[throwaway290342]

Okay, crazy tinfoil hat time: what if this story is a plant from a particular part of the Chinese government (like PLA Unit 61398), designed to give the impression of the ability to disrupt global supply chains and to build respect through fear?

If all of these unnamed sources are unnamed because they were adversarial members impersonating government officials, then that would make a little more sense why current government bodies are not just staying mum, but actually denying knowledge of the story.

With the software attacks being much more feasible as the Ars article points out than a hardware attack, then it would also make it so that the vehement denials from affected companies would be true as well. The whole thing could be a large disinformation campaign to strike at the very core of what many would otherwise consider reasonable security.

[saudioger]

I can't cite this case specifically, but normally it would be incredibly difficult to impersonate a government official as a source.

In my experience verifying a source means weeding out that possibility before publishing... e.g, cross-checking data from a third party (background checks, employment history, social media accounts, public records), then photos of credentials, video chats, etc. Then you cross-reference information with other sources on the story, etc... conspiracy is possible, but unless Bloomberg is inflating the number of sources it has, it would have to be a massive undertaking (state-sponsored).

Anonymous doesn't typically mean someone just calls up and says something and then it's off to the presses. They know exactly who gave them the information, but they're protecting the identities.

Maybe claims of "fake news" would be a lot less common if more people knew what went into verifying information before a major news outlet publishes a story.

[stevehawk]

What has truly surprised me in all of this is the skepticism expressed about this being plausible. Most nerd sites are rife with thoughts on how insecure things are and hypothetical ideas on how something could be compromised but all of a sudden this one isn't possible? We know the US Gov't has done it in transit but it's ridiculous to think a state owned manufacturer wouldn't do it on the factory line?

We know this very state does it to laptops brought into the country by corporate execs (https://www.securityinfowatch.com/blog/10861870/keeping-secr...) but again, there's no way they'd do it on a factory line?

I don't get it. Are we so confident that Amazon, Google, and Apple wouldn't fall for this that we refuse to believe it? I know everyone is saying "show us a compromised board!" but it's very likely that the our Gov't would ask that either (a) those boards be left in place or put in a honeypot so the enemy doesn't know that we know or (b) get handed over to them for forensics, etc and probably destroyed.

For the most part in my nerd circle of friends I've noticed that the only ones that believe the Bloomberg story are the ones that were or currently are in the intelligence community. Everyone else thinks it's Bloomberg being dumb because of that whole "they pay journalists based on how they change stock prices" article.

[creeble]

I don't hear skepticism on plausibility.

I just hear skepticism based on lack of actual evidence, as there has been, to date, exactly zero. For a hardware back that could only have been done at a large scale.

[kickopotomus]

This is why I am skeptical. I will not presume to know how Supermicro and Elemental operate but I find it unlikely that this would go unnoticed by both of them. The guys I work with raise hell if CRCs on firmware images don't match, much less a BOM change. There are a lot of QA breakdowns that have to happen after manufacturing for this sort of attack to be successful. Could it happen? Sure, but there should be some sort of available evidence. What about the rest of Elemental's customers? Did the government manage to quietly take all of their servers as well?

[bdamm]

Eh... it's not quite that simple. Checking the firmware before it goes into the device is not the issue. It's after the firmware is in the (integrated) device that it's an issue. How do you check that? You have to boot the device to calculate the CRC. Now assume that the device's bootloader is compromised and that the device actually has more internal storage than you thought. Now what? Ensuring correctness of firmware to verify the device won't do something you've never seen it do is quite difficult.

[kickopotomus]

I just brought up the CRCs as an example of due diligence. This attack, as I understand it, hinges on a design and BOM change to the board. So my question is how did that change manage to make it past both Supermicro and Elemental?

[vel0city]

Depending on what the chip did, the CRC on a firmware image may not actually change. If the chip was just listening to the SPI lines to the BMC's load, it could just inject additional data into the stream. The flash chip on the board could be 100% legit, but the final image loaded on to the BMC might be malicious. Do you really CRC the entire BMC environment after boot, or just check the image when you go to update the BMC?

[tracker1]

I think that most rational people hold a state of natural disbelief to conspiracies in general. For example, 10 years ago, the thought of a government slurping up all network communications into large collections of data storage for later analysis seemed so unlikely. The cost of storage, the expanse, the inability to make any effective querying against the data... just made it seem highly unlikely.

Then you come to find out it's actually happening. It just seems like such a huge thing that's hard to comprehend. I, personally believe it's entirely plausible.

[newuser12344]

Yes! I am amazed at the general attitude of skepticism expressed in response to the Bloomberg article.

BTW, Amazon doesn't know anything about security. Every day I observe examples of people who work there, wittingly or unwittingly, doing things to erode any security that might happen to be in place. It's almost entirely run by below average people scrapped up and recruited from the dregs of third world countries.

[jack6e]

But the effect of that would be to cause massive distrust of Chinese suppliers and cause a shift away from electronics being produced there. IC and cyber experts generally identify the Chinese as using intelligence operations for primarily economic purposes, as compared to Russian/Iranian/North Korean objectives being military or political. A Chinese military intelligence agency using cyber espionage to intentionally disrupt one of the most significant export industries of the Chinese economy does not seem likely, nor does it seem to provide such an out-sized strategic benefit as to be worth the economic cost.

[throwaway290342]

Good point, I agree with that thinking. But the actual execution of such a hardware-based attack would surely be discovered at some point anyway, and risk the same negative outcome. So then that would leave the only possible conclusion that the story just isn't true at all. In the end, none of it makes clear sense...

[jack6e]

The difference is two-fold: actively planting a fake story means that first, the espionage is fake and thus no real intelligence can be gathered, so the only benefit is the hypothetical respect you suggested; second, the story will definitely get out, thus the potential for the negative effect is innately 100%. However, as a real intelligence operation the cost/benefit analysis is inverted, because there is a real, tangible benefit to extracting possibly sensitive commercial and national security information. And while an eventual discovery is always a possibility, it seems care was taken to ensure it would only be a small possibility, and that in any case it would be in the future, hopefully after a large amount of useful data is extracted.

So in the planted story hypothesis, there is certainty of negative outcomes with only the potential for positive outcomes, and those only intangible, while in the this-is-real hypothesis, there is near certainty of some tangible benefit with good probability of significant tangible benefit, with only a potential, distant, deniable risk of negative outcome.

[tracker1]

I would say that given the amount of motherboard variants, even gene rationally that have varying differences, especially in component supplies, it was pretty unlikely to see the issue. I mean, while some may take a MB out and inspect it thoroughly, most that I'm aware of, will plug it in and if it works, leave it there.

[jmull]

I think it's plausible there's a disinformation campaign behind this strange story and that Bloomberg were the eager dupes.

But unnamed sources are known to the reporters and as "senior national security officials" they should be easy to verify and difficult to fake.

My guess is it's a subgroup of one of the agencies running a relatively independent operation to boost distrust of China. A rather inexperienced or at least incompetent group, based on how awkwardly it's gone over.

(Not that I've come to any conclusions... I think there's more info to come on this.)

[wycy]

It seems like this would be a really bad idea. Scaring companies away from buying Chinese-manufactured products couldn't possibly be worth the respect through fear.

[C1sc0cat]

Why would he do this its going to damage china economically and diplomatically.

[nakedrobot2]

No.

A better tinfoil hat theory is that the whole story was fabricated by Russia, to (you know, as always) sow chaos.

[freeflight]

No need for that much tinfoil, this came in parts straight from the Pentagon [0] and Bloomberg's "specialist", Tavis Ormandy, turned out to have a vested interest in selling "cyber security" related products aimed at supposedly fixing exactly these kinds of supply chain problems [1].

Imho The Register also points out some interesting details about this whole thing [2]

It's not really that surprising, fits perfectly into Trump's narrative of "They took our manufacturing, it's time to take it back to the US!". Gotta start somewhere, telling everybody China is selling a lot of bad apples seems like a simple enough start.

[0] https://s3.amazonaws.com/static.militarytimes.com/assets/eo-...

[1] https://web.archive.org/web/20170721190725/http://www.sepio....

[2] https://www.theregister.co.uk/2018/10/04/supermicro_bloomber...

[gjm11]

Do you mean someone else rather than Tavis Ormandy? As someone else has already pointed out, he's at Google Project Zero (which isn't in the business you describe) and I don't think he's ever worked for the company whose brochure you linked to, and so far as I can see he's been pretty rude about the Bloomberg story.

[nova22033]

Tavis Ormandy works for Google project zero. Are you saying he has a vested interest?