> If you're not holding that motherboard in your hands, then you definitely "don't have accurate information to base a story on" if that story is about inserted extra hardware - the story Bloomberg reported relies on analysis of that motherboard.
I disagree. What if you have the text of a government report describing the reactions to its discovery in detail (e.g. "an implant was found attached to the BMC of some Supermicro boards, here's our plan for securing the supply chain against implants as small as 1x1mm...")? What if they were shown a report but not given a copy? What if you have consistent testimony from five credible people whose backgrounds check out who read the only copy of the report in a secure reading room? What if all that is verbally confirmed by other insiders?
> In this case, the relevant documents would be the technical details of that malware - photos of the motherboard with the inserted hardware, schematics and analysis of where and how the inserted chip connects to the "real" parts, dumps of the firmware alterations, microscopy analysis of the extra chip after decapping it.
The Bloomberg reporters aren't security researchers. All of the stuff you describe is well outside their areas of expertise or what they can be reasonably expected to do. They're doing their job if they report what they learn from others; it's not their job to perform research or replicate research themselves.
Journalism is more like history than archeology, but a lot of people seem to want it to be the other way around.