Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Sunday, 07 October 2018 17:56

Bloomberg China spying claims fast losing their sheen


It has taken just three days for the Bloomberg claims about China spying on US firms through the implant of chips on server mainboards sold by the US firm, Supermicro, to lose most of their sheen.

In its story, Bloomberg claimed security testing by Amazon in 2015 had revealed the existence of tiny chips that were not part of the original mainboard design and that this led to an extensive investigation by US Government agencies which found servers built using these boards in data centres belonging to the Department of Defence, on warships, and for processing data being handled by CIA drones.

The agency said that major banks were also using servers made by Supermicro and that the government investigation led to several companies getting rid of the Supermicro equipment.

Detailed denials by Amazon and Apple, two of the companies said to have been victims, were partly responsible, as were statements from the UK National Cyber Security Centre and the US Department of Homeland Security. A former Apple executive has also added to the doubts around the story.

Some people who tried to benefit from the claims, which were made by reporters Jordan Robertson and Michael Riley, ended up with egg on their faces.

Few, if any, "experts" considered the political implications of the Bloomberg claims and their timing. Of course, China was being put in the spotlight and many Western "experts" tend to have a somewhat blinkered view when it comes to this country. More on this later.

British security consultant Kevin Beaumont, who was among the early sceptics, pointed out in a tweet that Robertson and Riley had put out a story some years ago, claiming that the US Government had prior knowledge of the Heartbleed bug, a serious vulnerability in OpenSSL, before it was announced.

He said that when the story was denied, Bloomberg did not issue any follow-up.

Other security researchers pointed out that Bloomberg had claimed three years ago that a pipeline explosion in Turkey was an early case of "cyber war", a somewhat dubious claim.

Cris "SpaceRogue" Thomas, a former member of the L0pht Heavy Industries hacking collective and now a researcher with Tenable Network Security, wrote that while the explosion could be what the reporters in question claimed it to be, "without additional facts from someone other than an ‘unnamed source familiar with the incident who asked not to be identified’ I will have my doubts. Until those facts are presented I’ll go back to reading my Microsoft Patch Tuesday reports".

[Thomas runs a project known as Cybersquirrel1, which he initiated in 2013, to debunk claims of cyber war coming from various sources.]

One of those who tried to capitalise on the claims made by Robertson and Riley, and ended up having to retract his own claims, was Patrick Gray, an Australian who produces a weekly marketing podcast on security.

Gray appears to have been so excited by the Bloomberg claims that he put out a special issue of his podcast, which included the claim that one of his "sources" had found just such chips on a Supermicro mainboard and had even shown him pictures that were said to be from a teardown of such a board.

"These photos showed an unlabelled integrated circuit the source said was likely a hardware back door. Further, the source said there were other problems with the SuperMicro gear, including vulnerable firmware and security functions that just didn’t work properly," Gray claimed.

But this so-called source, whom Gray said he had known for about 15 years, then changed his/her tune and said the photos were from different equipment. While retracting his claims, Gray did not mention if there were other such sensational bits of information he had been fed by the same source over the years and used in his podcasts.

Gray is not the first self-styled security expert to trip over something like this, in the rush to be first to propagate misinformation without proper checks.

Last year, Brian Krebs, a former employee of the Washington Post, quietly took down a story in which he used material from a Washington-based security firm known as InGuardians, claiming that a man of Russian origin was behind the leak of NSA exploits to a group known as the Shadow Brokers.

Krebs did not offer any explanation for removing the story. When iTWire quizzed him as to the reasons for his taking down the article, he did not provide a reply, indulging instead in personal slurs. Krebs' agenda in writing up the InGuardians "research" was questioned by well-known security blogger Marcy Wheeler.

And, finally, to the politics around the Bloomberg claims. Last year, when the US Government was hyping up the alleged Russian involvement in the 2016 presidential elections, three big newspapers — The New York Times, The Wall Street Journal and the Washington Post — tied the Russian security firm, Kaspersky Lab, to the Brokers.

The claims were taken at face value — even though there were numerous questions around them — and provided sufficient impetus for the US to push Kaspersky out of doing business with the public sector.

The Bloomberg claims come in the midst of a bid by the Trump administration to launch a trade war with China. Claims of sabotage in the supply chain would help to drive that narrative and provide a basis for government to act. I have yet to see any Western commentator raise this angle of the story.

So how did the Chinese contractor who supplied the alleged doctored mainboards ensure that they ended up at any particular company? Are we to believe that thousands of these servers were contacting a command-and-control server and all this activity went unnoticed by the NSA for so many years?

There are numerous other holes in the Bloomberg story. But let me leave it there and urge those who try to capitalise on such stories to adopt at least 10% of Beaumont's scepticism. The man would have made a fine journalist.




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


