A detailed technical rebuttal of Bloomberg's "backdoored servers" article

I think you are probably right. Do you think this will just putter out, or eventually Bloomberg will retract?


I dunno.

News is a bit of a collective. Sort of like science, with replication, peer review, etc.

After a story breaks you get reactions from the principals. The original reporters and others digest that, re-investigate, confirm, and elaborate. More detail comes out. The story develops and becomes firmer over time. So on the news end it’s going to depend on whether any other organizations of Bloomberg’s scale and influence decide to dig further. Seems like they’ve struck out on the usual push-the-story-forward front, and with Bloomberg’s credibility now the focus of the story. What usually happens is people start to dig into the reporting, identify the sources, find out what happened at Bloomberg. That’s exactly what we saw with Rolling Stone.
Depends on any news operation (or Bloomberg editorial) deciding to do that.

On the other end of it, if there was enough of a stock reaction to this, the companies named sort of have to keep going after Bloomberg to explain/retract. They have legal and ethical obligations to stockholders that require they act. So Bloomberg might get backed into a retraction/investigation on legal or just PR pressure grounds.

Seems like it’s already fading from the headlines, even as industry press and security people are still picking at it. So I’d imagine it’s down to Apple, Google and Supermicro now.


Bloomberg reporters get bonuses if their story moves the market. I think that explains everything about how a story like this gets published.


Not true at all - if they were slapped with national secrets directives they could ignore all that in a heartbeat and would be in much deeper shit if they said a word.


Bloomberg is one of the few news sources that still does investigative business reporting. The old saying is that all the news is lies except for business and sports, because people rely on those for betting their money. Bloomberg’s Tesla production index, for example, is unique in that it combines information about official statements, financial reports, suppliers, deliveries and registrations to provide a realistic estimate. Most news sources simply rewrite press releases to fit the ongoing narrative. Bloomberg tends to do research.

My first impression reading the article was that the hack worked by having a device concealed in a line buffer that could intercept and fake network traffic, and that the line buffer was linked to the BMC, which had supervisory control. Any direct attack would be minimal, but the ability to compromise patches and updates would provide leverage for a more serious attack. Obviously, others know better about what can and what cannot be done to compromise a system at this component level, and more about the details of which lines in and out of a server board might pass through an untrustworthy buffer.

Having worked with security people back in the 1970s, I remember the controversies about encryption back doors. One friend of mine in the business once asked, where are you getting your prime numbers? There were lots of prime numbers, but you’d do best to find your own. He was properly paranoid. Years later, it turned out that a major encryption system had an embedded key with a long sequence of zeros, knowledge of which would make breaking the system much less intractable. Was the system ever broken by the NSA? I have no idea, and I was taught FORTRAN by a guy who later was in charge of software there. Note that this revelation came after years of official denials that the system had any embedded weaknesses.

There are all sorts of explanations for this Bloomberg article. To start with, even if there had been some breach along these lines, an untrustworthy component embedded in some major system, it is not clear that anyone would have been authorized to talk about it. Yes, Apple might be obligated by securities laws to report such a breach, but not if it was barred from doing so by some secret security order. Anyone familiar with warrant canaries knows that there are restrictions on reporting certain matters.

The Bloomberg team talked to a large number of sources and developed a belief that some compromising device, sort of as described in the article, was found in some servers. Whether the target was actually the sites stated or just sites of similar importance is hard to say. Everyone in a technical field knows stories that may or may not have happened. They are cautionary tales, almost fables. They are sometimes true, but in the repetition the details get mangled. For example, a late 19th century Harper’s article, ‘Precepts for Slandering Safely’, investigates the story of a Massachusetts man demanding his right to decision by wager of battle. The author could find no such case in the US, but there was one in England (Ashton vs Thornton, 1818).

It is possible that this Bloomberg article is simply a manifestation of the anxieties of our age. In the 1980s, women were entering the workforce and trusting their children to day care centers. This led to the numerous day care center child abuse cases, most of which have long since been debunked. The Bloomberg article nicely fits with our modern concern with computer security as so much of our lives are now online. It also reflects our anxiety about relying on computer products produced in foreign factories under less than transparent conditions.

I wouldn’t be in a rush to dismiss the Bloomberg article’s allegations. Kennedy’s debunking doesn’t address the BMC’s critical place in managing updates and patches. The purpose of a BMC is to give hands-on access without having actual hands present. The BMC itself is an obvious attack surface. I don’t expect a technical refutation of Bloomberg, though. It is hard to debunk something that hasn’t been clearly described. We aren’t talking open source here.

The article lies in a murky area where sources are generally restricted and urban legends are vital parts of the field’s paranoia. The details are equally murky, in that those who would know are not likely to tell, while those who might tell are not likely to know first hand. This leaves a lot of questions. Was there ever such an attack? Is it even possible, or could it be proven impossible? How soon was it detected, and where? If it really was a line buffer that was compromised, which one, and what lines ran through it?

I consider the article a cautionary tale. That doesn’t mean it isn’t true.


My favorite take on cautionary tales is from ‘What Went Wrong’, the classic book about industrial accidents:

“If an incident that happened in your plant is described, you may notice that one or two details have been changed. Sometimes this has been done to make it harder for people to tell where the incident occurred. Sometimes this has been done to make a complicated story simpler but without affecting the essential message. Sometimes - and this is the most likely reason - the incident did not happen in your plant at all. Another plant had a similar incident.”


It was pretty obvious from the first read of that piece that it was editorial speculation at best.

Besides being devoid of facts and any shred of proof, the piece isn’t even internally self-consistent: it has a lot of cross-contradictory speculation, it backfills, and it tries on multiple possibilities in places where there should be hard facts. It makes many blanket statements and has little corroborating detail. Reading it with critical thinking engaged, even without knowing tech, it is immediately obvious as bullshit.

An aware enough reader who has been taught critical thinking should see a lot of red flags for a piece reporting on an actual event, as opposed to an editorial speculation.

Holding reasonable skepticism in the complete absence of proof is a very sound and logical position, and the foundation of critical thinking. Very few people still have this skill, crucial for investigation. We live in a post-intellectual era.

Not getting how they could publish something that was total BS without thoroughly fact-checking it first? 😜 That’s a bit TOO META.

This. Except I’d say they were piecing together speculation and hearsay shreds from multiple sources rather than facts, which makes it even worse.

I agree with this assessment.

These days everyone is desensitized to bullcrap. The repercussions are almost nil, alas.


Came here for this. While the BMC may have little access to the system while the server is powered down, BMC interfaces remain active while the server is online, which is most of the time. So, basically they are saying that during the rare event a server is offline, the BMC isn’t a good attack vector… But who cares? Most servers are kept online, giving the BMC interface access to the drives.
The BMC has the ability to alter BIOS settings and install software and firmware via RPM, MSI, VM snapshots, and custom packages across your entire network.
Oh, and a final thought on offline BMC access when the server is down: you can still change the BIOS settings to configure the system to boot from network media, and that’s all you really need to take over a system.
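The boot-from-network override the post above describes is set through the BMC's IPMI "boot flags" (system boot option parameter 5), so a fleet monitor can read those flags back from each BMC and raise a finding when one points away from the local disk. The decoder below is an added example, not code from any poster or from the Bloomberg piece; it assumes the hex string that `ipmitool chassis bootparam get 5` prints as "Boot parameter data", and the bit layout follows the IPMI 2.0 specification for parameter 5.

```python
# Decoder for IPMI boot option parameter 5 ("boot flags") as reported by a BMC.
# Input is the "Boot parameter data" hex line from `ipmitool chassis bootparam get 5`.
# Bit layout per IPMI 2.0, Get System Boot Options, parameter 5 (data bytes 1 and 2).

BOOT_DEVICE = {
    0x0: "no override",
    0x1: "force PXE",
    0x2: "force boot from default hard drive",
    0x3: "hard drive, safe mode",
    0x4: "diagnostic partition",
    0x5: "force boot from CD/DVD",
    0x6: "BIOS setup",
    0x7: "remote floppy",
    0x8: "remote CD/DVD",
    0x9: "primary remote media",
    0xB: "remote hard drive",
    0xF: "floppy",
}

# Selectors that redirect boot to media served over the network (the case to alert on).
REMOTE_SELECTORS = {0x1, 0x7, 0x8, 0x9, 0xB}

def decode_boot_flags(hexdata: str) -> dict:
    """Decode the parameter-5 data bytes into the fields an auditor cares about."""
    data = bytes.fromhex(hexdata)
    if len(data) < 2:
        raise ValueError("boot flags need at least 2 data bytes")
    d1, d2 = data[0], data[1]
    sel = (d2 >> 2) & 0x0F               # data 2, bits 5:2 = boot device selector
    return {
        "valid": bool(d1 & 0x80),        # data 1, bit 7: flags are in effect
        "persistent": bool(d1 & 0x40),   # data 1, bit 6: apply to all future boots
        "efi": bool(d1 & 0x20),          # data 1, bit 5: EFI (1) vs legacy BIOS (0)
        "clear_cmos": bool(d2 & 0x80),   # data 2, bit 7: reset BIOS settings
        "device": BOOT_DEVICE.get(sel, f"reserved ({sel:#x})"),
        "remote_boot": sel in REMOTE_SELECTORS,
    }

def audit_boot_flags(hexdata: str) -> list:
    """Return the findings a monitor should raise for one host's boot flags."""
    f = decode_boot_flags(hexdata)
    findings = []
    if f["valid"] and f["remote_boot"]:
        scope = "every boot" if f["persistent"] else "the next boot only"
        findings.append(f"boot override to {f['device']} for {scope}")
    if f["valid"] and f["clear_cmos"]:
        findings.append("CMOS clear requested (BIOS settings will be reset)")
    return findings

if __name__ == "__main__":
    # Constructed samples: one-shot PXE override, persistent PXE override, no override.
    for sample in ("8004000000", "c004000000", "0000000000"):
        print(sample, audit_boot_flags(sample))
```

A one-shot PXE override is routine during a provisioning window; the same flag set persistently, or set on a host with no scheduled reinstall, is the case worth alerting on.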


I’ll take one home medium rare with a side of parking.
