
AWS CEO Jassy follows Apple in calling for retraction of Chinese spy chip story - magoghm
https://www.cnbc.com/2018/10/22/aws-ceo-jassy-follows-apple-calls-for-spy-chip-story-retraction.html
======
jackconnor
There should be hundreds of thousands or millions of these hacked
motherboards, and nobody has found a single one despite hardware geeks
worldwide searching like it was Willy Wonka's final golden ticket. This story
was bogus, it most likely came from a ton of rumors that got conflated, which
is why they had to go with anonymous sources as opposed to any physical evidence.
I'd be surprised if Bloomberg has any credibility in tech journalism by the
end of the year, and a good chance they may end up stuck in a courtroom trying
to defend the decision to run this piece (on the front page, no less) for a
long, long time.

~~~
sonnyblarney
"There should be hundreds of thousands or millions of these hacked
motherboards"

No, the boards would be selectively hacked.

And we know it happens because 'we' do it as well.

Surely there is evidence floating around but it's also unlikely that companies
would want to admit the breach.

I kind of believe Apple and Amazon though, there's too much risk if they were
to be caught lying.

This is a weird one ...

~~~
paxys
You just need ONE board to be able to prove it. Surely Bloomberg or their
sources can get their hand on a single piece?

~~~
michaelmrose
So if a newspaper wanted evidence that your company fucked up, you would go and
dismantle company property to discredit your employer, knowing that it's likely
to damage them and ruin you?

~~~
fjsolwmv
If you want to blow a whistle, yes. If not dismantle, at least photograph the
object. If your employer retaliates, you can make good money in speaker fees
retelling the story, or get a job at a company that wants to be known for good
hardware security.

~~~
rbanffy
Getting a job is not necessarily a reason to jeopardize a whole career in the
intelligence community. People in public service sometimes have feelings about
serving their country.

------
simonebrunozzi
(disclaimer: I worked at AWS from 2008 to 2014 as Technology Evangelist, and
know Andy Jassy personally)

I know nothing specific about the issue per se, but I am convinced that Andy
Jassy is speaking the truth here, for two reasons:

1) I've never seen a company as obsessed with security as AWS, and/or with
such a big budget for security.

2) There are so many actors/employees involved in the audits, security, etc.,
that convincing some of them to "hide" a fact like this would be just too
risky for a company that big. If that were really the case, I would rather
work on a contingency plan, assuming that sooner or later the "leak" would
come out.

There is a tiny chance that something bad happened, and that Amazon's magic PR
twist managed to still provide a truthful statement (Steve Schmidt) while
hiding that. "A chance", because of the various back and forth business
between AWS and Chinese companies. "Tiny", because other scenarios are much
more probable and plausible.

This looks like a very poor example of journalism, on Bloomberg's side.

On a different note, I still believe that weird/illegal stuff keeps going on
between companies and governments worldwide, for the simple reason that these
things keep coming up when there's a new leak, or when secrecy on certain
classified documents gets lifted or expires.

~~~
brynjolf
If we reverse the roles, we notice how little information you actually provide
except your own opinions.

~~~
dis-sys
Expressing yourself on an online forum is vastly different from publishing
that Bloomberg article with those very specific accusations.

Also, I want to know who "we" is here. Please stop representing other people
without their explicit consent.

------
abalone
Gruber doesn't get posted on HN much for some reason but he found a great
tidbit on this: The reporters were flippantly dismissive of the (strong and
repeated) company denials.[1]

Jordan Robertson was on TV saying companies have no "advantage" in
"confirming" his reporting because "no consumer data [was] stolen." He seems
to take very casually the distinction between "not disclosing" something and
outright lying and engaging in an industry-wide conspiracy about it. He later
tried to walk back that line but it's an interesting window into their
mindset. It doesn't strike me as particularly strong journalistic reasoning.

[1] [https://daringfireball.net/linked/2018/10/22/jassy-bloomberg-should-retract](https://daringfireball.net/linked/2018/10/22/jassy-bloomberg-should-retract)

------
fanzhang
The lack of confirming evidence is a strong sign the Bloomberg reporters were
played. It's interesting to wonder who might have done that though -- US
businesses who might gain? Those from within the administration?

Regardless of the truthfulness of the report, the damage is done and the hack
story fits in well for the protectionist trajectory the US is taking.

~~~
leoc
It's certainly not the case that the US government has been above
disinformation campaigns aimed at its own citizens, even in the recent
([https://www.wired.co.uk/article/mirage-men](https://www.wired.co.uk/article/mirage-men),
[https://www.dailygrail.com/2013/06/a-fractured-hall-of-mirrors/](https://www.dailygrail.com/2013/06/a-fractured-hall-of-mirrors/))
or very recent
([https://www.nytimes.com/2017/12/16/us/politics/pentagon-program-ufo-harry-reid.html](https://www.nytimes.com/2017/12/16/us/politics/pentagon-program-ufo-harry-reid.html))
past. Though of course there would be much more political
risk in lying to Bloomberg News than in using up and throwing away an old
ufologist loser like Paul Bennewitz. (Still, it's even a little surprising how,
in a country which avows military patriotism as strongly as the USA, the USAF
can contribute to the destruction of a patriotic WWII veteran, then publicly
gloat about it afterwards, and absolutely no-one gives two shits.)

~~~
sterlind
What evidence do you have that AATIP was a disinformation campaign? The UFO
story was extremely weird, but I've seen no evidence that the Pentagon
fabricated the footage, or somehow coerced Fravor into lying on primetime TV.

Moreover, what would the Pentagon gain by running a UFO psy-op?

~~~
akiselev
_> Moreover, what would the Pentagon gain by running a UFO psy-op?_

I've always wondered whether the magnitude of UFO sighting reports makes it
more difficult to glean intelligence about US aircraft/reconnaissance
research. If, for example, Area 51 was responsible for cutting edge stealth
aircraft research, it would be much more difficult to spy on the program
through the civilian population if real sightings are indistinguishable from
the flood of alien UFO sightings.

~~~
sterlind
I've read that during the Project Blue Book era, the CIA was worried the
Soviets might fuel rumors of UFOs, so that civilian observations of Soviet
aircraft would get chalked up to aliens by a gullible public, and reports of
unusual activity would be discredited.

I don't have the citation on hand but the declassified PBB files are available
on the Internet Archive.

------
Steko
An easy way Bloomberg could support their story: allow one or more of their
"senior insider" sources at Apple/Amazon to speak with another outlet (AP,
NYT, whoever) who agrees to maintain their anonymity.

~~~
jackconnor
One of the interviewees did speak (though he's not Apple or Amazon), and said
that Bloomberg completely misrepresented what he said to support this theory,
which he totally disagrees with:
[https://9to5mac.com/2018/10/09/bloomberg/](https://9to5mac.com/2018/10/09/bloomberg/)

~~~
appleiigs
The article you linked states, Bloomberg says:

> Joe FitzPatrick was not one of these 17 individual primary sources that
> included company insiders and government officials,

~~~
jackconnor
Oh, he was one of the named sources. Good catch, though that doesn't change
the point.

~~~
kevin_thibedeau
The _entire_ story is an elaboration of a hypothetical example FitzPatrick
gave in consultation. That the final article is an exact match is seriously
problematic.

------
IOT_Apprentice
2016 report by Ars Technica: [https://arstechnica.com/information-technology/2016/03/report-apple-designing-its-own-servers-to-avoid-snooping/](https://arstechnica.com/information-technology/2016/03/report-apple-designing-its-own-servers-to-avoid-snooping/)

2017 followup by Ars Technica: [https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/](https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/)

So the story is 2 years old from a reporting standpoint.

~~~
simonh
Dodgy firmware is nothing new, it’s just compromised code after all.

~~~
krn
According to Bloomberg, that's how everything started:

> Apple made its discovery of suspicious chips inside Supermicro servers
> around May 2015, after detecting odd network activity and firmware problems,
> according to a person familiar with the timeline. Two of the senior Apple
> insiders say the company reported the incident to the FBI but kept details
> about what it had detected tightly held, even internally. Government
> investigators were still chasing clues on their own when Amazon made its
> discovery and gave them access to sabotaged hardware, according to one U.S.
> official. This created an invaluable opportunity for intelligence agencies
> and the FBI—by then running a full investigation led by its cyber- and
> counterintelligence teams—to see what the chips looked like and how they
> worked.

If this was true, the public denials wouldn't surprise me at all.

~~~
simonh
And if that's how the Bloomberg article had ended, with well known and
previously reported firmware issues, we wouldn't be having this discussion.

------
clamprecht
If Bloomberg ends up retracting the story, then the new question, for me, is
how did this happen? Was it simply Bloomberg trying to get views? Or is it
more interesting, like did their "sources" intentionally give them a fake
story in order to hurt their credibility? Or was it to cast doubt on the anti-
China stories in general?

~~~
jahlove
It should be pointed out that Bloomberg authors get bonuses if they write
stories that move the market:

[https://www.businessinsider.com/bloomberg-reporters-compensation-2013-12](https://www.businessinsider.com/bloomberg-reporters-compensation-2013-12)

Not saying that was necessarily a motivation here, but it's worth pointing
out.

~~~
justtopost
Keep parroting this if you want, but that ended in 2014.

------
wyldfire
The denials seem convincing. And yet the story seems very much plausible. The
US NSA does these kinds of attacks; why not China?

> They offered no proof, story kept changing, and showed no interest in our
> answers unless we could validate their theories

If that's really the case then it seems likely that their source may have
indeed deceived them. But don't they have multiple sources?

> The article also claims ... we conducted a network-wide audit of SuperMicro
> motherboards and discovered the malicious chips in a Beijing data center.

Bloomberg's source for this claim must be distinct from the Israeli security
researcher, right?

Perhaps, if this was a Russian HUMINT attack, it's another glorious success
for GRU.

~~~
bcruddy
The NSA has never done something on this scale. With sec researchers looking
at _everything_ right now it would have been uncovered by now. The major point
in this story wasn't a hardware hack, it was a hardware hack on a MASSIVE
scale, a scale that would have to be treated as an act of war against the
_rest of the world_.

If this article were true it would have been the first public volley in WWIII.

~~~
moftz
The number of implants doesn't need to be that great. If you are already
tapped into Supermicro's supply chain and ordering system, then you can
already figure out when a bulk of servers passing through manufacturing are
going out to a certain customer. Bribe someone or have an agent on the floor
slip in the implant during assembly. Maybe the gerber files for the boards
already have the necessary pads built-in for debug, maybe someone is swapping
in modified gerbers. Maybe the implant is installed totally after hours when
the boards are already built or when they are on their way to the final
assembly facility.

------
duxup
Any reason for these calls for retraction?

It's not like there aren't false stories about what happens at Apple or Amazon
regularly (not that they're usually about hacking), but the public calls for
retraction seem somewhat as unique as the story.

~~~
panda888888
Agreed. The pointed denials make the whole thing even weirder.

------
code4tee
It’s really starting to smell like Bloomberg got played hard here. To preserve
their journalistic integrity they either need to produce some supporting
evidence real fast or admit they screwed up and retract the story.

~~~
kristianov
Smells more and more like something 4chan would do.

------
newscracker
I said it recently in different words and I'll say it again. There is no good
ending for Bloomberg in this story, or at least for the reporters on the story
and the editor who let it run. The longer it digs its heels in adamantly and
doesn't retract this story, the worse it's going to get. Its deep pockets can
handle a huge scandal and embarrassment for a while, but it'll face the
ignominy of being ignored by sources in many circles if it doesn't act quickly
(one of the ways, perhaps, would be to reveal more information that can be
verified by third parties). It's as sticky a situation as it gets, and it will
define/decimate Bloomberg for the future.

------
jonbronson
What's more plausible in this scenario: One or two journalists run a fake
story, possibly for financial gain or simply notoriety, or that hundreds and
even thousands of engineers and managers across multiple tech companies are
all complicit in the most elaborate and coordinated corporate conspiracy in
history, all just to hide the fact that they were breached...

~~~
panda888888
It's possible that the hack wasn't that big (targeted to only certain boards)
and that the higher-ups at the companies don't know the details.

------
sbr464
I’m curious how the internal meeting (at the newspaper) goes, when they have
no actual proof, such as an actual compromised device. How could you possibly
publish such a huge/important story without that smoking gun?

We live in too much of a scientific/fact driven period of time to allow this
to be taken seriously in my opinion.

------
markoutso
With the "trade war" going on, I wouldn't be surprised if this was
intentionally put out in order to reduce the US dependency on China.

~~~
techntoke
Overpriced corrupt vendors are likely hurting to open compute designs and
hardware.

------
ariwilson
Why was Google not affected by these Supermicro motherboards?

~~~
trhway
From my scouring some time ago on eBay, Google seems to use board designs
modified and produced to their specs by some Taiwanese no-names. So while they
also can potentially be similarly attacked, it wouldn't be the same attack.

W.r.t. the subject of the Bloomberg story: back in the '90s the Russian FSB would
comb through the internals of every PC they bought for their use. That though
was before Intel ME :)

------
nova22033
This story probably came from someone in the national security establishment
who has zero understanding of the underlying technology but has a vested
interest in the red scare.

------
tinkerteller
What's up with calling these division leads as "CEO"? Do they only answer to
the board elected by shareholders?

------
Paraesthetic
Sounds like they are running scared? Could this be a cover up do you think?

------
jorblumesea
Surely at least a few of these boards should be floating around; can't
Bloomberg or others dig up a few physical examples? Unlike software 0-days or
other more ephemeral issues, this should be hard to conceal and easy to
reproduce.

------
the_other_guy
It's not fake news unless you hurt me!

------
nil_pointer
[removed]

~~~
jackconnor
If that's the only question then the answer for every major company is
"guilty". I don't think doing business in china means that Bloomberg gets to
make up a bunch of BS from mysterious anonymous sources without a single piece
of physical evidence, wiping out billions in market value, and just call it a
day and we're all supposed to believe it because they use the word "China". I
think we can probably hold them, and ourselves, to a higher standard of
journalism. Though, clearly there is a huge market for China-hating
technopanic, no matter how little evidence or credibility there may be, since
some people will literally believe anything if they think it's done in China.

~~~
ocdtrekkie
It isn't really plausible that Bloomberg made up the story. They had to have a
high degree of confidence to publish it. The question we all need to be asking
is why they had that high degree of confidence. Where their information came
from and whether or not those sources had ulterior motives to lead Bloomberg
astray.

I have to imagine Bloomberg is also trying to find out why their story has not
matched statements by the companies alleged to be involved so starkly. There
is a story here, but what that story actually is is definitely in question.

~~~
philwelch
Yeah, my hunch (like yours) is that everyone involved--Bloomberg, Apple, AWS--
believes, in good faith, in what they have stated, and have collected more
than enough evidence to back those statements. Since there's a contradiction,
the truth is probably fairly weird, if it's enough to provide so much
conflicting evidence both ways.

The least weird conclusion is that Bloomberg connected too many dots the wrong
way around and are embarrassed to admit it.

------
fredgrott
Are they aware statements like this confirm it?

If it were false, the case would fall under libel and slander.

Someone is obfuscating truths here.

~~~
panopticon
Libel and defamation lawsuits are tricky because one would need to prove that
Bloomberg ran the story knowing it was false or ran the story with "reckless
disregard" for the factual accuracy of the reporting _and_ prove that the
article resulted in damage to the plaintiff.

Many dubious articles go unchallenged because it's often not worth pursuing
legal action.

~~~
CosmicShadow
It's not like these companies don't have the money or legal resources to do it
though.

------
sneak
Why did these demands for retraction take so long?

~~~
jackconnor
They quadruple-checked all their audits to make sure they were actually
accurate in saying "nothing here".

~~~
macintux
Precisely. Worst thing would be to realize later you overlooked something and
have to issue a correction.

And with a story with this many moving pieces, you've got a lot of ground to
cover. It's so very hard to prove the absence of something.

------
Overtonwindow
That’s well and good and all...but it’s in Amazon and Apple’s best interest to
deny everything.

~~~
greglindahl
It is? They're both public companies. If they get caught having strongly
denied something that's true, that's worse than no comment, and the inevitable
stock market motion and shareholder lawsuits that will result.

------
kevinmchugh
As a press outlet, they have a pretty solid defense in the First Amendment.

~~~
steve19
They pay their journalists bonuses if they move the market. That gives some
pretty perverse incentives to the journalists.

~~~
kevinmchugh
What's perverse about it? Bloomberg decided that the market is a good way to
measure impact of their stories. They're business reporters, so that makes
sense. The incentive is not directional; it doesn't rely on reporters causing
a stock to lose value or gain it.

~~~
sooheon
> The incentive is not directional

The magnitude matters. Meaning journalists have an incentive to stretch the
truth in either direction, as long as it'll get a reaction. A journalist now
has to weigh this monetary incentive against their other incentives for being
non-hyperbolic, truthful journalists.

~~~
kevinmchugh
The business insider article linked above makes it sound like a relatively
nuanced measure. If the article makes a big splash but then gets wiped away by
follow-up reporting, it doesn't sound like it gets rewarded.

Think about articles that don't move the market: did they contain novel,
important information? If so, why didn't the market move?

It seems like this incentive encourages prioritizing stories which are
unreported and meaningful.

------
wpdev_63
I really have little doubt that the Chinese are integrating their spy chips
into computer hardware going to the big four or even the Pentagon. It's
probably how they stole the designs to the F-35 [you know, that plane that costs
over a trillion dollars to develop]. It would be catastrophic if Apple knew or
even acknowledged the possibility of the Chinese having a backdoor into their
servers, and it would result in a massive shift in policy [+profit].

The NSA has been known to intercept electronics in shipping and put in
their own specialized PCB board replacements with microphones, cameras, etc.,
and they are _very_ hard to detect. Hell, the Russians even went back to
typewriters for security purposes [0]. It would be foolish to think that the
Chinese/Russians aren't doing the same thing to us.

[0]: [https://www.telegraph.co.uk/news/worldnews/europe/russia/10173645/Kremlin-returns-to-typewriters-to-avoid-computer-leaks.html](https://www.telegraph.co.uk/news/worldnews/europe/russia/10173645/Kremlin-returns-to-typewriters-to-avoid-computer-leaks.html)

~~~
hn_throwaway_99
Saying "The Chinese are probably doing something bad" is very different from
the very specific accusations that were made; "The Chinese are doing the same
thing to us" is not a news story - what was reported by Bloomberg _was_ a news
story.

My point is that hand-wavy "they have to be spying somewhere" is in no way a
defense for the Bloomberg story. The reason I'm very skeptical of the story
is that I think it would be possible that SOMEONE would have physical evidence
of it (given that it was a hardware hack) that they could show. So far
Bloomberg hasn't really shown anything to back up their story.

~~~
jackconnor
"Well it sounds like it could be real, so it's probably true" - I'm not sure
why anyone thinks this is an acceptable counter-argument.

