1. 84

  2. 20

    On the one hand, the article has moments that make it seem dubiously sourced.

On the other hand, I’m reminded of a conference I went to years ago where some genius from NSA was haranguing me about the security dangers of non-US born programmers working in US firms or on open source projects. I asked him why he was not more worried about Chinese built motherboards and he refused to believe me that the USA depended on imports of Chinese motherboards.

    1. 21

      “The dangers of non-US born programmers working on open source projects”?

      The spook mentality is something to behold.

      1. 3

        It is well known that Linus is a Russian spy and goes by the name Linyos Torovoltos. :)

        The link above was submitted recently here.

        1. 2

I recall, from Linus’s autobiography, that he claimed that his parents were fans of the Soviet Union & until their divorce he was raised as a red-diaper baby. Obviously, that hasn’t made him into a Stalinist as an adult, but if somebody wanted to spin it that way more seriously I’m sure they could. (I recall back in the naughts some Microsoft fanboys trying to make those claims & paint the whole open source movement with that brush, but I don’t think they were very successful.)

        2. 1

It was kind of jarring - I was not born in the USA either!

          1. 1

            And you come over here with that foreign thinking devising things like RTLinux that jeopardize the profits of domestic, closed-source, RTOS vendors. That’s exactly the kind of thing our non-corrupt, capitalist government was worried about! ;)

        3. 3

I think I don’t trust this article at face value at all. Bloomberg could be telling a fake story at the demand of someone who wants to further his agenda against Chinese hardware. Also they might partake in a stock manipulation scheme; it was very effective, if that’s the case.

          Going to wait and see what’s happening before I conclude anything from here.

          1. 6

I really really really doubt it. Bloomberg in particular is financial news; its reporters are constantly seeing how (to quote Matt Levine) Everything Is Shareholder Fraud. Publishing something like this with willful negligence would open them up to soooooo many lawsuits.

            Not to mention that Bloomberg is beholden to basically no one, as an organization. They make huge amounts of money selling their stuff. While Businessweek is being pushed to be more self-sufficient, there’s still a lot of value in them being trustworthy.

            Also making up a story, publishing it in a major outlet, and profiting off of a stock trade afterwards. Oh my god that is a “go directly to jail do not pass go do not collect $200” move, especially if you’re just a journalist and not a multi-billionaire. And these people know it, because they’re the ones reporting on other people doing this kind of thing!

            I’m not saying the story is most definitely right, but it’s a serious outfit.

            1. 4

              Yeah, the idea that either Businessweek itself or the author is fabricating this story is hard to swallow – if they did, then somebody’s making incredibly poor decisions.

On the other hand, I could absolutely buy the idea that they’ve been fed fabricated evidence. This story exists at the intersection of international relations, espionage, and big business. I can imagine some Angleton-esque character whose paranoia only became pathological after they got in a position of power who suddenly decided that supply chain meddling by Chinese intelligence is inevitable & decided to try to trigger an outright ban by orchestrating a high-profile story. (After all, once upon a time our president campaigned on heavily limiting Chinese imports, so it’s possible that somebody in intelligence capable of faking convincing-looking Apple & Amazon documentation thought it’d be an easy sell.)

                1. 1

                  Author doesn’t seem to mention particular Bloomberg stories that those authors wrote that turned out to be false.

                  It’s not outside the realm of possibility but I find it hard to believe that there’s a pattern of a couple authors making stuff up in multiple stories for that outfit – or even reporting stories that end up being wrong due to misleading sources, unless they’ve got damned good excuses. I’ll believe it when I see the stories he’s talking about.

                  (BadBIOS is getting mentioned in that thread, but BadBIOS was broken by Ars Technica, right? Anyhow, the whole BadBIOS story was – accurately – reported as “this one researcher thinks this is happening, and other researchers think it’s possible but probably bullshit” in all the coverage I saw. While it was questionably newsworthy, that coverage wasn’t wrong or misleading, unless you only read the headlines – which are almost always wrong & misleading, even in good articles.)

            1. 9

These are strong & specific denials. Either the spokespeople aren’t clued in, or somebody at Bloomberg screwed up really bad. All these parties (maybe with the exception of the representative of Chinese intelligence) are going to face problems if they need to walk back claims like this.

              1. 11

It’s certainly a market-moving claim. Right now Supermicro’s stock is down 50%.

                1. 9

                  At least in Amazon’s case the denial is not from a spokesperson, but rather the AWS CISO:


                  I agree with your characterization of this denial as both strong and specific.

Full disclosure - I work for Amazon in security, but the retail part. I know nothing of this issue other than what has been stated publicly above.

                  1. 5

                    Grugq has weighed in & compiled some of the strands. I’m not a security guy but most of what he’s said on other subjects makes sense to me so I basically trust his judgement to be reasonable. He’s pulled up a couple things I hadn’t seen yet.

                    1. 1

Agree. It’s going to be fascinating to watch this unfold.

                  2. 11

This is just the tip of the iceberg. I have a previous write-up that goes into detail on ASIC subversion based on what I learned from people who do and counter it for a living. It’s mostly used for misleading buyers about performance, counterfeiting, etc. The main guy I talked to said he hadn’t seen it done for attacks before. So, the gap between the methods of counterfeiters and the needs of infiltrators is starting to get narrower. You’ll see a lot of attacks if these two groups start collaborating, esp. on the analog/RF level.

                    “Elemental servers sold for as much as $100,000 each, at profit margins of as high as 70 percent”

                    Also, am I the only person thinking I was in the wrong part of tech? Goodness, that’s a nice profit per unit. ;)

                    1. 11

You know it’s a good story when In-Q-Tel is involved.

                      1. 8

                        And they aren’t even the focus!

                      2. 7

                        With more than 900 customers in 100 countries by 2015, Supermicro offered inroads to a bountiful collection of sensitive targets.

                        Although the investigators couldn’t be sure they’d found every victim, a person familiar with the U.S. probe says they ultimately concluded that the number was almost 30 companies.

                        Supermicro had three primary manufacturers constructing its motherboards, two headquartered in Taiwan and one in Shanghai. When such suppliers are choked with big orders, they sometimes parcel out work to subcontractors. […] Eventually, that person says, they traced the malicious chips to four subcontracting factories that had been building Supermicro motherboards for at least two years.

                        Even given the nature of how this hack was pulled off, via subcontractors used when handling large orders, fewer than 30 companies impacted seems suspiciously small. Small enough that either this attack was directly targeting some or most of these companies or the total number of companies affected hasn’t been adequately determined.

                        1. 3

That seems suspicious, as does the glaring failure to mention that Intel, Dell, etc., as far as I know, make their boards in the same factories.

                          1. 2

I doubt the attack is that widespread. It was targeted at a certain SKU. This isn’t a dragnet operation but something very targeted. Dragnet would be something very widely deployed, like common wifi-enabled MCUs.

                        2. 6

                          If there was a big neon sign floating in the sky blinking on and off saying “These baseboard processors and complex boot programs are a REALLY BAD IDEA!” while alarms sound, it would not be more obvious.

                            1. 4

The Register has in my opinion written a thoughtful response https://www.theregister.co.uk/2018/10/04/supermicro_bloomberg/ which discusses the possible truth or misleading that this article may involve, for example implications for the authors’ extra dividends or market influence.

                              1. 7

While this Register article mentions market-shift-driven bonuses as a reason to cover the story (in a single paragraph in the middle of the third page), it dismisses the idea that the story would have been fabricated or even exaggerated for this purpose:

                                The publisher employs roughly 2,000 journalists, who are encouraged to work together and share information through their Bloomberg Terminals, with many layers of editing and fact checking, and it has a zero tolerance on errors: it is inconceivable that it would publish a story this huge that wasn’t watertight.

It’s worth reading since it points out some holes in the denials that weren’t immediately obvious – these denials are a lot weaker than they appeared to me initially. On the other hand, it also points out that the first clues that there was a case here were discovered in an informal conference in CIA territory. (This points to an interesting possibility: what if the Supermicro snoop chips are real but aren’t Chinese?)

                                1. 2

                                  what if the supermicro snoop chips are real but aren’t Chinese

                                  It would be so funny if it turned out the bugs were real but came from somewhere completely random and unexpected like, oh, I dunno, let’s say Belgium.

                                  It would be even funnier if it transpired that Bloomberg have accidentally ratted out an NSA operation.

                                  1. 1

It’s early days but my money is on a 5eyes (/7eyes/12eyes/whatever it is now) operation. It’s really weird that Apple, Amazon, and SuperMicro are all on the same page & their take is so different from Bloomberg’s, and it’s especially weird that GCHQ came out and released a public statement supporting the Apple/Amazon/SuperMicro take. That’s like if the NSA released a public statement saying Tesco hadn’t cooked their books: the preconditions for the existence of a statement imply a motivation seemingly incompatible with the statement being true (though one would expect GCHQ to know this so… double-cross anyone?).

Tentative model (somebody congratulate me in 6 months if I’m right): these are post-TAO-leak NSA-designed implants given to GCHQ by the NSA, who had their agents put them on boards, so that GCHQ can intercept Apple & Amazon traffic (probably recordings from Siri and Alexa) and sell them back to the NSA in exchange for the NSA’s material from the British Isles, Commonwealth countries, and whoever they’re worried about this week.

                              2. 4

                                Looks like GCHQ (!) has made a public statement backing Apple and Amazon’s denials. I find that quite… odd.

                                1. 1

                                  The Federales say, they could have stopped it any day.

                                2. 3

                                  The Department of Homeland Security has issued a statement.

                                  1. 3

The fact that both GCHQ in the UK as well as DHS in the USA speak out on this issue probably only serves to increase the suspicion that something underhanded is going on. It does raise questions about who is - or are - behind any possible shenanigans. Now all we need is some Barbra Streisand as background music and the picture is complete…

                                    1. 1

Yeah… GCHQ & DHS shouldn’t have any special information about this, unless they’re involved.

                                  2. 2

                                    Apple has written a letter to Congress denying the Bloomberg article.

                                    1. 2

                                      Bogost has weighed in. He hasn’t said anything that we haven’t said in this thread, but it’s nice to see that a mainstream publication aimed at non-techies is covering this in a way that highlights the political & economic implications.

                                      1. 2

                                        This is very scary indeed. Thanks for sharing.