be plenty. Appropriately tiny microcontrollers can also power themselves parasitically from the signal voltage as https://en.wikipedia.org/wiki/1-Wire chips do. SMBus is clocked from 10khz to 1mhz, assuming that's what the ROM was hanging off of, which is comfortably within the nyquist limit on an 8 - 20mhz micro.
Something similar has been done in many video game console mod chips. IIRC, some of the mod chips manage it on an encrypted bus (which Bloomberg's claims do not require).
"On PsNee, there are two separate mechanisms. One is the classic PS1 trick of watching the subchannel/Q data stream and injecting the SCEx symbols only when the drive is at the right place; the firmware literally tracks the read pattern with a hysteresis counter and then injects the authentication symbols on the fly. You can see the logic that watches the sector/subchannel pattern and then fires inject_SCEX(...) when the trigger condition is met.
PsNee also includes an optional PSone PAL BIOS patch mode which tells the installer to connect to the BIOS chip’s A18 and D2 pins, then waits for a specific A18 activity pattern and briefly drives D2 low for a few microseconds before releasing it back to high-impedance. That is not replacing the BIOS; it is timing a very short intervention onto the ROM data bus during fetch."
> why not just modify it instead of adding physically observable devices to mess with it?
Look to the video game mod chip industry for your answer. Consoles obsessively verify system integrity from boot ROM to game launch. Most firmwares and OSes are encrypted, signed, hashed. Flipping bits in transit and perhaps only at specific times like system power on allows for the ROM to be read, verified, and checksummed correctly without detection of the implant. This makes the implant not only persistent, but stealthy. Even pulling the ROM chip and replacing it with a different IC would not remove the implant. And if the injection point were chosen carefully, implant functionality may reasonably be expected to persist across ROM updates. This is exactly the case with the PSNee mod chip I mention above. If I had to wager a guess, it'd be because the target, like console makers, was known to update and verify ROMs, which is SOP is any large org.
In terms of being physically observable... barely. You'd need an X-ray to find such a thing buried between PCB layers or inside another component. And not only that, you'd need to be routinely X-raying all your incoming equipment and comparing all the images. And even if you dug the thing out, you'd get a few dozen bytes of ROM out of it with no clue about who made it or how. Perhaps you might be able to determine origin for the silicon based on doping ratios and narrow it down to a few facilities operating at the right feature size. How many of us, upon receiving new equipment, immediately disassemble it to bits, individually x-ray each, then re-assemble it? Not many.
It's not a dumb idea. And whether or not actual evidence exists, exploiting the firmware on the board management controller is exactly the place where you can poke with the least effort for the greatest reward. That alone makes the attack plausible. Honestly surprised we haven't seen a BMC worm yet.
What was the last thing Schneier wrote on it? I thought it was this:
I don’t think it’s real. Yes, it’s plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.
HNers are acting reflexively skeptical (which isn't always a bad thing), but targeted supply chain based attacks conducted by a nation statein the manner described are actually doable, and back when I was still a line-level SWE this was when we started putting significant engineering effort into hardware tampering protections back in the 2015-17 period.
The hardware supply chain incident itself most likely happened in the late 2000s to early 2010s when hardware supply chain security wasn't top of mind as an attack surface.
Modchips targeting contemporaneous gaming systems like the PS1 and PS2 use a similar approach to the SuperMicro incident.
I don't believe that there was ever extra chips being added to the boards, but what I could believe is that they shipped with firmware on specific chips that enabled data exfiltration for specific customers and due to a game of telephone with non technical people it turned into "they're adding chips inside the pcb layers!"
I thought the point was an extra chip in the place of a pull up resistor or something that would edit the firmware image as it made its way across the bus, so you wouldn't see the modifications even if you pulled the flash chip and read it out manually, and would also be persistent across flash updates.
There also was a CEO of a hardware security company that came out and said that his firm had found an implanted chip during an audit. IIRC, he was convinced that it was very unlikely to be limited to Supermicro hardware.
I wonder what impact that kind of publicity had on their firms’ business…
I’m sure a brief glance at his shares and the company’s share price was enough to convince him that the “problem” was unlikely to be limited to just SuperMicro.
Amazing coincidence that his company could help others find out if they were impacted!
> he was convinced that it was very unlikely to be limited to Supermicro hardware
Yep. This was why there was a significant movement around mandating Hardware BOMs in both US and EU procurement in the early 2020s.
Also, the time period that the Bloomberg story took place was the late 2000s and early 2010s, when hardware supply chain security was much less mature.
Schneier was simply taking at face value the contents of the Bloomberg article, especially the statement by Mike Quinn who claimed he was told by the Air Force not to include any Supermicro gear in a bid.
There was a security auditing firm that came out a few days later claiming they'd found a chip, similar to the one Bloomberg described, during a security audit.
It's still nothing concrete, though. Their CEO basically said that they'd found one and that they couldn't say much more about it due to an NDA.
I'd like to think that modern centers are water cooled so it'd be more quiet these days unless you are implying that this application of theirs is running on legacy hardware? :P
Violating sanctions isn't exactly the same thing as smuggling. It also doesn't seem like it should be a crime to disagree with your state on who deserves what service... i never voted for the dingbats who control who is called a terrorist, let alone the people scared of china.
> It also doesn't seem like it should be a crime to disagree with your state on who deserves what service...
Seems like that's a pretty obvious and straightforward power for a state to have. The state has to make foreign and domestic policy decisions, and to be effective that would have to include trade restrictions. Otherwise you could have situations like businessmen profiting by selling weapons to the enemy to kill his own countrymen--and there are sociopaths who'd do that.
> i never voted for the dingbats who control who is called a terrorist, let alone the people scared of china.
> Otherwise you could have situations like businessmen profiting by selling weapons to the enemy to kill his own countrymen
We do this already, though—we sell weapons to israel to kill americans living in palestine—Israel has certainly killed many more americans than Iran ever has. And yet, the sanctions are applied as if the situations were the opposite. Make it make sense!
This entire line of thinking just seems like delusion to comfort yourself for having to live under a shitty state.
I agree. this is about US corporations using the government to protect their business moat. But 300M citizens can't use the government to ensure we have access to a doctor. It's sickening. China would be such a great competitor at what, making deep fakes or stealing from artists/musicians? It's stupid-on-top-of-stupid.
And the entire Bloomberg takedown drama added fire to the flames.