The issue with the Bloomberg article was not plausibility. The issue was that they made concrete claims without concrete evidence. And they did not make any sort of reasonable rebuttal to the denials of the alleged victims.
The real problem with all of this fuss is that it’s very difficult to epistemically navigate the truth when you can’t assume the epistemic state and motives of the parties involved (because they don’t want you to know). If some contractor for the Chinese government really did carry out something like this and compromise Supermicro boards, they wouldn’t admit it. Supermicro surely wouldn’t admit it. Amazon, Apple, etc., would they admit it? The NSA or other security apparatuses? Would they admit it? I doubt they want the public or their adversaries to know what they know. Even if Bloomberg’s claims were true, it was terrible journalistically because it was entirely speculative.
Anyone can speculate about anything. Investigative journalism is held to a higher standard, which Bloomberg failed to meet by a long shot.
As for the technology, it exists and has existed, and security threat models are so complex that it’s difficult to imagine that some state actors haven’t tried implementing them. The real issue of public interest is whether these implementations have been detected in the real world, and who are the victims and what damage has been inflicted (or continues to be inflicted if undetected). The only conclusion I can draw from all this is that the field of trusted computing is probably lucrative right about now.