On October 4, 2018 I read an article. As I read it I thought:
This is it. This is the most consequential article of this decade. When the dust has settled on this scoop, everything else will pale in comparison.
The piece described in detail how Chinese spies had gained access to seemingly every computer network of any significance by including extra circuitry in the hardware China had produced for computer makers:
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.
This piece was reported in Bloomberg, which stands by the story.
United States corporations have spent decades outsourcing their supply chains. Much of that includes doing assembly work in China. Contrary to the current administration’s insistence, building those capabilities doesn’t happen overnight. You need to make not only the machines but the machines that make the machines. And you need to train people to use them. What took decades to build in China could take a decade to build here. And what do you do in the meantime? We still need servers. Do we keep using infected machines and infected networks that beam our data back to China?
It turns out we don’t have to worry about those questions because the story is almost certainly false. I don’t make that judgment lightly. I have unordered reasons:
- The named companies vociferously denied it—under penalty of SEC violations. Bloomberg hosts the denials, and they leave no room for doubt. If these statements are false, those making them would be sued into oblivion. Apple even doubled down on its statements, accusing Bloomberg of getting its story entirely wrong and affirming the truth of its denials.
- As noted by John Gruber at Daring Fireball, the timeline is weird:
[Bloomberg:] Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons. […] Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline. Two of the senior Apple insiders say the company reported the incident to the FBI but kept details about what it had detected tightly held, even internally.
Gruber: What sense does it make that Apple discovered a profound security problem in Super Micro motherboards in May 2015, so serious that the company reported it to the FBI, but then didn’t sever ties with Supermicro until at least eight months later? That timeline makes no sense.
- No one else has been able to corroborate anything Bloomberg reported. Buzzfeed reported:
The United States Department of Homeland Security, the UK’s National Cyber Security Center, NSA Senior Adviser for Cybersecurity Strategy Rob Joyce, former FBI general counsel James Baker, and US Director of National Intelligence Dan Coats have all said variously that they either have no reason to doubt the denials of the companies mentioned in the Bloomberg story or that they’ve seen no evidence supporting its claims. And some sources named in the story have raised questions about it and how their remarks were used.
- The Department of Homeland Security denied it.
- A good bit of time has passed and nothing has happened. The markets don’t seem to have penalized anyone. We haven’t heard of anyone pulling out their motherboard and finding extra bits on their computers that shouldn’t be there.
- The sophistication of the attack seems out of step with real incidents of spy hacking from China. They aren’t this subtle.
I lied about the order. Here is one of the best reasons to doubt Bloomberg’s story:
FITZPATRICK: But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked.
GRAY: So I guess what you are saying here is, the report, I mean all of the technical details of the report, you’d covered that ground with that reporter.
FITZPATRICK: Yeah, I had conversations about all the technical details and various contexts. But there are a lot of filters that happen, you know? When I explain hardware things even to software people, I don’t expect people to get it the first time and I don’t expect people to be able to describe it accurately all the time. So there is definitely a lot of telephone exchange happening.
GRAY: OK but why did that make you feel uneasy? Could it be the case that you know that the technical things you told him lined up perfectly with the technical things that some of these 17 of the anonymous sources told him?
FITZPATRICK: You know, I’m just Joe. I do this stuff solo. I am building hardware implants for phones to show off at conferences. I’m not a pro at building hardware implants. I don’t work for any nation or any state building and shipping these as products. I feel like I have a good grasp at what’s possible and what’s available and how to do it just from my practice. But it was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100 percent of what I described was confirmed by sources.
GRAY: And that’s what he was telling you through this process?
FITZPATRICK: That’s what I read in the article.
GRAY: OK, right. You find that a bit strange? That every single thing you seem to tell him, or a large proportion of what you told him, was then confirmed by his other sources.
FITZPATRICK: Yeah, basically. Either I have excellent foresight or something else is going on.
It is my humble suspicion that some people with an agenda took Joe Fitzpatrick’s story about what was theoretically possible and sought to get it published as truth. The administration has certainly been trying very hard to convince the public that trade with China is bad. The Bloomberg story is merely one example of a series of such attempts. And it was possible because journalism has been hacked.
Even today, journalism does employ some number of serious reporters with standards. This seems good, but as I have written in the context of college admissions, once you codify your process, you’ve inadvertently published a guide to how to break through your process.
Additionally, I might remind you that the Trump Administration already knows this, and has used it to get The New York Times to smear its enemies on its behalf. As a reminder, all you have to do is tell the Times something newsworthy and then get two other seemingly independent sources to verify the same. Reporters think they are triangulating to find the truth, but you are the one placing the vertices of the triangle for them to draw.
Buzzfeed, recently, didn’t wait for the triangle. They reported the following scorching lede:
President Donald Trump directed his longtime attorney Michael Cohen to lie to Congress about negotiations to build a Trump Tower in Moscow, according to two federal law enforcement officials involved in an investigation of the matter.
Notice that the last bit of this lede covers Buzzfeed itself as an organization. They are not saying that Trump actually did this. They are merely relating what “two federal law enforcement officials” said. If those two officials have an agenda, that’s no fault of Buzzfeed’s. Buyer beware. But don’t blame Buzzfeed alone. This is a trick used by institutions no less prestigious than The Atlantic, NPR, and PBS. All prefer to let sources speak rather than make judgments of fact themselves. Indeed, that’s what many of them think good reporting is.
I don’t know whether Buzzfeed got taken for a ride by its sources, but it certainly seems possible that someone had an agenda and sought to manipulate the conversation. This will continue to happen. Will journalists wise up?