Something I've never been able to wrap my head around is the scale at play with the Supermicro story.
If the story is that a small handful of motherboards that were destined to be shipped to cloud providers from Supermicro had some remote monitoring / control capabilities (of varying types, opportunistically applied) added to them at the behest of the Chinese government, that sounds completely plausible and incredibly hard to verify and/or defend against.
I say plausible as we know that US intelligence agencies have conducted similar actions:
https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa...
And that's without even direct access to the manufacturing floor (as in the Supermicro case).

What if all extant examples of these boards are in some NSA laboratory? Bloomberg could plausibly have sources that know of the boards but don't have the ability to steal one of the boards for Bloomberg.
(Emphasis on plausibly, which is not the same as probably.)