[HN Gopher] Dell and HPE switches come with 'American Megatrands...
___________________________________________________________________
Dell and HPE switches come with 'American Megatrands' stickers
Author : geerlingguy
Score : 159 points
Date : 2021-12-14 18:14 UTC (4 hours ago)
(HTM) web link (www.servethehome.com)
(TXT) w3m dump (www.servethehome.com)
| dubcanada wrote:
| General question, but who cares? Would you rather they reprint
| all of these stickers just to solve your OCD about proper
| spelling?
| jacquesm wrote:
| Labels like that are quite frequently a sign that you're
| dealing with a counterfeit product or something that has been
| in places where it shouldn't.
| rasz wrote:
| Misspelled stickers are how you recognize Chinese
| clones/counterfeits.
|
| Want some Amtech flux made in Colifomia?
| https://sudonull.com/post/100244-Amtech-fluxes-hoax-on-a-glo...
| https://ultrakeet.com.au/write-ups/fluxInfo
| cbm-vic-20 wrote:
| Made with in Colifornia
| walrus01 wrote:
| Designed by Abble in Califarnia
| newsclues wrote:
| Yes.
| xondono wrote:
| If I'm spending thousands of dollars on these devices, I expect
| them to not screw up something like that.
|
| It would not be the first time someone sends a device for RMA
| to be told it's out of warranty because it has been tampered,
| when in reality it was a manufacturing mistake.
| ComputerGuru wrote:
| My Dell Precision 5520 (nee XPS 9560) battery came with obvious
| spelling and grammatical errors, just like the cheap Chinese
| clones I bought to replace it after a few years did (because Dell
| doesn't sell the battery online). The clone I received was
| garbage and not up to the advertised specs so I tossed it and
| called my Dell sales rep and managed to get him to order me a new
| battery (it's apparently not considered a user-replaceable part
| although it really is) and lo and behold the new one came with
| the same spelling errors as the one I got from China.
|
| I have zero faith in their supply chain.
| MangoCoffee wrote:
| I used to work for a Dell contracted repair/shipping center.
| Corporate screw-ups happen all the time. There was one incident,
| before the winter shopping holidays, where Dell ordered thousands
| of 27" all-in-one PCs for retail sales from a China OEM.
|
| The problem is the all-in-one was not all-in-one. The back of the
| all-in-one was missing a PC! The all-in-one was now a 27" monitor
| with an empty lump where the PC was supposed to be. Dell screwed
| up. Dell ended up selling these all-in-one PC monitors to
| corporations for cheap.
| walrus01 wrote:
| Wouldn't the LCD panel in the all-in-one (missing actual x86-64
| PC) be something like an LVDS interface between the intended
| motherboard and the panel? this would mean you couldn't just
| sell them off as cheap weird monitors since they would have no
| external HDMI or displayport connectors or interface to plug a
| computer into.
|
| Persons intending to use it as a monitor would have to go
| scrounge ebay for something like an HDMI-to-LVDS interface
| board and wire it up themselves.
| MangoCoffee wrote:
| It was made with a lump in the back as a functional monitor.
| It was supposed to be an all-in-one and now it's just an "all-in-
| one" monitor.
|
| Sorry if I wasn't clear.
| walrus01 wrote:
| you weren't unclear I was just curious how they resolved
| it, since that's a really weird scenario...
| ksec wrote:
| > (HPE did not care enough to investigate)
|
| That is a useful signal to avoid HPE.
| Am_I_Right wrote:
| Neither Dell nor HPE manufactures switches (the former never has,
| the latter hasn't for the past few years). So, these are all
| sourced from an OEM like Edgecore.
|
| And, someone at that OEM ordered a bunch of misspelled stickers.
| Easy mistake to make, if the latin alphabet is literally foreign
| to you.
|
| And if you think that sticker is bad? Wait until you see the
| actual firmware, oh boy... (I had some fun Edgecore LACP bugs
| take down a pretty sizable network. Things got slightly better
| once they moved to Linux-based firmware, but never to the point
| that their kit was, like, entirely reliable...)
| walrus01 wrote:
| edgecore is just a marketing name, the actual company is accton
|
| they're generally a competitor of companies like compal, clevo,
| quanta. All well known in Taiwan if you're in the business of
| having 3rd parties manufacture your stuff.
| alliao wrote:
| I'm pretty sure Accton is Compal's communications subsidiary
| walrus01 wrote:
| that is a good point, not something I'd had reason to think
| about since 2006 or so. Compal is quite a behemoth.
|
| https://en.wikipedia.org/wiki/Compal_Electronics
|
| US $26 billion revenues. Most people have never heard of
| it, only its consumer facing brands like Ignitenet.
| merb wrote:
| it's crazy how much tech companies taiwan has. i'm pretty
| sure that this has conflict potential with china (i.e. china
| with the eu/us).
| walrus01 wrote:
| some 15-20 years ago most of the big taiwanese electronics
| manufacturing companies (top tier x86-64 motherboard makers
| would be a good example) moved a lot of their factory
| operations to mainland china, for lower cost labor.
|
| it's very interconnected now.
|
| there's a fascinating yearly trade show of taiwanese
| manufacturers:
| https://www.computextaipei.com.tw/en/index.html
| ksec wrote:
| Well, for many stickers, they have to be ordered from the original
| vendor / AMI. I guess this is not the case here.
|
| Turns out it is coming from AMI, but AMI Taiwan.
|
| >AMI Taiwan needed to get license stickers for the local
| market. Instead of using the "American Megatrends" MegaRAC PM
| sticker template, it decided to make its own that had the
| misspelling.
| bluedino wrote:
| Isn't the fear that they are imitation parts?
| mxxx wrote:
| Yes, but they're not. It was just a typo.
| Am_I_Right wrote:
| I'm not entirely sure what the fear is. The AST2600 the
| sticker seems to have been pasted to is a pretty complicated
| IC with (and this is the important part) user-upgradeable
| flash to begin with.
|
| So, you want to do a supply-chain attack? Simply reflash the
| genuine modules. No need to spend more. On the other hand:
| you want to save a few bucks? Possibly do a knock-off chip,
| but you're definitely not going to bother with the firmware.
| Too expensive!
|
| This is definitely a case of "trying to save a few bucks".
| Both Dell and HPE are in a race to the bottom, and the
| sticker being indicative of anything significant beyond that
| is... unlikely...
| NAR8789 wrote:
| I think so, but assuming that is the case... what's to stop a
| shady chipmaker from printing properly-spelled "American
| Megatrends" stickers? More generally... are there any actual
| protections offered by genuine stickers?
|
| The article makes this out to be a major supply chain
| security issue, and that only makes sense if branding
| stickers are actually reliable for validation purposes. But
| that seems... nonsensical? Wouldn't stickers be very easy to
| forge?
|
| But, I don't work in supply chains. Anyone with better
| expertise in this area able to chime in?
|
| I will admit I skimmed the article, because it is long and
| overly-detailed for my level of interest, and because it
| lacks summary sections.
| jcrawfordor wrote:
| It's not at all that a properly spelled sticker gives
| assurance that it's not counterfeit... it's just that a
| misspelled sticker is such an obvious sign of a potential
| counterfeit that it's basically the #1 thing that any
| counterfeit/suspect items program teaches people to look
| for. Most people working on counterfeits don't speak
| English so it's very easy for these kinds of mistakes to
| slip through, and on the other hand they're rarely made by
| the genuine manufacturer which usually has a process to
| check for this kind of thing even if the engineering work
| is done in a non-English speaking country (most of all that
| the logos usually come from off-the-shelf art files from
| the marketing department, so no one's even typing the name
| to make a mistake).
|
| Almost any corporate or institutional counterfeit or supply
| chain security program will explicitly teach you: if
| anything is misspelled or shows other obvious mistakes,
| hold the part as a suspected counterfeit. It's a pretty
| good quality indication.
|
| So of course manufacturers do genuinely make spelling
| mistakes sometimes, but this context makes it a pretty
| embarrassing and serious thing to do. It's like your bank
| misspelling their name in an account notification: sure, in
| some extremely theoretical sense it doesn't _mean_
| anything, but in practice they're giving you exactly the
| signal that everyone tells you to check for to identify
| phishing, and it raises questions about their processes
| that they let it slip through.
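The "hold anything misspelled" rule above is easy to turn into an incoming-inspection check. The following is an added example written for this thread, not code from the STH article, Dell, HPE, AMI or any real counterfeit-parts program. It assumes the label text has already been read off the part (OCR or typed in), that the approved vendor spellings are just the names that happen to come up in this discussion, and that the confusable-character map is an illustrative subset. It goes one step past the thread: besides plain misspellings like "Megatrands" it also catches labels that are spelled correctly only because a look-alike non-Latin character was used.

```python
"""Incoming-inspection check for misspelled or look-alike vendor names.

Added example for this thread, not code from the STH article, Dell, HPE,
AMI or any real counterfeit-parts program. Assumes the label text has
already been read off the part and that APPROVED_VENDORS is the list a
real program would maintain (here: names mentioned in the discussion).
"""
import unicodedata

# Approved spellings a genuine part may carry (assumed list).
APPROVED_VENDORS = ("American Megatrends", "ASPEED", "Edgecore", "Accton")

# Assumed map of characters from other scripts that render like Latin
# ones (Cyrillic a, e, o, p, c, x, i, s). A label using them looks right
# to a human but is not the genuine string.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",
}


def normalize(text: str) -> str:
    """Fold case, collapse whitespace and map confusables to Latin."""
    folded = unicodedata.normalize("NFKC", text)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return " ".join(folded.casefold().split())


def has_confusables(text: str) -> bool:
    """True if any look-alike non-Latin character is present."""
    return any(ch in CONFUSABLES for ch in unicodedata.normalize("NFKC", text))


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), single-row DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_label(label: str, approved=APPROVED_VENDORS, max_near: int = 2):
    """Return (verdict, closest_approved_name, edit_distance).

    'ok'      exact match after normalization, no look-alike characters
    'suspect' near miss (distance 1..max_near), or exact only thanks to
              look-alike characters: hold as suspected counterfeit
    'unknown' nothing close: not an approved vendor at all
    """
    norm = normalize(label)
    best = min(approved, key=lambda v: levenshtein(norm, normalize(v)))
    dist = levenshtein(norm, normalize(best))
    if dist == 0 and not has_confusables(label):
        return "ok", best, dist
    if dist <= max_near:
        return "suspect", best, dist
    return "unknown", best, dist


def scan_labels(labels):
    """Classify a batch; returns only the parts that need a hold."""
    rows = [(lbl, *classify_label(lbl)) for lbl in labels]
    return [row for row in rows if row[1] != "ok"]


# Constructed sample labels, not real inspection data.
SAMPLE_LABELS = [
    "American Megatrends",
    "American MegaTrAnds",        # the sticker from the article
    "Americ\u0430n Megatrends",    # Cyrillic a in "American"
    "  aspeed ",
    "Generic Brand Co",
]

if __name__ == "__main__":
    for row in scan_labels(SAMPLE_LABELS):
        print(row)
```

The distance threshold is the judgment call: one or two edits from an approved name is exactly the "almost right" a counterfeit label tends to be, while a label far from every approved name is a different problem (unknown vendor, wrong part) and is reported separately so it is not mistaken for a typo.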
| jdlshore wrote:
| The article takes a while to get to the point, so here it is:
|
| 1. Article author discovers "American MegaTrAnds" sticker on a
| chip in high-end switches.
|
| 2. Author fears supply chain tampering.
|
| 3. Author contacts American Megatrends (AMI). Hijinks ensue. AMI
| eventually confirms that it's a typo.
|
| 4. Therefore, there is no supply chain tampering.
|
| 5. But author is concerned about what this means for the state of
| supply chain verification.
| howdydoo wrote:
| > supply chain tampering
|
| Naive question, I don't know much about this industry. But if
| someone from China or the NSA wanted to make counterfeit chips,
| why would they risk putting something different on the label?
| It seems like a weird place to draw the line. Would the NSA
| really say "oh no, we can't violate anyone's trademark!" and
| misspell the label and hope their entire operation isn't
| exposed?
| bellyfullofbac wrote:
| Sometimes bandits are sloppy or have Dunning-Kruger, e.g.
| with pirated DVDs the sleeve art is just a hot mess of random
| words, but I guess if they were making fake chips they'd be a
| bit better at it. Or the guy they hired to do the Photoshop
| says he's real good but he's actually sloppy, and everyone
| else just sees random glyphs (imagine if you were having to
| copy an Arabic label, I assume you can't read Arabic).
| vgel wrote:
| Counterfeit chips aren't just a state-level actor problem,
| companies do it for profit as well. I think the worry is
| just, if the person who was supposed to be checking for
| counterfeits missed _this_, how would they have any chance
| of catching a more sophisticated counterfeit?
| foobiekr wrote:
| This is laughably sloppy.
|
| One of my favorite customers actually took a calorimeter to the
| LEDs that were in one of our deliveries of router chassis. They
| felt that the Amber wasn't quite Amber enough and so they
| measured it. They were right: while it was amber, it wasn't spec
| amber. So they shipped it all back. We were very embarrassed
| and supply chain was given a dressing down. They missed a parts
| quality issue.
|
| A typo like this is extremely indicative of a sloppy
| organization.
| alfalfasprout wrote:
| Was your typo intentional? Calorimeter -> colorimeter?
| mrtksn wrote:
| > sloppy organization.
|
| Or a communication issue? How do the people looking inside
| the assembled product tell the people who design the product
| that they made a typo?
|
| A few years back, the company I worked for created a landing
| page where an image of a beautiful young woman was happy
| about our deals. It wasn't my job, I was looking at the
| design out of curiosity and I noticed that one of her eyes was
| looking in one direction and the other eye in a different
| direction. I tried to raise the issue with a few people
| higher up but they didn't understand or didn't care as they
| were excited for the release or busy with other stuff.
|
| To this day, I wonder, was it intentional? Maybe it was a
| joke or something I didn't get. The campaign ran fine, no one
| talked about it. I don't know, maybe I don't get graphic design,
| maybe the eye situation was a marketing message about how the
| lady was keeping an eye on the numerous amazing deals of ours.
| detaro wrote:
| What is the relevant spec for colors here? Is there some ISO
| or whatever for signal lights on equipment defining it?
| jwandborg wrote:
| It might be regulatory concerns, maybe they hadn't licensed
| that particular wavelength of orange for local broadcasting
| purposes, or EMI concerns with regards to the off-white
| spectrum, at least if I let my thoughts run without
| moderation.
| fxtentacle wrote:
| Parent comment probably meant "colorimeter" which will
| measure colors in either spectral distribution or XYZ color
| space.
|
| So you could say something like RAL color # 123 +- 5% in
| XYZ space. Or you can just specify: That color needs to be
| closer to RAL #123 than to any other RAL number, so then
| you'd also have an implicit definition of the valid color
| range.
| detaro wrote:
| What the "something like" is exactly and where it came
| from is kind of my question.
| KennyBlanken wrote:
| What I find funny: the guy who runs STH frothing at the mouth
| about a typo. To paraphrase Nick Fury: "Pot, kettle."
|
| The STH guy can't spell to save his life and his grammar is
| terrible. His sentence structure and general writing skills are
| about what I would expect from a fourth-grade child.
|
| He also is an incredible drama-llama, making mountains out of
| molehills; I've seen him do this time and time again.
|
| He sees a misprinted sticker and sees supply chain attacks?
| Dude. This gear is assembled by people in third world countries
| making wages that amount to a few dollars a day or less. They
| don't speak English. They may not even read roman letters. I'd
| challenge him to do QA on any non-roman alphabet...
|
| I bet someone did notice the stickers, but getting them
| reprinted (assuming it was caught before assembly started) may
| have meant a delay. Even a minor delay can be a major, major
| problem since this stuff is scheduled practically down to the
| hour in the factories; ditto for shipping deadlines. Or if they
| were already on assembled boards (or worse, inside assembled
| equipment) the cost to replace the sticker would be
| astronomical, with exactly zero value to the vendor or their
| customers. It's cosmetic.
| [deleted]
| 1970-01-01 wrote:
| Yes. TL;DR: Chip does not meet MILSPEC or any other spec.
| People are OK with it. The chips really should be de-capped and
| researched.
| ricardobeat wrote:
| They _said_ there is no tampering. Someone should x-ray this
| chip vs a correctly labeled one to verify.
| sneak wrote:
| X-ray won't help you. You can backdoor silicon by introducing
| a single faulty junction.
| wmf wrote:
| AMI is a firmware company so you'd check the hash of the BMC
| flash contents.
| xondono wrote:
| Although it would be much (_much_) more elaborate, a
| counterfeit BMC could have hidden ROMs or bootloaders
| capable of opening backdoors into running machines.
| wmf wrote:
| Note that the BMC chip comes from a different company
| (ASPEED) who has not been implicated in this
| "stickergate".
| bruce343434 wrote:
| perhaps off-topic, but where does the -gate suffix come
| from? It seems it can be replaced by "troubles".
|
| Gamer troubles. Sticker troubles. But what does -gate
| even mean?
| cipheredStones wrote:
| This is covered by the Wikipedia articles others have
| linked, but briefly: Richard Nixon (US President from
| 1969-1974) was forced to resign by the revelation that he
| had paid for criminals to break into the Democratic
| Party's campaign headquarters in the Watergate Hotel. The
| entire affair became known as Watergate.
|
| Later, one of Nixon's former speechwriters, William
| Safire, propagated the use of -gate as a generic suffix
| for any type of scandal, notably including very minor
| ones. It's likely that part of why he did this was to
| retrospectively diminish the perceived seriousness of the
| Watergate scandal.
| mensetmanusman wrote:
| Have you heard about the gategate?
|
| https://www.poynter.org/reporting-editing/2015/gategate-its-...
| freeman478 wrote:
| I think it comes from
| https://en.wikipedia.org/wiki/Watergate_scandal
| handrous wrote:
| Ah, good old Watergate-gate.
| CBLT wrote:
| https://en.wikipedia.org/wiki/List_of_%22-gate%22_scandals_a...
| walrus01 wrote:
| > But author is concerned about what this means for the state
| of supply chain verification.
|
| This is a brown M&Ms problem:
| https://conversableeconomist.blogspot.com/2020/10/the-no-bro...
|
| If they missed something as obvious as this, who knows what
| other problems are going on in supply chain security or total
| lack of QA.
| formerly_proven wrote:
| I'm not so sure. These BMCs are dumb SoCs like any other
| (just with specialized I/O), their firmware comes from an
| external SPI flash. I doubt there is anything AMI specific at
| all in these chips. Looks like it's basically a license
| sticker some worker is putting on these boards after they're
| all assembled and tested. I can see how these stickers are
| there, maybe for contractual/legal reasons, without being a
| critical part of the BMC board BOM (1x roll of "AMI loicense
| stickers").
| xondono wrote:
| These "dumb SoCs" are one of the biggest security holes in
| a lot of high end equipment.
|
| It would not be the first time someone finds exploitable
| firmware bugs and vulnerable BMCs through Shodan.
| NAR8789 wrote:
| I'd argue it's slightly different--
|
| - no brown m&m's specifically calls out no brown m&ms in a
| list of requirements, and uses it as a canary for reading
| comprehension.
|
| - a misspelling is an "obvious" problem, but I suspect not
| called out anywhere as a specific requirement.
|
| "No brown m&ms" catches when people aren't paying detailed
| attention to your (presumably reasonably scoped) requirements
| doc.
|
| Asking people to catch all "obvious" problems holds them
| accountable to an unbounded guessing game, and you're far
| more likely to catch people out, simply because of
| differences in where they choose to focus.
| walrus01 wrote:
| The misspelling means two different things to two
| categories of people... Those who haven't worked in
| electronics manufacturing are highly likely to say "oh it's
| just an honest mistake".
|
| Those who _have_ worked in electronics manufacturing will
| immediately see it as a possibly scary sign of counterfeit
| components making their way into the supply chain. Same as
| what happened with counterfeit capacitors in east asia.
| Much like the early 1980s Van Halen tour example linked
| above, it's a reason for hitting the big red "OKAY, STOP
| EVERYTHING" button and re-check of all of the other
| components and supply chain going into the product.
| KennyBlanken wrote:
| Anyone familiar with electronics manufacturing knows that
| for most of the people involved in the production of your
| stuff, English is a second language and roman characters
| are not their primary alphabet.
|
| > it's a reason for hitting the big red "OKAY, STOP
| EVERYTHING" button and re-check of all of the other
| components and supply chain going into the product.
|
| The notion that someone would pause a line over this
| (even if we were not in the middle of unprecedented
| component/manufacturing/shipping disruptions) is _beyond
| fucking absurd_, much less that anyone would do so until
| a "re-check of the supply chain" is completed.
|
| Production schedules are tight as hell.
|
| You miss your deadline for getting the board assembled,
| they don't make it to the line or factory putting the
| boards into the chassis on time.
|
| That means they've started on another job and now you
| wait until they have free time on the line.
|
| That means you don't get your container to the port on
| time.
|
| That means you miss the space you had paid for on the
| ship.
|
| That means you miss your product launch date. Possibly by
| _months_; especially right now, shipping is severely
| constrained.
|
| That means your competitor takes your lunch money.
| walrus01 wrote:
| If your goal is to crank out the largest quantity of
| cheapest-unit-priced products as quickly as possible,
| then yes, absolutely stick with what you just wrote
| above.
|
| Are you familiar with what happened with the counterfeit
| capacitor plague?
|
| https://www.google.com/search?client=firefox-b-d&q=capacitor...
|
| Keep on cranking out that production line with your
| suspicious/manufacturer-source-unknown parts with
| improper labeling on them and end up in a situation with
| hundreds of millions of dollars of financial damages due
| to burst capacitors.
|
| Not every manufacturer has its absolute and highest goal
| set as massive quantity/cheap and shoddy QA/lowest
| price/highest volume possible.
|
| For something like a 100Gb ethernet switch, standards
| should be much higher than the PCBs of a bunch of $40
| 802.11ac wifi routers to put in a shiny box and sell at
| Best Buy.
| btown wrote:
| More specifically, if there is a person in a QA role
| looking out for counterfeit components, and they miss
| such a glaringly obvious typo, they may not be paying
| attention to enough details. And if a language barrier is
| at fault, that's itself a flag that they may not have
| full comprehension of the specifications they are
| supposed to QA for. Perhaps not "stop the line" but "we
| need to do an audit of this component" - and that audit
| needs to actually be performed.
| NAR8789 wrote:
| Ahhh, that's the critical piece of context I was missing.
| Thank you!
|
| Article didn't fully explain why the sticker matters so
| much, so that left me scratching my head. (My gut
| reaction was "well, wouldn't a genuine sticker still be
| easy to counterfeit?") But based on your explanation this
| is more of a smell that everyone in the electronics
| manufacturing space is culturally attuned to. So, the
| fact that it slipped by so many people _does_ indicate a
| slippage of norms.
|
| If I draw a comparison to software to bring it closer to
| something familiar to me... would this be like
| inconsistent variable name formatting? CamelCase in some
| places and snake_case in others? To an outsider, arguably
| inconsequential, so insisting on consistency here might
| seem OCD to them, but to someone who's worked in the
| space it's actually a useful marker of general detail
| orientation.
| 3np wrote:
| > would this be like inconsistent variable name
| formatting? CamelCase in some places and snake_case in
| others?
|
| I'd say it's more like misspelling your own company name
| in the JPEG logo in the HTML welcome email sent out to
| new users, and no one notices for a year.
| walrus01 wrote:
| In software it would be like if you found evidence that
| one of your trusted developers had outsourced their own
| job to an unknown person in India, who was controlling
| their home office desktop PC by some sort of remote
| desktop tool and adding code/making commits on their
| behalf.
| bopbeepboop wrote:
| This would be like if one day you found "MicronSoft Word"
| installed on your computer, when you went to write a
| document.
|
| Or your compiler started saying it was "Jawa 9".
|
| Maybe someone just typo'd the name in an update.
| ATsch wrote:
| People who do not work in hardware seriously
| underestimate how often counterfeit components enter the
| supply chain. Even trustworthy distributors like digikey
| and mouser have had regular cases of their supplies
| becoming contaminated. It is just way too easy to do and
| rarely discovered as long as you mix them with enough
| legitimate components to avoid suspicion. Unless you're
| unlucky and they happen to reach someone with an affinity
| for chip photography, the worst case is they'll just
| think a few components were DOA or out of spec.
|
| It mostly affects low complexity components that are easy
| to clone so a BMC would be unlikely, but even that is not
| safe as sometimes used components de-soldered from other
| products make it back into the supply chain too.
| xondono wrote:
| I'm still haunted by nightmares of fake FTDI chips
| kragen wrote:
| The bigger supply-chain problem there wasn't the fake
| FTDI chips, which actually worked reasonably well; it was
| the _totally genuine and authorized_ FTDI driver update
| _which FTDI designed to brick your customers' hardware
| if they installed it_, if you had been so unfortunate as
| to get fake FTDI chips.
| ATsch wrote:
| I look at it the other way around, the driver update is a
| rare case where it was publicly exposed just how
| widespread of an issue forgery is in the electronics
| industry. FTDI likely expected the number of fake devices
| already in the field to be significantly lower than they
| actually were. If that was the case, it is unlikely it
| would have become the story it did.
| xondono wrote:
| Given some of the devices I've seen these ICs in, the fact
| that they were fake _is_ a problem, no matter if they
| work reasonably well.
| yjftsjthsd-h wrote:
| Sure, and they would have gotten precious little
| criticism if they had displayed a big warning message on
| detecting a questionable part. The _problem_ was that
| they decided to unilaterally destroy customer property.
| ComputerGuru wrote:
| Or worse: if they _mistakenly_ thought you had a non-
| genuine FTDI component when you really didn't.
| ATsch wrote:
| That's a good public example, here's a post for anyone
| that missed it:
| https://zeptobars.com/en/read/FTDI-FT232RL-real-vs-fake-supe...
| stronglikedan wrote:
| I work in an industry rife with typos, and can assure you
| that typos are missed all the time, and it doesn't indicate a
| greater QA problem or lack of QA. It's just a missed typo.
| treesknees wrote:
| Where I work, we treat grammar and spelling errors as a sev
| 2 bug (sev 1 being highest.) It will quickly erode trust in
| your product even if everything else is working fine. All
| of our customer-facing text (UI/CLI/API names, labels,
| error messages, etc.) go through QA and also a separate
| documentation team for consistency and spelling checks.
| mistrial9 wrote:
| in other contexts this is referred to as "alarm fatigue" ..
| there is no assurance and masking it is not the move here
| ok_dad wrote:
| I used to work in incoming inspection department for a
| medical device manufacturer. If the switch/router company did
| a "first article inspection" (FAI) and missed this (or missed
| it on a later incoming inspection), I would agree, but if
| they found it and called AMI and got the answer it was a
| typo, then they would note that on the inspection sheet and
| move on.
| fckgw wrote:
| The problem, as pointed out in the example, is that the
| memo the writer got from Dell that came from AMI informing
| Dell about the typo contained an image that the writer himself
| sent to AMI. Meaning AMI had no idea about this typo before
| they were contacted by the writer.
| bigmattystyles wrote:
| I had multiple thoughts -
|
| 1. If one is going to counterfeit the chip, counterfeiting the
| sticker wouldn't give you any pause - so it's probably just an
| error, however counterfeiters wouldn't have the review process
| that would catch typos.
|
| 2. Maybe it is a sneaky warranty workaround like a bank calls
| itself Banq on paperwork -
| https://en.wikipedia.org/wiki/Banq_(term)
|
| So in the end, there's no real way for the end-user to know
| what's what and I agree with the author that the typo deserves an
| answer.
| toast0 wrote:
| Oddities in labels are a typical sign of a counterfeit. Yes,
| it's possible to counterfeit labels with good quality, but
| often it doesn't happen.
|
| If someone manages to do a good job of replicating the labels,
| hopefully they did a good job of replicating everything else.
|
| On the other hand, if QA didn't notice the label is misspelled,
| what other problems did they miss (some of which may be obvious
| to them if they look, but not obvious to me even)
| Lammy wrote:
| And yet people loudly denounced Bloomberg for "The Big Hack"
| story every time it came up on HN:
| https://www.bloomberg.com/news/features/2018-10-04/the-big-h...
|
| I believed it then, and I still believe it now. An "evil" BMC
| (like the ASPEED AST2600 mentioned in this article) is game over
| security-wise. BMCs are capable of flashing the BIOS/UEFI,
| capable of inserting arbitrary disk images as virtual CD/etc
| drives, capable of arbitrary keyboard/mouse input equivalent to
| having a hardware keyboard/mouse attached, like a remote evil-
| maid. If you had to pick one single thing to "pwn" in a server it
| would be the BMC. There's no way it's just a typo.
| wmf wrote:
| It's obvious that an evil BMC _would be_ game over because the
| BMC is the most trusted component in the system (for normal
| servers that don't have Titan or whatever). But there's no
| evidence of compromised BMCs actually happening.
| Lammy wrote:
| Is there evidence of it _not_ happening? Can I do a
| reproducible build of a verified AMI BMC firmware and compare
| it against what comes flashed on my motherboard? They have a
| "MegaRAC Open Edition" but it says it's only for "OCP
| compliant platforms":
| https://github.com/opencomputeproject/HWMgmt-MegaRAC-OpenEdi...
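wmf's suggestion earlier in the thread (check the hash of the BMC flash contents) and the question just above (compare a verified build against what is flashed on the board) come down to the same check. Below is an added example for this thread, not code from AMI, ASPEED, Dell, HPE or the MegaRAC OpenEdition tree. It assumes the image was read out with an external programmer clipped to the SPI flash (a BMC cannot be trusted to report its own contents, so a dump taken through the BMC's own interface proves nothing), that the region layout is hypothetical rather than a real AST2600/MegaRAC partition table, and that the reference digests come from a build you trust; here they are computed from a constructed "pristine" image so the example runs offline.

```python
"""Compare immutable regions of a BMC SPI flash dump with known-good digests.

Added example for this thread, not code from AMI, ASPEED, Dell, HPE or the
MegaRAC OpenEdition tree. Assumptions: the dump came from an external SPI
programmer (not from the BMC itself); the region layout is hypothetical;
reference digests would come from a trusted build or vendor manifest.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    offset: int
    size: int
    immutable: bool  # False: per-unit data (env, config), never compared


# Hypothetical 64 KiB layout for the demonstration.
LAYOUT = (
    Region("bootloader", 0x0000, 0x4000, True),
    Region("env",        0x4000, 0x1000, False),
    Region("kernel",     0x5000, 0x8000, True),
    Region("rootfs",     0xD000, 0x2000, True),
    Region("config",     0xF000, 0x1000, False),
)
FLASH_SIZE = 0x10000


def region_digests(image: bytes, layout=LAYOUT) -> dict:
    """SHA-256 hex digest of every region, keyed by region name."""
    digests = {}
    for r in layout:
        if r.offset + r.size > len(image):
            raise ValueError(f"dump too short for region {r.name}")
        chunk = image[r.offset:r.offset + r.size]
        digests[r.name] = hashlib.sha256(chunk).hexdigest()
    return digests


def verify_dump(image: bytes, reference: dict, layout=LAYOUT) -> dict:
    """Verdict per region: 'ok', 'MISMATCH' or 'skipped' (mutable region).

    A whole-image hash would fail on every deployed unit because env and
    config differ per board; only regions that must be bit-identical to
    the trusted build are compared.
    """
    actual = region_digests(image, layout)
    verdict = {}
    for r in layout:
        if not r.immutable:
            verdict[r.name] = "skipped"
        elif actual[r.name] == reference.get(r.name):
            verdict[r.name] = "ok"
        else:
            verdict[r.name] = "MISMATCH"
    return verdict


def is_clean(verdict: dict) -> bool:
    """True when no compared region differs from the reference."""
    return "MISMATCH" not in verdict.values()


# --- constructed images, stand-ins for a real dump and a trusted build ---

def build_pristine_image() -> bytes:
    """Deterministic filler per region so the example runs offline."""
    buf = bytearray(b"\xff" * FLASH_SIZE)  # erased flash reads 0xFF
    for r in LAYOUT:
        filler = hashlib.sha256(r.name.encode()).digest()
        buf[r.offset:r.offset + r.size] = (filler * (r.size // 32 + 1))[:r.size]
    return bytes(buf)


def build_field_unit_image(tamper_bootloader: bool) -> bytes:
    """A unit that has been powered on: env/config rewritten, and
    optionally one byte patched in the bootloader (a tampered part)."""
    buf = bytearray(build_pristine_image())
    buf[0x4000:0x4010] = b"bootcmd=run fw\0\0"   # 16 bytes: env differs per unit
    buf[0xF000:0xF008] = b"ip=10.0."            # 8 bytes: so does config
    if tamper_bootloader:
        buf[0x0100] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    reference = region_digests(build_pristine_image())
    for tampered in (False, True):
        print(tampered, verify_dump(build_field_unit_image(tampered), reference))
```

Two caveats a practitioner would add. The reference digests are only as good as their source: with a reproducible build you can regenerate them, otherwise you depend on a vendor-published manifest. And this check only covers what is in external flash; a counterfeit SoC with a modified on-die boot ROM, the scenario raised elsewhere in this thread, would pass it, since that code never appears in the dump.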
| rcxdude wrote:
| It's very believable, but that's basically all that the
| bloomberg story had going for it. None of the actual concrete
| details (of which there were few) made any sense.
| alliao wrote:
| whatever became of it? I thought at the time security experts
| would swarm and dissect it to death to give us articles after
| articles of concrete tampering examples... but it just
| vanished?
| fckgw wrote:
| Security researchers did swarm on it and none of them could
| corroborate the story. It's been widely discredited in
| security researcher circles.
| jandrese wrote:
| If it was an attack, then that one guy was specifically being
| attacked.
| dogecoinbase wrote:
| No one has ever found or been shown one of the affected
| boards.
| Lammy wrote:
| When it's a plausible attack against an obviously-critical
| component it seems most prudent to assume the worst and
| hope to be wrong :)
| yjftsjthsd-h wrote:
| Okay, assume that your motherboard/BMC is backdoored.
| What exactly is the sane way to proceed, given that you
| can't verify it and you have no reason to believe that
| any alternatives are better?
| detaro wrote:
| Bloomberg didn't just claim "evil" BMC, but very specific
| things that nobody ever could confirm, and Bloomberg never
| supplied any evidence about. If the Bloomberg reporting, or any
| followup, had been anywhere close to e.g. the reporting in this
| blog post in detail, then they would have a believable case.
| ohazi wrote:
| > This was not caught by Dell, or even the STH team at first, it
| was a YouTube commenter. If that is how we as an industry are
| catching the easy plain-to-see stuff, that should scare everyone
| about what may be hard to see.
|
| And this is why the people shouting that "the _direct cause_ of
| the log4j bug is our collective failure to give open source
| maintainers bags of money " are wrong. Don't get me wrong, you
| _should_ give people bags of money if you want them to drop
| everything and go fix a critical bug _after_ it's been
| discovered.
|
| But our collective ability to _discover_ bugs is abysmal.
| fragmede wrote:
| Which definition of _our_? Seems like it was _found_ just fine.
| It didn't get the attention it needed until after it was
| publicly disclosed, however.
|
| The distinction is that even with a magic 100% infallible bug
| finding service, if the fixes don't get the attention they
| need, even with this magic service is, the problem's still
| going to be around. (While this perfect infallible service
| doesn't actually exist, fuzzers _do_ find bugs in a semi-
| automated fashion. Still, getting someone to pay attention to
| the reports is an uphill battle due to false positives.)
| yjftsjthsd-h wrote:
| It was found by a random third party; I think it's reasonable
| to say that "our" should include the people who are getting
| paid to ship the thing.
| rand49an wrote:
| Weird. A few weeks ago I turned up to a site that wasn't working
| after a power cut. They had two S5200's configured in a stack as
| core switches. Both had lost their firmware and we could only
| access the BIOS on them. All attempts to install/upgrade the
| firmware were a bust. Both had to be RMA'd and two days later we
| installed the replacements and one of those had the same issue.
| all2 wrote:
| > William Barath December 13, 2021 At 5:27 pm
|
| > John Etulain of Seattle Washington registered those 2 domain
| names, and it is being served HTTP using STH's SSL cert.
|
| > Staffer of yours, Pat?
|
| Huh.
| geerlingguy wrote:
| In the linked video, it's explained that the domains were
| registered by STH to prevent them from falling into some
| malicious actor's hands.
| alliao wrote:
| I recently needed to contact Microsoft support, and looking at
| the support engineer's email address I literally felt like I was
| being targeted by fraudsters, easily the most suspicious company
| name I can think of.
|
| Shanghai Wicresoft Co.,Ltd
| [deleted]
| urbandw311er wrote:
| Slightly OT but why is American Megatrends called American
| Megatrends? It has always seemed a slightly absurd name.
| SOLAR_FIELDS wrote:
| TLDR: Just bad naming from the founders because they wanted to
| keep AMI initials
|
| * American Megatrends Inc. (AMI) was founded in 1985 by
| Subramonian Shankar and Pat Sarma with funds from a previous
| consulting venture, Access Methods Inc. (also AMI). Access
| Methods was a company run by Pat Sarma and his partner. After
| Access Methods successfully launched the AMIBIOS, there were
| legal issues among the owners of the company, resulting in
| Sarma buying out his partners. Access Methods still owned the
| rights to the AMIBIOS. Sarma had already started a company
| called Quintessential Consultants Inc. (QCI), and later set up
| an equal partnership with Shankar.
|
| By this time the AMIBIOS had become established and there was a
| need to keep the initials AMI. The partners renamed QCI as
| American Megatrends Inc., with the same initials as Access
| Methods Inc.; the renamed company then purchased AMIBIOS from
| Access Methods. Shankar became the president and Sarma the
| executive vice-president of this company. This partnership
| continued until 2001, when LSI Logic purchased the RAID
| Division of American Megatrends; American Megatrends then
| purchased all shares of the company owned by Sarma, making
| Shankar the majority owner. *
| laurent92 wrote:
| It's better than Atlassian Pty Ltd's story, renamed from
| Atlassian Software Systems.
| [deleted]
| Lammy wrote:
| I wonder if that's what inspired "Epic MegaGames, Inc."
___________________________________________________________________
(page generated 2021-12-14 23:00 UTC)