Less than four months ago there was a lot of hype urging people to buy SMCI. Can anybody really trust the financial news outlets these days?
https://www.fool.com/investing/2024/07/13/is-super-micro-com...
https://www.forbes.com/sites/investor-hub/article/is-super-m...
https://investorplace.com/2024/03/smci-stock-alert-does-this...
You're taking financial advice from "forbes.com"?
Why do you think you could ever trust them?
Was the Fool article stealth-updated? It's not particularly positive at the moment.
Love that the fool.com article includes an up-to-date stock price graph showing the drop.
Betteridge's law of headlines strikes again, even if not all the reporters intended it that way
This is not surprising. Hindenburg Research (a short seller) documented SuperMicro's problems in August 2024 (https://hindenburgresearch.com/smci/).
On the one hand, while I have no reason to disbelieve this specific blog post about Super Micro, I know for a fact that elements of their other posts about other companies are simply wrong, including a number of their claims about Roblox.
That's the risk with relying on short sellers' reports. Very frequently, the short seller is lying.
With SuperMicro, the auditor's withdrawal is worth 100x the short sellers' report. This is because it is very common for short sellers to make up claims about a company's financials, but it is very rare for an auditor to voluntarily withdraw.
What exactly were they wrong about with regards to Roblox?
I called bluff on the Roblox short also. Of course there are bots, but the bots probably improve engagement also, so they aren't all bad.
I have heard Roblox is way worse than described. So trust random internet anons however you want.
I love how Hindenburg Research cleans up the market.
Is there any public data on how much money they have made, doing so?
They used to give out a calendar every year filled with pictures of their executives (mainly the CEO) living a lavish lifestyle. Posing with Ferraris, ribbon cutting ceremonies, stepping onto the company private jet, etc...
You could always tell when investors or potential customers were in town because the SMCI parking lot would suddenly have brightly colored sports cars parked right out front of the office, only to vanish shortly after until the next high profile meeting.
I always thought this was strange, but chalked it up to it being a cultural difference in how business is done in Asia vs the USA, but apparently not. GoPro used to do the same thing at their office in San Mateo back when the stock wasn't circling the drain, two Ferraris parked right outside the front door as you walked into the building. Appearances can often be deceiving I guess.
I would call it more stupid than strange. It practically screams "Please eat our lunch with a more lean and efficient company!" when they think bragging about how much money they waste is a good thing.
Supermicro and Asus are just about the only ones who make the motherboards I need in my COTS on-prem/dc stuff. Why don't more manufacturers target the server x64 market? It's sorely needed. I've built entire systems with SM, but they've long had issues, there just aren't many alternatives in the space.
I moved to Gigabyte for EPYC builds; they seem to be a bit quicker than Super Micro on initial launch and product line updates.
I've wondered this, too. I think the market must just not be big enough to support other players?
Another commenter mentioned Gigabyte; there's also ASRock's ASRock Rack line.
This was also content in today's Money Stuff [0]. Middle section, "Super Micro".
[0] https://www.bloomberg.com/opinion/articles/2024-10-30/florid... or https://archive.is/SGhLe
Bloomberg was the source that claimed SuperMicro servers were compromised by a grain-of-rice-sized chip that only had two conductor leads on it. https://www.theregister.com/2021/02/12/supermicro_bloomberg_...
…and most notably, never retracted the story.
> Bloomberg was the source that claimed SuperMicro servers were compromised by a grain-of-rice-sized chip that only had two conductor leads on it.
In a similar vein, Bloomberg was the source claiming that Continental and United passenger jets were humping mid-air: https://www.reddit.com/r/unitedairlines/comments/13xq64x/thi....
...
You're talking about this cover, right? https://westoahu.hawaii.edu/cyber/vulnerability-research/did...
I think you're making the mistake of confusing a cover image for a claim. If you have any experience with magazine cover images, you shouldn't take them that literally, because they're not meant to be.
Well, the biggest problem was that they basically had no details whatsoever in their report, and it was completely unverifiable.
I always assumed they were talking about vulnerabilities slipped into BMC firmware or maybe into (counterfeit?) ASPEED BMC chips themselves. If there was one thing an attacker would want to pwn to pwn an entire server, it would be the BMC.
Verifiable fact: SuperMicro BMC firmware (really all BMC firmware from all manufacturers) has had and will continue to have exploits: https://www.supermicro.com/en/support/security_BMC_virtual_m...
Verifiable fact: SuperMicro BMCs' default behavior is to expose themselves on the LAN0 port if the dedicated BMC interface has no link: https://www.supermicro.com/manuals/other/IPMI_Users_Guide.pd...
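An added example, not from this thread and not Supermicro's own tooling: a small POSIX shell audit for the failover behaviour the comment above describes, so a BMC that has quietly moved onto a data-plane NIC gets caught rather than discovered by an attacker. It assumes that `ipmitool raw 0x30 0x70 0x0c 0` is Supermicro's OEM "get LAN interface" command returning one byte (00 dedicated, 01 shared/onboard, 02 failover) and that `ipmitool raw 0x30 0x70 0x0c 1 <mode>` sets the same value, as I recall them from Supermicro's published FAQ; check the byte values against your board's IPMI guide before trusting a fleet-wide result. It also assumes `ipmitool` is installed with in-band access to the BMC (normally root on the host).

```sh
#!/bin/sh
# Added example (not from the thread, not Supermicro code): audit which NIC a
# Supermicro BMC will answer on, and optionally pin it to the dedicated port.
#
# Assumptions, to verify against your board's IPMI guide:
#   * `ipmitool raw 0x30 0x70 0x0c 0` is the OEM "get LAN interface" command
#     and prints one byte: 00 = dedicated, 01 = shared/onboard, 02 = failover.
#   * `ipmitool raw 0x30 0x70 0x0c 1 <mode>` writes the same setting.
#   * ipmitool has in-band access to the BMC (/dev/ipmi0), normally as root.

# Map the raw byte ipmitool prints (e.g. " 02") to a human-readable mode.
decode_bmc_lan_mode() {
    case "$(printf '%s' "$1" | tr -d ' \n')" in
        00) echo dedicated ;;
        01) echo shared ;;
        02) echo failover ;;
        *)  echo unknown ;;
    esac
}

# Policy: only "dedicated" keeps the BMC off the host's data NICs. "failover"
# is the behaviour described in the thread: fine while the IPMI port has link,
# but the BMC moves to the shared LAN port as soon as that cable or switch dies.
bmc_lan_mode_is_safe() {
    [ "$1" = dedicated ]
}

# Report one host's raw answer. Returns 0 when safe, 1 when the BMC can appear
# on a shared NIC, so the caller can collect failures across a fleet.
report_bmc_lan_mode() {
    host=$1 raw=$2
    mode=$(decode_bmc_lan_mode "$raw")
    if bmc_lan_mode_is_safe "$mode"; then
        echo "$host: BMC LAN mode=$mode (ok)"
        return 0
    fi
    echo "$host: BMC LAN mode=$mode (WARNING: BMC may answer on a shared NIC)"
    return 1
}

# Query the local BMC; pass --fix to force dedicated mode when it is not.
# Not called at top level so the file can be sourced without touching hardware.
audit_local_bmc() {
    raw=$(ipmitool raw 0x30 0x70 0x0c 0) || return 2
    if ! report_bmc_lan_mode "$(hostname)" "$raw" && [ "$1" = --fix ]; then
        ipmitool raw 0x30 0x70 0x0c 1 0 && echo "$(hostname): set to dedicated"
    fi
}

# Usage: . ./bmc_lan_mode.sh && sudo -E sh -c 'audit_local_bmc --fix'
```

Re-run the audit after BMC firmware updates or a factory reset: if the default really is failover, as the comment states, a reset silently undoes the fix. Pinning the mode does nothing about the firmware bugs in the previous comment, so the dedicated port still belongs on an isolated management VLAN rather than anywhere a workload can reach.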
It's really weird to me how desperate so many people are to shut down any mention of this story instead of adopting a “if it were true, what would it look like?”-and-hope-to-be-wrong approach.
The issue I have with it is that they make specific claims about a single manufacturer and certain of their customers, with no evidence to back up what specifically they think was done, and in fact the details they do give don't really make much sense. The general claim, that these sorts of attacks are possible, and likely do happen, is not really in dispute, and you can of course imagine all kinds of details that would fit with the vague claims that they make (though, this also tends to require making up extra hoops or just assuming they invented some of the details that they did give, like you've just done by assuming it's a firmware attack, when they specifically mention an extra chip), but that's not really the point. If they run a story about an attack, it should have some credibility about that specific attack beyond that it's the kind of thing that could happen.
To use an analogy, it's much like running a story that Mrs Perkins's dog bit Mr Jones. It's not exactly something that in the abstract anyone would consider particularly unusual, but if they don't even tell you where such a canine attack took place, or how they came to know about it, or indeed anything else, and Mrs Perkins and Mr Jones deny it happened, you might quite reasonably want more details before you believe that it did happen (or indeed, get any real value at all from the story, even if you believe it did, given that, again, the general concept that a dog might bite someone isn't particularly interesting or surprising).
Also, I see 3, not 2 pins on that chip.
I'm not surprised about this at all. In spite of having plenty of actually decent products and good demand, the company has a history of acting shady and caring more about perceived appearance than about doing the right thing.
For instance, they appear to care about security issues that publicly embarrass them or that affect huge customers of theirs, issues that'd've been trivial to fix, instead of fixing issues for the sake of fixing them. This kind of "sales"-based security and their responses have forced me to encourage multiple companies to use other vendors.
That sounds like the majority of companies to me.
that'd've
I know what you mean, but that is the first time I've encountered that contraction in print or even in conversation.