(Bloomberg) The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies, is refuted by (Reuters) DHS says no reason to doubt firms’ China hack denials, and further by Apple tells Congress it found no signs of hacking attack.
Which story is true? This offers another exercise for predictors, in the weighing of evidence and comparing the veracity of sources. But let’s first consider the art world. Up until about 1870, genres of art were arranged by the French Academies in a rigid hierarchy. In reporting by U.S. based media, a hierarchy also exists, which determines priorities, depth, and accuracy.
Just by living, most people have some understanding of politics, law, and economics. The stories they read are put together mostly by people with general liberal arts educations, with competence that varies from reasonable to remarkable. Technology is at the opposite pole of incomprehension. There is no such thing as native understanding of how it works, and few care if the facts are murdered. Yet in the Bloomberg story and the Reuters response, tech has leaped all the way to the top, square in the arena of geopolitics.
This is compounded by the apparent, self-enforced differences of regular journalism and investigative journalism. In regular journalism, diligence is satisfied by consulting “sources”, who are either people in government or people with impressive job titles and credentials. But the liberal arts education of a typical reporter provides insufficient guidance for discrimination. Lacking a fund of technical knowledge that would identify the relevant credential, Reuters reporters relied exclusively on nontechnical sources. Bloomberg, with in-house competence in computer technology, did the opposite.
The errors resulting from lack of in-house competence can be subtle or egregious. But while mistakes about the latest “tech” widget or phone are usually harmless, harm does come when tech leaps to the top and collides with politics. This was so in the case of CNN, Shame! Raise Your Standards! “Russia unveils ‘Satan 2 Missile”, where inaccurate reporting risked instigating an arms-race, and for which no correction was issued.
The flaws in the Reuters stories are not as serious. But Reuters defers to authorities, without considering distorting influences:
- The statutory obligation of government authorities to protect national security investigations and foreign intelligence.
- The obligation of Apple to protect shareholder value. If Apple had supported the Bloomberg claims, it could have provoked retaliation by China against Apple’s China operations, possibly including seizure of assets, so severe as to materially impact the company.
- Lacking Bloomberg’s technical resources (Bloomberg is also a hardware company), it is difficult for Reuters to interpret technical sources. Hence an unconscious bias — excessive reliance on “authorities”, typically drawn from government and finance.
The severity of the hack is indicated by the Amazon response. Quoting Bloomberg,
The following November, Amazon sold the entire infrastructure to Beijing Sinnet for about $300 million. The person familiar with Amazon’s probe casts the sale as a choice to “hack off the diseased limb.”
In the case of Apple, some consideration by Reuters of the above issues would have offered the possibility that the consulted individuals could not publicly support the Bloomberg claims. Quoting Apple’s recently retired general counsel, Bruce Sewell (brackets mine),
“I got on the phone with him [then FBI general counsel] personally and said, ‘Do you know anything about this?,” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”
The denial is what anybody with a shred of fiduciary responsibility would have said. Even in retirement, it’s not Sewell’s job to wreck Apple, nor can we expect the FBI general counsel to blow a national security investigation.
(Reuters) Apple tells Congress it found no signs of hacking attack appears to solidify Apple’s denial, at the risk of perjury before Congress. But the single direct quote of the article, by Apple Vice President for Information Security George Stathakopoulos, leaves at least two loopholes:
“Apple’s proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found,” he wrote in the letter provided to Reuters.
The above asserts the absence of outbound traffic, not the absence inbound traffic, or of implanted chips. Apple could have neutralized the implants by laser drilling, or by modifying the IPMI (read down) firmware.
Given the gravity of the stakes for Apple, and other U.S. interests in China, Stathakopoulos may have been given a waiver by the executive branch, with disclosure to Congress in some future closed proceeding.
The first Reuters article, relying heavily on credentials that virtually assure bias, elevates the credibility of Sewell, who is anything but a disinterested person. Here the needs of the open source intelligence, and the media are at odds. A media outlet wants an article to be taken as informative, even when it isn’t. If it were not for that need, Reuters might have mentioned the statutory secrecy requirements of a national security investigation, which reduces to null the content value.
So for open source intelligence, we have to sift and toss the drek, of which the first Reuters article mostly consists.
But the Bloomberg article is rich in facts, some of which can be checked. Could it be a total fabrication? Quoting,
In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.
17 sources hoping to short some stock would be a helluva conspiracy. It’s not worth considering. But you can do something that neither Reuters or CNN seem capable of, find a genuine expert, qualify that expert yourself, and fact-check the Bloomberg technical background. (Bloomberg has hardware experts in house.)
Silicon Valley has a grapevine. Bloomberg found 17 voices. But without a big, shiny credentials badge, how will you know someone is sufficiently knowledgeable to be useful? I’m going to tell you now.
Your qualifying question should be, “Is there a particular system on the motherboard to which the Chinese chip is likely to be attached?”
The alleged Chinese implant chips are very small, consume little energy, have low clock speeds, and have few terminals (pins). Most of a motherboard operates at extreme speeds, requiring lots of energy. This incompatibility limits the points of attachment on a Supermicro motherboard to one particular feature: the baseboard management controller chip, which implements the IPMI interface.
IPMI is old. Silicon Valley is awash with greybeards who know it well. If you aspire to technical excellence in your open source endeavors, you should add some numbers to your book. Boards are routinely x-rayed, providing interesting graphic material above and beyond the drekky clip-art typically used with such articles.
Or just stick with Marvin Gaye.