On Saturday morning AEDT, the news agency, which for some strange reason is characterised as being reliable, published a yarn by Jordan Robertson and Michael Riley claiming that servers made by an American company, Super Micro Computer, have been tampered with, resulting in data being leaked to China.
It's also worth noting that the story also contains some organizations refuting central claims. Some, of course, aren't worth the paper they are written on. The Chinese embassy's counter-statement, for example, is worth literally nothing. They're obviously not going to admit it.— Pwn All The Things (@pwnallthethings) February 12, 2021
A deluge of denials followed publication of the 2018 story, some couched in very strong language. But Bloomberg never issued any correction or even a clarification.
Take this paragraph as an example; it is quoting a gentleman known as Mike Janke: “'In early 2018, two security companies that I advise were briefed by the FBI’s counterintelligence division investigating this discovery of added malicious chips on Supermicro’s motherboards,' said Mike Janke, a former Navy SEAL who co-founded DataTribe, a venture capital firm. 'These two companies were subsequently involved in the government investigation, where they used advanced hardware forensics on the actual tampered Supermicro boards to validate the existence of the added malicious chips'.
But this counter-statement is a big deal. If DHS, FBI, ODNI, and NSA are directly disputing--not merely resorting to a "no comment"--or in NSA's case saying your reporting is "befuddling", that's an indication something is wrong with the claim. pic.twitter.com/IET5wSc1UA— Pwn All The Things (@pwnallthethings) February 12, 2021
"Janke, whose firm has incubated startups with former members of the US intelligence community, said the two companies are not allowed to speak publicly about that work but they did share details from their analysis with him. He agreed to discuss their findings generally to raise awareness about the threat of Chinese espionage within technology supply chains."
So Janke heard of this addition of malicious chips from two companies whose staff (presumably) were told of it by the FBI. Then these two firms were involved in a government investigation.
Note in the following paragraph that the two companies were not allowed to speak publicly about it, but only shared details from their analysis with Janke.
As one researcher, posting under the handle Pwn All The Things on Twitter, put it, regarding another one of these devious attributions: "Notice that the claim isn't attributed *to the security firms themselves*, or to any employee of those security firms, or to anyone in the FBI. It's an adviser to those security firms. This is one source, and that source's relationship to the information is very indirect."
FWIW, my money is on this whole saga being, if you dig deeply enough, just briefings related to the 2016 supermicro bad firmware update incident filtered through so many games of telephone that it's eventually twisted itself into a story about tiny chips that never happened.— Pwn All The Things (@pwnallthethings) February 12, 2021
His entire thread is worth reading as it picks apart the story very forensically.
And he/she added: "There's also no indication as to how technical that source is, how they know the information, or how many non-technical people that information passed through before it got to that source. So there could be a *lot* of Chinese whispers between the truth and this source's knowledge."
Pwn All The Things summed up the whole article this way: "tl;dr is a source misunderstood an FBI defensive briefing on China's supply chain activities, leaked it to the press, and Bloomberg has *again* failed to do the work necessary to verify the sensational claims, because they mistake impressive credentials with domain expertise."
Of Janke, this researcher said: "He's very indignant that the chips claim is true, but notice how far removed he is from the actual claim. He's not in FBI. He's not in the tech firm. He wasn't even in the briefings. And his credentials don't suggest he's an in-the-weeds technical guy.
"It's not even clear he's getting the information *directly* from someone in those briefings. It could be multiple layers of second-hand info before it reaches him."
When any major story breaks, every other publication that has any pretension to being a news outlet gets in touch with its own sources and files a follow-up. Or else, it paraphrases some part of the original and publishes that.
Technology reporters are rightly wary of Bloomberg and stories relating to Super Micro because of the 2018 dud. But still many have reported the story as it shows a trend of Bloomberg publishing stories that can move markets; these are always put out towards the end of the week, with the 2018 story landing at 7pm on a Thursday and the 2021 yarn being published at 5am on a Friday.