
UK cyber security agency backs Apple, Amazon China hack denials - okket
https://www.reuters.com/article/us-china-cyber-britain/uk-cyber-security-agency-backs-apple-amazon-china-hack-denials-idUSKCN1MF1DN
======
wyldfire
I heard this on NPR [1] and thought it was interesting and hadn't seen it in
these articles on HN:

> When [Bloomberg] asked China's foreign ministry for a response, a lot of
> times they'll say things like, you're crazy; we know nothing about this.
> Their response was a little more nuanced and contextual in the environment
> we're in now. Basically they said, we are a victim of these kinds of
> attacks, too. And, you know, they're right. The U.S. government - it's very,
> very good at these kinds of hardware attacks.

Supporting evidence for Bloomberg's claim: NSA interdiction of US export
shipments [2].

[1] [https://www.npr.org/2018/10/04/654518383/bloomberg-reporter-outlines-how-chinese-microchips-infiltrated-nearly-30-u-s-com](https://www.npr.org/2018/10/04/654518383/bloomberg-reporter-outlines-how-chinese-microchips-infiltrated-nearly-30-u-s-com)

[2] [https://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden](https://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden)

~~~
stephengillie
Are you saying the NSA bribed manufacturers in China to add these to boards,
so Americans would discover them and accuse the Chinese government of
espionage? Is this the stick to the tariffs' carrot?

Remember, astronauts couldn't have met aliens on the moon, if the moon
landings were faked.

~~~
nkrisc
> Remember, astronauts couldn't have met aliens on the moon, if the moon
> landings were faked.

Now that's a debate I'd pay to watch.

------
beaker52
It could also be possible that these companies are legally bound by some sort
of investigation-related order to maintain ignorance to the presence of the
chips and that Bloomberg have just sunk an ongoing investigation/counter-
espionage operation, potentially putting an associated intelligence network at
risk.

~~~
tptacek
They're not "maintaining ignorance"; they're categorically denying it, and in
significant detail. Both Apple and Amazon produced essentially _bulleted
refutations_ of the story. That's not what you do when you're trying to brush
something off.

~~~
Alex3917
> They're not "maintaining ignorance"; they're categorically denying it

What makes you think the people denying it know about it though? E.g. if the
head of Apple security got served an NSL, wouldn't that potentially prevent
them from telling the company lawyers or the executive team?

~~~
pvg
It's a curious forum we're on where on one day there are jiggabytes spilled
over how journalists get technical things wrong and on another, they're so
reliably accurate, technology organizations making the case reporting on them
is inaccurate must have been infiltrated by men in black and have had hapless
employees flashed with a neuralyzer.

~~~
dang
Can you please not post unsubstantive comments?

HN has 5M monthly users. Obviously there isn't going to be any consistency.

~~~
pvg
It's not an 'unsubstantive' comment. There is a very large section of users
who are ardent believers in the 'Gell-Mann amnesia' effect. There are also
seemingly many, many users, as the one I'm replying to and many who've posted
similar, highly voted comments on this thread whose explanation for the
discrepancies between the reporting on this story and the company responses
amount to (in my view) to MiB but with different acronyms. I find that
curious. Maybe you don't, maybe you think those users don't overlap much or at
all, that's fair enough. But 'things people find curious about HN that you
think maybe aren't' is not 'unsubstantive' so get off my case, oppressor!

~~~
tptacek
This is a rare instance where I agree that dang has jumped the gun. I don't
see how your comment is insubstantial either, and I think HN's weird
relationship with the news media is worthy of comment. No reasonable person
reads the comment above to mean "literally everyone on HN has inconsistent
beliefs about the press".

~~~
pvg
Thanks, now I'm regretting not going with the pithier 'ur mom has 5M monthly
users' a little less.

------
sorokod
_“We are aware of the media reports but at this stage have no reason to doubt
the detailed assessments made by AWS and Apple,”_

This is a pretty mild statement, would not say it _backs_ Apple and Amazon.

~~~
JdeBP
Yes, it's not really backing them any more than the equally non-committal
statement from the Norwegian National Security Authority is. The Reuters
headline is not borne out by its article.

* [https://news.ycombinator.com/item?id=18146242](https://news.ycombinator.com/item?id=18146242)

~~~
SyneRyder
Australia's Department of Defence also has a rather vague statement in
response:

_"Defence will continue to work with the ACSC [Australian Cyber Security
Centre] to continue to monitor the situation," the spokesperson said._

[http://www.abc.net.au/news/science/2018-10-05/supermicro-malicious-chips-china-australian-government/10342006](http://www.abc.net.au/news/science/2018-10-05/supermicro-malicious-chips-china-australian-government/10342006)

------
justtopost
Does it seem a little odd for the Five Eyes to be weighing in while the US gov is
silent? I am not sure how to read this but it is weird. I have never seen them
make a public statement on a hack in a way specific to specific companies (and
not others mentioned in the Bloomberg article).

Even if taken at face value, it can only mean 2 things. 1. They already
thoroughly investigated it (draw your own conclusions what they found or any
involvement) or 2. They just issued an official statement without possibly
having the time to investigate the merits of the accusation. This not only
doesn't pass the sniff test, it's evidence of yet another turd on our lawn.

~~~
mattlondon
Or, 3rd option, they did it (not china) and are trying to play it down as a
non-event.

"Nothing to see here - move along!" while thinking of a new means to hide this
stuff in the server hardware...

~~~
kryogen1c
I don't think this is feasible. They are 100% going to get caught with this
tactic. If they were guilty in the way you guess, I think the likely response
would be to muddy the waters with FUD and create lots of confusion.

------
sorokod
The actual quotes in Reuters article:

_“We are aware of the media reports but at this stage have no reason to doubt
the detailed assessments made by AWS and Apple.”_

_“The NCSC engages confidentially with security researchers and urges anybody
with credible intelligence about these reports to contact us.”_

This is not backing.

------
akerro
Is it possible that the article on Bloomberg was state sponsored and there is
no backdoored chip under another chip?

------
hhh
If I might don the tinfoil cap, this is a mighty fine time to bring negative
light onto CN, with Dragonfly stirring the pot and a testimony from Google's
CEO next month.

------
howard941
A coworker remarked to me earlier today that the denials don't matter; true
or false, the story serves a domestic US purpose in distracting from $OTHERNEWS
(in this case the Kavanaugh circus).

------
kerng
If Bloomberg has something here (which is not unlikely) it shows how
incredibly important a free press is!

------
andy_ppp
I think there is another plausible reason for denials of course. The chip
might not be _Chinese_.

~~~
supergirl
That would actually explain the strong denials and involvement of a UK spy
agency. Being caught with NSA chips in servers would be far worse for Apple
than with Chinese chips.

------
stretchwithme
It seems unlikely that Amazon would not detect attempts to reach unauthorized
IP addresses. If you’ve used AWS security groups, you know that you can
specify what IP ranges your machines can access. While many customers aren’t
locking this access down, I’m fairly certain Amazon knows exactly what they
are doing on the AWS systems they use.

Detecting such attempts on a brand new system would spur them to identify the
source. They’d have found that chip, most likely.

~~~
rconti
Virtually any halfway competent enterprise would catch this as well. This is
network security 101.

------
zeist
I am pretty sure some security issues did happen, else Supermicro would have
definitely sued the reporters by now. But then the mild response by the US
government and the FBI in general means that the so-called attack wasn't as
sophisticated as claimed by Bloomberg.

~~~
richsherwood
On the other side of the coin, it’s possible that they have a vested interest
in keeping this quiet, as it would bring attention to their own practices.

------
mtgx
I'm not sure this is necessarily a point in Apple and Amazon's favor. Also, as
another comment here mentions, the "backing" in the title seems stronger than
GCHQ's actual statement.

------
teknologist
Easy to say if they cleaned up the evidence. What's convenient about recalling
servers is that they're all neatly lined up in racks in datacenters, making
them easy to pull out and replace. Supermicro would have lists of affected
serial numbers, allowing them to take them back and make sure there aren't any
samples lingering around for independent analysis.

------
phkahler
Why would they say anything at all?

------
wetpaws
Like many people here, I did not believe this until they started denying it so
much.

------
sjcsjc
GCHQ saying it's not true makes me far more inclined to believe it.

~~~
keehun
Just to clarify your sentence, do you mean "far more inclined to believe China
did spy on Apple/Amazon, etc"? Or you're far more inclined to believe
Apple/Amazon, etc?

------
torgian
Funny how this story comes out shortly after Apple announced you can’t fully
repair the newest MacBook pros and iMac pros without their software for
“security sake”.

Coincidence? Yeah probably, and very tin-foil hat, but who knows?

~~~
rasz
There is a TON of counterfeit Apple service parts on the market. This is the
result of the only real source of parts being pulls from recycled units, and
Apple has this neat "recycle initiative" requiring subcontractors SHRED
everything and provide detailed protocols of destruction.

Most counterfeits differ in lower quality: not-Gorilla "Gorilla Glass", lower
brightness not-quite-actual-white backlights, non-IPS "IPS" LCDs, 7 year old 4
times repackaged "brand new" batteries etc. There are also replacements with
straight up fake, dummy plastic parts thrown in, for example
[https://www.youtube.com/watch?v=TalLpLWaOV4](https://www.youtube.com/watch?v=TalLpLWaOV4).
It becomes a real brand problem when Staples "fixes" your product using scam
parts.

~~~
torgian
But there are also a ton of people using real or just as good parts to repair
their macs. Those people, who can’t afford a non-warranty repair at Apple,
will be hurt the most.

It’s especially true in east Asia. Yes, there are plenty of counterfeits, but
there are also plenty of legitimate ones too.

------
we1
Can confirm. My Boost Mobile iPhone 6 had weird memory signatures. Most likely
Chinese malicious chips.

------
rasz
Agency spying on Amnesty International, G20 summit, tapping undersea cables
(INCENSER [https://arstechnica.com/tech-policy/2014/11/new-snowden-docs-gchqs-ties-to-telco-gave-spies-global-surveillance-reach/](https://arstechnica.com/tech-policy/2014/11/new-snowden-docs-gchqs-ties-to-telco-gave-spies-global-surveillance-reach/)), with _multiple_ courts
pronouncing their data collection programs violated human rights
([https://venturebeat.com/2015/02/06/nsa-and-gchq-collusion-on-internet-surveillance-was-unlawful-says-u-k-court/](https://venturebeat.com/2015/02/06/nsa-and-gchq-collusion-on-internet-surveillance-was-unlawful-says-u-k-court/), [https://www.theguardian.com/uk-news/2018/sep/13/gchq-data-collection-violated-human-rights-strasbourg-court-rules](https://www.theguardian.com/uk-news/2018/sep/13/gchq-data-collection-violated-human-rights-strasbourg-court-rules)) wouldn't lie to us!

------
7000skeletons
"Trust me, we know a thing or two about adding malicious chips to systems." -
GCHQ, probably

------
yAnonymous
Ok, it definitely happened.

------
wlll
"Apple has never found malicious chips, “hardware manipulations” or
vulnerabilities purposely planted in any server." According to Apple.

If I were cynical, and I am, I could see that Apple aren't telling the whole
truth here.

If you don't want to find malicious chips in your servers, don't look. Just
destroy the ones you suspect and don't examine them.

