exoesquitur 5 years ago

From a technical perspective I found this story compelling, so I tried out a simple hack to see if it were "possible".

Using an attiny85 uC, a couple resistors, a cap, and a couple diodes I had lying around, I was able to wire up a two terminal "device" that pretty much acts like a 5k pull up resistor on an I2C line... But when you pass data through the signal line (SDA) wire it can read and modify it. It is crude and very limited, but it works (only at lower I2C data rates in this case, but hey, it's a cheap hack).

A nation state adversary could trivially miniaturize this to the size and form of an SMT resistor, and use a much more capable uC in the process.

I'm not saying that this substantiates the Bloomberg story in any way.

Just saying it's a great (black hat) idea, and it works.

It would surprise me a little if this weren't used in the wild by somebody.

  • kryogen1c 5 years ago

    The argument that Bloomberg's claim doesn't pass the smell test never originated from the fact that aftermarket out of band management controllers aren't possible, but that it's extremely unlikely that no one ever noticed at any stage.

    Some hack targets multiple megacorporations that also lead the technical revolution and all those companies go out of their way to explicitly deny anything ever happened? Undetected arbitrary code execution is one thing, but what was the exfil plan that also avoids a totally separate detection system?

    On top of that, these authors are known publishers of bad technical stories?

    Possible was never the problem, but the total lack of evidence and massive unlikeliness just doesn't add up.

    • lawnchair_larry 5 years ago

      It’s not that no one ever noticed. It’s that the folks who thought somebody did notice didn’t have any idea what they were talking about.

  • setquk 5 years ago

    You can buy a $10 aliexpress logic analyser and lift data off a high speed bus easily. I've got a rather nice oscilloscope that actually does this.

    However there's a massive disparity between that and actually modifying the bus data, pattern matching data going across it, delivering a payload effectively (watch how flakey serial busses get at high speeds), miniaturising and packaging the entire exploit, compromising supply chains and board reviews and inspection.

    For an analogy, it's like donning a yellow jacket, necking half a bottle of whisky then carrying a bazooka across the White House lawn.

    I don't and never will buy this attack vector. They could have easily infiltrated the chipset manufacturer, but no they went through a huge number of difficult steps which leave thousands if not millions of smoking guns around which are all traceable back to the source. Hmm...

  • lupire 5 years ago

    Hardware hacks are easy for anyone who works in that industry. What's hard is making software that runs on that hardware do anything useful -- it would need to communicate with external command&control and know how to read interesting data or send interesting effectful commands to the mainboard.

    Making the main board fail arbitrarily would be easy, but controlling the board or exfiltrating data is hard.

    • PeterisP 5 years ago

      I have the entirely opposite opinion - once you have managed to attack the supply chain and covertly deploy, say, some hardware that can write a few hundred arbitrary bytes to the firmware (which was described as the attack vector by Bloomberg), then that's essentially game over. Perhaps designing the hardware hack is easy, but getting the malicious chip on the devices shipping to your targets and keeping it a secret is not trivial.

      "communicate with external command&control and know how to read interesting data or send interesting effectful commands to the mainboard." is hard only in the sense that it takes some effort, however, this requires pretty much the same capabilities and skills as every engineered malware we've encountered, so you can assume that every serious adversary can do it, not only nation state adversaries but many serious commercial pentesting companies and cybercrime teams have demonstrated such capabilities.

      I can imagine an attacker that can make the "hard" software required but doesn't have the capability to insert that modified hardware within a supply chain - as in, it's not even an assumption, for pretty much every intelligence agency it's known that they can easily do software which "would need to communicate with external command&control and know how to read interesting data or send interesting effectful commands to the mainboard" - even just counting things that have failed (because we've detected and analyzed and attributed them), there's clear evidence that they can do it because they've done it many times.

      I literally can't imagine an agency that can pull off the supply chain attack but doesn't have the capability to write software to control the board and exfiltrate data.

      • llama052 5 years ago

        I just can't imagine anyone exfiltrating the data on a corporate level at any scale without raising alarms. It's just not realistic, once it leaves the board it's pretty easy to see over a network.

        Now specific targeted attacks are more believable, at that point though I'd think a one off MITM hardware swap would be more likely.

    • scooter2 5 years ago

      You don't need to exfiltrate data, just detect if some crypto workload was occurring and weaken it in a way known to you.

  • esmi 5 years ago

    This is very interesting. Can you be a bit more specific about the design?

    When you say you created a two terminal device; do you mean you have a PCB (or equivalent) with two IO pads which you soldered to the pads which would normally be occupied by I2C pull-up R, but on a different PCB.

    Basically, I'm wondering how the attiny85 was powered.

    Given your description, I'm guessing you made a local power well which floated on the SDA line similar to how a boost cap works in a buck regulator (or more generally a charge pump). This is also approximately how a one-wire device works, like say the DS28E07.

    To turn a 0->1 strengthen the pull-up equivalent which is in parallel to the uC circuit. I could probably add a simple feedback circuit to make sure the pull-up is just strong enough to keep SDA above VOH_min which should help prevent the I2C driver from getting damaged. To turn 1->0 open the pull-up equivalent and let the bit leak down.

    Assuming standard I2C, I just need to make sure my uC is fully booted and ready to go by the end of the start bit. Should be doable.

    I think I mostly convinced myself I could build one too. Of course any board I want to attack probably uses a SPI ROM, so roughly the same idea, but in a series termination resistor. :)

    • mrb 5 years ago

      «Basically, I'm wondering how the attiny85 was powered»

      You guys are overthinking this. Server motherboard PCBs are usually 4-8 layers with GND and VCC planes available near any component. The hackers, according to Bloomberg, modified the motherboards, so presumably they would simply add vias to the GND and VCC planes to power their rogue chip. You don't gain much by going to the trouble of making the chip self-powered by leeching current from the SPI line... The vias that bring power to the chip can be hidden within layers (it's a standard thing to do). It would not even be detectable by a visual inspection. You would have to x-ray the PCB to detect it.

      I'm with the GP. I've said it before (https://news.ycombinator.com/item?id=18146566): the presumed hack described by Bloomberg is actually not that hard, and perfectly doable. All the attacker has to do is compromise the PCB manufacturer. Actually not even that. He would swap a box of legit PCBs with a box of compromised PCBs when they are in transit from the PCB manufacturer to the assembler. The assembler (the one who solders components on the PCB) wouldn't suspect a thing because normally PCBs are just passive things. No chip. No logic. No firmware. Just stupid layers of copper that either work (conduct electricity) or don't. That's why no one pays attention to PCB manufacturers and instead supply chain security is focused on everything higher in the chain: the providers of components, the assemblers, the distributors, etc.

      This Supermicro rogue chip story is in fact an attack much less advanced than some real-world attacks we have seen, like Stuxnet which exploited four(!) zerodays...

      • rrix2 5 years ago

        The assembler still has to put a special SKU 5k resistor (with our BMC modifying framework burnt in to it) on the modified PCB without anyone noticing though. I don't follow your conclusion that only the PCBs would have to be swapped.

        • mrb 5 years ago

          The attackers supposedly installed the tiny rogue chip, sandwiched between the layers of the PCB (which is unusual and the main innovation of this whole attack), before the PCBs reached the assembler. The assembler starts soldering components without knowing one is already hidden in there...

  • dsl 5 years ago

    I don't know why anyone is doubting this is possible in the first place. From the Snowden leaks we know in 2008 the NSA had an _entire computer_ complete with CPU RAM and an FPGA smaller than the size of a dime [1] that they implanted inside other devices.

    The NSA was also actively using COTTONMOUTH II [2] which was a USB header for a motherboard that could be inserted into the supply chain and provided a long range transceiver for software implants to bypass airgapped networks.

    Ten years on I would not be surprised that the Chinese have a similar tool in an even smaller form factor. People seem to be treating this like a futuristic sci-fi plot.

    1. https://upload.wikimedia.org/wikipedia/commons/c/cc/NSA_MAES...

    2. https://leaksource.files.wordpress.com/2013/12/nsa-ant-cotto...

  • trhway 5 years ago

    >A nation state adversary could trivially miniaturize this to the size and form of an SMT resistor, and use a much more capable uC in the process.

    And sandwich it between the PCB layers. No way to find even upon close up inspection without X-raying the board itself, and even interpreting the X-ray image of a modern multilayer board would be a nontrivial task. I don't think Supermicro did it, at least for a statistically meaningful set of boards.

    • phire 5 years ago

      Or just replace one of the existing chips on the i2c bus with an identical but malicious one.

      I don't know how you would even detect that, short of decapping and scanning the die in.

      • mianos 5 years ago

        That would be as easy as getting a same sized chip that is, say, an attiny, a bit of sand-papering and a laser to re-etch the package. If you had access to a wire bonding machine, not difficult, you could mount a second die in a de-capped package and cap it up with a bit of black resin. This would not require state level actors. Bunny Huang type of guys could do it.

    • asimpletune 5 years ago

      I don’t think they have to use xrays. I heard that they spin the boards and measure the angular momentum with very sensitive equipment. I don’t know how you could get around that.

      • Retric 5 years ago

        Spinning the boards is of limited use. The attacker now has a specific target to aim for.

        It might be useful if nobody knows you're doing it, but other than that it’s mostly pointless especially if you compromise every sample.

  • antoinealb 5 years ago

    Curious about how you implemented this. Could you share the schematic somewhere ? It would be very interesting !

  • jiveturkey 5 years ago

    > A nation state adversary could trivially miniaturize this to the size and form of an SMT resistor, and use a much more capable uC in the process.

    please do elaborate on this uC that will be the size of an SMT resistor, in a 2 lead package.

  • kw71 5 years ago

    I am having trouble understanding and believing.

    How did you get an ostensible power terminal (for pull up) and two terminals for MiTM (input and output) from two terminals? Assuming a situation where there are other pullups on the wire, how did you assert the low state (short to ground) without a connection to ground?

    • kw71 5 years ago

      Yeah I didn't think so.

  • kickopotomus 5 years ago

    This is pretty cool. I would also be interested in reading more about it if you made a blog post or some such. How did you manage to sync with SCL?

  • 4684499 5 years ago

    > Just saying it's a great (black hat) idea, and it works.

    How good is the idea while you could be caught with physical evidence?

    • qaq 5 years ago

      If you are a state actor implanting devices on your soil, why would you care?

      • CamperBob2 5 years ago

        Ask Huawei or ZTE why.

        Corporations are state actors in China, and their actions have worldwide repercussions.

        • lupire 5 years ago

          How are they relevant?

          They are investigated for intentional business practices, not for secret hacks by unknown entities.

        • qaq 5 years ago

          There is no reason to impact domestic companies; you can implant in US companies' devices.

  • neotek 5 years ago

    I would really love to see some photos and a schematic if you're willing to share, that sounds awesome.

  • m3kw9 5 years ago

    Probably a win win for US Megacorp Inc and China that nothing malicious was found. Every company even Apple has a line to draw what threatens their long term prospects if things got out.

neya 5 years ago

Let's say Super Micro is right and there was no malicious hardware at all for sure. What are the consequences for Bloomberg for this incompetence? I mean, there needs to be something...

Just because you're a news organization, you can't simply escape with "Oh, my bad". This had real implications on stock prices of so many companies and wiped off shareholder value on many of them, including Super Micro.

If Bloomberg's story was false, they shouldn't just walk away like that because "it's the free press".

  • freeflight 5 years ago

    Nothing, just like nothing will happen to the outlets who are currently pushing this "Huawei is spying on everybody" narrative with not an ounce of evidence for it except for unfounded and unsourced claims by FiveEyes intelligence services [0].

    Afaik that whole Bloomberg/Super Micro thing was similarly set up, referring to "anonymous intelligence/industry services", not even naming the company that supposedly did the security audit.

    People have to realize that these kinds of narratives are often pushed by parties in the West, with a vested interest, just as much as it happens in the supposedly "propaganda riddled" East.

    It's for those same reasons that the amendments to the Smith-Mundt Act, which happened back in 2013, haven't seen any widespread attention or even mention anywhere in the mainstream [1] because the good guys don't do "propaganda", they do "interventions" [2] and "information campaigns" [3].

    [0] https://www.ft.com/content/afa7fd54-79b1-11e8-bc55-50daf11b7...

    [1] https://foreignpolicy.com/2013/07/14/u-s-repeals-propaganda-...

    [2] https://www.theguardian.com/technology/2011/mar/17/us-spy-op...

    [3] https://vimeo.com/67739294

    • asituop 5 years ago

      Not that Huawei is the only one, and surely some other brands are even worse, but still Huawei phones are full of spyware; just open NetGuard, or see another example here: https://mobile.twitter.com/fs0c131y/status/10515681807480135...

      But once again surely other brands, Western companies included, are also spying, but it doesn't change the fact that Huawei does it too.

      • davb 5 years ago

        I see people say this a lot, but I'm using an Honor 10 and have spent a bit of time this week alternately MITM proxying connections from the phone and capturing DNS at the router.

        I found very infrequent calls to HiCloud (Huawei's cloud service), almost always using a HiCloud enabled app where it would make perfect sense to communicate with the service.

        On the other hand, I saw third party apps (none of which were pre-installed) almost constantly firing requests to analytics and ad services. Microsoft Edge was the worst culprit - virtually every action I took (opening menus, tabs, etc.) triggered a request to vortex.data.microsoft.com. Spotify calls Scorecard Research in the background often, even if it appears not to be running. Google calls the connectivity check service very frequently (even when network conditions aren't changing). The BBC iPlayer apps (when ostensibly not running) refresh channel and config data frequently in the background.

        I see a lot of rhetoric calling out Huawei phones for being spyware ridden trash, but honestly my own research this week suggests that the privacy controls on the phone work well and that third party apps are more of a privacy threat.

        • asituop 5 years ago

          "Seeing HiCloud request while having HiCloud app enabled" -> and so ... ? The question is "if I refuse all their services, do they still collect my data?". No surprise your phone makes requests if you are using their services.

          "Third Party apps are not privacy respecting and sending data to Google" -> yes nothing new, we're not talking about the spyware you can install from the playstore yourself, you have a lot of choice there too indeed, we're talking about pre-installed apps.

        • xenadu02 5 years ago

          As far as I can tell, the concern with Huawei is not that their phones have some kind of obvious backdoor, but that the Chinese government has Huawei's private keys and can load arbitrary software on their phones, something the Chinese government uses sparingly to attack targets they don't like. And not just phones, their switches, routers, base stations, and other gear - in that case used to eavesdrop on cellular voice traffic around the world.

          Even if Huawei didn't do this willingly the Chinese government doesn't operate by open rule of law. If the Party decides they will comply then they will comply. No news outlet will report on it. Social media will be censored. None of us in the west will ever know. There is no court to appeal to because the courts are under the thumb of the Party. Huawei is required to hire Party members as employees - Huawei leadership might not even be aware of it for plausible deniability reasons.

          This is the direct result of the State apparatus that the Party in China has built for itself. They can cry all the rivers they want about Huawei; it's their own fault. Even if nothing nefarious is going on the suspicion alone has a huge impact.

          To address the whataboutism: The whole issue around NSA revelations is entirely because that sort of thing isn't supposed to be possible in the USA (and nominally wrt NSA is only supposed to be valid when it involves foreign individuals). Individuals and companies regularly challenge government over-reach so there are at least some checks and balances, even if they aren't as strong as we'd like. Apple can choose to fight a court order. Trump's executive orders can be blocked.

          Now imagine a new story claiming someone sued to block Xi Jinping's executive order in China. Such a scenario is absolutely laughable.

          There is a difference between China and the West. To pretend they're the same is to pretend a bicycle is identical to a semi. They're both methods of transportation with wheels that carry cargo but there is a wide gulf in practice.

          edit: As for the Supermicro story, who knows. The attack is certainly theoretically possible. Whether such an attack took place is another matter and so far no one has provided a tampered board as evidence.

          The only way to be reasonably sure it isn't happening is to sample the final product, tearing down every individual component to verify everything (down to the traces on boards and gates on chips). That's a lot of work, expensive, and time-consuming. Most manufacturers probably don't bother. That applies regardless of where the product is assembled unless your own factories are producing every single component.

        • doanguyen 5 years ago

          Don't worry, no one will ever notice that or they just don't care, but anything from China is evil. I'm not Chinese but I feel poor for them.

        • time-domain0 5 years ago

          I worked for several US-based handset manufacturers as a consultant. It's common to have the handset mfgr host features on its own cloud such that the phone is entirely dependent on it to function: the cloud goes away, large swaths of phone functionality break. It sucks but it's true.

      • acqq 5 years ago

        Isn't the given example of a phone for the Chinese market?

        From the thread there:

        “this will only happen with phones that are meant to stay in china, and also using software made for the chinese market. if your phone is shipped outside of china or has google play services, they're fine”

        “It's only Chinese roms that don't have Google play store. This has been known for awhile and honestly this while ep 2 shit is nothing new.”

      • Drdrdrq 5 years ago

        Can't open the link because of rate limiting - hn effect?

        Anyway, is any phone-home spying? What if it phones US servers, say Google's? Unfortunately I can't think of a popular brand that doesn't spy on its users (no matter what the reasons are).

        • reissbaker 5 years ago

          It's not just a phone-home. It's sending your entire browsing history (unencrypted!): every web request you make gets sent back to servers in China.

          • jake_the_third 5 years ago

            I am having a very hard time believing this statement is in any way true. If you have a link to details, now is the time to provide it.

            • reissbaker 5 years ago

              Check the Twitter link posted elsewhere in this thread of a security researcher finding exactly that.

          • lulwot 5 years ago

            That's not entirely true, while ISPs do get a copy of your plain text data if it's not end to end encrypted (and likely offsell it), BGP routes would likely need to be hijacked or somehow compromised while the data was in transit for a Chinese server to get a copy of that data.

        • timecube 5 years ago

          Twitter's mobile site does that all the time, just refresh and it'll work.

      • codedokode 5 years ago

        Please notice that there also are requests to suspicious Western sites like Google as well, which were caught for collecting data before.

        I have examined network traffic from my Chinese noname phone, and it also sends data to Chinese servers and to Google.

        Also when you visit most websites, there will be a request to Google's data collector service.

    • narrator 5 years ago

      Seems like anonymous sources inside the intelligence agencies is how a lot of the news gets generated these days. Anonymous figures don't have to worry about their reputation or credibility and can just leak occasionally true information to keep getting published.

      • Bartweiss 5 years ago

        When to grant anonymity is a complex question, but I'm immensely frustrated by how many reporters don't even stop to question why a source might want anonymity. In particular, why a source who's part of the government, making a claim that supports a government narrative, via unclassified data, would have any need for anonymity if they had faith in their claim.

        Conor Friedersdorf summarized matters very nicely years ago, and it's a shame so few people seem to have paid attention:

        > The very weakest case for withholding a source’s name is when 1) powerful officials 2) with a clear incentive to lie 3) use anonymity to spread a self-serving narrative 4) without accountability 5) on a matter of great consequence.

        https://www.theatlantic.com/politics/archive/2015/10/the-per...

        • moftz 5 years ago

          Agencies always have official spokespeople and anyone making comments to the press about things they shouldn't be talking about (like an active investigation) can get in a lot of trouble if that agency finds out it was them who leaked to the press.

      • godelski 5 years ago

        They do have a reputation, to the journalist. It's not as far reaching, but you bet that journalist isn't going to trust that source again if they are caught lying. Or even that agency.

        • Bartweiss 5 years ago

          This is certainly how things ought to work, but it's far from clear that it does.

          A reporter on an international affairs beat can't possibly dismiss sources as broad as the State Department or CIA - which makes it very possible to rotate through mouthpieces as they're proven unreliable. (And that's usually when clear dishonesty is found, not just plausibly-mistaken claims.) And anonymity is usually protected even when a source is found to have knowingly misled journalists, which means a dishonest source is only burned for a single reporter or outlet and can go seek out a new audience. Multiply the number of mid-level employees at a major government body by the number of reputable news orgs and this starts to look completely sustainable.

          It's something (reputable) news accountability groups have been upset about for years, but no one seems to have solved it. Conventional wisdom appears to be that publications are scared they'll lose source access completely if they start unmasking dishonest USG sources.

          https://fair.org/home/should-media-expose-sources-who-lied-t...

          • freeflight 5 years ago

            > A reporter on an international affairs beat can't possibly dismiss sources as broad as the State Department or CIA

            It's actually worse, the power dynamics are completely lopsided: He/she can't disgruntle his governmental sources or else there's the very real possibility of being cut out of the loop/any access at all in the future.

            Which isn't a great prospect for any journalist because you can't get any "scoops" when your competitors have privileged access to information.

            • Bartweiss 5 years ago

              Yes, that's a very good point.

              In-depth interviews, early story tip-offs, and 'approved' leaks with accurate content aren't just a way to distribute information and build connections with reporters, they're a way to cultivate dependence. If 95% of unverified content is accurate, a reporter who can't get pithy 'official' quotes or advance warning on stories will consistently produce worse output than those who can.

              It seems like a few particularly famous publications can push back because they're too big to shut out, though their individual reporters often still fold. (e.g. the NYT on Iraqi WMDs.) And there's a bit of room for dedicated 'dissenting' sources like The Intercept and CounterSpin, because they can curate a reputation as leak recipients and then fill out the rest of their schedule with media analysis instead of breaking news. But overall, first-line sources seem to be very effectively trapped by this pattern.

            • haroldp 5 years ago

              > Which isn't a great prospect for any journalist because you can't get any "scoops" when your competitors have privileged access to information.

              This is an important part of Herman/Chomsky's "Propaganda Model" of media.

              https://en.wikipedia.org/wiki/Propaganda_model

        • r00fus 5 years ago

          The journalists should lose whatever credibility they have as well as their news org that shamelessly supported the "story". I sure as hell don't trust Bloomberg nearly as much as I used to.

      • TeMPOraL 5 years ago

        Amid all the fake news / paid troll armies dramas, "anonymous government agent" is a pretty old-school approach.

      • coliveira 5 years ago

        When it comes to information on traded companies, people should always consider that anonymous sources are 99% of the time biased. Nobody goes out giving information about a public company for nothing, and when the information is true they will be open and present documents proving it.

    • lawnchair_larry 5 years ago

      Those are very different cases. Also, public citations of classified intel is a dumb thing to require. I hope the reason why is obvious.

      In the SuperMicro example, the same shadowy government organizations you accuse of conspiring to build a narrative against China are some of the people who debunked this story.

    • na85 5 years ago

      Regarding the five eyes sources, are we really expecting that intelligence agencies will give sources/proof?

      • Bartweiss 5 years ago

        They do provide sources sometimes - even when their stories are false - which makes credulity without proof that much more surprising.

        They're not inviting anyone into Langley, and if this were a claim about e.g. cyberattacks on Ukraine we might not expect evidence. But for something evaluated domestically, especially with physical evidence like SuperMicro, it's relatively common for intelligence sources to point to people who can confirm key elements. That might be a non-government firm which examined the physical evidence, a non-intelligence researcher who can assess the context of a factual claim, or an affected business which can verify what they experienced.

        When a CIA source told Judy Miller that Iraq was buying aluminum tubes to centrifuge uranium, they claimed that Oak Ridge nuclear scientists had confirmed their assessment of what the tubes were for. They hadn't, but she apparently didn't bother to check.

        When "U.S. officials" told the Washington Post that Russian Grizzly Steppe malware had infected the US electric grid, they provided the name of the utility company which had been attacked - Burlington Electric. Again, this was untrue (the code was found on one laptop unconnected to 'the grid'), but the reporter involved didn't check.

        In the SuperMicro case, there doesn't seem to have even been a name given to check, just vague assertions that some company had performed an audit. That ought to have been a warning sign, but it looks like Bloomberg accepted source diversity in place of concrete or verifiable details - we're told of six national security officials, three Apple insiders, two AWS sources (and a partridge in a pear tree).

      • freeflight 5 years ago

        If they want their claims to be taken seriously, then they really should.

        Without that, it's just hearsay, hearsay by agencies who have deceit as part of their job description and as such should be taken with a massive grain of salt.

        Imho they've also become shy about openly sharing sources because it allows them plausible deniability, they don't want an Iraq style curveball [0] all over again, where the attribution of the misinformation can be too easily traced back straight to them.

        [0] https://en.wikipedia.org/wiki/Curveball_(informant)

        • threeseed 5 years ago

          This argument is illogical.

          They don’t share sources because simply it would reveal the sources. It has nothing to do with plausible deniability because they don’t care whether you believe them or not. The governments do and that’s all that matters.

        • scottlocklin 5 years ago

          I dunno, maybe they've (who is "they" anyway?) become shy because when their claims are examined, they so often turn out to be nonsense? When was the last time anonymous "government sources" or even "five eyes official" told us something which is demonstrably true? Cuban missile crisis?

      • ghostly_s 5 years ago

        I wouldn't, but I also wouldn't expect a reporter to publish this info without finding anything corroborating. This whole story is about physical sabotage devices, supposedly planted in large quantities, why couldn't they find any of these devices or a single person willing to state they saw one?

      • StavrosK 5 years ago

        Are they expecting us to believe whatever they say without any examination?

      • dpwm 5 years ago

        Yes.

  • stareatgoats 5 years ago

    No, they shouldn't just walk away. They should apply sound journalistic principles to investigate exactly how they came to the conclusion, and then publish that investigation with full disclosure. Not sure if I've ever seen a news organization do that though (minimal retractions in a place no-one looks doesn't count).

    • ghaff 5 years ago

      CBS Killian Papers pretty much. There have been some significant examples but there actually aren’t that many cases of a major pub running a “scoop” that no other major pub runs with as well that turns out to be flat out wrong.

      There are certainly examples of mainstream media as a whole getting behind a story like lead-up to Iraq War but this is something different.

      • Wowfunhappy 5 years ago

        Another one that comes to mind is This American Life with the iPhone Chinese factory story. They did an entire episode (hour long) on how/why the error happened.

        • ghaff 5 years ago

          And still another is the Rolling Stone campus rape story. It does happen but when major media outlets are found to have published a major story that’s flat out untrue there does tend to be a pretty loud mea culpa.

      • vidarh 5 years ago

        I think that's in large part because often many others will pile in by referring to the newspaper that ran it. I wouldn't count that in same class, as they're often "technically" not wrong in that they're reporting that "according to X, Y happened" rather than making the false claim that "Y happened".

        The fake Hitler diaries would be one of the really major examples of this, where Stern, Newsweek and the Sunday Times ran the primary stories, and lots of other publications ran stories about the stories in those three.

        And that's also a major example of the main sources taking a lot of flak afterwards, with firings, lawsuits, and books and movies about it afterwards, but it's not clear if it actually harmed the newspapers themselves. E.g. Murdoch has suggested the Sunday Times actually profited from it in the long run as Stern paid them back what they paid for access, and it boosted their subscription numbers even after the hoax was revealed.

        • ghaff 5 years ago

          >it's not clear if it actually harmed the newspapers themselves

          As long as 1.) it's a rare event and 2.) the publication gives the appearance, and perhaps the reality of, throwing the guilty and those in the wrong place at the wrong time under the bus, putting better processes in place, apologizing profusely, and being very introspective about the whole affair, people tend to forgive and forget--or at least forget. And their peers probably have at least a bit of "there but for the grace..." about the whole thing anyway.

          I'm being a bit snarky about throwing people under the bus. Usually there are people who are guilty mostly in a "the buck stops here" sort of way. But, in most of the recent cases I can think of, there were individuals in the news organizations who so wanted stories to be true that they were at best inept in a way it's not clear they understood even in retrospect.

      • pstuart 5 years ago

        > CBS Killian Papers pretty much

        Meh. I'm in the camp that believes Karl Rove pulled off one of his greatest dirty tricks of all time.

        • ufmace 5 years ago

          Presuming it was him, the story would go like "I'll create a blatantly forged document that confirms a narrative that CBS wants to push and send it to them. I expect they will publish it immediately with no fact checking whatsoever, double down when called out on it, and the entire rest of the mainstream media will stick behind them."

          Now if that's the story... I'm not saying Karl Rove is an angel or anything, but this seems like he's 10% bad and CBS news and every media source that stuck behind them is 90% bad.

          • pstuart 5 years ago

            The genius of what I'm accusing him of is this: the story itself was real (Bush going AWOL; taking advantage of his father's position).

            Why not make a document that ostensibly validates that and bake in the fact that it was a forgery to be revealed so that all focus is on the forgery and not the facts that Bush shirked his service?

            It's a brilliantly devious move and exactly the type of thing Rove would do (e.g., bugging his own office and then accusing his opponent of the misdeed, etc. etc)

            https://theintercept.com/2015/10/27/george-w-bush-was-awol-b...

            https://www.seattlepi.com/local/opinion/article/Rove-s-dirty...

            • ufmace 5 years ago

              I see what you mean better now. It still strikes me as rather odd though. The AWOL story never got all that much traction in the first place. Why undertake a high-risk plan to kill a relatively minor story? Theoretically, CBS could have identified the forgery, realized someone was trying to pull a dirty trick on them, investigated the source much more closely, and went live with details of that instead of taking it at face value. Unless of course he was so confident that CBS is completely incompetent and will do absolutely anything to push their chosen narrative that he thought there really wasn't any risk at all. If he did do it and thought that, he ended up being far more right than anyone could have imagined.

              I distinctly remember the overall landscape of the time being that the mainstream media was constantly pooh-poohing bloggers and internet sources for not having the "journalistic standards" of themselves. It's quite an attention-getter to prove by their own actions that their only real journalistic standard is keeping their positions of power and promoting a preselected narrative.

              In the context of all that, it seems a little weak to whine that they were set up by a Republican dirty trickster. They had just spent the last few years claiming that they were the only news source that could be trusted because they were the only ones competent enough to properly fact-check sources exactly like that.

        • ghaff 5 years ago

          That would have been brilliant insofar as the Killian Papers pretty much blew up a legitimate news story, albeit one without quite such a visibly smoking gun. But I don't actually believe that.

          • CamperBob2 5 years ago

            Nothing out of the ordinary for people like Roger Stone or Karl Rove. That's what they did for a living for decades, and they were (are?) very good at it.

  • pjc50 5 years ago

    So, when looking at this, we have to remember that reporters aren't analysts; they're not expected to have subject-specific background and make personal judgement calls as to what the underlying truth is. If you want that you can certainly get it - for a much higher price than a newspaper. That's what firms like Gartner are for.

    Reporters to a very large extent report what sources say. Their judgement comes in considering the credibility of the source.

    In this case they got a number of "credible" but anonymous sources. What they need to do now is make a choice:

    a) burn the sources: publish the names and start investigating them and why they might have fed false information to Bloomberg. This will make it harder for them to get stories in the future, and may be considered a breach of journalistic ethics by some, but it also makes it less likely that people will try to play them like this in the future.

    b) try to find some on-the-record sources for their story.

    • dragontamer 5 years ago

      This is a case of c) Reporters were completely reckless. They bought a small 0402 decoupling capacitor, put it on a pencil tip, and then claimed that it was a chip that could hack your device.

      Any EE worth their salt knows exactly what 0402 decoupling capacitors do, and that there's no way you can hack from that angle. It has to do with where that particular chip is placed: usually on power-lines... not really signal-traces.

      The fact that all known security forces are denying the story (not just big companies like Apple... but also Homeland Security), means that the reporters likely misunderstood what their sources were trying to say. They published a bad story, exaggerating a molehill into a mountain.

      -----------

      The thing is: we all know that BMCs are very insecure. A lot of the problem is that the Bloomberg article is pointing at lol 0402 decoupling capacitors, when any security researcher worth their salt is looking at the BMC instead.

      There are too many technical details in the Bloomberg article that were outright WRONG. It's a clear-cut case of reporters misunderstanding things and focusing on the wrong thing.

      • pjc50 5 years ago

        A lot of people got hung up on the photos, but did the text actually state what they were or were they just "for illustrative purposes" like stock photos?

        • TeMPOraL 5 years ago

          I wish news services would stop placing pictures "for illustrative purposes". Either show the real thing, or don't show anything at all. Otherwise, people who aren't experts in the subject domain will have no way to determine which aspects of the picture matches reality, and will implicitly assume most of them do (the alternative, unseeing a picture, is harder).

          I know I had this problem in this particular case. I assumed the chip on the photo was real, and only learned on HN that it wasn't.

        • dragontamer 5 years ago

          The source material is still on Bloomberg's website. Look at it, it's a 0402 Decoupling Capacitor: https://www.bloomberg.com/toaster/v2/charts/85c4e100b7ab4a8b...

          The full article here: https://www.bloomberg.com/news/features/2018-10-04/the-big-h...

          -------

          As for what that thing is... it's this (or something like this): https://www.digikey.com/product-detail/en/avx-corporation/W2...

          That's an 8-pin decoupling capacitor. But there are "really" only 2-pins. The 8-pins are there to reduce resistance and inductance.

          ----------

          It's very clear what happened. One expert probably said something like "The Chinese are using small chips to hack us". And a 2nd expert said "The smallest chip I know of is the 0402 chip-capacitor".

          The reporters then combined the two expert opinions into an incorrect statement. I would NOT be surprised if the Chinese were using small chips to hack BMCs of SuperMicro (although there's no evidence of it... it would have at least been a believable story).

          But as soon as I saw the above graphic, I just WTF'd at Bloomberg. The infographic was about as misleading and WRONG as you can get.

          • kayamon 5 years ago

            It literally says, in the very picture you linked to, that the chips were built to disguise as coupling capacitors.

            • dragontamer 5 years ago

              I'm not sure if you understand my point then.

              Decoupling capacitors perform a very specific, and very easy to see function. They have two pins: C+ and C-, and the capacitor tries to keep C+ and C- at roughly the same voltage level across time. In particular, Decoupling capacitors are fully passive (non-powered) devices.

              Ex: If the C+ and C- pins are 3V (on the average), then a decoupling capacitor will help keep the voltage stay at 3V. The mechanical analogue would be a flywheel: it helps regulate the voltage and prevents voltage spikes.

              -------------

              It makes NO SENSE for a chip to disguise itself as a decoupling capacitor. There are lots of other chips that would be a better disguise. The fundamental premise and explanation is a joke to begin with.

              Like, how are you supposed to hack into a computer at the electrical level using only two pins?

              Mind you: an intelligent chip-level hacking device needs... at minimum... Power, and Ground. Bam, you already used up the two pins that a decoupling capacitor has... and you haven't even touched memory or other issues yet.

              Clearly, the reporters have gotten something wrong. I can believe that the reporters maybe have a real story here, but they are wandering into technical details that they clearly do NOT understand. Clearly, a mistake or misunderstanding is somewhere in that explanation.

              At the very least, a chip-level attacker would need... I dunno, maybe 3 or 4 pins, at the minimum. I haven't thought about it much, but it's instinctively obvious that the 2-pins of a decoupling capacitor is insufficient to do any kind of hacking.

              • mirashii 5 years ago

                > I haven't thought about it much, but it's instinctively obvious that the 2-pins of a decoupling capacitor is insufficient to do any kind of hacking.

                Your instincts seem to have deceived you. There's a top-level comment with a variety of replies that discusses a 2-pin device to snoop or modify data to an I2C device, and plenty of other literature documenting the feasibility of such devices.

                • kickopotomus 5 years ago

                  The distinction there is the type of device. Caps are not used on data lines. The parent comment is talking particularly about how the Bloomberg article kept referencing the attack vector as a disguised cap.

                  The comment that you are referring to used a 2-pin device in place of the pull-up resistor on the SDA line of an I2C bus. That does seem fascinating and I would like to read more about it but I still have a lot of reservations about real-world applications.

                  • shard 5 years ago

                    Caps can be used on data lines to filter out high frequency noise, as it forms an RC lowpass filter with the source impedance (see here for an example: https://jretest.com/understanding-data-signals/ ), although I do not know enough about motherboard design to know whether these caps are needed on any of the data lines.

                    • cbzbc 5 years ago

                      On a motherboard the data is being carried at high frequency.

    • indigochill 5 years ago

      c) report it as what it is: unsubstantiated hearsay.

      A story can be interesting and relevant but impossible to prove, and you can still report it honestly by simply making it clear what came from an anonymous source and what is verifiable fact. But it's very easy (and appears to have happened all over the place in this particular article) to cite what someone tells you as fact without making it clear you're just reporting what somebody said.

      In fact, the article in a couple of places appends "sources say" at the end of some statement, making you think you're reading a fact until you've reached the end of the sentence. Which IMHO is a "journalism anti-pattern".

      • lioeters 5 years ago

        Regarding this last point, I'd call it a "dark pattern" in journalism - it's intentionally designed to trick readers.

    • GCA10 5 years ago

      Most of the top-tier publications actually do make a point of hiring people with subject-specific expertise. I first noticed this when The New York Times' lead medical correspondent was identified as Lawrence K. Altman M.D., because he really had earned a medical degree before heading into journalism.

      In my own journalistic travels, I've worked alongside legal reporters who graduated from Harvard Law School, Wall Street reporters who earned certification as Chartered Financial Analysts, tech reporters who majored in computer science at Stanford, etc. That doesn't make them instantly right about everything. But it does mean they have the training to parse conflicting claims.

      I'm not sure about the credentials of the specific Bloomberg reporters on this one. But Bloomberg does have budget and resources to hire subject experts to report on complex subjects.

    • ohithereyou 5 years ago

      > [T]hey're not expected to have subject-specific background [...] Their judgement comes in considering the credibility of the source.

      Which they are unqualified to do if they do not have subject-specific background.

      • danso 5 years ago

        The journalist behind the Theranos expose, John Carreyrou, does not have a biomedical or startup/VC background.

        • ohithereyou 5 years ago

          Unqualified does not mean incorrect or wrong, and somebody who is unqualified can employ the services of somebody who is in order to overcome that deficiency.

  • finnthehuman 5 years ago

    >What are the consequences for Bloomberg for this incompetence?

    You, not the general concept of the reader, but you personally neya. You stop trusting Bloomberg's reporting. That's the consequence. Their reputation suffers.

    Why do threads like this on HN always have such a desire for retribution?

    • bob_theslob646 5 years ago

      Their reporters are compensated based off of whether or not they move markets.

      Did you know that?

      (https://www.businessinsider.com/bloomberg-reporters-compensa...)

      • daveFNbuck 5 years ago

        If people stop trusting their stories, they won't move markets.

      • admax88q 5 years ago

        That doesn't seem like a bad goal. It incentivizes stories that are important to their target market, and provides an easy way to measure that.

        • sosborn 5 years ago

          > That doesn't seem like a bad goal.

          Like most sales goals, it seems reasonable. And then you remember that when it comes to pay, some people will do anything.

        • atoav 5 years ago

          The thing is – if you have such an incentive and you are faced with the choice between reporting a boring truth or a spiced up lie, you will go for the latter. And that has nothing to do with journalism anymore.

          It _could_ work – if the editors are especially on the hunt for bogus stories.

          • occamrazor 5 years ago

            This was the opening story on their homepage. There is no way the editors (and the legal department) did not scrutinize it thoroughly.

            • tertius 5 years ago

              Just because it passes legal muster doesn't mean it's ethical. And I think that's one of the things that people are calling for.

      • Angostura 5 years ago

        It's a shame Bloomberg isn't public. The retraction could earn someone a big bonus.

      • hopler 5 years ago

        Unless their reporters are trading stocks of stories they cover, that's a non-issue.

        • jerf 5 years ago

          The reason trading on stocks they cover is bad is that it creates an incentive to create news that may not be true to move the market, thus indirectly rewarding them with financial benefit.

          The policy of rewarding them for moving the market simply removes the intervening steps and directly rewards them.

          In concept, this only makes it worse. How much worse depends on how compensated they are, which I don't know. (e.g., if the bonus is $50 and your boss buys you a latte the next morning, it's not really that big a deal, vs. if it's $25,000 and everyone knows it's a fast track to promotions it's a pretty significant problem)

        • Angostura 5 years ago

          I can see how it incentivises sensationalism though. I was a tech magazine editor. I did my utmost to check the veracity of stories. I would have hated to think that my journalists were being incentivised to exaggerate.

    • scottlocklin 5 years ago

      > Why do threads like this on HN always have such a desire for retribution?

      I, personally, am sick of being lied to. Single source reportage violates journalism 101; they really should suffer some consequences, just as someone should pay for the 2008 bubble, the Iraq war (Bill Kristol ... finally losing one of his platforms) and any number of other examples of the managerial class' screw ups from the last 20 years.

    • MagnumOpus 5 years ago

      Hundreds of locked-in AAPL shareholders who react with venom to anyone perceived to be hurting their financial performance, irrespective of truth or morality. (Same is true for FB and GOOG.)

    • ekianjo 5 years ago

      > Why do threads like this on HN always have such a desire for retribution?

      Let's say the Bloomberg article incurred 50% loss of revenues after it was published for Super Micro. (just making up numbers for the sake of the argument). Following this, Super Micro would have to scale down their operations and potentially fire people.

      That's just the same thing as sending a DMCA request on Youtube for something that is someone's own work. Currently it's "free" to do so, but don't you think there should be consequences in destroying someone else's business / reputation / work? How would you feel if it happened to you?

      • kllrnohj 5 years ago

        Bloomberg has no intrinsic power over the revenue of Super Micro. They only have that influence because people trust them. People only trust them because their reports tend to be trustworthy.

        False reports harm Bloomberg, as it erodes their trustworthiness and trustworthiness is very nearly their only actual value/product. False reporting is inherently its own repercussion/consequence here.

        This is different from DMCA as that has power granted to it by law, not by inherent trust. DMCA does also have consequences for fake claims, so it's a false equivalency here anyway.

      • User9991 5 years ago

        >Let's say the Bloomberg article incurred 50% loss of revenues after it was published for Super Micro.

        Except none of this happened, so it's a straw man.

        And if it did, and SM were damaged, they would sue. That's how the justice system works.

    • tertius 5 years ago

      > Why do threads like this on HN always have such a desire for retribution?

      Seeing a situation where one person/group does something that negatively affects another group without consequence tends to have this emotional response from emotionally healthy individuals.

      Where do you see a problem with this type of response?

      • voidmain 5 years ago

        > Where do you see a problem with this type of response?

        "It is impractical because it is a descending spiral ending in destruction for all. The old law of an eye for an eye leaves everyone blind."

        • tertius 5 years ago

          Or maybe a start to the democratic process to encourage lawmakers to discover nuance and legislate.

          Or maybe a good place for someone with knowledge to show why it's a bad idea and what the arguments are that have been struggled with.

          One person getting irked because another happily destroys reputation without any consequence is natural. Reputation is too important.

          A single person wanting to see consequence does not create a mob that firebombs their offices.

          • maemilius 5 years ago

            I feel like there's an argument to be made that every firebombing mob started with a single person wishing some consequence.

            An idea has to start somewhere.

            • tertius 5 years ago

              Well yes.

              But that doesn't mean we should outlaw speech... Because speech leads to good things a lot more often than firebombing mobs.

              Those people we can put in jail. Only those.

              The rest are helpful or neutral, even if you don't agree with them. Democracy (in any form) grows stronger with dissent/speech.

  • Symmetry 5 years ago

    It apparently wasn't the first time these reporters had gone off the rails.[1]

    [1]https://twitter.com/RobertMLee/status/1049617855396933632

    • albedoa 5 years ago

      One was also the author of the fake NSA Heartbleed exploit story, which Bloomberg stood by: https://twitter.com/nicoleperlroth/status/104901890298483507...

      • Karunamon 5 years ago

        So why are we giving these reporters the time of day, then? They've demonstrably published crap and not retracted it. That reduces their credibility to nil in my mind.

      • paganel 5 years ago

        Any good sources on the NSA Heartbleed exploit story? A very quick search only gives me he said (Bloomberg) - he said (NSA) stories.

  • rincebrain 5 years ago

    I believe the current line there, at least in the US, is whether they knowingly ran factually inaccurate information.

    Given their doubling down, unless we assume they somehow didn't ask their legal department, I would bet they have enough sources for the information that they think they're not at risk of being prosecuted for libel or slander.

    • seanmcdirmid 5 years ago

      The bar for libel and slander is very high. I also think it’s civil and not criminal, so there would be no prosecution in any case, they would just get sued.

  • ksec 5 years ago

    SuperMicro, Apple, Amazon, and others could sue Bloomberg.

    But they didn't.

    I guess if you sue every news outlet for Rumours then Apple would be basically suing everyone. My problem is, why Apple and Amazon have such a "restrained" action to Bloomberg. Maybe the story isn't true, but something does smell fishy to me.

    • hopler 5 years ago

      Apple isn't going to win a libel case because some source lied or made a mistake, and calling more attention to it is bad PR. It's extremely unlikely that Bloomberg team did this with malicious lies.

    • matwood 5 years ago

      > But they didn't.

      Yet.

      All 3 have issued firm denials rarely given from companies today. I don't think any of them have been restrained at all.

    • macintux 5 years ago

      This is the same logic Musk applied to “pedo guy” and it was just as ridiculous then. A lack of legal action is in no way an admission that the story was accurate.

      • ksec 5 years ago

        Accusing two Trillion dollar companies with allegations on a national security level from a reasonably respected Business Journal is not the same as Musk calling another guy pedo.

        Although I do agree A lack of legal action is in no way an admission that the story was accurate, I just thought they should do something more.

  • lmilcin 5 years ago

    I believe freedom of speech and press is one thing but when you present serious and very specific allegations you should be able to back them up with comparably serious and specific proofs ("extraordinary claims require extraordinary evidence"). Otherwise we are crossing the boundary between fact and fiction.

    The way Bloomberg presented it in the article is as if they had the entire story backed by facts. That was my takeaway; they sounded pretty sure, save for presenting the evidence. Now, what do you do if the press outright misrepresents the facts and presents a fictional story as if it was entirely factual?

  • TomMckenny 5 years ago

    Any individual merely accused of a salacious crime has his face spread all over the evening news just to pump ratings. Guilt, innocence, evidence or trial outcome are utterly irrelevant. So it's quite widespread.

    Of course the power dynamic between an ordinary joe and broadcasters is far different than between large corporations and broadcasters. This and worries around sponsors means there is already considerable self censorship when criticizing the latter. But I would not be surprised if industry lobbyists ultimately craft legislation to allow the former while preventing the latter through some high bar liability laws in such a way that they get five already sympathetic SCOTUS justices to sign on.

  • blueboo 5 years ago

    Why does there need to be something more? Do you trust Bloomberg the same amount you did before the story was published? Are you buying just as many Businessweeks as before?

    Are you sure it isn't Bloomberg who was misled? Is that more or less likely than a billion dollar company declining to confirm a story that would cost them hugely? In lieu of proof either way, what punishment do you think is just -- and for whom?

  • jjcc 5 years ago

    I personally think the reward system related to current human evolution punishes blunt liars, but rewards "Lie Lie" tellers.

    A "Lie" is something that is easy to falsify with consensus.

    A "Lie Lie" is not a lie but a statement intended to mislead people, difficult to get caught, easy to find a lot of lie believers to defend, eventually make a technical evidence based debate into a religious belief based debate. It's a lie about lie or a decoration upon a "lie" so the "lie" can not be categorized as a lie.

    There are signatures of "Lie Lie":

    * Claim there's a proof instead of providing the proof. Actually, any claimed proof often is not a proof but just the claimers' belief.

    * The claims are mixed topics, some legitimate and defendable possibility along with something that really happened. In simple words, mix truth with lie so later they can defend the truth topics.

    * When they give proof, they will provide the one that there are less controversial topics but not the needed ones.

    * Shift the focus to defendable topics so the undefendable part (i.e. belief based part)

    * Usually attached with moral high grounded good cause such as "raised the public awareness of threat from an oppressive regime" just as an example, so the "Lie Lie" teller can convince themselves and their friends, coworkers the claimers are decent people.

    * The claimers themselves believe the claims so they can claim they are not lying but they don't think they are using deceptive narratives to sell their beliefs.

    Most activists are "Lie Lie" tellers. The problem of our society is a lot of journalists become activists involved into ideological fight but pretend they are providing truth.

  • tomphoolery 5 years ago

    > What are the consequences for Bloomberg for this incompetence? I mean, there needs to be something..

    Hah! What makes you think they should be accountable after we elected a President on the basis of fake news stories?

  • vkou 5 years ago

    > Let's say Super Micro is right and there were no malicious hardware at all for sure. What are the consequences for Bloomberg for this incompetence? I mean, there needs to be something..

    What are the consequences for a public figure deliberately lying?

    What about accidentally lying? What if they are a private figure?

    If we're going to have consequences for this sort of stuff, we'd need to lock up most of the people in government, and the employees of every single PR department.

  • pwthornton 5 years ago

    It's difficult to sue a news organization, but you can sue them for false reporting if you prove two things A) actual malice occurred and B) you suffered economic damages.

    If companies didn't lose money over this report, this is pretty moot. It's just embarrassing for Bloomberg.

    If companies did lose money, the next step is proving that they knowingly went with a poorly-sourced story. That would require discovery, which may be fruitful.

  • onetimemanytime 5 years ago

    What if there is some truth to such/similar allegations and Bloomberg knows that SunMicro would never sue, discovery and all? If during discovery it is shown that SunMicro dropped the ball 7 years or 5 months ago, it's no good news for their stockholders.

  • BooneJS 5 years ago

    I presume Bloomberg will release their raw data and pay for the audit. I’ve been wrong before.

  • duxup 5 years ago

    I think it is possible to have enough information to run a story, but still be wrong, and a "my bad" can suffice.

    Now how that plays out and where that line is, have at that debate until the end of time.

  • mtw 5 years ago

    Write that you do not trust Bloomberg on twitter/facebook/linkedin. If you have a blog, write about it. I am going to.

    Also read NYTimes or another news source instead of Bloomberg.

  • porpoisely 5 years ago

    I doubt anything will happen to Bloomberg. If the journalists are found to have fabricated the story, they will probably be let go. Even if Bloomberg was to suffer financially or legally, some billionaire or company would bail or buy them out like what happened with Rolling Stone or WashingtonPost in the past few years. Well Bloomberg wouldn't even need outside help since their owner and namesake is one of the wealthiest men in the world. These large news companies are pretty much untouchable since they are viewed as systematically important and are backed by the wealthy class.

  • boznz 5 years ago

    That's all the shorts were doing to Tesla.. create fake news to affect the stock price.. what's the difference? (Serious question)

  • coliveira 5 years ago

    Using the press to manipulate stock prices has been the standard practice for as long as these two institutions exist. You can go way back to the last years of the 19th century and will find that there was already a thriving business going on between stock manipulators and the press.

  • tanilama 5 years ago

    Nothing. The public had already forgotten this matter.

  • onemoresoop 5 years ago

    "It's capitalism, let's all compete. But wait, if you're getting better than me you're the enemy. " It goes both ways. US Capitalism vs meets Chinese Capitalism with C.

    Does anyone pay attention to the media in China? It's an equally bad actor.

    Now seriously, Bloomberg lost a lot of credibility publishing this. Let's see if they say anything about it in the coming days.

  • vertline3 5 years ago

    If they are wrong about this, they can be wrong about anything.

    Gell-Mann Amnesia Effect.

    • jancsika 5 years ago

      You've been identified by Napier's "Black Rooster."

      In order to figure out which servant was stealing from him, Napier instructed each to go in the shed and pet a magic rooster that he claimed could reveal to him who the thief was. In reality, Napier covered the rooster in soot. Thus he could identify the culprit-- it was the only servant who exited the shed without soot on their hands.

      Here, you correctly applied one sense of the Gell-Mann amnesia effect-- a novelist's speculation about experts' inability/refusal to generalize their criticism of a news item within their field to the entire newspaper that contains it. In practice, however, "Gell-Mann amnesia effect" is a gambit that giving a proper name to rank speculation will cause the speculation to propagate as if it were an insight gleaned from a robust research project. If you had understood that part you would have used the rank speculation only as an entry point for a comment that provided greater insight (or at least further rank speculation), rather than an insightful phenomenon unto itself.

      Edit: In other words, you've emerged from the shed without anything other than someone's rank speculation masquerading as research. This makes it clear you've fallen for the 2nd-order effect of the term.

      Also be wary of: Overton window

      • vertline3 5 years ago

        By saying I did not pet the rooster you are saying that I misapplied it in a way that was lying. This is odious. They published a story not considering the feasibility of it. People who knew better called them out.

        Crichton himself noted the irony of it by using the famous name to attach greater importance to it. Yet he noted it is true that we will quickly forget when reading other stories and himself has called for turning away from media.

        Finally Overton's Window for me is about framing debate and can be applied over broad areas.

      • meowface 5 years ago

        I agree with your point, but that seems like a really weird and strained analogy.

  • User9991 5 years ago

    > If Bloomberg's story was false, they shouldn't just walk away like that because "it's the free press".

    So failure is fine, as long as it's Silicon Valley.

    Imagine what the world would be like if journalists investigating stories had to be 110% certain of their work? That if someone said, "that's not true" they'd have to ditch the story altogether?

    This controversy, and the aftermath (which isn't over, hence it's in the news today) sounds like "working as intended".

    > This had real implications on stock prices of so many companies

    Can you provide some references of the "so many" companies that were affected by this? What do you suggest as punishment?

  • reasonablemann 5 years ago

    What were the consequences of running bitcoin stories as the bubble peaked? A couple rich journalists no doubt.

  • mtgx 5 years ago

    The companies/shareholders being affected by this are free to sue the paper over defamation.

    Something tells me they won't.

    • makomk 5 years ago

      They're free to sue the paper, but it'd be futile because the standard for such lawsuits to succeed in the US basically requires Bloomberg to have known that the claims were false. Just (say) completely ignoring normal journalistic practices to get a juicy scoop would not be enough.

      • wl 5 years ago

        Well, Rolling Stone settled over the UVA rape story. Then again, that settlement is rather small in the grand scheme of things. Given the nature of the case, maybe it was cheaper than going to trial.

        https://www.nytimes.com/2017/06/13/business/media/rape-uva-r...

        Edit: I forgot about this case, where they lost at trial. https://www.nytimes.com/2016/11/08/business/media/in-rolling...

        • makomk 5 years ago

          As I recall, Rolling Stone got done on a (somewhat dubious) technicality - the jury decided that them adding the disclaimer counted as republishing the article after they knew it was false. If it wasn't for that they'd most likely have got away with it despite all the astoundingly bad reporting.

      • devy 5 years ago

        > They're free to sue the paper, but it'd be futile because the standard for such lawsuits to succeed in the US

        Not sure about whether Bloomberg was knowingly publishing false stories. But lawsuits causing media to bankrupt have precedence before - Gawker Media, that was.

    • FerretFred 5 years ago

      Maybe Super Micro could demand a full-page retraction, just to put the record straight in public. Either that or Super Micro could sue them for $1 just to get a point across. If Bloomberg were wrong they need to admit it.

  • chx 5 years ago

    Nothing. I was downvoted to oblivion less than a week when I said Bloomberg is over and Hackernews should embargo them and people shouldn't click them. Edit: and the downvote brigade is here again, downvoting and not giving a word of explanation. Are you paid by Bloomberg?

    • michaelmrose 5 years ago

      I downvote people that whine about downvoting. I downvote people who accuse everyone who disagrees with them of being shills.

      Aside from this I consider "Bloomberg is over" a gross exaggeration.

      Furthermore one mistake if mistake it is doesn't justify banning that publication from hacker news.

      Furthermore who are you to be talking about banning anyone from this site in any case.

      You get lots of down votes because there are so many reasons to downvote this post not because of some conspiracy.

  • crunchlibrarian 5 years ago

    When the state department tells you to write a story you write the story, or face the real prospect of the end of access which will be the end of your journalism career. Not an ideal system for anyone, except the state department.

    • jerf 5 years ago

      As I've now said multiple times and I've not seen anyone argue against very strongly at all, there is no reason to believe this was a government-pushed story, because there are plenty of equally bad or worse things that are known to be true that could easily have been used instead. There are abundant examples of corporate and governmental espionage of this sort, in all directions. Indeed, when the article was first posted, many HN posters were skeptical precisely because they could name two or three much better ways to do it, some provided examples, and some told stories of having found these better examples already in the field.

      And because if it had been a government push, it would have been accompanied by a government PR push on other fronts. But I saw no evidence the government picked up this story in particular, or even hardly referenced it. Being now months later we can also observe the government has not lifted a finger to substantiate this storyline or pull Bloomberg's bacon out of the increasingly hot fire.

      The theory that this was government-pushed falls down on the ground that even if the government or some aspect of it wanted to push this narrative, this is not even remotely their best choice on how to do it.

    • Symmetry 5 years ago

      Something like that happening would be an even juicier story than the one they published. I totally buy that some people in the government lied to some credulous reporters to get a false story they wanted out there. But there are tons of reporters out there, some of them are easy to trick, and leaning on reporters is likely to trigger their Woodward and Bernstein fantasies and result in some huge blowback. I'm not going to say that I find the level of incompetence you're assigning impossible, just that I find it unlikely.

    • noselasd 5 years ago

      Anything to back that up ?

      • jessaustin 5 years ago

        Oh sure, that's what we need backup for, some random comment on a social news site. Not some hardware firm's claims that they haven't been hacked, nor some news media firm's claims that they were.

        • noselasd 5 years ago

          Just because bloomberg hasn't backed up their story yet doesn't mean this claim is off the hook too.

        • Karunamon 5 years ago

          Your snark aside, Bloomberg made these claims, it's on them to back it up. Not the other way around. So far, not a single fact has surfaced that lends those claims any credence.

          • jessaustin 5 years ago

            I personally have learned more about the supply chain for various big tech firms. I have learned that something like what the original story described is possible, in that USA-based firms have no reliable way to prevent such hacking. That doesn't mean I believe Bloomberg's version, but then again I rarely do. I'm just not in such a hurry to believe SuperMicro's version either... We don't have to act as if we know what really happened. I don't see why anyone would be so sure that GP's speculation above about the State Department is unfounded either.

            • Karunamon 5 years ago

              The general case of hardware being backdoored is believable, but the problems come down to, not just the lack of any kind of corroborating evidence, but the nature of these specific claims themselves having some hard-to-believe holes in them.

              https://www.servethehome.com/investigating-implausible-bloom...

              Basic informational hygiene is that the claim is garbage until proven otherwise, "credibility" notwithstanding. There is not only not a single positive reason to believe this story, there is mounting evidence that it should not be believed.

              • jessaustin 5 years ago

                Haha, "credibility". A thing which does not exist.

                Seriously, though, it seems that your idea of "basic informational hygiene" conflicts with a basic security posture in this case. We don't have to assume Super Micro has never been hacked, so I don't know why we would assume that. More in keeping with the topic of this thread, we don't have to assume the State Department (or whoever) has never caused a story to be published or discredited, so I don't know why we would assume that.

                • Karunamon 5 years ago

                  Hence the scare quotes :)

                  We're on the internet, a medium in which information can be trivially exchanged. Easily-defeated heuristics like "authority" and "credibility" are meaningless, if not harmful, when individual claims can (and should!) be evaluated on their own merits.

                  Basic security posture, sure, but nobody's arguing that we should change that and pretend that Supermicro is completely safe. Nothing is ever completely safe.

                  ..but we're talking about a very specific claim which already has a number of gaping holes blown into it.

    • danso 5 years ago

      These reporters cover tech and ostensibly do not need access to the State Department. Never mind the fact that the reporters who do cover the State Dept still enjoy access despite continuing to publish unflattering stories about the govt.

stupidbird 5 years ago

There has to be more to this story that we don't know. Bloomberg has a lot to lose by publishing such a harsh claim that's not extremely fact-checked. Reliable newspapers generally don't throw around anonymous government sources without doing background checks on these people. I have little doubt that they got the information from who they say they did.

At this point I wonder if they should stop protecting their sources on this story and see if that shakes out any truth.

The problem with that is of course that it erodes trust for future sources, and potentially puts these sources at personal risk. But if not doing so starts putting the entire publication into question, that might be a risk they have to take.

  • admax88q 5 years ago

    > At this point I wonder if they should stop protecting their sources on this story and see if that shakes out any truth.

    That would be a mistake. Don't just throw your sources to the wolves if you couldn't prove their story.

    They should press their sources for proof, or stronger evidence. If they can't find any then they should issue a retraction.

    • crispyambulance 5 years ago

      They "should have" pressed the sources for hard proof, or found examples in the wild of adulterated servers before publishing the story. That ship has sailed, of course.

      But if what was reported was actually true the best thing that can happen now, for Bloomberg and the public, is for their sources to step forward voluntarily with proof.

      Admittedly, that will take a lot of courage in today's political climate, but if it's not all just bullshit, highly principled people may do it.

      What I would like to know is what the Bloomberg reporters expected would happen as a result of this story?? Did they think Supermicro and Apple would just admit it? Then what?

      • lupire 5 years ago

        If the sources are willing to step forward now, why wouldn't they before?

        Sometimes the reason for reporting evidence you have is to motivate other people to display evidence they have but don't know was interesting or useful until they saw your story. That's why so often a single public allegation leads to an avalanche of similar allegations.

      • exoesquitur 5 years ago

        If this is actually a thing, it's probably 5 eyes that has the most invested in the tech.

        (Waves hands and puts on tinfoil hat)

        Check mate, atheists.

    • e12e 5 years ago

      You might, if you can with certainty say: oh, look, this was a propaganda op by these agents of this TLA.

    • stupidbird 5 years ago

      Yeah that's fair, and an avenue they should take first.

    • sixothree 5 years ago

      I would love to see a board in hand.

  • krn 5 years ago

    Even if Bloomberg's story is completely true, Apple / Amazon / Super Micro might have no other choice, but to firmly deny it. Because in that case, it's United States vs. China, not just some publisher vs. a few publicly traded companies. When national security interests and international relationships between two largest economies in the world are at stake, it's not Tim Cook or Jeff Bezos, who get to decide, what can be publicly shared, and what cannot.

    • aljones 5 years ago

      You're claiming they can be compelled to lie.

      • krn 5 years ago

        If the story was true, only a few people in each company would have been aware of these vulnerabilities, and they might not have been allowed to talk to anyone about them by FBI. Then, even if others were informed, they would have to pretend, that they were not.

        • scarcely 5 years ago

          same can be said for "bush did 911" lmao

      • stupidbird 5 years ago

        If it's a national security risk they might not have needed to be compelled to lie at all, but decided to do so themselves. This would be big enough to damage their entire supply chain if they did publicly verify it as truth.

        • aljones 5 years ago

          You're claiming they'd commit fraud.

          • stupidbird 5 years ago

            who would prosecute them for it if it is national security related?

      • garmaine 5 years ago

        Welcome to reality. National interests trump freedoms.

    • foxX 5 years ago

      > it's not Tim Cook or Jeff Bezos, who get to decide

      But who is, John Doe who dies on a grenade?

      • krn 5 years ago

        The national security adviser to the president of the United States is the one, who would have to deal with this publicly, if such information was confirmed by some of largest companies in the US. And he might as well prefer to deal with it privately, if it was true.

    • lawnchair_larry 5 years ago

      Not correct. Instead of denying it, they could either confirm it, or non-denial deny it. They would not knowingly issue specific and categorical denials that are lies.

      • krn 5 years ago

        In the cases as this, if you don't firmly deny everything, you basically confirm that it's true. And people responsible for issuing categorical denials might have had no awareness of any vulnerabilities, even if they actually existed.

  • ATsch 5 years ago

    I don't see why people discard the scenario where both the sources and supermicro are right, but there's been a misunderstanding.

    This could happen, for example, with a tabletop exercise. I know the military does these, so it's not unlikely the CIA does them too. The CIA dreamt up a scenario where a US company's hardware was compromised by China, and simulated their response for training. Since it's just an exercise, it obviously wasn't as secret, so employees would have probably not feared to talk about it loudly at e.g. lunch break. Someone overhears it, runs to Bloomberg and we have the situation we have now.

    Not the only scenario, but something along these lines is my theory.

  • afarah 5 years ago

    > Reliable newspapers generally don't throw around anonymous government sources

    Huh...

assblaster 5 years ago

The question I have is: is it possible that there was such an incredible threat to national security that even an auditor could be convinced by a federal agency to give a false report?

If it really didn't happen, how could a reputable news agency get a report so wrong? What exactly is going on here?

  • scarhill 5 years ago

    WRT the how could they get it so wrong question, I guess it's time for the obligatory link to Michael Crichton's essay "Why Speculate?" and his discussion of the "Murray Gell-Mann Amnesia Effect" [1]

    Money quote: "You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them.

    "In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know."

    1 - http://larvatus.com/michael-crichton-why-speculate/

    • Symmetry 5 years ago

      There really are some publications where you can read an article on a topic you're familiar with and they get it right. For instance I have a subscription to The Economist and sometimes their coverage is a bit shallow. And sometimes it repeats an expert consensus I disagree with. But most of the time the coverage is as good as it can be in the number of paragraphs allotted and sometimes it's downright excellent[1]. You probably have to actually pay money for high quality reporting.

      [1]https://www.economist.com/briefing/2018/12/01/the-semiconduc...

      • ghaff 5 years ago

        And I’m guessing a lot of people here conflate simplifying for a mainstream audience as getting it wrong because they’ve omitted a lot of details.

        Mind you, simplifying with a degree of accuracy is difficult and top writers like those with the Economist do it better than most. With tech stuff, I find more poor and incomplete explanations than I do outright errors. Mind you, back when I provided commentary for a lot of news stories, there were some reporters I always dreaded calls from because I knew steering them in the right direction was going to take an hour out of my life.

      • garmaine 5 years ago

        Funny I’ve had the opposite experience with the economist. Whenever they touch my area of expertise they demonstrate their substantial ignorance and inability to fact check even the simplest things.

      • gdy 5 years ago

        Except for almost any article about Russia.

      • Spooky23 5 years ago

        The Economist is good, but tiring. They are sort of like an old school “chamber of commerce” republican version of NPR.

        The writing is good and interesting, until you read for a year and realize that formula is pretty much the same, and you can predict the arc of the article after reading a paragraph.

      • kingofpandora 5 years ago

        Just don't try to cancel your subscription ... Suddenly they become impossible to communicate with.

    • hannasanarion 5 years ago

      Not that Michael Crichton should be treated as an authority on truth in reporting. He believed there was a vast worldwide conspiracy to defraud poor innocent oil companies by manufacturing evidence of global warming.

    • dkonofalski 5 years ago

      AKA the Reddit Effect. Everyone on Reddit posts as if they know what they're talking about when, in reality, they only have a cursory knowledge of it and yet the entire site is somehow treated as a curated collection of high-quality, factual information.

      • malshe 5 years ago

        This is right! I think there is another, perhaps unrelated Reddit effect. Blogs and some news sites pick up on Reddit and then feed them what they know will be popular on Reddit. The cycle continues. That's why Reddit is so good for astroturfing.

      • garmaine 5 years ago

        Don’t think HN is any different.

        • dkonofalski 5 years ago

          For whatever reason, HN is different to me because, when discussions center around the things that I actually have expertise in, the information tends to be mostly correct. Every now and then some nonsense slips in but, for the most part, keeping people from being able to downvote and upvote everything eventually leads to a pretty informed view of whatever the topic is. Even in instances where I disagree with something, there's usually a well-reasoned response that includes some support whereas, with Reddit, it's just a bunch of unfounded statements with no backup whatsoever.

          • garmaine 5 years ago

            HN is generally correct about established computer science and tech stuff. Anything frontier or controversial (e.g. bitcoin) or outside the narrow domain of typical Silicon Valley startups gets the exact same ignorant herd response. The point is that when the topic aligns with the expertise of the community you get quality, whereas when the topic varies you get ignorance and BS spoken just as authoritatively. Always be aware of the latter outcome!

            • dkonofalski 5 years ago

              Good point. I think it's probably the case when a community is self-selected vs. when it's open for anyone to both create and contribute.

      • jcranberry 5 years ago

        I saw AskHistorians and thought that it was exactly that. I thought I would put together a small collection of subreddits that produce similar quality content. Little did I know that the rest of the website is memes and the same flavor-of-the-month jokes recycled on every post...

    • Wowfunhappy 5 years ago

      I would expect newspapers to be more knowledgeable about politics and international relations than scientific topics like physics. The latter is too broad a category, the former is usually the paper's primary focus.

      • hopler 5 years ago

        Politics and International relations are opinion fields, not fact fields. It's impossible to be wrong about things that are impossible to falsify.

        • ufmace 5 years ago

          I wouldn't quite say that. Some aspects are opinions, but there's plenty of facts. Such as "House Reps A and B are cooperating on a bill regarding X" - that's a fact. What your position on X is, whether the bill is a good or bad idea, and why A and B are cooperating on it are opinions.

    • ghostly_s 5 years ago

      To be clear, this is not an actual 'effect' that anyone has done any research on to demonstrate it exists or has real implications. It's just something that some pop-science writer idly speculated about once, so I question why you would introduce it into this discussion.

    • suls 5 years ago

      Brilliant. Thanks for sharing this.

  • entity345 5 years ago

    An auditor would not have found anything because the alleged attack occurred several years ago and would most likely have been targeted at a limited number of boards, which would have been seized a long time ago.

    The result of this audit does not inform about anything related to the allegations published by Bloomberg.

    I think it's more about re-building confidence by showing that Supermicro products on sale now can be trusted.

  • majia 5 years ago

    It's rather easy for someone to mislead a BP reporter who understands little about the technical details but is very eager to publish something shocking.

    The reporter may have emailed a few dozen security researchers to verify the story, but those who don't believe in the story are less likely to reply (and the reporter is more likely to ignore them), leading to a sampling bias.

    • joshstrange 5 years ago

      And/or the people who did reply gave a response of something along the lines of “It's technically possible but...” and the author ignored everything after the but.

      • SCHiM 5 years ago

        I see how this could have happened yes. Especially if the reporter was not clear on the angle of the questions.

        It's easy to see how security researchers could go off on a tangent about the insecurities of IPMI and other out of band management systems. Which'd sound like an endorsement to the reporter.

        Who knows what really happened.

      • ghaff 5 years ago

        TBH if you’re talking to a reporter, that’s a bad way to answer a question. “It’s technically possible” is the sort of sound bite someone will grab while ignoring the 5 minute spiel on IPMI and bus interfaces etc. that follows. Be very careful about giving short quotable statements in plain English that you don’t want to see in print.

        • joshstrange 5 years ago

          That's fair, I think it's also fair to point out that the people with the technical know-how about these things aren't often talked to by the press. I mean how many stories do you see about hardware tampering like this? They might not be very well versed in how to communicate with them. Also I know that I have a tendency to enjoy talking through possibilities and scenarios and so could see myself (I'm not a hardware or security expert at all but the points stands) discussing at length how such a thing COULD work and just being excited to talk about a field I am well versed in. A reporter could then take that as my signing off on that it DID happen.

          • ghaff 5 years ago

            It’s definitely a skill. I’ve caught myself saying something juicy that was off on a tangent or a bit misleading. Usually I’ll realize it and ask the reporter not to use it and they’ll honor that.

            But, yes, even reporters that you know want to write a story that will be interesting to readers. As a source, feel free to provide educational background but be really careful about speculating about things if you don’t want that speculation in print.

            An on the record conversation isn’t the same as an informal background chat with the same person over drinks. And I’m a bit careful even then.

      • hopler 5 years ago

        What would go after the but? Third parties don't know whether a board was exploited.

        • joshstrange 5 years ago

          "but unless I was able to inspect the board I wouldn't believe it's happening"

          "but that kind of attack has never been seen in the wild and is highly unlikely"

          "but large tech companies have teams that vet the hardware they use on a unit by unit basis and would notice something like that"

  • chipotle_coyote 5 years ago

    The problem with this line of reasoning -- "how do we know that each denial isn't just a sign of more coercion from powerful forces" -- isn't that it's impossible. It's that it's unfalsifiable.

    I got into a brief argument in comments here not too long ago about the saying "you can't prove a negative" which got bogged down in (what I considered to be) pedantic semantics; what we mean in practice is this kind of "negative." Instead of the conspiracy-minded folks providing proof that powerful, shadowy forces have come out in force against Bloomberg to discredit and suppress their reporting on an actual national security incident, they're demanding that skeptics prove that they haven't. And how can we do this? The complete lack of evidence for this happening might just mean that the shadowy, powerful forces are really good at hiding their tracks. We can posit that if they were really that powerful, they'd have suppressed the original reporting, but we can't prove that Bloomberg didn't just get lucky, or that their diligent, plucky reporters didn't somehow catch the Deep State off-guard for just a moment. We can point out that generally when we see this kind of story, other reporters in other organizations would have corroborated and even expanded the story by now, and that other reporters have said that they've tried and failed to do so. But that might mean the conspiracy is covering their tracks. That they've got to them. That the rest of the journalistic world is IN ON THE CONSPIRACY, MAN.

    But it's also possible that the reason it increasingly looks like Bloomberg got played is that, well, Bloomberg got played. Like a cigar, sometimes a bad article is just a bad article.

  • sschueller 5 years ago

    The media falls for bullshit all the time, Weapons of mass destruction, incubator babies in Kuwait, etc. They are in the business of making money and not getting the story right and since there are hardly any consequences for them why would they care?

    Bloomberg here will blame its source and take no responsibility.

    • wklauss 5 years ago

      > They are in the business of making money and not getting the story right

      All businesses are "in the business of making money", that's what being a business is. What sets them apart is how they make it. In the case of media companies is, precisely, by getting the story right. A publisher that doesn't is more likely to lose influence and readership as time goes by. For a publication like Bloomberg, more so.

      So yeah, they do care. That doesn't mean they don't fall for scams or bad reporting. They do, but it's in their best interest not to do so. In this case, I'm sure Bloomberg is already frantically calling all the reporter sources. They should have done it before the piece was published, sure, and they'll sure blame the reporter and the sources, but I think it's disingenuous to think they just shrug these things off.

      • usefulcat 5 years ago

        > In the case of media companies is, precisely, by getting the story right.

        Strongly disagree. Media companies make money by publishing stories that people want to hear about.

      • gdy 5 years ago

        "In the case of media companies is, precisely, by getting the story right."

        Almost any article about Russia is a counter example to this.

      • AsyncAwait 5 years ago

        > What sets them apart is how they make it. In the case of media companies is, precisely, by getting the story right.

        Ideally yes, but nowadays it seems to be rather by getting the story framed exactly as their corporate owner wants them to frame it.

        Yes, they'll slowly lose credibility and in fact that is happening, but the process takes decades and is not likely to affect current reporters, if they lied in service of the status quo.

    • spac 5 years ago

      Bloomberg makes money (a lot of!) from selling terminals, not news. There is literally no point in losing credibility on a story like this. Credible third-party information is the core of the business model and the news department takes that very seriously.

    • stupidbird 5 years ago

      If newspapers were in it for the money they wouldn't be newspapers. It's not an incredibly lucrative business.

      • usefulcat 5 years ago

        Correlation != causation. The fact that most newspapers aren't lucrative doesn't mean they don't value profit.

        • spac 5 years ago

          Bloomberg News is not a newspaper. The company makes money from selling terminals not news (although the terminal contains news, but it's easy to see that sensationalism is not what the customers pay for).

          • usefulcat 5 years ago

            No one had to pay to read the SuperMicro story (the original one that started all this).

        • stupidbird 5 years ago

          Sure, but they let everyone read this specific story for free. They could have easily kept it behind their paywall.

          Overall Bloomberg as a company does not sustain itself on news revenue.

  • pmorici 5 years ago

    I think the most likely explanation is that Bloomberg got played by the sources who perhaps wanted to trade on the price action the story would obviously cause.

    We don't really know anything about Bloomberg's sources; we do know the nature of all the parties denying any of this is true.

    • cm2187 5 years ago

      I find that highly unlikely. Since Supermicro was kicked out of the NASDAQ, I would expect their trading to be much thinner. It would be trivial for regulators to spot some inside trades. And if the sources are indeed intelligence officials, I'd expect their financials to be under special scrutiny.

      • asdff 5 years ago

        Everyone named in the article took a price hit that week. If you knew this article was coming you'd be well positioned for easy profit.

      • newaccoutnas 5 years ago

        It wasn't only Supermicro that took a hit but also any company using their products (AWS etc)

    • jakobegger 5 years ago

      Nope. The only named source in the article said on Twitter that the journalist reported speculation about possible attacks as facts. The story was fabricated by the journalist. How it got through fact-checking, I don't know.

      • asdff 5 years ago

        That doesn't mean people didn't feed the journalist heavy handed speculation to make a profit from short positions.

    • asdff 5 years ago

      I think this is very realistic. These days prices move purely on speculation much more than they do on metrics like P/E. A source could have been in a short position, then after taking profit after the article was released could have bought up cheap shares. Thinking about the readership of Bloomberg, anything they publish will have a much larger market impact than an article in Ars. I think Bloomberg was played like a fiddle.

  • elliekelly 5 years ago

    When I worked as an attorney for a bank one of my jobs was to "manage" the audit engagements. When an audit has serious findings you can almost guarantee that's just the tip of the iceberg. On the other hand, an audit or review without any findings just means the company under review had some combination of good lawyers and friendly auditors.

    In my experience, there are two types of firms you can almost always find "friendly" auditors: law firms and small specialized "boutique" firms (accounting, consulting, etc). Who conducted this review? A boutique law firm.

  • latentpot 5 years ago

    Plausible deniability? Perhaps the ramifications were so huge (maybe for Apple and others) they would have gone bankrupt in lawsuits. So maybe this is an easier way to bail them out. Just using a tinfoil hat here.

  • nscalf 5 years ago

    It's definitely easier for a reporter to be a little over eager with a story and run it before being fully vetted than it is to co-opt federal agencies and independent auditors.

    I'm not saying that it's not possible for the situation you described to have happened, just that it would be an extreme outlier.

    • Cyph0n 5 years ago

      That's true, but why hasn't Bloomberg retracted the article yet? It's been two months since the piece was published.

      Given all this attention, don't you think that Bloomberg would have issued a retraction by now if it was simply the case of an overzealous reporter?

      • rincebrain 5 years ago

        Given the nature of their doubling down upfront about it, it could be quite problematic for them to admit they were Very Wrong.

        It's also possibly permanently going to be unclear whether this is factually accurate unless someone discovers a compromised system or the sources for the reporters provide enough information on why they believe what they do to actually investigate.

        • Symmetry 5 years ago

          If they were to publicly say they were wrong then suddenly that would be News the way the original reporting was. If they don't then only specialty publications will cover the failure to pan out.

        • kevin_thibedeau 5 years ago

          Bloomberg rewards their "journalists" for moving markets and use the promise of market leading scoops as the carrot to win subscriptions. An admission of generating fake news hurts their core business deeply.

  • ggggtez 5 years ago

    Could a TLA have silenced the real results? Sure, but that seems pretty unlikely. The US Government is not afraid to call out China for real or perceived threats right now (see tariffs). So the government itself silencing this would be pretty counter-intuitive.

    I'd believe more that Super Micro is trying to save its stock value, more than I'd believe government intervention. Of course, it could also just be faulty intelligence. Guess we'll have to wait and see what Bloomberg does with respect to whether they can get their sources on the record.

  • John_KZ 5 years ago

    Looking back at this after the Huawei scandal, it seems very likely it was a preliminary step to create a negative impression regarding Chinese manufacturing. Bloomberg could have been lied to, or been chosen to deliver false stories for propaganda. Of course it could be irrelevant (there were tensions regardless) but given how everything looks weird, it probably wasn't.

    Because no matter what the audits say, this article caused a widespread feeling of mistrust towards Chinese-manufactured electronics.

  • ryanmercer 5 years ago

    >is it possible that there was such an incredible threat to national security that even an auditor could be convinced by a federal agency to give a false report?

    Absolutely possible, even somewhat plausible but unlikely. Conspiracies are hard to maintain "2 can keep a secret if 1 of them is dead".

    You could outright threaten someone with any number of means to get them to comply with your wishes, this is how espionage often works at a state level "ho ho, you like underage boys Mr. Smith, we have these photos of you, you will help us spy on your government!" or "You owe us much monies from your gambling, you can give us information or we make your life very difficult", simply using sex to ease someone into complying (sexpionage both as blackmail and as reward/entrapment. A possible famous case of the blackmail route was with the NSA in 1960, see: https://en.wikipedia.org/wiki/Martin_and_Mitchell_defection ), finding actual irregularities in someone's finances and threatening to go after them for it etc.

    Again, possible and somewhat plausible but probably just a journalist fabricating a source or being misled by one. Yellow Journalism is a thing after all https://en.wikipedia.org/wiki/Yellow_journalism and if you look at papers in the 19th century you see all sorts of outright fabrications just to sell papers, like the Great Moon Hoax https://en.wikipedia.org/wiki/Great_Moon_Hoax

    • moftz 5 years ago

      A US intelligence agency nowadays would just issue a National Security Letter and force you to not say anything otherwise you go to jail. Most people really don't want to go to jail. An intelligence agency would really only resort to blackmail or extortion if they were operating in a foreign country where they couldn't outright bribe someone.

      • ryanmercer 5 years ago

        I imagine that is defeated by simply saying "I refuse to lie", which could be career suicide but it's still an option. I can see how legally they could say "you can't reveal that information, it's a matter of national security" but I don't quite think we're at the point in America where they can go "Say this or go to prison".

    • acct1771 5 years ago

      > Conspiracies are hard to maintain

      An oft repeated trope that holds no place in the repertoire of someone that's read history.

      Look as recently as the Manhattan Project for an example starkly to the contrary of your assertion.

      Large groups of people can conspire. It does happen, more than we can ever know.

      • ryanmercer 5 years ago

        >Look as recently as the Manhattan Project

        It didn't stay too secret, Soviet atomic spies penetrated the program.

        Emil Julius Klaus Fuchs for example was convicted of supplying information from the American, British, and Canadian Manhattan Project to the Soviet Union during and shortly after the Second World War https://www.wikiwand.com/en/Klaus_Fuchs

        https://www.wikiwand.com/en/Atomic_spies has other info about the spying attempts during the time.

  • mtgx 5 years ago

    What bothers me most about this article is that it's based around what "Super Micro says" -- why would I care about what Supermicro says? They are the ones being accused of having backdoors in their chips.

    I would've liked to hear this directly from the company doing the audit, without Super Micro's own "interpretation".

    The second thing that bothers me about this story is that it was Supermicro that paid for the audit. Maybe there was no one else going to do it, or maybe they just thought to get ahead of anyone else trying to review their chips. I don't know, but it doesn't sit well with me.

    Only recently we saw at least two major tech companies skirt FCC's privacy monitoring by paying themselves for the audits: Google and Facebook. Both had multiple major privacy scandals in the past couple of years, but somehow all of these privacy issues were completely missed by the companies auditing them.

    • notabot 5 years ago

      "A person familiar with the analysis told Reuters it had been conducted by global firm Nardello & Co and that customers could ask for more detail on that company’s findings."

      So I guess yes you can bypass Super Micro if you're a customer.

      • mtgx 5 years ago

        I saw that, but it's not nearly enough. Why isn't the report made public? Why do we have to take Super Micro's word for it?

        I seem to remember a very hostile and skeptical attitude from HN against Binance doing exactly this sort of thing when they announced the results of their paid-for "audit" of Tether financials. Why aren't we treating Super Micro's report of the audit the same way?

        • jessaustin 5 years ago

          HN people know that moving off of AWS is going to be a pain.

  • blakesterz 5 years ago

    I keep asking the same thing "how could a reputable news agency get a report so wrong?" They said they have many sources, they double checked things. But the denials from the various places have been SO 100% unbelievably "NO NEVER HAPPENED" that it's hard to know what's going on. If it really never did happen, why did so many people lie about this to reporters? What was the end game? It seems impossible that the reporters just made it all up, doesn't it? But maybe someone paid them to make it all up!

    It's just crazy conspiracies all the way down.

  • ineedasername 5 years ago

    Or could an auditor simply miss it? If the functionality were part of another legitimate chip?

  • dgzl 5 years ago

    Could it be, whoever supplied the information to begin with was just trying to burn the news org?

    Or possibly the leaker made a horrible mistake regarding facts?

    Or possibly there is indeed a conspiracy to cover up a hardware backdoor?

    These are tough times my friend.

thetricia 5 years ago

So correct me if I'm wrong, but the most sinister part of the story is how some might assume SuperMicro is a Chinese or a Mainland Chinese-founded company. It came right around the time ZTE, Huawei and others were facing renewed scrutiny. So you can imagine how easy it is to read the story and just think "oh, another Chinese company got busted".

  • dijit 5 years ago

    It's also easy to read this as a smear campaign against Chinese companies.

    • thetricia 5 years ago

      Well the big difference is it's reasonable to assume a Mainland Chinese company could get banned or sanctioned in some manner.

      Now just to be fair, from what I read, there was a lot of Super Micro drama going on beforehand which likely magnified the pessimism.

      Btw if you search for 'supermicro "is a chinese"' you will find some people that do think that.

  • Spooky23 5 years ago

    Which makes the idea that a US intelligence agency is setting up Supermicro really dumb on its face. The reality is that the company is poorly run and has a lot of resources and background in Taiwan.

    If there’s a nefarious nation-state plot, it’s more likely a Chinese one intended to demonstrate their ability to disrupt commerce. Any of the big vendors (HP[E], Lenovo, Dell, etc) are toast without their offshore partners.

jamesholden 5 years ago

Has Bloomberg even replied to the "Uhm, WTF you talking about Willis" responses from Apple/Amazon? I don't recall seeing one. I wonder what they will say now..

How can they just make up a story like this and it can slide?

  • deadbunny 5 years ago

    To be super cynical: They got their ad revenue from the story, why would they care?

    • stilky 5 years ago

      The reputation hit from being wrong is much bigger than the ad revenue from this one story. Bloomberg has been a very reputable and trusted source and wouldn't willingly throw that away

    • endorphone 5 years ago

      The story was given legs because Bloomberg has generally been a credible organization. They are tainted if they don't firmly explain their side, and forever anything they report will be coupled with "they were the ones behind that debunked SuperMicro thing".

      Clickbait and manufactured stories are a dead end tactic, so they certainly do care, and they certainly have some reasoning. Perhaps they were intentionally misled.

    • danso 5 years ago

      It’s doubtful that the ad revenues on even a highly-clicked story outweighed the cost of paying the reporters for the year they worked on this story, never mind the costs of the editors and lawyers who pitched in over that year, or the reporting expenses (e.g. travel). Also, it’s well-known that Bloomberg’s news division is heavily subsidized by Bloomberg’s terminal customers.

ineedasername 5 years ago

Evaluating this is tricky. On the one hand, Bloomberg claims it's a well sourced article, not a single person's unsubstantiated claim. On the other, Super Micro claims an audit showed nothing, but then they have an incentive to be less than honest, or to have performed a very superficial check. And couldn't an audit simply miss the issue if the malicious functionality were embedded in an otherwise legitimate chip?

Either way, it seems like Bloomberg really should have pushed for a particular example, e.g. "look at this on model X boards for confirmation"

  • kickopotomus 5 years ago

    I am more inclined to believe Super Micro at this point. It is not just them that are denying this. Apple and Amazon have denied it as well and Apple even went so far as to write a letter to Congress[0]. With a hardware attack like the one that Bloomberg reported, there should be some actual physical evidence out in the wild but nothing has been found to date. I think that they really failed with regards to due diligence.

    [0]: https://www.scribd.com/document/390401381/Letter-October-8th...

  • fraudsyndrome 5 years ago

    Super Micro didn't perform the audit of themselves (that would be silly), it was done by Nardello & Co as per the article.

    • ineedasername 5 years ago

      Yes, but the level of detail requested for the audit would be dictated by Super Micro. For example, if the request was to audit boards against the design specs, the audit would never catch something inserted during the design phase. Nor would it catch malicious functionality inserted as part of a legitimate chip. It seems like the potential number of attack vectors is extremely high if the design &/or manufacture process has been subverted.

      Alternatively, if there was no attack, it becomes exceedingly difficult to prove the negative. But that also leaves us with the perplexing situation of multiple sources-- 17 from different companies and NSA-- deceiving Bloomberg reporters. Or Bloomberg reporters themselves deceiving everyone. In the latter case the motives are clear. It's a career-making story that can't easily be disproved. In the former case the motives are less clear: a desire to smear Super Micro? Who benefits? A desire to stoke anti-China fear? It's all very strange.

eeZah7Ux 5 years ago

The elephant in the room is that detecting hardware backdoors will remain practically impossible due to the closedness and secrecy of the industry.

Especially for backdoors installed only on few servers.

Yet, open schematics, publicly available hi-resolution pictures and public, peer-reviewed, automated inspection are potentially possible.

lsc 5 years ago

I'd be super interested in the follow up, and not just for monetary reasons[1]

I mean, my impression is that there has been a lot of news trying to stir up US vs China animosity; I mean, I'm sure that a lot of industrial/state espionage happens, but the renewed focus just seems a little suspicious to me at a time when our government is trying to distract us from possible Russian interference in our election.

Makes me wonder about Huawei - is this all just our government trying to take the heat off their Russian allies? I mean, it wouldn't even need to be made up in that case, I'm sure that if you looked, you could find plenty of sketchy things Chinese companies are already doing.

But that was the weird thing about this supermicro thing... it was really pretty easily disprovable. Like... there are a lot of really smart people in the field looking for this sort of thing. If it was a lie to begin with, why pick one that can be shown to be false, when there are so many other possibilities that can't be proved either way?

Man, I hope I live long enough to read good history books about this era.

[1] I bought a bunch of SMCI when the story first broke; Aside from buying and using a lot of SuperMicro I simply didn't believe that they would be the only company affected if the story was true. When the story broke, I thought that someone had probably found something, and that as people tore apart hardware looking, we would find something from other manufacturers, too. As nobody has found anything yet? I now think the story is just false. I know smart people are looking. (software/firmware compromises may not be as durable, but they are a lot easier to implement.) Either way, my SMCI holdings are up a few grand at a time when the rest of my portfolio is looking pretty sad.

  • T-A 5 years ago

    > the renewed focus just seems a little suspicious to me at a time when our government is trying to distract us from possible Russian interference in our election

    That might be a reasonable suspicion if Bloomberg were a pro-Trump publication. It is anything but. Its editorials and opinion pages bash the current administration almost daily, and there have been rumors recently that Michael Bloomberg is preparing to sell his stake in order to run for president in 2020 (after deciding not to run in 2016 because that could have split the opposition to Trump).

    • lsc 5 years ago

      I think if you dangle government sources, even "anonymous" ones, in front of a reporter like Jordan Robertson, you are gonna get a story, regardless of the editorial slant of the paper.

      Of course, my crazy conspiracy story doesn't explain Robertson's industry sources. It could be, as others have said, a misunderstanding (I mean, we all know IPMI is run through with exploits; no conspiracy there. You just don't put your IPMI on an untrusted network. ) and it doesn't explain his continuing to stand with the story even after the giant and poorly controlled security community has been set to tearing apart motherboards.

      Really, that last bit points to... if not incompetence, at least to him not understanding how this sort of thing works.

cm2187 5 years ago

Their stock price increased 30% from the drop after the publication of the article, but still 20% down from before the article. Though most of that is probably tech stocks tanking. So they are probably close to where they would have been without the article.

  • asdff 5 years ago

    If you were a bad-faith source you would have anticipated this and profited from the movement in both directions. Short when the article is released, then take your profit and buy at an artificially low price.

bhhaskin 5 years ago

But did they find malicious chips elsewhere? And what is their definition of motherboard, chips and malicious?

All of these statements seem to be pretty well crafted. It is entirely possible that they found components that don't belong, but don't consider them malicious without the underlying payload that gets uploaded.

devy 5 years ago

Who's this 3rd party Nardello & Co.? A Google search leads to a New York based law firm[1]? If so, what's their technical capability to conduct this technical assessment?

[1]: https://www.nardelloandco.com/en/

lawnchair_larry 5 years ago

For what it's worth, no security experts believe the Super Micro story.

The reasons have nothing to do with whether or not it would be technically possible. That is irrelevant. The point is that the alleged events did not happen.

paraditedc 5 years ago

Bloomberg got the ads revenue, and people who read Bloomberg won't stop doing that just because of this.

The only thing changed is the lower cosine distance between China and hacking in the English corpus, as well as people's minds.

  • bunnycorn 5 years ago

    It's much more than that.

    They have destroyed 100s of billions of dollars of capital.

    • user5994461 5 years ago

      Supermicro was not worth that much.

      • bunnycorn 5 years ago

        They have dragged Apple into it, and with Apple, the entire NASDAQ.

        So, yes, they have destroyed 100s of billions.

mtnGoat 5 years ago

Let's just say what Bloomberg claims was happening really happened. This audit does nothing to disprove that. Considering how many they sell and how many their mentioned clients have, picking a few at random to check is junk science, considering the adversary only needs one to be operating inside the datacenter.

  • lysp 5 years ago

    That's exactly what I was thinking too.

    Assuming it did happen, it would have focused on a small batch of servers to a small batch of clients.

    They wouldn't have been installing this hack on every single server they produced.

    So unless they pull every server for every major client and check, simply checking their warehouse stock proves nothing.

pasbesoin 5 years ago

You know what really kills a relationship? Distrust.

Something our intelligence community has been fostering for... Well, what timeframe do I specify? But the past 15 - 20 years have brought something of a nadir.

And the corporate world isn't faring much if any better.

Reassurances don't seem very reassuring, these days...

stdbrouw 5 years ago

> Let's say Super Micro is right

Yet we still don't know whether this is the case, so it's not even clear whether "consequences" are in order and whether incompetence is at play.

You can't prosecute someone because "if they had stolen money from me, that would be theft."

nyc_pizzadev 5 years ago

Seems like a lot of people don't know who to believe. Me too. Hasn't anyone pulled a few Supermicro boards and confirmed that this chip exists? It was reported that the chip might be inside the wafers, but still, that would make finding this a clear smoking gun.

perseusprime11 5 years ago

I read this as "We've conducted a thorough review and made sure we've covered all tracks"

balthasar 5 years ago

We have investigated ourselves and found nothing wrong.

  • catacombs 5 years ago

    YUP.

    Unless SuperMicro hires an independent, third-party auditor, the ball is still in their court.

    • esmi 5 years ago

      First sentence in the linked article.

      "Computer hardware maker Super Micro Computer Inc told customers on Tuesday that an outside investigations firm had found no evidence of any malicious hardware in its current or older-model motherboards."

      Further down

      "A person familiar with the analysis told Reuters it had been conducted by global firm Nardello & Co and that customers could ask for more detail on that company’s findings."

      • justtopost 5 years ago

        Does that firm have any technical acumen? Or just a supermicro contract for a result?

kushti 5 years ago

These days most of American media stories about China, Russia etc are probable fakes. Only mass boycott of Western MSMs can fix the situation with these terrible weapons of psyops and propaganda.

jorblumesea 5 years ago

Is anyone at all surprised that a company investigated itself and found nothing wrong? It might be true, it might be false, but there's an obvious conflict of interest here.

  • kickopotomus 5 years ago

    They did not investigate themselves. The audit was performed by Nardello & Co as stated in the article.

time-domain0 5 years ago

What are the odds that Bloomberg ran this story under pressure/collusion from Supermicro competitor(s) in Taiwan, US fed govt or other business actors trying to tarnish China's image? That they would knowingly run such a big story without commensurate easily verified evidence and reliable sources is irrationally foolish for such a large news shop.

deuzj 5 years ago

This is weird, actually. I mean, a journalist lying for profit? Never happens.

subtlefarce 5 years ago

>Computer hardware maker Super Micro Computer Inc told customers

of course they will

cfv 5 years ago

Are all these people going to bill Bloomberg for the costs of the tests? They prob should

fallingfrog 5 years ago

Not sure I believe this. Would anything bad happen to them if they just lied about it? Probably not. Unless they stepped on some politician's foot somehow.

  • danso 5 years ago

    Who is “they”?

creeble 5 years ago

Bloomberg reporters clearly need retraining. As I've stated a few times regarding this story, "photo or it didn't happen". It's a pretty simple standard, maybe Bloomberg will think about applying it now.

Or maybe someone else will come up with a new conspiracy to punk them.

  • catacombs 5 years ago

    "Photos or it didn't happen" isn't as easy to obtain as one might think. Best case is obtaining documents that corroborate this whole thing.

cannedslime 5 years ago

So let me get this straight... Super Micro hired a firm, who then asked the manufacturers, "Hey guys can we please have your design files for your PCBs" and then they looked at the parts list and said, "Nope, no dedicated backdoor chips here" ?

They didn't really do a thorough examination of the devices in question, but asked the manufacturer for the CAD files?

  • hau 5 years ago

    You should really do a thorough examination of the article; it's really short. They did examine hardware both in production and already sold to Apple and Amazon samples.

    • cannedslime 5 years ago

      Well what I was wondering was, what did they examine to be exact? Did they decap chips and reverse engineer them?

      The article as you say, is really short. Too short, there isn't really any information in it, besides "Trend micro said this, take their word for it"...

      • dracodoc 5 years ago

        Why do you keep using "Trend micro"? Did you realize that's a totally different company?

        • cannedslime 5 years ago

          Oh, my bad... Doesn't really change much though.

  • thoughtsimple 5 years ago

    From the article: “Nardello tested samples of motherboards in current production and versions that were sold to Apple Inc and Amazon.com Inc, which were both named in the article, the person said.”

    At some point it is up to Bloomberg to show something. It isn’t possible to show a negative in this case.

    • cannedslime 5 years ago

      Well the article doesn't mention how or what was tested. The article doesn't really state what they tested for... Did they swing a dead chicken over the board while chanting "Evils reveal yourself", did they decap chips? Did they just install trend-micro antivirus and let it run?

      • thoughtsimple 5 years ago

        Again from the article: “A person familiar with the analysis told Reuters it had been conducted by global firm Nardello & Co and that customers could ask for more detail on that company’s findings.”

        So ask if you are interested.

  • nik736 5 years ago

    Trend Micro ???

ryanmercer 5 years ago

People worry about malicious chips in instances like this and I mean it's a valid concern but one method of attack I've always thought would be effective and extremely dangerous is strategically placing a component in a circuit that, if it fails, disables the entire device then you simply need a way to activate it.

Radio.

Design a circuit, or better something that appears to be a capacitor and functions as a capacitor but has a small internal compartment at say the top so that it performs at less than what it is rated for but has a small circuit that over-volts via a joule thief and causes a failure. Have the trigger be a small receiver that activates at a certain frequency probably in the ELF or SLF range with just a few bits needed as the activation key.

Put that into the supply chain of whatever industry and when you want to disrupt to cause economic damage, or even as part of causing a bit of chaos preceding a military attack, fire up your ELF station and start pumping out the few bits of data to activate.

ELF will penetrate hundreds of meters of water, it should reach inside most buildings and even if you only had something like a 5% success rate you'd disable a LOT of whatever you'd installed them in. If it's networking hardware, you could likely cripple anything that relies on the internet by causing considerable distributed failures.

  • heavenlyblue 5 years ago

    I don't know about anyone else, but I did not like your comment because it mixes up tons of technical and high-level detail and also does so in incredibly long form.

    You could have reduced the idea to "instead of embedding microchips in other microchips, why not make a device that simply allows one to disable the device remotely? Surely the size requirements would be much smaller"

    Instead you go semi-technical about something you know semi-nothing about.

  • moftz 5 years ago

    Only problem with LF stuff is that you need a pretty big antenna. You would be better off designing a chip with an RF section that operates in the GHz range so you can get away with a tiny microstrip antenna or with the antenna inside the chip.

    • ryanmercer 5 years ago

      I will admit radio is not my thing. That works too though, and then you can make it a much larger activation key; even just bytes instead of bits would exponentially increase the odds of not having an accidental activation, which should make it not get set off by a router or microwave, and you could probably activate it simply by flying over with a slightly modified cargo or passenger aircraft that looks business as normal but just belches high-power bursts of the activation signal.

  • creeble 5 years ago

    Dude, I think you need to understand more about radio before writing about it.

    • ryanmercer 5 years ago

      Care to actually point out a flaw instead of replying with a low-value comment that serves no purpose other than stroking your own ego?

      Yes, another user has already established ELF would be bad. Microwave would work completely fine however.

      A 34.9 mm x 9 mm strip antenna would work more than adequately. Transmission from a geostationary satellite, or better a passing aircraft, could penetrate most non-metal structures (at least into the outer rooms) and would work.

      You could easily fit the entire circuit into capacitors used in many power supplies; taking out a power supply is enough to take out hardware long enough to begin an attack (especially if combined with digital attacks on the grid and other critical infrastructure) or to simply cause some sort of economic damages.

      And actually, there's a certain type of Atari power brick that is prone to destroying Atari computers, as they are highly prone to failure, which causes excess voltage being pumped into the machine as the last act of the power supply. The dreaded 'ingot' power supply (part number C061982). Do you know how many people open up wall warts/power bricks? Basically zero, and many are actually un-serviceable as they are epoxied shut.