
Posted by pera 6 hours ago

Super Micro Shares Plunge 25% After Co-Founder Charged in $2.5B Smuggling Plot(www.forbes.com)
238 points | 106 comments | page 2
simonebrunozzi 5 hours ago
So, good time to buy on the panic?
czbond 4 hours ago
If you do, you could protect yourself with a sell stop below $17.25... because if it breaks that on weekly candles, next are $14 and $10. Or you could buy some calls instead when the volatility calms down. If you do it now, the volcrush could happen even if you're correct.

Not investment advice, do your own research. I'm just someone on the Internet.

stevewodil 4 hours ago
Thank you stock astrologist
czbond 2 hours ago
I know you're in jest, but no worries. Strong support around $17 for lots of reasons - would be difficult to push it below that.

In fact there is an open gap that I'd expect it to close around $16.30 and another one around $19

brcmthrowaway 1 hour ago
How did you learn algotrading?
daedrdev 45 minutes ago
I'd like to sell you a bridge
markhahn 3 hours ago
interesting that the stock market (a subset of the prediction market now, right?) would even care, or would take this as a negative.

"sorry guys, I did something token-bad a while ago that got you more money."

that's the sort of mea culpa I'd expect to get rewarded these days...

dwa3592 5 hours ago
https://substack.com/home/post/p-191531928
latchkey 4 hours ago
I've had my own dealings with this awful company. Including Wally.

Let's just say that none of this comes as any surprise.

Now, what people should be asking is how much Jensen knew. In May he said there was nothing going on. But the videos of the Chinese guy holding H1/200's ... never got to him?

Also interesting how they waited until just after GTC...

phendrenad2 4 hours ago
Maybe it's time to re-visit that "spy chip" story from almost a decade ago.

Edit: Officially-debunked, I should note

CamperBob2 3 hours ago
Yes, debunked or at least never backed up by any actual evidence.

(Allegedly) just some Bloomberg (alleged) bullshittery, (allegedly) posted to move the market.

monocasa 3 hours ago
Well, also had other pen testers come forward saying that they had found implants on supermicro servers and had talked to federal authorities who had said it was a known relatively large issue they were trying to get a handle on while keeping it under wraps.

And if it were posted to move the market, that would have been about the most cut and dry SEC violation possible, posted at a time when the federal government still enforced such things.

midtake 3 hours ago
Whenever some soylent-drinking, impossible foods-eating dilettante says "debunked" I find myself not fully believing them. And Supermicro has always been sus. I can't believe people are only just now noticing.
maxglute 4 hours ago
They need a new logo.
alephnerd 5 hours ago
Oof. SuperMicro also had its hardware supply chain compromised back in the 2010s [0][1][2][3]

[0] - https://www.bloomberg.com/news/features/2018-10-04/the-big-h...

[1] - https://www.bloomberg.com/features/2021-supermicro/

[2] - https://www.schneier.com/blog/archives/2021/02/chinese-suppl...

[3] - https://www.theinformation.com/articles/apple-severed-ties-w...

progbits 5 hours ago
Those claims were never confirmed, no? Some of it might be true or trueish but I'm not taking Bloomberg's anonymous sources' word for it, and with so much supermicro gear out there you would think some other evidence would show up.
protimewaster 5 hours ago
It depends on what you consider confirmed. It was kind of corroborated, at least. There was a CEO of a hardware security firm that came forward after the original article. He claimed that his firm had actually found a hardware implant on a board during a security audit. It wasn't exactly as Bloomberg described, though.

His take was that it was very unlikely that it impacted exclusively Supermicro, though.

It was covered various places, including The Register https://www.theregister.com/2018/10/09/bloomberg_super_micro...

kantselovich 5 hours ago
I don't think it was a confirmed story. That is, the tiny "grain of rice" size Ethernet module that the CEO of a security audit company allegedly found was not present in other SuperMicro servers. SuperMicro itself, as well as its biggest customers, did not confirm the findings.

From what I recall, the story was very vague, there were no pictures of the specific chip, no pictures of the motherboard that would include a serial, i.e. no details that would accompany serious security research.

monocasa 2 hours ago
Did they originally say it was a grain of rice Ethernet module?

I thought it was supposed to be an incredibly tiny micro sitting on the BMC's boot flash to inject vulnerabilities.

alephnerd 5 hours ago
A supply chain attack similar to Supermicro's would be much more targeted and recalls with national security implications do get flagged via a separate chain.
frenchtoast8 5 hours ago
Bloomberg's claims sound like science fiction: https://www.servethehome.com/investigating-implausible-bloom...

Bloomberg's tech coverage is not great from what I've seen. Last year they published a video which was intended to investigate GPUs being smuggled into China, but they couldn't get access to a data center so they basically said we don't know if it's true or not. Meanwhile an independent Youtuber with a fraction of the resources actually met and filmed the smugglers and the middlemen brokering the sales between them and the data centers. Bloomberg responded by filing a DMCA takedown of that video.

timschmidt 4 hours ago
What Bloomberg proposed - sniffing the TTL signal between BMC and boot ROM and flipping a few bits in transit - is far from science fiction. It would be easy to implement in the smallest of microcontrollers using just a few lines of code: a ring buffer to store the last N bits observed, and a trigger for output upon observing the desired bits. 256 bytes of ROM/SRAM would probably be plenty. Appropriately tiny microcontrollers can also power themselves parasitically from the signal voltage as https://en.wikipedia.org/wiki/1-Wire chips do. SMBus is clocked from 10 kHz to 1 MHz, assuming that's what the ROM was hanging off of, which is comfortably within the Nyquist limit on an 8-20 MHz micro.

Something similar has been done in many video game console mod chips. IIRC, some of the mod chips manage it on an encrypted bus (which Bloomberg's claims do not require).

Here's one example of a mod chip for the PS1 which sniffs and modifies BIOS code in transit: https://github.com/kalymos/PsNee

"On PsNee, there are two separate mechanisms. One is the classic PS1 trick of watching the subchannel/Q data stream and injecting the SCEx symbols only when the drive is at the right place; the firmware literally tracks the read pattern with a hysteresis counter and then injects the authentication symbols on the fly. You can see the logic that watches the sector/subchannel pattern and then fires inject_SCEX(...) when the trigger condition is met.

PsNee also includes an optional PSone PAL BIOS patch mode which tells the installer to connect to the BIOS chip’s A18 and D2 pins, then waits for a specific A18 activity pattern and briefly drives D2 low for a few microseconds before releasing it back to high-impedance. That is not replacing the BIOS; it is timing a very short intervention onto the ROM data bus during fetch."
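As an added illustration that is not part of this thread: the C model below streams a constructed stand-in boot image bit-serially from "flash" to "BMC" through a simulated interposer of the kind described above (a shift register of the last N bits plus a trigger), and then contrasts two defender checks: hashing a dump of the flash chip, which cannot see an in-transit change, and hashing what the BMC actually received before executing it, which can. The image bytes, the trigger pattern and the use of FNV-1a in place of a real hash are all assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed 16-byte stand-in for the BMC boot image in the boot flash (assumption, not a
 * real image). The byte pair 0xA5 0x5A is the pattern the modelled interposer waits for. */
static const uint8_t FLASH_IMAGE[16] = {
    0x00, 0x00, 0x00, 0x00, 0xA5, 0x5A, 0x00, 0x00,
    0x0F, 0x0F, 0x0F, 0x0F, 0xF0, 0xF0, 0xF0, 0xF0 };
#define TRIGGER 0xA55Au /* last 16 bits seen on the wire that arm a single flip */

/* 32-bit FNV-1a, a stand-in for the real hash a hardware root of trust would use. */
uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
uint32_t golden_digest(void) { return fnv1a32(FLASH_IMAGE, sizeof FLASH_IMAGE); }

/* Bit-serial transfer flash -> BMC, MSB first. With tamper set, a modelled interposer keeps
 * the last 16 bits in a shift register (the comment's "ring buffer") and inverts the one bit
 * that follows TRIGGER. The flash contents are never written, only the bits in transit. */
void bus_transfer(const uint8_t *src, uint8_t *dst, size_t n, int tamper) {
    uint16_t window = 0; int armed = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t out = 0;
        for (int b = 7; b >= 0; b--) {
            unsigned bit = (src[i] >> b) & 1u;
            if (armed) { bit ^= 1u; armed = 0; }
            window = (uint16_t)((window << 1) | bit);
            if (tamper && window == TRIGGER) armed = 1;
            out = (uint8_t)((out << 1) | bit);
        }
        dst[i] = out;
    }
}

/* Defender view 1: desolder the flash and dump it. The dump always matches the golden
 * digest, so this check cannot see an in-transit modification. */
int flash_dump_matches_golden(uint32_t golden) { return golden_digest() == golden; }

/* Defender view 2: hash what the BMC actually received before it runs (a measured-boot
 * style check). Returns 1 if clean; else 0, reporting the first differing byte if asked. */
int measured_boot_ok(int tamper, uint32_t golden, size_t *first_bad_byte) {
    uint8_t received[sizeof FLASH_IMAGE];
    bus_transfer(FLASH_IMAGE, received, sizeof received, tamper);
    if (fnv1a32(received, sizeof received) == golden) return 1;
    for (size_t i = 0; i < sizeof received; i++)
        if (received[i] != FLASH_IMAGE[i]) { if (first_bad_byte) *first_bad_byte = i; break; }
    return 0;
}
size_t first_tampered_byte(void) { size_t i = 0; measured_boot_ok(1, golden_digest(), &i); return i; }
```

With the constructed image the flip lands on the first bit of byte 6, so the flash dump still verifies while the measured-boot check fails and points at byte 6.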

throwa356262 5 hours ago
Didn't that turn out to be incorrect?

Multiple security companies looked into this and found nothing malicious.

alephnerd 5 hours ago
Nope. Bloomberg doubled down on it and even Bruce Schneier accepted it despite initially being a skeptic.
WillPostForFood 2 hours ago
What was the last thing Schneier wrote on it? I thought it was this:

I don’t think it’s real. Yes, it’s plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.

https://www.schneier.com/blog/archives/2018/11/that_bloomber...

alephnerd 1 hour ago
https://www.schneier.com/blog/archives/2021/02/chinese-suppl...

HNers are acting reflexively skeptical (which isn't always a bad thing), but targeted supply chain based attacks conducted by a nation state in the manner described are actually doable, and back when I was still a line-level SWE this was when we started putting significant engineering effort into hardware tampering protections, back in the 2015-17 period.

The hardware supply chain incident itself most likely happened in the late 2000s to early 2010s when hardware supply chain security wasn't top of mind as an attack surface.

Modchips targeting contemporaneous gaming systems like the PS1 and PS2 use a similar approach to the SuperMicro incident.

unsnap_biceps 5 hours ago
I don't believe that there were ever extra chips being added to the boards, but what I could believe is that they shipped with firmware on specific chips that enabled data exfiltration for specific customers and due to a game of telephone with non technical people it turned into "they're adding chips inside the PCB layers!"
monocasa 2 hours ago
I thought the point was an extra chip in the place of a pull up resistor or something that would edit the firmware image as it made its way across the bus, so you wouldn't see the modifications even if you pulled the flash chip and read it out manually, and would also be persistent across flash updates.
protimewaster 5 hours ago
There also was a CEO of a hardware security company that came out and said that his firm had found an implanted chip during an audit. IIRC, he was convinced that it was very unlikely to be limited to Supermicro hardware.
alephnerd 5 hours ago
> he was convinced that it was very unlikely to be limited to Supermicro hardware

Yep. This was why there was a significant movement around mandating Hardware BOMs in both US and EU procurement in the early 2020s.

Also, the time period that the Bloomberg story took place was the late 2000s and early 2010s, when hardware supply chain security was much less mature.

greedo 5 hours ago
Schneier was simply taking at face value the contents of the Bloomberg article, especially the statement by Mike Quinn who claimed he was told by the Air Force not to include any Supermicro gear in a bid.
tumult 5 hours ago
No evidence was ever presented and nobody ever found anything, as far as I can tell?
protimewaster 5 hours ago
There was a security auditing firm that came out a few days later claiming they'd found a chip, similar to the one Bloomberg described, during a security audit.

It's still nothing concrete, though. Their CEO basically said that they'd found one and that they couldn't say much more about it due to an NDA.

fidotron 4 hours ago
From thousands of miles away you can hear the fans at the NSA data center as they spin up checking the background to all responses to this posting.
nebula8804 4 hours ago
I'd like to think that modern centers are water cooled so it'd be more quiet these days unless you are implying that this application of theirs is running on legacy hardware? :P
jacquesm 3 hours ago
I have it on good authority they only use SuperMicro ;)
throwaway27448 3 hours ago
Violating sanctions isn't exactly the same thing as smuggling. It also doesn't seem like it should be a crime to disagree with your state on who deserves what service... I never voted for the dingbats who control who is called a terrorist, let alone the people scared of china.
kube-system 18 minutes ago
> Violating sanctions isn't exactly the same thing as smuggling.

The actions described in the article are both smuggling and a violation of sanctions.

palmotea 2 hours ago
> It also doesn't seem like it should be a crime to disagree with your state on who deserves what service...

Seems like that's a pretty obvious and straightforward power for a state to have. The state has to make foreign and domestic policy decisions, and to be effective that would have to include trade restrictions. Otherwise you could have situations like businessmen profiting by selling weapons to the enemy to kill his own countrymen--and there are sociopaths who'd do that.

> i never voted for the dingbats who control who is called a terrorist, let alone the people scared of china.

So what?