Apple tells Congress that it has found no sign of microchip tampering (theverge.com)
62 points by nwrk on Oct 8, 2018 | hide | past | favorite | 36 comments

I can definitely entertain the possibility that Bloomberg was lying in their reporting, as like all media reports what's written should be taken with a reasonable grain of salt.

But to intentionally publish such an inflammatory article, knowing it to be false, which implicates two of America's most influential corporations just seems like absolute professional suicide to me.

The story can be false or misleading without the reporters lying. They may simply have believed their sources and chosen not to question them too closely. That's more common than reporters making things up.

There's the story about how Bloomberg pays its reporters if they "move markets".

Would that create the appropriate incentive to explain this behavior?

People are having a bit of a field day with that, but how is it any different from any other paper which gives bonuses for stories which move subscriptions? Or simply the fact that a journalist's career progress is basically pegged to the importance of their stories?

It's a niche-specific metric for rewarding the same thing every publication does - reader interest. If a reader is interested in a financial article, pretty much by definition it will alter their market behaviour.

I actually agree, as with all journalism, that there is some incentive to write exaggerated articles. But it rarely causes respectable journalists to fabricate stories, and I can't see how this would be any different.

Also the ones calling no fouls are the primary targets and would be most affected by this as one of their selling points is their security levels.

Independent 3rd party review is needed.

Hanlon's razor.

Think Three Days of the Condor. They printed it, but CIA cleaned up most of its mess, or is in frantic cleaning mode right now. Suppose the story is true, but Bloomberg mangled a couple of facts, and didn't know about the bigger picture.

- Chinese did in fact make firmware implants, but purely software based (no chips).

- hacks were highly targeted, aimed at Elemental (CIA drone feeds) AMAZON (aws) APPLE (iCloud).

Both denied by Apple in 2016, "Apple spokesperson has denied there was any security incident", but "miraculously" confirmed right now https://www.apple.com/newsroom/2018/10/what-businessweek-got..., admitting the 2016 denial was a lie after all, but we aren't lying this time, promise!

- CIA detected these attacks early and managed to inject itself into the data path between hacked systems and China. Just imagine the power of wielding such a tool. You have the ability to cut the hack at any moment you like, block certain information from leaking, INJECT your own misinformation, and most importantly you get to keep all the data being exfiltrated. Win win win win.

- and all of a sudden some stupid unpatriotic journalists spoil one of your biggest, most successful counter intelligence operations.

We still don't know what's actually happening here. There are a number of possibilities.

One is that there is some secret keeping happening. Either only a handful of people actually know and they aren't talking and the people issuing denials aren't them, or there is some kind of significant pressure from the US or China to keep this quiet and the companies are complying.

Or there could be some kind of misunderstanding. The story is half true but some details are wrong so people are looking in the wrong places or asking the wrong people. This happens sometimes with anonymous sources. You get fifteen people confirming most of the details but only one is offering the name of the company or some specific detail of the attack and that person got that detail wrong, something like that.

Or the entire story could be unadulterated crap. The problem with this one is that we can't ever be really sure it was the case, and it will be at least a couple of months without any form of hard evidence or corroboration before it makes sense for people to stop looking for it.

One other possibility -- someone wanted to make China look bad and made up the whole story... and had enough resources to paint a plausible enough story that Bloomberg believed it.

This is certainly a possibility, but I would assume someone with the resources to pull this off is smart enough to realize that it would quickly be discovered if the whole thing is bs, especially as the story involves some of the US's most valuable and powerful companies.

Also, why the need to make up a false story to make China look bad? There are plenty of real issues that make China look bad. Before I get accused of some anti-China bias, the same could be said of the US. If I wanted to make the US look bad I'd focus on any of a myriad of foreign policy or domestic concerns that show its failings before I concocted a story that would soon be discovered to be a fabrication.

But that seems even more bizarre. Who has the resources to do that but not the resources to come up with a cleaner frame up than this? If the aim is to make China look bad, why target a US company (Supermicro) instead of a Chinese company like Huawei or Lenovo?

If the responsible party is not American (or is American but has a vendetta against America too), then why not? After all, the allegations said that some very high profile American companies were compromised from the hack, so why not involve another one?

Besides, it's more shocking if the Chinese hacked an American manufacturer rather than a Chinese one (where they wouldn't necessarily have to "hack" anything, just compel the manufacturer to do it).

The most extraordinary part of Bloomberg’s story is that they have so many sources. How can they get 17 people to talk about something of this caliber? Especially if Apple and Amazon are constrained with gag orders to the point where they have to lie?

You don't know who's lying. And you have no way to at the moment.

Bloomberg would not be lying purposely, but they might have gotten "owned". Those corporations might have been instructed to lie, and they might have an interest in doing so.

When I get media reports, I generally consider them 90% as true when talking vanguard reporting sites (NYT, WaPo, LATimes, WSJ, etc.). Editors are notorious for drilling down and not wanting to print unless they’re fairly confident. While papers have an incentive to publish “riveting” stories, journalists (and their editors) have a much larger incentive not to get caught with egg on their face. Take for example the reaction a few years ago from This American Life to a false story they got (and more importantly the length of the response they went into to correct it).

To put into context, I usually take peer reviewed reports as 95% as true (academic standards are even higher). Use those benchmarks as you will to adjust your priors.

I'm probably wrong, but for the life of me I can't help but wonder if there's weasel-wording going on.

> Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards.

> Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server.

Why did they say "purposely planted" here? Were they trying to exclude the possibility of malicious chips being accidentally planted in any server? Is that even a thing? If so, why? If not, then why include those qualifiers if they are unnecessary?

Saying "vulnerabilities purposely planted" just means that their servers may have had bugs like heartbleed in the past.

Supermicro BMCs had security vulnerabilities in the past as well -- which were presumably not purposefully planted.

Thanks, that makes sense for vulnerabilities. But what about "malicious chips"? I have such a hard time ignoring the fact that it modifies that phrase too. Should I be?

I don't think "malicious chips" was a quote from Apple - Apple's letter mentioned "the existence of malware or other malicious activity." adding "Nothing was ever found." - which is pretty broad.

Every webstory is quoting that same excerpt - if the entire letter was printed somewhere, I can't find it.

Thanks for pointing this out! Yeah, that is pretty broad.

It "modifies that phrase too", in what sense? Ostensibly the only way an unknown chip could be introduced into a data-center in such a way, and of all of them Apple's, would be with malicious intent, surely?

People are – I think – getting too hung up on possible "weasel words" in Apple's and Amazon's denials. Think about it for a moment: What good would it do Apple if it turned out that Bloomberg was essentially correct in their reporting, that Apple knew this, but that Apple had worded their denial carefully such that it could be argued that it was not technically untrue by some very narrow and literal reading of it? Would shareholders and the public forgive Apple if that were the case? Would trust in Apple stay intact? Would a judge rule in favour of Apple in case of a law suit? If the answer to all of these questions is no, the consequences for Apple would be the same as if they had lied.

Oct 4th 2018: https://www.youtube.com/watch?v=mYAHPPXmcts

Not sure what to make of the current hardware backdoor story, anon sources are practically useless, but I study this stuff and the VP is being charitable on the real subjects.

It appears that Bloomberg News pays reporters more if their stories move markets: https://news.ycombinator.com/item?id=18162440

One can only wonder if this story is due to the other.

A commenter there said that Bloomberg abolished this practice several years ago.

"before the congress"... pff, how is that any kind of truth-detector?

Not that long ago the bosses of the tobacco industry swore that smoking had nothing to do with cancer..

words come and go.. and no one listens. or remembers.

btw there's no bad advertisement, only a missing one..

This entire situation is really bizarre.

"'it' found no signs of hardware tampering." What about an outside party, or someone who isn't covered as being 'it'?

Sounds like some weasel wording to me, and of course they can't admit it because of their huge push to be seen as a 'secure' company to store your data with.

I wouldn't want to be the lawyer at Apple found guilty of contempt of congress.

Weasel wording is what a bad salesman does. It doesn't fly in court or in congress.

What flies in any court is claiming ignorance while having any possible evidence of the contrary destroyed or not documented at all in the first place.

I think this was a warning to some companies to return their fab processes to the USA or at least vouch to better the anti-tampering verification methods to protect from foreign state actors.

If the breaches are confirmed there will be a lot more damage to the stock market, but it all depends on how that would happen. I really hope they don't throw the baby out along with the bathwater.

If they are found to have lied to congress (or to have feigned ignorance on the matter) there will probably be stock implications, but very little in the way of punishment from the government.

If a lawyer knowingly lies to congress it's grounds for disbarment. I wouldn't risk it for any company, tho IANAL

As a lawyer I can say that companies use weasel wording all the time, to everyone, even for stupidly small reasons.

When you are that large, nobody bothers bringing contempt charges.

(The statute of limitations for charging Clapper has now run out.)

The “under oath” part is just farce now.
