Notes on the Bloomberg Supermicro supply chain hack story:
Bloomberg has a story about how Chinese intelligence inserted secret chips into servers bound for America. There are a couple of issues with the story I wanted to address.
The story is based on anonymous sources, and not even good anonymous sources. An example is this attribution:
a person briefed on evidence gathered during the probe says
That means somebody not even involved, but somebody who heard a rumor. It also doesn't mean the person even had sufficient expertise to understand what they were being briefed about.
The technical detail that's missing from the story is that the supply chain is already messed up with fake chips rather than malicious chips. Reputable vendors spend a lot of time ensuring quality, reliability, tolerances, ability to withstand harsh environments, and so on. Even the simplest of chips can command a price premium when they are well made.
(Via Errata Security)
The truth on this story is still revealing itself. I do know that I already tire of it.
Robert Graham's article is the strongest critique of the Bloomberg story I've read. My skeptical nature tends to agree with him until more facts are known.