I heard this on NPR [1] and thought it was interesting and hadn't seen it in these articles on HN:
> When [Bloomberg] asked China's foreign ministry for a response, a lot of times they'll say things like, you're crazy; we know nothing about this. Their response was a little more nuanced and contextual in the environment we're in now. Basically they said, we are a victim of these kinds of attacks, too. And, you know, they're right. The U.S. government - it's very, very good at these kinds of hardware attacks.
Supporting evidence for Bloomberg's claim: NSA interdiction of US export shipments [2].
Are you saying the NSA bribed manufacturers in China to add these to boards - so Americans would discover them and accuse the Chinese government of espionage? Is this the stick to the tariffs' carrot?
Remember, astronauts couldn't have met aliens on the moon, if the moon landings were faked.
Or maybe just those manufacturers doing their online shopping and accidentally bought those kinds of compromised chips.
Yes, you can actually buy the similar looking chip on Taobao.com by searching HHM1523C1[0] or HHM1526[1]. Some vendors even claim the chips they're selling are "Imported, 100% legit".
And, of course there can be another interpretation: We (China) bugged your server, because you (the U.S.) bugged ours first.
The water is so muddy right now, maybe wait for more information?
No, I am not. I'm saying that China's foreign ministry's response sounds a little like they're saying "we are [merely] retaliating in kind." NSA has been caught adulterating computers in export interdictions and maybe this is us catching China up to the same.
I didn't bring up trade wars at all, I don't think it's necessarily related (this kind of tradecraft was likely in the works for much longer than recent trade disputes).
So plain old espionage, executed for whatever the needs of the day might be.
The fact that NSA could do it supports at least a strong possibility that the Chinese could do the same on their soil. It’s crazy to waste such excellent attack vectors, especially when Supermicro is an American and not a Chinese company.
It could also be possible that these companies are legally bound by some sort of investigation-related order to maintain ignorance of the presence of the chips and that Bloomberg have just sunk an ongoing investigation/counter-espionage operation, potentially putting an associated intelligence network at risk.
They're not "maintaining ignorance"; they're categorically denying it, and in significant detail. Both Apple and Amazon produced essentially bulleted refutations of the story. That's not what you do when you're trying to brush something off.
> They're not "maintaining ignorance"; they're categorically denying it
What makes you think the people denying it know about it though? E.g. if the head of Apple security got served an NSL, wouldn't that potentially prevent them from telling the company lawyers or the executive team?
It's a curious forum we're on where on one day there are jiggabytes spilled over how journalists get technical things wrong and on another, they're so reliably accurate, technology organizations making the case reporting on them is inaccurate must have been infiltrated by men in black and have had hapless employees flashed with a neuralyzer.
It's not an 'unsubstantive' comment. There is a very large section of users who are ardent believers in the 'Gell-Mann amnesia' effect. There are also seemingly many, many users, as the one I'm replying to and many who've posted similar, highly voted comments on this thread, whose explanation for the discrepancies between the reporting on this story and the company responses amounts (in my view) to MiB but with different acronyms. I find that curious. Maybe you don't, maybe you think those users don't overlap much or at all, that's fair enough. But 'things people find curious about HN that you think maybe aren't' is not 'unsubstantive' so get off my case, oppressor!
This is a rare instance where I agree that 'dang has jumped the gun. I don't see how your comment is insubstantial either, and I think HN's weird relationship with the news media is worthy of comment. No reasonable person reads the comment above to mean "literally everyone on HN has inconsistent beliefs about the press".
> HN's weird relationship with the news media is worthy of comment
If I had said something about trusting Bloomberg or the media then sure. But that’s a completely different topic that’s not even remotely related to whether Apple’s denials on potential NSL issues are reliable.
How are those two topics not intimately related? The question of how reliable Apple's employees are is only relevant to the extent that you believe Bloomberg's reporters were competent in sourcing the story.
Apart from that not being remotely what's being said, HN is not one person, it's a lot of different people with different opinions, commenting on different articles.
I'm not sure what is 'remotely not being said' and I have some vague understanding of the idea HN is not one person.
But there are definitely two (among many) strong tribes of HN-popular belief - let's call them the Gell-Mannicheans and the National Security Epistoleros. It's weird (to me) that they rarely meet in threads on stories concerning both! That could be because they live in different timezones or have different interests. It could be that the Epistoleros are just that much more numerous or that for some people epistolerism trumps gell-mannicheism. Or something else altogether. I find it a curious thing to observe and think about - it's not some underhanded 'zomg lolz, I have caught you in logic error' comment.
At this point it's clearly down to Bloomberg / Businessweek to bring more evidence to the table, and support their story further. The other side has entirely put the ball back in Bloomberg's court. Their credibility will be severely thrashed by this if they don't.
Why limit yourself to news agencies? If trustworthiness amounted for anything, nearly all corporations big enough to have a PR department, and all governments would be out of business.
How is "we have found no evidence of..." categorically denying? They're doing exactly what parent says, turning a blind eye to it, and "truthfully" saying they haven't seen anything amiss.
The story claims that Apple worked with the FBI to investigate the issue, and Apple is saying no such cooperation ever happened. There really is no way to square these two sides; somebody is either wrong or lying.
I have reason to believe that Apple and Amazon (and intelligence agencies) silo some data internally on a need-to-know basis wherever possible. A leaker shouldn’t be capable of leaking everything.
Sure, but it wouldn't make sense to only relay the gag order to a subset of people who were aware of an incident - that would add risk and defeat the purpose of the risk-mitigating silos that you're suggesting.
So not one of the fifteen Bloomberg sources knew about any kind of gag order or reason for Apple/Amazon to deny these claims? Just saying that seems unlikely.
> Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.
That is a commonly accepted position. As any prosecutions under an NSL would presumably be kept secret in order to keep the NSL itself secret, I strongly suspect that governments in general will take a dim view of such loopholes. The aforementioned secrecy means you are unlikely to find out.
Which is actually what Reddit did with their annual transparency report. They said something along the lines of "if we haven't been gagged, we'll explicitly tell you we haven't been gagged. Otherwise..."
If the government can compel one kind of speech, it's not hard to compel others. They don't even have to make a brand new rule for this. The companies have stated they use this technique to get around the gag order.
Judges aren't compilers who will faithfully follow all the rules as written down without deviation. They are specifically empowered to make decisions in light of new evidence, so why wouldn't they force companies to actively lie if they are already adding exceptions to the first amendment?
This seems the most likely scenario to me. The official response definitely does not pass the smell test, and this is the simplest way 5 eyes has to benefit from lying.
There is plenty of precedent for the US government issuing national security letters (“NSLs”) containing gag orders for ongoing investigations, often with massive monetary penalties imposed for violations.
> There is plenty of precedent for the US government issuing national security letters (“NSLs”) containing gag orders for ongoing investigations
I don't think the U.S. government can compel companies to lie. It can, though, request them to.
If the NSA said "your servers were compromised by a state-sponsored scheme, and we'd like your co-operation in running counterintelligence operations" I think it would be fair for a company to say "yes". Particularly if part of the offer included help extracting infected hardware from said company's infrastructure.
Unless the fine is implemented as a percent of revenue, market cap or the like. Similarly, the US government once threatened to fine Yahoo $250k per day for non-compliance with PRISM. [0]
As an aside, what do you think is draconian about such a law? It seems like there are reasonable arguments for why it would be in the national best interest to keep an ongoing investigation classified. In fact it seems like an unusually straightforward application of the cliche justification “for national security reasons.”
Which Yahoo shareholders would be irate about, and the Yahoo corporation could not trivially afford to throw away regardless. That would have destroyed about 1/4 of Yahoo's profit at the time.
That would be bad enough, however the next step by the government would be to increase the fine amount, were Yahoo to hold out over time. Kick it up to $1 million per day and Yahoo would have folded no matter what. The problem is pretty straightforward: the government could push it as high as necessary to compel the result they wanted.
"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."
talks about Congress, not an executive branch. The latter can gag a person, or a company.
The First Amendment applies to all three branches of the government, not just Congress. The executive branch can attempt to obtain a gag order, but the 1st Amendment nonetheless places limits upon them.
However, the US enforces the Patriot Act that obligates US companies to turn over user data and further obligates them to keep that fact secret? Is it that far fetched to think they couldn't be obligated to avoid admitting (explicitly, or implicitly) something that would jeopardise ongoing espionage-related activities?
Yes, it's not really backing them any more than the equally non-committal statement from the Norwegian National Security Authority is. The Reuters headline is not borne out by its article.
"We have no reason to doubt" is not a weasel statement. "At this stage" is a weasel statement, but only in the sense that it means "We haven't investigated this or seen any evidence ourselves, and until we do we'll go with the line taken by Apple and AWS."
This can be taken as meaning "The US has given us details and asked us to deny them" - which makes no sense, IMO.
Or "The US has given us no details" - which is rather more likely.
Nobody said it was a weasel statement. Nobody said it was their job to back these companies. The claim is that, counter to the title, they have not backed these companies.
Does it seem a little odd for the 5 eyes to be weighing in while the US gov is silent? I am not sure how to read this but it is weird. I have never seen them make a public statement on a hack in a way specific to specific companies (and not others mentioned in the Bloomberg article).
Even if taken at face value, it can only mean 2 things. 1. They already thoroughly investigated it (draw your own conclusions what they found or any involvement) or 2. They just issued an official statement without possibly having the time to investigate the merits of the accusation. This not only doesn't pass the sniff test, it's evidence of yet another turd on our lawn.
> Does it seem a little odd for the 5 eyes to be weighing in while the us gov is silent?
Chances are, American intelligence has been running counterintelligence operations through this network. That leaves lots of people in American intelligence who would prefer this remain a secret, without a similar restriction elsewhere.
The big question is whether it's your neighbor's turd or your neighbor's dog's turd.
Re: 1, if they investigated it then that means that "it" was something in the first place thus warranting the investigation.
Re: 2, that's the kind of thing you do when you need to inject uncertainty into the situation to buy yourself or your buddies time to tie up loose ends/burn evidence/figure out what story they'll tell the politicians.
I don't think this is feasible. They are 100% going to get caught with this tactic. If they were guilty in the way you guess, I think the likely response would be to muddy the waters with FUD and create lots of confusion.
“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,”
"The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us"
If I might don the tinfoil cap, this is a mighty fine time to bring negative light onto CN, with Dragonfly stirring the pot and a testimony from Google's CEO next month.
A coworker remarked to me earlier today that the denials don't matter; true or false, the story serves a domestic US purpose in distracting from $OTHERNEWS (in this case the Kavanaugh circus).
That would actually explain the strong denials and involvement of UK spy agency. Being caught with NSA chips in servers would be far worse for Apple than with Chinese chips.
It seems unlikely that Amazon would not detect attempts to reach unauthorized IP addresses. If you’ve used AWS security groups, you know that you can specify what IP ranges your machines can access. While many customers aren’t locking this access down, I’m fairly certain Amazon knows exactly what they are doing on the AWS systems they use.
Detecting such attempts on a brand new system would spur them to identify the source. They’d have found that chip, most likely.
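As an added illustration of the kind of detection the comment above describes (this is example code written for this page, not code from the commenter or from AWS), here is a small Python check that reads VPC flow log records in AWS's default version 2 field layout and flags outbound connections from internal hosts to any destination outside an egress allowlist. The log lines, the 10.0.0.0/16 internal range, the allowlist and the RFC 5737 documentation addresses used as "unexpected" destinations are all constructed for the example. A REJECT entry shows the security group blocked the attempt; an ACCEPT entry to an unlisted destination shows the group was more permissive than the allowlist assumes, so both are reported.

```python
import ipaddress

# Constructed sample records in the default VPC flow log (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 44321 443 6 12 2400 1538688000 1538688060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.7 51000 443 6 3 180 1538688000 1538688060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.9 51002 80 6 5 300 1538688000 1538688060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 443 44321 6 10 9000 1538688000 1538688060 ACCEPT OK
"""

FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
)

# Assumed address plan: everything in 10.0.0.0/16 is "ours", and the only
# destinations our hosts are expected to reach are other hosts in that range.
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
EGRESS_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/16")]


def parse_flow_log(text):
    """Parse version-2 flow log lines into dicts; skip malformed or NODATA/SKIPDATA lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(FIELDS) or fields[0] != "2":
            continue
        rec = dict(zip(FIELDS, fields))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA rows carry no addresses worth checking
        rec["srcport"] = int(rec["srcport"])
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def find_unexpected_egress(records, internal=INTERNAL, allowlist=EGRESS_ALLOWLIST):
    """Return (srcaddr, dstaddr, dstport, action) for flows leaving internal hosts
    toward destinations not covered by the allowlist, whether blocked or accepted."""
    findings = []
    for rec in records:
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src not in internal:
            continue  # inbound traffic; only outbound from our hosts is of interest here
        if any(dst in net for net in allowlist):
            continue
        findings.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["action"]))
    return findings


def accepted_findings(findings):
    """Subset of findings the security group let through: the ones needing rule changes."""
    return [f for f in findings if f[3] == "ACCEPT"]


if __name__ == "__main__":
    hits = find_unexpected_egress(parse_flow_log(SAMPLE_FLOW_LOGS))
    for src, dst, port, action in hits:
        print(f"{src} -> {dst}:{port} {action}")
```

Run as a script it prints the two flagged flows from the constructed sample: the REJECT to 203.0.113.7 (the group did its job, but the host tried) and the ACCEPT to 198.51.100.9 (the group allowed something the allowlist does not). The same split is useful in practice: rejected attempts are the signal that something on a host is trying to reach out, and accepted ones are the egress rules that still need tightening.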
I am pretty sure some security issues did happen else Supermicro would have definitely sued the reporters by now. But then the mild response by US government and the FBI in general means that the so called attack wasn't as sophisticated as claimed by Bloomberg.
On the other side of the coin, it’s possible that they have a vested interest in keeping this quiet as it would bring attention to their own practices.
I'm not sure this is necessarily a point in Apple and Amazon's favor. Also, as another comment here mentions, the "backing" in the title seems stronger than GCHQ's actual statement.
Easy to say if they cleaned up the evidence. What's convenient about recalling servers is that they're all neatly lined up in racks in datacenters, making them easy to pull out and replace. Supermicro would have lists of affected serial numbers, allowing them to take them back and make sure there aren't any samples lingering around for independent analysis.
Just to clarify your sentence, do you mean "far more inclined to believe China did spy on Apple/Amazon, etc"? Or you're far more inclined to believe Apple/Amazon, etc?
Funny how this story comes out shortly after Apple announced you can’t fully repair the newest MacBook pros and iMac pros without their software for “security sake”.
Coincidence? Yeah probably, and very tin-foil hat, but who knows?
There is a TON of counterfeit Apple service parts on the market. This is the result of the only real source of parts being pulls from recycled units, and Apple has this neat "recycle initiative" requiring subcontractors SHRED everything and provide detailed protocols of destruction.
Most counterfeits differ in lower quality, not gorilla gorilla glass, lower brightness not quite actual white backlight, non IPS IPS LCDs, 7 year old 4 times repackaged "brand new" batteries etc.
There are also replacements with straight up fake, dummy plastic parts thrown in, for example https://www.youtube.com/watch?v=TalLpLWaOV4. It becomes a real brand problem when Staples "fixes" your product using scam parts.
But there are also a ton of people using real or just as good parts to repair their macs. Those people, who can’t afford a non-warranty repair at Apple, will be hurt the most.
It’s especially true in east Asia. Yes, there are plenty of counterfeits, but there are also plenty of legitimate ones too.
[1] https://www.npr.org/2018/10/04/654518383/bloomberg-reporter-...
[2] https://www.theguardian.com/books/2014/may/12/glenn-greenwal...