Not to be too conspiratorial but one simple answer is that the US Feds asked Bloomberg to give the story legs, as a public signal to China. Either to raise the issue of China planting spyware chips on goods, or for some other political reason.
The CIA et al. definitely have relationships with the big press outlets and stories are placed for reasons of national security. Not quite 'propaganda' but definitely for 'national cause'. The press is used as a way to communicate, as if to say 'we know this, and now the world knows, hint, hint' ...
We now have senior NSA officials disputing the story.
But I agree, it doesn't make a whole lot of sense, just an idea.
It might very well be true however and it would raise flags for a lot of companies, not just Apple and Amazon, and it could very well be a 'reality check' for corporate America.
I happen to know a little bit about how the US does some of these things, moreover, a lot of it is public information, and it wouldn't surprise me one bit if this story were essentially true and that there's a lot of lying involved.
But who knows, it's a really weird one.
It doesn't make sense for them to proactively deny it. If it was government propaganda, why would they attack the Bloomberg story? They could just say we can't confirm it, which would leave the door open to it being true. Denying it is counterproductive if it was a planted propaganda piece.
It is a fascinating story, anything is still possible, but the momentum is starting to swing against Bloomberg.
An American U2 "weather research" plane is shot down over the USSR.
The US strongly denied that the U2 was a spy plane and produced "weather research" U2s in NASA livery and a story about how the pilot's oxygen equipment malfunctioned.
...the USSR had failed to mention that the U2 pilot (Gary Powers) was alive and well, and that the definitely-a-spy-plane was recovered mostly intact. Oops!
How is this not propaganda?
It's not propaganda to inform the world that someone is infiltrating supply chain networks for the purposes of espionage. As if they are not aware already, it's a wake-up call.
If the story were utterly untrue, or it was a pernicious fabrication of information or misdirection, then it would be propaganda.
For example, some US military maneuvers in E. Asia are especially made public via mainstream media channels (even though they might be public anyhow, there's extra emphasis to make sure there's coverage) to make sure a message is sent. The popularization of a straightforward story in that case I don't think would really be propaganda.
I don't think that word means what you think it means
We've done the same thing here. When relations with the US and China were bad, the news coverage of China is very anti-China. When relations are good, the news coverage turns good (like the generous, almost fawning, Deng news coverage in the 70s).
Of course it's the most noticeable or obvious during war time, but propaganda is ever present during peace, it's just more subtle.
Having a story 'encouraged' in the press about hacking of supply chains for espionage is a pretty decent way of signaling to all involved that the jig is up.
Ginning up anti-Chinese news over many cycles is more like propaganda, but what does that accomplish? Nothing really, unless nations are really at war and then the 'truth is the first casualty' of course.
I think the reason the press is softer on China lately is purely economic, businesses are linked, they pay ad dollars, and they can demand stuff be snuffed just like Harvey Weinstein could get stories canned via backroom arm twisting. Witness specifically the disappearance of all things Dalai Lama and Tibet, which was all the rage in Cali a decade ago and now nobody talks about it. Can't risk upsetting those Chinese dollars flowing into big projects.
The biggest difficulty in a democracy is that public opinion matters. If you do something that is widely unpopular, it means that it may cause problems for you. If you want to do something, for example put harsh trade barriers up against a country, then you want people to think, "They deserved it because they did X which is far worse".
So here's a completely fictional idea. I don't propose that this will actually happen, just that it's an example of why you might want to do this. Let's imagine that you don't like the fact that the Chinese are able to take a lot of electrical manufacturing away from the US. You know that the US can't compete because wages and working conditions have to be higher. Also, the Chinese have more control over their industry because they run a totalitarian regime.
So, you get this idea, "Let's say that we have to inspect all electrical parts outsourced to China because it is a threat to our security. We can add on a 30% tariff to cover the job." This does many things. It makes outsourcing to China very expensive and allows US manufacturers to compete. Even if companies continue to choose Chinese outsourcing, it allows you to hire a whole bunch of unskilled workers as "inspectors". Finally it creates a precedent that electronic outsourcing is "dangerous" and must be controlled by government inspections -- allowing you some sort of control over how US companies can choose to outsource. This is especially compelling if you, personally, think that you can use this to your advantage after you leave office and return to business.
So, you leak a whole bunch of information about how the Chinese suppliers are implanting spying devices into servers built by the largest and most successful US companies. And the sweet thing about it is that they probably are doing it occasionally, so all you have to do is to find a single example of it and then convince some reporters (who are journalists, not engineers) that it's happening more often and that the big businesses are engaging in a huge cover up. And because you are the government, you can round up some pretty impressive credentials (off the record, of course!) to back up your story.
Like I said, I don't think that's what's going on (and I'll fall off my chair laughing if the US government decides to do what I said), but it's a completely plausible idea. There is considerable value in manipulating public opinion in this manner (or, more likely, something a lot more subtle).
If it were true, I wouldn't be the least surprised.
But consider this - it might be absolutely fair.
For the same reason you cannot have 'free trade' between a 'state actor' and an 'open economy'. Can't work due to dumping, strategic investments, etc. etc..
So if China wants to play huge strategic games and control their economy, keep wages low, keep people utterly in the dark and under their control - for the purposes of taking away major industrial sectors to the US ... then it would be 100% fair game for the US to intervene. I don't even think they'd have to do it covertly.
I believe that there should be an x% tariff from any nation that is not 'free market'. And then a y% tariff if they are externalizing things like pollution and human rights. After all, if China has only a 50% wage advantage due to overtly oppressed wages, then how can anyone compete? And then a z% tariff for currency manipulation.
'Tit for tat trade' is the best policy and I think that would be a great approach to China: when they enact pollution laws that are consistent with ours, then that tariff gets reduced. When they get rid of currency flow controls and allow money to cross the border as happens here, then no more z% tariff.
The truly bizarre thing about this scenario is that this is a surprise to anyone. Of course 'supply chains are infiltrated'. This is 100% happening, we know this, because 'we' i.e. Western powers do it. For gosh sakes. Given the super aggressive policies that China has going on right now - even trying to recruit and pressure ex-pat students, their 100% control of information etc. ... it should be of no surprise to anyone that they are up to this.
Even Canadian PM Trudeau, kind of the 'opposite of Trump' and actively trying to get along in China has recently banned some Chinese investment and activity by mobile phone manufacturers.
I think that any major company should probably be inspecting all hardware that comes in, and I don't doubt that this is going to be 'the new normal'.
I hope it's all just a bad story but my bet is that it leans towards the truth, and there is probably some funny business going on as well.
If Bloomberg is honest, they should apologize. Will it happen? Not likely. They are deliberately misleading.
Misleading is a mathematically high order lie, i.e. a lie about another lie that decorates the other lie into a non-lie so it can gain the support of many believers even if it's not correct. In contrast, a blatant lie is a first order lie which is very clearly right or wrong. It's not defendable.
That's a big difference between US/European MSM and the propaganda from some totalitarian regimes as I observed. Most of the audience seem to be not aware of the former, and they often believe those who know both are brainwashed by the latter.
I wasn't aware that Bloomberg had unequivocally been demonstrated to have misled anyone. At the moment, Bloomberg have made some allegations and several parties have made assertions in response to those allegations.
I don't understand your final paragraph.
1. The article in the OP
The counter-stories I have seen around the Bloomberg story have been "let us parse these press releases to be certain that they say 'yes, this is flat-out wrong, there is no substance to this at all'".
If someone is saying "misleading", that someone is saying that denials as such can't be true.
"True but I'm angry 'cause the spin is so wrong" is actually quite a "head turner", whatever the actual situation.
Totally OT, but I wish there would be a policy on here (and elsewhere, but let's start small...) where a certain list of shibboleths like 'MSM' and 'HRC' and 'triggered' (just including that one to not single out any one side) would be prohibited on this site (and attempts at getting around it, like using 'M$M' instead, aggressively punished). Of course it's 'censorship' and many other bad things, but it would at least get rid of those posts that aren't being taken seriously by 50% of the readership anyway, and therefore serve no purpose towards the overarching goal of having 'intelligent discussion'. If we're going to pretend we're all here to have balanced discussion and that this is no place for partisan warfare, we might as well create an environment that (tries to) reflect that.
That said, I understood MSM as Mainstream Media from context and results of 5-second web search, it was not very difficult to find this. When something becomes a concept, a name is appropriate and useful and learning new concepts and their names is one reason people are here. Why would this name offend you?
And it's only censorship for a very naive definition of the word. It's more tone policing, which ironically is one of the very phrases that would probably be put on the 'banned word list'. Which in turn indicates how it's not a very practical idea to actually implement. Maybe it should be seen more as a 'guideline to intelligent discussion', where anyone using loaded phrasing (either be it deliberately, which would signal them for not engaging in honest debate; or accidentally, which would signal them for not being informed enough to actually participate) should be 'encouraged' through social norms to learn how to better express themselves, where 'better' means in a way that de-escalates emotional flare ups rather than digging their heels in the sand, preparing for battle.
Another thing I found is that, it seems to me, the way you put yourself into a judge's position by deciding which is "intelligent discussion" makes all the discussion un-intelligent.
Likewise, it is not controversial or even assuming to state that explicit tribalism and signaling of affiliation does not make for 'good' or 'high quality' (if you prefer those terms over 'intelligent') discussion. Sophistry is not 'intelligent' discussion. It may require high intelligence to pull off well, but it's not 'intelligent discussion'. I'm not saying which topics are 'intelligent' or not, or what position in those topics is, just that some forms of having any discussion are 'better' than others. It's a 'meta-judgement', if you will. 'Intelligent discussion' doesn't just mean 'discussion between two people who are intelligent and well informed on the subject'.
Again, what's the neutral equivalent? I mean the entities that often use some maybe unintentional but very sophisticated "deceptional" tricks (I know the word is quite strong). I've noticed it very often, but I guess a lot of readers might not be aware of it. I'm not assuming I'm better than most readers here, but I just have a broad connection to the other side of media and readers.
This could be said as "I hate what kind of story I read from those true facts that I told you." Which may well be - true. Apple and Amazon may have done real-denials but this sentence, at least, is maximum non-denial-denial. Bloomberg may well have burned the relationship that Appleboum had with the various people involved in this story and he's ready to say he very much hates how his name is here.
Which, if that's the only complaint, tends to give greater credence to the story. If X people are saying "false, completely!" and another portion are saying "true but spin, completely wrong focus" only one of these groups can be telling the truth.
And sure, that doesn't keep Bloomberg's story from being propaganda.
The interviewee says that Bloomberg is inaccurate in that it appears to single out only SuperMicro servers. This article reinforces their claims by pointing out that not only is it an issue for SuperMicro, it’s true of the industry at large.
Bloomberg’s explanation for focusing on the SuperMicro bit is fairly clear. That’s where their sources confirmed. I’m pretty sure nowhere in the article does Bloomberg state that none of SuperMicro’s competitors have this issue. If anything, the SuperMicro incident which they have been able to find evidence for is held up as an example.
1. In the first report, Bloomberg have strong, specific claims: China already hacked the servers used in some big companies; it's the PLA who did the tampering; they have evidence/sources.
2. In the second report they provide weak evidence that is not related to the strong claims: it's a general security issue all over the industry, a lot of hardware could be tampered with, etc., etc. Although maybe exaggerated, I believe it's true.
So talking about general security risk is already shifting the focus. If there's a 2nd report, it should address the conflicts with the denials from Apple and Amazon which caused the dispute, not talk about something that can easily reach consensus and is closely related to the real controversial topic. If they want to talk about general security issues, they should make it clear and do it better at a separate time. By putting those 2 different things together, it makes an impression on average readers that the 2nd part can support the 1st part. Which seems to me to be a dishonest practice.
"Totally possible. We have been a witness, or have been involved in an investigation, not in the US by the way, but who cares. Eventually, the one who switched the box was a guy who got money to switch boxes during the shipment."
The only thing Yossi wants to clarify is that it's not specific to SuperMicro, and that therefore it's a much bigger and worse problem than if it was.
“Whereas the Bloomberg story singles out Supermicro servers, Mr. Appleboum’s sentiment is that this is an industrywide issue”
Review the site at: https://www.sepio.systems/solution/
What type of companies stand to gain from the piece?
It’s hardly a stretch to imagine a story like this materially affecting the accused companies’ stock prices, which presumably could qualify as a market moving story.
<We found it in different vendors, not just Supermicro. We found it not just in servers, in different variations, but hardware manipulation on different interfaces, mostly in network related. We found it in different devices connected to the network, even Ethernet switches. I am talking about really big what are considered to be major American brands, many compromised through the same method.
This is why I think that Supermicro has nothing to do with that. In many cases, by the way, it is not through manufacturing, it is after through the supply chain.
People think of the supply chain in a very narrow sense between the manufacturer and the customer.
Supply chain never ends. There are technicians, there are integrators, there are people that work in your facilities. We have seen after installation, after the fact attacks where someone switched something already installed. This is why Supermicro would have no idea what happens later in the supply chain.>
Actually, you can check for yourself. It's the first photo result at Mouser if you search for "signal coupler". Seems everyone has been running around trying to find a TDK HHM22137A2 on their Super Micro boards:
Why are we even debating this crap without a single shred of physical evidence?
Nation state actors enabling surveillance is definitely plausible, but it would seem dumb to broadly deploy such an obvious, tamper-evident piece of hardware to sophisticated targets.
The easiest way to implement a backdoor for Intel CPUs is to get your own code into the Management Engine somewhere in the supply chain. That's if it doesn't have one already.
Submitted title was "Yossi Appleboum Disagrees with Bloomberg", which broke the HN guideline about titles: "Please use the original title, unless it is misleading or linkbait; don't editorialize."
This might mean high-resolution X-raying of all hardware and cryptographic signature verification of all firmware in order to prove hardware received is what was designed, and nothing else.
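The firmware half of that suggestion, verifying that an image received from a supplier is exactly what the vendor signed, is small enough to show end to end. The following is an added example written for this thread, not code from the commenter, Supermicro, or any vendor. It assumes the vendor signs with Ed25519, that the receiving site has the vendor's public key pinned out of band, and that the name and version are bound into the signed message (an assumed framing, not any real vendor's format); the payload bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a BMC/UEFI image as it
// arrives from a supplier, together with the metadata printed on the box.
type FirmwareImage struct {
	Name    string
	Version string
	Payload []byte
}

// signedMessage binds name and version to the payload so that a valid
// signature for one image cannot be replayed over another image or
// version. The "\x00" separators are an assumed framing for this example.
func signedMessage(img FirmwareImage) []byte {
	msg := []byte(img.Name + "\x00" + img.Version + "\x00")
	return append(msg, img.Payload...)
}

// NewVendorKey stands in for the vendor's offline signing key generation.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignFirmware is the vendor-side step: a detached signature over the
// framed image. Ed25519 hashes internally, so the whole image is signed.
func SignFirmware(priv ed25519.PrivateKey, img FirmwareImage) []byte {
	return ed25519.Sign(priv, signedMessage(img))
}

// VerifyFirmware is the receiving-inspection step: it accepts an image only
// if the detached signature verifies under the pinned vendor public key.
func VerifyFirmware(pub ed25519.PublicKey, img FirmwareImage, sig []byte) bool {
	return ed25519.Verify(pub, signedMessage(img), sig)
}

// Tamper returns a copy of img with a single payload byte flipped, which
// is the kind of change a later-in-the-supply-chain swap would produce.
func Tamper(img FirmwareImage, offset int) FirmwareImage {
	payload := append([]byte(nil), img.Payload...)
	payload[offset] ^= 0xFF
	return FirmwareImage{Name: img.Name, Version: img.Version, Payload: payload}
}

func main() {
	pub, priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample image; a real BMC image is megabytes, not bytes.
	img := FirmwareImage{Name: "bmc", Version: "3.2.1", Payload: []byte("constructed firmware payload")}
	sig := SignFirmware(priv, img)

	fmt.Println("genuine image verifies:      ", VerifyFirmware(pub, img, sig))
	fmt.Println("one-byte tampered image:     ", VerifyFirmware(pub, Tamper(img, 5), sig))

	// Same bytes relabelled as a different version: the signature no longer
	// matches because the version is part of the signed message.
	relabelled := img
	relabelled.Version = "3.2.2"
	fmt.Println("relabelled version verifies: ", VerifyFirmware(pub, relabelled, sig))

	// A signature from some other key, even over identical bytes, is rejected.
	_, otherPriv, _ := NewVendorKey()
	fmt.Println("other signer verifies:       ", VerifyFirmware(pub, img, SignFirmware(otherPriv, img)))
}
```

The check only proves that the bytes match what the holder of the signing key approved; it says nothing about a malicious part soldered onto the board, which is why the comment pairs it with physical inspection, and it is only as good as the key pinning: if the public key arrives in the same shipment as the image, a swap of both defeats it.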
Are we supposed to feel sorry for or worried about the fate of one of the world's richest companies?
He was arguing that this was a kind of Trojan horse for a third party to gain access.
Is that really your position?
I've worked with these BMCs for the past 10 years off and on; started at a large bank automating deployment of market data infrastructure on HP hardware; couldn't believe how unstable and insecure they were and how much security risk they posed. Most recently at my last job, about half the BMCs from Supermicro went lemon in production; and not too long ago, discovered the AAAA* security bug with ILO4 on slightly older HPEs. HPE at least had a fairly responsive post-sales team and I must say their OOB BMC (ILO) improved a lot over time. SM just sucked so bad that my last employer, who had unwisely standardized on Wiwynn's and Supermicro's to save money, ditched them all for HPE this year.