The Long Hack
Jordan Robertson and Michael Riley (Hacker News, 9to5Mac):
Bloomberg Businessweek first reported on China’s meddling with Supermicro products in October 2018, in an article that focused on accounts of added malicious chips found on server motherboards in 2015. That story said Apple Inc. and Amazon.com Inc. had discovered the chips on equipment they’d purchased. Supermicro, Apple and Amazon publicly called for a retraction. U.S. government officials also disputed the article.
With additional reporting, it’s now clear that the Businessweek report captured only part of a larger chain of events in which U.S. officials first suspected, then investigated, monitored and tried to manage China’s repeated manipulation of Supermicro’s products.
[…]
“In early 2018, two security companies that I advise were briefed by the FBI’s counterintelligence division investigating this discovery of added malicious chips on Supermicro’s motherboards,” said Mike Janke, a former Navy SEAL who co-founded DataTribe, a venture capital firm. “These two companies were subsequently involved in the government investigation, where they used advanced hardware forensics on the actual tampered Supermicro boards to validate the existence of the added malicious chips.”
The story has more than 50 sources, most anonymous. All the companies and the NSA still deny it. I guess the truth could be so bad that everyone is conspiring to cover it up, but in that case I still would have expected Bloomberg to present some more convincing details and evidence. I started reading this thinking they were going to go back and lock down the 2018 story, but that’s not what this is.
Robertson and Riley’s new report concerns the three specific incidents in the quoted portion above. There is no new information about the apparent victims described in their 2018 story. They do not attempt to expand upon stories about what was found on servers belonging to Apple or the Amazon-acquired company Elemental, nor do they retract any of those claims. The new report makes the case that this is a decade-long problem and that, if you believe the 2010, 2014, and 2015 incidents, you can trust those which were described in 2018. But if you don’t trust the 2018 reporting, it is hard to be convinced by this story.
This time around, there are many more sources, some of which agreed to be named. There is still no clear evidence, however. There are no photographs of chips or compromised motherboards. There are no demonstrations of this attack. There is no indication that any of these things were even shown to the reporters. The new incidents are often described by unnamed “former officials”, though there are a handful of people who are willing to have quotes attributed.
It’s a 4,000-word exercise in journalistic sophistry. It creates the illusion of something being there, but there is nothing there.
tl;dr is a source misunderstood an FBI defensive briefing on China’s supply chain activities, leaked it to the press, and bloomberg has again failed to do the work necessary to verify the sensational claims, because they mistake impressive credentials with domain expertise.
[…]
Articles like this are constructed out of parts. There are a series of claims attributed to collections of sources, grouped into an overall story. The way to read them is to read carefully to break out the specific claims and the corresponding sourcing.
Previously:
3 Comments RSS · Twitter
@Niall O'Mara
>The timing of the update to the original article is surely not a coincidence.
Not sure what you meant, considering this update came out *after* Trump lost
Why would anyone pay attention to a claim that would be so easy to verify but has never been verified? All it would take is a single example of a board with a "malicious chip" on it. No evidence => bull.
It seems obvious (to me) that the Trump administration wanted a reason to stop the Chinese tech industry’s increasing presence in the USA and Bloomberg were the conduit - whether knowingly or not.
The timing of the update to the original article is surely not a coincidence.