Super Micro Computer has gone from an obscure server maker to $60B market cap (wsj.com)
181 points by Bostonian on March 17, 2024 | 130 comments


Super Micro stock was clearly undervalued even on traditional P/E metrics as recently as 2022. And I believe the reason for the depressed stock price was Bloomberg’s allegations that China was using Super Micro’s motherboards as Trojan horses for spy chips:

https://www.datacenterdynamics.com/en/news/years-later-bloom...

Bloomberg originally broke this story in 2018, then repeated the allegations in 2021. But AFAIK it was never proven.

The Nvidia + Meta connection finally broke the spell and allowed investors to look at SMCI with fresh eyes.


The low valuation had less to do with the spying allegations and more to do with a history of accounting frauds. Obviously if you have a proven history of fudging up revenue numbers, investors are less likely to invest in you.

https://www.sec.gov/news/press-release/2020-190


If that were true, Carvana wouldn't have an obscene valuation.


…but it doesn’t?


> Bloomberg originally broke this story in 2018, then repeated the allegations in 2021. But AFAIK it was never proven.

Isn't that libel? Or something similar at least, not super familiar with US laws.


My amateur understanding is that it’s very hard to successfully sue journalists for libel in the US because you’d have to prove malicious intent. A journalist writing a story based on their sources may have been misled by someone with an agenda, but didn’t write the false story with active malice.


As someone who has done journalism, that's basically correct. All indications are that simultaneously the story wasn't true and the reporter and all their editors firmly believed it was true. My personal assumption is that they believed the story was solidly sourced but they were misled.

ADDED: Standards are somewhat different between private people and public people/corporations.


I'm glad the story ran, even if it wasn't true - because it opened people's minds to the idea that this was happening. And it is a very real possibility. O.MG is a hobbyist project, but there's no question that the NSA's dirty tricks book, ANT/TAO[1] has something similar, but far more capable.

We should all be paying attention to hardware suppliers and making sure that objects are "as-ordered", but today even a standard chip packaging can hide a ton of malicious logic.

[1] https://en.m.wikipedia.org/wiki/ANT_catalog


and ruining Company’s reputation over a lie is what - a collateral damage?


Lots of weird things have been said about many companies. I think the other part of this story is thus - Don't believe everything you read on the internet, or even in print media.


> I'm glad the story ran, even if it wasn't true - because it opened people's minds to the idea that this was happening.

By 2018, all the eyes that could be opened already were.

It's true that there were people that aren't convinced by the well-evidenced reporting from the Snowden, etc revelations. Of that group, I can't see Bloomberg's low-evidence story as what finally opened their eyes.


> We should all be paying attention to hardware suppliers and making sure that objects are "as-ordered", but today even a standard chip packaging can hide a ton of malicious logic.

For smartphones, laptops and PCs that is relatively easy to defend against if you think you might be a target for three-letter agencies - just walk into a computer store and buy what they have on the shelf with cash. Even the NSA doesn't have the resources to intercept and modify all the shipments to Apple, Best Buy, Costco and whatnot - and I'd guess at least Apple has pretty strict security in their supply chain given that Apple stuff has insane value even just for parts if someone were to intercept a delivery.

Network architecture however, that is more complex. Cables, Ubiquiti, HP and Dell stuff, you can buy that off the shelf, so same advantage. But servers? Good luck finding ones on the shelf anywhere.


> Even the NSA doesn't have the resources to intercept and modify all the shipments

Your words are close to the truth, but not equal to it. I don't know the exact resources of the NSA, but I know businesses in the ex-USSR that did exactly what you say with smartphones and audio/video.

This was a grey import scheme, through which more than 90% of tech was imported into these countries, and this was the reason why Sony was condemned in Russia in the 90s "for extremely low quality" (because local Sony representatives participated in the scheme and the central office closed its eyes to this).

So, in Eastern Europe at that time there were zero import taxes on electronics. They imported electronics, disassembled them into parts, and exported the parts to the ex-USSR as garbage; then these parts were reassembled in garages and sold in ordinary shops as new devices.

As I said, more than 90% was reassembled; only less than 10% was imported as ordinary contraband, or officially imported.

For scale, as I remember, the US has about 300mln population, Russia has 140mln, approx half (sure, Russians have much less purchasing power, but it is hard to estimate now; if it may help, Russia's GDP is very close to Italy's, with about 59mln population).

> Apple has pretty strict security in their supply chain

Must admit, Apple has better security than other manufacturers, but grey iPhones are still sold in Russia, so real hackers found ways.


The source in this case admitted that he presented a hypothetical scenario with a random SMD component as an example. The ignorant Bloomberg employee embroidered that into a lie.


>Ignorant

Never attribute to ignorance what can be explained by malice and corruption (post-GFC/Madoff, finance and its cottage industries no longer get the benefit of the doubt).


First we had too big to fail, now we have too stupid to fail.


I think most consumer market "reporting" is poorly-disguised market-manipulation. Best advice for your portfolio is to tune all of those assholes completely out.


Something fun: pay attention to how many financial news headlines are formatted, "X as Y" or "Statement Presented as Fact: Says Opinion-Haver". The first implies that there's some causational link between X and Y, when none might exist; the writer can claim that they were just stating that two events were happening in tandem. The second biases a reader before they receive the crucial information that the preceding statement was not, in fact, fact.

(Also, lately, look out for listicles of stocks "to buy" (not financial advice, of course) and "Forget X".)


That was such an incredibly ridiculous story. I spoke with more than a few supposed infosec "professionals" who believed it entirely too. Never mind that there were zero reports from other journals (you know, like anything even slightly technical), that none of the cited sources would reiterate what they had supposedly said, or that the claimed mode of operation wasn't even possible. Their follow-up, despite having been disproven numerous times over, was even more ridiculous.


If I'm assuming everyone involved had good intentions, the best thing I can guess is someone was speaking to the writer about the potential of the BMC being used for spying and got some details mixed up.

Consider: the BMC has access to the system via PCI-e, as well as kvm and comport. In some systems, the BMC is in the path of the main NIC. There have been some major software flaws in BMC software, including revisions that SuperMicro shipped, where passwords could be bypassed in the network interface.

Stuff like this https://web.archive.org/web/20140625065505/http://blog.cari.... and other things on this page http://fish2.com/ipmi/ are all pretty nasty if you thought IPMI was secure in the neighborhood of 2014.


> If I'm assuming everyone involved had good intentions, the best thing I can guess is someone was speaking to the writer about the potential of the BMC being used for spying and got some details mixed up.

I can't judge their intentions. But Bloomberg doubling down on the story in 2021 strongly discounts the possibility that the original reporting was based on any kind of bad info.

ref: https://www.datacenterdynamics.com/en/news/years-later-bloom...

Three years is a long time to believe in bad data, with everyone everywhere pointing out the same issues with their story.


> “This wasn’t a case of a guy stealing a board and soldering a chip on in his hotel room; it was architected onto the final device,” he said, declining to reveal which company he worked for at the time.

Still kind of reads like someone told us there was a bad chip on the motherboard. And there was, and it was the BMC/firmware for the BMC.

Did SuperMicro (or their suppliers) just write shitty firmware with zero security for their BMCs because that was the industry standard, or was it a Chinese Ministry of State Security plant who did it as part of an evil plot?

Did big companies pull out of SuperMicro because of poor BMC security? Sometimes, a bit, often as just one more checkbox on the way to OCP style defluffed machines; in an early revision of OCP, rather than a BMC, the NIC's wake on lan signal was rerouted to reset, to become reboot on lan. But then OpenBMC happened, cause reboot on lan isn't enough for everyone.


>But Bloomberg doubling down on the story in 2021 strongly discounts the possibility that the original reporting was based on any kind of bad info.

How so? If there was an ulterior motive (I don't know if there was, but it's been suggested) then they'd also double down. They also didn't even attempt to respond to the issues. If they had good information based in reality, a lot of the claims would've been trivial to refute.


Meta is wasting all kinds of money ($40B across 2 years) on Nvidia, SMCI, and their own gear. SMCI and Nvidia stocks are now overvalued because there are no fundamentals to sustain this business. OpenAI/Microsoft may be an exception, but Meta is wasting money it doesn't have on profits that aren't there. These data centers and servers are being built on orders of Zuck without a concrete, specific product or purpose for their use. This is akin to a newbie business owner buying lots of inventory without orders.


Meta obviously has the money; $135B revenue, $88B in expenses, $18B in debt.

Even assuming the current push toward general AI is a bubble, which is not unreasonable, the company can afford to throw away billions of dollars. It doesn't matter at all; they own the money printer and can make as many bets in as many markets as they want.

The same GPUs that are presently being used to create semi-open AI projects can just as easily be repurposed to power a public launch of their Codec avatars, which are lightyears ahead of what Apple has, or for better prediction engines in what are quite probably the best sales engines of all time: Their websites.

Their data centers will be useful for the future of selling products to gullible consumers: Short-form video, which is the first chance in years that they've had to meaningfully take market share from Google.

Even assuming it was all vanity, Zuckerberg has earned the right at this stage in his career to make vanity plays. He still has majority control over his company, which shareholders have insisted upon, and he has an almost untarnished record of making incredible long-term bets that seem irrational at the time (Instagram acquisition, Whatsapp acquisition, arguably the Oculus acquisition).

He's earned drastic amounts of money for speculators, who have done little to deserve any of it. It would be a strange thing to argue that the speculators suddenly have a better grasp of what he's doing than he does; there are millions of speculators, but only one person with a track record like Zuckerberg.


> almost untarnished record of making incredible long-term bets that seem irrational at the time (Instagram acquisition, Whatsapp acquisition, arguably the Oculus acquisition).

how's the metaverse going?


Pretty well, actually; Quest has outpaced this generation's Xbox.


Meta has plenty of money to spend. It's also been reported that Meta is using AI to get around Apple's ATT [1], with some reports saying that user ad targeting is better than before ATT came out [2]. Meta is already executing and succeeding on a concrete plan using their AI.

[1] https://www.forbes.com/sites/jonmarkman/2023/05/24/metas-ai-...

[2] https://www.socialmediatoday.com/news/meta-outlines-evolving...


you know the saying; the market can stay irrational longer than you can stay solvent and all that. turns out P/E ratios determine a theoretical floor for the price, but as we've seen with Tsla and crypto, this shit's all vibes anyway. AI isn't slowing down, or going to go anywhere, so these stocks, overvalued though you might see them, aren't going to go down anytime soon, in my opinion, so while what you say is true, NVDA and smci are safe to hold. the real question is what's going on with tsmc and mu, given their proximity to NVDA, and their lack of a pop.


It's interesting you mention Tesla, because their sales clearly show that the growth expectation was not realistic.

And in case of Nvidia it's even much worse.

In order for Nvidia to be worth a decent premium over the yield of some index fund like VOO (you're taking much more risk), it has to grow in the order of 42% per year for a decade in revenue.

There's no such amounts of money to be spent in hardware, it's lunacy.

Not even the other tech giants combined have even a small part of the money required for such growth.

And on top of that, this is a very dynamic sector where any competitor, technological breakthrough can make you the new IBM.

Prices like Nvidia were highly overvalued but understandable with a stretch of imagination of 25% growth for a decade when it was 300$. I could almost see it and would've still concluded it was an unlikely outcome and risk/reward ratio was not there.

But now we're long past that mark and in the territory of insane expectations and high premiums paid with a very high risk.


> There's no such amounts of money to be spent in hardware, it's lunacy.

Oh, money there is. NVIDIA is selling shovels to hordes of people searching for gold... first it was cr*ptoc*in miners, now it's billion dollar companies in the search for AGI. But unlike shovels that anyone with access to iron, a fire and a hammer can make, there are only five companies on this planet that can design the chips in the first place: Google and Amazon (who don't sell to outsiders), Intel (who has other, more pressing issues than to design AI training accelerators), AMD (who has the chops on the hardware design side but seems to be completely unable to get the software side stable enough that people would be even willing to look at it) and NVIDIA.

And to make the issue worse, there are only three fab houses who can physically manufacture the chips: TSMC, Samsung and Intel... TSMC is all but booked out already, Samsung is nowhere near their level, and Intel both doesn't do fab jobs for outsiders and has completely botched their new nodes for years now.

There is just no way anyone can outsmart NVIDIA at that point, and demand is only going to increase in pretty nasty bidding wars.


> Oh, money there is.

Spot on. Nvidia can't even meet all existing demand right now.

https://fortune.com/2024/02/21/nvidia-earnings-ceo-jensen-hu...


Money there is for sure, the claim though is the slightly different 'there isn't that much'. I don't know who is right, but it is the important question if you are investing long term.


It's 2T+ in revenue in a decade. That's where 42% growth starting from today's 60B leads you.

That's all of Microsoft, Apple, etc, etc revenue combined all being spent in GPUs at 50% margin. It's not realistic.

You're taking a bet where risk/reward is just against the investor.


Why are you using the metric of annual revenues must equal market capitalization to determine whether a company is overvalued? And why use revenue instead of earnings?

Currently if NVDA can double their earnings next year they’d have a P/E ratio similar to MSFT. I think many investors believe they can reach this target hence the high valuation.

Whether NVDA will continue to maintain this level of profit for the coming decade is another issue.


None of what you said denies any of my conclusions: expecting Nvidia to grow at a 40%+ rate for a decade is ludicrous.

Any of your arguments has been done about leaders like Cisco, Intel or Tesla that ballooned to valuations that did not meet reality regardless of those companies in fact doing well, the revenue and growth expectations were just asinine and void of basic math.

There's no such thing as infinite demand growth and infinitely deep pockets, let alone margins staying that good for so long (and again the aforementioned companies are examples of the phenomenon).

You will likely do much better investing in VOO today than buying Nvidia, let alone having a much better risk/reward ratio.


Currently TSM isn’t guiding much growth, I would guess we see an uptick in guidance in their next earnings report.


they report earnings monthly.


They report some things monthly and they do a full earnings report quarterly.


Disclosure: Building a CSP business around SMCI products. Sorry if this sounds like an advertisement, I'm really just a happy customer.

I feel like the reason why SMCI has done so well in this AI round is because their server architecture is best in class and they have been able to support the internal changes necessary for AI workloads. They also support AMD CPUs, while others only offer Intel.

6 years ago, Cenly Chen / SMCI was saying AI was going to be huge and that total revenue would be $36B, in 2025 [0]. We are well past that number now. Amazing how AI turned out to be even bigger than anyone could have imagined, but at least they had some vision even back then.

Dell, Giga, ZTS are all behind in their offerings while SMCI is iterating and are now even getting to the point of water cooling and L11 manufacturing.

I just received a shipment of AS-8125GS-TNMR2 (8U MI300x) and the thing is an amazingly well designed beast of a chassis. Everything slots together perfectly. If you study the user documentation, the layouts of the internal block diagrams are fantastic and built for speed.

We are lucky enough to have been able to open an account directly with them. It wasn't easy and required a ton of due diligence, but working with the team there has been a top notch experience.

[0] https://www.youtube.com/watch?v=WzqBuiwkv5I


Gotta love doing a ton of due diligence for the privilege of (checks notes) buying an off-the-shelf product at full price?


Oh, tell me where you can buy TNMR2+MI300x off the shelf! I checked BestBuy and they were out of stock.


My point is that it doesn't sound like they're customizing anything for you. It's ridiculous that you need permission to buy GPU servers. I realize there's a backlog but there are neutral ways to manage that.


The equipment was all ordered to our individual spec. Our box is one of the most powerful they've shipped so far. For example, everyone else is getting it without NVMe and we got it with 155TB.

As for permission, look up 88 Fed. Reg. 73458. I (and every other CSP) had to sign multiple documents agreeing to those regulations. Both SMCI and I are taking them very seriously, especially as a CSP renting them out. I'll vet every customer personally.

Neutral or not, from what I understand, there is no backlog for MI300x. You're either on the approved list or not and the entire list is spoken for. AMD knows every single business buying these chips right now, and they are carefully watching the orders ship out.


> It's ridiculous that you need permission to buy GPU servers

guess what, that is exactly what is playing out.. due to certain uniform services closely tied to the show


Wholesale vs. retail? They probably don’t want to deal with 1000 HNer accounts buying a single chip and do credit checks on them all (or do retail at all).


That's exactly it. Normally they direct you to an OEM partner like Exxact.

To be honest, they are really not set up for individual accounts. It was a bit of back and forth with the paperwork to get everything done, which took a lot of time.

They asked for everything about the business.

As for the direct account, once you have it, it is a golden egg because this way you also have direct support from their teams for anything you need. It is fantastic and I feel lucky to have gotten in.


They do do retail: https://store.supermicro.com/us_en/

Shipped a SYS-531A-IL workstation in less than a week including a weekend as my latest workstation configured with my chosen, albeit from a limited selection of memory, good CPUs and NVME and SATA drives (enterprise options for all of those), all properly kept cool per lm-sensors and smartmontools. I used their live chat to quickly get a couple of answers, it was packed well, and in theory for a reasonable up front cost they'll cross ship a replacement for the next 5 years.

When Mr. Rsync.net was composing his message today I was adjusting my scripts to do their nightly backup to his service that uses their servers.

For a couple of decades have bought a bunch of their motherboards through resellers for myself and family, and built some rack mount systems for a friend bought I forget from where with excellent results. The current swapping of hardware due to the above purchase took down a system that had been in service for a dozen years.


Awesome.

Interesting, I just did a search for 8125GS-TNMR2 on that link, and nothing came up.


They do sell some smaller AI platforms on their store in category https://store.supermicro.com/us_en/solutions/artificial-inte... but seeing as https://www.supermicro.com/en/products/system/gpu/8u/as-8125... is designed to hold as many as 8 AMD AI cards and has 6 3000W redundant power supplies, plus as you said there's a great deal of ceremony in getting one and AMD knows every customer....

See also its Nvidia equivalent https://www.supermicro.com/en/products/system/gpu/8u/as-8125... which is implicitly on allocation because TSMC has been contracted to make only so many H100 chips per unit of time, I think I heard 550,000 for 2023. I remember seeing that the Nvidia cards list at around $30K each....

I think the store is more for stuff that's in more plentiful supply and less ITAR restricted, with a limited number of SKUs and options for each that they're prepared to support for a long time.


I worked for a much much smaller customer than yourself several years back.

The store never showed the server boards in stock that we were after. We had to go in via a disty to get anything of value. The impression we got was that nothing was staying in stock very long, and at the time there were enough part shortages that they seemed to be slightly modifying SKUs at a rapid enough rate that it didn't make financial sense to keep the hobbyists happy.


Not surprising back when chip shortages were severe, and while checking out all their workstations I did note one of their oldest SKUs having a CPU option disappear in the process. Some of that might count as clearance but there's reasons to not be on the bleeding edge.

As I'm finding with a Raptor Lake CPU and conservative stock Debian 12 bookworm and its 6.1 kernel, largest format video playing has some tearing and so on due to driver support based on the error messages I'm seeing, 720p is much better. At the bottom of the stack root ZFS is rock solid: https://openzfs.github.io/openzfs-docs/Getting%20Started/Deb...

Today availability should be different and skimming their rackmount SKUs the vast majority claim "Ships Within 3-5 Business Days" which was my experience with a tower workstation.

I went to the above few minutes of effort because the company has done very well for me and mine in the last couple of decades, and people who are buying small quantities which certainly includes small or startup businesses as well as "hobbyists" shouldn't think the old shortages still hold in a period where I hear general demand is down outside of AI platforms. And prices are certainly pretty good.




The article hints at a special relationship with NVIDIA, but it goes back a long time. They didn't move recently to be close to NVIDIA's HQ. They have been there for 30 years. For example, back in the 90s Supermicro was selling NVIDIA products and NVIDIA was buying Supermicro desktops for their offices.


I’ve built entire DC’s out of Super Micro hardware, they rock.

For example, their quad opteron boards allowed me to make 64 core systems in 2013-era!


not quite whole data centers, but close.

their Atom half-step servers were very, very effective for building out call center routing and VM nodes. Atom has/had some problems with one-off issues like race conditions, but they worked quite well.

data center vendor also let us do some non-traditional airflow steps as long as it didn't screw with the hot aisle, so we packed racks with these things front and back


Who's their competition? What's their moat, except for being 15-minutes drive away from Nvidia's HQ?


Their moat is good server hardware that can be ordered without talking to a sales person that has one goal - determine how much they can milk your budget.


They used to let you order without talking to sales, now they want to validate the config like Dell and HPE. They are slow and don't respond and their ETAs are terrible and often wrong.


They have multiple friendly, competent resellers who will happily quote their machines, often using online tools, and will often come in around half of, say, Dell’s price. Maybe even better if you want something ridiculous like disks in your machine.

This has been the case for years.


ironically they could only do that by a lack of investor interest. Let's see how many days this lasts now.


It lasted 3 decades and they always knew that this is the number one reason why people buy from them. I think it's safe, but let's see.


it's not really a moat, but it's a difficult model to emulate.

what they offer is a set of standard parts, tailored for verticals they think are important. but the secret sauce is that they are willing to customize just that much to make things work for the customer.

even if you are a small startup and can't promise more than 100 units/yr, it's entirely likely that they will build a custom PCB or riser or chassis on the chance that you will be successful. not a whole design, but a tweak on one of their standard models. they've done that for me before with no NRE, maybe they do charge sometimes.

so their moat is that they have enough money to make those bets, and an engineering organization that can do that in a lightweight enough fashion to make the whole thing work. and they do this while remaining very cost competitive


Given how few people in a “startup” possess the skills to know and articulate their needs and have the network to reach the right people in a company that size, it seems like a reasonable bet to make.


their sales people are in on this - not a special deal. need an extra hole in this chassis? yeah sure, let's do that.


I have a system along these lines lying around. It’s a very low volume Supermicro board, made for a partnership between Intel and a little startup (not mine). The startup might, at their discretion and possibly with an NDA or two, tell you the model number. Then Supermicro would sell you the board.

I have no idea what money, if any, changed hands, other than the fact that I paid, IIRC, about $600 for the board.


Their competition is the enterprise hardware divisions of HP, Dell, and IBM. SuperMicro makes reasonably good quality, lower-cost server equipment. They are, IMO, a pretty good value if you don't want high-end support from the hardware vendor.


ASRock has also pushed into some of Supermicro's traditional product segments via the "ASRock Rack" brand. I have no idea how big that business is, though.


Gigabyte and Zotac also come to mind, resemble Asrock.

There's a bunch of other kit too, but https://servethehome.com reviews a bunch of the various rack systems.

Example of some late January posts. Albeit none are of the "fits lots of GPU" sort that is helping propel Supermicro, but these folks all have those offerings too,

Supermicro SYS-511R-M Intel Xeon E-2488 1U Server Review https://www.servethehome.com/supermicro-sys-511r-m-intel-xeo...

Gigabyte R183-Z95 Review Dual AMD EPYC Server with a EDSFF Twist https://www.servethehome.com/gigabyte-r183-z95-review-dual-a...

ASRock Rack ALTRAD8UD-1L2T Review This is the Ampere Arm Motherboard You... https://www.servethehome.com/asrock-rack-altrad8ud-1l2t-revi...


nowhere near as prevalent as supermicro still. asrock rack does make some decent stuff tho so i would imagine there's a good future there


HPE, Dell, and IBM are glorified CDW-business model salespeople. Megacorps have no use for that when they can engage the source and get their own custom gear.

https://en.wikipedia.org/wiki/Quanta_Computer


The article says

`Analysts clash on Supermicro’s ability to hold on to its position longer term. Wedbush analyst Matt Bryson said, historically, no company selling servers has had more than 30% market share.

“There’s not a reason Dell can’t do exactly what they’re doing,” Bryson said.

Others aren’t so sure. Some analysts say that established competitors will have a hard time bringing new products to market so quickly and have larger revenue streams from software and services.

Supermicro is trying to gain further market share by doubling down on AI and continuing to ship its servers out quickly. The company is also keeping prices low to entice new customers: Its gross profit margin totaled around 15% in its latest quarter, down from 17% in the previous one. HPE, by comparison, had gross margins of 36% in its latest quarter.`


“There’s not a reason Dell can’t do exactly what they’re doing,” Bryson said.

I find that quote interesting. As someone that worked for Dell, I can figure out why - they're heavily-invested in the support side of things. They're too busy with that and their current consumer and business-class offerings that realistically the server market segment they're already in doesn't exactly overlap with Super Micro, and most likely never will outside of some buzzword AI marketing.


Dell also can’t do what supermicro does because it would eat their margins. The dirty secret is that supermicro is making headway because they’re a lot cheaper than dell or hp. If dell/hp start to compete on price they don’t really gain any additional marginal business to speak of, but they do lose margin on all their current contracts (who presumably want to get the discount too).

The “companies become too stagnant to disrupt their own revenue streams” isn’t just a trope about leadership vision, it’s a very real financial phenomenon. Customers don’t like open price discrimination and often it’s better to keep your best customers than to chase after new ones and push all your margins downwards.

See also: the gpu market.


fwiw:

my work is moving from supermicro to dell nodes due to the immaturity of the support (interface and personnel).


Funny, we're going the other direction, for much the same reasons. I suppose different organizations have different needs and Dell is moving in the wrong direction for us, while SuperMicro seems to deliver in the areas we value.


I need high spec hardware in low order quantities.

I need it in a very custom arrangement.

I need it without 10 layers of sales muppets trying to upsell me.

I need it delivered quick.

Supermicro.

Also they seem to do a bunch of off label stuff for other parties. I found one of their boards in the router of a small network hardware provider.


Quanta and FoxConn. The weird thing though, is the megacorps who can afford to design their own gear in-house are spending money on these outside shops. Waste of money.


Depends how you see it. Spending resources to do it in house when an outside shop does it could be seen as a waste of money too. If someone else is already doing it, why spend money redoing what they do?


As a home user I like that their hardware has the least vendor lock-in, so when things break it is easier to replace with generic parts or swap around.


Here's the incumbent experience for proper servers:

1. You're a small company. None of the big companies will talk to you. You're a waste of their time.

2. You're a medium company. Maybe the worst sales person on the team is desperate enough to talk to you.

3. You're a big company. They will be only too happy to talk to you.

You want to buy a rack of servers. They will not sell you a rack of servers. No, no, no.

You need to talk about how their SAN is much better than your current SAN. Also they just bought a virtualisation company so maybe you should replace your virtualisation stack with theirs. And have you considered how helpful their outsourcing service could be for running your datacentre? They'll undercut your current team of staff as long as you commit to replacing all your servers with theirs. Also they hear you're making use of REST services, have you considered one of their REST security appliances? They'll throw them in free.

None of these conversations happen with the person trying to buy a rack of servers, they'll happen with a vice president or procurement or your finance team. Your rack of servers comes with a bunch of "free" stuff that you didn't want and don't have time to implement. Eighteen months later you're being told to drop all your work that your customers care about, because whoever inked the deal with the free REST appliances looks stupid if they don't get used, so you have to implement them.

Supermicro are just selling you a rack of servers.


Decent products with decent service, no gimmicks and fair pricing is a moat


It'd be nice if they gave a damn about security. I had clients stop buying them because a glaring security problem was determined to be "not an issue" that they wouldn't fix.

It's one thing to say they wouldn't or couldn't fix products already made with the flaw, but it's another entirely to have a culture of security that says, "Sure, this flaw could cause your machine full, unfettered compromise, but because it's not likely to happen and not highly publicized, we don't care."

It makes me think they'll treat current and future security problems the same way. Security shouldn't be based on popularity contests.

Sorry, but not for me.


Do you have more info on this? iDRAC doesn't have the best security track record either, but people don't really seem to care.


In a nutshell, the problem is this. I don't know whether this has changed, but this was true as of 2018 / 2019.

Most of their motherboards have IPMI with a separate management port. A good number of them share IPMI management with the motherboard's primary ethernet port by default if nothing is plugged in to the management port. The motherboards have no way to configure them to NOT share the primary ethernet port beyond having the full stack of software needed to configure their IPMI.

What this means is that there're no jumpers one can change and no settings accessible in the BIOS that can force IPMI to stay on its own port, so if a BIOS gets reset, the battery dies or even just temporarily fails to provide power (like if it's being shipped by air and gets very cold), or you want to ship servers directly to a datacenter, the machine is 100% ownable on the public interface BY DEFAULT unless the management port is connected (and even then sometimes it decides to share the primary port - probably a function of link negotiation speed with the switch).

Sure, it's not a common occurrence, but it happens.

The solution for all the servers we already had deployed? We got ethernet loopback plugs for every one of them where the IPMI port wasn't already connected to a switch we administered.

A reasonable response: "Sure, that could be a problem sometimes. We can't change motherboards we already sold, but we'll bring this up with our design team so there'll be a jumper you can change so sharing will never happen, even with a reset BIOS."

Their response: "This isn't a security issue."
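An added example, not part of the comment above and not Supermicro tooling: a defender-side check for the failover described in this thread, which flags any inventoried BMC MAC that a switch has learned outside the management VLAN, or not at all. The VLAN number, MAC addresses and switch table layout are constructed, and the check assumes the BMC uses its own MAC address when it shares the host port.

```python
import re

MGMT_VLAN = 99  # assumption: the dedicated out-of-band management VLAN

# Constructed inventory: BMC MAC -> host, recorded at provisioning time.
BMC_INVENTORY = {
    "02:00:00:00:0b:01": "node01",
    "02:00:00:00:0b:02": "node02",
    "02:00:00:00:0b:03": "node03",
}

# Constructed switch MAC-table dump (vlan, mac, type, port); not real output.
MAC_TABLE = """\
Vlan  Mac Address        Type     Port
  99  0200.0000.0b01     DYNAMIC  Gi1/0/41
  10  0200.0000.0a01     DYNAMIC  Gi1/0/1
  10  0200.0000.0a02     DYNAMIC  Gi1/0/2
  10  02-00-00-00-0B-02  DYNAMIC  Gi1/0/2
  10  0200.0000.0a03     DYNAMIC  Gi1/0/3
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:\-]{12,17})\s+\S+\s+(\S+)\s*$")


def norm_mac(raw):
    """Normalize dotted, dashed or colon MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Yield (vlan, mac, port) per data row; the header and other lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(1)), norm_mac(m.group(2)), m.group(3)


def audit(text, inventory, mgmt_vlan=MGMT_VLAN):
    """Return (host, status, vlan, port) findings, ordered by host name.

    EXPOSED: the BMC MAC was learned on a VLAN other than the management one,
             i.e. the BMC is answering on a host-facing port.
    MISSING: the BMC MAC was not learned anywhere, so the dedicated port is
             down and the BMC cannot be managed where it is supposed to be.
    """
    seen = {}
    for vlan, mac, port in parse_mac_table(text):
        if mac in inventory:
            seen.setdefault(mac, []).append((vlan, port))
    findings = []
    for mac, host in sorted(inventory.items(), key=lambda kv: kv[1]):
        places = seen.get(mac, [])
        for vlan, port in places:
            if vlan != mgmt_vlan:
                findings.append((host, "EXPOSED", vlan, port))
        if not places:
            findings.append((host, "MISSING", None, None))
    return findings


if __name__ == "__main__":
    for host, status, vlan, port in audit(MAC_TABLE, BMC_INVENTORY):
        print(f"{host}: {status} vlan={vlan} port={port}")
```

Two MAC addresses learned on one host-facing port, one of them an inventoried BMC, is the signature to alert on; a per-port MAC limit on the switch enforces the same condition instead of reporting it.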


This is an interesting attack surface. Can you extend the risk out a bit? Assume that you have a vulnerable supermicro IPMI now exposed on a public interface. It has no IP address, and is presumably issuing DHCP DISCOVERs in an effort to get an IP. How do you reach the IPMI device to exploit it? What additional access do you need to get there?

Root on another device on that public network would do, you could forge the necessary DHCP responses to get it configured with an IP address of your choosing. Non-root on another device on that network might also work, if it fails DHCP and self-configures on a 169.254 address, assuming it does that.

Is there an obvious way to exploit such an issue from beyond the public subnet? Every attack I can imagine would be blocked by either inbound firewalls, or a failure to reach the IPMI as an unexpected device on the public subnet. I suppose that it would be a possible risk if you have a DHCP server on that public subnet issuing IP addresses to all devices, but that seems like a larger risk anyways. Server networks should be static assigned or static DHCP in all cases.


There are plenty of cheap colos that do no filtering on their public networks. Some are saving money by putting a number of machines on a single ethernet segment, some are saving IPs by not having a /31 (or, much more often, a /30) for each client, and some both, so a compromised machine could easily run a DHCP server and scan any takers. You're right that no sensible network would forward packets to a misconfigured IPMI, though.

That still leaves very real things that've happened - the IPMI switches to the public interface and can no longer be reached on the managed local interface, and then you're rebooting several times in hopes it'll switch back and making aliases on a public interface to see if you can talk to it on the public segment. It's not professional at all.


I unknowingly did this, I found a random ip exposing the interface, and used admin/admin to compromise it - I was very confused as I explicitly did not plug in the ipmi interface as I do not want it.

I ended up using a PCIE nic, which ipmi does not auto bridge to.


Assume your network is not-entirely-trusted - like a college network where some curious students might be poking around and running network scans, and some others have malware on their computers.

The expected network port is plugged in, so even if your switch is checking MAC addresses, everything is in order. Most networks use DHCP, so the IPMI picks up an IP address. A student finds it with their port scan.


Interesting. I never use DHCP pools / random allocation on server networks; everything there is static assignment on the host, or static DHCP with whitelisted MAC.


> This is an interesting attack surface. Can you extend the risk out a bit? Assume that you have a vulnerable supermicro IPMI now exposed on a public interface. It has no IP address, and is presumably issuing DHCP DISCOVERs in an effort to get an IP. How do you reach the IPMI device to exploit it? What additional access do you need to get there?

I think you misunderstood the level of fucked up this really was. The BMC device sits on the north bridge and literally scoops up packets from the main NIC which means it can even be accessible from the internets (if you didn't firewall port 623). See [0] for an example of how a variation of this unfolded.

[0] - https://www.zdnet.com/article/over-47000-supermicro-servers-...


> The motherboards have no way to configure them to NOT blah blah blah....

Most of your claims are false.

Super Micro has a utility to write the correct bits into EEPROM to disable this behaviour and stop the failover as default.

The utility was available years ago, prior to the time frame you state.

Any competent sysadmin would just build this into the deployment task sequence.


First, do you have a link to documentation for this ability?

Second, "any competent sysadmin" would have to know that this exists. Super Micro's security team didn't know this existed, or if they did, they failed to mention it in their response.


In the normal run of things, I'd tell you to do your own research.

But we're all Irish today and I'm in a particularly giving mood.

https://www.supermicro.com/Bios/sw_download/645/IPMICFG_User...

IPMICFG -lani 0

You're welcome.

(I do recall the syntax being a bit more cryptic, passing hex values, perhaps they've improved things since I last did this. Nevertheless, the capability has always been there.)

SuperMicro themselves not knowing this exists isn't surprising in the least.


according to that doc the functionality was only added late 2022.


Impossible as I was doing this nearly 10 years ago.

See my comment about remembering the process to be rather cryptic (writing hex values to address offsets) but the capability WAS there.

Perhaps they added that switch recently to make it more user friendly.


...but IPMI configuration isn't stored in EEPROM. It's stored in NVRAM.

And I believe you that you configured this pre-2022, but anyone could use the IPMI tools to configure this pre-2022 and pre- -lani option. You're trying to say it's in EEPROM, meaning it's invulnerable to battery loss. It definitely isn't.


Supermicro does offer board variants without the IPMI feature. I'd argue that most people who are buying the variants with IPMI are planning to utilize the feature.

The sideband feature also tends to be associated with an interface on the board that is considered the non dedicated IPMI "management" interface. Use one of the other onboard NIC ports or a PCI-E NIC like x550-T2, etc.


This! And their bmc is trash and openbmc only ships on few boards (arm ones iirc)


Indeed. An OOB interface is something you should always handle like radioactive material. It's volatile, powerful, and should be handled with extreme care and caution.


hasn't been obscure for a long time.

this says more about WSJ-reading "enterprise" IT than anything else.


I guess a company just has to move close to nvidia, label one of its products with ‘ai’ and watch its valuations 10x. Foodtruck.ai?


LLM = Large Lunch Menu = $$$


SMCI is experiencing massive revenue growth, so you also need that. SMCI forward PE isn’t even that crazy yet, TSLA had much higher at its peak.


I would have thought every server maker was able to sell every GPU they got their hands on at this point in the hype cycle. If SuperMicro is gaining market share, isn't it just a sign that Nvidia is giving them a bigger GPU allocation?


That’s the rumour, NVDA give them higher priority because of a longstanding relationship.


SM has been producing good quality hardware for decades. I remember them from catalogues of my childhood. Obscure is not the right word here.


If only I had known they were listed in the US. Just assumed they were an offshore company (based on their pretty terrible support). Disclosure: long time user.


I wish I could afford to build a home server with these parts. Everything I read about them is great.


... and they're not an obscure server maker anymore? What happened?

As far as I know, as much as being obscure, they've also been around forever.


'Nvidia’s chips became the workhorses of the boom, making the complex computations necessary to create systems such as OpenAI’s ChatGPT. Server manufacturers who could ship those chips to customers fastest and in the largest quantities had an edge.

Liang said it has been helpful that his base in San Jose, Calif., is just a 15-minute drive from Nvidia’s headquarters in Santa Clara. “Our engineering teams are able to work together from early morning to midnight,” he said.

Supermicro’s recent dominance in the AI boom, industry executives and analysts say, also stems partly from its strategy of making electronic “building blocks” that can be assembled into servers in an almost endless number of configurations. Rivals offer a more limited menu to customers.

That flexibility has been an advantage in the AI boom, analysts say. Developers of self-driving car technology want different server setups than companies making language-generation AI systems such as ChatGPT. Supermicro can deliver customized infrastructure for both.'


I love this investment because when Bloomberg News posted their SMCI story all the security suckers ate it up and dunked shares. Picked a bunch up at a 50% discount and they rebounded.

The problem is that security groupies are really eager for there to be obscure security flaws. HN was full of them. And they have this thing about "respected sources" and shit like that because they don't know how to evaluate things themselves.

Your loss, my gain. Haha.


Friends don’t let friends drive supermicros.


I thought this was a meme pump, are these guys actually having some legitimate products or services?


"...are these guys actually having some legitimate products or services?"

rsync.net is built entirely on supermicro head units and, until a few years ago, their JBODs.

Then they got greedy and tried to do the old "certified drives" bullshit with their JBODs and that was the end of that ... now we use the celestica JBODs we source from IX systems.

Head units are still supermicro, though. Fingers crossed ...


It's the oldest, most successful, cheapest and for many people technologically superior server maker that's not IBM or HPE. Many successful businesses were built on their products in the past 3 decades. Most notably Google.


They were always in the list of "you want something that's workstation/server reliable, but you don't want to deal with an OEM who's going to sell you a proprietary case/PSU/motherboard." ISTR Tyan being in the same boat, but you don't hear as much about them anymore.


Man, I got a rack of tyans recently and I have to say, it's not even a contest. Maybe something was off with that order but 1/3 of the hosts had issues, I suspect at the motherboard level but aside from sending them back a couple times for service support I've pretty much abandoned the rack at this point. I'll probably send the machines to the shredder and replace them next time I have a budget cycle.


As a small, very specific footnote: I am unaware of anyone but Supermicro making 3U chassis with a 80mm rear fan. As the ATX rear I/O is sized to squeeze into 1U it means there's only 2U or 88.90mm left for fans and most chassis makers will just go with 60mm fans.


ISTR seeing they did 4U with 120mm instead of dual 80 too. That always looked compelling, because I figured a 4U rackmount would make a neat desktop-style case, but I could never justify the price.


I make my desktops out of 4u chassis. Mainly because they have good airflow. But it does bring one glaring design issue to light. Consumer grade mother boards are schizophrenic about their airflow. The cpu and ram are orientated to flow left to right and the expansion cards expect the flow to go front to back. Server grade mother boards have coherent airflow however I have found server boards are less than optimal for a desktop application. They boot slow, are picky about components, and the cpus tend to be slow and wide. So I tend to alternate, one generation I get fed up with consumer grade bullshit and buy a server grade board, the next I get fed up with server grade bullshit and buy a consumer board.

My favorite chassis so far has been this generic one, the fans suck (just buy a new set of good fans right away) and supplied drive bays suck. But look at all them 5 1/4 bays, bays for days. You can put every stupid hotswap bay, fan controller and drink holder gimmick you want in there. And still have room for more.

https://www.newegg.com/rosewill-rsv-l4500u-black/p/N82E16811...



Supermicro has been around since forever and is like one out of one and a half OEMs who actually sell server building blocks on the open market.

Stock market shenanigans are also hardly a new experience for this symbol, either: Already forgot about the discredited 2018 Bloomberg hit piece? https://www.bloomberg.com/news/features/2018-10-04/the-big-h...


Since around 2000 I bought something shy of 1,000 of them for a small server hosting company. Mostly the smaller ones in the sub-$1,000 price range, and we had very good luck with them. With the exception of one year where we had a roughly 100% failure rate on the power supplies (same make, model, mfg as ones we had in service 5+ years), they were just workhorses at extremely reasonable prices.

After the power supply failures we started switching to their "twin^2" units (or something named like that) which were 2U RM boxes with redundant power supplies and 4x semi-blade servers, which again we could provision for the sub-$1,000 price.

I've since looked at pricing some systems from them as an alternative for the Dell servers we've been buying more recently, and oddly enough the prices all seem to be in the $10K+ range. A pretty big shock to see what used to be "dirt cheap servers" up in that range, but the RAM and SSDs really add up. Even though Dell seems to have insane pricing in their configurator for RAM and drives...


Server-grade motherboards that have been widely used for a long time sounds like a legitimate product business. Whether or not they have long-lasting competitive advantage, that is another question.


Softlayer was built on all/mostly all SuperMicro servers up until IBM bought Softlayer and then there were a lot of Lenovo.

As an employee of a customer of Softlayer, the servers were very reliable. I have my personal hosting on a rented SuperMicro server now, and pretty happy with it, even if the hardware is 10+ years old (Xeon Lynnfield) and the IPMI requires ancient JNLP that barely works ... I only barely need IPMI (gotta console in to decrypt the disks on reboots, and it was handy for setup)


I've bought and used supermicro servers since 2004. They sell good hardware without the IBM / HP premium.


I’ve used several of their server motherboards and RAM. They are good products. There’s one in my NAS right now.


They aren't as nicely made as HP's offerings, but solid, and good value for the price. I'd buy a used Super Micro before I'd buy a brand-new Dell, even if the Dell were cheaper.



