
Apple CEO Tim Cook Calling for Bloomberg to Retract Its Chinese Spy Chip Story - minimaxir
https://www.buzzfeednews.com/article/johnpaczkowski/apple-tim-cook-bloomberg-retraction
======
tunesmith
Is it precedented for a news organization to double down like this in the case
where a reporter just makes stuff up Stephen Glass style?

Because barring a Stephen Glass scenario, what's fascinating here is that no
matter which side is right, this is evidence of some sort of mysterious power
play.

Either Apple was hacked, they know, and are denying, which is evidence of them
being under the thumb of U.S. national security.

Or, they were hacked and an internal team knows and Cook doesn't, which is
evidence of U.S. national security having powerful influence inside of Apple.

Or, they weren't hacked, and Bloomberg is doubling down, which at this point
would mean that someone has successfully hacked their journalistic
verification processes to an extreme level.

In all three of those cases, it points to a level of attacker competence that
I'm not normally inclined to believe in.

~~~
moftz
Tim Cook would have to know. If there is something like a NSL involved,
Apple's legal team would have already reviewed it. That same legal team would
also be advising Cook on what he publicly says since he is an officer in the
company. He could lose his job or be fined for saying false information in the
press (think about what happened to Musk) so its in his and his legal team's
best interest to only say true things in the press or at least spin things so
they aren't blatantly false. An NSL compels you to say nothing. You can
neither confirm nor deny anything and its probably against the law for him to
outright lie about the situation in the eyes of the SEC so he has to either be
spinning things, omitting things, or outright telling the truth. The Bloomberg
piece is fantastic but that kind of attack vector does exist however narrow it
may be. I don't know why Bloomberg seems to want to double down on this. They
are either incredibly stupid and are involved in some murder-suicide plot
against Supermicro or they are telling the truth but maybe a little misguided.

~~~
stephenr
> If there is something like a NSL involved, Apple's legal team would have
> already reviewed it.

Apple's official statement clearly said, they're _not_ under any form of NSL
or gag order.

The prevailing logic seems to be that US courts still believe the government
can't force you to say something against your will, only prevent you from
saying something.

~~~
garmaine
> Apple's official statement clearly said, they're not under any form of NSL
> or gag order.

Except that a NSL can (legally) command the recipient to lie about it.

~~~
vageli
> Except that a NSL can (legally) command the recipient to lie about it.

Do you have a source for this statement? As far as I'm aware, you can be
compelled to remain silent but not compelled to give a false statement.

~~~
garmaine
You can be compelled to act exactly as you would as if the NSL had not been
issued, and indeed they seem to contain language to that effect. A reasonable
response would be to adopt a policy of "no comment" and most do, but if you
have previously responded to questions about NSLs in the negative, you would
then be required to continue doing the same.

Q: Have you received an NSL? A: No. Q: Now have you received an NSL? A: Still
nope. (Government issues NSL) Q: What about now? A: No comment.

^ This would be a clear canary indication that an NSL has been issued, which
is in directly contradiction of the terms of the secrecy requirements laid out
in the NSL. The only reasonable response (aside from supporting the ACLU and
EFF to end this nonsense) is to adopt the "no comment" policy early, which
most do. However Apple has now broken that strategy, if they haven't already.

~~~
saagarjha
How exactly do canaries work, then? Isn't the point there that you have a
canary that you remove later?

~~~
garmaine
Canaries don’t work. National secrecy laws treat a canary exactly as outright
violating the gag order.

~~~
Godel_unicode
Do you have a citation for this? Ideally one written by a lawyer.

------
parliament32
Interesting tidbit from the linked twitter post:

"Something is wrong. Blanket denials from companies, NCSC and DHS are v.
unusual. The only precedent for this is a 2014 Bloomberg article, by the same
author, which claimed NSA exploited Heartbleed, and was vigorously knocked
down with zero follow up by Bloomberg or correction."

[https://twitter.com/nicoleperlroth](https://twitter.com/nicoleperlroth)

~~~
sandyarmstrong
For the lazy:
[https://twitter.com/nicoleperlroth/status/104901890298483507...](https://twitter.com/nicoleperlroth/status/1049018902984835072)

~~~
krn
I think it's in the best interest of the US not to turn this case into
international relations nightmare.

> I mean, this is just intense now. On record statements from four different
> huge players in this field, clearly and forcefully stating there was no
> hardware-based backdoor inserted by PLA with regard to Apple and Amazon.

[https://twitter.com/hatr/status/1048859348489916417](https://twitter.com/hatr/status/1048859348489916417)

~~~
crankylinuxuser
Long story short, this is really wanting me to obtain the gerbers for the
motherboards I use, and verify the parts on the board are the parts listed.
This the basis of open source hardware.

The next step is to obtain firmware for each chip, and compile and load it on
all programmable chips. Again, but open source firmware.

Then moving up, we need an open source OS, which we have.

The last area is having open source silicon... but given that it's $10m
minimum for a basic fab, this isn't happening anytime soon. Although, FPGAs
could supplant some hardware. Then we'd need the synthesis code for the
design.

Long story short, is there a way to make a trustworthy OS if you don't trust
the underlying hardware? Is that even possible?

~~~
billylindeman
I wonder if you could solve the fab issue with some sort of xray based
checksum that is reproducible by third parties (maybe universities?)

~~~
MertsA
An xray or optical inspection would never be able to detect the doping of the
silicon so it's possible to alter the behavior of the chip in such a way as to
allow an attacker to cripple something like Intel's random number generator
RdRand yet have this be basically undetectable in software.

------
Kocrachon
I doubt anyone will see my comment since I am a few hours late. BUT, I want to
say, despite what bloomberg AND apple say, here is why I think Bloomberg
failed on this report, and didn't do enough to PROVE their claims were
accurate.

They made the flat out claim that AWS sold its Chinese infrastructure because
of the hack. But this is flat out not true, anyone who actually knows anything
about the Chinese goverment knows that AWS, same as Microsoft, cannot operate
out of China. They are required to have a PARTNER to operate in China. I
worked for Microsoft during the deployment to China, and we too had to have a
partner. We were essentially "leasing" our technology for them to run it.

[http://www.miit.gov.cn/n1146295/n1146557/n1146619/c4860613/c...](http://www.miit.gov.cn/n1146295/n1146557/n1146619/c4860613/content.html)

"According to the China Telecommunication Regulation, providers of cloud
services—infrastructure as a service (IaaS) and platform as a service
(PaaS)—must have value-added telecom permits. Only locally registered
companies with less than 50 percent foreign investment qualify for these
permits. To comply with this regulation, the Azure service in China is
operated by 21Vianet, based on the technologies licensed from Microsoft.

Microsoft Azure operated by 21Vianet (Azure China 21Vianet) is a physically
separated instance of cloud services located in mainland China, independently
operated and transacted by Shanghai Blue Cloud Technology Co., Ltd.
("21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data
Center Co., Ltd. "

So this to me proves that Bloomberg didn't fact check this story enough, and
there are holes in it. Does this mean that China DIDN'T try anything? No, but
this leaves me to question Bloombergs sources and not fact checking their
reports, as there is obvious misinformation in it.

EDIT: I googled AWS China, and this is the FIRST link.
[https://www.amazonaws.cn/en/about-
aws/china/](https://www.amazonaws.cn/en/about-aws/china/)

And at the bottom it covers all the same legality stuff. So again, its like
they didn't even bother to research AWS China for 10 seconds.

~~~
AlexCoventry
> anyone who actually knows anything about the Chinese goverment knows that
> AWS, same as Microsoft, cannot operate out of China. They are required to
> have a PARTNER to operate in China.

IIRC, the Bloomberg article is consistent with this. AWS sold their business
interests to that partner.

------
fhood
Man, I am now 90% convinced that someone intentionally misled Bloomberg. It
looks like this may end up being an extremely embarrassing episode for them.

~~~
aero142
It's all just speculation but this seems like the exact kind of story you
would want in order to pass some legislation to prevent foreign manufactured
chips being used by USG.

~~~
lwansbrough
I'm all for globalism but that's one area where the best strategy is probably
to keep production inside the borders. Not that I'd condone misleading the
press to create a case for the legislation.

~~~
sneak
Yes, manufacture the high security chips on one of the many 7nm fabs in the
US.

I suppose it also follows that the fab and design should be staffed only as
NOFORN? That rules out the lead on the Apple silicon team.

I don’t think you understand how this works. This isn’t a nationalism vs
globalism thing.

~~~
lwansbrough
You're the one that jumped from no foreign production to no "foreign"
employees. Of course there's a difference between a factory operating under
the supervision of the People's Liberation Army and an immigrant working in a
lead role at a company.

My comment is basically a pre-reaction to nationalists who would want to use
this situation as an excuse to bring as much manufacturing work home as
possible, even if it doesn't make sense (and if this were all a ruse, it would
be a good way to get the White House on board.) Granted, it would also be
pretty dumb to trust your adversary (from a national defence perspective) to
build your weapons for you. Which is what the US is doing to a certain degree.
Of course this is about globalism, because it's what lead to this situation in
the first place. But nationalism, importantly, is not the solution. That's
what I hope people take away from this.

~~~
sneak
Who is the adversary, though? You assume chinese nationals in the PLA are. Are
chinese nationals in California working for Apple the enemy, too? What about
chinese nationals in China not in the PLA that just work on the line?

My point via the contrived example is they countries are fictions and so is
citizenship and presence in one or “possession” of one is no way a litmus test
for “adversary” or even a reasonable proxy.

“China” isn’t a person, and so “China” can’t be an adversary. (Even if it
could, that would be dumb, for reasons explained above.)

------
stingraycharles
It’s fascinating to see this story unfold. On one end you have Bloomberg
doubling down on their claims, and here you have Apple making a move that
shows their confidence in their claims.

For a while I was buying the subpoena theory, but this action clearly doesn’t
fall under that, and they would be setting themselves up for serious liability
/ damage claims if it were true.

Either there is some gross miscommunication going on inside Apple and Tim Cook
is not properly informed - which is very unlikely at this point - or there
might be less truth to Bloomberg’s story.

The frustrating thing is, we’ll probably never know the answer.

~~~
parliament32
>Tim Cook is not properly informed - which is very unlikely at this point

Humor me, why is this unlikely? Why is it not possible that (whatever three
letter agency) grabbed a few engineers, told them to do X without talking to
anyone else, at the risk of them and their families getting disappeared to a
black site?

Besides, in security controlled jobs it's perfectly normal to not be allowed
to disclose what you're working on even to your direct superior. This idea
that Tim Cook / Apple PR _must_ know everything that's going on at Apple is
kinda ridiculous.

~~~
jmull
Well, who scrubbed the emails? Who scrubbed the data center record? And the
financial records and shipping records? Who hid the motherboards?

It’s going to take more than a couple engineers to cover this up completely.

Also, if the consequence for talking about this is being disappeared, why
weren’t the Bloomberg reporters disappeared some time during the year they
were working on the story?

And why exactly would a three letter agency do this to protect Apple?

It just doesn’t make any sense.

~~~
philwelch
They're not doing it to protect Apple, they're doing it to protect their
sources and methods within Apple. Tim Cook isn't a huge friend of the FBI
([http://time.com/4262480/tim-cook-apple-fbi-2/](http://time.com/4262480/tim-
cook-apple-fbi-2/)) so if the FBI has a counterintelligence op embedded within
Apple, they're going to want to hide it from Cook.

------
mrb
In the past, Apple has lied about a severe security incident involving Super
Micro hardware.

In 2016 Super Micro Senior Vice President of Technology himself said Apple
found "infected firmware." It was so bad that Apple "discontinued future
business [with Super Micro] as a result of a compromised internal development
environment". Strangely Apple at the time was denying the whole thing:
[https://appleinsider.com/articles/17/02/23/server-
firmware-s...](https://appleinsider.com/articles/17/02/23/server-firmware-
security-incident-in-2016-forced-apple-to-sever-ties-with-vendor-super-micro)
But today, 2 years later, in a statement denying the current spy chip saga,
Apple now appears to acknowledge this 2016 security incident, while minimizing
it: they say it was "an infected driver on a single Super Micro server in one
of our labs" ([https://www.apple.com/newsroom/2018/10/what-businessweek-
got...](https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-
about-apple/))

Why would Apple deny then 2 years later confirm this security incident?

As usual, the truth is probably somewhere in the middle. It is very possible
the anonymous sources at Apple who support the spy chip story are not
technical persons and are confusing this 2016 incident with the spy chip
incident (in fact it's what Apple theorizes in their statement.) It is very
possible the spy chip does exist and was found at some companies, just not at
Apple.

I also find it very interesting that the FBI, the one organization allegedly
at the center of this saga investigating the spy chip, has remained completely
silent, neither confirming nor denying the story.

~~~
abalone
In the past, these Bloomberg reporters have misreported on NSA exploiting
Heartbleed. Here is the Washington Post giving them shit about it:[1]

As for the 2016 incident, read Apple's denial more closely. They denied
finding infected firmware on servers purchased from SuperMicro. What happened
is someone in the design lab (not in production) downloaded infected firmware
from SM's support site, where it was "still hosted".[2] While you might say
Apple could have been clearer at the time, that is nothing like the very
strong, clear, detailed denials at hand here.

[1] [https://www.washingtonpost.com/blogs/erik-
wemple/wp/2014/04/...](https://www.washingtonpost.com/blogs/erik-
wemple/wp/2014/04/23/bloomberg-celebrates-challenged-story-on-the-nsa-and-
heartbleed-bug/?noredirect=on&utm_term=.80bc2dac8b45)

[2] [https://arstechnica.com/information-
technology/2017/02/apple...](https://arstechnica.com/information-
technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-
bad-firmware-update/)

~~~
ams6110
> someone in the design lab (not in production) downloaded infected firmware
> from SM's support site

Other than the claim that the infected firmware is "still hosted there" (which
beggars belief) that sounds more like an engineer was spearphished and fooled
into downloading firmware from what _he believed to be_ the SM support site.

~~~
abalone
FYI "still" meant as of the time of the follow-up reporting in 2016, not
today. I think it's believable that SuperMicro's support site got hacked. But
I agree that was an incident on par with a sole developer installing malware
on their system, not a supply chain compromise or major security incident with
production systems.

~~~
philipodonnell
Isn't hacking the support site a supply chain compromise?

Much discussion about software supply chain attacks was around the role of NPM
as a vector, which can be thought of as a source of "drivers" that make
various products and services work, similar to the role that a support site
for a physical manufacturer plays.

~~~
abalone
I meant the supply chain for their data center. But I won’t split hairs.. yes
support site compromise is a supplier problem and probably a factor in Apple
shifting away. But clearly Apple had more protections in place for their
production systems than what some dev installed in the design lab. So I think
Apple’s denial is fair.

------
wpdev_63
I really have little doubt that the Chinese are integrating their spy chips
into computer hardware going to the big four or even the pentagon. It's
probably how they stole the designs to the f-35[you know that plane that costs
over a trillion dollars to develop]. It would catastrophic if apple knew or
even acknowledges the possibility of the Chinese having a backdoor into their
servers and would result in massive shift in policy[+profit].

The NSA has been known to intercept electronics in shipping and putting in
their own specialized pcb board replacements with microphones, cameras, etc.
and are _very_ hard to detect. Hell the Russian even went back to typewriters
for security purposes[0]. It would be foolish to think that the
Chinese/Russians aren't doing the same thing to us.

[0]:[https://www.telegraph.co.uk/news/worldnews/europe/russia/101...](https://www.telegraph.co.uk/news/worldnews/europe/russia/10173645/Kremlin-
returns-to-typewriters-to-avoid-computer-leaks.html)

~~~
jschwartzi
I find it extremely hard to believe that China is inserting magic backdoor
chips into all of our computer hardware. What's much more likely is that they
were able to bribe or threaten some engineers into giving information away.
That's been a common tactic since spying became a thing.

~~~
wpdev_63
This[0] is a backdoor that was discovered _only_ through reading patents on
the chip. It gave the highest possible privilege(ring -4) to the user by
simply running an undocumented cpu register. It would be incredibly easy to
hide something like this within one of the 100 of thousands of computers that
go to the big 4 or even the pentagon.

I'd imagine people at the pentagon select randomly from a number of computers
coming in and do some chip analysis like this[1] but I can only speculate and
they probably can't stop all the hardware backdoors this way.

Anybody that would be caught disclosing highly classified information would
probably be found and promptly hanged(or get in some sort of freak car
accident). They probably have some serious counterintelligence to catch the
leaks. Once again I am only speculating.

[0]:[https://www.youtube.com/watch?v=_eSAF_qT_FY](https://www.youtube.com/watch?v=_eSAF_qT_FY)
[1]:[https://www.youtube.com/watch?v=0Z4aF-
qiziM](https://www.youtube.com/watch?v=0Z4aF-qiziM)

~~~
makomk
The existence of the Via C3 "backdoor" was actually documented in the official
datasheet, along with the correct MSR bit to enable/disable it. See page A-10
in appendix A:
[http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemia...](http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemiah%20Datasheet%20R113.pdf)
Apparently the researchers either couldn't find a copy or didn't notice that
part.

------
cwyers
And Bloomberg is standing by the story.

All of the people who think that Apple is being misled coerced by the
government into denying factual reports, I want to know how that belief is
squared with the _lack_ of a retraction. If the government is powerful enough
to get Apple to go to these lengths in defense of a falsehood, why can't they
convince Bloomberg to retract?

~~~
allemagne
At this point I don't think Apple is lying or the Bloomberg story is accurate,
but I do think that some hypothetical coercion of Apple would be much much
much less problematic than the government literally forcing a press
organization to publish false information.

~~~
dannyw
Perhaps the answer is that Bloomberg were mislead, either by intentional state
agents* or by a reporter who recklessly mis-understood and/or cherry-picked
sources?

* not necessarily from the US.

------
electrograv
I think _Bloomberg was probably irresponsible to publish the Chinese spy chip
story, whether it was true or false!_ Here's why:

* If the story is _false_ , it's irresponsible because it causes severe monetary and reputational damage to companies that do not deserve it (e.g. Supermicro's stock is still down _~ 40%_ ).

* If the story is _true_ , it's a MAJOR breach of classified information from US intelligence operations; operations which I assume (without evidence to the contrary) are operating in good faith -- in the interest of the US and its citizens. Breaching classified information of such ongoing investigations to trace supply chains of spy chips could very well compromise those investigations (which would be irresponsible to risk).

So either way, it's irresponsible IMO.

P.S. IMO you cannot justify leaking this kind of info by comparing to Snowden,
for example, because Snowden was a whistle-blower revealing information about
operations that compromised citizens rights, which even congress was lied to
about.

~~~
blueboo
Hold on. If a reporter is uncovers hostile, state-sponsored corporate
espionage in extant, US hardware, it's "shockingly irresponsible" to report
that? The putative fact that our supply chain is so totally compromised is
immediately relevant to everyone. I'm sorry-not-sorry if that's inconvenient
for the FBI and Tim Cook.

In a context where the geopolitical and commercial forces would all strongly
prefer that such things never come to light, I'm on the side of more sunlight,
not less.

~~~
electrograv
It's not that the information is irrelevant, it's that knee-jerk responses to
leaked information may be worse than coordinated and planned responses to
national security threats.

Shining a light on this too early (assuming this wasn't an intentional "leak")
could be akin to applying antibiotics to an infection prior to actually
knowing what exactly the infection consists of, and discontinuing the
treatment too soon (we all know how short the attention span of our news
cycles are).

It doesn't seem unreasonable to analogize fighting spy networks to fighting an
evasive infection: If you attack the infection with a half-baked or
inconsistent treatment, you risk just breeding stronger infections that are
even better at evading you.

Maybe I trust the US intelligence agencies too much, but it seems likely that
they know what they're doing here. And so far, I've seen no evidence contrary
to my default assumption that they're operating in best faith for the
interests of the US and its citizens _in this case_.

------
cronix
Let's just say the Bloomberg reporting is accurate for the sake of discussion.
They claimed it wasn't ONLY Apple, but also the NSA, CIA, military and other
_critical_ defense/intelligence systems used some of these boards. Do we think
those "entities" wouldn't do _whatever_ they had to do in order to keep that
secret, legal or not, to preserve national security? What would the public
response be if everyone knew our major national security systems were
breached? I think it would cause a panic immensely larger than if we knew
Apple was breached.

I do agree with others that Apple has a hell of a lot to lose if this story
proves to be true, but I think that's really more of a footnote compared to
what will happen if the article proves to be true in its entirety. The data
Apple has is nowhere near as critical as the data the NSA/CIA/MIC have.

------
sharemywin
“Seventeen individual sources, including government officials and insiders at
the companies, confirmed the manipulation of hardware and other elements of
the attacks. We also published three companies’ full statements, as well as a
statement from China’s Ministry of Foreign Affairs. We stand by our story and
are confident in our reporting and sources.”

~~~
gvb
OTOH, Joe Fitzpatrick, one of the few named sources, is very very doubtful of
the veracity of the story.

Blog interview with Joe Fitzpatrick:
[https://risky.biz/RB517_feature/](https://risky.biz/RB517_feature/)

[https://appleinsider.com/articles/18/10/08/security-
research...](https://appleinsider.com/articles/18/10/08/security-researcher-
cited-in-bloombergs-china-spy-chip-investigation-casts-doubt-on-storys-
veracity)

~~~
woodrowbarlow
that's a credible perspective but let's not be vague: fitzpatrick wasn't a
primary source, he is an expert on hardware implants who was consulted by the
reporter prior to the original publication.

~~~
duskwuff
Fitzpatrick wasn't a primary source, but somehow his theories on how an
implant could _theoretically_ be implemented appeared in the Bloomberg story,
as details of how it was _actually_ implemented. This seems really fishy.

------
cmurf
Shades of Operation Mockingbird (1953), and "The CIA and the Media".
[http://www.carlbernstein.com/magazine_cia_and_media.php](http://www.carlbernstein.com/magazine_cia_and_media.php)

Of course, whether the story is true or not matters, but at least as important
is who Bloomberg's source is - as that goes to motive for releasing this
information (true or false). And it isn't just Bloomberg who will be asking
these kinds of questions.

~~~
RaceWon
Well, Bush did say this ended in 1976 [1] "In February 1976, George H. W.
Bush, the recently appointed Director of the CIA, announced a new policy:
'Effective immediately, the CIA will not enter into any paid or contract
relationship with any full-time or part-time news correspondent accredited by
any U.S. news service, newspaper, periodical, radio or television network or
station.'{13} He added that the CIA would continue to 'welcome' the voluntary,
unpaid cooperation of journalists."

So there you go. Proof positive.

\+ 1 On Mockingbird btw, I was reading the comments before I posted it myself.

[1][https://ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1m...](https://ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/Operation_Mockingbird.html)

------
androidgirl
Really interesting twist in a crazy story that's gotten this far. I'm
interested in seeing how this all plays out, Bloomberg's reaction, etc.

At this point I don't know what to think, so I'm waiting for the consensus.

------
jmull
So interesting.

With a year of reporting on this story Bloomberg has a LOT of unpublished
info. If they are correct they should have a ton of information to back up the
claims in their story, including plenty of stuff to put the lie to some/many
of the specific denials Apple has made.

Maybe they are waiting, to let Apple hang itself with strong, detailed, public
proclamations. Then, bam! They publish all their proof, blowing up Apple's
denials, forcing Cook and many other to resign, etc.

Or... they've actually got nothing. In that case they won't be able to refute
Apple. Either they slink away, hoping everyone forgets, or issue a massively
embarrassing retraction.

I'm fascinated to see what happens. I think we'll know in the next few weeks
or months at the most.

~~~
htk
They might have nothing, but even so, celebrate.[1]

[1]:[https://www.washingtonpost.com/blogs/erik-
wemple/wp/2014/04/...](https://www.washingtonpost.com/blogs/erik-
wemple/wp/2014/04/23/bloomberg-celebrates-challenged-story-on-the-nsa-and-
heartbleed-bug/)

~~~
sooheon
Looks like a similar pattern and the author is the same as with this "Big
Hack". But I don't see any hard evidence to say that Bloomberg is completely
wrong, either. Just that NSA etc. have officially denied it (which you assume
they would).

------
apeace
Is the following a possible explanation?

* Random Apple engineer finds the implant.

* Goes directly to FBI without telling boss at Apple.

* FBI gags the engineer, says "Do not even tell your boss about this, it's national security and we're handling it".

* Bloomberg catches wind of this (maybe the same engineer leaks to them?), publishes their story.

* Engineer is now freaked, goes back to FBI and says "Are you really sure I shouldn't tell by boss?" and they say "Yes, we're sure, you are legally bound to secrecy".

I don't know how security teams, the FBI, or national security work. But
that's the only scenario that comes to my mind which would explain both sides
being _completely sure_ of their version of the story.

~~~
xGrill
> Goes directly to FBI without telling boss at Apple.

This is really hard to believe. An engineer who found this bug at Apple would
most likely be praised for finding it. It is a huge discovery. What motivation
would he have to not tell his manager?

~~~
jsoc815
> _would most likely be praised for finding it. It is a huge discovery._

Seriously, history, recent and otherwise, is littered w/the ghosts and
carcasses of employees who were anything but rewarded for identifying problems
great and small.

Oftentimes the safest thing to do is to pretend that one saw/heard/knows
nothing while hoping that _someone else_ has the steel to sound the alarm.

And for this sort of situation, there's too much at stake and are too many
known and unknown stakeholders involved to blindly believe that this would be
an exception to what I wrote above.

On a separate but related note, for those playing the "conspiracy theory"
game: \- On October 4th, Bloomberg releases _The Big Hack_ story; and \- On
the same day, VP Pence gives a speech at the Hudson Institute about...? China
being a bad actor which indulges in all sorts of behavior (that the United
States would never ever engage in or condone).[1]

Factor in the "trade war" and long-ongoing attempts to 'encourage' companies
to rethink their supply chains/ relocate production...

[1] [https://www.hudson.org/events/1610-vice-president-mike-
pence...](https://www.hudson.org/events/1610-vice-president-mike-pence-s-
remarks-on-the-administration-s-policy-towards-china102018)

~~~
jsoc815
Hmm... flags and more down-votes, but still _no counterarguments_ or
questions. (Dang, what's up with that?)

Anyway, here's a _September_ article from Axios entitled, "The Trump
administration's secret anti-China plans" [https://www.axios.com/trump-
administration-anti-china-campai...](https://www.axios.com/trump-
administration-anti-china-campaign-2c17776d-ad80-4a79-b6a7-912927059833.html)

From the article: "The broadside against China — which is planned to be both
_rhetorical_ and substantive — will be _" administration-wide,"_" [emphasis
added] ""The push is coming from the national security apparatus," the source
added."

Personally, _I hope no products are compromised, ever_. That's probably not
the case, and either way, the average person won't care much in the short
term. Busy w/other stuff, _they probably don 't remember this story today, if
they even heard about it._ Businessweek is, after all, a business magazine
_targeted at a pretty specific audience_.

As for whether Bloomberg's story is part of a wider campaign, I don't know and
don't believe I've said otherwise. _It doesn 't really matter to me_, as I
know that a game is on and that it isn't unreasonable to use such a story
while playing. I've seen and heard all sorts of curious things in the last few
years. Nothing about today's environment tells me that I'll have fewer such
occurrences.

Toodles, kids.

------
AnthonyMouse
The interesting thing about this story is that everyone is hopping up and down
trying to figure out if it's true, but the one thing everybody agrees with is
that the attack is practical. Whether it happened in this specific case or
not, what are we doing to prevent it from happening in general?

~~~
zaphar
I was under the impression they all agree it's theiretically possible but
wildly impractical to pull off.

~~~
AnthonyMouse
The wildly impractical parts are some of the specific details, e.g. the
logistics of getting a specific board to a specific customer without involving
enough people that it creates a high risk of getting caught.

But if you just backdoored a random 10,000 boards out of ten million and let
them go to 10,000 random customers, you would get internal access to thousands
of random companies, and at least some of them would be interesting.

------
tango24
> “We turned the company upside down,” Cook said. “Email searches, data center
> records, financial records, shipment records. We really forensically whipped
> through the company to dig very deep and each time we came back to the same
> conclusion: This did not happen. There’s no truth to this.”

Wow, ok then..

------
vectorEQ
hardware implants are why people do chip decapping and hardware assurance.
this practice is more old than cybersecurity itself. even IF this story is
false, the fact is that some actors implant chips into many many devices.
these come from china, but ofcourse the contractors who make these chips
aren't neccesarily only serving their own masters - that is an assumption. And
lets not start about how hypocritical it is to put everything on china all the
time while western governments just implement the same backdoors and data
harvesting techniques in software. lawful intercept is a documented way to do
it, but there's plenty undocumented. (as that once also was.)

if you doubt this information, look on youtube for 'chip decapping defcon' and
see how 2 british persons show how they do this kind of assurance work and
show how people have already found these kind of implants many many many times
before.!

------
nil_pointer
Tim Cook has called China the biggest and most important market for Apple.
With this in mind, of course he wants the story retracted. Appeasing China is
the most important thing for Apple. It definitely doesn't mean the Bloomberg
story isn't true, though.

~~~
GeorgeTirebiter
Exactly. Why hasn't Apple sued Bloomberg?

------
exabrial
This is turning out to be one of the most bizarre news stories ever

------
hugh4life
If it turns out to be false, should the SEC look into it?

~~~
jsoc815
Possibly, but in all likelihood, no.

I know that some people here like to get hung up on literal interpretations
and stated missions, but _they really shouldn 't_. (Sorry, can't get into it
here.)

For many reasons, there isn't a lot of good that would come from them making a
big deal about this _among the general public._ Feel free to see my earlier
post.[1]

[1]
[https://news.ycombinator.com/item?id=18141186](https://news.ycombinator.com/item?id=18141186)

~~~
jsoc815
Seriously, how is a public SEC investigation going to benefit the "integrity"
of the system and "inspire confidence among investors"?

If the story is both fake and some grand market manipulating plot, most people
involved are 1) going to hope that the public forgets that this story ever
was; and 2) deal w/this privately.

But since some clearly disagree, I eagerly await your well-informed case.

------
raarts
If the Chinese can infect hardware, and they obviously can, they could also
infect phones. Where are phones manufactured? How easy would it be to move the
manufactoring back to the US?

All this is a PR and business Armageddon.

------
weliketocode
There are so many conspiracy theories around how the story could be true, but
seemingly no theories about what happens if the story is false.

------
bigbluedots
Now would be the time for Bloomberg to publish some of the hare evidence they
have from the year-long investigation. Let's see it.

~~~
panda888888
The involvement of Elemental is enough evidence for me. A then 200-person
startup with maybe 10 hardware engineers and lots of government clients would
be a great target. It makes me thing the hack was real.

------
appleiigs
What happens to Tim Cook if Bloomberg is correct?

~~~
Pharmakon
He utterly loses the confidence of his shareholders and customers, and
probably leaves Apple. I don’t know if this story is true or not, but I doubt
he’s going to be in a position to be proven outright wrong. I’d he were, I
think he’d be keeping shtum.

~~~
brynjolf
He lied to congress before about tax. I think he will be fine. He is a
seasoned and perpetual liar.

------
mohammedbin
Something I posted elsewhere -

I highly doubt Bloomberg would run this story without a lot of faith in this.
Michael Bloomberg has strongly hinted at plans to run for president on a
democratic ticket and it's in his interest to undermine trumps anti-china
agenda and something you can expect his eponymous news org to help him with.

~~~
jimmydef
Journalistic freedom in the US has allowed American journalists and news
organisations to publish a lot of untruths. The hurdle to prosecute for
slander and libel is much much higher in the US than many other European
countries. We can debate its pros and cons but that's the way it is currently
and Michael Bloomberg would not be affected in the slightest even if it turns
out the story is all toss.

This is especially so in the current "China threat" political climate in the
US. China is essentially a boogieman in the US right now and attacking it has
proven to be a great generator of votes for politicians.

~~~
mohammedbin
I agree with all you said but it seems that you misunderstood what I was
trying to convey (or I what you were trying to convey)

I'm saying Bloomberg the publication is likely right about the story because
they are taking a stand that hurts Bloomberg the persons presidential
aspirations. They wouldn't have ran it unless it really was something.

------
oh-kumudo
Likely Bloomberg is wrong. There is enough time for them to offer concrete
evidence just for the sake of spinning more drama and hype. The attention they
are getting by proving Apple/Amazon is lying would be incredible.

Yet, there is nothing except denial and then silence.

Without going too far into the conspiracy realm, the answer right now is that
they can't. The longer they still quiet, the bigger joke they will become.

------
reilly3000
I don't understand why China would do such a thing, when they have a pretty
effective dragnet on US cell towers and routing equipment (alleged to me by a
security expert). Hardware seems like such a fragile and expensive hack. That
said, even if the story is a complete fiction it does help shine light the
surveillance state that has emerged in China, and its global ambitions.

------
tw1010
Has anyone written a blog about the game theory of this whole ordeal? Feels a
bit like the snowdrift game.

~~~
why_only_15
I feel like we don't really know enough what is happening. It is very
possible, as another commenter mentioned, that both sides are acting in good
faith.

------
Stryder
There is a distinct whiff of the aroma of propaganda around this one.

------
pastor_elm
Bloomberg says they have THREE senior sources at Apple. Why would they
retract? My guess is Cook is fishing for the leaker.

------
Rainymood
Remember that article where Bloomberg employees get paid more if their stories
move markets? Yeah ...

------
grillvogel
guys the government and corporations all told us that it wasn't true, we have
to believe them. they wouldn't lie about this.

~~~
elicash
Let me ask you the question this way.

What evidence would have to be produced for you to disbelieve the Bloomberg
reporting?

------
Sephr
[comment deleted]

~~~
jim-greer
In the US a plantiff must prove negligence or malicious intent to win a libel
case. That's a very high bar.

------
qubax
Something like this only happens when there is a rift within the
elite/intelligence community.

Both apple and bloomberg are heavily back by intelligence and elite community.

Bloomberg would never have published this story without the approval or
permission of some section of the intelligence community. And apple/amazon/etc
would never have come out against it as strongly without the approval or
permission of some section of the intelligence community.

Seems like after Trump's election, there is a war between globalist pro-china
elites and the nationalist anti-china elites.

This story, saudi journalist story, north korea, china, russia, europe,
brexit, etc... There is a rift within the elites. We'll never know the behind
the scenes full story but it should be interesting to see how things unfold.
Are we on the cusp of a global paradigm shift or will the old guard win and
maintain power?

------
crimsonalucard
We live in a fantasy world, a world of illusion. The great task in life is to
find reality.

------
rajacombinator
If Apple is proven wrong, will they have to retreat from the rapacious anti-
consumer design and pricing decisions of recent years? If so - wishful
thinking, I know ... - I’m hoping they get btfo by Bloomberg.

------
moocowtruck
i'd rather these big companies like apple faceboook google, to own up to their
security breaches and waste less time on bloomberg crap

~~~
cirenehc
Allegations of a security breach is useless without evidence backing it up. So
far, Bloomberg has provided zero evidence.

~~~
paleotrope
Yeah, someone needs to cough up a compromised board here. Otherwise the whole
story stinks.

------
newscracker
With all the strong denials so far, my guess is that heads are going to roll
at Bloomberg and that there may be retractions. Worst case, Bloomberg gets
caught as publishing fake news endangering entire countries and companies, and
closes shop in shame. There’s too much at stake for Bloomberg here.

Hopefully someone at the top at Bloomberg is taking this seriously and looking
at some quick and decisive actions. These back and forth exchanges don’t seem
to be working well in Bloomberg’s favor as far as perceptions are concerned.
Bloomberg might also find itself an outcast in the tech circles.

~~~
fipple
LOL. Bloomberg is not going to "close shop in shame" over this. I seriously
have no idea what set of assumptions you must be using to think that this is
even in the realm of possibility. It's like saying "worst case, an asteroid
hits us in 20 minutes."

~~~
karmelapple
Agreed that they won’t close shop over this, although it could be similar to
how Dan Rather stepped down from CBS over the document controversy.

[https://en.wikipedia.org/wiki/Killian_documents_controversy](https://en.wikipedia.org/wiki/Killian_documents_controversy)

~~~
ghaff
The thing with the Killian documents case is that, while CBS (presumably)
didn't knowingly run a false story, they were very negligent in their sourcing
and verification. They wanted the story to be true too much. [ADDED: We don't
know at this time whether the same can be said of Bloomberg, assuming the
story unravels.]

Other news organizations were also pretty mad at CBS over this. There was a
story around W's National Guard service that actually didn't depend on the
Killian documents. But once those documents were determined to be fake, it
pretty much blew up the reporting around the story generally.

