[HN Gopher] Dell and HPE switches come with 'American Megatrands' stickers
___________________________________________________________________

Dell and HPE switches come with 'American Megatrands' stickers

Author : geerlingguy
Score  : 159 points
Date   : 2021-12-14 18:14 UTC (4 hours ago)
Link   : www.servethehome.com

___________________________________________________________________

dubcanada wrote:
  General question, but who cares? Would you rather they reprint all of these stickers just to solve your OCD about proper spelling?

jacquesm wrote:
  Labels like that are quite frequently a sign that you're dealing with a counterfeit product or something that has been places where it shouldn't.

rasz wrote:
  Misspelled stickers are how you recognize Chinese clones/counterfeits.

  Want some Amtech flux made in Colifomia?
  https://sudonull.com/post/100244-Amtech-fluxes-hoax-on-a-glo...
  https://ultrakeet.com.au/write-ups/fluxInfo

cbm-vic-20 wrote:
  Made with in Colifornia

walrus01 wrote:
  Designed by Abble in Califarnia

newsclues wrote:
  Yes.

xondono wrote:
  If I'm spending thousands of dollars on these devices, I expect them to not screw up something like that.

  It would not be the first time someone sends a device for RMA to be told it's out of warranty because it has been tampered with, when in reality it was a manufacturing mistake.

ComputerGuru wrote:
  My Dell Precision 5520 (nee XPS 9560) battery came with obvious spelling and grammatical errors... just like the cheap Chinese clones I bought to replace it after a few years did (because Dell doesn't sell the battery online). The clone I received was garbage and not up to the advertised specs so I tossed it and called my Dell sales rep and managed to get him to order me a new battery (it's apparently not considered a user-replaceable part although it really is) and lo and behold the new one came with the same spelling errors as the one I got from China.

  I have zero faith in their supply chain.

MangoCoffee wrote:
  I used to work for a Dell contracted repair/shipping center. Corporate screw-ups happen all the time. There was one incident, before the winter shopping holidays, where Dell ordered thousands of 27" all-in-one PCs for retail sales from a China OEM.

  The problem is the all-in-one is not all-in-one. The back of the all-in-one is missing a PC! The all-in-one is now a 27" monitor with an empty lump where the PC was supposed to be. Dell screwed up. Dell ended up selling these all-in-one PC monitors to corporations for cheap.

walrus01 wrote:
  Wouldn't the LCD panel in the all-in-one (missing the actual x86-64 PC) be something like an LVDS interface between the intended motherboard and the panel? This would mean you couldn't just sell them off as cheap weird monitors since they would have no external HDMI or DisplayPort connectors or interface to plug a computer into.

  Persons intending to use it as a monitor would have to go scrounge eBay for something like an HDMI-to-LVDS interface board and wire it up themselves.

MangoCoffee wrote:
  It was made with a lump in the back as a functional monitor. It was supposed to be an all-in-one and now it's just an "all-in-one" monitor.

  Sorry if I wasn't clear.

walrus01 wrote:
  You weren't unclear, I was just curious how they resolved it, since that's a really weird scenario...

ksec wrote:
  > (HPE did not care enough to investigate)

  That is a useful signal to avoid HPE.

Am_I_Right wrote:
  Neither Dell nor HPE manufactures switches (the former never has, the latter hasn't for the past few years). So, these are all sourced from an OEM like Edgecore.

  And, someone at that OEM ordered a bunch of misspelled stickers. Easy mistake to make, if the Latin alphabet is literally foreign to you.

  And if you think that sticker is bad? Wait until you see the actual firmware, oh boy... (I had some fun Edgecore LACP bugs take down a pretty sizable network. Things got slightly better once they moved to Linux-based firmware, but never to the point that their kit was, like, entirely reliable...)

walrus01 wrote:
  Edgecore is just a marketing name, the actual company is Accton.

  They're generally a competitor of companies like Compal, Clevo, Quanta. All well known in Taiwan if you're in the business of having 3rd parties manufacture your stuff.

alliao wrote:
  I'm pretty sure Accton is Compal's communications subsidiary.

walrus01 wrote:
  That is a good point, not something I'd had reason to think about since 2006 or so. Compal is quite a behemoth.

  https://en.wikipedia.org/wiki/Compal_Electronics

  US $26 billion revenues. Most people have never heard of it, only its consumer facing brands like Ignitenet.

merb wrote:
  It's crazy how many tech companies Taiwan has. I'm pretty sure that this has conflict potential with China (i.e. China with the EU/US).

walrus01 wrote:
  Some 15-20 years ago most of the big Taiwanese electronics manufacturing companies (top tier x86-64 motherboard makers would be a good example) moved a lot of their factory operations to mainland China, for lower cost labor.

  It's very interconnected now.

  There's a fascinating yearly trade show of Taiwanese manufacturers: https://www.computextaipei.com.tw/en/index.html

ksec wrote:
  Well, for many stickers, they have to be ordered from the original vendor / AMI. I guess this is not the case here.

  Turns out it is coming from AMI, but AMI Taiwan.

  > AMI Taiwan needed to get license stickers for the local market. Instead of using the "American Megatrends" MegaRAC PM sticker template, it decided to make its own that had the misspelling.

bluedino wrote:
  Isn't the fear that they are imitation parts?

mxxx wrote:
  Yes, but they're not. It was just a typo.

Am_I_Right wrote:
  I'm not entirely sure what the fear is. The AST2600 the sticker seems to have been pasted to is a pretty complicated IC with (and this is the important part) user-upgradeable flash to begin with.

  So, you want to do a supply-chain attack? Simply reflash the genuine modules. No need to spend more. On the other hand: you want to save a few bucks? Possibly do a knock-off chip, but you're definitely not going to bother with the firmware. Too expensive!

  This is definitely a case of "trying to save a few bucks". Both Dell and HPE are in a race to the bottom, and the sticker being indicative of anything significant beyond that is... unlikely...

NAR8789 wrote:
  I think so, but assuming that is the case... what's to stop a shady chipmaker from printing properly-spelled "American Megatrends" stickers? More generally... are there any actual protections offered by genuine stickers?

  The article makes this out to be a major supply chain security issue, and that only makes sense if branding stickers are actually reliable for validation purposes. But that seems... nonsensical? Wouldn't stickers be very easy to forge?

  But, I don't work in supply chains. Anyone with better expertise in this area able to chime in?

  I will admit I skimmed the article, because it is long and overly-detailed for my level of interest, and because it lacks summary sections.

jcrawfordor wrote:
  It's not at all that a properly spelled sticker gives assurance that it's not counterfeit... it's just that a misspelled sticker is such an obvious sign of a potential counterfeit that it's basically the #1 thing that any counterfeit/suspect items program teaches people to look for. Most people working on counterfeits don't speak English so it's very easy for these kinds of mistakes to slip through, and on the other hand they're rarely made by the genuine manufacturer which usually has a process to check for this kind of thing even if the engineering work is done in a non-English speaking country (most of all that the logos usually come from off-the-shelf art files from the marketing department, so no one's even typing the name to make a mistake).

  Almost any corporate or institutional counterfeit or supply chain security program will explicitly teach you: if anything is misspelled or shows other obvious mistakes, hold the part as a suspected counterfeit. It's a pretty good quality indication.

  So of course manufacturers do genuinely make spelling mistakes sometimes, but this context makes it a pretty embarrassing and serious thing to do. It's like your bank misspelling their name in an account notification: sure, in some extremely theoretical sense it doesn't _mean_ anything, but in practice they're giving you exactly the signal that everyone tells you to check for to identify phishing, and it raises questions about their processes that they let it slip through.

jdlshore wrote:
  The article takes a while to get to the point, so here it is:

  1. Article author discovers "American MegaTrAnds" sticker on a chip in high-end switches.

  2. Author fears supply chain tampering.

  3. Author contacts American Megatrends (AMI). Hijinks ensue. AMI eventually confirms that it's a typo.

  4. Therefore, there is no supply chain tampering.

  5. But author is concerned about what this means for the state of supply chain verification.

howdydoo wrote:
  > supply chain tampering

  Naive question, I don't know much about this industry. But if someone from China or the NSA wanted to make counterfeit chips, why would they risk putting something different on the label? It seems like a weird place to draw the line. Would the NSA really say "oh no, we can't violate anyone's trademark!" and misspell the label and hope their entire operation isn't exposed?

bellyfullofbac wrote:
  Sometimes bandits are sloppy or have Dunning-Kruger, e.g. with pirated DVDs the sleeve art is just a hot mess of random words, but I guess if they were making fake chips they'd be a bit better at it. Or the guy they hired to do the Photoshop says he's real good but he's actually sloppy, and everyone else just sees random glyphs (imagine if you were having to copy an Arabic label, I assume you can't read Arabic).

vgel wrote:
  Counterfeit chips aren't just a state-level actor problem, companies do it for profit as well. I think the worry is just, if the person who was supposed to be checking for counterfeits missed _this_, how would they have any chance of catching a more sophisticated counterfeit?

foobiekr wrote:
  This is laughably sloppy.

  One of my favorite customers actually took a calorimeter to the LEDs that were in one of our deliveries of router chassis. They felt that the amber wasn't quite amber enough and so they measured it. They were right: while it was amber, it wasn't spec amber. So they shipped it all back. We were very embarrassed and supply chain was given a dressing down. They missed a parts quality issue.

  A typo like this is extremely indicative of a sloppy organization.

alfalfasprout wrote:
  Was your typo intentional? Calorimeter -> colorimeter?

mrtksn wrote:
  > sloppy organization.

  Or a communication issue? How do the people looking inside the assembled product tell the people who design the product that they made a typo?

  A few years back, the company I worked for created a landing page where an image of a beautiful young woman was happy about our deals. It wasn't my job, I was looking at the design out of curiosity and I noticed that one eye of hers was looking in another direction and the other eye in the other direction. I tried to raise the issue with a few people higher up but they didn't understand or didn't care as they were excited for the release or busy with other stuff.

  To this day, I wonder, was it intentional? Maybe it was a joke or something I didn't get. The campaign ran fine, no one talked about it. I don't know, maybe I don't get graphic design, maybe the eye situation was a marketing message about how the lady was having an eye on the numerous amazing deals of ours.

detaro wrote:
  What is the relevant spec for colors here? Is there some ISO or whatever for signal lights on equipment defining it?

jwandborg wrote:
  It might be regulatory concerns, maybe they hadn't licensed that particular wavelength of orange for local broadcasting purposes, or EMI concerns with regards to the off-white spectrum, at least if I let my thoughts run without moderation.

fxtentacle wrote:
  Parent comment probably meant "colorimeter" which will measure colors in either spectral distribution or XYZ color space.

  So you could say something like RAL color # 123 +- 5% in XYZ space. Or you can just specify: that color needs to be closer to RAL #123 than to any other RAL number, so then you'd also have an implicit definition of the valid color range.

detaro wrote:
  What the "something like" is exactly and where it came from is kind of my question.

KennyBlanken wrote:
  What I find funny: the guy who runs STH frothing at the mouth about a typo. To paraphrase Nick Fury: "Pot, kettle."

  The STH guy can't spell to save his life and his grammar is terrible. His sentence structure and general writing skills are about what I would expect from a fourth-grade child.

  He also is an incredible drama-llama, making mountains out of molehills; I've seen him do this time and time again.

  He sees a misprinted sticker and sees supply chain attacks? Dude. This gear is assembled by people in third world countries making wages that amount to a few dollars a day or less. They don't speak English. They may not even read Roman letters. I'd challenge him to do QA on any non-Roman alphabet...

  I bet someone did notice the stickers, but getting them reprinted (assuming it was caught before assembly started) may have meant a delay. Even a minor delay can be a major, major problem since this stuff is scheduled practically down to the hour in the factories; ditto for shipping deadlines. Or if they were already on assembled boards (or worse, inside assembled equipment) the cost to replace the sticker would be astronomical, with exactly zero value to the vendor or their customers. It's cosmetic.

[deleted]

1970-01-01 wrote:
  Yes. TL;DR: Chip does not meet MILSPEC or any other spec. People are OK with it. The chips really should be de-capped and researched.

ricardobeat wrote:
  They _said_ there is no tampering. Someone should x-ray this chip vs a correctly labeled one to verify.

sneak wrote:
  X-ray won't help you. You can backdoor silicon by introducing a single faulty junction.

wmf wrote:
  AMI is a firmware company so you'd check the hash of the BMC flash contents.

xondono wrote:
  Although it would be much (_much_) more elaborate, a counterfeit BMC could have hidden ROMs or bootloaders capable of opening backdoors into running machines.

wmf wrote:
  Note that the BMC chip comes from a different company (ASPEED) who has not been implicated in this "stickergate".

bruce343434 wrote:
  Perhaps off-topic, but where does the -gate suffix come from? It seems it can be replaced by "troubles".

  Gamer troubles. Sticker troubles. But what does -gate even mean?

cipheredStones wrote:
  This is covered by the Wikipedia articles others have linked, but briefly: Richard Nixon (US President from 1969-1974) was forced to resign by the revelation that he had paid for criminals to break into the Democratic Party's campaign headquarters in the Watergate Hotel. The entire affair became known as Watergate.

  Later, one of Nixon's former speechwriters, William Safire, propagated the use of -gate as a generic suffix for any type of scandal, notably including very minor ones. It's likely that part of why he did this was to retrospectively diminish the perceived seriousness of the Watergate scandal.

mensetmanusman wrote:
  Have you heard about the gategate?

  https://www.poynter.org/reporting-editing/2015/gategate-its-...

freeman478 wrote:
  I think it comes from https://en.wikipedia.org/wiki/Watergate_scandal

handrous wrote:
  Ah, good old Watergate-gate.

CBLT wrote:
  https://en.wikipedia.org/wiki/List_of_%22-gate%22_scandals_a...

walrus01 wrote:
  > But author is concerned about what this means for the state of supply chain verification.

  This is a brown M&Ms problem: https://conversableeconomist.blogspot.com/2020/10/the-no-bro...

  If they missed something as obvious as this, who knows what other problems are going on in supply chain security or total lack of QA.

formerly_proven wrote:
  I'm not so sure. These BMCs are dumb SoCs like any other (just with specialized I/O), their firmware comes from an external SPI flash. I doubt there is anything AMI specific at all in these chips. Looks like it's basically a license sticker some worker is putting on these boards after they're all assembled and tested. I can see how these stickers are there, maybe for contractual/legal reasons, without being a critical part of the BMC board BOM (1x roll of "AMI loicense stickers").

xondono wrote:
  These "dumb SoCs" are one of the biggest security holes in a lot of high end equipment.

  It would not be the first time someone finds exploitable firmware bugs and vulnerable BMCs through Shodan.

NAR8789 wrote:
  I'd argue it's slightly different--

  - no brown m&m's specifically calls out no brown m&ms in a list of requirements, and uses it as a canary for reading comprehension.

  - a misspelling is an "obvious" problem, but I suspect not called out anywhere as a specific requirement.

  "No brown m&ms" catches when people aren't paying detailed attention to your (presumably reasonably scoped) requirements doc.

  Asking people to catch all "obvious" problems holds them accountable to an unbounded guessing game, and you're far more likely to catch people out, simply because of differences in where they choose to focus.

walrus01 wrote:
  The misspelling means two different things to two categories of people... Those who haven't worked in electronics manufacturing are highly likely to say "oh it's just an honest mistake".

  Those who _have_ worked in electronics manufacturing will immediately see it as a possibly scary sign of counterfeit components making their way into the supply chain. Same as what happened with counterfeit capacitors in east Asia. Much like the early 1980s Van Halen tour example linked above, it's a reason for hitting the big red "OKAY, STOP EVERYTHING" button and a re-check of all of the other components and supply chain going into the product.

KennyBlanken wrote:
  Anyone familiar with electronics manufacturing knows that for most of the people involved in the production of your stuff, English is a second language and Roman characters are not their primary alphabet.

  > it's a reason for hitting the big red "OKAY, STOP EVERYTHING" button and re-check of all of the other components and supply chain going into the product.

  The notion that someone would pause a line over this (even if we were not in the middle of unprecedented component/manufacturing/shipping disruptions) is _beyond fucking absurd_, much less that anyone would do so until a "re-check of the supply chain" is completed.

  Production schedules are tight as hell.

  You miss your deadline for getting the board assembled, they don't make it to the line or factory putting the boards into the chassis on time.

  That means they've started on another job and now you wait until they have free time on the line.

  That means you don't get your container to the port on time.

  That means you miss the space you had paid for on the ship.

  That means you miss your product launch date. Possibly by _months_; especially right now, shipping is severely constrained.

  That means your competitor takes your lunch money.

walrus01 wrote:
  If your goal is to crank out the largest quantity of cheapest-unit-priced products as quickly as possible, then yes, absolutely stick with what you just wrote above.

  Are you familiar with what happened with the counterfeit capacitor plague?

  https://www.google.com/search?client=firefox-b-d&q=capacitor...

  Keep on cranking out that production line with your suspicious/manufacturer-source-unknown parts with improper labeling on them and end up in a situation with hundreds of millions of dollars of financial damages due to burst capacitors.

  Not every manufacturer has its absolute and highest goal set as massive quantity/cheap and shoddy QA/lowest price/highest volume possible.

  For something like a 100Gb ethernet switch, standards should be much higher than the PCBs of a bunch of $40 802.11ac wifi routers to put in a shiny box and sell at Best Buy.

btown wrote:
  More specifically, if there is a person in a QA role looking out for counterfeit components, and they miss such a glaringly obvious typo, they may not be paying attention to enough details. And if a language barrier is at fault, that's itself a flag that they may not have full comprehension of the specifications they are supposed to QA for. Perhaps not "stop the line" but "we need to do an audit of this component" - and that audit needs to actually be performed.

NAR8789 wrote:
  Ahhh, that's the critical piece of context I was missing. Thank you!

  Article didn't fully explain why the sticker matters so much, so that left me scratching my head. (My gut reaction was "well, wouldn't a genuine sticker still be easy to counterfeit?") But based on your explanation this is more of a smell that everyone in the electronics manufacturing space is culturally attuned to. So, the fact that it slipped by so many people _does_ indicate a slippage of norms.

  If I draw a comparison to software to bring it closer to something familiar to me... would this be like inconsistent variable name formatting? CamelCase in some places and snake_case in others? To an outsider, arguably inconsequential, so insisting on consistency here might seem OCD to them, but to someone who's worked in the space it's actually a useful marker of general detail orientation.

3np wrote:
  > would this be like inconsistent variable name formatting? CamelCase in some places and snake_case in others?

  I'd say it's more like misspelling your own company name in the JPEG logo in the HTML welcome email sent out to new users, and no one notices for a year.

walrus01 wrote:
  In software it would be like if you found evidence that one of your trusted developers had outsourced their own job to an unknown person in India, who was controlling their home office desktop PC by some sort of remote desktop tool and adding code/making commits on their behalf.

bopbeepboop wrote:
  This would be like if one day you found "MicronSoft Word" installed on your computer, when you went to write a document.

  Or your compiler started saying it was "Jawa 9".

  Maybe someone just typo'd the name in an update.

ATsch wrote:
  People who do not work in hardware seriously underestimate how often counterfeit components enter the supply chain. Even trustworthy distributors like Digikey and Mouser have had regular cases of their supplies becoming contaminated. It is just way too easy to do and rarely discovered as long as you mix them with enough legitimate components to avoid suspicion. Unless you're unlucky and they happen to reach someone with an affinity for chip photography, the worst case is they'll just think a few components were DOA or out of spec.

  It mostly affects low complexity components that are easy to clone so a BMC would be unlikely, but even that is not safe as sometimes used components de-soldered from other products make it back into the supply chain too.

xondono wrote:
  I'm still haunted by nightmares of fake FTDI chips.

kragen wrote:
  The bigger supply-chain problem there wasn't the fake FTDI chips, which actually worked reasonably well; it was the _totally genuine and authorized_ FTDI driver update _which FTDI designed to brick your customers' hardware if they installed it_, if you had been so unfortunate as to get fake FTDI chips.

ATsch wrote:
  I look at it the other way around, the driver update is a rare case where it was publicly exposed just how widespread of an issue forgery is in the electronics industry. FTDI likely expected the number of fake devices already in the field to be significantly lower than they actually were. If that was the case, it is unlikely it would have become the story it did.

xondono wrote:
  Given some of the devices I've seen these ICs in, the fact that they were fake _is_ a problem, no matter if they work reasonably well.

yjftsjthsd-h wrote:
  Sure, and they would have gotten precious little criticism if they had displayed a big warning message on detecting a questionable part. The _problem_ was that they decided to unilaterally destroy customer property.

ComputerGuru wrote:
  Or worse: if they _mistakenly_ thought you had a non-genuine FTDI component when you really didn't.

ATsch wrote:
  That's a good public example, here's a post for anyone that missed it: https://zeptobars.com/en/read/FTDI-FT232RL-real-vs-fake-supe...

stronglikedan wrote:
  I work in an industry rife with typos, and can assure you that typos are missed all the time, and it doesn't indicate a greater QA problem or lack of QA. It's just a missed typo.

treesknees wrote:
  Where I work, we treat grammar and spelling errors as a sev 2 bug (sev 1 being highest.) It will quickly erode trust in your product even if everything else is working fine. All of our customer-facing text (UI/CLI/API names, labels, error messages, etc.) goes through QA and also a separate documentation team for consistency and spelling checks.

mistrial9 wrote:
  In other contexts this is referred to as "alarm fatigue"... there is no assurance and masking it is not the move here.

ok_dad wrote:
  I used to work in the incoming inspection department for a medical device manufacturer. If the switch/router company did a "first article inspection" (FAI) and missed this (or missed it on a later incoming inspection), I would agree, but if they found it and called AMI and got the answer it was a typo, then they would note that on the inspection sheet and move on.

fckgw wrote:
  The problem, as pointed out in the example, is that the memo the writer got from Dell that came from AMI informing Dell about the typo contained an image that the writer himself sent to AMI. Meaning AMI had no idea about this typo before they were contacted by the writer.

bigmattystyles wrote:
  I had multiple thoughts -

  1. If one is going to counterfeit the chip, counterfeiting the sticker wouldn't give you any pause - so it's probably just an error, however counterfeiters wouldn't have the review process that would catch typos.

  2. Maybe it is a sneaky warranty workaround like a bank calls itself Banq on paperwork - https://en.wikipedia.org/wiki/Banq_(term)

  So in the end, there's no real way for the end-user to know what's what and I agree with the author that the typo deserves an answer.

toast0 wrote:
  Oddities in labels are a typical sign of a counterfeit. Yes, it's possible to counterfeit labels with good quality, but often it doesn't happen.

  If someone manages to do a good job of replicating the labels, hopefully they did a good job of replicating everything else.

  On the other hand, if QA didn't notice the label is misspelled, what other problems did they miss (some of which may be obvious to them if they look, but not obvious to me even)?

Lammy wrote:
  And yet people loudly denounced Bloomberg for "The Big Hack" story every time it came up on HN: https://www.bloomberg.com/news/features/2018-10-04/the-big-h...

  I believed it then, and I still believe it now. An "evil" BMC (like the ASPEED AST2600 mentioned in this article) is game over security-wise. BMCs are capable of flashing the BIOS/UEFI, capable of inserting arbitrary disk images as virtual CD/etc drives, capable of arbitrary keyboard/mouse input equivalent to having a hardware keyboard/mouse attached, like a remote evil-maid. If you had to pick one single thing to "pwn" in a server it would be the BMC. There's no way it's just a typo.

wmf wrote:
  It's obvious that an evil BMC _would be_ game over because the BMC is the most trusted component in the system (for normal servers that don't have Titan or whatever). But there's no evidence of compromised BMCs actually happening.

Lammy wrote:
  Is there evidence of it _not_ happening? Can I do a reproducible build of a verified AMI BMC firmware and compare it against what comes flashed on my motherboard? They have a "MegaRAC Open Edition" but it says it's only for "OCP compliant platforms": https://github.com/opencomputeproject/HWMgmt-MegaRAC-OpenEdi...

rcxdude wrote:
  It's very believable, but that's basically all that the Bloomberg story had going for it. None of the actual concrete details (of which there were few) made any sense.

alliao wrote:
  Whatever became of it? I thought at the time security experts would swarm and dissect it to death to give us articles after articles of concrete tampering examples... but it just vanished?

fckgw wrote:
  Security researchers did swarm on it and none of them could corroborate the story. It's been widely discredited in security researcher circles.

jandrese wrote:
  If it was an attack, that one guy was specifically being attacked.

dogecoinbase wrote:
  No one has ever found or been shown one of the affected boards.

Lammy wrote:
  When it's a plausible attack against an obviously-critical component it seems most prudent to assume the worst and hope to be wrong :)

yjftsjthsd-h wrote:
  Okay, assume that your motherboard/BMC is backdoored. What exactly is the sane way to proceed, given that you can't verify it and you have no reason to believe that any alternatives are better?

detaro wrote:
  Bloomberg didn't just claim "evil" BMC, but very specific things that nobody ever could confirm, and Bloomberg never supplied any evidence about. If the Bloomberg reporting, or any followup, had been anywhere close to e.g. the reporting in this blog post in detail, then they would have a believable case.

ohazi wrote:
  > This was not caught by Dell, or even the STH team at first, it was a YouTube commenter. If that is how we as an industry are catching the easy plain-to-see stuff, that should scare everyone about what may be hard to see.

  And this is why the people shouting that "the _direct cause_ of the log4j bug is our collective failure to give open source maintainers bags of money" are wrong. Don't get me wrong, you _should_ give people bags of money if you want them to drop everything and go fix a critical bug _after_ it's been discovered.

  But our collective ability to _discover_ bugs is abysmal.

fragmede wrote:
  Which definition of _our_? Seems like it was _found_ just fine. It didn't get the attention it needed until after it was publicly disclosed, however.

  The distinction is that even with a magic 100% infallible bug finding service, if the fixes don't get the attention they need, even with this magic service, the problem's still going to be around. (While this perfect infallible service doesn't actually exist, fuzzers _do_ find bugs in a semi-automated fashion. Still, getting someone to pay attention to the reports is an uphill battle due to false positives.)

yjftsjthsd-h wrote:
  It was found by a random third party; I think it's reasonable to say that "our" should include the people who are getting paid to ship the thing.

rand49an wrote:
  Weird. A few weeks ago I turned up to a site that wasn't working after a power cut. They had two S5200's configured in a stack as core switches. Both had lost their firmware and we could only access the BIOS on them. All attempts to install/upgrade the firmware were a bust. Both had to be RMA'd and two days later we installed the replacements and 1 of those had the same issue.

all2 wrote:
  > William Barath December 13, 2021 At 5:27 pm

  > John Etulain of Seattle Washington registered those 2 domain names, and it is being served HTTP using STH's SSL cert.

  > Staffer of yours, Pat?

  Huh.

geerlingguy wrote:
  In the linked video, it's explained that the domains were registered by STH to prevent them from falling into some malicious actor's hands.

alliao wrote:
  I recently needed to contact Microsoft support, and looking at the support engineer's email address I literally felt like I was being targeted by fraudsters, easily the most suspicious company name I can think of.

  Shanghai Wicresoft Co.,Ltd

[deleted]

urbandw311er wrote:
  Slightly OT but why is American Megatrends called American Megatrends? It has always seemed a slightly absurd name.

SOLAR_FIELDS wrote:
  TLDR: Just bad naming from the founders because they wanted to keep the AMI initials.

  * American Megatrends Inc. (AMI) was founded in 1985 by Subramonian Shankar and Pat Sarma with funds from a previous consulting venture, Access Methods Inc. (also AMI). Access Methods was a company run by Pat Sarma and his partner. After Access Methods successfully launched the AMIBIOS, there were legal issues among the owners of the company, resulting in Sarma buying out his partners. Access Methods still owned the rights to the AMIBIOS. Sarma had already started a company called Quintessential Consultants Inc. (QCI), and later set up an equal partnership with Shankar.

  By this time the AMIBIOS had become established and there was a need to keep the initials AMI. The partners renamed QCI as American Megatrends Inc., with the same initials as Access Methods Inc.; the renamed company then purchased AMIBIOS from Access Methods. Shankar became the president and Sarma the executive vice-president of this company. This partnership continued until 2001, when LSI Logic purchased the RAID Division of American Megatrends; American Megatrends then purchased all shares of the company owned by Sarma, making Shankar the majority owner. *

laurent92 wrote:
  It's better than Atlassian Pty Ltd's story, renamed from Atlassian Software Systems.

[deleted]

Lammy wrote:
  I wonder if that's what inspired "Epic MegaGames, Inc."

___________________________________________________________________
(page generated 2021-12-14 23:00 UTC)