Super Micro chief bean counter: Bloomberg's 'unwarranted hardware hacking article' has slowed our server sales

Super Micro Computer on Thursday reported net sales in the range of $952m to $962m for the first quarter of its fiscal 2019, which ended September 30, 2018. That's higher than company guidance of $810m to $870m, and up roughly 40 per cent on the year-ago period. The Silicon Valley server maker delivered GAAP EPS in the range …

  1. Shadow Systems

    I give SuperMicro the benefit of the doubt.

    If the entity making a claim can not or will not produce proof of their claim, then the other party can legally sue for libel. If the paper refuses to produce one of the supposedly compromised boards, SuperMicro can take them to court & sue the shit out of them.

    Because of that I'm siding with SuperMicro on this one. The paper either has to Put Up, Shut Up, or Get Sued. A full page retraction may be just the tip of the court ordered justice.

    1. Mark 85

      Re: I give SuperMicro the benefit of the doubt.

      I tend to agree but I wonder if this is more of a "targets of opportunity in a trade war"? It could be either one or both. The old "simplest answer is usually right" seems to apply here.

      Yes, Super Micro can sue and Bloomberg will either have to put up or pay. Seems to be sloppy reporting if the only evidence was "photos" and they never actually had or have the evidence in question.

      1. GidaBrasti
        Windows

        Re: I give SuperMicro the benefit of the doubt.

        In the meantime, I am sure you have noticed that none of the affected enterprises, namely Apple, Amazon and SuperMicro, have done anything substantial against Bloomberg other than whining.

        Now if the impact on the financials is what it seems and the allegation is false, surely one might expect a more definitive action right?

        Instead, everyone hopes that it will soon be forgotten just like Spectre and Meltdown.

        Which leads me to the conclusion that either the Bloomberg story (at least the core of it) is indeed correct or that no company involved is actually sure that what is described in the story could not have happened. Which basically means that the story has a high chance of being correct.

        Icon because Windows users have been willingly subjected to the spy treatment all along since 10. One spy more doesn't make that much of a difference.

        1. doublelayer Silver badge

          Re: I give SuperMicro the benefit of the doubt.

          What action do you need to make you doubt the story? If your only reason for believing it's true is that all Amazon, Apple, and SuperMicro have done is to get grumpy and deny it, I don't know how far they can go. Do they need to sue to convince you? I don't know for sure, but I would believe the companies without some additional evidence. The chip seems borderline feasible, but I don't tend to believe things at that level of feasibility without evidence in the form of named sources, external confirmation, or ideally physical evidence.

          1. Yet Another Anonymous coward Silver badge

            Re: I give SuperMicro the benefit of the doubt.

            >Do they need to sue to convince you?

            Not clear they can sue unless they can prove some sort of conspiracy. Shorting of the stock by some Bloomberg insider for instance. Simply getting a story wrong is unlikely to be punished in court in the USA.

            Unless the corporations can lean on the idea that they are "natural persons" and so could sue for libel, but in the USA they would have to prove it was both untrue and malicious - unless they could go to court in the much more libel-friendly UK.

            1. Jtom

              Re: I give SuperMicro the benefit of the doubt.

              The elements of a libel/defamation claim are: 1) intentional publication of a statement of fact 2) that is false 3) unprivileged 4) has a natural tendency to injure or which causes "special damage," and 5) the defendant's fault in publishing the statement amounted to at least negligence.

              Unless you are a public figure, the false statements need not be malicious, nor must you know that the statements are untrue. Failure to adequately vet a story is negligence.

              For a media outlet to print a false story like this (assuming it is) is prima facie evidence of negligence, and sticking to it increases the liability. They will have to reveal what their basis was for determining the story’s veracity, and it better be solid. Otherwise, they are clearly negligent in determining the facts. Did they get access to a ‘corrupted’ board? Get it checked by an independent research group? How did they verify any internal documents they obtained? They can likely protect their sources, i.e., not be forced to reveal names, but they cannot use that as a defense. When they protect the source, they give up any firsthand evidence that source could attest to.

              If they cannot prove they had credible reasons to believe the story was true, a good attorney would sue them for whatever shortfall in revenues suffered that could reasonably be shown. Considering that the company had a great previous quarter, the assumption would be that the next quarter would have been at least as good without the article.

            2. JohnFen

              Re: I give SuperMicro the benefit of the doubt.

              "Not clear they can sue unless they can prove some sort of conspiracy."

              Sure they can. I think you mean that it's not clear they'd win the lawsuit. That may (or may not) be -- but if the Bloomberg story actually made false claims without having a reasonable belief that they were true, then Bloomberg would lose.

              But suing them would bring a critically important benefit even if they lost the lawsuit: it would force Bloomberg to come forward with their evidence, which would at least give everyone something more than hot air to go by.

            3. gnasher729 Silver badge

              Re: I give SuperMicro the benefit of the doubt.

              "Not clear they can sue unless they can prove some sort of conspiracy. "

              Of course they can sue. It is unlikely they would win a libel suit, since it would be very hard to prove malice. However, if a court ruled "there is not one bit of evidence that Bloomberg's facts are true, but Apple / Amazon etc. cannot prove malice", the companies would be happy with that.

          2. JohnFen

            Re: I give SuperMicro the benefit of the doubt.

            "What action do you need to make you doubt the story?"

            I do doubt the story, in the sense that it's vague enough to suspend judgement about it. If SuperMicro, Apple, etc., feel that the story is so blatantly wrong, though, then suing Bloomberg would go a long way toward demonstrating that.

            The fact that all they've done is blow as much hot air as Bloomberg tells me that they're not so sure. So, I remain undecided.

        2. Anonymous Coward

          Re: I give SuperMicro the benefit of the doubt.

          "Instead, everyone hopes that it will soon be forgotten just like Spectre and Meltdown. Blah blah blah...Which basically means that the story has a high chance of being correct."

          Or, basically means the opposite.

          Or, the best way for it to "be forgotten" is to ignore it and not try and refute a negative and pursue a lawsuit. A lawsuit win (not a cakewalk) is winning a battle in a lost war.

        3. Jtom

          Re: I give SuperMicro the benefit of the doubt.

          Amazon has pulled their ad money. That’s the most painful cut of all for a news org. Do you have any idea how the media are struggling for revenues?

    2. a_yank_lurker

      Re: I give SuperMicro the benefit of the doubt.

      For a successful suit one has to prove Bloomberg knew the story was false at the time they published it. If the reporters have good notes, etc. the suit will go nowhere fast as Bloomberg would show it had information (erroneous to be sure) that said this was happening. The fact that many who have some real knowledge of manufacturing and inspection find the story dubious does not matter.

      The more likely story is this was a plant by someone who wanted to short SuperMicro and needed a plausible story in a reputable rag to trigger a stock price decline. If orchestrated correctly, it has a chance of working if a rag swallows the line and runs the story. The rag is an unwilling dupe and actually as much victim as SuperMicro.

    3. the spectacularly refined chap

      Re: I give SuperMicro the benefit of the doubt.

      If the entity making a claim can not or will not produce proof of their claim, then the other party can legally sue for libel. If the paper refuses to produce one of the supposedly compromised boards, SuperMicro can take them to court & sue the shit out of them.

      They can try. However if it goes to court the onus is on the party making the claim to provide the evidence - in libel cases this is inverted to how you might expect, i.e. the potentially libelled party has to prove they were libelled rather than the libelling party proving what they have said is true, since the case is about the libel rather than the original allegation.

      That makes the case difficult to prove absent evidence of conspiracy or some other skullduggery since you are trying to prove a negative - the inability to produce boards that do not exist is not itself evidence that the supposed boards do not exist.

      1. Jtom

        Re: I give SuperMicro the benefit of the doubt.

        ’Fraid you have that one bass-ackwards. The only thing the offended party need prove are his damages. You can’t say or print whatever you want about someone else unless you can show you could reasonably believe it was true.

        Otherwise, I could say that two years ago, you had sex with a five year old - prove that you didn’t. You can’t, of course, so you would be defenseless against the accusation. Might as well throw out all the slander laws if that were the way things worked.

        In a criminal case, you are innocent in a court of law until proven guilty by the government. In a slander suit, you are innocent of a claim until it is proven true by the slanderer. That’s the only way justice can work.

        1. Orv Silver badge

          Re: I give SuperMicro the benefit of the doubt.

          @Jtom: It's not that cut and dried, at least under US law. Statements of opinion and rhetorical hyperbole are protected, for example. Ability to show damages is not enough. US law tends to fall on the side of not chilling speech, even if that speech is really assholeish. (You may be correct in terms of UK law, though.)

          Ken White has an analysis of Elon Musk's statements calling Vernon Unsworth a pedophile that is probably instructive here, in that it shows which of his statements are defensible and which may not be:

          https://www.popehat.com/2018/09/17/cave-diver-vernon-unsworth-sues-elon-musk/

    4. JohnFen

      Re: I give SuperMicro the benefit of the doubt.

      "SuperMicro can take them to court & sue the shit out of them."

      I have been wondering why they (or Apple, etc.) have not already done this. That they haven't raises the possibility that the reason they haven't is because they think there's a chance that the story is correct.

  2. Big Al 23

    I'm sure there will be litigation over the Bloomberg story

    To make such damning claims without a shred of physical evidence leaves Bloomberg in a very bad light as well as legal position. If their multiple sources were accurate you'd expect them to be able to at least produce one compromised mobo, pictures of the compromised mobo, data logs of the mobo transmitting improper data or some reasonable irrefutable evidence to support their claims. Absolutely no one involved be it the companies or the authorities are supporting the Bloomberg story and in fact it has been denied by all parties. I'd expect Bloomberg to be served before the end of the year for damages and possibly malicious criminal fraud.

    1. bombastic bob Silver badge
      Big Brother

      Re: I'm sure there will be litigation over the Bloomberg story

      one way or another, I'd rather see THE TRUTH than "it gets swept under a rug".

      not quite time for popcorn, yet.

      /me hopes it's a lie (chinese spying chips NOT actually inserted into the boards) but expects it is NOT a lie.

  3. Anonymous Coward

    Dump SuperMicro Stock

    My policy is that a company restating 3 years of earnings has rot that may be through the core. Now they can blame Bloomberg for their revenue and stock failings, how convenient, but restating that many years of earnings almost always has detrimental effects on the stock price through deep suspicion of investors based on other companies that went bust through malfeasance. Which may not be the case for SuperMicro, but why take the risk as an investor.

    Just to throw more kindling on the fire, maybe SuperMicro instigated the Chinese Chip story so that SuperMicro can sue Bloomberg for the stock falling-- you have to show damages to sue for Real Money (r)-- when the actual cause was a c-suite failure resulting in an earnings restatement. How convenient, someone else takes the fall, it is the American Way ("it is not my fault!").

    We all know the hardware attack is possible, but did it happen? With the earnings restatement by SuperMicro, their cred is definitely doubtful.

    1. Anonymous Coward

      Re: Dump SuperMicro Stock

      Their financial history opens them up for soft "persuasion" from China, like small amendments to the board design and no questions asked. Now that the impact is clear, the management can choose between desperate denial or 40 years in jail.

    2. hahnchen

      Re: Dump SuperMicro Stock

      They were delisted from the NASDAQ due to financial reporting issues. They are now correcting those issues. Every investor with interest in Super Micro already knows this, it was already priced in before the Bloomberg story.

  4. RLWatkins

    I'm puzzled about all the controversy here.

    This is the kind of thing which, if the Chinese government had thought of it, they would have done. And they have more than an adequate number of qualified people to have come up with the idea.

    Moreover, the simpler integrated circuits are quite tiny. It's possible to embed the things into circuit boards where only a fine-tooth X-ray could find them. We know how. So do they.

    Finally, like most states, they have the attitude of "Whatever happens to you is OK, because you aren't us." And unlike all but a few other states, they discuss the stratagem openly.

    Our own (EEC, US) people have been warning us about this for twenty years. Really, if I were in the upper echelons of the Guo Yi, it's what I'd have done. Why not? Why the skepticism?

    We, all of us, are a bunch of large-animal, mammalian, top-predator, omnivores. We live in a big world. And the only people in it who don't want to defeat us are the ones who haven't noticed us yet.

    It's been going on all along. Get used to it.

    1. bombastic bob Silver badge
      Meh

      Re: I'm puzzled about all the controversy here.

      "It's been going on all along. Get used to it."

      I'd rather expose it and put a stop to it, thanks, but upvote for the rest of what you said.

    2. Spazturtle Silver badge

      Re: I'm puzzled about all the controversy here.

      It would have been easier to just install a modified firmware on the boards instead of putting a chip on the board to modify the firmware.

      1. CrazyOldCatMan Silver badge

        Re: I'm puzzled about all the controversy here.

        It would have been easier to just install a modified firmware on the boards

        You mean - like the CIA/NSA did with Cisco routers & switches before they were shipped off to foreign shores?

        (My thoughts on this lie with SuperMicro/Apple/Amazon being correct - Bloomberg/Business Insider are bottom feeders and pretty much scrape any 'sensational' news they can without bothering to test veracity. After all, doing *actual* pre-publication fact-checking would mean someone else might publish it first and get all those ad-revenue-generating clicks!)

      2. Anonymous Coward

        Re: I'm puzzled about all the controversy here.

        >It would have been easier to just install a modified firmware on the boards instead of putting a chip on the board to modify the firmware.

        What firmware? A lot can be re-uploaded by the end users and I see no reason why an opponent could get their hand on deep firmware and upload it to masked ROM.

  5. FlamingDeath Silver badge

    it all comes down to size

    Most companies are so monstrously large, they have no clue what is going on inside their computer systems, you only have to visit corporate websites to see that iceberg poking out. I once visited an ISP that had no access control systems in their building and was not challenged when I started wandering around. What is all of this saying?

    Don't discount something because evidence is lacking, if you're not looking for it of course it doesn't exist.

    Unfortunately we live in a world where appearances are more important than hard facts, after all, investors (sic), shareholders, and other such antisocial people only care about money and PR is king.

    You're welcome

    1. Doctor Syntax Silver badge

      Re: it all comes down to size

      "Don't discount something because evidence is lacking"

      But if evidence is lacking don't claim something, especially something as way out as this.

      1. doublelayer Silver badge

        Re: it all comes down to size

        Actually, do discount something when evidence is lacking. Don't discount it all the way down to zero, but "because it is possible" is not enough to believe something. It is possible that I run a group of people who break into people's homes, yours earlier today, and insert malware onto any computers found there. We are very good at getting through locks without leaving a trace, and our malware hides in the firmware where you can't easily find it. Prove that didn't happen. That is not a good enough argument. I believe this story to be unlikely. The things stated are feasible, but with the lack of substantiation from external sources or release of evidence, I believe it to be less likely.

  6. Anonymous Coward

    NSM - follow up?

    Has the Reg followed up the lead about NSM confirming the story? After all they are the only authority seen so far that confirms Bloomberg.

    1. nagyeger

      Re: NSM - follow up?

      Urm... NSM?? Google gives me lots of links about Naval Strike Missiles.

      1. Anonymous Coward

        Re: NSM - follow up?

        NSM: https://nsm.stat.no/english/

        They were interviewed by the Norwegian press about Supermicro. It was mentioned several times earlier in the discussions so far.

  7. cookieMonster Silver badge

    Three little words....

    National Security Letter(s) ???

  8. _LC_
    Thumb Up

    Thanks for the article!

    Some commentators' reasoning is rather awkward. "It could have happened". This then makes it okay to blame them for something that DIDN'T happen, huh?

    Furthermore, it could not have happened like that. If you know a little about electronics and software, you can easily debunk the story as horseshit. "I've seen a hippo with wings glued on to each side. I swear it can fly!". Yeah, no. :-P

  9. NonSSL-Login
    Holmes

    Amazon, Cisco etc no Angels

    I can see Amazon not wanting to push this publicly otherwise it might get mentioned how they work with the CIA and allow parcels en route to be opened, motherboards with backdoors placed into packages in place of legit hardware, then sent on the rest of the journey.

    It's highly possible Super Micro has made a few modified boards for Chinese intelligence to be used in a handful of places, in a similar way the US works with Intel, Cisco, Apple, Microsoft etc to backdoor devices and software in a small number of cases.

    Finding evidence when only a few are out there would be difficult. At the same time, without evidence anyone can come along and claim x, y and z and damage a company's credentials. The US have a habit of trying to damage foreign competitors of its companies. Look at all the angles they attacked Kaspersky with (even signing US gov malware with Kaspersky's digital keys) in a hope of damaging the company beyond repair. They have upped their game on these attacks since the Sony attack.

    1. CrazyOldCatMan Silver badge

      Re: Amazon, Cisco etc no Angels

      Your point is somewhat damaged by:

      1. Including Cisco in this (they were not part of the Bloomberg 'story')

      2. Suggesting that Apple co-operate with the NSA and pre-backdoor their devices. Given that they stood firm against the FBI when requested that they do just that, it's less believable that they would roll over for the NSA..

      1. JohnFen

        Re: Amazon, Cisco etc no Angels

        "Given that they stood firm against the FBI when requested that they do just that, it's less believable that they would roll over for the NSA.."

        I disagree with this reasoning. Standing up to the NSA is a completely different, and more serious, matter than standing up to the FBI.

      2. Anonymous Coward

        Re: Amazon, Cisco etc no Angels

        > 2. Suggesting that Apple co-operate with the NSA and pre-backdoor their devices. Given that they stood firm against the FBI when requested that they do just that, it's less believable that they would roll over for the NSA..

        You assume too much. We do not know they stood firm against the FBI, we only know they said so. If even half the stories we hear about the intelligence agencies are true, it is clear that appearances are important but are not necessarily that closely related to the truth.

  10. Andrew Mayo

    Never a plausible story in the first place

    This was never a plausible story from day one. SuperMicro's manufacturing facilities will work from downstream manufacturing artifacts e.g. the Gerbers, pick and place files etc, which drive the PCB manufacture and subsequent pick and place and wave soldering stages and so on. They don't have the original design files, nor do they need them to manufacture product.

    It's like 3D printing. I have the FreeCAD files, I export STLs, the STLs get sliced to produce gcode. I give the gcode to the printer, that's all it needs.

    Yes - theoretically I can hack the gcode; that's hard. And detectable, if I compare with a master copy. Much easier to change the CAD file - but that's not a downstream artifact, why would I give that to the people printing my design?

    To somehow interfere with these manufacturing files, which are under rigorous version control, and distribute the tampered copies to the fabrication pipeline would be an incredibly challenging task. Since QA also then take finished boards and X-Ray them and compare against an exemplar board, you also then have to somehow ensure that the resulting compromised board is undetectably different, which given that you need to route power and signal traces to these spy chips really starts to challenge credulity.

    Bloomberg could make these assertions because their reporters and editors were technically naive about hardware manufacturing and probably figured if you can tamper with software, surely it's just as easy to tamper with hardware. As for why Bloomberg made the claims, a number of industry sources believe that they were indeed the fall guy for a state-sponsored disinformation campaign timed to coincide with the US disfavouring Chinese vendors. Recall that AT&T got leaned on heavily over selling Huawei phones to the extent they pulled out from a deal.

    Finally, no-one's suing anyone because, in the case of Apple/Amazon there's no basis for legal action; no-one accused them of anything but, allegedly, being victims. They deny this. End of story. As for SuperMicro, they could sue Bloomberg but, absent proof of malice, Bloomberg have a fairly strong defence that they had reasonable grounds to believe the story to be true.
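
The master-copy comparison described in the comment above, as an added example that is not part of the original thread: a digest check on a pick-and-place file, followed by a per-component diff, since an extra part on the board needs an extra placement line. The CSV column names and both sample files are constructed assumptions; real CAD exports differ.

```python
import csv
import hashlib
import io

# Constructed sample data: a master pick-and-place file and a received copy.
# The column layout is an assumption; adjust the names to your CAD tool's export.
MASTER_PNP = """Designator,Value,Package,MidX,MidY,Rotation,Layer
C1,100nF,0402,10.16,5.08,0,Top
R1,10k,0402,12.70,5.08,90,Top
U1,SPI-FLASH,SOIC-8,20.32,15.24,0,Top
U2,BMC,BGA-256,40.64,30.48,0,Top
"""

RECEIVED_PNP = """Designator,Value,Package,MidX,MidY,Rotation,Layer
C1,100nF,0402,10.16,5.08,0,Top
R1,10k,0402,12.70,5.08,90,Top
U1,SPI-FLASH,SOIC-8,20.32,15.24,0,Top
U2,BMC,BGA-256,40.64,30.48,0,Top
FL9,FILTER,0402,24.10,15.24,0,Top
"""


def sha256_text(text):
    """Digest of the exact bytes; any edit at all changes this value."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_placements(text):
    """Map designator -> (value, package, x, y, rotation, layer)."""
    placements = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = row["Designator"].strip()
        if key in placements:
            # A repeated designator would let one entry silently shadow another.
            raise ValueError(f"duplicate designator {key!r}")
        placements[key] = (
            row["Value"].strip(),
            row["Package"].strip(),
            round(float(row["MidX"]), 3),
            round(float(row["MidY"]), 3),
            round(float(row["Rotation"]) % 360, 1),
            row["Layer"].strip().lower(),
        )
    return placements


def diff_placements(master_text, received_text):
    """Return added, removed and changed designators relative to the master."""
    master = parse_placements(master_text)
    received = parse_placements(received_text)
    common = set(master) & set(received)
    return {
        "added": sorted(set(received) - set(master)),
        "removed": sorted(set(master) - set(received)),
        "changed": sorted(d for d in common if master[d] != received[d]),
    }


def check_artifact(master_text, received_text):
    """Hash check first; explain the difference only if the digests disagree."""
    if sha256_text(master_text) == sha256_text(received_text):
        return {"match": True, "added": [], "removed": [], "changed": []}
    report = diff_placements(master_text, received_text)
    report["match"] = False
    return report


if __name__ == "__main__":
    print(check_artifact(MASTER_PNP, RECEIVED_PNP))
```
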

    1. JCitizen
      Megaphone

      Re: Never a plausible story in the first place

      I'm not a fan of Bloomberg, so don't get me wrong there; but I have a friend who actually saw some early examples of these chips while visiting a lab in Indonesia! My friend said they were so arrogant back then, that they even printed a logo on the back of the chips placed on the circuit boards. They were a little crude at the time, more like a piggyback chip. So I totally believe the report, and in fact, they would have to prove this report was wrong in my not so humble opinion.

      I can see why the OEMs are squawking, because the recovery of hardware like that would destroy the company; I doubt they will ever admit it - and it would take a government investigation to bring out the truth, which I doubt will happen, because our spooks would like to take advantage of these back doors as well.

      1. _LC_
        Facepalm

        Re: Never a plausible story in the first place

        "... and in fact, they would have to prove this report was wrong in my not so humble opinion."

        *Errmm* - which century did you escape from?!?

        Bloomberg did not deliver ANY evidence. How can you prove them wrong? This is like one of those silly "Prove that god doesn't exist!" debates.

    2. Anonymous Coward

      Re: Never a plausible story in the first place

      Are you really familiar with the workflow of a contract manufacturer? It is more than 10 years since I was working in that industry but I didn't expect radical changes since then.

  11. HmmmYes

    Bloomberg needs at least one of these servers with the magic spy chips stored in its lawyers' safes.

    If it hasn't then it can expect to be sued out of business.

    As far as Supermicro needing to prove the other side a liar. Simple - M'Lud, does Bloomberg have one of these hacked machines it can provide to a 3rd party for inspection and analysis?

    Tumbleweed rolls across the court ...

    Having a journo in court saying 'A big boy told me it was possible' doesn't cut it.

    1. JohnFen

      "Having a journo in court saying 'A big boy told me it was possible' doesn't cut it."

      That depends on how the story was reported. If Bloomberg reported (as I think that they did, but can't be bothered to read the piece again) that "According to Big Boys, the boards were compromised" then they're legally on safe ground, as they correctly reported that somebody else told them something. Whether or not what the somebody else said is correct doesn't really enter into it (unless a "reasonable person" should have known that they were being told bullshit).

      If, however, Bloomberg reported that they were in possession of evidence that they weren't in possession of -- in other words, that they knowingly lied -- then they are in legal jeopardy.

  12. Anonymous Coward

    Bloomberg Rumor mill

    I re-read the article and other articles by Bloomberg. They really are not a news org.

    In this article:

    1) They start off with the premise that people who speak Mandarin are conspiring against the US.

    2) They state what could happen, then back it up with anonymous sources.

    3) They state it as fact with all references to "someone told me".

    This is pretty much all Bloomberg articles. It's how all conspiracy theories are based.

    In this case:

    Governments try to steal secrets. The US is leading in this area. US government people work 24/7 on spy techniques like this.

    It is possible that they tried something like this. It can easily be caught and removed and the factory was changed. Super Micro caught it before anything shipped and the rumor leaked out.

    The number of Bloomberg articles based on Fear or idea, followed by rumors to back it up are quite large. I was surprised.

    We should have flying cars..... a guy says it is possible. Publish that flying cars are coming in 2020.
