Oct 9, 2018

Go deeper: Bloomberg's fraying "secret chips" story

Photo: Alfexe/via Getty Images

Last Thursday Bloomberg reported that authorities were investigating Supermicro, which manufactures server motherboards, for shipping equipment implanted with chips that China could use to spy on users.

The big picture: The piece was a bombshell, but a raft of vehement denials from everyone involved — including Apple and Amazon, which Bloomberg claimed discovered the secret chips in their own servers — has made the story increasingly hard to believe.

Why it matters: If the piece is a mistake, it is not a small one. Shares in Supermicro stock dropped more than 50% after the story, wiping away nearly $600 million in market cap. But this isn’t just about one firm’s fortunes — the kind of sabotage described in the story, if real, could compromise major institutions.

  • Supermicro products — and the web and cloud services fueled by them — are used by defense, banks, hospitals and other groups.
  • A state election official who spoke to Codebook was concerned that state accounts might have been made vulnerable to attack.

It's hard to believe that Amazon, Apple and Supermicro are all fabricating their emphatic denials of the Bloomberg story.

  • Some users dismissed the denials on Twitter, declaring “I can’t trust corporations” — a distrust that many tech companies have brought upon themselves.
  • But lawyers who spoke to Codebook said the detailed denials wouldn’t just be a public relations issue if incorrect or fudged.
  • “The companies [would] risk enforcement by the FTC for engaging in a deceptive act that is likely to harm consumers,” emailed David Vladeck, Georgetown professor and former head of the Federal Trade Commission’s Bureau of Consumer Protection, adding, “I am strongly disinclined to think they are lying.”
  • Apple would only have compounded its woes Monday by repeating its claims in a letter to two congressional committees.
  • Homeland Security and the British cybersecurity office, the National Cyber Security Centre also denied knowledge of Bloomberg’s claims.

The big question: Flustered cybersecurity pros have been left wondering how much of the story is accurate. The expert consensus is that it's more likely that Bloomberg is wrong than that the companies and government agencies are lying.

  • One key voice disapproving of the piece is security researcher Joe FitzPatrick, who is quoted in the story. According to the Risky Business podcast, FitzPatrick says he emailed Bloomberg before the article was published that their story "didn't make sense."

Bloomberg noted in a statement sent to Codebook Tuesday that Joe FitzPatrick had no direct knowledge that the story was incorrect.

  • "The specific ways the implant worked were described, confirmed, and elaborated on by our primary sources who have direct knowledge of the compromised Supermicro hardware. Joe FitzPatrick was not one of these 17 individual primary sources that included company insiders and government officials, and his direct quote in the story describes a hypothetical example of how a hardware attack might play out, as the story makes clear."

Early Friday, one lawmaker’s office hinted to Codebook that Bloomberg's article might be accurate — but backtracked later in the day. Also on Friday, Sen. Gary Peters (Mich.) sent a letter to Secretary of Defense Jim Mattis asking about armed forces’ knowledge and exposure.

Our thought bubble: It’s possible that well-meaning sources confused malware Apple reportedly found in Supermicro firmware with a hardware-based espionage campaign. The two are not equivalent — the firmware problem was quickly dealt with.

Glass houses disclaimer: Reporters make mistakes. Codebook makes mistakes. Sources are sometimes wrong. And good journalism often necessitates anonymous sources.

Editor's note: This story has been updated with new comment from Bloomberg.

Go deeper

Zuckerberg says Trump’s “shooting” tweet didn’t violate Facebook’s rules

Mark Zuckerberg at the 56th Munich Security Conference in Munich, Germany on February 15. Photo: Abdulhamid Hosbas/Anadolu Agency via Getty Images

Facebook did not remove President Trump's threat to send the National Guard to Minneapolis because the company's policy on inciting violence allows discussion on state use of force, CEO Mark Zuckerberg explained in a post on Friday.

The big picture: Zuckerberg's statement comes on the heels of leaked internal criticism from Facebook employees over how the company handled Trump's posts about the Minneapolis protests and his unsubstantiated claims on mail-in ballots — both of which Twitter has now taken action on.

Updated 38 mins ago - Politics & Policy

Coronavirus dashboard

Illustration: Sarah Grillo/Axios

  1. Global: Total confirmed cases as of 7:30 p.m. ET: 5,916,464— Total deaths: 364,357 — Total recoveries — 2,468,634Map.
  2. U.S.: Total confirmed cases as of 7:30 p.m. ET: 1,744,258 — Total deaths: 102,709 — Total recoveries: 406,446 — Total tested: 16,099,515Map.
  3. Public health: Hydroxychloroquine prescription fills exploded in March —How the U.S. might distribute a vaccine.
  4. 2020: North Carolina asks RNC if convention will honor Trump's wish for no masks or social distancing.
  5. Business: Fed chair Powell says coronavirus is "great increaser" of income inequality.
  6. 1 sports thing: NCAA outlines plan to get athletes back to campus.

Trump says he spoke with George Floyd's family

President Trump in the Rose Garden on May 29. Photo: Win McNamee/Getty Images

President Trump told reporters on Friday that he had spoken with the family of George Floyd, a black resident of Minneapolis who died after a police officer knelt on his neck on Monday.

Driving the news: Former Vice President Joe Biden said via livestream a few hours earlier that he, too, had spoken with Floyd's family. The presumptive Democratic presidential nominee implored white Americans to consider systemic injustices against African Americans more broadly, Axios' Alexi McCammond reports.