News Supermicro audit finds no evidence of back doors

As expected. The interesting bit would be knowing who fed Bloomberg the initial line of bull, and whether they were targeting Supermicro, or Apple & Amazon.

 

I still think this was an attempt at stock manipulation, along the lines of CTS Labs and "RyzenFall" (et al.) vulnerabilities that were in... AsMedia chips?

But it successfully knocked the share price down hard. Investigators need to go looking at who sold (just before this "report") or bought (just after said "report") large amounts of SuperMicro stock.

 

Personally i think it's more a case of some SS goons in fear of loosing funding briefing some technology illiterate journalist about hardware level attacks are possible.

 

Is there anyone surprised by this?

When it first hit the news, I was on the fence between stock manipulation and a journalist getting the wrong end, of the wrong stick. After Bloomberg doubling-down when doubts were raised, I moved a little bit further over to column A.

Having spyware baked in just seemed a bit too tinfoil-hat for the likes of Supermicro. Maybe China-serv International Business Server Machine Co, but Supermicro?

 

Having hardware-based backdoors inserted into hardware is not in the least tinfoil-hattish (we even have the leaked NSA documents on how they did it by snatching Cisco routers during shipping to customers and adding hardware and firmware mods), but the way Bloomberg were claiming it was done was pure fantasy. Magical redundant optoisolaters snuck onto the BoM, really?
It would not only be easier, but also more covert, to suborn the supply chain of an existing component; that is something that has already happened in non-malicious incidents (counterfeit parts slipped into the supply chain with genuine ones and making their way to military hardware, for example) and would not leave a 'this component should not be here' telltale.

 

I don't doubt that there's all kinds of kit out there with hardware based backdoors implanted through various means.
It was more the alleged scale and duration of the breach, the levels of oversight and scrutiny that it would have had to just slip through and the number of people that would have had to know about it that left me unconvinced.