
Apple Bloomberg Congressional Letter - wglb
https://www.documentcloud.org/documents/4995755-Apple-Bloomberg-Congressional-Letter.html
======
mtw
At this point, it seems like Apple and Amazon have hard facts and Bloomberg
has more tales of "he said"/"she said" and didn't cross-check. The journalists
halved Supermicro's stock value; they have a responsibility to prove this
actually happened.

~~~
coldcode
[https://appleinsider.com/articles/18/10/08/security-research...](https://appleinsider.com/articles/18/10/08/security-researcher-cited-in-bloombergs-china-spy-chip-investigation-casts-doubt-on-storys-veracity)

One guy named as a source in the original article does not accept the story as
written.

~~~
wlesieutre
What the source actually said, according to that article:

 _When asked what, exactly, he found strange about Bloomberg's claims,
Fitzpatrick said, "It was surprising to me that in a scenario where I would
describe these things and then he would go and confirm these and 100% of what
I described was confirmed by sources."_

You could take that to mean "Bloomberg took a scary hypothetical and pretended
it was real," but if they _did_ have other sources telling them "There are
these backdoor chips in servers" this is exactly what you'd expect Bloomberg
to do: go to a security expert and ask "Hey, does this really work?"

It doesn't particularly read like evidence one way or another to me.

~~~
4684499
If you want evidence, you should ask BBG for it first, who has provided none
at the moment; even the picture they used is likely for illustration only, and
they didn't make any declaration about that.

Technically possible doesn't mean it happened. You could be punched by your
wife, does that mean she did punch you? Sorry for the inappropriate analogy,
but you get the idea.

------
ckastner
> If any of the reported details cited above were true, we would have every
> interest—economic, regulatory, and ethical—to be forthcoming about it.

That's the key argument.

This isn't just a "your word against mine" type of thing. Were this issue
true, then it could represent a significant legal risk to Apple.

Categorically denying something that can easily be proven by an external audit
(a scenario that they cannot rule out might happen), as strongly worded as
they did (excerpt below), would open them up to a huge legal liability in
_addition_ to the security issue itself, and for no real upside.

> In the end, our internal investigations directly contradict every
> consequential assertion made in the article—some of which, we note, were
> based on a single anonymous source. Apple has never found malicious chips,
> “hardware manipulations” or vulnerabilities purposely planted in any server.

~~~
saudioger
They're already on the hook for an enormous liability if it's true, so lying
about it isn't really the worst option if there's even a small chance it
avoids the issue.

After seeing what VW did with emissions, I wouldn't say any huge corporate
cover-up is out of the question. Especially considering this situation would
be very bad even if it did happen and they were 100% truthful about it (it
would create huge problems with China for them and their supply chain).

We just can't reasonably make conclusions either way yet.

~~~
SpikeDad
Not even the same. The VW coverup was to coverup a specific, fraudulent
behavior by the company in an attempt to commit fraud.

The Apple situation is basically a reporter with no named sources saying that
Apple itself was fooled by outside sources. There's a HUGE difference between
willful fraud (VW) and corporate embarrassment (Apple IF it was true).

~~~
saudioger
Well my point is that it could be corporate embarrassment AND willful fraud to
cover up the corporate embarrassment. They have a huge incentive to lie,
because even if they were truthful from the beginning and this did happen...
it would be very bad for them.

I also think this goes far beyond "embarrassment" — this is something that
could potentially destroy Apple's supply chain.

------
thrower123
There's something fishy going on here. I don't really think that Bloomberg
would fabricate the story out of whole cloth, so there has to be something
there somewhere. It's possible that they were duped, but if they didn't make
some efforts to corroborate the story, that would be shockingly poor
journalism, the kind of thing you expect from the National Enquirer, not a
major financial paper.

On the other side, it doesn't take much of a lapse in QA to let a single bad
part through, when you are dealing with billions of components like Apple is.

~~~
saudioger
My understanding is that while the sources were left anonymous, they were
definitely confirmed as intelligence agents by Bloomberg... so if they were
duped, it's a pretty serious (propaganda-level?) duping.

~~~
WillPostForFood
This is where Bloomberg is already caught playing a little loose with the
truth. They are saying they have 17 sources, some of which are intelligence
officials, but that doesn't mean they have 17 people confirming the specifics
of these incidents. Apple's response notes that the accusation is reliant on a
/single/ anonymous source. Intelligence officials may have simply confirmed
that China is interested and has tried to do this kind of thing.

~~~
Bartweiss
As Greenwald pointed out years ago, it's sensible for readers to ask _why_
sources are anonymous.

If they're saying something inconvenient to their government or employer,
that's neutral or even positive for their credibility. If they're saying
something convenient but classified or otherwise not-for-release, that's
generally neutral; 'authorized leaking' is an established practice. But if
they're saying something that won't cause them problems and isn't a secret,
then it's strange. It raises the possibility that they're anonymous because
the claim isn't _true_ and they don't want to be embarrassed, or even that the
story writer encouraged anonymity to hide the weakness of the source.

If Bloomberg is saying "we used 17 sources including intelligence officials
and an anonymous source who confirmed the hack", well, easy money says the key
anonymous source doesn't measure up to the other 16.

------
okket
Maybe relevant: Here is a podcast with Joe Fitzpatrick, one of the sources
named in the Bloomberg article, who expresses doubts about the "Big Hack"
story:

[https://risky.biz/RB517_feature/](https://risky.biz/RB517_feature/)

------
fhood
Until someone produces some actual compromised hardware, I'm leaning towards
Apple on this one. I don't know what is going on, and I fully trust that
Bloomberg was very confident in the story, but for Apple to deny this so
strongly, repeatedly and vehemently indicates to me that they are telling what
they believe to be the truth as well.

~~~
kickopotomus
This is what I am thinking as well. The initial denial could be due to a gag
order if the investigation is ongoing or if the information was simply deemed
classified. However, to go to these lengths to deny the story makes me feel
that Bloomberg may not have gotten all the facts straight.

------
DenisM
Perhaps someone created a disinformation campaign against Bloomberg? That
would fit the facts we observe - Bloomberg is adamant in their story and
Apple/Google are adamant it’s entirely false.

~~~
rdlecler1
This is the best solution I’ve heard yet. On the one hand, I can’t believe
Apple would make such a strong categorical denial if it wasn't a false story.
At the same time, a Bloomberg reporter is not going to risk a career unless
they had strong conviction in their sources, and Bloomberg is not going to
risk their reputation unless they felt the sources were solid and fully
vetted.

------
creeble
Once again, this is easy for Bloomberg to prove: X-Ray or it didn't happen.
Fake news. Surely the factory produced more than a few of these mobos. All the
world needs is an X-Ray of one board with the magical chip.

~~~
394549
> Once again, this is easy for Bloomberg to prove: X-Ray or it didn't happen.
> Fake news. Surely the factory produced more than a few of these mobos. All
> the world needs is an X-Ray of one board with the magical chip.

That's not true, and fundamentally misunderstands what journalists' job is.
They're _reporters_ not researchers: they _report_ on information in testimony
and documents they acquire, they _don't_ do the research to create that
information themselves. They _cross-check_ testimony and documents between
multiple sources to verify the information, they _don't_ replicate research.

Bloomberg doesn't have a bugged motherboard to X-ray. Per their story, all of
those were owned by other entities. There's very little reason to expect that
they have an example, since they weren't a target and the people they talked
to were likely not authorized to hand over their employer's property. Given
that, it's unlikely they even asked for one since it would have been a foolish
request.

------
tptacek
If nothing else, this has to put to rest the "gag order" or "NSL" conspiracy
theory.

------
qaq
OK, so no material details are provided in this letter. I am not aware of a
single F500 company that was not breached at some point, so "we have not found
any servers because we have various security tools installed" is not really
meaningful. Scanning outbound connections is not a meaningful defense in this
case: there are legitimate outbound connections going to, say, China, and
given China's ability to capture any inbound traffic there are definitely ways
to exfiltrate data without raising any flags.

~~~
danaris
...But as I understand it, the Bloomberg report states that specific pieces of
hardware were found _by Apple_, and Apple states that they have found no such
thing.

~~~
qaq
This all depends on what gag orders are in place, if the Apple source was off
on having precise information of who discovered what, etc. To me the language
of all Apple communications so far looks to be very carefully worded; same for
DHS.

~~~
bun_at_work
I think you make a reasonable point here, but it doesn't change the facts
about what reasonable attack surfaces are, made elsewhere.

For example, why place a detectable piece of hardware onto the MoBo, instead
of just installing malicious firmware? The hardware piece is going to be
limited in capabilities and much easier to detect. Given the level of access
required for this "hack," it makes more sense to just write the bad firmware
to do all the tricks. Especially since, as far as I understand, the malicious
chip modifies the firmware anyway.

There are far too many reasons to be skeptical of the article, and the parties
involved have motives that are very easy to trust.

~~~
394549
> For example, why place a detectable piece of hardware onto the MoBo, instead
> of just installing malicious firmware?

Because the supply chain may be verifying the integrity of the firmware?
Firmware is "detectable" too. Its detection is probably easier because so
much of computing is software-focused nowadays.

Hardware implants have certain advantages: no one may be looking for them and
they're extremely resistant to removal attempts.

------
busterarm
Breaking: [https://finance.yahoo.com/news/evidence-hacked-supermicro-ha...](https://finance.yahoo.com/news/evidence-hacked-supermicro-hardware-found-150152882.html)

------
plg
what an awful looking letterhead design, I'm surprised

~~~
Terretta
That’s funny, I sent it to a colleague saying how nice it was to see something
so simple yet distinctive.

------
Greetz899
For me it seems that there are more coincidental elements here than what is
apparent, for example the disappearance of the Interpol chief, etc.
[https://newcompendium.com/2018/10/the-chinese-chip-is-just-t...](https://newcompendium.com/2018/10/the-chinese-chip-is-just-the-tip-of-the-iceberg/)

------
_Codemonkeyism
Surely these Apple execs would be the first execs to ever lie.

I'm interested in the Bloomberg follow-up, or whether they fold.

------
jasonlotito
Let's say Bloomberg did its due diligence and is telling the truth. That doesn't
mean Apple here can't also be telling the truth as they see it. Bloomberg
could have spoken to a few select individuals who shared things only they
knew. I don't see any reason they couldn't have kept this hidden from others,
allowing the upper management plausible deniability. These people lower on the
totem pole could report to the government, and upper management could deny all
day long.

Couple this with my own personal experience with Apple sharing personal data
it had no right to share, the fact that only a single person signed this
letter, and Bloomberg still not backing down, and Apple has a way to go. They
could start by having every person who would remotely be involved with
something like this (from top to bottom) sign a legally binding letter
attesting that Bloomberg's story is not true. Until you have this, it only
takes one individual who hid something from seniors to make this true.

------
21
Obviously people started to investigate this hack too much, so the US
government forced Apple using an NSL to write a letter to Congress denying that
any such hack occurred. Congress probably knows the truth, but they are
also under NSL.

Expect letters to Congress from Amazon and the 30 other hacked companies.

It's the only way to kill this story, after they made the unbelievable mistake
of forgetting to NSL Bloomberg despite having requests from them to comment on
this story for months. Somebody is getting Guantanamoed over this slip.

~~~
jsjohnst
An NSL cannot compel you to lie, it can only compel you to stay silent. There’s
decently extensive case law to support that.

~~~
ben_w
I’m not a lawyer, I’ve merely read news stories about how NSLs and associated
court cases are overly-secret
([https://en.m.wikipedia.org/wiki/Lavabit](https://en.m.wikipedia.org/wiki/Lavabit)).

Given what was reported in the Lavabit case, how sure are you that there is no
secret caselaw which does, in fact, require companies to lie?

~~~
jsjohnst
Look up the case law surrounding “compelled speech” if you’d like more
details.

