
One Year After ‘The Big Hack’ - geogra4
https://pxlnv.com/blog/one-year-after-big-hack/
======
mroche
I admit when this story dropped I got caught up in it. It was my first time
purchasing/managing server hardware and I had just finished getting our 6 node
configuration of MicroBlades up and running. The board picture Bloomberg had
as the banner of their story exactly matched that of what I had spent over a
year and a half getting my university to order on our (a club’s) behalf.

Suffice it to say all logic went out the door that day. A friend and I
inspected each of the blades visually, but didn’t see anything. I then called
SuperMicro support and asked about the report. The person on the other side
had one of the most tired, frustrated, and depressed sounding voices I’d ever
heard. All they could do was point me at the company’s official statement on
their website, which was down for a considerable portion of time that day.

As a Tier 2 vendor, SuperMicro makes decent stuff. A bit rough around the
edges and doesn’t come with all the goodies and support you get from Tier 1
vendors like Dell, but man can you bulk buy their gear. At the time, we were
able to get 6 blades and a chassis for ~$20K USD (2x10 core Xeon w/64GB
memory). Dell had us at about $15K for a weaker configuration of a single
blade, and HP wasn’t even on the map.

------
temac
> Bloomberg

> After being annihilated after the story’s publication, Supermicro’s stock
> has bounced back.

You can quickly form a theory that would be interesting to investigate...

~~~
xeromal
My first thought was that investors have pretty small short term memories as
evidenced by any kind of major event that tanks a stock. Most seem to recover
after the issue is forgotten in 2-3 weeks.

------
brunoTbear
I think this was a remarkable piece of journalism. Bloomberg standing by it,
to me, speaks of a national security source that they cannot identify. Imagine
the struggle of the journalists to pull together a story of national security
interest with a source they cannot reveal.

I work in this industry. I know guys who did this kind of work. I found the
Bloomberg piece credible then, and I find it credible now.

The rule of deny everything makes sense. Of course every downstream player has
denied. Good for them for doing so. And good for Bloomberg as an institution
for standing by journalists who got a good story and hopefully moved the cost
needle for carrying out these kinds of insidious attacks.

------
busterarm
Bloomberg has done a lot since then to further call their credibility into
question.

As far as I'm concerned, it's about as reliable as the Weekly World News.

I'm just waiting for their version of the Batboy article. Except maybe this
was it.

------
brudgers
Bunnie Huang's talk on supply chain security helped me form an opinion on the
probability of Bloomberg's claims.
[https://www.bunniestudios.com/blog/?p=5519](https://www.bunniestudios.com/blog/?p=5519)
YMMV.

~~~
pfranz
I was trying to find the last time I commented on this story (wasn't sure if
it was done here or elsewhere). I remember reading an article a few years
prior to the Bloomberg story where Apple had talked about photographing their
server components as part of their supply chain security. Someone replied that
the article could have fit Bloomberg's timeline of events and could have been
a reaction specifically to what Bloomberg had been reporting on. I see the
talk you linked is from Feb 2019. I'd be curious to hear about interest or
measures taken prior to Bloomberg's timeline.

------
stanski
Sounds like they got taken in by this Yossi Appleboum fellow and the story was
too juicy to pass up, evidence be damned.

From their perspective, it probably worked because of the attention they
received.

------
sneak
Meanwhile, we have actual photographs of US intel agencies repackaging
intercepted Cisco routers, new in box, freshly compromised, being shipped
abroad, and there was much less media coverage.

~~~
crmrc114
Yeah, but we are the good guys, right?

There is a select amount of cognitive dissonance required to support domestic
implants in our hardware and then call out the Chinese when they do the exact
same thing.

~~~
imgabe
Maybe not the "good guys" in an absolute sense, but as a US citizen, I would
expect the US to be more aligned with my interests than the Chinese
government.

All countries are attempting to spy on each other. Of course they are. If you
expect your country not to because of some misguided belief that this would
make them a "good guy" you're just asking for your country to be weaker than
others.

It's not cognitive dissonance. That's like saying, "Gee, you don't like it when
the other team scores a goal, but you sure are happy when your team does it!"

~~~
jakobegger
If your own government sends you a manipulated device, is that really better
than a foreign government sending you a manipulated device?

~~~
imgabe
You pay taxes to your government, right? Is that really better than sending
your money to a foreign government?

Of course a manipulated device isn't ideal, but if it's one where I at least
have _some_ say in the government and that can in a lot of cases be trusted to
respect human rights that's better.

I mean are you actually asking if it's better to be ruled by the US government
than the Chinese government? It is possible to go see for yourself.

~~~
jakobegger
First of all, I don't live in the US.

I pay taxes to my government so that they build infrastructure, run public
services, etc. Foreign governments normally don't do anything for me, so I
don't pay them taxes (unless I'm travelling or doing business abroad, etc.).

I can think of no scenario where it would be acceptable that my government
intercepts and manipulates a device that I ordered. If they would do that, I
would protest and complain loudly.

Also, I'm not "ruled" by my government. The government provides services and
creates laws for the people. I don't live in a dictatorship.

------
aalleavitch
The problem is that if everyone involved in this aside from Bloomberg is doing
their jobs correctly, we would never know the truth either way. This is not a
thing anyone involved would actually want us to know.

------
cryptozeus
“What does that say about Bloomberg’s integrity”

Nothing; news has been entertainment for the longest time now. Anything with
an anonymous source and no evidence should be counted as someone’s daydream of
becoming a sci-fi writer.

------
panpanna
I think this story was fabricated or at least built around a misunderstanding.

With that said... given the opportunities the Chinese have it would be plain
crazy if they haven't at least tried similar things.

------
fnord77
Seems like physical evidence would prove this story. Has anyone other than
Supermicro's 3rd party auditor X-rayed the chip in question?

~~~
jakelazaroff
You don’t think that if the story were true and could be easily proven,
Bloomberg would have done it?

~~~
fatbird
One possible explanation for Bloomberg's actions is that they have
corroboration of Appleboum's claims that they can't reveal publicly. One
source without proof would never be able to drive a story like this, but if
they had multiple, independent corroborating sources, they might feel confident
enough to publish; maybe they hoped public corroboration would follow.

~~~
jakobegger
Or a journalist saw a chance to get famous quickly and didn't bother to verify
the sources.

The story was so good that everyone wanted it to be true and nobody said that
it looks like an incoherent mess.

~~~
fatbird
No journalist gets to publish stories on their own. Stories always have
internal review with at least the relevant editor, and big stories get
multiple levels. The authors worked on it for months. If this was a case of
rushing it out without enough verification, then there are many more than just
the two journalists at fault.

Which is totally possible, but normal journalistic practices already exist to
prevent just what you suggest, and are the norm, not the exception.
