One Year After “The Big Hack”
It sounded like the information security scoop of the decade — except there’s virtually no proof that any of it is true.
At the time of the story’s publication, representatives from the named companies denied Bloomberg’s reporting in statements that left virtually no wiggle room. Tim Cook called for the story’s retraction — a call that was soon echoed by Amazon and Supermicro. Michael Riley — who reported the story alongside Jordan Robertson — took to Twitter on October 5 to point out that the physical evidence would make it “hard to keep more [details] from emerging”.
So far, that has not happened.
[…]
Most upsetting is that we don’t know the truth here in any capacity. We don’t know how the story was sourced originally other than the vague descriptions given about their roles and knowledge. We don’t know what assumptions were made as Riley and Robertson almost never quoted their sources. We don’t know anything about the thirty additional companies — aside from Amazon and Apple — that were apparently affected, nor if any of the other nine hundred customers of Supermicro found malicious hardware.
Mind you, if it were true, there would also be proof.
This was the one thing lacking from the Bloomberg piece, though you would think it would be the first thing that this or any publication would have insisted on. You would at least, at the utter least, expect Bloomberg to have one of these motherboards and show us this spy chip. Instead, we got an illustration by artist Scott Gelber.
It’s not as if the company would have had to go far —the Bloomberg company itself owns some Super Micro servers.
[…]
There is this one exception, but it’s not that anyone agrees with the story, it’s that we do not know the outcome of this other investigation. That’s because it was done by Bloomberg itself, after publication, and its findings have not been published.
[…]
Co-author Michael Riley was promoted in September 2019 to oversee all of Bloomberg’s technology security coverage.
With not one shred of evidence emerging in a year, it seems very clear that this was, in fact, “the biggest reporting fuck-up of its type”.
Previously:
Update (2019-12-30): See also: Hacker News.