On 10/04/2018 09:47 AM, Douglas Eadline wrote:
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
Key snippet:
"The illicit chips could do all this because they were connected to the
baseboard management controller, a kind of superchip that administrators
use to remotely log in to problematic servers, giving them access to the
most sensitive code even on machines that have crashed or are turned off."
My take-away:
This will only impact systems where there is a route between the wider
world and the IPMI ports on your servers. That's an extremely terrible
practice anyhow since IPMI isn't the most secure protocol, so the
solution should be to cordon off your IPMI network to a separate,
non-network-attached switch or leave it disconnected entirely if you
don't administer your machines in that way. If you've properly secured
that network you should be sufficiently guarded at least from an outside
intruder having levers into your system. Rogue chips on your boards
could of course always impact the system at some future date in a
pre-programmed way, but I know of no way to guard against that kind of
an attack short of vetting each and every board under suspicion on a
chip-by-chip basis.
Best,
ellis
--
Ellis H. Wilson III, Ph.D.
www.ellisv3.com
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit
http://www.beowulf.org/mailman/listinfo/beowulf
