
Apple tells Congress it found no signs of hacking attack - okket
https://www.reuters.com/article/us-china-cyber-apple/apple-tells-congress-it-found-no-signs-of-hacking-attack-idUSKCN1MH0YQ
======
SyneRyder
Just to throw something extra into the mix - infosec podcast Risky Business
managed to track down a source (apparently a trusted source of 15 years) who
provided photos to them of _what the source claimed_ was "extra unlabelled
components on sensitive buses" they'd found on a teardown they conducted of a
Supermicro board.

And then, _the source retracted the statement_ and said the photos were from
different equipment, and that they didn't find hardware backdoors on
Supermicro equipment.

This page on the Risky Business site explains their correction in more detail.

[https://risky.biz/RB516_feature/](https://risky.biz/RB516_feature/)

Generally Risky Business is pretty good (they had some great inside info on
the "hack" of the 2016 Australian Census), so I find this an intriguing and
interesting extra datapoint. If Risky Business can be misled this way, maybe
this is how Bloomberg could be misled too.

~~~
brennebeck
Not to go ‘too tinfoil’ here, but couldn’t that also imply the source was
discovered and harassed/served a gag, or something of that sort? (Purely as
devil’s advocate speculation)

~~~
SyneRyder
I don't get that feeling in this specific case, but I'm wary of speculating.
Patrick (the guy who hosts the podcast) and the source are probably the only
two people who actually know.

That said - listening to the podcast, where he interviews someone (who _is
not_ the source) and asks them near the end "Have you heard anything about
this over the last few years? Have you heard any rumours or anything to
suggest China is behaving in this way?" It is a _really_ awkward silence and
very nervous laugh, with a vague reply about having seen news reports. That
bit is around 22:07 in the podcast if you want to skip ahead. Then maybe go
research a bit about who the interviewee is.

~~~
pfranz
> Have you heard anything about this over the last few years?

Am I the only one? I don't take my recollection on this as fact, but I
remember a story from a year or two ago that a large company (like Apple,
Google, or Amazon) would take photographs of the boards they ordered before
they were shipped (likely from China) and compare it to what was delivered.
The way it was described was more like that was their security protocol
because of suspicions/risks of it being tampered with in transit.

------
jnbiche
Interesting. I don't think Apple would make a sworn statement to Congress if
they weren't absolutely sure it was true.

Looks like I may have been wrong--perhaps this was a false story planted by
certain US officials to slander China. Did Bloomberg get played?

~~~
simion314
Didn't some other USA official lie to Congress?

~~~
jake_the_third
Not wittingly.

~~~
mtgx
Yeah, right.

------
jpkeisala
I find it hard to believe China would risk their industry by doing something
like this where the device has "hard" evidence on spying. They can just find a
security flaw on the software and use that.

~~~
draugadrotten
It does not have to be China behind the hardware devices, if they are real,
just because they were planted in China. It could be Russia, Iran or any other
agency with enough money to pay off the supply chain. Heck, even Escobar would
have done this if he was alive. Didn't he buy military submarines at one
point?

------
jackweirdy
Time for Bloomberg to add a little more detail to their claims now, surely?

~~~
cmiles74
It would be really nice for Bloomberg to either offer more evidence or tell us
they have lost confidence in the article. Likely they will do neither.

~~~
craftyguy
> Likely they will do neither

Right, they likely have already gotten everything they wanted from the
article, there's no reason for them to damage their reputation by 'losing
confidence' in it, and providing more evidence to support the article won't
net them as much publicity/clicks/whatevers as working on the Next Big Article
will.

~~~
mruts
You realize Bloomberg doesn't really make any money from 'clicks', right? They
are a data provider, and as such, have a pretty strong incentive to ensure
their data is accurate.

~~~
craftyguy
That fits under the "whatever" category.

~~~
mruts
But the incentives are very different. Bloomberg makes almost all of their
income from the Bloomberg terminal. Their TV network, their news website,
everything else, is solely in service to their primary business.

The percentage of revenue that comes from advertising for Bloomberg is
vanishingly small. Companies follow incentives, and in this case, I think we
can reasonably conclude that Bloomberg thought the article was 100% accurate
(not saying it is though, I think it's too soon to tell).

------
21
If Apple and Amazon can be put under a NSL gag, why wouldn't they also put
Bloomberg under it? They had the whole of a year to do it.

~~~
coolspot
It is not like the PR department of Apple received an NSL gag; it is like a small
security group within Apple that found the bug has been gagged.

So neither Apple executives nor the PR department honestly know about the bug. They
deny it because from their perspective there was no breach.

------
nakedrobot2
The somewhat paranoid, but possibly correct conclusion here, just like with
some of the other recent "acts of chaos" (election tampering, and other
misinformation campaigns) is to "Blame Russia".

This might be one of the simpler explanations - Russia planted the data /
evidence / sources to Bloomberg, with the sole objective being to sow chaos in
the world. This, to me, is the only explanation where it makes sense that both
sides think they're right - Bloomberg _really did have those sources_ and
Apple et al _really didn't find any evidence of this tampering_.

(Rewind to the hours after the presidential election - those who were blaming
Russia already were labeled as kooks, right?)

~~~
21
I also thought about that.

The problem with this theory is that Bloomberg says that many of its sources
are US officials.

------
alcanatara
Hardware implants are more widespread than one would think:
[https://newcompendium.com/2018/10/the-chinese-chip-is-just-t...](https://newcompendium.com/2018/10/the-chinese-chip-is-just-the-tip-of-the-iceberg/)

------
krn
I have watched multiple hearings on the US Senate Judiciary Committee in the
last few years, and was surprised how many people managed to do both, not to
lie and not to reveal the truth, by making huge statements with extremely
carefully picked wording.

------
okket
Previous discussion from 10 hours ago:
[https://news.ycombinator.com/item?id=18163325](https://news.ycombinator.com/item?id=18163325)
(31 comments)

------
Valmar
So... were Bloomberg just bare-faced lying, then?

~~~
draugadrotten
Kremlin surely is behind this psyOps attack to undermine the credibility of
Western media. Trump. Both. China too.

That Apple found no signs of hacking only tells us that their SIEM isn't good
enough.

This spy stuff is Inception IRL.

~~~
okket
Sure. Completely unthinkable that journalists saw a "market moving" story [0]
that passed the plausibility test in details, found some anonymous sources and
went for it.

[0] "Bloomberg News Pays Reporters More If Their Stories Move Markets"
[https://news.ycombinator.com/item?id=18162440](https://news.ycombinator.com/item?id=18162440)

~~~
bsder
Sure, completely unthinkable that the NSA and big companies are attempting to
cover up a story of hacking and surveillance. <rolls eyes>

This story has been out less than 72 hours? Most of them over a weekend.

Let's let the researchers get back to work today and start actually looking
for physical evidence.

Personally, I'm _MORE_ worried with all the denials rather than less.

If there was nothing to the story, I would expect Apple to say "We don't know
anything about this" and then simply ignore the ongoing kerfuffle--especially
on a weekend.

The fact that they seem to be in full on PR mode at the highest levels on a
weekend is somewhat worrying.

~~~
unilynx
Apple is trying to position itself as the only major tech company that keeps
your data private, and this story threatens to undermine that story. So no
surprise the PR department is full at work.

What else would you expect them to do?

~~~
okket
One thing I learned from this Bloomberg story is that the human mind seems
hardwired to prefer conspiracy theories over facts and is very bad at taking
probabilities into account.

~~~
ElBarto
We don't have facts here, just competing claims.

From what I've read such an attack would be possible, and I think that if it
happened no-one would acknowledge it. This allegedly happened 3 years ago so
no-one is going to find physical evidence anyway.

The key is that it would be possible so the important thing here is for
everyone to take appropriate defensive measures.

~~~
okket
> We don't have facts here, just competing claims.

This is not a case of competing claims. Believing that publicly traded
companies would vehemently lie instead of keeping silent or using weasel words
is essentially preferring conspiracy theories.

Presenting such a case without hard, verifiable evidence is ludicrous and only
works because many people are susceptible to a bad company/bad government
conspiracy narrative.

~~~
ElBarto
Believing that publicly traded companies would not lie is rather naive.

This allegedly happened 3 years ago so there isn't going to be any physical
evidence anyway and everyone knows it.

~~~
okket
> Believing that publicly traded companies would not lie is rather naive.

You know that shareholders can sue the company if they lie publicly? That is
the reason why they usually keep silent or use weasel words.

~~~
ElBarto
As mentioned, how are you going to prove who's lying?

Why would anyone sue Apple over this? If anything a lie would help the company
as acknowledging a hack would hit the share price.

Nothing will happen, no-one is going to prove or disprove anything, and this
will quietly be forgotten.

~~~
okket
> As mentioned, how are you going to prove who's lying?

As I mentioned, the proof lies with the accuser. See

"Presenting such a case without hard, verifiable evidence is ludicrous and
only works because many people are susceptible to a bad company/bad
government conspiracy narrative."

If you think this is a he said/she said case, then you are deep into
conspiracy territory.

~~~
ElBarto
That's not a reply...

