
So, when looking at this, we have to remember that reporters aren't analysts; they're not expected to have subject-specific background and make personal judgement calls as to what the underlying truth is. If you want that you can certainly get it - for a much higher price than a newspaper. That's what firms like Gartner are for.

Reporters to a very large extent report what sources say. Their judgement comes in considering the credibility of the source.

In this case they got a number of "credible" but anonymous sources. What they need to do now is make a choice:

a) burn the sources: publish the names and start investigating them and why they might have fed false information to Bloomberg. This will make it harder for them to get stories in the future, and may be considered a breach of journalistic ethics by some, but it also makes it less likely that people will try to play them like this in the future.

b) try to find some on-the-record sources for their story.
This is a case of c) Reporters were completely reckless. They bought a small 0402 decoupling capacitor, put it on a pencil tip, and then claimed that it was a chip that could hack your device.

Any EE worth their salt knows exactly what 0402 decoupling capacitors do, and that there's no way you can hack from that angle. It has to do with where that particular chip is placed: usually on power lines... not really signal traces.

The fact that all known security forces are denying the story (not just big companies like Apple... but also Homeland Security), means that the reporters likely misunderstood what their sources were trying to say. They published a bad story, exaggerating a molehill into a mountain.

-----------

The thing is: we all know that BMCs are very insecure. A lot of the problem is that the Bloomberg article is pointing at lol 0402 decoupling capacitors, when any security researcher worth their salt is looking at the BMC instead.

There are too many technical details in the Bloomberg article that were outright WRONG. It's a clear-cut case of reporters misunderstanding things and focusing on the wrong thing.


A lot of people got hung up on the photos, but did the text actually state what they were or were they just "for illustrative purposes" like stock photos?


I wish news services would stop placing pictures "for illustrative purposes". Either show the real thing, or don't show anything at all. Otherwise, people who aren't experts in the subject domain will have no way to determine which aspects of the picture matches reality, and will implicitly assume most of them do (the alternative, unseeing a picture, is harder).

I know I had this problem in this particular case. I assumed the chip on the photo was real, and only learned on HN that it wasn't.


Bloomberg never indicated that the imaged chip wasn't the backdoor chip. The article repeatedly suggests that they're actually showing the backdoor chip.

https://assets.bwbx.io/images/users/iqjWHBFdfxIU/iNO3klzCOEj...

This image is captioned "Microchips found on altered motherboards in some cases looked like signal conditioning couplers."

You can easily find the article yourself here https://www.bloomberg.com/news/features/2018-10-04/the-big-h...


The source material is still on Bloomberg's website. Look at it, it's a 0402 decoupling capacitor: https://www.bloomberg.com/toaster/v2/charts/85c4e100b7ab4a8b...

The full article here: https://www.bloomberg.com/news/features/2018-10-04/the-big-h...

-------

As for what that thing is... it's this (or something like this): https://www.digikey.com/product-detail/en/avx-corporation/W2...

That's an 8-pin decoupling capacitor. But there are "really" only 2 pins. The 8 pins are there to reduce resistance and inductance.

----------

It's very clear what happened. One expert probably said something like "The Chinese are using small chips to hack us". And a second expert said "The smallest chip I know of is the 0402 chip capacitor".

The reporters then combined the two expert opinions into an incorrect statement. I would NOT be surprised if the Chinese were using small chips to hack BMCs of SuperMicro (although there's no evidence of it... it would have at least been a believable story).

But as soon as I saw the above graphic, I just WTF'd at Bloomberg. The infographic was about as misleading and WRONG as you can get.


It literally says, in the very picture you linked to, that the chips were built to disguise as coupling capacitors.


I'm not sure if you understand my point then.

Decoupling capacitors perform a very specific and very easy-to-see function. They have two pins, C+ and C-, and the capacitor tries to keep C+ and C- at roughly the same voltage level across time. In particular, decoupling capacitors are fully passive (non-powered) devices.

Ex: If the C+ and C- pins are at 3V (on average), then a decoupling capacitor will help keep the voltage at 3V. The mechanical analogue would be a flywheel: it helps regulate the voltage and prevents voltage spikes.

-------------

It makes NO SENSE for a chip to disguise itself as a decoupling capacitor. There are lots of other chips that would be a better disguise. The fundamental premise and explanation is a joke to begin with.

Like, how are you supposed to hack into a computer at the electrical level using only two pins?

Mind you: an intelligent chip-level hacking device needs... at minimum... Power, and Ground. Bam, you already used up the two pins that a decoupling capacitor has... and you haven't even touched memory or other issues yet.

Clearly, the reporters have gotten something wrong. I can believe that the reporters maybe have a real story here, but they are wandering into technical details that they clearly do NOT understand. Clearly, a mistake or misunderstanding is somewhere in that explanation.

At the very least, a chip-level attacker would need... I dunno, maybe 3 or 4 pins, at the minimum. I haven't thought about it much, but it's instinctively obvious that the 2 pins of a decoupling capacitor are insufficient to do any kind of hacking.


> I haven't thought about it much, but it's instinctively obvious that the 2 pins of a decoupling capacitor are insufficient to do any kind of hacking.

Your instincts seem to have deceived you. There's a top-level comment with a variety of replies that discusses a 2-pin device to snoop or modify data to an I2C device, and plenty of other literature documenting the feasibility of such devices.


The distinction there is the type of device. Caps are not used on data lines. The parent comment is talking particularly about how the Bloomberg article kept referencing the attack vector as a disguised cap.

The comment that you are referring to used a 2-pin device in place of the pull-up resistor on the SDA line of an I2C bus. That does seem fascinating and I would like to read more about it but I still have a lot of reservations about real-world applications.


Caps can be used on data lines to filter out high-frequency noise, as it forms an RC low-pass filter with the source impedance (see here for an example: https://jretest.com/understanding-data-signals/ ), although I do not know enough about motherboard design to know whether these caps are needed on any of the data lines.


On a motherboard the data is being carried at high frequency.


c) report it as what it is: unsubstantiated hearsay.

A story can be interesting and relevant but impossible to prove, and you can still report it honestly by simply making it clear what came from an anonymous source and what is verifiable fact. But it's very easy (and appears to have happened all over the place in this particular article) to cite what someone tells you as fact without making it clear you're just reporting what somebody said.

In fact, the article in a couple of places appends "sources say" at the end of some statement, making you think you're reading a fact until you've reached the end of the sentence. Which IMHO is a "journalism anti-pattern".


Regarding this last point, I'd call it a "dark pattern" in journalism - it's intentionally designed to trick readers.


This common dark pattern has a name, for those interested in reading news critically: https://en.wikipedia.org/wiki/Weasel_word


Most of the top-tier publications actually do make a point of hiring people with subject-specific expertise. I first noticed this when The New York Times' lead medical correspondent was identified as Lawrence K. Altman M.D., because he really had earned a medical degree before heading into journalism.

In my own journalistic travels, I've worked alongside legal reporters who graduated from Harvard Law School, Wall Street reporters who earned certification as Chartered Financial Analysts, tech reporters who majored in computer science at Stanford, etc. That doesn't make them instantly right about everything. But it does mean they have the training to parse conflicting claims.

I'm not sure about the credentials of the specific Bloomberg reporters on this one. But Bloomberg does have budget and resources to hire subject experts to report on complex subjects.


> [T]hey're not expected to have subject-specific background [...] Their judgement comes in considering the credibility of the source.

Which they are unqualified to do if they do not have subject-specific background.


The journalist behind the Theranos exposé, John Carreyrou, does not have a biomedical or startup/VC background.


Unqualified does not mean incorrect or wrong, and somebody who is unqualified can employ the services of somebody who is in order to overcome that deficiency.


“If someone says it’s raining & another person says it’s dry, it’s not your job to quote them both. Your job is to look out of the fking window and find out which is true.”

https://twitter.com/Klujypop/status/1018217609010012160
