[HN Gopher] Super Micro Computer has gone from an obscure server...
___________________________________________________________________
Super Micro Computer has gone from an obscure server maker to $60B
market cap
Author : Bostonian
Score : 140 points
Date : 2024-03-17 11:25 UTC (11 hours ago)
(HTM) web link (www.wsj.com)
(TXT) w3m dump (www.wsj.com)
| Bostonian wrote:
| 'Nvidia's chips became the workhorses of the boom, making the
| complex computations necessary to create systems such as OpenAI's
| ChatGPT. Server manufacturers who could ship those chips to
| customers fastest and in the largest quantities had an edge.
|
| Liang said it has been helpful that his base in San Jose, Calif.,
| is just a 15-minute drive from Nvidia's headquarters in Santa
| Clara. "Our engineering teams are able to work together from
| early morning to midnight," he said.
|
| Supermicro's recent dominance in the AI boom, industry executives
| and analysts say, also stems partly from its strategy of making
| electronic "building blocks" that can be assembled into servers
| in an almost endless number of configurations. Rivals offer a
| more limited menu to customers.
|
| That flexibility has been an advantage in the AI boom, analysts
| say. Developers of self-driving car technology want different
| server setups than companies making language-generation AI
| systems such as ChatGPT. Supermicro can deliver customized
| infrastructure for both.'
| drakerossman wrote:
| Who's their competition? What's their moat, except for being a
| 15-minute drive away from Nvidia's HQ?
| Bostonian wrote:
| The article says
|
| `Analysts clash on Supermicro's ability to hold on to its
| position longer term. Wedbush analyst Matt Bryson said,
| historically, no company selling servers has had more than 30%
| market share.
|
| "There's not a reason Dell can't do exactly what they're
| doing," Bryson said.
|
| Others aren't so sure. Some analysts say that established
| competitors will have a hard time bringing new products to
| market so quickly and have larger revenue streams from software
| and services.
|
| Supermicro is trying to gain further market share by doubling
| down on AI and continuing to ship its servers out quickly. The
| company is also keeping prices low to entice new customers: Its
| gross profit margin totaled around 15% in its latest quarter,
| down from 17% in the previous one. HPE, by comparison, had
| gross margins of 36% in its latest quarter.`
| idontknowifican wrote:
| fwiw:
|
| my work is moving from supermicro to dell nodes due to the
| immaturity of the support (interface and personnel).
| mrweasel wrote:
| Funny, we're going the other direction, for much the same
| reasons. I suppose different organizations have different
| needs and Dell is moving in the wrong direction for us,
| while SuperMicro seems to deliver in the areas we value.
| lightedman wrote:
| "There's not a reason Dell can't do exactly what they're
| doing," Bryson said.
|
| I find that quote interesting. As someone that worked for
| Dell, I can figure out why - they're heavily-invested in the
| support side of things. They're too busy with that and their
| current consumer and business-class offerings that
| realistically the server market segment they're already in
| doesn't exactly overlap with Super Micro, and most likely
| never will outside of some buzzword AI marketing.
| convolvatron wrote:
| it's not really a moat, but it's a difficult model to emulate.
|
| what they offer is a set of standard parts, tailored for
| verticals they think are important. but the secret sauce is
| that they are willing to customize just that much to make
| things work for the customer.
|
| even if you are a small startup and can't promise more than 100
| units/yr, its entirely likely that they will build a custom PCB
| or riser or chassis on the chance that you will be successful.
| not a whole design, but a tweak on one of their standard
| models. they've done that for me before with no NRE, maybe they
| do charge sometimes.
|
| so their moat is that they have enough money to make those
| bets, and an engineering organization that can do that in a
| lightweight enough fashion to make the whole thing work. and
| they do this while remaining very cost competitive
| godzillabrennus wrote:
| Given how few people in a "startup" possess the skills to
| know and articulate their needs and have the network to reach
| the right people in a company that size, it seems like a
| reasonable bet to make.
| convolvatron wrote:
| their sales people are in on this - not a special deal.
| need an extra hole in this chassis? yeah sure, let's do that.
| throwaway11460 wrote:
| Their moat is good server hardware that can be ordered without
| talking to a sales person that has one goal - determine how
| much they can milk your budget.
| 1oooqooq wrote:
| ironically they could only do that by a lack of investor
| interest. Let's see how many days this lasts now.
| throwaway11460 wrote:
| It lasted 3 decades and they always knew that this is the
| number one reason why people buy from them. I think it's
| safe, but let's see.
| Gelob wrote:
| They used to let you order without talking to sales, now they
| want to validate the config like Dell and HPE. They are slow
| and don't respond and their ETAs are terrible and often
| wrong.
| amluto wrote:
| They have multiple friendly, competent resellers who will
| happily quote their machines, often using online tools, and
| will often come in around half of, say, Dell's price. Maybe
| even better if you want something ridiculous like disks in
| your machine.
|
| This has been the case for years.
| rmah wrote:
| Their competition is the enterprise hardware divisions of HP,
| Dell, and IBM. SuperMicro makes reasonably good quality, lower-
| cost server equipment. They are, IMO, a pretty good value if
| you don't want high-end support from the hardware vendor.
| 0xcde4c3db wrote:
| ASRock has also pushed into some of Supermicro's traditional
| product segments via the "ASRock Rack" brand. I have no idea
| how big that business is, though.
| kbar13 wrote:
| nowhere near as prevalent as supermicro still. asrock rack
| does make some decent stuff tho so i would imagine theres a
| good future there
| jauntywundrkind wrote:
| Gigabyte and Zotac also come to mind, resembling Asrock.
|
| There's a bunch of other kit too, but
| https://servethehome.com reviews a bunch of the various
| rack systems.
|
| Example of some late January posts. Albeit none are of the
| "fits lots of GPU" sort that is helping propel Supermicro,
| but these folks all have those offerings too,
|
| Supermicro SYS-511R-M Intel Xeon E-2488 1U Server Review
| https://www.servethehome.com/supermicro-sys-511r-m-intel-
| xeo...
|
| Gigabyte R183-Z95 Review Dual AMD EPYC Server with a EDSFF
| Twist
| https://www.servethehome.com/gigabyte-r183-z95-review-
| dual-a...
|
| ASRock Rack ALTRAD8UD-1L2T Review This is the Ampere Arm
| Motherboard You... https://www.servethehome.com/asrock-
| rack-altrad8ud-1l2t-revi...
| 1letterunixname wrote:
| HPE, Dell, and IBM are glorified CDW-business model
| salespeople. Megacorps have no use for that when they can
| engage the source and get their own custom gear.
|
| https://en.wikipedia.org/wiki/Quanta_Computer
| oldpersonintx wrote:
| Decent products with decent service, no gimmicks and fair
| pricing is a moat
| 1letterunixname wrote:
| Quanta and FoxConn. The weird thing though, is the megacorps
| who can afford to design their own gear in-house are spending
| money on these outside shops. Waste of money.
| fragmede wrote:
| Depends how you see it. Spending resources to do it in house
| when an outside shop does it could be seen as a waste of
| money too. if someone else is already doing it, why spend
| money redoing what they do?
| guilhas wrote:
| As a home user I like their hardware has the least vendor lock
| in, so when things break it is easier to replace with generic
| parts or swap around
| rodgerd wrote:
| Here's the incumbent experience for proper servers:
|
| 1. You're a small company. None of the big companies will talk
| to you. You're a waste of their time.
|
| 2. You're a medium company. Maybe the worst sales person on the
| team is desperate enough to talk to you.
|
| 3. You're a big company. They will be only too happy to talk to
| you.
|
| You want to buy a rack of servers. They will not sell you a
| rack of servers. No, no, no.
|
| You need to talk about how their SAN is much better than your
| current SAN. Also they just bought a virtualisation company so
| maybe you should replace your virtualisation stack with theirs.
| And have you considered how helpful their outsourcing service
| could be for running your datacentre? They'll undercut your
| current team of staff as long as you commit to replacing all
| your servers with theirs. Also they hear you're making use of
| REST services, have you considered one of their REST security
| appliances? They'll throw them in free.
|
| None of these conversations happen with the person trying to
| buy a rack of servers, they'll happen with a vice president or
| procurement or your finance team. Your rack of servers comes with
| a bunch of "free" stuff that you didn't want and don't have
| time to implement. Eighteen months later you're being told to
| drop all your work that your customers care about, because
| whoever inked the deal with the free REST appliances looks
| stupid if they don't get used, so you have to implement them
|
| Supermicro are just selling you a rack of servers.
| dangle1 wrote:
| https://archive.ph/FrBaL
| rasz wrote:
| >obscure server maker
|
| First google server racks
|
| https://blog.codinghorror.com/building-a-computer-the-google...
|
| https://en.wikipedia.org/wiki/History_of_Google#Late_1990s
|
| https://commons.wikimedia.org/wiki/Category:Google%27s_first...
|
| were built using Supermicro P6SBM
| bawana wrote:
| I guess a company just has to move close to nvidia, label one of
| its products with 'ai' and watch its valuations 10x.
| Foodtruck.ai?
| riwsky wrote:
| LLM = Large Lunch Menu = $$$
| solumunus wrote:
| SMCI is experiencing massive revenue growth, so you also need
| that. SMCI forward PE isn't even that crazy yet, TSLA had much
| higher at its peak.
| m3kw9 wrote:
| I thought this was a meme pump, are these guys actually having
| some legitimate products or services?
| ardaoweo wrote:
| Server-grade motherboards that have been widely used for a long
| time sounds like a legitimate product business. Whether or not
| they have long-lasting competitive advantage, that is another
| question.
| throwaway11460 wrote:
| It's the oldest, most successful, cheapest and for many people
| technologically superior server maker that's not IBM or HPE.
| Many successful businesses were built on their products in the
| past 3 decades. Most notably Google.
| hakfoo wrote:
| They were always in the list of "you want something that's
| workstation/server reliable, but you don't want to deal with
| an OEM who's going to sell you a proprietary
| case/PSU/motherboard. ISTR Tyan being in the same boat, but
| you don't hear as much about them anymore.
| chx wrote:
| As a small, very specific footnote: I am unaware of anyone
| but Supermicro making 3U chassis with a 80mm rear fan. As
| the ATX rear I/O is sized to squeeze into 1U it means
| there's only 2U or 88.90mm left for fans and most chassis
| makers will just go with 60mm fans.
| hakfoo wrote:
| ISTR seeing they did 4U with 120mm instead of dual 80
| too. That always looked compelling, because I figured a
| 4U rackmount would make a neat desktop-style case, but I
| could never justify the price.
| somat wrote:
| I make my desktops out of 4u chassis. Mainly because they
| have good airflow. But it does bring one glaring design
| issue to light. consumer grade motherboards are
| schizophrenic about their airflow. the cpu and ram are
| orientated to flow left to right and the expansion cards
| expect the flow to go front to back. Server grade
| motherboards have coherent airflow however I have found server
| boards are less than optimal for a desktop application.
| they boot slow, are picky about components, and the cpus
| tend to be slow and wide. So I tend to alternate, one
| generation I get fed up with consumer grade bullshit and
| buy a server grade board, the next I get fed up with
| server grade bullshit and buy a consumer board.
|
| My favorite chassis so far has been this generic one, the
| fans suck(just buy a new set of good fans right away) and
| supplied drive bays suck. but look at all them 5 1/4
| bays, bays for days. You can put every stupid hotswap
| bay, fan controller and drink holder gimmick you want in
| there. and still have room for more.
|
| https://www.newegg.com/rosewill-
| rsv-l4500u-black/p/N82E16811...
| chx wrote:
| AsRock X570D4i-2t because https://www.reddit.com/r/sffpc/
| comments/lymbka/asrock_rack_x...
| jethro_tell wrote:
| Man, I got a rack of tyans recently and I have to say, it's
| not even a contest. Maybe something was off with that order
| but 1/3 of the hosts had issues, I suspect at the
| motherboard level but aside from sending them back a couple
| times for service support I've pretty much abandoned the rack
| at this point. I'll probably send the machines to the
| shredder and replace them next time I have a budget cycle.
| formerly_proven wrote:
| Supermicro has been around since forever and is like one out of
| one and a half OEMs who actually sell server building blocks on
| the open market.
|
| Stock market shenanigans are also hardly a new experience for
| this symbol, either: Already forgot about the discredited 2018
| Bloomberg hit piece?
| https://www.bloomberg.com/news/features/2018-10-04/the-big-h...
| rsync wrote:
| "...are these guys actually having some legitimate products or
| services?"
|
| rsync.net is built entirely on supermicro head units and, until
| a few years ago, their JBODs.
|
| Then they got greedy and tried to do the old "certified drives"
| bullshit with their JBODs and that was the end of that ... now
| we use the celestica JBODs we source from IX systems.
|
| Head units are still supermicro, though. Fingers crossed ...
| wil421 wrote:
| I've used several of their server motherboards and RAM. They are
| good products. There's one in my NAS right now.
| andruby wrote:
| I've bought and used supermicro servers since 2004. They sell
| good hardware without the IBM / HP premium.
| hello_computer wrote:
| They aren't as nicely made as HP's offerings, but solid, and
| good value for the price. I'd buy a used Super Micro before I'd
| buy a brand-new Dell, even if the Dell were cheaper.
| linsomniac wrote:
| Since around 2000 I bought something shy of 1,000 of them for a
| small server hosting company. Mostly the smaller ones in the
| sub-$1,000 price range, and we had very good luck with them.
| With the exception of one year where we had a roughly 100%
| failure rate on the power supplies (same make, model, mfg as
| ones we had in service 5+ years), they were just workhorses at
| extremely reasonable prices.
|
| After the power supply failures we started switching to their
| "twin^2" units (or something named like that) which were 2U RM
| boxes with redundant power supplies and 4x semi-blade servers,
| which again we could provision for the sub-$1,000 price.
|
| I've since looked at pricing some systems from them as an
| alternative for the Dell servers we've been buying more
| recently, and oddly enough the prices all seem to be in the
| $10K+ range. A pretty big shock to see what used to be "dirt
| cheap servers" up in that range, but the RAM and SSDs really
| add up. Even though Dell seems to have insane pricing in their
| configurator for RAM and drives...
| toast0 wrote:
| Softlayer was built on all/mostly all SuperMicro servers up
| until IBM bought Softlayer and then there were a lot of Lenovo.
|
| As an employee of a customer of Softlayer, the servers were
| very reliable. I have my personal hosting on a rented
| SuperMicro server now, and pretty happy with it, even if the
| hardware is 10+ years old (Xeon Lynnfield) and the IPMI
| requires ancient JNLP that barely works ... I only barely need
| IPMI (gotta console in to decrypt the disks on reboots, and it
| was handy for setup)
| pavlov wrote:
| Super Micro stock was clearly undervalued even on traditional P/E
| metrics as recently as 2022. And I believe the reason for the
| depressed stock price was Bloomberg's allegations that China was
| using Super Micro's motherboards as Trojan horses for spy chips:
|
| https://www.datacenterdynamics.com/en/news/years-later-bloom...
|
| Bloomberg originally broke this story in 2018, then repeated the
| allegations in 2021. But AFAIK it was never proven.
|
| The Nvidia + Meta connection finally broke the spell and allowed
| investors to look at SMCI with fresh eyes.
| diggan wrote:
| > Bloomberg originally broke this story in 2018, then repeated
| the allegations in 2021. But AFAIK it was never proven.
|
| Isn't that libel? Or something similar at least, not super
| familiar with US laws.
| pavlov wrote:
| My amateur understanding is that it's very hard to
| successfully sue journalists for libel in the US because
| you'd have to prove malicious intent. A journalist writing a
| story based on their sources may have been misled by someone
| with an agenda, but didn't write the false story with active
| malice.
| ghaff wrote:
| As someone who has done journalism, that's basically
| correct. All indications are that simultaneously the story
| wasn't true and the reporter and all their editors firmly
| believed it was true. My personal assumption is that they
| believed the story was solidly sourced but they were
| misled.
|
| ADDED: Standards are somewhat different between private
| people and public people/corporations.
| GauntletWizard wrote:
| I'm glad the story ran, even if it wasn't true - because
| it opened people's minds to the idea that this was
| happening. And it is a very real possibility. O.MG is a
| hobbyist project, but there's no question that the NSAs
| dirty tricks book, ANT/TAO[1] has something similar, but
| far more capable.
|
| We should all be paying attention to hardware suppliers
| and making sure that objects are "as-ordered", but today
| even a standard chip packaging can hide a ton of
| malicious logic.
|
| [1]https://en.m.wikipedia.org/wiki/ANT_catalog
| mschuster91 wrote:
| > We should all be paying attention to hardware suppliers
| and making sure that objects are "as-ordered", but today
| even a standard chip packaging can hide a ton of
| malicious logic.
|
| For smartphones, laptops and PCs that is relatively easy
| to defend against if you think you might be a target for
| three-letter agencies - just walk into a computer store
| and buy what they have on the shelf with cash. Even the
| NSA doesn't have the resources to intercept and modify
| all the shipments to Apple, Best Buy, Costco and whatnot
| - and I'd guess at least Apple has pretty strict security
| in their supply chain given that Apple stuff has insane
| value even just for parts if someone were to intercept a
| delivery.
|
| Network architecture however, that is more complex.
| Cables, Ubiquiti, HP and Dell stuff, you can buy that off
| the shelf, so same advantage. But servers? Good luck
| finding ones on the shelf _anywhere_.
| bdangubic wrote:
| and ruining a company's reputation over a lie is what - a
| collateral damage?
| kevin_thibedeau wrote:
| The source in this case admitted that he presented a
| hypothetical scenario with a random SMD component as an
| example. The ignorant Bloomberg employee embroidered that
| into a lie.
| underlipton wrote:
| >Ignorant
|
| Never attribute to ignorance what can be explained by
| malice and corruption (post-GFC/Madoff, finance and its
| cottage industries no longer get the benefit of the
| doubt).
| verticalscaler wrote:
| First we had too big to fail, now we have too stupid to fail.
| 1letterunixname wrote:
| Meta is wasting all kind of money ($40B across 2 years) on
| Nvidia, SMCI, and their own gear. SMCI and Nvidia stocks are
| now overvalued because there are no fundamentals to sustain
| this business. OpenAI/Microsoft may be an exception, but Meta
| is wasting money it doesn't have on profits that aren't there.
| These data centers and servers are being built on orders of
| Zuck without a concrete, specific product or purpose for their
| use. This is akin to a newbie business owner buying lots of
| inventory without orders.
| fragmede wrote:
| you know the saying; the market can stay irrational longer
| than you can stay solvent and all that. turns out P/E ratios
| determine a theoretical floor for the price, but as we've
| seen with Tsla and crypto, this shits all vibes anyway. AI
| isn't slowing down, or going to go anywhere, so these stocks,
| overvalued though you might see them, aren't going to go down
| anytime soon, in my opinion, so while what you say is true,
| NVDA and smci are safe to hold. the real question is what's
| going on with tsmc and mu, given their proximity to NVDA, and
| their lack of a pop.
| solumunus wrote:
| Currently TSM isn't guiding much growth, I would guess we
| see an uptick in guidance in their next earnings report.
| _zoltan_ wrote:
| they report earnings monthly.
| epolanski wrote:
| It's interesting you mention Tesla, because their sales
| clearly show that the growth expectation was not realistic.
|
| And in case of Nvidia it's even much worse.
|
| In order for Nvidia to be worth a decent premium over the
| yield of some index fund like VOO (you're taking much more
| risk), it has to grow in the order of 42% per year for a
| decade in revenue.
|
| There's no such amounts of money to be spent in hardware,
| it's lunacy.
|
| Not even the other tech giants combined have even a small
| part of the money required for such growth.
|
| And on top of that, this is a very dynamic sector where any
| competitor, technological breakthrough can make you the new
| IBM.
|
| Prices like Nvidia were highly overvalued but
| understandable with a stretch of imagination of 25% growth
| for a decade when it was 300$. I could almost see it and
| would've still concluded it was an unlikely outcome and
| risk/reward ratio was not there.
|
| But now we're long past that mark and in the territory of
| insane expectations and high premiums paid with a very high
| risk.
| mschuster91 wrote:
| > There's no such amounts of money to be spent in
| hardware, it's lunacy.
|
| Oh, money there is. NVIDIA is selling shovels to hordes
| of people searching for gold... first it was cr*ptoc*in
| miners, now it's billion dollar companies in the search
| for AGI. But unlike shovels that anyone with access to
| iron, a fire and a hammer can make, there are only five
| companies on this planet that can design the chips in the
| first place: Google and Amazon (who don't sell to
| outsiders), Intel (who has other, more pressing issues
| than to design AI training accelerators), AMD (who has
| the chops on the hardware design side but seems to be
| completely unable to get the software side stable enough
| that people would be even willing to look at it) and
| NVIDIA.
|
| And to make the issue worse, there are only three fab
| houses who can physically manufacture the chips: TSMC,
| Samsung and Intel... TSMC is all but booked out already,
| Samsung is nowhere near their level, and Intel both
| doesn't do fab jobs for outsiders _and_ has completely
| botched their new nodes for years now.
|
| There is just no way _anyone_ can outsmart NVIDIA at that
| point, and demand is only going to increase in pretty
| nasty bidding wars.
| matwood wrote:
| > Oh, money there is.
|
| Spot on. Nvidia can't even meet all existing demand right
| now.
|
| https://fortune.com/2024/02/21/nvidia-earnings-ceo-
| jensen-hu...
| bluGill wrote:
| Money there is for sure, the claim though is the slightly
| different 'there isn't that much'. I don't know who is
| right, but it is the important question if you are
| investing long term.
| caslon wrote:
| Meta obviously has the money; $135B revenue, $88B in
| expenses, $18B in debt.
|
| Even assuming the current push toward general AI is a bubble,
| which is not unreasonable, the company can afford to throw
| away billions of dollars. It doesn't matter at all; they own
| the money printer and can make as many bets in as many
| markets as they want.
|
| The same GPUs that are presently being used to create semi-
| open AI projects can just as easily be repurposed to power a
| public launch of their Codec avatars, which are lightyears
| ahead of what Apple has, or for better prediction engines in
| what are quite probably the best sales engines of all time:
| Their websites.
|
| Their data centers will be useful for the future of selling
| products to gullible consumers: Short-form video, which is
| the first chance in years that they've had to meaningfully
| take market share from Google.
|
| Even assuming it was all vanity, Zuckerberg has earned the
| right at this stage in his career to _make_ vanity plays. He
| still has majority control over his company, which
| shareholders have insisted upon, and he has an almost
| untarnished record of making incredible long-term bets that
| seem irrational at the time (Instagram acquisition, Whatsapp
| acquisition, arguably the Oculus acquisition).
|
| He's earned drastic amounts of money for speculators, who
| have done little to deserve any of it. It would be a strange
| thing to argue that the speculators suddenly have a better
| grasp of what he's doing than he does; there are millions of
| speculators, but only one person with a track record like
| Zuckerberg.
| matwood wrote:
| Meta has plenty of money to spend. It's also been reported
| that Meta is using AI to get around Apple's ATT [1], with
| some reports saying that user ad targeting is better than
| before ATT came out [2]. Meta is already executing and
| succeeding on a concrete plan using their AI.
|
| [1] https://www.forbes.com/sites/jonmarkman/2023/05/24/metas-
| ai-...
|
| [2] https://www.socialmediatoday.com/news/meta-outlines-
| evolving...
| hello_computer wrote:
| I think most consumer market "reporting" is poorly-disguised
| market-manipulation. Best advice for your portfolio is to tune
| all of those assholes completely out.
| underlipton wrote:
| Something fun: pay attention to how many financial news
| headlines are formatted, "X as Y" or "Statement Presented as
| Fact: Says Opinion-Haver". The first implies that there's
| some causational link between X and Y, when none might exist;
| the writer can claim that they were just stating that two
| events were happening in tandem. The second biases a reader
| before they receive the crucial information that the
| preceding statement was not, in fact, fact.
|
| (Also, lately, look out for listicles of stocks "to buy" (not
| financial advice, of course) and "Forget X".)
| zettabomb wrote:
| That was such an incredibly ridiculous story. I spoke with more
| than a few supposed infosec "professionals" who believed it
| entirely too. Never mind that there were zero reports from
| other journals (you know, like anything even slightly
| technical), that none of the cited sources would reiterate what
| they had supposedly said, or that the claimed mode of operation
| wasn't even possible. Their follow-up, _despite having been
| disproven numerous times over_ , was even more ridiculous.
| toast0 wrote:
| If I'm assuming everyone involved had good intentions, the
| best thing I can guess is someone was speaking to the writer
| about the potential of the BMC being used for spying and got
| some details mixed up.
|
| Consider: the BMC has access to the system via PCI-e, as well
| as kvm and comport. In some systems, the BMC is in the path
| of the main NIC. There have been some major software flaws in
| BMC software, including revisions that SuperMicro shipped,
| where passwords could be bypassed in the network interface.
|
| Stuff like this https://web.archive.org/web/20140625065505/ht
| tp://blog.cari.... and other things on this page
| http://fish2.com/ipmi/ are all pretty nasty if you thought
| IPMI was secure in the neighborhood of 2014.
| darth_avocado wrote:
| The low valuation had less to do with the spying allegations
| and more to do with a history of accounting frauds. Obviously
| if you have a proven history of fudging up revenue numbers,
| investors are less likely to invest in you.
|
| https://www.sec.gov/news/press-release/2020-190
| guiriduro wrote:
| If that were true, Carvana wouldn't have an obscene
| valuation.
| solarkraft wrote:
| ... and they're not an obscure server maker anymore? What
| happened?
|
| As far as I know, as much as being obscure, they've also been
| around forever.
| jsnell wrote:
| I would have thought every server maker was able to sell every
| GPU they got their hands on at this point in the hype cycle. If
| SuperMicro is gaining market share, isn't it just a sign that
| Nvidia is giving them a bigger GPU allocation?
| solumunus wrote:
| That's the rumour, NVDA give them higher priority because of a
| longstanding relationship.
| johnklos wrote:
| It'd be nice if they gave a damn about security. I had clients
| stop buying them because a glaring security problem was
| determined to be "not an issue" that they wouldn't fix.
|
| It's one thing to say they wouldn't or couldn't fix products
| already made with the flaw, but it's another entirely to have a
| culture of security that says, "Sure, this flaw could cause your
| machine full, unfettered compromise, but because it's not likely
| to happen and not highly publicized, we don't care."
|
| It makes me think they'll treat current and future security
| problems the same way. Security shouldn't be based on popularity
| contests.
|
| Sorry, but not for me.
| gizmo wrote:
| Do you have more info on this? iDRAC doesn't have the best
| security track record either, but people don't really seem to
| care.
| dualboot wrote:
| Indeed. An OOB interface is something you should always
| handle like radioactive material. It's volatile, powerful,
| and should be handled with extreme care and caution.
| johnklos wrote:
| In a nutshell, the problem is this. I don't know whether this
| has changed, but this was true as of 2018 / 2019.
|
| Most of their motherboards have IPMI with a separate
| management port. A good number of them share IPMI management
| with the motherboard's primary ethernet port by default if
| nothing is plugged in to the management port. The
| motherboards have no way to configure them to NOT share the
| primary ethernet port beyond having the full stack of
| software needed to configure their IPMI.
|
| What this means is that there're no jumpers one can change
| and no settings accessible in the BIOS that can force IPMI to
| stay on its own port, so if a BIOS gets reset, the battery
| dies or even just temporarily fails to provide power (like if
| it's being shipped by air and gets very cold), or you want to
| ship servers directly to a datacenter, the machine is 100%
| ownable on the public interface BY DEFAULT unless the
| management port is connected (and even then sometimes it
| decides to share the primary port - probably a function of
| link negotiation speed with the switch).
|
| Sure, it's not a common occurrence, but it happens.
|
| The solution for all the servers we already had deployed? We
| got ethernet loopback plugs for every one of them where the
| IPMI port wasn't already connected to a switch we
| administered.
|
| A reasonable response: "Sure, that could be a problem
| sometimes. We can't change motherboards we already sold, but
| we'll bring this up with our design team so there'll be a
| jumper you can change so sharing will never happen, even with
| a reset BIOS."
|
| Their response: "This isn't a security issue."
| dilyevsky wrote:
| This! And their BMC is trash, and OpenBMC only ships on a few
| boards (ARM ones, IIRC).
| secabeen wrote:
| This is an interesting attack surface. Can you extend the
| risk out a bit? Assume that you have a vulnerable
| supermicro IPMI now exposed on a public interface. It has
| no IP address, and is presumably issuing DHCP DISCOVERs in
| an effort to get an IP. How do you reach the IPMI device to
| exploit it? What additional access do you need to get
| there?
|
| Root on another device on that public network would do, you
| could forge the necessary DHCP responses to get it
| configured with an IP address of your choosing. Non-root on
| another device on that network might also work, if it fails
| DHCP and self-configures on a 169.254 address, assuming it
| does that.
|
| Is there an obvious way to exploit such an issue from
| beyond the public subnet? Every attack I can imagine would
| be blocked by either inbound firewalls, or a failure to
| reach the IPMI as an unexpected device on the public
| subnet. I suppose that it would be a possible risk if you
| have a DHCP server on that public subnet issuing IP
| addresses to all devices, but that seems like a larger risk
| anyways. Server networks should be statically assigned or
| static DHCP in all cases.
| dilyevsky wrote:
| > This is an interesting attack surface. Can you extend
| the risk out a bit? Assume that you have a vulnerable
| supermicro IPMI now exposed on a public interface. It has
| no IP address, and is presumably issuing DHCP DISCOVERs
| in an effort to get an IP. How do you reach the IPMI
| device to exploit it? What additional access do you need
| to get there?
|
| I think you misunderstood the level of fucked up this
| really was. The BMC device sits on the north bridge and
| literally scoops up packets from the main NIC which means
| it can even be accessible from the internets (if you
| didn't firewall port 623). See [0] for an example of how a
| variation of this unfolded.
|
| [0] -
| https://www.zdnet.com/article/over-47000-supermicro-
| servers-...
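A self-check for the exposure the two comments above describe (a BMC answering on an address that belongs to the host's primary NIC). This is an added example, not code from the thread, from Supermicro, or from any commenter: it builds the standard ASF/RMCP Presence Ping that tools like ipmiping send to UDP 623, and parses the Presence Pong, whose "supported entities" byte says whether the responder speaks IPMI. The packet layout is taken from the ASF/RMCP specification; the sample pong in the test is constructed, and `bmc_responds()` is meant to be run from an admin host against servers you administer. One caveat worth knowing: traffic the BMC takes over the shared NIC arrives through the sideband path and never reaches the host operating system, so a host firewall on the server cannot block it. Probe from a different machine, and place any port-623 rule at the network edge.

```python
import socket
import struct
from typing import Optional

# Constants from the ASF/RMCP specification (not from the thread).
RMCP_PORT = 623
ASF_IANA = 0x000011BE          # IANA enterprise number for ASF
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40


def build_presence_ping(tag: int = 0) -> bytes:
    """RMCP header (version 6, no-ack sequence 0xff, class ASF)
    followed by an ASF Presence Ping with an empty data field."""
    rmcp_header = bytes([0x06, 0x00, 0xFF, 0x06])
    asf_header = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PING,
                             tag & 0xFF, 0x00, 0x00)
    return rmcp_header + asf_header


def parse_presence_pong(data: bytes) -> Optional[dict]:
    """Return the parsed fields if `data` is an ASF Presence Pong, else None.

    Pong data field (16 bytes): OEM IANA (4), OEM defined (4),
    supported entities (1, bit 7 = IPMI supported), supported
    interactions (1), reserved (6).
    """
    if len(data) < 12 or data[0] != 0x06 or data[3] != 0x06:
        return None                       # not RMCP, or not ASF class
    iana, msg_type, tag, _reserved, length = struct.unpack("!IBBBB", data[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG:
        return None
    payload = data[12:12 + length]
    result = {"tag": tag, "ipmi_supported": False, "oem_iana": None}
    if length >= 16 and len(payload) >= 16:
        oem_iana, _oem_defined, entities = struct.unpack("!IIB", payload[:9])
        result["oem_iana"] = oem_iana
        result["ipmi_supported"] = bool(entities & 0x80)
    return result


def bmc_responds(host: str, timeout: float = 1.0) -> Optional[dict]:
    """Send one Presence Ping to host:623/udp from this machine and
    parse the reply. None means nothing answered within the timeout;
    a dict with ipmi_supported=True means a BMC is listening there."""
    ping = build_presence_ping(tag=0x2A)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(ping, (host, RMCP_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <address-of-a-server-you-administer>
    print(bmc_responds(sys.argv[1]))
```

A pong on the server's primary-NIC address, while the dedicated management port is unplugged, is the condition johnklos describes; a pong only on the dedicated port's address is the expected state. Since the host OS never sees these packets, the absence of a listener in `ss -lun` on the server proves nothing.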
| hsbauauvhabzb wrote:
| I unknowingly did this, I found a random IP exposing the
| interface, and used admin/admin to compromise it - I was
| very confused as I explicitly did not plug in the IPMI
| interface as I do not want it.
|
| I ended up using a PCIe NIC, which IPMI does not
| auto-bridge to.
| johnklos wrote:
| There are plenty of cheap colos that do no filtering on
| their public networks. Some are saving money by putting a
| number of machines on a single ethernet segment, some are
| saving IPs by not having a /31 (or, much more often, a
| /30) for each client, and some both, so a compromised
| machine could easily run a DHCP server and scan any
| takers. You're right that no sensible network would
| forward packets to a misconfigured IPMI, though.
|
| That still leaves very real things that've happened - the
| IPMI switches to the public interface and can no longer
| be reached on the managed local interface, and then
| you're rebooting several times in hopes it'll switch back
| and making aliases on a public interface to see if you
| can talk to it on the public segment. It's not
| professional at all.
| wannacboatmovie wrote:
| > The motherboards have no way to configure them to NOT
| blah blah blah....
|
| Most of your claims are false.
|
| Super Micro has a utility to write the correct bits into
| EEPROM to disable this behaviour and stop the failover as
| default.
|
| The utility was available years ago, prior to the time
| frame you state.
|
| Any competent sysadmin would just build this into the
| deployment task sequence.
| johnklos wrote:
| First, do you have a link to documentation for this
| ability?
|
| Second, "any competent sysadmin" would have to know that
| this exists. Super Micro's security team didn't know this
| existed, or if they did, they failed to mention it in
| their response.
| wannacboatmovie wrote:
| In the normal run of things, I'd tell you to do your own
| research.
|
| But we're all Irish today and I'm in a particularly
| giving mood.
|
| https://www.supermicro.com/Bios/sw_download/645/IPMICFG_U
| ser...
|
| IPMICFG -lani 0
|
| You're welcome.
|
| (I do recall the syntax being a bit more cryptic, passing
| hex values, perhaps they've improved things since I last
| did this. Nevertheless, the capability has always been
| there.)
|
| SuperMicro themselves not knowing this exists isn't
| surprising in the least.
| RVuRnvbM2e wrote:
| According to that doc, the functionality was only added in
| late 2022.
| wannacboatmovie wrote:
| Impossible as I was doing this nearly 10 years ago.
|
| See my comment about remembering the process to be rather
| cryptic (writing hex values to address offsets) but the
| capability WAS there.
|
| Perhaps they added that switch recently to make it more
| user friendly.
| johnklos wrote:
| ...but IPMI configuration isn't stored in EEPROM. It's
| stored in NVRAM.
|
| And I believe you that you configured this pre-2022, but
| anyone could use the IPMI tools to configure this
| pre-2022 and pre- -lani option. You're trying to say it's
| in EEPROM, meaning it's invulnerable to battery loss. It
| definitely isn't.
| broknbottle wrote:
| Supermicro does offer board variants without the IPMI
| feature. I'd argue that most people who are buying the
| variants with IPMI are planning to utilize the feature.
|
| The sideband feature also tends to be associated with an
| interface on the board that is considered the non-dedicated
| IPMI "management" interface. Use one of the other onboard
| NIC ports or a PCI-E NIC like the X550-T2, etc.
| markhahn wrote:
| hasn't been obscure for a long time.
|
| this says more about WSJ-reading "enterprise" IT than anything
| else.
| dboreham wrote:
| If only I had known they were listed in the US. Just assumed they
| were an offshore company (based on their pretty terrible
| support). Disclosure: long time user.
| jakehop wrote:
| SM has been producing good quality hardware for decades. I
| remember them from catalogues of my childhood. Obscure is not the
| right word here.
| gnuser wrote:
| I've built entire DCs out of Super Micro hardware, they rock.
|
| For example, their quad Opteron boards allowed me to make 64-core
| systems in the 2013 era!
| latchkey wrote:
| Disclosure: Building a CSP business around SMCI products. Sorry
| if this sounds like an advertisement, I'm really just a happy
| customer.
|
| I feel like the reason why SMCI has done so well in this AI round
| is because their server architecture is best in class and they
| have been able to support the internal changes necessary for AI
| workloads. They also support AMD CPUs, while others only offer
| Intel.
|
| 6 years ago, Cenly Chen / SMCI was saying AI was going to be huge
| and that total revenue would be $36B, in 2025 [0]. We are well
| past that number now. Amazing how AI turned out to be even bigger
| than anyone could have imagined, but at least they had some
| vision even back then.
|
| Dell, Giga, ZTS are all behind in their offerings while SMCI is
| iterating and is now even getting to the point of water cooling
| and L11 manufacturing.
|
| I just received a shipment of AS-8125GS-TNMR2 (8U MI300x) and the
| thing is an amazingly well designed beast of a chassis.
| Everything slots together perfectly. If you study the user
| documentation, the layouts of the internal block diagrams are
| fantastic and built for speed.
|
| We are lucky enough to have been able to open an account directly
| with them. It wasn't easy and required a ton of due diligence,
| but working with the team there has been a top notch experience.
|
| [0] https://www.youtube.com/watch?v=WzqBuiwkv5I
___________________________________________________________________
(page generated 2024-03-17 23:01 UTC)