I noticed that it's commonly accepted that Bloomberg's 2018 stories on the Supermicro hack were bogus, costing them a huge amount of reputational damage. However, Bloomberg stood by the stories. I'm very curious to see how this one will be received. I was never quite convinced by the naysayers or the denials by the government, Apple, or Amazon. I think it's quite likely that Bloomberg will be proven right in the end, this story having been accurate but suppressed for "secrecy" reasons all along.
Notably, one of the criticisms at the time was that Bloomberg didn't name credible sources with first-hand accounts of the events — understandably given the sensitivity. This time, it seems they have been able to do so.
Either way, I'm thrilled to see an outlet do original reporting and stand by their work in the face of universal condemnation. We are better off for having strong dissenting views informing us and expanding the narrative. I'm finding myself increasingly distrustful of the work of journalism outlets, but this (and those gone independent on Substack) gives me hope.
> it's commonly accepted that Bloomberg's 2018 stories on the Supermicro hack were bogus
Somebody owes a little apology here I think - if the Bloomberg story is confirmed, which I now give a very good chance. Especially the "experts" that were so uniformly wrong. Schneier did recognize he was wrong, but only very matter-of-factly. I think there's more work to be done to figure out why so many people got so huge a story so wrong. I do not call for public shamings or anything, God forbid, but there should be some more work done on this than "ok, I was wrong, never mind", if it turns out we had so many people get it wrong. There's a lot of trust placed in "experts" - in fact, disagreeing once with "experts" is now grounds for a permanent ban from many platforms - and if they are getting things so wrong, we're finding ourselves in a very bad situation, information-wise.
> I was never quite convinced by the naysayers or the denials by the government, Apple, or Amazon.
When you say "naysayers" are you including other organizations who tried and failed to corroborate the original story? It's difficult to prove a negative but the Bloomberg story seems bogus to me because not a single other organization was able to find anything of the sort. If the hacking was this widespread, I tend to think someone else would be able to find something.
Telecom engineer here (not on a Huawei/ZTE payroll). The reason why the original piece is extremely unlikely is the cost of keeping a conspiracy involving this many entities and requiring collaboration between them under wraps. You do not need hardware implants or even sw based backdoors when the system is fragile enough to get the same undocumented functionality without.
It is not needed because the quality of Huawei/ZTE and all the Chinese based tech vendors is so shockingly bad that no such backdoors are needed to achieve their objectives. Shitty quality gives much better plausible deniability than a well designed backdoor in thoroughly tested code.
The big and only story IMO is that Huawei steals shit from other companies. I had my own work for control-plane on eNodeB stolen by colleagues in our Chinese site that then moved to Huawei. The company should be sanctioned all around the world and their CFO hopefully will rot in a US prison.
It's important to note that the entire story is no longer about just Supermicro, which (if the allegations are to be believed) was only a piece of the puzzle:
“If you think this story has been about only one company, you’re missing the point,” [FBI’s former assistant director for counterintelligence Frank Figliuzzi] said. “This is a ‘don’t let this happen to you’ moment for anyone in the tech sector supply chain.”
Perhaps the title could be adjusted to reflect that, although much of the article is still a follow-up to the earlier Supermicro story, and that is also reflected in the lede.
In particular, the article also includes allegations that Lenovo hardware used by the US military in Iraq was modified with specially-crafted backdoors:
“A large amount of Lenovo laptops were sold to the U.S. military that had a chip encrypted on the motherboard that would record all the data that was being inputted into that laptop and send it back to China,” Lee Chieffalo, who managed a Marine network operations center near Fallujah, Iraq, testified during that 2010 case. “That was a huge security breach. We don’t have any idea how much data they got, but we had to take all those systems off the network.”
The above quote is from a court testimony, and the article also links to a full transcript of it (in PDF):
Although this would be old news, it appears to not have been reported upon before.
In any case, these are serious allegations. Bloomberg first published them over two years ago and faced criticism for not substantiating them further when all the parties mentioned in the article denied the claims. Eventually, the coverage of the whole story subsided without any definitive conclusion with regard to its veracity. Now Bloomberg appears to be doubling-down on the allegations. Hopefully this time the claims can either be confirmed as factual or disproved for good.
It's great that we're finally getting an update to Bloomberg's 2018 article. I wish there was a more concrete stance from the US government or other US companies about this story other than flat out denials. The article suggests that affected parties have known about this issue for over a decade now. This is the security breach of the decade and we've heard nothing about it except for Bloomberg's 2018 article.
The statement from the NSA as quoted in the article was that:
> NSA cannot confirm that this incident—or the subsequent response actions described—ever occurred.
Maybe I'm reading too much into it but to me this looks as if they were in fact tacitly confirming it (at the very least, it's a steep departure from the standard "no comment" response typically employed in such situations).
It would be quite horrifying to see that NSA is unable to do such a simple thing as "can't confirm or deny" without side-channeling information. And since I can't see a reason for them to side-channel intentionally - if they wanted to confirm it, they would, there's no advantage in vague semi-confirmation for them that I can see. Thus, I prefer the option of reading too much into it.
I would note that if the NSA only "cannot confirm or deny" events that did occur, people would never believe it. For that response to work, the NSA has to practice not confirming things that did and didn't happen with regularity.
This whole thing is so weird. More importantly, true or false I don't see Bloomberg winning either way. False and they've just doubled down on a bogus story. True and they've just exposed something that's probably been kept very secret for very long by three letter government agencies that can't be very happy with them. And how the hell is this not on the front page of hn?
> True and they've just exposed something that's probably been kept very secret for very long by three letter government agencies that can't be very happy with them.
That's what being a journalist used to be about, before most of them became entertainers in service of political hacks.
> And how the hell is this not on the front page of hn?
I'm pretty sure it was buried intentionally by an admin. I watched in disbelief while older submissions with far fewer votes (thus less popular) and similar number of comments (no more or less contentious) made it to the front page at the same time.
So weird to see this post buried even though it was submitted 28 times in the last couple of hours. Is this considered too controversial or contentious?
Interesting. Can you see the story that you submitted yourself? When I look at your list of submitted stories, the last entry there is from 3 months ago. I also see some of your submissions, including those with only 1 point.
Now, I only ever submitted a couple of stories myself, but as far as I recall they start at 1 point by default, and can only be upvoted, so this is the lowest possible value. I can also see other "[flagged]", "[dupe]" and "[dead]" stories from the past couple of hours in the "newest" feed. When I click on another account's story that was "[flagged]" and is "[dead]," I can still see it listed under that account's submissions.
For the record, I doubt any such story would be buried here intentionally. Perhaps there is some other automated mechanism to remove duplicates if the linked URL matches exactly.
> Interesting. Can you see the story that you submitted yourself? When I look at your list of submitted stories, the last entry there is from 3 months ago.
It won't show up there if it was already submitted by someone else.
It’s interesting that in 2018 we didn’t see any anonymous posts confirming the story. This recent article suggests that knowledge was fairly well spread amongst government agencies and their suppliers. Impressive that the culture of secrecy remains so strong.
The real story is that OEM motherboards still have a terrible security story, years later. This has as much to do with Dell or HP as it has to do with Supermicro. Obviously firmware needs to be open source but it also needs to be signed and trust controlled by the entity owning the computer network. Only the big cloud players have that, the rest of us are still waiting for it to appear on the roadmap.