Your browser is not supported. Please update it.

14 December 2018

SuperMicro hits Bloomberg with audit results, geo-pol bites Huawei further

So, there’s still no smoking gun. Bloomberg doesn’t have one of these suspect-servers in its storage cupboards, nor does it have logs that might prove the associated command and control servers that were supposedly responsible. Similarly, there’s not web-logs that prove that one of these apparent servers was leaking secrets or talking to sketchy strangers in internet chatrooms, and to the best of our knowledge, the only damage that has been done by the supposed attack is that which has been wrought on SuperMicro’s share price.

Apple and Amazon saw brief dips in their prices, caught up in the allegations, but have since seemed unscathed – although both have suffered declines in share price since the accusations. However, most technology firms have been damaged in this manner, thanks to the lingering fears of a trade war between the US and China – something Huawei is all too aware of, currently.

For anyone in the IoT business (and that means nearly everyone in the next decade, whether they know it yet), seeing the opening moves in what looks like a geopolitical chess match, where major vendors are pawns, should be deeply concerning. The idea that a deployment could be thrown into turmoil due to a capricious tariff or sweeping legislation should have the bean-counters panicking.

For all manner of applications, there are low-power wireless devices that have an expected ten-year battery life. That it looks like national legislation could flip-flop on the issue is a major disincentive for potential IoT adopters. Imagine if non-domestic chipsets were banned, or a law passed that meant data could not travel over non-domestic networks. It would be carnage.

Of course, one hopes that the political machine is acting in the best interests of the electorate and citizenry, but you only have to tune into the US congressional hearings regarding Facebook or Google to get a sense of the leadership’s understanding of technology. It’s an insight that doesn’t inspire confidence.

To return to SuperMicro, the third-party security firm called in to hunt for clues, Nardello & Co., should have had plenty to go on – an apparently cast-iron claim that there’s a problem, rather than a vague suspicion or hunch from a sysadmin that something was amiss with their server farm. Had Nardello come out with anything, the online news community would have leapt at the chance to have a second crack at the nation-state-shenanigans whip.

But no such evidence has been found. SuperMicro appears vindicated, and Bloomberg looks to be in the wrong. SuperMicro can’t go out and lie about such things, for fear of the SEC doing its best impression of a ton of bricks, and nor would Nardello want to tarnish its reputation by being found to be wrong.

However, this is still not quite absolute proof that Bloomberg was in the wrong. There may well have been a handful of servers that were targeted and compromised, meaning that SuperMicro would not have found them by targeting its own stock. Such servers could still be out in the wild.

Similarly, the companies targeted might not have found the guilty kit yet, especially if they are not sure what they should be looking for – sifting through their logs, hunting for a needle in a haystack that might well be made out of needles itself. An attack as sophisticated as this would presumably be pretty good at hiding itself from the in-house security or sysadmins.

Nonetheless, it’s not looking good for Bloomberg, which is still sticking to its guns. “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources,” it says.

Of course, Bloomberg can’t really call into question the validity of its own sources, but there’s no good way of knowing if the outlet was intentionally mislead by people looking to stoke up fears of a Chinese invasion – feeding snippets to journalists on multiple fronts, constructing a credible looking deceit. Huawei’s ongoing 5G bans, now in three of five of the ‘Five Eyes’ countries, as well as Japan and Australia, with BT announcing it was ripping and replacing Huawei gear in its EE mobile networks, is evidence of this fear.

We’ve still not come across any convincing evidence that Huawei is anymore a threat to your national security than any other vendor, unless you take the view that the Chinese government would at some point compel Huawei to take hostile actions – something that Western nations and vendors have never done, no sir, Scout’s honor, and would never do.

Given the US government’s apparent hostility to Huawei, it’s strange that Finnish Nokia and Swedish Ericsson are essentially being rubberstamped for those contracts, instead of a US vendor. Of course, such a replacement doesn’t really exist, and having NATO buddies in the telecoms world is certainly a better choice than your rival superpower holding all the cards – except that Huawei is already a major player here, and until now at least, showed no signs of being damaged in that regard.