68 comments

[ 4.7 ms ] story [ 113 ms ] thread
If the story is not true Apple and Amazon should sue Bloomberg for misleading the public and hurting their reputations.
I am sure Bloomberg had some lawyers in the room when they made that decision.
From what I read in "Bad Blood" (the book about the Theranos fiasco) of what WSJ does before publishing investigative reports, you can be 100% that they did.
They have a photograph of the chip and scores of (unfortunately anonymous) sources.

It sounds like some researcher found weird traffic, eventually found there is a chip on some of these servers that wasn't in the original gerber files, and this chip is doing something, and beyond that a lot of people are speculating about who and what.

Apple and Amazon deny that the story is correct. That doesn't mean that there isn't a chip there and they now know what it is doing but are prohibited from saying much beyond the story as a published whole is not true.

Was there a picture of the chip released? I have been trying to follow and last I seen was it seemed the pictures in the article was likely an artists representation of the chip. Did an actual picture get released or was there confirmation the picture they released was the real chip? Thank you
FTA: ”... it's not clear if this is a real photograph or a Bloomberg-made mockup.”
It’s reasonably clear that the chip shown in the article is very unlikely to be any kind of microcontroller/semiconductor.

It’s embedded in ceramic. Such devices need to be fired at very high temperatures which a semiconductor wouldn’t be able to withstand.

You can make two half ceramic pieces and cement them together nearly seamlessly with a semiconductor inside. This was common before DIP packages.
I was going to say, the number of ways to make something look like a ceramic component are more relevant.
In any case, someone who can make a malicious IC die look like a balun could just as easily add their die to the EEPROM package that's intended to be there.

It makes no sense for state-level bad guys to create disguised packages and add them to boards at the assembly house. There are any number of other links in the supply chain where they could accomplish the same goal with an actual nonzero chance of getting away with it.

The key benefit of injecting at the assembly house is that it means you can target the injections based on the final customer. This reduces the footprint of the attack, which reduces the chances of your exploit being publicly exposed, and reduces the risks inherent in scaling up a highly specialised top secret supply chain.
You're arguing against compromising the boards, right?
No.

I'm pointing out an advantage in putting the exploit into the supply chain as late as possible, such that it can be selected for based on customer.

Compromising the motherboard may be a good approach if the boards have some amount of customisation for each customer.

No it wasn’t? They used to use gold caps.

You could absolutely use a novel manufacturing technique to make something that looks like the picture in the article.

It wouldn’t make much sense to do so, because that part doesn’t even belong on a computer motherboard, it’s an RF component.

That’s fair enough, I don’t think that process would work here though?

I also don’t understand why you would do that. Given the ceramic part in question doesn’t look like anything that would be on a motherboard, and has been identified as an RF component.

Bloomberg pays reporters more if their story moves markets:

https://news.ycombinator.com/item?id=18162440

> “It isn’t news unless it’s true. At Bloomberg News, the most important news is actionable. That means we strive to be first to report surprises in markets that change behaviour and we put a premium on reporting that reveals the biggest changes in relative value across all assets.”
This is a very reasonable policy that doesn't sugar coat much.

Bonus for moving markets -> Incentive to report on highest possible value stories.

High value stories -> Bloomberg gains reputation/highest possible value to stock holders.

Are you suggesting the reporters turned in a story they knew to be false, in pursuit of a bonus? However large the bonus Bloomberg pays, it is surely paltry in comparison to a reporter's reputation.
Many reporters have written many stories they knew to be false in the past, even without this incentive. So I am not sure what your claim is.
The claim is that Bloomberg reporters value Integrity over Money
Bloomberg says they did a year of reporting, and over 100 interviews, and have around 17 sources. It's hard to believe all those sources conspired to fabricate this story, along with the evidence, and conned the reporters. Bloomberg clearly found something, but if Apple and Amazon are right (I wouldn't assume that; aggressive denials are par for the course), what did they find?
Then again, Bloomberg's details are really only vague hints.

To me these are currently only allegations from one source. When a board is given out to security researchers to publish an independent analysis I'll believe it. The perfect way to be credible to me would be to give a talk at some security conference. There's no investigation of the supply chain, which would have been quite interesting.

But the more I think about it, the more I think that all of this, if true, would be much too serious to even publish, really.

Considering the article points fingers at China, I wonder if their evidence was manufactured by someone. Without proof (like a board) or the names of actual witnesses or hard documents or something, its basically unverifiable, like claiming Area 51 has aliens. Without proof it's indistinguishable from fiction.
It would be like claiming Area 51 has aliens after over 100 interviews with 17 people familiar with the aliens, including two at Lockheed Martin and three at Boeing.
None of whom are identified on the record.
Far more plausible that alien stories though.
> Considering the article points fingers at China, I wonder if their evidence was manufactured by someone.

What is the connection?

> Without proof (like a board) or the names of actual witnesses or hard documents or something, its basically unverifiable, like claiming Area 51 has aliens.

A Bloomberg article based on a year of reporting, 100 interviews, etc. is as likely as aliens? Hmmm ... I feel I can distinguish it pretty easily.

It reminds me of Genoa on newsroom. I won't spoil it for those who haven't seen the show, and highly recommend watching it if you haven't. You don't even have to be into the news or politics, I haven't watched the news or read a newspaper in over 5 years and I very much enjoyed the show.
Who has what incentive here? The US has an incentive to damage China'a reputation, but not so much if it takes down Apple and Amazon with it. Apple and Amazon have an incentive to limit or hide information suggesting they're leaking data - is that enough smoke?

Otherwise, if Bloomberg have been misled by a concocted story, who has the ability to generate enough false sources/etc to engineer it? Seems like the scale puts it beyond a solid PR effort from a competitor?

17 sources who may all be drawing from the same source, or at least (inadvertently) confirming each other (e.g. source 2 has heard vague information from source 4 and 6, and reports that to Bloomberg, source 5 has then heard vague information from source 2 and 4, and reports that to Bloomberg). Without more information, I'm not sure we can really say it's more than one source (Bloomberg).
That's theoretical; it could be said about any group of sources on any story. Is there anything to back it up here? Do their descriptions of the sources support that theory, as a small (but still very insufficient) start?
It's definitely speculation, but I notice the article did fail to clearly demonstrate that it's anything different...
> aggressive denials are par for the course

Aggressive denials yes, but not at the level of specificity that Apple and Amazon have gone to.

Bold claims from newspaper is also par for the course, and Bloomberg benefits from the attention, especially if in the end they can just say “the problem was insignificant, but we were in good faith, we’re not engineers after all”

If we want to disregard what Apple’s denial, we can also disregard Bloomberg’s claim until someone sues someone else and an investigation brings out actual facts.

This whole business reminds me of the Newsweek reporter who was sure that Satoshi Nakamoto was some random Japanese guy in the Bay Area that she apparently found by looking up "Satoshi Nakamoto" in a phone book. The guy she found was a retired EE who had held a security clearance at Lockheed or someplace like that. He was an elderly recluse whose English skills weren't the best, so when he thought she was asking about classified material, he muttered something like, "I don't work on that anymore," and shut the door in her face. Jackpot, right?

In the old days an editor would step in at some point to save these ink-stained wretches from themselves, but that's pre-Internet thinking.

You don't think Bloomberg had an editor review the story before publication?
You think Newsweek did?
I would like to know more about how things worked in "the old days".
In the case if newsweek, it was still wild speculations. Bloomberg mentions sources in the intelligence community and provides a lot of details. I am as much in the dark as anyone else but it doesn't feel nearly as wild as the newsweek story.
All this assertion / denial stuff is getting tiresome. If this compromise was implemented at a significant scale, and people in-the-know have figured out how it functions, it shouldn't be too hard to get hold of one and provide a demo.
absence of an example device is a strong strike against the Bloomberg article.
Would you assume the NSA would distribute it to newsrooms like flagrance samples? Particularly if the leak was unauthorized.
Really? If we assume everything reported was true, would the sources involved be in a position to hand over a server to the reporters?
No need to have somebody hand over a server. If the implant happened in two segments of the supply chain as the article claims, it shouldn't be very difficult to find one.
The burden of proof is on the accuser.
The burden's on Bloomberg for accusing China of implanting the devices, or it's on the tech companies accusing Bloomberg of being full of --it, though? Looks like a standoff until we hear more
And now I'm angry at myself for not thinking of this. So much of this story was sitting like a grain of sand in my brain, but I couldn't put my finger on it
If you understand what this does, there's no such thing as an insignificant scale.
The point about scale, is that if this happened at the scale that is being claimed, it shouldn't be too hard to find a compromised unit.
The scale being claimed is a mere four factories, subcontractors of Supermicro's actual contractors, who were only used when demand exceeded those contractors' own capabilities.
Does bloomberg have a compromised motherboard so we can independently verify the claim?
> Does bloomberg have a compromised motherboard so we can independently verify the claim?

It's unreasonable to expect that they would. Bloomberg News is full of journalists, not security researchers. They gather testimony and documents, not physical evidence.

Furthermore, the servers in question would have been owned by others: Apple, Amazon, the US Government. It's very unlikely that whatever sources Bloomberg talked to would have had the authorization to legally hand over the servers in question.

I'm expecting third party experts to come out of the woodworks with "look at what we found / didn't find!"

Is there something I'm missing that makes this difficult?

Yes - finding the servers in question from the correct lots.
It probably comes down to how common the alleged problem boards are. If these devices only ended up in a small percentages of boards produced it might be very difficult to find a board that even had it.
If you knew some of your assets had been compromised..

BUT you KNEW that they were compromised BEFORE you put them into service,

and you made changes that allowed you to spy back on the spyers..

you would deny that the assets had been compromised in the first place.

Surely if something was compromised, you'd end the relationship with that supplier? You wouldn't have much incentive, especially cross-border, to bust them in action.
Busting them in action wouldn't be of any worth, feeding them false or misleading information would be. Never underestimate governments and their desire to know as much as possible about their friends and enemies and feed them with information.
Most brilliant. These people can conjuring up a fancy spy story while having no idea how a chip is made at all. And is very amusing to see mass acceptance.
It could be the whole thing is FUD being sowed by someone with an interest in trolling US companies. Russia, for example, for whatever reasons which are beyond me.
Curious. They had mentioned 30 companies. Where are the other 28? Has anything been said about them?