
posted by cmn32480 on Sunday February 26 2017, @11:31PM
from the broken-out-of-the-box dept.

A mid-2016 security incident led to Apple purging its data centers of servers built by Supermicro, including returning recently purchased systems, according to a report by The Information. Malware-infected firmware was reportedly detected in an internal development environment for Apple's App Store, as well as some production servers handling queries through Apple's Siri service.

An Apple spokesperson denied there was a security incident. However, Supermicro's senior vice-president of technology, Tau Leng, told The Information that Apple had ended its relationship with Supermicro because of the compromised systems in the App Store development environment. Leng also confirmed Apple returned equipment that it had recently purchased. An anonymous source was cited as the source of the information regarding infected Siri servers.

[...] A source familiar with the case at Apple told Ars that the compromised firmware affected servers in Apple's design lab, and not active Siri servers. The firmware, according to the source, was downloaded directly from Supermicro's support site—and that firmware is still hosted there.

Source: ArsTechnica


Related Stories

Supermicro Says That an Audit Found No Evidence to Support Claims of Chinese Backdoors in Products

Audit: No Chinese surveillance implants in Supermicro boards found

In a letter to customers issued December 11, Supermicro President and CEO Charles Liang and other top executives announced that an audit conducted by an outside investigating team had found no evidence of any malicious hardware incorporated into motherboards currently or previously manufactured by the company. The letter is the latest rebuttal to Bloomberg reports in October that claimed tiny chips that provided a backdoor for China's intelligence agencies had been integrated into boards provided to major Internet and cloud providers—a report also refuted by the companies the report claimed were targeted.

"After a thorough examination and a range of functional tests, the investigative firm found absolutely no evidence of malicious hardware on our motherboards," the letter signed by Liang, Supermicro Senior Vice President and Chief Compliance Officer David Weigland, and Senior VP and Chief Product Officer Raju Penumatcha stated.

Searching for site:soylentnews.org supermicro on Google brought up a Supermicro ad linking the CEO letter, with the link entitled "Supermicro Independent Testing | No Malicious Hardware". Do you believe them?

Previously: Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro
Bloomberg Stands by Chinese Chip Story as Apple, Amazon Ratchet up Denials
Bloomberg Claims That a Major U.S. Telecom Operated a Server Backdoored by a Hidden Chip

Related: Apple Deleted Server Supplier After Finding Infected Firmware in Servers
Firmware Vulnerabilities in Supermicro Systems
Supermicro Announces Suspension of Trading of Common Stock on Nasdaq and its Intention to Appeal

  • (Score: 1, Insightful) by Anonymous Coward on Monday February 27 2017, @12:32AM (4 children)

    by Anonymous Coward on Monday February 27 2017, @12:32AM (#472051)

    If this is true, then Supermicro cannot be trusted.

    • (Score: 0) by Anonymous Coward on Monday February 27 2017, @07:00AM (3 children)

      by Anonymous Coward on Monday February 27 2017, @07:00AM (#472129)

      Heinlein's razor seems important to remember here: You have attributed conditions to villainy that can simply result from stupidity.

      • (Score: 2) by maxwell demon on Monday February 27 2017, @08:00AM (2 children)

        by maxwell demon (1608) on Monday February 27 2017, @08:00AM (#472161) Journal

        So you would knowingly buy from a vendor whom you know to be stupid enough to allow the computers to come preinstalled with malware?

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 0) by Anonymous Coward on Monday February 27 2017, @04:41PM (1 child)

          by Anonymous Coward on Monday February 27 2017, @04:41PM (#472345)

          Would you buy from a vendor that charged twice the money for the same server? Your boss may care more about saving money. And even if you went with Dell or HP, you wouldn't have any guarantees that the product is malware free.

          • (Score: 2) by bob_super on Tuesday February 28 2017, @07:17PM

            by bob_super (1357) on Tuesday February 28 2017, @07:17PM (#472973)

            But it would be 'Murican malware!

  • (Score: 4, Insightful) by jasassin on Monday February 27 2017, @12:37AM

    by jasassin (3566) <jasassin@gmail.com> on Monday February 27 2017, @12:37AM (#472052) Journal

    I'd like to know what the malware did, and how they detected it. Why is the firmware still on the site?

    Hmmmm...

    --
    jasassin@gmail.com Key fingerprint = 0644 173D 8EED AB73 C2A6 B363 8A70 579B B6A7 02CA
  • (Score: 3, Interesting) by Anonymous Coward on Monday February 27 2017, @12:41AM (6 children)

    by Anonymous Coward on Monday February 27 2017, @12:41AM (#472053)

    Apple is well known to be a horrible company to sell to. They will tear up contracts at the slightest provocation, don't believe in negotiated settlements, demand special snowflake treatment to the point of having products redesigned for them - oh, unless it's the other way around, then everybody is expected to pucker up and get smoochy with their big, greasy butthole. They make Donald Trump look like a reasonable and friendly counterparty for vendors - it's that bad.

    What's different here is that supermicro is being honest about what happened. Apple hates their suppliers even being known - so supermicro are burning a bridge here.

    Honestly, I suspect that supermicro's people have found Apple such a monumental, vast pain to deal with that they've figured it's a customer that it's better not to have.

    I have direct, personal, first-hand knowledge of Apple's business practices from more than one of my employers over the years. It has reached the point that I actively recommend that my employers steer clear of them, and if Apple for some weird reason comes cap-in-hand, get the contract tied up by the most savage, blood-sucking lawyers they can afford.

    • (Score: 2, Insightful) by Anonymous Coward on Monday February 27 2017, @01:58AM

      by Anonymous Coward on Monday February 27 2017, @01:58AM (#472072)

      Replace every Apple reference in there with Walmart and you have described two of the largest companies in the world.

      I have been saying this to people for years: Apple is not a company to be trusted (my stories go back to the mid 90s). MS is good/'bad' at what they do, but they learned at the hands of a true Sith master, Apple. The GUI wasn't the only thing MS copied.

    • (Score: 3, Interesting) by Snotnose on Monday February 27 2017, @02:09AM (2 children)

      by Snotnose (1623) on Monday February 27 2017, @02:09AM (#472074)

      I worked at Qualcomm in, I dunno, '05 or '06 when we got a supersekrit assignment to look into what it would take to add some special features to our chips, both hardware and software. We were told explicitly, several times, to not discuss this with anyone not in the room, not even our wives.

      Turned out the chip was going to go into the original iPhone. I don't know how or why Qualcomm lost the deal, but for 3 weeks it was a major PITA.

      --
      I hate when I put something off to tomorrow, and tomorrow arrives.
      • (Score: 1, Informative) by Anonymous Coward on Monday February 27 2017, @02:32AM

        by Anonymous Coward on Monday February 27 2017, @02:32AM (#472080)

        I worked at qcom too at the same time. It was not that big of a secret ;)

        As to why? Jobs played us. He already knew which chips were in. He was using us to negotiate a better price.

      • (Score: 2) by FatPhil on Monday February 27 2017, @03:27PM

        by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday February 27 2017, @03:27PM (#472304) Homepage
        Haha, I worked for Freescale at about the same time, and one of the companies we were trying to flog chips to was Apple. I remember taking some EVBs that had just been returned by Apple to Nokia for evaluation (for the n900, we lost to TI, because of inertia). I never dealt with Apple, so don't know if they had any supaseekrit special feature requests. Other customers certainly did. *cough*Cisco*cough*.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by Nobuddy on Monday February 27 2017, @04:52PM (1 child)

      by Nobuddy (1626) on Monday February 27 2017, @04:52PM (#472355)

      Seems odd that holding a business partner to the terms of the contract is viewed as malicious and unfair in today's business world. Why have a contract at all if you never intended to hold up your end?

      • (Score: 0) by Anonymous Coward on Monday February 27 2017, @07:47PM

        by Anonymous Coward on Monday February 27 2017, @07:47PM (#472486)

        Because you have absolutely no clue if the other party intended to hold up their end in this case, and businesses usually go to great lengths to do so?
        Because business conditions change, and companies that want to be in business with one another recognize that?
        Because you don't bankrupt your business partner, and you should be smart enough to know when your deal is so razor-thin that will happen?
        Because good will in business is a tangible thing and sometimes it's better to keep good will going than take someone's last dollar?
        Because malicious and unfair are the norm for today's business contracts, and the world does not have to be that way?
        Because one that will do anything, at any cost, to stay at number one will sooner or later get covered in number two?
        Because someone has understood the words, "I desire mercy, not sacrifice?"
        Because businesses do not hurt. People do?

  • (Score: 0) by Anonymous Coward on Monday February 27 2017, @08:42AM (3 children)

    by Anonymous Coward on Monday February 27 2017, @08:42AM (#472170)

    I wonder if Tau Leng knows who did it

    • (Score: 0) by Anonymous Coward on Monday February 27 2017, @02:20PM (2 children)

      by Anonymous Coward on Monday February 27 2017, @02:20PM (#472271)

      I'm sure those sneaky chinamen infected their own equipment via a malicious pact with the pinko commies in China to steal even more IP. The biggest disappointment in IT is the fact that we worry about US surveillance while completely forgetting that most if not close to all of our IT components are made in commie land. One day those gooks are going to phone it in and destroy our economy and the US, a war without ever firing a single shot. Then they get to strut around, with their racist yellow pride, yelling China #1! I hope Trump manages to fix the greedy fucks who export our manufacturing to hostile 3rd world shit holes. Fuck China. And fuck the greedy cunts who send our jobs there. I hope we send their economy down the crapper first and let half a billion of them starve to death. Too many of em anyway.

      • (Score: 1) by Frost on Monday February 27 2017, @02:27PM

        by Frost (3313) on Monday February 27 2017, @02:27PM (#472273)

        China is second world, not third world.

        The three worlds [wikipedia.org]

      • (Score: 0) by Anonymous Coward on Tuesday February 28 2017, @04:54PM

        by Anonymous Coward on Tuesday February 28 2017, @04:54PM (#472856)

        Sounds like grandpa...

  • (Score: 3, Interesting) by TheRaven on Monday February 27 2017, @09:38AM

    by TheRaven (270) on Monday February 27 2017, @09:38AM (#472189) Journal
    And this is why you shouldn't trust cloud services. Apple may have the best of intentions and respect your privacy, but simply by collecting a load of data in one place they're creating a high-value target. No one cares about you enough to try to compromise your account, but the data about you and a few million others is quite valuable in aggregate. Whether it's by inserting unscrupulous employees, compromising something in the supply chain, or old fashioned theft, someone else will get at the data eventually.
    --
    sudo mod me up
  • (Score: 0) by Anonymous Coward on Monday February 27 2017, @03:52PM

    by Anonymous Coward on Monday February 27 2017, @03:52PM (#472315)

    Well, have those jackasses replaced the alleged compromised firmware on their site and updated their site/employee roster not to be so easy to compromise? Have they been investigated by SAGs? Sick of most hardware vendors.

  • (Score: 2) by rts008 on Monday February 27 2017, @09:48PM

    by rts008 (3001) on Monday February 27 2017, @09:48PM (#472542)

    I knew Apple were assholes, but to delete a supplier?

    Supermicro better hope someone cares enough to undelete/restore them. It's hard to exist and do business when you've been deleted!

    *watches out window to see if anyone crawls out of the trashcan*

    It's past time to upgrade my firewall...