Not necessarily received, but at least seen them and verified that the described thing actually exists. If they don't even have a single frigging photo that they can show us (up until now they have only shown CGI renderings that they fabricated themselves showing how it might have looked), then that seems to imply that they haven't done any due diligence.
> Not necessarily received, but at least seen them and verified that the described thing actually exists. If they don't even have a single frigging photo that they can show us (up until now they have only shown CGI renderings that they fabricated themselves showing how it might have looked), then that seems to imply that they haven't done any due diligence.
I don't know about you, but I certainly couldn't get a photo of the motherboard of a dev server I work with every day, let alone take a reporter to go take a look at it. That doesn't mean I don't have accurate information to base a story on, and it doesn't mean someone else can't corroborate that information.
Reporting isn't about gathering physical evidence, it's about gathering and cross-checking testimony and documents. If credible people in the government and an NGO testify that there was a poison gas attack at a certain location, a reporter can legitimately write an article about it. That reporter isn't going to sit on the story until they go to the attack site, collect samples, and send them to a lab; nor should they.
If you're not holding that motherboard in your hands, then you definitely "don't have accurate information to base a story on" if that story is about inserted extra hardware - the story Bloomberg reported relies on analysis of that motherboard. If you find an anomaly in the dev server but can't open it up to look at the motherboard, then you can blow the whistle that something weird is happening, but you're not qualified to be a source for what Bloomberg claimed unless you have seen some evidence about the actual hardware.
As you say, reporting is about cross-checking documents. In this case, the relevant documents would be the technical details of that malware - photos of the motherboard with the inserted hardware, schematics and analysis of where and how the inserted chip connects to the "real" parts, dumps of the firmware alterations, microscopy analysis of the extra chip after decapping it. Instead, Bloomberg provided "this is where it could have been" CGI illustration and "this is how the mechanism might have been" description of the process. All details about the attack seem to be made up by Bloomberg, they're not based on any real hard data from their sources.
This implies that none of their sources had (or provided to Bloomberg) sufficient detail to assume that this is what happened - if the sources say "well, there was a major supply-chain attack but we're not giving the details" then that's not sufficient to report what the Bloomberg article did, making up the details without knowing them. If the sources provided enough detail to Bloomberg, then this is the point where Bloomberg should release those details to the public.
> If you're not holding that motherboard in your hands, then you definitely "don't have accurate information to base a story on" if that story is about inserted extra hardware - the story Bloomberg reported relies on analysis of that motherboard.
I disagree. What if you have the text of a government report describing the reactions to its discovery in detail (e.g. "an implant was found attached to the BMC of some Supermicro boards, here's our plan for securing the supply chain against implants as small as 1x1mm...")? What if they were shown a report but not given a copy? What if you have consistent testimony from five credible people whose backgrounds check out who read the only copy of the report in a secure reading room? What if all that is verbally confirmed by other insiders?
> In this case, the relevant documents would be the technical details of that malware - photos of the motherboard with the inserted hardware, schematics and analysis of where and how the inserted chip connects to the "real" parts, dumps of the firmware alterations, microscopy analysis of the extra chip after decapping it.
The Bloomberg reporters aren't security researchers. All of the stuff you describe is well outside their areas of expertise or what they can be reasonably expected to do. They're doing their job if they report what they learn from others, it's not their job to perform research or replicate research themselves.
Journalism is more like history than archeology, but a lot of people seem to want it to be the other way around.