1. 28

  2. 10

    Featuring Lobsters’ very own @stevelord. Nice busting Supermicro out, Steve!

    And if anyone is wondering, I think the bad security started with apathy but they might have gotten paid for it later. There are only a few mobo vendors. If I did BULLRUN, I’d have paid them off before anyone except maybe Intel/AMD/IBM. Big checks to five or six companies would backdoor almost everything in production in desktops and servers.

    1. 2

      I’ve read a couple articles on this topic now that are calling BS on Bloomberg’s reporting.

      Here’s some alternative analysis, pure speculation.

      […] comparing the feat to “throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle.”

      Yep. That’s why they hit 30 companies when they were aiming for one. Hell, they could have been aiming for a single server with a single job, like storing the iOS firmware signing keys, or Signal’s Contact Discovery Servers.

      […] the firmware update process didn’t use digital signing […] made it easy for attackers to install […] firmware

      So the target is an organization that uses custom firmware on its servers, at least the special servers, eh? Okay.

      Thus concludes my baseless speculation.

      1. 4

        The whole ME processor and IPMI and UEFI and trusted computing “architecture” is such a mess that there is no secure system anywhere - security depends on the firewall.

        1. 2

          It’s mostly noise without real data and verification. I’d rather all that be off Lobsters. I liked this one for various reports of firmware vulnerabilities that show Supermicro’s security is garbage. That’s a bit more actionable.