Using an attiny85 uC, a couple resistors, a cap, and a couple diodes I had laying around, I was able to wire up a two terminal "device" that pretty much acts like a 5k pull up resistor on an I2C line.... But when you pass data through the signal line (SDA) wire it can read and modify it. It is crude and very limited, but it works (only at lower I2C data rates in this case, but hey, it's a cheap hack).
A nation state adversary could trivially miniaturize this to the size and form of an SMT resistor, and use a much more capable uC in the process.
I'm not saying that this substantiates the Bloomberg story in any way.
Just saying it's a great (black hat) idea, and it works.
It would surprise me a little if this weren't used in the wild by somebody.
Some hack targets multiple megacorporations that also lead the technical revolution and all those companies go out of their way to explicitly deny anything ever happened? Undetected arbitrary code execution is one thing, but what was the exfil plan that also avoids a totally separate detection system?
On top of that, these authors are known publishers of bad technical stories?
Possible was never the problem, but the total lack of evidence and massive unlikeliness just doesn't add up.
However there's a massive disparity between that and actually modifying the bus data, pattern matching data going across it, delivering a payload effectively (watch how flaky serial buses get at high speeds), miniaturising and packaging the entire exploit, compromising supply chains and board reviews and inspection.
For an analogy, it's like donning a yellow jacket, necking half a bottle of whisky then carrying a bazooka across the White House lawn.
I don't and never will buy this attack vector. They could have easily infiltrated the chipset manufacturer, but no, they went through a huge number of difficult steps which leave thousands if not millions of smoking guns around which are all traceable back to the source. Hmm...
Making the main board fail arbitrarily would be easy, but controlling the board or exfiltrating data is hard.
"communicate with external command&control and know how to read interesting data or send interesting effectful commands to the mainboard." is hard only in the sense that it takes some effort, however, this requires pretty much the same capabilities and skills as every engineered malware we've encountered, so you can assume that every serious adversary can do it, not only nation state adversaries but many serious commercial pentesting companies and cybercrime teams have demonstrated such capabilities.
I can imagine an attacker that can make the "hard" software required but doesn't have the capability to insert that modified hardware within a supply chain - as in, it's not even assumption, for pretty much every intelligence agency it's known that they can easily do software which "would need to communicate with external command&control and know how to read interesting data or send interesting effectful commands to the mainboard" - even just counting things that have failed (because we've detected and analyzed and attributed them), there's clear evidence that they can do it because they've done it many times.
I literally can't imagine an agency that can pull off the supply chain attack but doesn't have the capability to write software to control the board and exfiltrate data.
Now specific targeted attacks are more believable, at that point though I'd think a one off MITM hardware swap would be more likely.
When you say you created a two terminal device, do you mean you have a PCB (or equivalent) with two IO pads which you soldered to the pads which would normally be occupied by the I2C pull-up R, but on a different PCB?
Basically, I'm wondering how the attiny85 was powered.
Given your description, I'm guessing you made a local power well which floated on the SDA line similar to how a boost cap works in a buck regulator (or more generally a charge pump). This is also approximately how a one-wire device works, like say the DS28E07.
To turn a 0->1, strengthen the pull-up equivalent which is in parallel to the uC circuit. I could probably add a simple feedback circuit to make sure the pull-up is just strong enough to keep SDA above VOH_min, which should help prevent the I2C driver from getting damaged. To turn 1->0, open the pull-up equivalent and let the bit leak down.
Assuming standard I2C, I just need to make sure my uC is fully booted and ready to go by the end of the start bit. Should be doable.
I think I mostly convinced myself I could build one too. Of course any board I want to attack probably uses a SPI ROM, so roughly the same idea, but in a series termination resistor. :)
You guys are overthinking this. Server motherboard PCBs are usually 4-8 layers with GND and VCC planes available near any component. The hackers, according to Bloomberg, modified the motherboards, so presumably they would simply add vias to the GND and VCC planes to power their rogue chip. You don't gain much by going to the trouble of making the chip self-powered by leeching current from the SPI line... The vias that bring power to the chip can be hidden within layers (it's a standard thing to do). It would not even be detectable by a visual inspection. You would have to x-ray the PCB to detect it.
I'm with the GP. I've said it before (https://news.ycombinator.com/item?id=18146566): the presumed hack described by Bloomberg is actually not that hard, and perfectly doable. All the attacker has to do is compromise the PCB manufacturer. Actually not even that. He would swap a box of legit PCBs with a box of compromised PCBs when they are in transit from the PCB manufacturer to the assembler. The assembler (the one who solders components on the PCB) wouldn't suspect a thing because normally PCBs are just passive things. No chip. No logic. No firmware. Just stupid layers of copper that either work (conduct electricity) or don't. That's why no one pays attention to PCB manufacturers and instead supply chain security is focused on everything higher in the chain: the providers of components, the assemblers, the distributors, etc.
This Supermicro rogue chip story is in fact an attack much less advanced than some real-world attacks we have seen, like Stuxnet which exploited four(!) zero-days...
The NSA was also actively using COTTONMOUTH II, which was a USB header for a motherboard that could be inserted into the supply chain and provided a long range transceiver for software implants to bypass airgapped networks.
Ten years on I would not be surprised that the Chinese have a similar tool in an even smaller form factor. People seem to be treating this like a futuristic sci-fi plot.
And sandwich it between the PCB layers. No way to find it even upon close up inspection without X-raying the board itself, and even interpreting the X-ray image of a modern multilayer board would be a nontrivial task. I don't think Supermicro did it, at least for a statistically meaningful set of boards.
I don't know how you would even detect that, short of decapping and scanning the die in.
It might be useful if nobody knows you're doing it, but other than that it's mostly pointless, especially if you compromise every sample.
Please do elaborate on this uC that will be the size of an SMT resistor, in a 2 lead package.
How did you get an ostensible power terminal (for pull up) and two terminals for MiTM (input and output) from two terminals? Assuming a situation where there are other pullups on the wire, how did you assert the low state (short to ground) without a connection to ground?
How good is the idea while you could be caught with physical evidence?
Corporations are state actors in China, and their actions have worldwide repercussions.
They are investigated for intentional business practices, not for secret hacks by unknown entities.
Just because you're a news organization, you can't simply escape with "Oh, my bad". This had real implications on stock prices of so many companies and wiped off shareholder value on many of them, including Super Micro.
If Bloomberg's story was false, they shouldn't just walk away like that because "it's the free press".
Afaik that whole Bloomberg/Super Micro thing was similarly set up, referring to "anonymous intelligence/industry services", not even naming the company that supposedly did the security audit.
People have to realize that these kinds of narratives are often pushed by parties in the West, with a vested interest, just as much as it happens in the supposedly "propaganda riddled" East.
It's for those same reasons that the amendments to the Smith-Mundt Act, which happened back in 2013, haven't seen any widespread attention or even mention anywhere in the mainstream, because the good guys don't do "propaganda", they do "interventions" and "information campaigns".
But once again surely other brands, Western companies included, are also spying, but it doesn't change the fact that Huawei does it too.
I found very infrequent calls to HiCloud (Huawei's cloud service), almost always using a HiCloud enabled app where it would make perfect sense to communicate with the service.
On the other hand, I've seen third party apps (none of which were pre-installed) almost constantly firing requests to analytics and ad services. Microsoft Edge was the worst culprit - virtually every action I took (opening menus, tabs, etc) triggered a request to vortex.data.microsoft.com. Spotify calls Scorecard Research in the background often, even if it appears not to be running. Google calls the connectivity check service very frequently (even when network conditions aren't changing). The BBC iPlayer apps (when ostensibly not running) refresh channel and config data frequently in the background.
I see a lot of rhetoric calling out Huawei phones for being spyware ridden trash, but honestly my own research this week suggests that the privacy controls on the phone work well and that third party apps are more of a privacy threat.
"Third Party apps are not privacy respecting and sending data to Google" -> yes nothing new, we're not talking about the spyware you can install from the playstore yourself, you have a lot of choice there too indeed, we're talking about pre-installed apps.
Even if Huawei didn't do this willingly the Chinese government doesn't operate by open rule of law. If the Party decides they will comply then they will comply. No news outlet will report on it. Social media will be censored. None of us in the west will ever know. There is no court to appeal to because the courts are under the thumb of the Party. Huawei is required to hire Party members as employees - Huawei leadership might not even be aware of it for plausible deniability reasons.
This is the direct result of the State apparatus that the Party in China has built for itself. They can cry all the rivers they want about Huawei; it's their own fault. Even if nothing nefarious is going on the suspicion alone has a huge impact.
To address the whataboutism: The whole issue around NSA revelations is entirely because that sort of thing isn't supposed to be possible in the USA (and nominally wrt NSA is only supposed to be valid when it involves foreign individuals). Individuals and companies regularly challenge government over-reach so there are at least some checks and balances, even if they aren't as strong as we'd like. Apple can choose to fight a court order. Trump's executive orders can be blocked.
Now imagine a new story claiming someone sued to block Xi Jinping's executive order in China. Such a scenario is absolutely laughable.
There is a difference between China and the West. To pretend they're the same is to pretend a bicycle is identical to a semi. They're both methods of transportation with wheels that carry cargo but there is a wide gulf in practice.
edit: As for the Supermicro story, who knows. The attack is certainly theoretically possible. Whether such an attack took place is another matter and so far no one has provided a tampered board as evidence.
The only way to be reasonably sure it isn't happening is to sample the final product, tearing down every individual component to verify everything (down to the traces on boards and gates on chips). That's a lot of work, expensive, and time-consuming. Most manufacturers probably don't bother. That applies regardless of where the product is assembled unless your own factories are producing every single component.
From the thread there:
“this will only happen with phones that are meant to stay in china, and also using software made for the chinese market. if your phone is shipped outside of china or has google play services, they're fine”
“It's only Chinese roms that don't have Google play store. This has been known for awhile and honestly this while ep 2 shit is nothing new.”
Anyway, is any phone-home spying? What if it phones US servers, say Google's? Unfortunately I can't think of a popular brand that doesn't spy on its users (no matter what the reasons are).
I have examined network traffic from my Chinese noname phone, and it also sends data to Chinese servers and to Google.
Also when you visit most websites, there will be a request to Google's data collector service.
Conor Friedersdorf summarized matters very nicely years ago, and it's a shame so few people seem to have paid attention:
> The very weakest case for withholding a source’s name is when 1) powerful officials 2) with a clear incentive to lie 3) use anonymity to spread a self-serving narrative 4) without accountability 5) on a matter of great consequence.
A reporter on an international affairs beat can't possibly dismiss sources as broad as the State Department or CIA - which makes it very possible to rotate through mouthpieces as they're proven unreliable. (And that's usually when clear dishonesty is found, not just plausibly-mistaken claims.) And anonymity is usually protected even when a source is found to have knowingly misled journalists, which means a dishonest source is only burned for a single reporter or outlet and can go seek out a new audience. Multiply the number of mid-level employees at a major government body by the number of reputable news orgs and this starts to look completely sustainable.
It's something (reputable) news accountability groups have been upset about for years, but no one seems to have solved it. Conventional wisdom appears to be that publications are scared they'll lose source access completely if they start unmasking dishonest USG sources.
It's actually worse, the power dynamics are completely lopsided: He/she can't disgruntle his governmental sources or else there's the very real possibility of being cut out of the loop/any access at all in the future.
Which isn't a great prospect for any journalist because you can't get any "scoops" when your competitors have privileged access to information.
In-depth interviews, early story tip-offs, and 'approved' leaks with accurate content aren't just a way to distribute information and build connections with reporters, they're a way to cultivate dependence. If 95% of unverified content is accurate, a reporter who can't get pithy 'official' quotes or advance warning on stories will consistently produce worse output than those who can.
It seems like a few particularly famous publications can push back because they're too big to shut out, though their individual reporters often still fold. (e.g. the NYT on Iraqi WMDs.) And there's a bit of room for dedicated 'dissenting' sources like The Intercept and CounterSpin, because they can curate a reputation as leak recipients and then fill out the rest of their schedule with media analysis instead of breaking news. But overall, first-line sources seem to be very effectively trapped by this pattern.
This is an important part of Herman/Chomsky's "Propaganda Model" of media.
In the SuperMicro example, the same shadowy government organizations you accuse of conspiring to build a narrative against China are some of the people who debunked this story.
They're not inviting anyone into Langley, and if this were a claim about e.g. cyberattacks on Ukraine we might not expect evidence. But for something evaluated domestically, especially with physical evidence like SuperMicro, it's relatively common for intelligence sources to point to people who can confirm key elements. That might be a non-government firm which examined the physical evidence, a non-intelligence researcher who can assess the context of a factual claim, or an affected business which can verify what they experienced.
When a CIA source told Judy Miller that Iraq was buying aluminum tubes to centrifuge uranium, they claimed that Oak Ridge nuclear scientists had confirmed their assessment of what the tubes were for. They hadn't, but she apparently didn't bother to check.
When "U.S. officials" told the Washington Post that Russian Grizzly Steppe malware had infected the US electric grid, they provided the name of the utility company which had been attacked - Burlington Electric. Again, this was untrue (the code was found on one laptop unconnected to 'the grid'), but the reporter involved didn't check.
In the SuperMicro case, there doesn't seem to have even been a name given to check, just vague assertions that some company had performed an audit. That ought to have been a warning sign, but it looks like Bloomberg accepted source diversity in place of concrete or verifiable details - we're told of six national security officials, three Apple insiders, two AWS sources (and a partridge in a pear tree).
Without that, it's just hearsay, hearsay by agencies who have deceit as part of their job description and as such should be taken with a massive grain of salt.
Imho they've also become shy about openly sharing sources because it allows them plausible deniability; they don't want an Iraq style curveball all over again, where the attribution of the misinformation can be too easily traced back straight to them.
They don’t share sources because simply it would reveal the sources. It has nothing to do with plausible deniability because they don’t care whether you believe them or not. The governments do and that’s all that matters.
There are certainly examples of mainstream media as a whole getting behind a story like lead-up to Iraq War but this is something different.
The fake Hitler diaries would be one of the really major examples of this, where Stern, Newsweek and the Sunday Times ran the primary stories, and lots of other publications ran stories about the stories in those three.
And that's also a major example of the main sources taking a lot of flack afterwards, with firings, lawsuits, and books and movies about it afterwards, but it's not clear if it actually harmed the newspapers themselves. E.g. Murdoch has suggested the Sunday Times actually profited from it in the long run as Stern paid them back what they paid for access, and it boosted their subscription numbers even after the hoax was revealed.
As long as 1.) it's a rare event and 2.) the publication gives the appearance, and perhaps the reality of, throwing the guilty and those in the wrong place at the wrong time under the bus, putting better processes in place, apologizing profusely, and being very introspective about the whole affair, people tend to forgive and forget--or at least forget. And their peers probably have at least a bit of "there but for the grace..." about the whole thing anyway.
I'm being a bit snarky about throwing people under the bus. Usually there are people who are guilty mostly in a "the buck stops here" sort of way. But, in most of the recent cases I can think of, there were individuals in the news organizations who so wanted stories to be true that they were at best inept in a way it's not clear they understood even in retrospect.
Meh. I'm in the camp that believes Karl Rove pulled off one of his greatest dirty tricks of all time.
Now if that's the story... I'm not saying Karl Rove is an angel or anything, but this seems like he's 10% bad and CBS news and every media source that stuck behind them is 90% bad.
Why not make a document that ostensibly validates that and bake in the fact that it was a forgery to be revealed so that all focus is on the forgery and not the facts that Bush shirked his service?
It's a brilliantly devious move and exactly the type of thing Rove would do (e.g., bugging his own office and then accusing his opponent of the misdeed, etc. etc)
I distinctly remember the overall landscape of the time being that the mainstream media was constantly poo-pooing bloggers and internet sources for not having the "journalistic standards" of themselves. It's quite an attention-getter to prove by their own actions that their only real journalistic standard is keeping their positions of power and promoting a preselected narrative.
In the context of all that, it seems a little weak to whine that they were set up by a Republican dirty trickster. They had just spent the last few years claiming that they were the only news source that could be trusted because they were the only ones competent enough to properly fact-check sources exactly like that.
Reporters to a very large extent report what sources say. Their judgement comes in considering the credibility of the source.
In this case they got a number of "credible" but anonymous sources. What they need to do now is make a choice:
a) burn the sources: publish the names and start investigating them and why they might have fed false information to Bloomberg. This will make it harder for them to get stories in the future, and may be considered a breach of journalistic ethics by some, but it also makes it less likely that people will try to play them like this in the future.
b) try to find some on-the-record sources for their story.
Any EE worth their salt knows exactly what 0402 decoupling capacitors do, and that there's no way you can hack from that angle. It has to do where that particular chip is placed: usually on power-lines... not really signal-traces.
The fact that all known security forces are denying the story (not just big companies like Apple... but also Homeland Security), means that the reporters likely misunderstood what their sources were trying to say. They published a bad story, exaggerating a molehill into a mountain.
The thing is: we all know that BMCs are very insecure. A lot of the problem is that the Bloomberg article is pointing at lol 0402 decoupling capacitors, when any security researcher worth their salt is looking at the BMC instead.
There are too many technical details in the Bloomberg article that were outright WRONG. It's a clear-cut case of reporters misunderstanding things and focusing on the wrong thing.
I know I had this problem in this particular case. I assumed the chip on the photo was real, and only learned on HN that it wasn't.
This image is captioned "Microchips found on altered motherboards in some cases looked like signal conditioning couplers."
You can easily find the article yourself here https://www.bloomberg.com/news/features/2018-10-04/the-big-h...
The full article here: https://www.bloomberg.com/news/features/2018-10-04/the-big-h...
As for what that thing is... it's this (or something like this): https://www.digikey.com/product-detail/en/avx-corporation/W2...
That's an 8-pin decoupling capacitor. But there are "really" only 2 pins. The 8 pins are there to reduce resistance and inductance.
It's very clear what happened. One expert probably said something like "The Chinese are using small chips to hack us". And a 2nd expert said "The smallest chip I know of is the 0402 chip-capacitor".
The reporters then combined the two expert opinions into an incorrect statement. I would NOT be surprised if the Chinese were using small chips to hack BMCs of SuperMicro (although there's no evidence of it... it would have at least been a believable story).
But as soon as I saw the above graphic, I just WTF'd at Bloomberg. The infographic was about as misleading and WRONG as you can get.
Decoupling capacitors perform a very specific, and very easy to see function. They have two pins: C+ and C-, and the capacitor tries to keep C+ and C- at roughly the same voltage level across time. In particular, decoupling capacitors are fully passive (non-powered) devices.
Ex: If the C+ and C- pins are 3V (on the average), then a decoupling capacitor will help keep the voltage stay at 3V. The mechanical analogue would be a flywheel: it helps regulate the voltage and prevents voltage spikes.
It makes NO SENSE for a chip to disguise itself as a decoupling capacitor. There are lots of other chips that would be a better disguise. The fundamental premise and explanation is a joke to begin with.
Like, how are you supposed to hack into a computer at the electrical level using only two pins?
Mind you: an intelligent chip-level hacking device needs... at minimum... Power, and Ground. Bam, you already used up the two pins that a decoupling capacitor has... and you haven't even touched memory or other issues yet.
Clearly, the reporters have gotten something wrong. I can believe that the reporters maybe have a real story here, but they are wandering into technical details that they clearly do NOT understand. Clearly, a mistake or misunderstanding is somewhere in that explanation.
At the very least, a chip-level attacker would need... I dunno, maybe 3 or 4 pins, at the minimum. I haven't thought about it much, but it's instinctively obvious that the 2 pins of a decoupling capacitor are insufficient to do any kind of hacking.
Your instincts seem to have deceived you. There's a top-level comment with a variety of replies that discusses a 2-pin device to snoop or modify data to an I2C device, and plenty of other literature documenting the feasibility of such devices.
The comment that you are referring to used a 2-pin device in place of the pull-up resistor on the SDA line of an I2C bus. That does seem fascinating and I would like to read more about it but I still have a lot of reservations about real-world applications.
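As an added example (not the commenter's code, and not a build of the device), here is a logic-level Python model of an open-drain I2C SDA line that makes the constraints debated in this thread concrete: the two-terminal device is assumed to sit only in the pull-up position, with no ground connection, and can do nothing but connect or disconnect that pull-up on a per-bit basis. The model shows which bit changes such a device can and cannot force, and how additional pull-ups elsewhere on the bus change the answer. All bus states and byte values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class BusState:
    """Constructed description of the I2C bus around the interposer."""
    other_pullups: int = 0              # pull-ups elsewhere on SDA (the objection raised above)
    leak_low_when_floating: bool = True  # a floating line with no pull-up drifts low ("leaks down")


def sda_level(driver_low: bool, interposer_pullup_closed: bool, bus: BusState) -> int:
    """Resolve the SDA level for one bit time on a wired-AND bus.

    Open-drain drivers can only sink current, so any transmitter pulling
    low wins regardless of how strong the pull-up is.  If nobody pulls
    low, the line is high only while at least one pull-up is connected.
    """
    if driver_low:
        return 0
    if interposer_pullup_closed or bus.other_pullups > 0:
        return 1
    # No pull-up anywhere: the line floats and (per the assumption) leaks low.
    return 0 if bus.leak_low_when_floating else 1


def byte_to_bits(value: int) -> list[int]:
    """I2C sends MSB first."""
    return [(value >> i) & 1 for i in range(7, -1, -1)]


def bits_to_byte(bits: list[int]) -> int:
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def transfer_byte(sent: int, bus: BusState, pullup_plan: list[bool]) -> int:
    """What a receiver samples when the transmitter sends `sent`.

    The transmitter pulls SDA low for a 0 and releases it for a 1.
    pullup_plan[i] says whether the interposer keeps its pull-up
    connected during bit i.
    """
    seen = [
        sda_level(driver_low=(bit == 0), interposer_pullup_closed=closed, bus=bus)
        for bit, closed in zip(byte_to_bits(sent), pullup_plan)
    ]
    return bits_to_byte(seen)


def attempt_rewrite(sent: int, wanted: int, bus: BusState) -> int:
    """Best the pull-up-position interposer can do to turn `sent` into `wanted`.

    Its only lever is disconnecting the pull-up on bits it wants to
    drop from 1 to 0; it has no way to source a high against an active
    low, so 0 -> 1 is never attempted.  Returns the byte the receiver sees.
    """
    plan = [
        not (s == 1 and w == 0)
        for s, w in zip(byte_to_bits(sent), byte_to_bits(wanted))
    ]
    return transfer_byte(sent, bus, plan)


def is_reachable(sent: int, wanted: int, bus: BusState) -> bool:
    """True if the interposer can make the receiver see `wanted`."""
    return attempt_rewrite(sent, wanted, bus) == wanted


if __name__ == "__main__":
    single = BusState(other_pullups=0)   # the interposer is the only pull-up
    shared = BusState(other_pullups=1)   # a second pull-up exists elsewhere on the board
    for sent, wanted in [(0xF0, 0x30), (0x0F, 0xFF), (0xA5, 0x00)]:
        for name, bus in (("single pull-up", single), ("extra pull-up", shared)):
            seen = attempt_rewrite(sent, wanted, bus)
            print(f"{name:14s} sent=0x{sent:02X} wanted=0x{wanted:02X} receiver saw 0x{seen:02X}")
```

With a lone pull-up the device can only clear bits (0xF0 can become 0x30 but 0x0F can never become 0xFF); once any other pull-up is present on the line, it cannot change a single bit.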
A story can be interesting and relevant but impossible to prove, and you can still report it honestly by simply making it clear what came from an anonymous source and what is verifiable fact. But it's very easy (and appears to have happened all over the place in this particular article) to cite what someone tells you as fact without making it clear you're just reporting what somebody said.
In fact, the article in a couple of places appends "sources say" at the end of some statement, making you think you're reading a fact until you've reached the end of the sentence. Which IMHO is a "journalism anti-pattern".
In my own journalistic travels, I've worked alongside legal reporters who graduated from Harvard Law School, Wall Street reporters who earned certification as Chartered Financial Analysts, tech reporters who majored in computer science at Stanford, etc. That doesn't make them instantly right about everything. But it does mean they have the training to parse conflicting claims.
I'm not sure about the credentials of the specific Bloomberg reporters on this one. But Bloomberg does have budget and resources to hire subject experts to report on complex subjects.
Which they are unqualified to do if they do not have subject-specific background.
You, not the general concept of the reader, but you personally neya. You stop trusting Bloomberg's reporting. That's the consequence. Their reputation suffers.
Why do threads like this on HN always have such a desire for retribution?
Did you know that?
Like most sales goals, it seems reasonable. And then you remember that when it comes to pay, some people will do anything.
It _could_ work – if the editors are especially on the hunt for bogus stories.
The policy of rewarding them for moving the market simply removes the intervening steps and directly rewards them.
In concept, this only makes it worse. How much worse depends on how compensated they are, which I don't know. (e.g., if the bonus is $50 and your boss buys you a latte the next morning, it's not really that big a deal, vs. if it's $25,000 and everyone knows it's a fast track to promotions it's a pretty significant problem)
I, personally, am sick of being lied to. Single source reportage violates journalism 101; they really should suffer some consequences, just as someone should pay for the 2008 bubble, the Iraq war (Bill Kristol ... finally losing one of his platforms) and any number of other examples of the managerial class' screw ups from the last 20 years.
Let's say the Bloomberg article incurred 50% loss of revenues after it was published for Super Micro. (just making up numbers for the sake of the argument). Following this, Super Micro would have to scale down their operations and potentially fire people.
That's just the same thing as sending a DMCA request on Youtube for something that is someone's own work. Currently it's "free" to do so, but don't you think there should be consequences in destroying someone's else business / reputation / work? How would you feel if it happened to you?
False reports harm Bloomberg, as it erodes their trustworthiness and trustworthiness is very nearly their only actual value/product. False reporting is inherently its own repercussion/consequence here.
This is different from DMCA as that has power granted to it by law, not by inherent trust. DMCA does also have consequences for fake claims, so it's a false equivalency here anyway.
Seeing a situation where one person/group does something that negatively affects another group without consequence tends to have this emotional response from emotionally healthy individuals.
Where do you see a problem with this type of response?
"It is impractical because it is a descending spiral ending in destruction for all. The old law of an eye for an eye leaves everyone blind."
Or maybe a good place for someone with knowledge to show why it's a bad idea and what the arguments are that have been struggled with.
One person getting irked because another happily destroys reputation without any consequence is natural. Reputation is too important.
A single person wanting to see consequence does not create a mob that firebombs their offices.
An idea has to start somewhere.
But that doesn't mean we should outlaw speech... Because speech leads to good things a lot more often than firebombing mobs.
Those people we can put in jail. Only those.
The rest are helpful or neutral, even if you don't agree with them. Democracy (in any form) grows stronger with dissent/speech.
Given their doubling down, unless we assume they somehow didn't ask their legal department, I would bet they have enough sources for the information that they think they're not at risk of being prosecuted for libel or slander.
But they didn't.
I guess if you sue every news outlet for rumours then Apple would be basically suing everyone. My problem is, why do Apple and Amazon have such a "restrained" reaction to Bloomberg? Maybe the story isn't true, but something does smell fishy to me.
All 3 have issued firm denials rarely given from companies today. I don't think any of them have been restrained at all.
Although I do agree a lack of legal action is in no way an admission that the story was accurate, I just thought they should do something more.
The way Bloomberg presented it in the article is as if they had the entire story backed by facts. That was my takeaway: they sounded pretty sure, save for presenting the evidence. Now, what do you do if the press outright misrepresents the facts and presents a fictional story as if it was entirely factual?
Of course the power dynamic between an ordinary joe and broadcasters is far different than between large corporations and broadcasters. This and worries around sponsors means there is already considerable self censorship when criticizing the latter. But I would not be surprised if industry lobbyists ultimately craft legislation to allow the former while preventing the latter through some high bar liability laws in such a way that they get five already sympathetic SCOTUS justices to sign on.
Are you sure it isn't Bloomberg who was misled? Is that more or less likely than a billion dollar company declining to confirm a story that would cost them hugely? In lieu of proof either way, what punishment do you think is just -- and for whom?
A "Lie" is something that is easy to falsify with consensus.
A "Lie Lie" is not a lie but a statement intended to mislead people: difficult to get caught, easy to find a lot of lie believers to defend, and eventually it turns a technical, evidence-based debate into a religious, belief-based debate. It's a lie about a lie, or a decoration upon a "lie", so the "lie" cannot be categorized as a lie.
There are signatures of a "Lie Lie":
* Claim there's a proof instead of providing the proof. Actually, any claimed proof is often not a proof but just the claimer's belief.
* The claims are mixed topics: some legitimate and defendable possibilities along with something that really happened. In simple words, mix truth with lies so later they can defend the truth topics.
* When they give proof, they will provide the one that has less controversial topics but not the needed ones.
* Shift the focus to defendable topics so the undefendable part (i.e. the belief-based part)
* Usually attached to a morally high-grounded good cause such as "raised the public awareness of the threat from an oppressive regime", just as an example, so the "Lie Lie" teller can convince themselves and their friends and coworkers that the claimers are decent people.
* The claimers themselves believe the claims, so they can claim they are not lying, but they don't think they are using deceptive narratives to sell their beliefs.
Most activists are "Lie Lie" tellers. The problem of our society is that a lot of journalists have become activists involved in an ideological fight but pretend they are providing truth.
Hah! What makes you think they should be accountable after we elected a President on the basis of fake news stories?
What are the consequences for a public figure deliberately lying?
What about accidentally lying? What if they are a private figure?
If we're going to have consequences for this sort of stuff, we'd need to lock up most of the people in government, and the employees of every single PR department.
If companies didn't lose money over this report, this is pretty moot. It's just embarrassing for Bloomberg.
If companies did lose money, the next step is proving that they knowingly went with a poorly-sourced story. That would require discovery, which may be fruitful.
Now how that plays out and where that line is, have at that debate until the end of time.
Also read NYTimes or another news source instead of Bloomberg.
Does anyone pay attention to the media in China? It's an equally bad actor.
Now seriously, Bloomberg lost a lot of credibility publishing this. Let's see if they say anything about it in the coming days.
Gell-Mann Amnesia Effect.
In order to figure out which servant was stealing from him, Napier instructed each to go in the shed and pet a magic rooster that he claimed could reveal to him who the thief was. In reality, Napier covered the rooster in soot. Thus he could identify the culprit-- it was the only servant who exited the shed without soot on their hands.
Here, you correctly applied one sense of the Gell-Mann amnesia effect-- a novelist's speculation about experts' inability/refusal to generalize their criticism of a news item within their field to the entire newspaper that contains it. In practice, however, "Gell-Mann amnesia effect" is a gambit that giving a proper name to rank speculation will cause the speculation to propagate as if it were an insight gleaned from a robust research project. If you had understood that part you would have used the rank speculation only as an entry point for a comment that provided greater insight (or at least further rank speculation), rather than as an insightful phenomenon unto itself.
Edit: In other words, you've emerged from the shed without anything other than someone's rank speculation masquerading as research. This makes it clear you've fallen for the 2nd-order effect of the term.
Also be wary of: Overton window
Crichton himself noted the irony of it, using the famous name to attach greater importance to it. Yet he noted it is true that we will quickly forget when reading other stories, and he himself has called for turning away from media.
Finally Overton's Window for me is about framing debate and can be applied over broad areas.
Something tells me they won't.
Edit: I forgot about this case, where they lost at trial.
Not sure about whether Bloomberg was knowingly publishing false stories. But lawsuits causing media to go bankrupt have precedent - Gawker Media, that was.
Aside from this, I consider "Bloomberg is over" a gross exaggeration.
Furthermore, one mistake, if mistake it is, doesn't justify banning that publication from Hacker News.
Furthermore, who are you to be talking about banning anyone from this site in any case?
You get lots of down votes because there are so many reasons to downvote this post not because of some conspiracy.
And because if it had been a government push, it would have been accompanied by a government PR push on other fronts. But I saw no evidence the government picked up this story in particular, or even hardly referenced it. Being now months later we can also observe the government has not lifted a finger to substantiate this storyline or pull Bloomberg's bacon out of the increasingly hot fire.
The theory that this was government-pushed falls down on the ground that even if the government or some aspect of it wanted to push this narrative, this is not even remotely their best choice on how to do it.
Basic informational hygiene is that the claim is garbage until proven otherwise, "credibility" notwithstanding. There is not only not a single positive reason to believe this story, there is mounting evidence that it should not be believed.
Seriously, though, it seems that your idea of "basic informational hygiene" conflicts with a basic security posture in this case. We don't have to assume Super Micro has never been hacked, so I don't know why we would assume that. More in keeping with the topic of this thread, we don't have to assume the State Department (or whoever) has never caused a story to be published or discredited, so I don't know why we would assume that.
We're on the internet, a medium in which information can be trivially exchanged. Easily-defeated heuristics like "authority" and "credibility" are meaningless, if not harmful, when individual claims can (and should!) be evaluated on their own merits.
Basic security posture, sure, but nobody's arguing that we should change that and pretend that Supermicro is completely safe. Nothing is ever completely safe.
...but we're talking about a very specific claim which already has a number of gaping holes blown into it.
At this point I wonder if they should stop protecting their sources on this story and see if that shakes out any truth.
The problem with that is of course that it erodes trust for future sources, and potentially puts these sources at personal risk. But if not doing so starts putting the entire publication into question, that might be a risk they have to take.
That would be a mistake. Don't just throw your sources to the wolves if you couldn't prove their story.
They should press their sources for proof, or stronger evidence. If they can't find any then they should issue a retraction.
But if what was reported was actually true the best thing that can happen now, for Bloomberg and the public, is for their sources to step forward voluntarily with proof.
Admittedly, that will take a lot of courage in today's political climate, but if it's not all just bullshit, highly principled people may do it.
What I would like to know is what the Bloomberg reporters expected would happen as a result of this story? Did they think Supermicro and Apple would just admit it? Then what?
Sometimes the reason for reporting evidence you have is to motivate other people to display evidence they have but don't know was interesting or useful until they saw your story.
That's why so often a single public allegation leads to an avalanche of similar allegations.
(Waves hands and puts on tinfoil hat)
Check mate, atheists.
But who is, John Doe who dies on a grenade?
This could happen, for example, with a tabletop exercise. I know the military does these, so it's not unlikely the CIA does them too. The CIA dreamt up a scenario where a US company's hardware was compromised by China, and simulated their response for training. Since it's just an exercise, it obviously wasn't as secret, so employees would probably not have feared to talk about it loudly at e.g. lunch break. Someone overhears it, runs to Bloomberg, and we have the situation we have now.
Not the only scenario, but something along these lines is my theory.
If it really didn't happen, how could a reputable news agency get a report so wrong? What exactly is going on here?
Money quote: "You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them.
"In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know."
1 - http://larvatus.com/michael-crichton-why-speculate/
Mind you, simplifying with a degree of accuracy is difficult and top writers like those with the Economist do it better than most. With tech stuff, I find more poor and incomplete explanations than I do outright errors. Mind you, back when I provided commentary for a lot of news stories, there were some reporters I always dreaded calls from because I knew steering them in the right direction was going to take an hour out of my life.
The writing is good and interesting, until you read for a year and realize that the formula is pretty much the same, and you can predict the arc of the article after reading a paragraph.
The result of this audit does not inform about anything related to the allegations published by Bloomberg.
I think it's more about re-building confidence by showing that Supermicro products on sale now can be trusted.
The reporter may have emailed a few dozen security researchers to verify the story, but those who don't believe in the story are less likely to reply (and the reporter is more likely to ignore them), leading to a sampling bias.
It's easy to see how security researchers could go off on a tangent about the insecurities of IPMI and other out-of-band management systems, which would sound like an endorsement to the reporter.
Who knows what really happened.
But, yes, even reporters that you know want to write a story that will be interesting to readers. As a source, feel free to provide educational background but be really careful about speculating about things if you don’t want that speculation in print.
An on the record conversation isn’t the same as an informal background chat with the same person over drinks. And I’m a bit careful even then.
"but that kind of attack has never been seen in the wild and is highly unlikely"
"but large tech companies have teams that vet the hardware they use on a unit by unit basis and would notice something like that"
I got into a brief argument in comments here not too long ago about the saying "you can't prove a negative" which got bogged down in (what I considered to be) pedantic semantics; what we mean in practice is this kind of "negative." Instead of the conspiracy-minded folks providing proof that powerful, shadowy forces have come out in force against Bloomberg to discredit and suppress their reporting on an actual national security incident, they're demanding that skeptics prove that they haven't. And how can we do this? The complete lack of evidence for this happening might just mean that the shadowy, powerful forces are really good at hiding their tracks. We can posit that if they were really that powerful, they'd have suppressed the original reporting, but we can't prove that Bloomberg didn't just get lucky, or that their diligent, plucky reporters didn't somehow catch the Deep State off-guard for just a moment. We can point out that generally when we see this kind of story, other reporters in other organizations would have corroborated and even expanded the story by now, and that other reporters have said that they've tried and failed to do so. But that might mean the conspiracy is covering their tracks. That they've got to them. That the rest of the journalistic world is IN ON THE CONSPIRACY, MAN.
But it's also possible that the reason it increasingly looks like Bloomberg got played is that, well, Bloomberg got played. Like a cigar, sometimes a bad article is just a bad article.
Bloomberg here will blame its source and take no responsibility.
All businesses are "in the business of making money"; that's what being a business is. What sets them apart is how they make it. In the case of media companies it is, precisely, by getting the story right. A publisher that doesn't is more likely to lose influence and readership as time goes by. For a publication like Bloomberg, more so.
So yeah, they do care. That doesn't mean they don't fall for scams or bad reporting. They do, but it's in their best interest not to do so. In this case, I'm sure Bloomberg is already frantically calling all the reporter sources. They should have done it before the piece was published, sure, and they'll sure blame the reporter and the sources, but I think it's disingenuous to think they just shrug these things off.
Strongly disagree. Media companies make money by publishing stories that people want to hear about.
Almost any article about Russia is a counter example to this.
Ideally yes, but nowadays it seems to be rather: by getting the story framed exactly as their corporate owner wants them to frame it.
Yes, they'll slowly lose credibility, and in fact that is happening, but the process takes decades and is not likely to affect current reporters if they lied in service of the status quo.
Overall Bloomberg as a company does not sustain itself on news revenue.
We don't really know anything about Bloomberg's sources; we do know the nature of all the parties denying any of this is true.
I think this might just be another case of unintentional consequences from incentives.
In my experience, there are two types of firms where you can almost always find "friendly" auditors: law firms and small specialized "boutique" firms (accounting, consulting, etc). Who conducted this review? A boutique law firm.
I'm not saying that it's not possible for the situation you described to have happened, just that it would be an extreme outlier.
Given all this attention, don't you think that Bloomberg would have issued a retraction by now if it was simply the case of an overzealous reporter?
It's also possibly going to be permanently unclear whether this is factually accurate, unless someone discovers a compromised system or the reporters' sources provide enough information on why they believe what they do to actually investigate.
I'd believe more that Super Micro is trying to save its stock value than I'd believe government intervention. Of course, it could also just be faulty intelligence. Guess we'll have to wait and see what Bloomberg does with respect to whether they can get their sources on the record.
Because no matter what the audits say, this article caused a widespread feeling of mistrust towards Chinese-manufactured electronics.
Absolutely possible, even somewhat plausible, but unlikely. Conspiracies are hard to maintain: "2 can keep a secret if 1 of them is dead".
You could outright threaten someone with any number of means to get them to comply with your wishes, this is how espionage often works at a state level "ho ho, you like underage boys Mr. Smith, we have these photos of you, you will help us spy on your government!" or "You owe us much monies from your gambling, you can give us information or we make your life very difficult", simply using sex to ease someone into complying (sexpionage both as blackmail and as reward/entrapment. A possible famous case of the blackmail route was with the NSA in 1960, see: https://en.wikipedia.org/wiki/Martin_and_Mitchell_defection ), finding actual irregularities in someone's finances and threatening to go after them for it etc.
Again, possible and somewhat plausible but probably just a journalist fabricating a source or being misled by one. Yellow Journalism is a thing after all https://en.wikipedia.org/wiki/Yellow_journalism and if you look at papers in the 19th century you see all sorts of outright fabrications just to sell papers, like the Great Moon Hoax https://en.wikipedia.org/wiki/Great_Moon_Hoax
An oft-repeated trope that holds no place in the repertoire of someone who has read history.
Look as recently as the Manhattan Project for an example starkly to the contrary of your assertion.
Large groups of people can conspire. It does happen, more than we can ever know.
It didn't stay too secret; Soviet atomic spies penetrated the program.
Emil Julius Klaus Fuchs for example was convicted of supplying information from the American, British, and Canadian Manhattan Project to the Soviet Union during and shortly after the Second World War https://www.wikiwand.com/en/Klaus_Fuchs
https://www.wikiwand.com/en/Atomic_spies has other info about the spying attempts during the time.
I would've liked to hear this directly from the company doing the audit, without Super Micro's own "interpretation".
The second thing that bothers me about this story is that it was Supermicro that paid for the audit. Maybe there was no one else going to do it, or maybe they just thought to get ahead of anyone else trying to review their chips. I don't know, but it doesn't sit well with me.
Only recently we saw at least two major tech companies skirt the FCC's privacy monitoring by paying for the audits themselves: Google and Facebook. Both had multiple major privacy scandals in the past couple of years, but somehow all of these privacy issues were completely missed by the companies auditing them.
So I guess yes you can bypass Super Micro if you're a customer.
I seem to remember a very hostile and skeptical attitude from HN against Binance doing exactly this sort of thing when they announced the results of their paid-for "audit" of Tether financials. Why aren't we treating Super Micro's report of the audit the same way?
It's just crazy conspiracies all the way down.
Or possibly the leaker made a horrible mistake regarding facts?
Or possibly there is indeed a conspiracy to cover up a hardware backdoor?
These are tough times my friend.