
Yossi Appleboum on How Bloomberg is Positioning His Research Against Supermicro - pjf
https://www.servethehome.com/yossi-appleboum-disagrees-bloomberg-is-positioning-his-research-against-supermicro/
======
sonnyblarney
It's an intriguing story.

Not to be too conspiratorial but one simple answer is that the US Feds asked
Bloomberg to give the story legs, as a public signal to China. Either to raise
the issue of China planting spyware chips on goods, or for some other
political reason.

The CIA et al. definitely have relationships with the big press outlets and
stories are placed for reasons of national security. Not quite 'propaganda'
but definitely for 'national cause'. The press is used as a way to
communicate, as if to say 'we know this, and now the world knows, hint, hint'
...

~~~
WillPostForFood
If you were doing this, why sabotage three American companies: Apple, Amazon,
and Supermicro? The stories about Huawei would make sense as propaganda. This
is terrible propaganda, and is going to end up being bad reporting.

We now have senior NSA officials disputing the story.

[https://www.macrumors.com/2018/10/10/nsa-senior-advisor-questions-businessweek-story/](https://www.macrumors.com/2018/10/10/nsa-senior-advisor-questions-businessweek-story/)

~~~
sonnyblarney
Of course the government would deny.

But I agree, it doesn't make a whole lot of sense, just an idea.

It might very well be true however and it would raise flags for a lot of
companies, not just Apple and Amazon, and it could very well be a 'reality
check' for corporate America.

I happen to know a little bit about how the US does some of these things,
moreover, a lot of it is public information, and it wouldn't surprise me one
bit if this story were essentially true and that there's a lot of lying
involved.

But who knows, it's a really weird one.

~~~
WillPostForFood
_Of course the government would deny._

It doesn't make sense for them to proactively deny it. If it was government
propaganda, why would they attack the Bloomberg story. They could just say we
can't confirm it, which would leave the door open to it being true. Denying it
is counterproductive if it was a planted propaganda piece.

It is a fascinating story, anything is still possible, but the momentum is
starting to swing against Bloomberg.

~~~
village-idiot
Beyond that, a denial is actually quite rare. The three-letter agencies usually
stick with the Glomar response, "we can neither confirm nor deny", to prevent
people from determining the truth by process of elimination.

~~~
rangibaby
Refusing to confirm or deny could have helped the US in 1960:

An American U2 "weather research" plane is shot down over the USSR.

The US strongly denied that the U2 was a spy plane and produced "weather
research" U2s in NASA livery and a story about how the pilot's oxygen
equipment malfunctioned.

...the USSR had failed to mention that the U2 pilot (Gary Powers) was alive
and well, and that the definitely-a-spy-plane was recovered mostly intact.
Oops!

------
jjcc
_> I want to be quoted. I am angry and I am nervous and I hate what happened
to the story. _

If Bloomberg is honest, they should apologize. Will it happen? Not likely.
They are deliberately misleading.

Misleading is a mathematically higher-order lie, i.e. a lie about another lie
that decorates the other lie into a non-lie so it can gain the support of
many believers even if it's not correct. In contrast, a blatant lie is a first
order lie which is very clearly right or wrong. It's not defendable.

That's a big difference between US/European MSM and the propaganda from some
totalitarian regimes as I observed. Most audiences seem to be not aware of the
former, and they often believe those who know both are brainwashed by the latter.

~~~
gerdesj
_If Bloomberg is honest, they should apologize. Will it happen? Not likely.
They are deliberately misleading._

I wasn't aware that Bloomberg had unequivocally been demonstrated to have
misled anyone. At the moment, Bloomberg have made some allegations and
several parties have made assertions in response to those allegations.

I don't understand your final paragraph.

~~~
platinumrad
Multiple Bloomberg sources have claimed to have been misrepresented in their
articles.[1][2] How has Bloomberg not misled anyone?

1\. The article in the OP

2\. [https://twitter.com/riskybusiness/status/1049429881031819264](https://twitter.com/riskybusiness/status/1049429881031819264)

------
Canada
Hopefully this doesn't wind up as another "BadBIOS", where nobody produces any
real technical evidence that it's true.

~~~
xvector
BadBIOS wasn’t real? It sounded so innovative! My day is ruined and my
disappointment is immeasurable.

~~~
platinumrad
The fact that years later people still don't know that BadBIOS wasn't "real"
speaks volumes about how this whole incident is going to be remembered. All of
the sensational claims get reported everywhere while the eventual retractions
are largely ignored.

~~~
Canada
In the case of BadBIOS there was no retraction. The person who claimed to have
found it kept on insisting he did, but he never posted the malware. He just
kept on making unverifiable claims and posting meaningless spectrograms and
ignoring calls to just show us the code he says he has.

~~~
peter_d_sherman
What if every single scientific discovery in history was forwarded to a bunch
of public-facing guys who said, "Nope, this isn't true." Where would we be
then? Remember Galileo? Every single technical person worth their salt
owes themselves the favor of doing their own research, and forming their own
opinions. I don't know if BadBIOS is real or not, but until I've done my own
research and reached my own conclusions, I (politely!) refuse to take other
people's opinion on the matter. Unverified claims? By whom? I refuse to believe
what amounts to speculation, conjecture and hearsay by any party! Also, please
think about "The Streisand Effect"
([https://en.wikipedia.org/wiki/Streisand_effect](https://en.wikipedia.org/wiki/Streisand_effect))
when you make posts deferring to debunking by a supposed authority. All I know
is that before you posted, I was not interested in BadBIOS... now I am... and
I'm going to do my own research on the matter.

------
ismail
The story may be simpler than initially thought.

“Whereas the Bloomberg story singles out Supermicro servers, Mr. Appleboum’s
sentiment is that this is an industrywide issue”

Review the site at:
[https://www.sepio.systems/solution/](https://www.sepio.systems/solution/)

What type of companies stand to gain from the piece?

~~~
giobox
Apparently Bloomberg’s bonus plan for its journalists includes provisions for
rewarding stories that “move the market”. One could argue that this sounds
like potentially a perverse incentive that could reward questionably sourced
stories such as this for the journalists themselves, rather than a specific
company gaining.

It’s hardly a stretch to imagine a story like this materially affecting the
accused companies’ stock prices, which presumably could qualify as a market
moving story.

> [https://www.businessinsider.com/bloomberg-reporters-compensation-2013-12](https://www.businessinsider.com/bloomberg-reporters-compensation-2013-12)

~~~
AmericanChopper
You can really tell when somebody gets 100% of their news from HN... They
don’t do that anymore, partially due to that 5 year old article (which was
reposted on HN yesterday?...)

~~~
Illniyar
As far as I can tell there is no evidence that the practice has stopped.

------
basicplus2
TLDR:

<We found it in different vendors, not just Supermicro. We found it not just
in servers, in different variations, but hardware manipulation on different
interfaces, mostly in network related. We found it in different devices
connected to the network, even Ethernet switches. I am talking about really
big what are considered to be major American brands, many compromised through
the same method.

This is why I think that Supermicro has nothing to do with that. In many
cases, by the way, it is not through manufacturing, it is after through the
supply chain.

People think of the supply chain in a very narrow sense between the
manufacturer and the customer.

Supply chain never ends. There are technicians, there are integrators, there
are people that work in your facilities. We have seen after installation,
after the fact attacks where someone switched something already installed.
This is why Supermicro would have no idea what happens later in the supply
chain.>

------
Animats
Where's the board? The original Bloomberg story showed pictures of a
motherboard. Supermicro motherboards are not rare. Why hasn't one with this
strange 6-pin chip surfaced?

~~~
SyneRyder
Those were never pictures of the board or the chip. The images are credited to
an illustrator. The report itself never mentioned 6-pin. And if you listen to
the Risky Business podcast, the chip image is actually a signal coupler sold
via Mouser Electronics, that Joe Fitzpatrick sent the journalists a link to
when they asked him "what does a signal amplifier or coupler look like".

[https://risky.biz/RB517_feature/](https://risky.biz/RB517_feature/)

[https://appleinsider.com/articles/18/10/08/security-researcher-cited-in-bloombergs-china-spy-chip-investigation-casts-doubt-on-storys-veracity](https://appleinsider.com/articles/18/10/08/security-researcher-cited-in-bloombergs-china-spy-chip-investigation-casts-doubt-on-storys-veracity)

Actually, you can check for yourself. It's the first photo result at Mouser if
you search for "signal coupler". Seems everyone has been running around trying
to find a TDK HHM22137A2 on their Super Micro boards:

[https://au.mouser.com/_/?Keyword=signal+coupler](https://au.mouser.com/_/?Keyword=signal+coupler)

------
lvs
Did I miss something here? Is there a positive-ID photo of the impacted
chips/packages anywhere?

~~~
creeble
Agree. Picture or it didn’t happen.

Why are we even debating this crap without a single shred of physical
evidence?

------
patrickg_zill
If Yossi was ex KGB or CIA instead of ex Mossad, would it modify your
perception of the veracity of his statements?

------
ezVoodoo
A second lie to cover up the first lie. Keep it rolling, Bloomberg. We are
watching with a smile.

~~~
0x8BADF00D
Whether or not it’s a lie, you would be a fool to think your hardware is safe.

~~~
Spooky23
It is hilarious that a non-revelation like this goes bananas, while blobs of
mostly unknown code from places like Computrace have been embedded in most PCs
for 20 years.

Nation state actors enabling surveillance is definitely plausible, but it would
seem dumb to broadly deploy such an obvious, tamper-evident piece of hardware
to sophisticated targets.

~~~
Animats
Yes. Intel Management Engine.

The easiest way to implement a backdoor for Intel CPUs is to get your own code
into the Management Engine somewhere in the supply chain. That's if it doesn't
have one already.

------
JdeBP
The actual title is _Yossi Appleboum on How Bloomberg is Positioning His
Research Against Supermicro_.

~~~
dang
Right. We changed it back.

Submitted title was "Yossi Appleboum Disagrees with Bloomberg", which broke
the HN guideline about titles: "Please use the original title, unless it is
misleading or linkbait; don't editorialize."

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
anon49124
For any Fortune 500 (Google, Apple, HP, etc.), have certain staff work
covertly under shell subsidiaries but develop close rapport with key vendors
(as said subsidiary), make straw purchases and do comprehensive (bordering on
intrusive) supply-chain surveillance and auditing, because the targets on the
side of the parent corp's "boat" paint them as easy marks for
industrial/economic espionage/sabotage/monitoring. Not only does this help
confuse/disinform competitors, but it can make attacks by state and other
actors more difficult.

This might mean high-resolution X-raying of all hardware and cryptographic
signature verification of all firmware in order to prove hardware received is
what was designed, and nothing else.

------
tooltalk
Well, while I agree that it's an industry-wide problem, it's kind of obvious
why Supermicro has been singled out out of all vendors making enterprise
servers with BMCs -- Supermicro is the cheapest, no-frills whitebox vendor. I'm
pretty sure that other big tech companies like Google have greater control
over their hardware and custom design it; most financial clients I've worked
with would simply never touch these generic boxes with a 10 foot pole. For
lesser enterprise tech companies like Apple, their datacenters are filled with
cheap generic Chinese servers they penny-pinch from noname companies like
Supermicro and Wiwynn with bare minimal, unstable, insecure management BMCs and
little or no control of their own (to save money).

I've worked with these BMCs for the past 10 years off and on; started at a large bank
automating deployment of market data infrastructure on HP hardware; couldn't
believe how unstable and insecure they were and how much security risk they
posed. Most recently at my last job, about half the BMCs from Supermicro went
lemon in production; and not too long ago, discovered the AAAA* security bug with
iLO4 on slightly older HPEs. HPE had at least a fairly responsive post-sales
team and I must say their OOB BMC (iLO) improved a lot over time. SM just
sucked so badly that my last employer, who had unwisely standardized on Wiwynn
and Supermicro to save money, ditched them all for HPE this year.

