Oh man, guess we have to do the supermicro chip saga again.
tl;dr is a source misunderstood an FBI defensive briefing on China's supply chain activities, leaked it to the press, and Bloomberg has *again* failed to do the work necessary to verify the sensational claims, because they mistake impressive credentials for domain expertise.
Articles like this are constructed out of parts. There are a series of claims attributed to collections of sources, grouped into an overall story. The way to read them is to read carefully to break out the specific claims and the corresponding sourcing.
The thing you are looking for with each claim is:
1) what is the specific claim
2) who is making the claim
3) what basis the source(s) have for that claim
4) the level of indirectness of that source from the claim (i.e. first-hand expert knowledge, second-hand etc)
And based on that you can make an assessment of the credibility of the source(s) to make the assertion.
So if you start at the top, we have claim #1: China exploits products made by supermicro, according to 14 former law-enforcement and intelligence officials.
Notice that this claim isn't /how/ China exploits supermicro products. Just /that/ it exploits supermicro products. It's *not* a claim about inserting little chips. The sourcing for that claim is a lot of people, and those people are perhaps in a position to know it.
Claim #2: a few supermicro workers were surveilled by the US under FISA authorities. The sourcing for this claim is different: it's now just five of those officials. But the group is former LE & IC officials, so that's a specific claim they might reasonably know.
Either way, if *five* former IC/LE officials are leaking to the press details about specific targets of FISA surveillance, then LE/IC has serious problems: that's a lot of former officials leaking classified information.
Next we get to the big claim, claim #3: The FBI enlisted the private sector to help analyze supermicro equipment *containing chips* in 2018 or so.

But notice here what the sourcing is: "an advisor to two security firms that did the work"
Notice that the claim isn't attributed *to the security firms themselves*, or to any employee of those security firms, or to anyone in the FBI. It's an advisor to those security firms. This is one source, and that source's relationship to the information is very indirect.
There's also no indication as to how technical that source is, how they know the information, or how many non-technical people that information passed through before it got to that source. So there could be a *lot* of Chinese-whispers between the truth and this source's knowledge.
The next several paragraphs narrate you through some generic background, and then we get to here. This story is brought to you by interviews with 50 people or so. And look at their credentials! LE, IC, military, Congress and the private sector!
But be careful: this paragraph isn't actually telling you anything useful. A lot of folks are *super unreliable* narrators of technical details, and it doesn't in and of itself break down which sources confirmed which claims.
Then we get to here. A very important paragraph, and a named source. Mike Janke, a former Navy SEAL who co-founded a VC firm, who says two companies he advises were briefed by FBI about the chips.
A quick look at his description tells you this is very likely the unnamed "advisor to the private sector firms" source from earlier. Dates line up, sourcing matches, and if there was another guy in his position, they'd have been able to list *two* sources at the earlier claim.
He's very indignant that the chips claim is true, but notice how far removed he is from the actual claim. He's not in FBI. He's not in the tech firm. He wasn't even in the briefings. And his credentials don't suggest he's an in-the-weeds technical guy.
It's not even clear he's getting the information *directly* from someone in those briefings. It could be multiple layers of second-hand info before it reaches him.
We then have a ton more background narration, until we get to here:
Here we have seven former officials who had been briefed about China having device-hacking capabilities.

Key observation here: these officials were on the *receiving* end of the briefing, not the *delivering* side. An indication that these officials are senior but not technical.
Seven is a lot, so the broad stroke claim is reasonably sourced. But it's important to understand technical details can get lost in translation. For example: are these really "adding chips" or are they "firmware implants"? To a senior official, perhaps not an obvious distinction.
The closest we get to a reliable source on "adding chips" is here
Here, finally, we have someone who actually was *in* one of the briefings, and who, as CISO, might actually be able to tell the difference between adding a chip vs a generic supply chain attack warning, or warnings about firmware.
But notice that even here this depends on a chain of information we don't see: specifically, what did FBI see, did that info get mangled between there and the briefing, did the briefer miscommunicate it, and did Kumar misunderstand it. Still a *lot* of indirection.
Then we have this guy: Mike Quinn, briefed by USAF and saying the added chips were "blended into the trace on a multilayered board".
But that's not "adding a chip". That's just backdooring the hardware. And when you put it all together, sounds a lot like backdoored device firmware going through multiple layers of Chinese-whispers.
It's also worth noting that the story contains some organizations refuting central claims. Some, of course, aren't worth the paper they are written on. The Chinese embassy's counter-statement, for example, is worth literally nothing. They're obviously not going to admit it.
But this counter-statement is a big deal. If DHS, FBI, ODNI, and NSA are directly disputing--not merely resorting to a "no comment"--or in NSA's case saying your reporting is "befuddling", that's an indication something is wrong with the claim.
And back in 2018, the supermicro chips story asserted Amazon and Apple were affected. Both of those companies made *very* direct counter-statements, saying about as loudly as corporations can that the claims were just BS.
Apple's counter-statement very directly said Bloomberg's report was just wrong, and that their "best guess" was Bloomberg had got confused with an incident in 2016 that Apple concluded was accidental and not a targeted attack, and in any case, not about tiny chips.
Amazon's counter-statement was that they had repeatedly told Bloomberg's reporters that the story was wrong, and that at no time, past or present, had Amazon found any issues relating to modified hardware or malicious chips in supermicro products.
This story is too big, and the refutations too blunt and too numerous to support on this level of third- and fourth-hand sourcing. If they have documents: go for it. Make fools of Apple, Amazon, FBI, NSA, DHS and ODNI by publishing them. Otherwise, this story should not have run.
A useful observation when assessing Apple and Amazon's counter-statements https://twitter.com/JoeUchill/status/1360260299530661889
FWIW, my money is on this whole saga being, if you dig deeply enough, just briefings related to the 2016 supermicro bad firmware update incident filtered through so many games of telephone that it's eventually twisted itself into a story about tiny chips that never happened.
Adding to the bottom of this thread, Apple's response in 2018 to Congress asking about the original Bloomberg story. https://www.scribd.com/document/390401381/Letter-October-8th-Version
You can follow @pwnallthethings.