Apple tells Congress it found no signs of hacking attack (reuters.com)
81 points by okket on Oct 8, 2018 | hide | past | favorite | 70 comments

Just to throw something extra into the mix - infosec podcast Risky Business managed to track down a source (apparently a trusted source of 15 years) who provided photos to them of what the source claimed was "extra unlabelled components on sensitive buses" they'd found on a teardown they conducted of a Supermicro board.

And then, the source retracted the statement and said the photos were from different equipment, and that they didn't find hardware backdoors on Supermicro equipment.

This page on the Risky Business site explains their correction in more detail.
Generally Risky Business is pretty good (they had some great inside info on the "hack" of the 2016 Australian Census), so I find this an intriguing and interesting extra datapoint. If Risky Business can be misled this way, maybe this is how Bloomberg could be misled too.

Not to go ‘too tinfoil’ here, but couldn’t that also imply the source was discovered and harassed/served a gag, or something of that sort? (Purely as devil’s advocate speculation)

I don't get that feeling in this specific case, but I'm wary of speculating. Patrick (the guy who hosts the podcast) and the source are probably the only two people who actually know.

That said - listening to the podcast, where he interviews someone (who is not the source) and asks them near the end "Have you heard anything about this over the last few years? Have you heard any rumours or anything to suggest China is behaving in this way?" It is a really awkward silence and very nervous laugh, with a vague reply about having seen news reports. That bit is around 22:07 in the podcast if you want to skip ahead. Then maybe go research a bit about who the interviewee is.

> Have you heard anything about this over the last few years?

Am I the only one? I don't take my recollection on this as fact, but I remember a story from a year or two ago that a large company (like Apple, Google, or Amazon) would take photographs of the boards they ordered before they were shipped (likely from China) and compare them to what was delivered. The way it was described was more like that was their security protocol because of suspicions/risks of it being tampered with in transit.

Interesting. I’ll give it a listen. Thanks for the reference time as well.

How much of Apple's business is in China now? What about Amazon? Would Apple publicly deny these allegations to appease China so they can continue doing business there?

Interesting. I don't think Apple would make a sworn statement to Congress if they weren't absolutely sure it was true.

Looks like I may have been wrong--perhaps this was a false story planted by certain US officials to slander China. Did Bloomberg get played?

I don't think it was a sworn statement by Apple officials. Just a letter.

Apple has 123,000 employees. It is possible that only a small security group within the company knows about the issue and has been gagged.

When a person represents a company to Congress to make a statement on an issue, they are required to be someone who can make that statement accurately. Were this not the case, we’d have hearings with a lineup of janitors from Facebook, Apple, Google, etc., all swearing on their lives that all is well in their respective kingdoms.

Didn't some other US official lie to Congress?

Not wittingly.

Yeah, right.

Never happened.

Could a national security gag order even cover a sworn statement to Congress?

More likely they told Congress the truth, but the Congress is also under a national security gag and they put out a false statement about what Apple declared...

Guys, you are worse than the ZeroHedge and similar conspiracy forums...

> More likely they told Congress the truth, but the Congress is also under a national security gag and they put out a false statement about what Apple declared...

So the secret is so important that Congress is under a gag order. The two highly valued companies in the US (Apple and AMZN) have a gag order. But little old Bloomberg doesn't have a gag order. Isn't that a bit unbelievable?

> Guys, you are worse than the ZeroHedge and similar conspiracy forums...

Doesn't this apply to Bloomberg and the media as well? The entire country is immersed in conspiracy. Not sure why you are attacking HN and ZeroHedge in particular. What's with the sudden attack on social media with attacks like "conspiracy"?

What do you expect of us? The discussion has to involve conspiracies because the story deals with conspiracy. Either Bloomberg is right and the Chinese (or possibly other actors) are involved in a conspiracy to spy on us in ingenious ways. Or Bloomberg is wrong and they are involved in a conspiracy (knowingly or not) to spread disinformation. Or it could be a misunderstanding.

Free press?

Again, the only thing they said is that they have not uncovered any signs of hacking based on whatever endpoint and other security systems they have in place. No vendor has ever claimed they can detect 100%; the best solutions can detect 98-99%. Given the number of exploits, this means, depending on the operating system, from many thousands to millions of exploits that will not be detected.

Apple has been pretty clear in their statements and it's a given that they can't detect 100% of outgoing malicious data from their network. But they are denying much more: the servers with the altered boards entering their supply chain, Apple's rapid removal and replacement of all those servers, and so on.

"Stathakopoulos repeated Apple’s statements to the press that it never found malicious chips or vulnerabilities purposely planted in any server or been contacted by the Federal Bureau of Investigation (FBI) about such concerns. He said he would be available to brief Congressional staff on the issue this week." I have not seen "they are denying much more: the servers with the altered boards entering their supply chain". All statements I've read are worded very carefully.

I am not trying to pick a fight, but Apple's statement says...

* They never found malicious chips planted on any server

* They never found a vulnerability planted on any server

* They were never contacted by the FBI about malicious chips or vulnerabilities

* They are willing to state this before congress

In my opinion, this disagrees with the biggest pieces of the Bloomberg piece. Does the word "purposefully" really negate Apple's statement? It could be a matter of opinion, my opinion is that it does not.

That they are willing to talk to Congress, to my mind, speaks to how far they are willing to go on this. IMHO, if they were under some kind of gag order they wouldn't be pushing this hard.

"They never found malicious chips planted on any server" literally means they have never found chips planted on any server. They did not say they have conducted a review of 100% of servers, or anything else related to the scope or types of checking they have done. Again, everything is worded very carefully. Same for every other statement you posted. If you pay attention to the DHS statement, it is again worded very carefully: they have never stated that DHS never found any evidence, they only said that Apple never did.

I find it hard to believe China would risk their industry by doing something like this where the device has "hard" evidence on spying. They can just find a security flaw on the software and use that.

It does not have to be China behind the hardware devices, if they are real, just because they were planted in China. It could be Russia, Iran or any other agency with enough money to pay off the supply chain. Heck, even Escobar would have done this if he was alive. Didn't he buy military submarines at one point?

The hardest part is predicting which batch of motherboards will be assembled and delivered to which customer.

According to Bloomberg, Supermicro has 4 contract factories for motherboard production in China. But Supermicro itself assembles in the US/Taiwan only.

> I find it hard to believe China would risk their industry

Do you think Apple will start producing iPhones in Apple Park's basement?

Time for Bloomberg to add a little more detail to their claims now, surely?

It would be really nice for Bloomberg to either offer more evidence or tell us they have lost confidence in the article. Likely they will do neither.

> Likely they will do neither

Right, they likely have already gotten everything they wanted from the article, there's no reason for them to damage their reputation by 'losing confidence' in it, and providing more evidence to support the article won't net them as much publicity/clicks/whatevers as working on the Next Big Article will.

You realize Bloomberg doesn't really make any money from 'clicks', right? They are a data provider, and as such, have a pretty strong incentive to ensure their data is accurate.

That fits under the "whatever" category.

But the incentives are very different. Bloomberg makes almost all of their income from the Bloomberg terminal. Their TV network, their news website, everything else, is solely in service to their primary business.

The percentage of revenue that comes from advertising for Bloomberg is vanishingly small. Companies follow incentives, and in this case, I think we can reasonably conclude that Bloomberg thought the article was 100% accurate (not saying it is though, I think it's too soon to tell).

If Apple and Amazon can be put under an NSL gag, why wouldn't they also put Bloomberg under it? They had a whole year to do it.

It is not like the PR department of Apple received an NSL gag; it is more like the small security group within Apple that found the bug has been gagged.

So neither Apple executives nor the PR department honestly know about the bug. They deny it because from their perspective there was no breach.

The somewhat paranoid, but possibly correct conclusion here, just like with some of the other recent "acts of chaos" (election tampering, and other misinformation campaigns) is to "Blame Russia".

This might be one of the simpler explanations - Russia planted the data / evidence / sources to Bloomberg, with the sole objective being to sow chaos in the world. This, to me, is the only explanation where it makes sense that both sides think they're right - Bloomberg really did have those sources and Apple et al really didn't find any evidence of this tampering.

(Rewind to the hours after the presidential election - those who were blaming Russia already were labeled as kooks, right?)

I also thought about that.

The problem with this theory is that Bloomberg says that many of its sources are US officials.

Hardware implants are more widespread than one would think: https://newcompendium.com/2018/10/the-chinese-chip-is-just-t...

I have watched multiple hearings of the US Senate Judiciary Committee in the last few years, and was surprised how many people managed to do both, not lie and not reveal the truth, by making huge statements with extremely carefully picked wording.

Previous discussion from 10 hours ago: https://news.ycombinator.com/item?id=18163325 (31 comments)

So... were Bloomberg just bare-faced lying, then?

That would be insane. I can easily think of scenarios under which they were purposely fed false information, alternatively got the story mostly (but not quite) right, or got it right but put ongoing activities at risk by publishing now.

How would it be insane?

This is a very common pattern. American media publishes outlandish stories and the only evidence is "anonymous sources" and highly partisan agents. Iraqi soldiers killed babies in incubators. Iraq has 10,000 aluminum tubes. Iran is arresting all its Jews. China has camps with millions of people imprisoned.

The only thing insane about the whole affair is that no matter how many times it happens, virtually every time, Americans are quick to believe these reports and display virtually no skepticism. The problem isn't Bloomberg by any stretch of the imagination.

> China has camps with millions of people imprisoned

This appears to be actually true in Xinjiang?

> Iraq aluminium tubes

It appears that they did try to buy the tubes, and they could be used for nuclear weapons (that's why they were embargoed) - but the evidence did not support that interpretation of their purpose.

A deeper point: journalism considers accurate reporting to be reporting that "X said Y" if X did, in fact, say Y. It does not consider itself bound to independently investigate the truth of that - indeed, attaching the reporter's assessment that the source is lying could be considered bias!

> This appears to be actually true in Xinjiang?

According to what evidence?

The entire story is based off remarks from an anonymous UN official on a random UN committee. [1] In classic style remarks from anonymous and highly partisan sources are repeated endlessly until they "become" true. There's absolutely zero concrete evidence that can be verified.

The deeper point is that Americans are trapped inside a propaganda bubble. Their outlandish understanding of the world is based on nothing more than gossip repeated over and over by their press. It's no better than Russia; the only difference is that most Russians know full well what's going on and are very skeptical of such claims.

On a deeper level I suspect Americans need to believe this nonsense, that there must be an external enemy to hate. It's not that they are deceived by the media, it's that they want to be deceived.

[1] https://grayzoneproject.com/2018/08/23/un-did-not-report-chi...

IMHO overenthusiastic journalists got fed wrong/incomplete information. Also, every detail is plausible, but as a whole, this scenario is just improbable. Details can be deceiving.

For a prior incident, see https://en.wikipedia.org/wiki/BadBIOS

Why? Is this the only other possible explanation?

They're a news agency. They claim to have 13 sources. If they found them to be credible, they wouldn't be lying by publishing this. Just wrong.

Kremlin surely is behind this psyOps attack to undermine the credibility of Western media. Trump. Both. China too.

If Apple found no signs of hacking, that only tells us that their SIEM isn't good enough.

This spy stuff is Inception IRL.

Sure. Completely unthinkable that journalists saw a "market moving" story [0] that passed the plausibility test in details, found some anonymous sources and went for it.

[0] "Bloomberg News Pays Reporters More If Their Stories Move Markets" https://news.ycombinator.com/item?id=18162440

Sure, completely unthinkable that the NSA and big companies are attempting to cover up a story of hacking and surveillance. <rolls eyes>

This story has been out less than 72 hours? Most of them over a weekend.

Let's let the researchers get back to work today and start actually looking for physical evidence.

Personally, I'm MORE worried with all the denials rather than less.

If there was nothing to the story, I would expect Apple to say "We don't know anything about this" and then simply ignore the ongoing kerfuffle--especially on a weekend.

The fact that they seem to be in full on PR mode at the highest levels on a weekend is somewhat worrying.

Apple is trying to position itself as the only major tech company that keeps your data private, and this story threatens to undermine that story. So no surprise the PR department is full at work.

What else would you expect them to do?

One thing I learned from this Bloomberg story is that the human mind seems hardwired to prefer conspiracy theories over facts and is very bad at taking probabilities into account.

This is a boat entirely of the NSA's making.

They compromised RSA, remember that?

They wiretapped everybody, remember that?

They stole internal corporate communications, remember that?

And, in all cases, the NSA was doing things far worse than the tech folks even imagined. And, in all cases, there were denials all around. Until there weren't.

So, on one side we have Bloomberg: a company who makes a living digging up market moving information. A company whose bottom line is going to be affected by this. A company who will be on the receiving end of no end of lawsuits if they are wrong.

On another side, we have the NSA, the PLA, the KGB, etc., all of whom are known to be malicious actors who would all do exactly what was described.

And, on another side, we have a whole bunch of rich companies that stand to lose quite a lot if it comes out that they were significantly compromised, or, worse, actually cooperated with any of the above entities.

I think my Bayesian priors are quite well calibrated, thanks.

After a few weeks, if we still don't have physical evidence in hand, I'll update my priors.

We don't have facts here, just competing claims.

From what I've read such an attack would be possible, and I think that if it happened no-one would acknowledge it. This allegedly happened 3 years ago so no-one is going to find physical evidence anyway.

The key is that it would be possible, so the important thing here is for everyone to take appropriate defensive measures.

> We don't have facts here, just competing claims.

This is not a case of competing claims. Believing that publicly traded companies would vehemently lie instead of keeping silent or using weasel words is essentially preferring conspiracy theories.

Presenting such a case without hard, verifiable evidence is ludicrous and only works because many people are susceptible to a bad company/bad government conspiracy narrative.

Believing that publicly traded companies would not lie is rather naive.

This allegedly happened 3 years ago so there isn't going to be any physical evidence anyway, and everyone knows it.

> Believing that publicly traded companies would not lie is rather naive.

You know that shareholders can sue the company if they lie publicly? That is the reason why they usually keep silent or use weasel words.

As mentioned, how are you going to prove who's lying?

Why would anyone sue Apple over this? If anything a lie would help the company as acknowledging a hack would hit the share price.

Nothing will happen, no-one is going to prove or disprove anything, and this will quietly be forgotten.

> As mentioned, how are you going to prove who's lying?

As I mentioned, the proof lies with the accuser. See

"Presenting such a case without hard, verifiable evidence is ludicrous and only works because many people are susceptible to a bad company/bad government conspiracy narrative."

If you think this is a he said/she said case, then you are deep into conspiracy territory.

That's not a reply...

It's not the human mind, it's a particular ideology. What's at work here is an ideology that must find enemies, the more heinous the better, in order to justify its own heinous actions.

This is a ridiculous theory.

That depends on how you define "lying".

Is telling partial truth lying?

By combining multiple truths into one fabricated piece, is it lying?

Do you think the picture they used to present the chip is real? They certainly didn't claim the picture is for demonstration only, not the real thing.

> Is telling partial truth lying?

Are we in kindergarten? Of course it is lying.

So let's say Luke and I are troubleshooting a production issue. Luke and Chewbacca recently did some work on the relevant parts of the code. I ask Luke: "Luke, this is really odd, didn't we run the test suite and it passed without any problems?"

And Luke says "we did and it passed", knowing full well that Chewbacca marked some tests with the #[ignore] annotation and one of those ignored tests covers the exact functionality that is now failing in production.

I call telling partial truth intellectual dishonesty and for all practical purposes it is indistinguishable from lying.

Lying requires intent.

If I repeat a lie that I’m told, I’m merely being a dupe.

Consciously repeating a lie requires intent. Consciously telling half truth requires intent.

Indeed. There’s a really weird gray area too where someone should know that it’s a lie, but doesn’t fact check because it’s too comfortable.
