By John Gruber
WorkOS: APIs to ship SSO, SCIM, FGA, and User Management in minutes. Check out their launch week.
I was going to write about the one-year anniversary of Bloomberg’s “The Big Hack” fiasco, but Nick Heer, writing at his excellent Pixel Envy, has done the job for me:
Unfortunately, a year later, we’re still no closer to understanding what happened with this story. Bloomberg still stands by it, but hasn’t published a follow-up story from its additional reporting. No other news organization has corroborated the original story in any capacity. After being annihilated after the story’s publication, Supermicro’s stock has bounced back.
Most upsetting is that we don’t know the truth here in any capacity. We don’t know how the story was sourced originally other than the vague descriptions given about their roles and knowledge. We don’t know what assumptions were made as Riley and Robertson almost never quoted their sources. We don’t know anything about the thirty additional companies — aside from Amazon and Apple — that were apparently affected, nor if any of the other nine hundred customers of Supermicro found malicious hardware. We don’t know what role, if any, Bloomberg’s financial services business played in the sourcing and publication of this story, since they were also users of Supermicro servers. We don’t know the truth of what is either the greatest information security scoop of the decade or the biggest reporting fuck-up of its type.
What does that say about Bloomberg’s integrity?
As Heer points out, a year ago, co-author Michael Riley himself tweeted, “That’s the unique thing about this attack. Although details have been very tightly held, there is physical evidence out there in the world. Now that details are out, it will be hard to keep more from emerging.”
With not one shred of evidence emerging in a year, it seems very clear that this was, in fact, “the biggest reporting fuck-up of its type”.
And yet Bloomberg stands by it.
★ Monday, 7 October 2019