A deep dive into the technical feasibility of Bloomberg's controversial "Chinese backdoored servers" story

#1

Originally published at: https://boingboing.net/2019/01/16/someone-must-be-lying.html

1 Like
#2

Occam’s razor continues to suggest that Bloomberg took a realistic/plausible hypothetical and ran with it as fact while confusing a lot of technical details in the process?

Edit: The comments sections of all previous coverage on this are filled with people making this argument more eloquently than I can.

8 Likes
#3

Technically, it seems quite feasible to snoop on the data on the system, or at least the network traffic on the machine itself. But I don’t see how this could be happening without anyone noticing the exfiltration of the data. An excessive amount of time, effort and expertise is directed at finding unauthorized transmissions into and out of certain data centers.

3 Likes
#4

I don’t trust Bloomberg’s reporting on hacking anymore. They’ve had too many articles where they said that an organization was hacked, but never produced evidence to those organizations. In our case, they said that we were hacked, didn’t respond to our requests for evidence or a verifiable source, and even a clean bill of health after a $50,000 computer and network audit. There also wasn’t any log of unusual logins to O365, AWS or other cloud services. They’ve done this often enough where they really need some independent verification that they can use as a source.

4 Likes
#5

You had two reporters who’ve written dubious stories before and really wanted to believe this one was true. They pestered hundreds of people till they found some who played along and said it might be possible, which they turned into it happened.

The real failure here was Bloomberg’s editorial team - and now their reputation for tech reporting is garbage.

7 Likes
#6

Bloomberg is carpet bagging on that. This doesn’t need to have been a hoax to have been untrue. Multiple sources could have been mistaken, on different parts of the story. And Bloomberg could have misinterpreted that information.

People can be wrong without lying. Famed debunker Joe Nickell always stresses that his starting point in anything is “I believe that you believe it”, but also stresses that just because a witness/source believes something doesn’t make it true or accurate.

There’s a couple of details that I saw repeatedly in coverage of this that point to a pretty simple explanation.

Several commenters have pointed to a speculative conference on what an attack like this would look like that happened at roughly the time, and featuring some people associated with the organizations or otherwise connected to the story.

Several of the named companies did experience reported confirmed breaches in similar servers at around the same time.

The details in Bloomberg’s original report are internally inconsistent, and un-clear. Some of them match those earlier known hacks, some of them match very well with published speculation about how something like this would work.

Noone. Not even Bloomberg, has been able to provide a compromised board, documentary evidence that the attack took place, or a named source confirming that it did.

Several of Bloomberg’s sources, named and un-named, have in fact come out to clarify that their statements were either speculative/background. Or discussion of known public hacks.

So what I think is going on here is a combination of well distributed research on feasibility and format and industry rumor based on conferences, and earlier breaches. Bloomberg’s reporters misinterpreted the situation. Taking those industry rumors, confirming them with speculative/technical information on how it would work. And then trying to fit it all into a plausible narrative, came up with the published story.

The people reporting the hack are not lying or hoaxing. It is what they believe, based on what they have heard. Or their interpretation of what they have heard. Because none of them were directly involved in the proposed hack, or claimed meetings about it. If Bloomberg had that sort of source, they would have something to independently confirm that these events even took place.

The people providing “confirmation”, who seem to only have been able to confirm that it was possible and how. Are not lying or hoaxing because they acurately reported that it was possible and how.

But a lack of journalistic standards on the part of the reporters (who apparently have a reputation in this regard). And a lack of editorial expertise on the part of Bloomberg. Allowed the two things to be shoved together, fit to a narrative. And boom you’ve got a news story that we’re still hemming and hawing about. Because noone can independently confirm it.

This is exactly how bigfoot, ufo and conspiracy stories get put together and make it into the news as plausible. I see far too much here that’s recognizable from the bunk world to buy it with what Bloomberg’s been able to provide as defense.

9 Likes
#7

Oh please. It’s no big mystery. It’s a classic case of confirmation bias, plain and simple.

Just as cops and prosecutors often latch onto a suspect early in their investigation and then ignore all the counter indications that they might have latched onto the wrong person, so too the Bloomberg reporters made a mistake early on and then were unable to see all the evidence that they were barking up the wrong tree. Confirmation bias is an occupational hazard for reporters who spend months or a year investigating a big story. And Bloomberg is continuing to stonewall on the issue because their reputation is on the line, plus the editors who greenlit the story are just as susceptible to confirmation bias as the reporters.

The only mystery here is why someone as smart as Cory Doctorow is unable to see what is so obvious to everyone else. Maybe his tendency to think the worst of large corporations is preventing him from realizing that this one time, Amazon and Apple are telling the truth?

9 Likes
#8

i agree. two layers deep. :+1:


:frowning: but how can conspiracy not be real, only real adds up? \s

none of the security experts i read at the time said hardware attacks were impossible.

they said it was impossible to have happened as bloomberg described and then went on to discuss exactly why this story was a blatant fabrication and how actual attacks could occur and be detected and mitaged.

everything adds up perfectly. not everyone was duped. critical reading, logical analysis, fact checking, these are our safeguards to being easily deceived.

3 Likes
#9

Hello,

I see no validity in Doctorow’s assertion that this is due to Supermicro’s motherboard designs being proprietary, and that the only solution is to use open source designs for motherboards.

Open source is not a magical panacea for security vulnerabilities. Both closed source and open source code can have bugs in them, and it takes skilled people to fix, test and validate that a bug has been squashed.

The Open Compute project is a source of open source hardware designs, but it is not a magic fix for vulnerabilities.

1 Like
closed #10

This topic was automatically closed after 5 days. New replies are no longer allowed.