
One of Bloomberg’s sources told them Chinese spy chip story “didn’t make sense” - millisecond
https://9to5mac.com/2018/10/09/bloomberg/
======
dangerface
It seems like the writer has a personal stake in the idea that Apple can do no
wrong, therefore Bloomberg must be lying.

As an example they claim 10 reasons not to believe Bloomberg and cite two
other pieces they have written, both proclaiming Apple's innocence.

They literally give the same reason multiple times, and the reason is little
more than "Apple wouldn't lie!". Apple has been caught lying in the past about
other things like battery life.

[https://9to5mac.com/2018/10/05/chinese-spy-chip/](https://9to5mac.com/2018/10/05/chinese-spy-chip/)

~~~
dkonofalski
>Apple has been caught lying in the past about other things like battery life.

That's a stretch to say that they were lying. They weren't lying about the
battery life nor did they claim that they weren't changing the clock speed of
the device. They simply claimed to have different motivation for doing so
(namely, to keep older phones from completely turning off) than what others
assume was the motivation (intentionally slowing phones to gain more sales).

~~~
alanbernstein
Correct me if I'm wrong, but isn't that the response they gave after years of
flat-out denials? You may not consider that the same thing as lying, but it's
in the same family.

~~~
saagarjha
The "battery slowdown" was only in place for a year or so before it was widely
known.

------
mmaunder
This is just re-reporting Pat Gray's podcast.

[https://risky.biz/RB517_feature/](https://risky.biz/RB517_feature/)

Also worth mentioning here is the background on the credibility of these
journos that Robert Lee provides:

[https://twitter.com/RobertMLee/status/1049617855396933632?s=...](https://twitter.com/RobertMLee/status/1049617855396933632?s=19)

The most interesting tweet in that thread:

"They claimed anonymous US intelligence community sources as well. Except I
led the ICS threat discovery mission at the time at the NSA. And I had never
heard of this attack being a cyber attack. The NSA doesn’t see everything but
if the US IC is your source we would have."

He is referring to the BTC pipeline piece that these guys wrote. It claims the
pipeline explosion was a cyber attack, which has never been substantiated.

~~~
monocasa
Why would the NSA ICS threat discovery lead at the time be able to confirm
one way or another? It seems like either way would be a "no comment" sort of
situation.

~~~
mmaunder
He is a SANS instructor, CEO of Dragos Inc and very well respected in the
infosec community. Helpful input like this, and being an educator, is why he
has that reputation.

~~~
monocasa
But like, "let me confirm off hand on twitter what classified things we did or
didn't do at the NSA", is exactly what you can't say. Why is he being allowed
to confirm/deny specific actions of the NSA?

------
millisecond
Sounds like Bloomberg was creating a bit of fiction about how something like
this could happen and backing it into validation by sources.

Particularly damning part, to me: "I sent him a link to Mouser, a catalog
where you can buy a 0.006 x 0.003 inch coupler. Turns out that’s the exact
coupler in all the images in the story." Clearly they didn't have an original
hacked part like some have claimed/hoped.

~~~
wang_li
It seemed incredible to me that they talked about these tiny little components
being added to systems that allowed the evildoer to take complete control of
the system. How exactly is something with 2 connections to the motherboard
going to exert dramatic influence over a CPU with 1000+ connections to the
rest of the system. Some 48-56 physical address lines, 64 data lines, and etc.
all being manipulated by the magic rice grain? I don't think so.

~~~
moftz
All you need to do is reflash the BMC firmware. You can do that over a SPI
bus, that only requires three lines (3 SPI lines + Vcc + Vss = 5 pins, just
like the part...) You don't even have to rewrite the whole firmware, just
patch the one section of code that does logins and then update the checksum if
there is one. The firmware that is flashed in the factory is likely pulled
from a read-only media and then checked against it. If you slip this implant
in, you can just have the good firmware patched X hours after first turning
on. Best case, you inject your patch into the BMC firmware before anyone can
update to the latest that doesn't work with your patch. The adversary can then
push an update to BMC again to something that can block new, good updates from
killing the backdoor. Worst case, the user updates the firmware before the
exploit is run. This patch corrupts the good, new firmware and the user has to
reflash it. BMC keeps corrupting so RMA the old server and get a new one,
maybe this one has an implant that will patch before the user can apply a good
update.

~~~
techntoke
Nice theory. Bloomberg is probably reading your comment and working on their
next article as we speak.

~~~
VectorLock
The article described this process pretty clearly.

~~~
techntoke
And who were their sources again that confirmed that these companies were
affected, when the companies themselves and now multiple intelligence agencies
say they weren't?

~~~
coupdejarnac
I love when people take intelligence agencies at face value.

I'm not sure we have enough information right now to make a judgement either
way.

------
jessriedel
I found the attempted humorous article "Here are the subjects our [science]
reporters enjoy covering the least" to be very revealing of typical reporter
attitudes

> How could [discovering exoplanet] not be dramatic? If you're an actual
> f$@!%%# astronomer, that's how. Because then you'd feel compelled to drone
> on for page after page of details on the different telescopes you used, and
> the software pipelines the data went through, and how everything was
> normalized to... Exoplanets, which are BRAND NEW WORLDS UNKNOWN TO US get
> announced with excessive details on Monte Carlo sampling and Markov chains.
> I would not have thought it possible to suck the life out of stories like
> these, but the people who have chosen to make this their life's work manage.

[https://arstechnica.com/science/2018/09/here-are-the-subject...](https://arstechnica.com/science/2018/09/here-are-the-subjects-our-reporters-enjoy-covering-the-least/)

In other words: "Why do these eggheads spend so much time worrying about
whether the things they think they know are actually true when they could be
talking about how it makes them feel?"

~~~
barbecue_sauce
Seems like the "journalist" does not understand the role of academic artifacts
(such as published papers) or science in general. Most academics are not
trying to drive excitement in the general population with their research, but
rather appeal to their peers, who by the very nature of their job must
evaluate methodology and formal approaches to ascertain the quality of the
findings. Sensationalizing your research before it has attained general
acceptance in your discipline (or ever) might be fine with regard to PR, but
terrible for your overall academic career.

~~~
whatshisface
That's a little too purely social - a better explanation might be that
scientists care a lot more about being right than the public, because if the
public gets something wrong they have careful scientists to set them straight,
but if the scientists collectively get something wrong they'll just be wrong
forever. As a result the measures of certainty matter far more than the
statements themselves, because a mild-mannered truth that is indeed true is
perfectly valuable while a bombastic claim in which nobody knows how confident
they should be is perfectly worthless.

~~~
rootw0rm
I think both of you are basically in agreement.

------
zymhan
"But what really struck me is that like all the details that were even
remotely technical, seemed like they had been lifted from from the
conversations I had about theoretically how hardware implants work"

Yeah that doesn't sound promising for Bloomberg.

------
bilbo0s
Reporters can't be this dumb.

> _I sent him a link to Mouser, a catalog where you can buy a 0.006 x 0.003
> inch coupler. Turns out that’s the exact coupler in all the images in the
> story..._

I don't know much about technology journalism, but I would think that no one
who is a technology reporter would make a miss like that. And even if he/she
did make a miss like that, wouldn't an editor or someone higher up call that
out pretty much right away?

I can't see why this story would have been put out as is without further
investigation? Maybe some independent verification? I suppose there remains a
_slim_ possibility that the overarching theme of the story is true, and the
reporters are simply spectacularly inept. There is also the possibility that
the story is false and Bloomberg _itself_ is spectacularly inept. Other
possibilities are too terrible to contemplate. They run the gamut from simple
propaganda, which is terrible, but would not be unexpected... all the way to
out and out graft. ie - Some influential guy was short Apple.

~~~
neuromantik8086
> Reporters can't be this dumb.

Have you ever actually dealt with reporters before? From my time in science I
can attest that yes, reporters very much _are_ this dumb at times. That's the
issue with anyone who's too much of a generalist.

~~~
turingcompeteme
Bloomberg is also one of the most valuable tech companies in the world. Their
entire business model revolves around providing accurate financial
information. We happily pay $2k per month per person for it, partly because it
is such a trusted source.

Some reporters may be dumb, but if it has the Bloomberg name attached to it,
and has far reaching effects in financial markets, you can be pretty confident
that this wasn't just the work of some clueless reporter.

~~~
akimball
Mike Bloomberg himself stands to lose an enormous amount of money due to lost
business in China, as a result of this story's publication. Whether the story
is accurate or inaccurate, either way Mike is going to lose money on it. The
only business-logical thing that Bloomberg could have done with this story is
to sit on it. Clearly there are non-business motivations for this publication.
The possibilities that immediately strike me are that an overriding incentive
for this publication was provided by an outside monolithic actor or that an
ethical / public interest motivation prevailed.

------
m0skit0
Despite the comments here, there's more evidence that that story was not made
up, with real names this time at least.

[https://www.bloomberg.com/news/articles/2018-10-09/new-evide...](https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom)

I'm not saying it is true, but of course all parties involved will deny
everything, imagine how much it would hurt them if they acknowledged they have
been hacked.

~~~
duskwuff
There's a lot about this story that doesn't add up either. One particularly
questionable bit is:

> Appleboum said one key sign of the implant is that the manipulated Ethernet
> connector has metal sides instead of the usual plastic ones. The metal is
> necessary to diffuse heat from the chip hidden inside, which acts like a
> mini computer.

_Every_ RJ45 jack ("Ethernet connector") I've seen used in modern networking
hardware has a metal case for EMI shielding. This isn't an indicator of
compromise. Nor does this make sense as a location for an implant -- the RJ45
jack isn't in a privileged position to access information on the server, nor
would a device located inside the jack be able to easily interact with the
network without interfering with the real Ethernet controller.

~~~
gamblor956
_Every RJ45 jack ("Ethernet connector") I've seen used in modern networking
hardware has a metal case for EMI shielding._

Where would one acquire these metal RJ45 jacks? The ones I have are all
plastic (usually clear), with the exception of the small (copper?) metal wires
that transmit the signals. I am in fact looking at one right now on my desk
and it's definitely not metal shielded.

~~~
calbear81
It's called a shielded RJ45 jack (you can also search for a shielded ethernet
cable).

------
IronWolve
Apple dumped Supermicro in 2017 for security issues. But Bloomberg really
needs to provide some information to back up their claims, this isn't a minor
issue, this is a claim of spying from China.

>Super Micro Computer Inc. SMCI, -18.58% dropped 8% in late trading Thursday
after a report said Apple Inc. AAPL, +0.93% ended its relationship with the
company after finding "a potential security vulnerability" in a data center
server provided by Super Micro.

[https://www.marketwatch.com/story/super-micro-plummets-after...](https://www.marketwatch.com/story/super-micro-plummets-after-report-apple-cut-ties-on-security-fears-2017-02-23)

~~~
jlarocco
Can somebody explain how their stock is dropping?

I tried to buy some over the weekend, because I think this will all blow over
like Equifax, but I got a message saying they've been suspended from trading
since August for not reporting to the SEC on time. Is it the OTC price?

------
vpribish
Ironic that an article about how bloomberg may have misunderstood and jumbled
their expert sources' info has some glaring mis-transcribed quotes!

"For example putting two pieces of silicone in a single package makes sense
when one of them is flash storage and the other is a micro controller. But an
experienced observer could easily jump to the conclusion that it’s a hardware
implant."

yeah - silicone. but more importantly: he certainly meant IN-experienced.

------
weliketocode
What's the outcome here if the exposé turns out to be a farce?

Written apology from Bloomberg? Fire the reporters? SEC charges of security
fraud related to stock manipulation?

~~~
e40
This will be exactly what POTUS needs to get his AG to move against the press.
He's been threatening it since before he took office. Not saying it would
succeed, but I'd wager he'll try.

~~~
jerf
"This will be exactly what POTUS needs to get his AG to move against the
press."

If this was anything, it would be a reason to move against China.

However, several days later, we can be fairly confident in saying it isn't any
reason for the President to do anything, on the grounds that to the best of my
knowledge, he hasn't done anything. (This opinion subject to change if someone
cites something, of course. But I'd expect it would have come up in our HN
conversations by now.) If this was a conspiracy from the government to make
hay out of this news, they would have done so by now. Next day at the latest,
given the speed of the news cycle nowadays. I think we can safely discard this
theory now.

(I also see no reason to even suspect that the President thinks he needs some
sort of additional _casus belli_ against China. He seems to believe he's got
plenty already. If such things are being faked, they aren't being faked in
stories like this, but at a much different level in much different places.)

------
raintrees
I have been purposely misquoted several times in several California small town
news agencies (their agenda almost diametrically opposed to my information), so I
am not particularly surprised this may be happening with Bloomberg. I have
stopped responding to requests for interviews, as I am rarely informed ahead
of time what the person's (or editor's) agenda may be, to decide if it aligns
with what I wish to contribute ammunition/fodder towards.

------
gameswithgo
What if the Chinese social engineered to get people to write this story. Meta.

In seriousness though this is starting to smell like the whole story is plain
wrong. Which is fascinating, however it came to be.

~~~
Sharlin
The Chinese... or a third party?

~~~
ldiracdelta
Why couldn't it be the Russians again! Up to their dastardly tricks.

------
mannykannot
In a way, this resembles a technique that is sometimes (but should not be)
used in the interrogation of criminal suspects: raise hypothetical questions,
and then write up the replies as if they were statements/confessions of what
actually happened.

------
perl4ever
"putting two pieces of silicone in a single package"

Is it the expert or the journalist who doesn't know the difference between
silicon and silicone?

~~~
makomk
Almost certainly the journalist, given that they're quoting something that he
said during a podcast.

~~~
perl4ever
It's not as though they're pronounced the same.

------
jackconnor
Sounds like Bloomberg painted the theory they wanted to paint, and were not
particularly subtle about covering their tracks. Assuming what this dude says
is true, this is going to be very bad and very, very expensive for them.

------
tomswartz07
>I sent him a link to Mouser, a catalog where you can buy a 0.006 x 0.003 inch
coupler. Turns out that’s the exact coupler in all the images in the story.

I did a super quick search, and sure enough, yep- the images in the article
are most likely a $0.38/each 0603 coupler.

[https://www.mouser.com/ProductDetail/TDK/HHM2510B1?qs=sGAEpi...](https://www.mouser.com/ProductDetail/TDK/HHM2510B1?qs=sGAEpiMZZMtMMXztyU6kdOGe15j15p2UXJNV928fndCH04b2xQBCoQ%3d%3d)

I'd imagine it's mostly for illustrative purposes, but Gell-Mann Amnesia
Effect in full force here.

~~~
nerdponx
_Gell-Mann Amnesia Effect_

I'd argue that all this backlash is justification for why we don't typically
have to worry about the Gell-Mann amnesia effect. When something is
egregiously wrong in the news, people talk about it, and we learn. As long as
you're reading about something that critical and knowledgeable people are
also reading, then you should feel comfortable knowing that no backlash
means it's probably fine.

------
mzs
Technical people like to talk about technical things and non-technical
reporters are torn-up about it. Then some outlets have reasons to report one
side not in totally good faith. Here is a prior case:

>For a journalist, the fear of getting it wrong is a mortal one. Experts
loudly calling me wrongheaded were hard to shake. Many of their objections
were highly technical—and I would never pass myself off as someone with an
expert’s grasp of computer science. (Less than 24 hours after my piece went
live, The Intercept published a very long, very detailed piece that suggested
my piece was likely bunk.)…

[https://www.theatlantic.com/politics/archive/2018/10/trump-o...](https://www.theatlantic.com/politics/archive/2018/10/trump-organizations-mystery-server/572485/)

~~~
makomk
That guy should've been more scared about getting it wrong. Every single piece
of evidence pointed to his supposed secret communications channel with a
Russian bank (and a random American health clinic for some reason) being the
simple result of run-of-the-mill mass marketing emails for Trump hotels sent
by a company that had been subcontracted to do so for years. The Intercept
even managed to obtain copies of some of the emails they'd sent. A DNS covert
channel of the sort being suggested would require the secret co-operation of
the technical staff at a company the Trump Organization didn't even have a
direct contractual relationship with - why take that risk to set up a really
terrible communications channel? Multiple outlets had apparently already
passed on the story because it didn't hold up - but that didn't matter,
because the moment he published it went viral on social media, with the
Clinton camp's tweets alone getting tens of thousands of retweets.

It would be no exaggeration to say that his decision to ignore the pesky
technical objections he didn't understand and run the story anyway did
permanent damage to the US political and news climate, that it made everyone's
beliefs about the world a little more wrong forevermore. When Clinton's
campaign tweeted to demand the FBI investigate, only one outlet - the New York
Times - dared stand up and report that the FBI had already investigated and
concluded all the evidence was consistent with it being exactly the boring
junk email server it looked like, and people are still pointing to that
article to drag the Times' reputation through the mud to this day. (Their own
public editor even criticized them for questioning and not believing!)

He created a world where not believing junk emails were secret Russian
communications was, to quote the recent New Yorker article, the equivalent of
believing "that space aliens did this".

~~~
mzs
Though not pertinent to my original comment, that New Yorker article does have
a portion where experts argue that the misconfigured bulk emailer explanation
which you bring up does not hold water:

[https://www.newyorker.com/magazine/2018/10/15/was-there-a-co...](https://www.newyorker.com/magazine/2018/10/15/was-there-a-connection-between-a-russian-bank-and-the-trump-campaign)

I'm saying 9to5mac as an apple enthusiast site has a reason to run the post it
did and that since technical people like to talk about technical things of
course there's someone connected to the story making those arguments then
largely non-technical reporters have trouble making sense of it all.

------
VectorLock
Can somebody hunt down one of those motherboards maybe on eBay or in their own
data centers and track down this malicious device? Putting together a test
circuit that throws the BMC firmware down it and see if anything different
comes out the other end should be a simple enough task.
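
The check proposed above, and the "patch one section and update the checksum" scenario from moftz's comment earlier in the thread, as an added example that is not from this thread or from Supermicro: compare a firmware image read back from a board against the vendor's known-good image, and show why a loader's own checksum is no substitute for that comparison. All images here are constructed toy data; the additive checksum is a stand-in for whatever trailer a real BMC image carries.

```python
# Added example (not from the thread). Detect a tampered BMC firmware image by
# comparing a readback against the vendor's golden image. A loader's additive
# checksum can be recomputed by whoever patched the image, so it still passes;
# a hash against the golden copy, or a byte diff, does not.
import hashlib
import hmac
from typing import Dict, List, Tuple


def simple_checksum(body: bytes) -> int:
    """Toy 16-bit additive checksum over the image body (constructed)."""
    return sum(body) & 0xFFFF


def checksum_valid(image: bytes) -> bool:
    """The self-check a naive loader might do: trailer matches the body sum."""
    body, stored = image[:-2], int.from_bytes(image[-2:], "big")
    return simple_checksum(body) == stored


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def diff_regions(golden: bytes, readback: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where the readback differs from golden."""
    if len(golden) != len(readback):
        raise ValueError("image sizes differ: %d vs %d" % (len(golden), len(readback)))
    regions: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(golden, readback)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, len(golden) - start))
    return regions


def verify(golden: bytes, readback: bytes) -> Dict[str, object]:
    """Run all three checks side by side so the weak one is visible."""
    return {
        "checksum_ok": checksum_valid(readback),
        "hash_ok": hmac.compare_digest(sha256_hex(golden), sha256_hex(readback)),
        "diff": diff_regions(golden, readback),
    }


# Constructed golden image: 4094 bytes of pseudo-firmware plus a 2-byte checksum.
GOLDEN_BODY = bytes((i * 7 + 3) & 0xFF for i in range(4094))
GOLDEN = GOLDEN_BODY + simple_checksum(GOLDEN_BODY).to_bytes(2, "big")


def simulate_patched_readback(image: bytes, offset: int, patch: bytes) -> bytes:
    """Constructed readback: one region overwritten, trailer recomputed to match."""
    body = bytearray(image[:-2])
    body[offset:offset + len(patch)] = patch
    return bytes(body) + simple_checksum(body).to_bytes(2, "big")


# 16 bytes changed at 0x400; the loader's checksum still validates.
TAMPERED = simulate_patched_readback(GOLDEN, 0x400, b"\x90" * 16)

if __name__ == "__main__":
    for name, img in (("golden", GOLDEN), ("readback", TAMPERED)):
        r = verify(GOLDEN, img)
        print(name, "checksum_ok=%s hash_ok=%s diff=%s"
              % (r["checksum_ok"], r["hash_ok"], r["diff"]))
```

On real hardware the readback would come from dumping the SPI flash with an external programmer; the comparison logic is the same.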

~~~
bonestamp2
I like the idea. But, since hardware attacks like the one proposed are usually
fairly labor intensive and they really want them to remain undetected, chances
are good that the altered boards were only shipped to specific high value
targets.

If it's true that Amazon and Apple discovered flawed ones, all of those would
have been returned to Supermicro and likely destroyed for the most part. If
Supermicro was aware of the problem and ethical, they likely would have
contacted other customers who they suspect could have received altered boards
and replaced those boards too. I'm not saying it would be impossible to get
your hands on one, but if there's any truth to this hack, I think you'd have
to buy a ton of boards before you ever came across an altered one.

~~~
VectorLock
It doesn't seem like it would be all that labor intensive. Just change a part
on the line, from what it described. I think if they were specifically
targeting Apple & Amazon there would have to be someone complicit in
Supermicro making sure that motherboards with the special part went to the
right destinations. That seems more labor intensive than actually swapping the
modified part.

~~~
bonestamp2
> I think if they were specifically targeting Apple & Amazon there would have
> to be someone complicit in Supermicro making sure that motherboards with the
> special part went to the right destinations.

Fair enough, I guess it depends on their distribution model. When I order a
macbook from apple.com, it ships from China. So, somebody there knows it's
coming to me. Not that I'm a target, but I'd be surprised if they were
shipping a container of servers to Supermicro and then to a customer. If Apple
dropships one laptop, I assume Supermicro dropships containers.

> That seems more labor intensive than actually swapping the modified part.

Good point, assuming it was not labor intensive to modify the part itself, then
swapping them out on the line would be trivial.

------
rossdavidh
This is the first criticism of Bloomberg's story that made a decent point
(along with several bad ones). I definitely believe Apple or Amazon would lie,
I definitely believe they might get told to by the feds, I definitely believe
the Chinese government has at least looked into the idea of using their hold
on the supply chain to get intelligence. The idea that there are much easier
ways to do this, however, is an important one.

~~~
techntoke
I believe Bloomberg and companies that compete with Supermicro have just as
much reason, and possibly more to lie. To continue to manipulate the markets
against white box vendors.

------
pharrington
Since the lead in this story is _maximally buried_ -

"You put hardware in a device to help you persist the software, the malware.
You don’t put hardware in a device to do the whole attack, you put hardware in
the device to unlock the keys, to elevate the privileges on the shell, to open
the network port and then you take a software or remote approach to do the
rest of the work. And I think that’s the context of that quote."

------
TimTheTinker
Here's the source 9to5mac is quoting from. It's a podcast episode, so no text:

"Risky Business Feature: Named source in "The Big Hack" has doubts about the
story": [https://risky.biz/RB517_feature/](https://risky.biz/RB517_feature/)

------
rconti
I'd have to go back and read the Apple and GCHQ (and .. was it .. Google?)
denials more closely, but...

I found it really interesting how pointed and specific the denials were,
rather than blanket denials or refusals to say anything.

I wonder if the technical details that were wrong in the article ended up
giving cover to the denials. Maybe the hack never was in hardware, and
Bloomberg totally screwed that part up, due to a misunderstanding of what it
means to "manufacture a board with vulnerabilities" and that ended up giving
inadvertent cover to those parties wishing to deny that a _hardware hack_ was
found in products in their datacenters?

EDIT:

Okay, maybe my theory's not so great.

>On this we can be very clear: Apple has never found malicious chips,
“hardware manipulations” or vulnerabilities purposely planted in any server.
Apple never had any contact with the FBI or any other agency about such an
incident. We are not aware of any investigation by the FBI, nor are our
contacts in law enforcement.

------
nicolas_t
I just wish that Super Micro shares were not otc and it would instead be
listed on nasdaq...

~~~
PhantomGremlin
You can blame Supermicro for that.

A pesky problem of missing paperwork. Apparently Supermicro thinks that filing
quarterly and annual reports is something optional, a "nice to have" rather
than a "requirement". So they haven't bothered.

Nasdaq feels otherwise, and got tired of waiting for them to get their house
in order, and so delisted Supermicro.

[https://www.marketwatch.com/story/super-micros-stock-set-to-...](https://www.marketwatch.com/story/super-micros-stock-set-to-be-delisted-as-filing-deadline-wont-be-met-2018-08-22)

------
drivingmenuts
This is an old story, but I can't help but think it is somehow relevant:

[https://www.politico.com/blogs/media/2013/12/the-bloomberg-m...](https://www.politico.com/blogs/media/2013/12/the-bloomberg-market-moving-bonus-179407)

In light of the above, something smells.

~~~
SZJX
This is interesting. No idea why you were downvoted.

