Hacker News new | past | comments | ask | show | jobs | submit login
Yossi Appleboum on How Bloomberg is Positioning His Research Against Supermicro (servethehome.com)
143 points by pjf 5 months ago | hide | past | web | favorite | 58 comments

It's an intriguing story.

Not to be too conspiratorial but one simple answer is that the US Feds asked Bloomberg to give the story legs, as a public signal to China. Either to raise the issue of China planting spyware chips on goods, or for some other political reason.

The CIA et. al. definitely have relationships with the big press outlets and stories are placed for reasons of national security. Not quite 'propaganda' but definitely for 'national cause'. The press is used as a way to communicate, as if to say 'we know this, and now the world knows, hint, hint' ...

IF you were doing this, why sabotage three American companies. Apple, Amazon, and SuperMicro. The stories about Huawei would make sense as propaganda. This is terrible propaganda, and is going to end up being bad reporting.

We now have senior NSA officials disputing the story.


Of course the government would deny.

But I agree, it doesn't make a whole lot of sense, just an idea.

It might very well be true however and it would raise flags for a lot of companies, not just Apple and Amazon, and it could very well be a 'reality check' for corporate America.

I happen to know a little bit about how the US does some of these things, moreover, a lot of it is public information, and it wouldn't surprise me one bit if this story were essentially true and that there's a lot of lying involved.

But who knows, it's a really weird one.

Of course the government would deny.

It doesn't make sense for them to proactively deny it. If it was government propaganda, why would they attack the Bloomberg story. They could just say we can't confirm it, which would leave the door open to it being true. Denying it is counterproductive if it was a planted propaganda piece.

It is a fascinating story, anything is still possible, but the momentum is starting to swing against Bloomberg.

Beyond that, a denial is actually quite rare. The 3 letter agencies usually stick with the Glomar Response, we can neither confirm nor deny, to prevent people from determining the truth by process of elimination.

Refuse to confirm or deny could have helped the US in 1960:

An American U2 "weather research" plane is shot down over the USSR.

The US strongly denied that the U2 was a spy plane and produced "weather research" U2s in NASA livery and a story about how the pilot's oxygen equipment malfunctioned.

...the USSR had failed to mention that the U2 pilot (Gary Powers) was alive and well, and that the definitely-a-spy-plane was recovered mostly intact. Oops!

> Not quite 'propaganda'

How is this not propoganda?

Because it's just an exposition of a fact (assuming it's factual).

It's not propaganda to inform the world that someone is infiltrating supply chain networks for the purposes of espionage. As if they are not aware already, it's a wake-up call.

If the story were utterly untrue, or it was a pernicious fabrication of information or misdirection, then it would be propaganda.

For example, some US military maneuvers in E. Asia are especially made public via mainstream media channels (even though they might be public anyhow, there's extra emphasis to make sure there's coverage) to make sure a message is sent. The popularization of a straight forward story in that case I don't think would really be propaganda.

> simple

i don't think that word means what you think it means

It's not conspiracy. It's standard M.O. and it most definitely is propaganda. The chinese do the same thing. When the chinese authorities want to send a signal to another country, their news coverage of the targeted country turns negative. One of the most recent examples is chinese media coverage of south korea after the THAAD deployment.

We've done the same thing here. When relations with the US and China were bad, the news coverage of china is very anti-china. When relations are good, the news coverage turns good ( like the generous, almost fawning, Deng news coverage in the 70s ).

Of course it's the most noticeable or obvious during war time, but propaganda is ever present during peace, it's just more subtle.

Sending a signal by releasing information, which is by the way truthful, isn't really propaganda in the classical sense at all. It's just a diplomatic way of communicating.

Having a story 'encouraged' in the press about hacking of supply chains for espionage is a pretty decent way of singling to all involved that the jig is up.

Ginning up anti-Chinese news over many cycles is more like propaganda, but what does that accomplish? Nothing really, unless nations are really at war and then the 'truth is the first casualty' of course.

I think the reason the press is softer on China lately is purely economic, businesses are linked, they pay ad dollars, and they can demand stuff be snuffed just like Harvey Weinstein could get stories canned via backroom arm twisting. Witness specifically the disappearance of all things Dalai Lama and Tibet, which was all the rage in Cali a decade ago and now nobody talks about it. Can't risk upsetting those Chinese dollars flowing into big projects.

> Ginning up anti-Chinese news over many cycles is more like propaganda, but what does that accomplish?

The biggest difficulty in a democracy is that public opinion matters. If you do something that is widely unpopular, it means that it may cause problems for you. If you want to do something, for example put harsh trade barriers up against a country, then you want people to think, "They deserved it because they did X which is far worse".

So here's a completely fictional idea. I don't propose that this will actually happen, just that it's an example of why you might want to do this. Let's imagine that you don't like the fact that the Chinese are able to take a lot of electrical manufacturing away from the US. You know that the US can't compete because wages and working conditions have to be higher. Also, the Chinese have more control over their industry because they run a totalitarian regime.

So, you get this idea, "Let's say that we have to inspect all electrical parts outsourced to China because it is a threat to our security. We can add on a 30% tariff to cover the job." This does many things. It makes outsourcing to China very expensive and allows US manufacturers to compete. Even if companies continue to choose Chinese outsourcing, it allows you to hire a whole bunch of unskilled workers as "inspectors". Finally it creates a precedent that electronic outsourcing is "dangerous" and must be controlled by government inspections -- allowing you some sort of control over how US companies can choose to outsource. This is especially compelling if you, personally, think that you can use this to your advantage after you leave office and return to business.

So, you leak a whole bunch of information about how the Chinese suppliers are implanting spying devices into servers built by the largest and most successful US companies. And the sweet thing about it is that they probably are doing it occasionally, so all you have to do is to find a single example of it and then convince some reporters (who are journalists, not engineers) that it's happening more often and that the big businesses are engaging in a huge cover up. And because you are the government, you can round up some pretty impressive credentials (off the record, of course!) to back up your story.

Like I said, I don't think that's what's going on (and I'll fall off my chair laughing if the US government decides to do what I said), but it's a completely plausible idea. There is considerable value in manipulating public opinion in this manner (or, more likely, something a lot more subtle).

I don't think your idea is too far out.

If it were true, I wouldn't be the least surprised.

But consider this - it might be absolutely fair.

For the same reason you cannot have 'free trade' between a 'state actor' and an 'open economy'. Can't work due to dumping, strategic investments, etc. etc..

So if China wants to play huge strategic games and control their economy, keep wages low, keep people utterly in the dark and under their control - for the purposes of taking away major industrial sectors to the US ... then it would be 100% fair game for the US to intervene. I don't even think they'd have to do it covertly.

I believe that there should be an x% tarrif from any nation that is not 'free market'. And then a y% tariff if they are externalizing things like pollution and human rights. After all, if China has only a 50% wage advantage due to overtly oppressed wages, then how can anyone compete? And then a z% tariff for currency manipulation.

'Tit for tat trade' is the best policy and I think that would be a great approach to China: when they enact pollution laws that are consistent with ours, then that tariff gets reduced. When they get rid of currency flow controls and allow money to cross the border as happens here, then no more %z tariff.

The truly bizarre thing about this scenario is that this is a surprise to anyone. Of course 'supply chains are infiltrated'. This is 100% happening, we know this, because 'we' i.e. Western powers do it. For gosh sakes. Given the super aggressive policies that China has going on right now - even trying to recruit and pressure ex-pat students, their 100% control of information etc. ... it should be of no surprise to anyone that they are up to this.

Even Canadian PM Trudeau, kind of the 'opposite of Trump' and actively trying to get along in China has recently banned some Chinese investment and activity by mobile phone manufacturers.

I think that any major company should probably be inspecting all hardware that comes in, and I don't doubt that this is going to be 'the new normal'.

I hope it's all just a bad story but my bet is that it leans towards the truth, and there is probably some funny business going on as well.

>I want to be quoted. I am angry and I am nervous and I hate what happened to the story.

If Bloomberg is honest, they should apologize. Will it happen? Not likely. They are deliberately misleading.

Misleading is a mathematically high order lie. i.e. a lie about another lie that decorates the other lie into a non-lie so it can gain the support from many believers even it's not correct. In contrast, a blatant lie is a first order lie which is very clear right or wrong. It's not defendable.

That's a big difference between US/Europa MSM and the propaganda from some totalitarian regimes as I observed. Most audiance seem to be not aware of the former , and they often blieve those who know both are brainwashed by later.

If Bloomberg is honest, they should apologize. Will it happen? Not likely. They are deliberately misleading.

I wasn't aware that Bloomberg had unequivocally been demonstrated to have mislead anyone. At the moment, Bloomberg have made some allegations and several parties have made assertions in response to those allegations.

I don't understand your final paragraph.

Multiple Bloomberg sources have claimed to have been misrepresented in their articles.[1][2] How has Bloomberg not mislead anyone?

1. The article in the OP 2. https://twitter.com/riskybusiness/status/1049429881031819264

If X is saying "that story is misleading", X is not saying "that story is flat-out wrong".

The counter-stories I have seen around the Bloomberg story has been "let us parse these press releases to be certain that they say 'yes, this is flat-out wrong, there is no substance to this at all'".

If someone is saying "misleading", that someone is saying that denials as such can't be true.

"True but I'm angry 'cause the spin is so wrong" is actually quite a "head turner", whatever the actual situation.

Serveral parties such as...

"US/Europa MSM"

Totally OT, but I wish there would be a policy on here (and elsewhere, but let's start small...) where a certain list of shibboleths like 'MSM' and 'HRC' and 'triggered' (just including that one to not single out any one side) would be prohibited on this site (and attempts at getting around it, like using 'M$M' instead, aggressively punished). Of course it's 'censorship' and many other bad things, but it would at least get rid of those posts that aren't being taken serious by 50% of the readership anyway, and therefore serve no purpose towards the overarching goal of having 'intelligent discussion'. If we're going to pretend we're all here to have balanced discussion and that this is no place for partisan warfare, we might as well create an environment that (tries to) reflect that.

You are getting dangerously close to promoting censorship of speech. It is true acronyms are often used to the detriment of the discussion, because lots of people may have difficulty understanding the intended meaning. Or the meaning is deliberately clouded in using acronyms. The better policy for this site would be, if one uses any ambiguous acronyms the first time in the discussion, explain them the first time you use them.

That said, I understood MSM as Mainstream Media from context and results of 5-second web search, it was not very difficult to find this. When something becomes a concept, a name is appropriate and useful and learning new concepts and their names is one reason people are here. Why would this name offend you?

You're missing the point. Of course I know what 'MSM' means. What I'm saying is that by banning certain phrases that people use to signal something beyond the dry meaning of the word, you get better discussions because it reduces the (overt) tribalism. If someone would write for example (((Jake))) when referring to someone named Jake in some context (just for clarity, this is just a random name used for the sake of the example), that's not a case of 'oh you just need to know what it means', it's a case of someone using symbols or tone to signal an underlying sentiment while still being able to deny that you actually mean all the baggage that is implied. Sort of like you're doing now, where you're reducing 'MSM' as just another abbreviation (I don't think you're doing it deliberately, you probably just don't realize the broader context, not accusing you - but I'm still cautious).

And it's only censorship for a very naive definition of the word. It's more tone policing, which ironically is one of the very phrases that would probably be put on the 'banned word list'. Which in turn indicates how it's not a very practical idea to actually implement. Maybe it should be seen more as a 'guideline to intelligent discussion', where anyone using loaded phrasing (either be it deliberately, which would signal them for not engaging in honest debate; or accidentally, which would signal them for not being informed enough to actually participate) should be 'encouraged' through social norms to learn how to better express themselves, where 'better' means in a way that de-escalates emotional flare ups rather than digging their heels in the sand, preparing for battle.

Are you saying Mainstream Media is not neutral? Where you get that impression? or just your personal opinion? If it's not neutral, what's the neutral equivalent? Where do you see tribalism?

Another thing I found that it seems to me the way that you put yourself into a judge's position by deciding which is "intelligent discussion" make all the discussion un-intelligent.

The abbreviation 'MSM' is very much not neutral, yes. I haven't done a survey, but I do not think it's controversial that it's a term used by certain online subcultures (just like many others from all sides, again I am not picking sides here, it's just that this abbreviation started this whole sub-thread). Feel free to disagree, but I've seen it used in parody/stereotype mocking of such groups enough to know that I'm not the only one who would see it like that.

Likewise, it is not controversial or even assuming to state that explicit tribalism and signaling of affiliation does not make for 'good' or 'high quality' (if you prefer those terms over 'intelligent') discussion. Sophistry is not 'intelligent' discussion. It may require high intelligence to pull off well, but it's not 'intelligent discussion'. I'm not saying which topics are 'intelligent' or not, or what position in those topics is, just that some forms of having any discussion are 'better' than others. It's a 'meta-judgement', if you will. 'Intelligent discussion' doesn't just mean 'discussion between two people who are intelligent and well informed on the subject'.

OK. At least I understand more where you idea comes from. I'm not a fan of any subculture but a fan of truth nothing but truth.

Again, what's the neutral equivalent? I mean the entities that often use some maybe unintentional but very sophisticated "deceptional" tricks( I know the word is quite strong). I’ve notice it very often but I guess a lot of readers might not aware of. I’m not assume I’m better than most readers here but just have broad connection to the other side of media and readers.

I want to be quoted. I am angry and I am nervous and I hate what happened to the story.

This could be said as "I hate what kind of story I read from those true facts that I told you." Which may well be - true. Apple and Amazon may have done real-denials but this sentence, at least, is maximum non-denial-denial. Bloomberg may well have burned the relationship that Appleboum had with the various people involved in this story and he's ready to say he very much hates how his name is here.

Which, if that's the only complaint, tends to give greater credence to the story. If X people are saying "false, completely!" and another portion are saying "true but spin, completely wrong focus" only one of these groups can be telling the true.

And sure, that doesn't keep Bloomberg's story from being propaganda.

Why would this article lead to the conclusion that Bloomberg should apologize?

The interviewee says that Bloomberg is inaccurate in that it appears to single out only SuperMicro servers. This article reinforces their claims by pointing out that not only is it an issue for SuperMicro, it’s true of the industry at large.

Bloomberg’s explanation for focusing on the SuperMicro bit is fairly clear. That’s where their sources confirmed. I’m pretty sure nowhere in the article does Bloomberg state that none of SuperMicro’s competitors have this issue. If anything, the SuperMicro incident which they have been able to find evidence for is held up as an example.

Bloomberg already use the story in a wrong way which the original source didn't agree. But let's go deeper:

1. In first report, Bloomberg have strong specific claims: China already hacked the server used in some big companies. it's PLA who did the tampering. They have evidences/sources

2. In second report they provide weak evidence that not related to the strong claims: It's a general security issue all over the industry, A lot of hardware could be tampered, etc,etc. Although maybe exaggerated I believe it's true.

So talking about general security risk is already shifting the focus. If there's a 2nd report, it should be address the conflicts of the denial from Apple and Amazon which cause the dispute, not talking about some thing that can easily reach consensus and close related to the real controversial topic. If they want to talk general security issue, they should make it clear and better in separate time. By putting those 2 different things together, it makes an impression to average readers that 2nd part can support the 1st part. Which seems to me it’s a dishonest practise.

Hopefully this doesn't wind up as another "BadBIOS", where nobody produces any real technical evidence that it's true.

BadBIOS wasn’t real? It sounded so innovative! My day is ruined and my disappointment is immeasurable.

The fact that years later people still don't know that BadBIOS wasn't "real" speaks volumes about how this whole incident is going to be remembered. All of the sensational claims get reported everywhere while the eventual retractions are largely ignored.

In the case of BadBIOS there was no retraction. The person who claimed to have found it kept on insisting he did, but he never posted the malware. He just kept on making unverifiable claims and posting meaningless spectrograms and ignoring calls to just show us the code he says he has.

What if every single scientific discovery in history was forwarded to a bunch of public-facing guys who said, "Nope, this isn't true." Where would we be then? Remember Galileo? Every single person technical person worth their salt owes themselves the favor of doing their own research, and forming their own opinions. I don't know if BadBIOS is real or not, but until I've done my own research and reached my own conclusions, I (politely!) refuse to take other people's opinion on the matter. Unverified claims? By who? I refuse to believe what amounts to speculation, conjecture and hearsay by any party! Also, please think about "The Streisand Effect" (https://en.wikipedia.org/wiki/Streisand_effect) when you make posts deferring to debunking by a supposed authority. All I know is that before you posted, I was not interested in BadBIOS... now I am... and I'm going to do my own research on the matter.

Well, there's nothing in this article that would suggest that... This article confirms such attacks have happened already:

"Totally possible. We have been a witness, or have been involved in an investigation, not in the US by the way, but who cares. Eventually, the one who switched the box was a guy who got money to switch boxes during the shipment."

The only thing Yossi want's to clarify is that it's not specific to SuperMicro, and that therefore it's a much bigger and worse problem than if it was.

The story may be simpler than initially thought.

“Whereas the Bloomberg story singles out Supermicro servers, Mr. Appleboum’s sentiment is that this is an industrywide issue”

Review the site at: https://www.sepio.systems/solution/

What type of companies stand to gain from the piece?

Apparently Bloomberg’s bonus plan for its journalists includes provisions for rewarding stories that “move the market”. One could argue that this sounds like potentially a perverse incentive that could reward questionably sourced stories such as this for the journalists themselves, rather than a specific company gaining.

It’s hardly a stretch to imagine a story like this materially affecting the accused companies’ stock prices, which presumably could qualify as a market moving story.

> https://www.businessinsider.com/bloomberg-reporters-compensa...

You can really tell when somebody gets 100% of their news from HN... They don’t do that anymore, partially due to that 5 year old article (which was reposted on HN yesterday?...)

As far as I can tell there is no evidence that the practice has stopped

Yeah the guy is obviously talking his book.


<We found it in different vendors, not just Supermicro. We found it not just in servers, in different variations, but hardware manipulation on different interfaces, mostly in network related. We found it in different devices connected to the network, even Ethernet switches. I am talking about really big what are considered to be major American brands, many compromised through the same method.

This is why I think that Supermicro has nothing to do with that. In many cases, by the way, it is not through manufacturing, it is after through the supply chain.

People think of the supply chain in a very narrow sense between the manufacturer and the customer.

Supply chain never ends. There are technicians, there are integrators, there are people that work in your facilities. We have seen after installation, after the fact attacks where someone switched something already installed. This is why Supermicro would have no idea what happens later in the supply chain.>

Where's the board? The original Bloomberg story showed pictures of a motherboard. Supermicro motherboards are not rare. Why hasn't one with this strange 6-pin chip surfaced?

Those were never pictures of the board or the chip. The images are credited to an illustrator. The report itself never mentioned 6-pin. And if you listen to the Risky Business podcast, the chip image is actually a signal coupler sold via Mouser Electronics, that Joe Fitzpatrick sent the journalists a link to when they asked him "what does a signal amplifier or coupler look like".



Actually, you can check for yourself. It's the first photo result at Mouser if you search for "signal coupler". Seems everyone has been running around trying to find a TDK HHM22137A2 on their Super Micro boards:


This is what I’ve been wondering all along.

Did I miss something here? Is there a positive-ID photo of the impacted chips/packages anywhere?

Agree. Picture or it didn’t happen.

Why are we even debating this crap without a single shred of physical evidence?

If Yossi was ex KGB or CIA instead of ex Mossad, would it modify your perception of the veracity of his statements?

A second lie to cover up the first lie. Keep it rolling, Bloomberg. We are watching with a smile.

Whether or not it’s a lie, you would be a fool to think your hardware is safe.

It is hilarious that a non-revelation like this goes banannas, while blobs of mostly unknown code from places like Computrace have been embedded in most PCs for 20 years.

Nation state actors enabling surveillance is defiantly plausible, but it would seem dumb to broadly deploy such an obvious, tamper-evident piece of hardware to sophisticated targets.

Yes. Intel Management Engine.

The easiest way to implement a backdoor for Intel CPUs is to get your own code into the Management Engine somewhere in the supply chain. That's if it doesn't have one already.

The actual title is Yossi Appleboum on How Bloomberg is Positioning His Research Against Supermicro.

Right. We changed it back.

Submitted title was "Yossi Appleboum Disagrees with Bloomberg", which broke the HN guideline about titles: "Please use the original title, unless it is misleading or linkbait; don't editorialize."


For any Fortune 500 (Google, Apple, HP, etc.), have certain staff work covertly under shell subsidiaries but develop close rapport with key vendors (as said subsidiary), make straw purchases and do comprehensive (bordering on intrusive) supply-chain surveillance and auditing, because the targets on the side of the parent corp's "boat" paints them as easy marks for industrial/economic espionage/sabotage/monitoring. Not only does this help confuse/disinform competitors, but it can make attacks by state and other actors more difficult.

This might mean high-resolution X-raying of all hardware and cryptographic signature verification of all firmware in order to prove hardware received is what was designed, and nothing else.


So you are suggesting that the purpose of the Bloomberg piece is to actually get access to Apple's data centers? Seems a bit conspiracy minded to me. If that was the end goal, surely there would be easier ways than having your "agent" be quoted in an article regarding the root problem and then hoping that his company is hired to provide inspection services.

I suppose his broad point is: we should be wary of third party inspectors.

So what if they do look in Apple's datacenter?

Are we supposed to feel sorry for or worried about the fate of one of the world's richest companies?

his point was about apple customer security, so your question doesn't hold.

He was arguing that this was a kind of Trojan horse for a third party to gain access.

It sounds like you are saying that richness itself is a justification for mistreatment.

Is that really your position?

Well, while I agree that it's an industry wide problem, it's kind of obvious why Supermicro has been singled out out of all vendors making enterprise servers with BMCs -- Supermicro is the cheapest, no-frill whitebox vendor. I'm pretty sure that other big tech companies like Google have greater control over their hardware, custom design them; most financial clients I've worked with would simply never touch these generic boxes with a 10 foot pole. For lesser enterprise tech companies like Apple whose datacenters are filled with cheap generic Chinese servers they penny-pinch from noname companies like Supermicro, Wiwynn with bare minimal, unstable, insecure mgmt BMC's with little or no control of their own (to save money).

I've worked with these BMCs past 10 years off and on; started at a large bank automating deployment of marketdata infrastructure on HP hardware; couldn't believe how unstable and insecure they were and how much security risk they posed. Most recently at my last job, about half the BMCs from Supermicro went lemon in production; and not too long, discovered the AAAA* security bug with ILO4 on slightly older HPEs. HPE's had at least fairly responsive post-sales team and I must say their OOB BMC (ILO) improved a lot over time. SM just sucked so bad that my last employer, who had unwisely standardized on Wiwynn's and Supermicro's to save money, ditched them all for HPE this year.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact