
What Businessweek got wrong about Apple - rakkhi
https://www.apple.com/au/newsroom/2018/10/what-businessweek-got-wrong-about-apple/
======
Jerry2
Both Apple and Amazon have released VERY STRONG denial statements that bring
the whole Bloomberg narrative into question. It's also convenient that no one
has yet been able to verify or find any of these mysterious Chinese chips on
any of the Supermicro servers in the wild.

So what is the real story here? Did Bloomberg reporters deliberately deceive
everyone or were they deceived by the US IC ("intelligence community") as a
way to scare technology companies from doing business in China?

Someone at the SEC should scrutinize SMCI shorts at the very least.

~~~
sterlind
Remember when Clapper gave the "least untruthful answer possible" about
domestic bulk collection? [0]

It's naive to think Apple and Amazon _couldn 't_ lie in response to the
article, if the intelligence was highly-classified. They may be under
extremely strict gag orders (e.g. "give no response whatsoever, including
silence, other than denial") and protected by promises of indemnity, as telcos
were in the wake of the NSA disclosures.

Bloomberg is exquisitely specific and detailed about the chip, including
photos and placement (on the baseboard management bridge, disguised as a
shielding element.) There's two possibilities, then: someone cajoled dozens of
officials across several companies to lie to Bloomberg, or the tech companies
have been cajoled into lying.

Either way, the proof is in the pudding: every hardware pentesting shop will
be going after these boards like they're looking for golden tickets. Either
we'll get our die shot, or Bloomberg's getting their pants sued off.

0\.
[https://m.youtube.com/watch?v=Jkb5FKlETqY](https://m.youtube.com/watch?v=Jkb5FKlETqY)

~~~
yourapostasy
> ...every hardware pentesting shop will be going after these boards like
> they're looking for golden tickets.

The way the original story was written, it suggested that four subcontractors
were identified, and almost 30 targets selected, with the implied suggestion
that either the boards were custom special order boards, or destined for a
specific lot order made by a customer. If true, then it is unlikely these
boards will be found in the wild except by slipping through those almost 30
targets into the used market.

Supermicro has about 600 board SKUs, so finding these needles in the haystack
is likely more feasible by approaching data centers offering to help find the
boards for free, in return for allowing the pentesting firms to take physical
possession of such found boards.

The story did reveal that the original "tell" that gave away the chip was odd
but not obviously malicious at first glance network traffic, and that the
suspected intent was implementing an Advanced Persistent Threat model. The
article also mentioned the chips were connected with the BMC, but it wasn't
specified in the article whether or not the chips got out onto the Net.

So finding the boards in the wild probably will focus upon finding them in the
same manner, over the network. Power down the server, let the BMC stay powered
on, and watch for unwarranted network activity. Or boot a Linux on a stick
that deliberately does as little as possible and premises networking allows it
to do just enough routing out to the Net to capture traces of what
unauthorized network traffic is trying to do, and watch for unwarranted
network activity, in case the chip design is clever, and hides its activity
until it detects the mainboard is already running before trying to inject its
network payloads onto the mainboard's network interfaces.

What are others' thoughts on how to find these "golden ticket" boards?

~~~
dvfjsdhgfv
That's the interesting bit. Having done so much to hide the exploit your most
important aim is to hide it's presence. Anything that would just "connect to a
Chinese server" would be discovered immediately. If the Bloomberg story is
true, the network traffic scheme must have been extremely sophisticated to
fool so many network security specialists at top companies for such a long
time.

This, or the story is false, purposely or not.

~~~
ytjohn
Most places I know of isolate their OOB management network, requiring a vpn or
jumpbox to access it. However, if someone did let their OOB network full
outbound access, I could see this slipping through. I could imagine that
simply going to a CDN or cloud provider like AWS/Cloudfront/cloudflare/akamai
with a dns lookup along the lines of updates.supermicro.cdn-front.com wouldn't
be too suspicious. At that point, you'd be looking for dns lookups and not
firewall hits.

If you are blocking outbound, I could still this going unnoticed if you're not
actively reviewing denials.

But, if you are properly watching dns lookups from OOB and it's anything other
than necessary services (ntp, ldap, syslog), then this would get picked up
pretty quickly.

~~~
fulafel
Sounds like many things would have to go right in the defender's court.
Optimism is not a good defense strategy :)

~~~
ytjohn
Heh. One colleague has "Hope is not a valid deployment strategy" as a
signature.

Most places might be blocking this type of activity by default. For most of
our security audits, it's just assumed that the SM IPMI or Dell idrac is
vulnerable to one exploit or another. We mitigate that by controlling the
traffic. I feel this is common practice in most places that understand vlans
and firewalls.

However, while blocking is easy, being aware of something like this is on
another level altogether. Unicorn jumping over a rainbow level rare. You
really have to be logging outbound attempts and dns lookups. Where I work,
there is a full security team and they are at an insane level where they log
the allowed traffic. One told me that the allowed traffic is more interesting
than the denied traffic. Denied just tells them what we anticipated, while
active helps them establish a pattern and look for deviations.

~~~
dvfjsdhgfv
That's my point. Security people were analyzing network traffic for decades
trying to spot something that doesn't fit, host-wise, pattern-wise or even
packet-wise (see The Museum of Broken Packets[0], for example). And someone
managed to somehow hide all this traffic from security experts working for
Amazon and Apple, for months or years? I'm very curious to see how.

[0] [http://lcamtuf.coredump.cx/mobp/](http://lcamtuf.coredump.cx/mobp/)

~~~
fulafel
I think you misread - "Unicorn jumping over a rainbow level rare" was about
catching it, not missing it.

------
baxtr
_In an appearance this morning on Bloomberg Television, reporter Jordan
Robertson made further claims about the supposed discovery of malicious chips,
saying, “In Apple’s case, our understanding is it was a random spot check of
some problematic servers that led to this detection.” As we have previously
informed Bloomberg, this is completely untrue. Apple has never found malicious
chips in our servers. Finally, in response to questions we have received from
other news organisations since Businessweek published its story, we are not
under any kind of gag order or other confidentiality obligations._

It can’t get much clearer than that. The whole story is quite weird. I don’t
know who should be believed but I’ve never read any such vehement denial. If
Apple is lying they risk quite a bit of credibility here

~~~
_Codemonkeyism
Free get out of jail card: Three letter agency force me.

------
IOT_Apprentice
From 2016: Report: Apple designing its own servers to avoid snooping Apple
suspects that servers are intercepted and modified during shipping.

"Apple has long suspected that servers it ordered from the traditional supply
chain were intercepted during shipping, with additional chips and firmware
added to them by unknown third parties in order to make them vulnerable to
infiltration, according to a person familiar with the matter," the report
said. "At one point, Apple even assigned people to take photographs of
motherboards and annotate the function of each chip, explaining why it was
supposed to be there. Building its own servers with motherboards it designed
would be the most surefire way for Apple to prevent unauthorized snooping via
extra chips." [https://arstechnica.com/information-
technology/2016/03/repor...](https://arstechnica.com/information-
technology/2016/03/report-apple-designing-its-own-servers-to-avoid-snooping/)

~~~
solarkraft
Eh? Instead of verifying an existing design they'll just make one themselves?
That could be compromised too?

~~~
princekolt
Because using a 3rd party design you have to ask or guess what each chip does,
and they might not want to tell you everything for IP reasons. When you create
your own board, you know what every little chip and trace does exactly, and
it's a lot easier to detect a rogue chip.

------
chillax
The Norwegian National Security Authority
([https://nsm.stat.no/english/](https://nsm.stat.no/english/)) is quoted in a
norwegian paper today saying they knew about problems with Super Micro since
at least june. [https://www.vg.no/nyheter/i/xRkLep/storavis-hevder-kina-
inst...](https://www.vg.no/nyheter/i/xRkLep/storavis-hevder-kina-installerte-
spionverktoey-i-maskinvare)

~~~
Jerry2
What exactly did they know? Did they check anything themselves or did they
hear the same story from the US IC that Bloomberg also heard?

Supermicro servers are extremely popular in data centers. Yet no one has
noticed anything and no one has found any malicious chips in them. Unless the
Chinese secret services also hacked all of the firewalls, someone would have
picked up some outgoing packets that are going to Chinese C&C servers. And
those would have been scrutinized and chased down. A company I interned at
this past summer was scrutinizing every client on their internal network. They
would have easily detected a machine that was connecting to an IP outside the
subnet, for example.

This whole story is just fishy and every company mentioned in that Bloomberg
piece is not only denying it, but strongly denying it ever happened. And
Bloomberg reporters have zero evidence... except for some stories from
"anonymous sources".

~~~
cm2187
The article suggested the chips were hidden under components. You would have
to tear apart the motherboard and know what to expect exactly. The number of
companies who do this kind of audit must be in the single digit if any.

Now the article may or may not be a hoax, but a few years ago the NSA was
exposed doing exactly that. So at the very least it is credible.

As for detection, I’d rather expect this devices to be activated on demand,
like creating a backdoor, rather than sending streams of data from all
servers, most of which (per the article) will be owned by an adult website or
a mormon church which aren’t exactly strategic activities.

~~~
rickycook
well, the article said that amazon noticed pings to c&c servers in its beijing
datacentre. it did also say that these were more sophisticated hardware
attacks but didn’t make it clear if these chips were also found

~~~
cm2187
Yes, sorry, agree. On stealthness, the article mentioned that “ _In one case,
the malicious chips were thin enough that they’d been embedded between the
layers of fiberglass onto which the other components were attached_ ” but also
says that the chips came in different sizes so some could have been easier to
detect.

------
whatever1
I mean what was the alternative? To admit that your supply chain is
compromised and blame directly the government of the country where you produce
(and sell to a level) all of your hardware?

That would be a huge blow in the credibility of the company and would raise
serious questions on why they did not move the manufacturing elsewhere.

~~~
IshKebab
If this were true I would have expected some corporate waffle like "Apple
takes supply chain security very seriously and regularly audits suppliers. We
cannot comment on internal security matters but customers should be assured
that blah blah blah."

I wouldn't have expected this extremely strong denial which is one step short
of outright calling Bloomberg liars.

~~~
whatever1
No offense, but I think that your suggested statement would only lead to
serious escalation for media enquiries, especially since this story came 2
days after the interview of the Apple CEO [1], where he underlined that
privacy (and the relevant security measures) constitutes the core value of the
company.

[1]
[https://www.youtube.com/watch?v=VD1cP8SK3Q0](https://www.youtube.com/watch?v=VD1cP8SK3Q0)

~~~
Arn_Thor
If Apple or Amazon are found to have lied in their statements I think they
could be in serious legal trouble with both their customers but also (sadly,
more importantly) their stock holders.

~~~
_Tev
More trouble than if they pissed China off enough to threaten Apple's
manufacturing in China?

------
Bryan_Tiernan
It's hard to say what the truth is here, but what I will say is if that
Bloomberg reporter doesn't have substantial evidence to prove that claim he
could be in serious trouble. SuperMicro's stock was down 50% straight after
that articles release, and it's not looking so hot right now either. He could
be looking down the barrel of an SEC investigation very soon.

------
_pmf_
> "As a matter of practice, before servers are put into production at Apple
> they are inspected for security vulnerabilities and we update all firmware
> and software with the latest protections."

They do not have equipment to detect this kind of attack, period. It's not
viable for each device, and it's not even viable for sampling a subset of
devices from a given production batch. Some components are physically
inaccessible and would require desoldering of other components to even access
them in any way.

These kinds of attacks cannot be generically detected in any economically
feasible way; it must be prevented by drastically clamping down the supply
chain and the logistics chain.

------
charlysl
Regardless of whether this particular case is true or not, given the crucial
role of computer systems in so many key institutions, it seems to me extremely
risky to trust Chinese suppliers not to try to compromise critical
infrastructure.

Then again, I understand that it could be argued that, if this is confirmed,
to me it would seem quite rash from the Chinese, given that they would have
known all along that such a scheme would be discovered sooner or later. It is
one thing to plant a device as part of a spy operation, quite another to
consistently compromise a whole supply chain.

Whichever is the case, the national interest and commercial interests seem to
be seriously incompatible with one another when it comes to outsourcing such
critical infrastructure to China, this seems obvious to me, regardless of the
China policy of who is in government in US.

------
RepAgent
> Despite numerous discussions across multiple teams and organisations, no one
> at Apple has ever heard of this investigation.

If this is some kind of ongoing national security issue with nondisclosure
requirement authorized by the Director of the FBI, like this big breach could
be, people involved are not allowed to talk about it even inside their
company.

Of course it would be advisable to inform higher ups in the Apple so that they
would not issue a denial.

------
jdorfman
Stupid legal question, could this end up becoming a defamation lawsuit?

~~~
CalChris
Similar question, but should BW turn out to be correct and Apple was for lack
of a better word, lying, aren't they on the hook as a public company?

~~~
Tomte
Matt Levine likes to say that "everything is securities fraud".

~~~
hyperrail
Funnily enough, he actually covered this angle yesterday!

 _Regular readers know that a major theme of this newsletter is Everything Is
Securities Fraud, so in that vein, let us consider a hypothetical. What if:_

 _1\. Everything in the Businessweek story is true, Chinese spies planted
hardware backdoors in computers built and used by major American companies,
and the FBI investigated along with those companies and discovered the
backdoors._

 _2\. It is a national-security secret and the companies were instructed by
the FBI never to acknowledge it._

 _3\. The companies are patriotically but falsely denying the hack._

 _If that is true—and I have no particular reason to think it is, it’s just
the sort of hypothetical we like around here—then, obvious question: Is it
securities fraud? (Assuming that the hack is potentially material to the
companies’ business?) I do not think that the securities laws explicitly allow
companies to make false statements of material fact if required for national
security, but you could see giving them a pass here._

[https://www.bloomberg.com/view/articles/2018-10-04/computer-...](https://www.bloomberg.com/view/articles/2018-10-04/computer-
spies-hacked-reality)

~~~
cm2187
Pushing the conspiracy theory just for the sake of argument. You could imagine
that some employees have been in contact with the NSA about these chips and
been told that they cannot disclose anything to their employers. The
management of Apple would deny the claim in good faith. It would be hard to
make a claim that Apple meant to mislead investors.

------
doe88
I would say one specific detail (I haven't looked at it though) would
challenge the truth of the rebuttal of both Amazon and Apple is that if it is
confirmed that both have severed ties with Supermicro around the same time,
the coincidence would really seem odd then.

------
mcqueenjordan
AWS Reply: [https://aws.amazon.com/blogs/security/setting-the-record-
str...](https://aws.amazon.com/blogs/security/setting-the-record-straight-on-
bloomberg-businessweeks-erroneous-article/)

------
partiallypro
DoD contracts for the military require the hardware to be sourced and made in
the US to prevent compromise. I wonder if one day we will see the DoD require
any Cloud contractor that has DoD datacenters to source from the US or NAFTA
countries...and what impact that would have. I've heard ramblings about a lot
of companies moving their manufacturing and sourcing from China to Vietnam
already.

------
hacknat
Companies don’t give vehement denials like this unless they’re telling the
truth. People claiming gag orders are crazy, mostly for thinking that Apple,
or anyone else for that matter, would ever sign a document forcing them to lie
to their customers (I’m not saying they wouldn’t lie, just that they wouldn’t
sign anything that would force them to do so).

~~~
ItsMe000001
That makes no sense. What do you think is the difference in "denial levels"?
Kind of like Dragonball-Z power levels? Does a "vehement denial" cost the one
making it any more than a "meek denial"? If making "vehement denials", coming
at exactly the same cost as less strong denials, are more effective, you would
just have made all PR companies/people extremely happy - they get a stringer
weapon for free. All the have to do is issue "vehement denials" instead of
just "denials" and a larger share of the population believes them (for no
valid reason). Especially when the public has no way to get the "real truth"
but can only watch a Dragonball-Z style "strong statement" vs "incredibly
strong statement" showdown.

> _People claiming gag orders are crazy, mostly for thinking that Apple, or
> anyone else for that matter, would ever sign a document forcing them to lie
> to their customers_

Why do you think a "gag order" is something that has to be signed off on by
the one getting it? That too does not make any sense. An order is issued by
someone who has more power, here, the government. You don't have to sign
anything for the order to exist. "Gag order" has "order" right in the name.

~~~
brorfred
I saw figures that Bloomberg had 17 sources for this story. For that to in nay
way be realistic, this must be a deliberate leak by the US government. Why
would they put such a strong gag order on Apple/Amazon and then leak the
information themselves? It makes no sense.

~~~
ItsMe000001
Then it would make no sense for it to not be true either, unless one assumes
the government to spread lies to damage those companies, which also makes no
sense.

------
onetimemanytime
Very strong denial. Frankly, if true and Apple is saying this kind of a "no"
shareholders will sue.

Two possibilities: Left hand doesn't know (or can't know) what the right hand
is doing at Apple. Top secret?

Bloomberg was a victim of a hoax, some nation state (huh huhm!) wants to
target China for something so they need a story.

Based on what I've read here these past days, I'm leaning towards the second
one. Apple can hire the best or all Infosec companies in the world if security
was compromised. In other words, they'd know by now, even if they missed it
originally. Cat and mouse and all...

~~~
fossuser
Maybe someone is trying to trash Super Micro’s stock? Seems like this would be
a good way to do it.

Though simplest explanation would be the journalist is confused and the
sources inside the company aren’t very good.

~~~
onetimemanytime
SEC (and anyone else) can see the short positions, dumb move.

Plus, Bloomberg journos weren't born yesterday. This story must've been vetted
to the highest levels...looks like they've been working for a year or so on
it. It's not like they heard it at Starbucks while waiting in line. They are
sources and sources.

Now a nation state can provide multiple sources from different alphabet
agencies to Bloomberg.

------
writepub
Bloomberg needs to make a statement about all of this, either doubling down or
issuing an apology. Either ways, we need a follow up and conclusion. Can we
HN-ers tweet-request them (politely) to follow up?

------
aylmao
This article sounded a bit weird to me from the technical level, but I just
assumed it could be lack of clear understanding on the nitty-gritty from the
journalist, or just me not knowing about hardware enough to know what's
possible and how.

Given this is all getting a little fishy I'll share what had me thinking:

1\. The article mentions "they were capable of doing two very important
things: telling the device to communicate with one of several anonymous
computers elsewhere on the internet..."

Servers tend to run on VPNs. This being a dormant backdoor is believable, but
then the article mentions:

> "American investigators eventually figured out who else had been hit. Since
> the implanted chips were designed to ping anonymous computers on the
> internet for further instructions, operatives could hack those computers to
> identify others who’d been affected."

Which makes me believe the devices were active and somehow circumvented
corporate VPNs. I'm unsure how undetectable this could be using the system's
network stack (or if it would be possible at all)-- would the claim then be
that this tiny device shipped with a whole TCP/IP layer and some sort of very
powerful wireless capability?

2\. It continues with: "and preparing the device’s operating system to accept
this new code"

Is this possible? Where would a device like this need to be wired to be able
to write to memory with some arbitrary payload to do this? From the pictures
it looks like it has 6 pins maximum-- could this do? If so, wouldn't this mean
this device would need to do some next-level signal processing that would
probably require advanced computation? Could said computation be done by a
processing unit that fits the size of this chip?

Moreover, assuming it takes control of the OS independently would imply
there's some decent amounts of memory in here, to hold the payload, etc. no?
But if it's just a backdoor that doesn't take control of the OS, then how is
it communicating over the internet with other machines like the article
claims?

Again, I might be wrong and things that I don't think possible might. I'm
mostly just curious to know if my intuition is too naive. Please comment below
if you know more about these things than I do.

EDIT: I was really disappointed that the article itself didn't go into these
technicalities, because IMO this would be an impressive feat and newsworthy by
itself. The lack of alternative coverage in sources more close to technical
expertise was weird to me.

~~~
JdeBP
About halfway down, the Bloomberg article mentions a BMC, a baseboard
management controller. This is an existing part of mainboard design that has
been around for just under a couple of decades. Read up about IPMI and BMCs,
what they do and what their capabilities are. Then consider the threat,
explained elsewhere on Hacker News several times, of simply supplying an extra
ROM chip containing different firmware for that processor to run.

Focussing on the technical is focussing on the wrong thing. Bloomberg's point
was not that BMCs can do this, nor that they can be made to do this. People
have discussed these on-board systems and their problematic natures rather
widely. It was that the supply chain is vulnerable, and that (on the
assumption that Bloomberg is right) this problem with the supply chain is no
longer a hypothetical case of what an attacker government _could_ do, but is
now a documented case of what one government _has done_ , a few years ago.

------
okket
FYI: "Britain’s national cyber security agency said on Friday it had no reason
to doubt the assessments made by Apple and Amazon that refuted a Bloomberg
story that their systems contained malicious computer chips inserted by
Chinese intelligence. [...]"

[https://www.reuters.com/article/us-china-cyber-britain/uk-
cy...](https://www.reuters.com/article/us-china-cyber-britain/uk-cyber-
security-agency-backs-apple-amazon-china-hack-denials-idUSKCN1MF1DN)

------
chasd00
Incredibly interesting story and discussion, this is why i come to this site.

Isn't this practice known, if not common, in the infosec/intelligence
communities at the nation level? There's lots of stories of hardware exploits
in copy machines, faxes, etc that took place during the Cold War.

~~~
SpicyLemonZest
It's a known practice, but security-sensitive organizations have supply chain
management that's typically understood to prevent it from happening on a large
scale.

------
xmly
The rice is indeed small, but it is not small on an IC chip. When people check
the chip, they usually use a tool called microscope, like this
[https://goo.gl/1XK4YK](https://goo.gl/1XK4YK).

~~~
xmly
And there is xray to detect what is inside a chip like this:
[https://www.youtube.com/watch?v=XXDsM3mUv3Y](https://www.youtube.com/watch?v=XXDsM3mUv3Y)

These are quite mature and popular technique.

Rice is too big to be unnoticed....

~~~
rasz
No, you cant inspect inside chips with this Xray machine, its used for
inspecting solder joints under the package.

------
GordonS
The cynic in me wonders about the plausibility of all this.

Firstly, why would you add a new chip to a board, rather than alter an
existing one? That would be essentially undetectable.

Secondly, why Bloomberg? It's an odd organisation to get a scoop on something
like this.

Thirdly, they talk of the PLA approaching plant owners and such; to do all
this, a lot of people would need to know about it, from the top to the bottom.
I imagine that would be very difficult to keep secret.

Finally, the timing is very suspicious - it comes with midterms approaching,
and Trump and China arguing over trade tarrifs; it would serve the political
narrative well for China to be painted as the 'bugbear de jour', and this also
plays to the MAGA crowd.

~~~
mrb
« _Firstly, why would you add a new chip to a board, rather than alter an
existing one?_ »

Altering the flash chip would be too obvious. Looking at the flash image
(dumping it) or chip (x-raying it) would be the first thing anyone would do if
they suspected something fishy. Swapping a flash chip with a compromised one
is a textbook 101 supply chain attack...

However a small rogue chip sitting on the SPI link (between the flash chip and
the BMC) can be very sneaky: it can replace legit code with evil code ONLY
when the BMC is booting up and loading code from flash. The rogue chip would
not do that when the flash is read for verification (think dieselgate: a VW
car disabled cheats when it detected lab testing conditions!)

Also Bloomberg talks about this rogue chip being sometimes hidden within(!)
the fiberglass layer of the PCB. This is the ultimate stealthy attack. No one
expects the bare PCB itself to be already compromised by a backdoor even
before components are soldered on it...

~~~
solarkraft
Great insight. Thank you.

------
avryhof
Political mind games.

Right now, most of the tech industry, and a good portion of the news media are
at odds with the executive branch of the government.

This article puts at least one popular news outlet against several tech
industry giants. Divide.

What comes after divide? ...and who has the most to gain? I doubt it's
_actually_ our executive branch. I think they could be getting played just as
much as Bloomberg and the Tech industry.

------
yAnonymous
Consider that Apple also stated this a few years back:

>"We have never heard of PRISM. We do not provide any government agency direct
access to our servers, and any government agency requesting customer data must
get a court order."

Their whole business is built around lying to customers.

------
deft
My personal theory is this is a ploy to get people to believe Trump's anti-
china narrative meant to distract from the Russia narrative.

~~~
chvid
As an outside observer of us politics it seems to me that the democrats want
Russia as an external enemy whereas the republicans want China. Perhaps now it
seems like the republicans have the upper hand but it is not obvious how it is
going to end.

------
kerng
This will be interesting to follow, it's very unlikely there is not some truth
to this. The fact that Apple and others are pushing so strongly against the
story (very defensive) which makes me believe they are hiding something for
sure.

------
ElBarto
They complain too much...

Apple apparently entirely dropped Supermicro as a supplier over a few weeks
when they were planning a large order(source: theregister.co.uk).

The ones who should strongly deny such a story, if it is indeed incorrect, are
Supermicro. Is there a statement from them?

Edit: yes, there is. They are "not aware of any investigation". That tells me
all I need to know...

~~~
Macuyiko
They did: [https://www.bloomberg.com/news/articles/2018-10-04/the-
big-h...](https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-
amazon-apple-supermicro-and-beijing-respond)

~~~
ElBarto
Yes saw that and edited.

