• The top story of the day is The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies. (Bloomberg)
  
  The story is that a tiny chip - smaller than a grain of rice - was added to certain SuperMicro motherboards, used by companies including Apple and Amazon and various US government departments, that would subvert the security of the BMC module (a sort of remote control for servers) and allow hackers arbitrary remote access.
  
  The story has been corroborated by official statements from Apple and Amazon.
  
  No, wait, not corroborated, what's the other one? Excoriated.
  
  They did everything but declare Bloomberg anathema and launch a holy war, and I wouldn't be all that surprised if that happens tomorrow.
  
  Apple

  Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
  
  On this we can be very clear: Apple has never found malicious chips, "hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

  Amazon

  Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.
  
  As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.
  
  There are so many inaccuracies in ‎this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

  So far there is no independent verification of any of Bloomberg's claims. All their sources are anonymous, and none have spoken to any other news outlet.
  
  There's basically two ways this can go: Either two of the world's largest companies just invited regulators and class-action lawyers to tapdance on their heads, or Bloomberg just proved once again that those layers and layers of fact-checkers are less use than a fishnet umbrella on the Moon.
  
  Serve the Home is dubious and adds this:

  First and foremost, I think we need to call for an immediate SEC investigation around anyone who has recently taken short positions or sold shares in Supermicro. With the accompanying Supermicro stock price hit that was foreseeable prior to the story, if anyone knew the story would be published, and acted on that non-public or classified information, the SEC needs to take action. There seems to have been over 20 people that knew about this.

  
  This article by the grugq [seriously] delves deeper.  His conclusion: BMC is an active threat in itself, but the Bloomberg story fails in achieving even basic standards of verification.
  
  My take on all this - provisional, pending actual evidence - is that Bloomberg got played.  And they got played because they are morons.
  
  No-one interested in getting a security story out would take it to Bloomberg - they are completely and utterly incompetent to evaluate such claims, or even to research the story.
  
  Any actual security researcher would have a field day with this.  Any skilled security researcher would have it blown wide open inside a week.  Bloomberg took three years to report on it, and at the end, they still have nothing to show but anonymous hearsay.
  
  Who perpetrated the hoax, and for what reasons, is an open question, and we may see hints based on which three letter agency shows up to ask pointed questions of the idiots at Bloomberg.
  
  As a side note: Any tech journalist who is still reporting this as "well sourced" is not to be trusted about anything, not even reading press releases verbatim.
  
  
• Nokia is making phones again. (AnandTech)
  
  More than that, they seem to be making really good phones.

• Spain just made jokes illegal. (TechDirt)
  
  
• France just made the truth illegal. (TechDirt)
  
  
• Facebook's staff are mindless twatwaffles. (Axios)
  
  
• A team of left-wing scholars who still retain intellectual integrity planted a series of fake articles in peer-reviewed academic journals - including a study of rape culture in dogs and a hastily-edited chapter from Mein Kampf.
  
  They only managed to trick feminist and post-modernist journals, not serious sociology journals, but even so they were only found out when Twitter account @RealPeerReview, which is dedicated to puncturing pseudo-intellectual puffery, started digging into the dog rape article and uncovered the skeletons in the closet.

Posted by: Rick C at Saturday, October 06 2018 12:35 AM (Q/JG2)

Hide Comments | Add Comment