Anyone have any SuperMicro Boards? China hardware hack

Ian&Steve C.
Joined: 28 Sep 99
Posts: 4267
Credit: 1,282,604,591
RAC: 6,640
United States
Message 1958393 - Posted: 4 Oct 2018, 17:43:48 UTC

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

i have several. not that any one of us would be a real target for something like this. and it *sounds* like it's only impacting boards with IPMI access via the BMC.

but wow.
Seti@Home classic workunits: 29,492 CPU time: 134,419 hours

ID: 1958393 · Report as offensive
Al Crowdfunding Project Donor*Special Project $75 donorSpecial Project $250 donor
Joined: 3 Apr 99
Posts: 1682
Credit: 477,343,364
RAC: 482
United States
Message 1958401 - Posted: 4 Oct 2018, 19:04:22 UTC - in response to Message 1958393.  
Last modified: 4 Oct 2018, 19:07:16 UTC

Holy Crap. This is Huge. SuperMicro's stock when I typed this is down almost 50% right now. This could actually kill the company, especially when the lawsuits start flying - if it can be independently verified that what Bloomberg stated is actually true. Wonder if it's still possible to short them? :-O

ID: 1958401 · Report as offensive
Profile Zalster Special Project $250 donor
Volunteer tester
Joined: 27 May 99
Posts: 5517
Credit: 528,817,460
RAC: 242
United States
Message 1958403 - Posted: 4 Oct 2018, 19:29:55 UTC - in response to Message 1958401.  

This is what happens when you shift production overseas. Lack of oversight allows for such things.
ID: 1958403 · Report as offensive
Ian&Steve C.
Joined: 28 Sep 99
Posts: 4267
Credit: 1,282,604,591
RAC: 6,640
United States
Message 1958409 - Posted: 4 Oct 2018, 20:14:51 UTC - in response to Message 1958403.  

This is what happens when you shift production overseas. Lack of oversight allows for such things.


not just overseas, but China specifically. the government has the final say to which companies are "allowed" to continue operating. which likely involves allowing government access deep within the business and the ability to keep things like this under wraps.
Seti@Home classic workunits: 29,492 CPU time: 134,419 hours

ID: 1958409 · Report as offensive
TBar
Volunteer tester

Joined: 22 May 99
Posts: 5204
Credit: 840,779,836
RAC: 2,768
United States
Message 1958420 - Posted: 4 Oct 2018, 21:17:21 UTC

I've got a Chinese story of my own. It involves those Chinese Video cards selling on eBay. I ended up with one and decided it might be useful to just run the Display on My development machine. As long as you don't try to use it for compute, it seems to run the monitor fine in Linux. Most of My cards are in the Mining machine so I was short a card or two. All seemed well, the Apps passed the Benchmark App so I placed it on the Miner. Then I noticed the Inconclusives. Then I checked the results...most of the Stderr output was missing. Then I checked the Stderr output in the slots as it was being written. The Stderr output in the Slots were all in Chinese. You can't make this up. The client_state apparently doesn't do Chinese so the results were just missing in the Client_state file. The files in the Slots were full of Chinese though, even though the App wasn't being run on a Chinese card. Weird. So, I replaced the Chinese card, compiled another App, and all is well, No more Chinese in the Stderr output.
Be careful with your Chinese video cards...
ID: 1958420 · Report as offensive
MarkJ Crowdfunding Project Donor*Special Project $75 donorSpecial Project $250 donor
Volunteer tester
Joined: 17 Feb 08
Posts: 1139
Credit: 80,854,192
RAC: 5
Australia
Message 1958421 - Posted: 4 Oct 2018, 21:17:54 UTC

Great I have two as file servers. I wonder how you check for this chip, and if one can do anything about it apart from junking an otherwise perfectly good motherboard.
BOINC blog
ID: 1958421 · Report as offensive
RickToTheMax

Joined: 22 May 99
Posts: 105
Credit: 7,958,297
RAC: 0
Canada
Message 1958423 - Posted: 4 Oct 2018, 21:45:01 UTC

You might also want to read the response from Apple, Amazon and Supermicro.
https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond

No idea if it is true or not, but Bloomberg could at least provide some evidence, actual hardware proof of some sort to back up the claim.
Not going to happen in today's journalism i don't think..
ID: 1958423 · Report as offensive
Profile Tom M
Volunteer tester

Joined: 28 Nov 02
Posts: 5124
Credit: 276,046,078
RAC: 462
Message 1958437 - Posted: 4 Oct 2018, 23:44:23 UTC

I hope ASRock and MSI mb's are not related to SuperMicro at all!

On the other hand I have a generic Chinese X79 mb so maybe I should be worried :(

Tom
A proud member of the OFA (Old Farts Association).
ID: 1958437 · Report as offensive
Profile betreger Project Donor
Joined: 29 Jun 99
Posts: 11360
Credit: 29,581,041
RAC: 66
United States
Message 1958440 - Posted: 4 Oct 2018, 23:54:11 UTC - in response to Message 1958423.  

ID: 1958440 · Report as offensive
Ian&Steve C.
Joined: 28 Sep 99
Posts: 4267
Credit: 1,282,604,591
RAC: 6,640
United States
Message 1958475 - Posted: 5 Oct 2018, 2:20:57 UTC - in response to Message 1958437.  

Great I have two as file servers. I wonder how you check for this chip, and if one can do anything about it apart from junking an otherwise perfectly good motherboard.


I hope ASRock and MSI mb's are not related to SuperMicro at all!

On the other hand I have a generic Chinese X79 mb so maybe I should be worried :(

Tom


i wouldn't worry about it. no one cares about our home file servers or seti machines or cat pictures.

they are after IP from big companies and government info.
Seti@Home classic workunits: 29,492 CPU time: 134,419 hours

ID: 1958475 · Report as offensive
Profile Brent Norman Crowdfunding Project Donor*Special Project $75 donorSpecial Project $250 donor
Volunteer tester

Joined: 1 Dec 99
Posts: 2786
Credit: 685,657,289
RAC: 835
Canada
Message 1958480 - Posted: 5 Oct 2018, 2:54:47 UTC - in response to Message 1958475.  

Exactly, If they want to impress us, tell us which files need to be looked at closer :))
ID: 1958480 · Report as offensive
Profile zoom3+1=4
Volunteer tester
Joined: 30 Nov 03
Posts: 65709
Credit: 55,293,173
RAC: 49
United States
Message 1958514 - Posted: 5 Oct 2018, 8:33:38 UTC

Thankfully, No, just Asus and EVGA at the moment, though I had contemplated SuperMicro and this came up, that finished that.
The T1 Trust, PRR T1 Class 4-4-4-4 #5550, 1 of America's First HST's
ID: 1958514 · Report as offensive
Profile Raistmer
Volunteer developer
Volunteer tester
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 1959216 - Posted: 8 Oct 2018, 6:57:22 UTC - in response to Message 1958420.  

I've got a Chinese story of my own. It involves those Chinese Video cards selling on eBay. I ended up with one and decided it might be useful to just run the Display on My development machine. As long as you don't try to use it for compute, it seems to run the monitor fine in Linux. Most of My cards are in the Mining machine so I was short a card or two. All seemed well, the Apps passed the Benchmark App so I placed it on the Miner. Then I noticed the Inconclusives. Then I checked the results...most of the Stderr output was missing. Then I checked the Stderr output in the slots as it was being written. The Stderr output in the Slots were all in Chinese. You can't make this up. The client_state apparently doesn't do Chinese so the results were just missing in the Client_state file. The files in the Slots were full of Chinese though, even though the App wasn't being run on a Chinese card. Weird. So, I replaced the Chinese card, compiled another App, and all is well, No more Chinese in the Stderr output.
Be careful with your Chinese video cards...

Did you try just installing a generic driver instead of the one provided by the supplier?
AFAIK a GPU can't write into stderr on its own. So, it's driver API messages from a localized driver. The single place that could give Chinese symbols directly from hardware is the device model name stored in its ROM.
Such weakness of the BOINC XML parser is a sad thing. What if an app's stderr contains, let's say, Cyrillic, will it break too?...
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 1959216 · Report as offensive
Profile Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1959225 - Posted: 8 Oct 2018, 7:54:01 UTC

The Chinese spy on you through Chinese hardware? And that's news?
North Korea does it better:
Today, the country’s firms generate foreign revenue from the sale of a wide range of related goods and services, including website and app development, administrative and business management software, radio and mobile communications platforms, IT security software, and biometric identification software for law enforcement applications. North Koreans appear to have marketed virtual private networks (VPNs) and encryption software in Malaysia, sold fingerprint-scanning technology to large Chinese companies and parts of the Nigerian government, produced facial recognition software for law enforcement agencies via front operations, and built websites for myriad individual and corporate clients. (from this PDF).

It sells all that from apparently legitimate-looking businesses outside of NK.
So watch out what you order on the internet. Or have it vetted. Or don't put it on your network without some air gap or sandboxing.
ID: 1959225 · Report as offensive
Profile Raistmer
Volunteer developer
Volunteer tester
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 1959233 - Posted: 8 Oct 2018, 8:32:04 UTC - in response to Message 1959225.  


So watch out what you order on the internet. Or have it vetted. Or don't put it on your network without some air gap or sandboxing.


I'd say what you give is what you get in return. Nothing new. Absolutely the same measures are required when one deals with "good old" non-outsourced American firms and their hardware/software.
The history of different hardware bookmarks in Intel's production lasts decades. "Ooops, just bug-just bug" every time when disclosed :)
Not to mention the latest Google/M$ trends that got in user's underwear already. To rephrase Twain, rumors of NK danger are greatly exaggerated.
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 1959233 · Report as offensive
TBar
Volunteer tester

Joined: 22 May 99
Posts: 5204
Credit: 840,779,836
RAC: 2,768
United States
Message 1959273 - Posted: 8 Oct 2018, 15:43:55 UTC - in response to Message 1959216.  
Last modified: 8 Oct 2018, 15:44:44 UTC

I've got a Chinese story of my own. It involves those Chinese Video cards selling on eBay. I ended up with one and decided it might be useful to just run the Display on My development machine. As long as you don't try to use it for compute, it seems to run the monitor fine in Linux. Most of My cards are in the Mining machine so I was short a card or two. All seemed well, the Apps passed the Benchmark App so I placed it on the Miner. Then I noticed the Inconclusives. Then I checked the results...most of the Stderr output was missing. Then I checked the Stderr output in the slots as it was being written. The Stderr output in the Slots were all in Chinese. You can't make this up. The client_state apparently doesn't do Chinese so the results were just missing in the Client_state file. The files in the Slots were full of Chinese though, even though the App wasn't being run on a Chinese card. Weird. So, I replaced the Chinese card, compiled another App, and all is well, No more Chinese in the Stderr output.
Be careful with your Chinese video cards...

Did you try just installing a generic driver instead of the one provided by the supplier?
AFAIK a GPU can't write into stderr on its own. So, it's driver API messages from a localized driver. The single place that could give Chinese symbols directly from hardware is the device model name stored in its ROM.
Such weakness of the BOINC XML parser is a sad thing. What if an app's stderr contains, let's say, Cyrillic, will it break too?...
C'mon Raistmer, you know the only drivers supplied by the 'Suppliers' are for Windows. That driver CD would be more useful being used as a Frisbee with Fido than a Linux driver CD. The Driver was the standard one from nVidia, which has Never embedded Chinese in an App before. Obviously the stderr was being written by the App, the machine running the App didn't even have a Chinese card, I believe I mentioned that. The only question is how the Chinese card triggers the App to write stderrs in Chinese. I wasn't aware a GPU can override the code being used by a compiler. Both Systems involved were using English, US as the language.
ID: 1959273 · Report as offensive
Profile Raistmer
Volunteer developer
Volunteer tester
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 1959278 - Posted: 8 Oct 2018, 17:20:04 UTC - in response to Message 1959273.  

The only question is how the Chinese card triggers the App to write stderrs in Chinese.

Yep, very hard question :)
And if the app is Lunatics-based I'm sure it has no localization strings besides English at all. So, still only the driver/runtime could be responsible.
The trigger factor could be the ID string in ROM. Hardly believable, though, that the driver/runtime selects language based on card ID.
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 1959278 · Report as offensive
TBar
Volunteer tester

Joined: 22 May 99
Posts: 5204
Credit: 840,779,836
RAC: 2,768
United States
Message 1959280 - Posted: 8 Oct 2018, 17:55:11 UTC - in response to Message 1959278.  

So, still only driver/ runtime could be responsible....
Hard to believe you keep saying that when the problem doesn't exist when a US marketed card is used. Obviously the Fake Chinese 970 is responsible. This is a Fake 970, to fool the BIOS the card uses a Boot ROM prior to entering BIOS. If you watch the screen closely you can see the card info appear on screen just before the machine enters BIOS. This is how they can fool the machine/OS into reporting a 550Ti is really a 970. Remove the Chinese Fakery and the problem goes away.
ID: 1959280 · Report as offensive
Profile Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1959283 - Posted: 8 Oct 2018, 18:11:20 UTC - in response to Message 1959233.  

I'd say what you give is what you get in return. Nothing new. Absolutely the same measures are required when one deals with "good old" non-outsourced American firms and their hardware/software.
Yes, and you're a Russian, anything you say has to be not believed or let's call out the Russian Ambassador on that. :-)
ID: 1959283 · Report as offensive
Profile Raistmer
Volunteer developer
Volunteer tester
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 1959307 - Posted: 8 Oct 2018, 20:20:01 UTC - in response to Message 1959280.  

So, still only driver/ runtime could be responsible....
Hard to believe you keep saying that when the problem doesn't exist when a US marketed card is used. Obviously the Fake Chinese 970 is responsible. This is a Fake 970, to fool the BIOS the card uses a Boot ROM prior to entering BIOS. If you watch the screen closely you can see the card info appear on screen just before the machine enters BIOS. This is how they can fool the machine/OS into reporting a 550Ti is really a 970. Remove the Chinese Fakery and the problem goes away.

So you suppose the GPU BIOS is able to redirect text output to a file? Hm... I would like to look at such a card, really. Sounds like this masterpiece would be much more costly than a usual 1080Ti perhaps :)
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 1959307 · Report as offensive