Apple CEO Tim Cook Calling for Bloomberg to Retract Its Chinese Spy Chip Story (buzzfeednews.com)
530 points by minimaxir 4 months ago | 317 comments



Is it precedented for a news organization to double down like this in the case where a reporter just makes stuff up Stephen Glass style?

Because barring a Stephen Glass scenario, what's fascinating here is that no matter which side is right, this is evidence of some sort of mysterious power play.

Either Apple was hacked, they know, and are denying, which is evidence of them being under the thumb of U.S. national security.

Or, they were hacked and an internal team knows and Cook doesn't, which is evidence of U.S. national security having powerful influence inside of Apple.

Or, they weren't hacked, and Bloomberg is doubling down, which at this point would mean that someone has successfully hacked their journalistic verification processes to an extreme level.

In all three of those cases, it points to a level of attacker competence that I'm not normally inclined to believe in.


Tim Cook would have to know. If there is something like a NSL involved, Apple's legal team would have already reviewed it. That same legal team would also be advising Cook on what he publicly says since he is an officer in the company. He could lose his job or be fined for saying false information in the press (think about what happened to Musk) so it's in his and his legal team's best interest to only say true things in the press or at least spin things so they aren't blatantly false. An NSL compels you to say nothing. You can neither confirm nor deny anything and it's probably against the law for him to outright lie about the situation in the eyes of the SEC so he has to either be spinning things, omitting things, or outright telling the truth. The Bloomberg piece is fantastic but that kind of attack vector does exist however narrow it may be. I don't know why Bloomberg seems to want to double down on this. They are either incredibly stupid and are involved in some murder-suicide plot against Supermicro or they are telling the truth but maybe a little misguided.


Just for clarity, there are some cases where the CEO is in fact left out of the loop specifically so they aren't in jeopardy of lying to shareholders. But typically it is the chief counsel who is informed in these scenarios. It is significant the Apple statements have been clear to rule out that possibility.


Apple has a new chief counsel. Hmm, the plot thickens.


Old one was in place at the time of these alleged events and has publicly denied it as well.[1]

[1] https://www.macrumors.com/2018/10/05/sewell-says-fbi-never-h...


Is he under the same burden to tell the truth, legally speaking, as the current chief counsel?


Probably ethical violation to lie (lawyers)


Feudatory obligation is feudatory obligation, senior execs almost always have feudatory obligations.


Do you perhaps mean fiduciary?


feu·da·to·ry

owing feudal allegiance to.

"they had for a long period been feudatory to the Norwegian Crown"

So yes, if the old chief counsel was a subject in a feudal society, this all checks out.


dyslesia for the win


> If there is something like a NSL involved, Apple's legal team would have already reviewed it.

Apple's official statement clearly said they're not under any form of NSL or gag order.

The prevailing logic seems to be that US courts still believe the government can't force you to say something against your will, only prevent you from saying something.


And how would the CEO know what sort of NSL some datacenter employees are under?


That's not how it works. The company at large works with the government to figure out and certify who can receive NSL/FISA, and those folks have an internal process to make sure they're compliant with the law as they execute it.


The original claim is that Apple conducted its own investigation and refused to cooperate with the FBI on the matter.

They (Apple) have refuted this claim and said they're also not under any form of NSL or gag order.

Your suggestion is that both accounts are false, and that a secret government run investigation was run without Apple management's knowledge, but involving Apple datacenter staff, who are in fact under some form of NSL/gag order?

Perhaps you should go work for Bloomberg, they'll run your theory as gospel next week.


I'm not saying I don't believe they could be telling the truth, but why should we take their word for it?


Are you asking Apple, or Bloomberg?


I meant Apple, but the broader implication is that we can't trust either party with the information we have now.


I mean Apple's account seems a lot more believable to me. I know we all want Jason Bourne to be real, but he isn't.


Why trust Apple over Bloomberg? What if the hack were so bad (e.g. a keylogger + who knows what else) that none of the tech giants would ever admit it?


It's not about trust (at least for me). It's about the credibility of the account. "Journalists got something wrong" is a lot easier for me to believe than "there is a massive conspiracy to cover something up and there just so happens to be no evidence of it besides our say so."


Hmm. The involvement of Elemental is enough evidence for me. A then 200-person startup with maybe 10 hardware engineers and lots of government clients would be a great target. It makes me think the hack was real. Why else would Bloomberg have even bothered to report about Elemental?


So, are you saying that if a big journalism outlet wants to convince you that a world-shaking hack has occurred, all they have to do is name a plausible target? Interesting. My standards of evidence are higher.


It's not necessarily all or nothing.

It could be that the actual story is something at some small company, which ballooned into a shit storm of assumptions and embellishment.


I'm not saying I believe either party in this mess, but to be fair Occam's Razor is used very often to disregard legitimately viable conspiracy theories.


Then Apple would simply say nothing.

Saying nothing is Apple's thing. No one would question them saying nothing.


> Apple's official statement clearly said, they're not under any form of NSL or gag order.

Except that a NSL can (legally) command the recipient to lie about it.


> Except that a NSL can (legally) command the recipient to lie about it.

Do you have a source for this statement? As far as I'm aware, you can be compelled to remain silent but not compelled to give a false statement.


You can be compelled to act exactly as you would if the NSL had not been issued, and indeed they seem to contain language to that effect. A reasonable response would be to adopt a policy of "no comment" and most do, but if you have previously responded to questions about NSLs in the negative, you would then be required to continue doing the same.

Q: Have you received an NSL? A: No. Q: Now have you received an NSL? A: Still nope. (Government issues NSL) Q: What about now? A: No comment.

^ This would be a clear canary indication that an NSL has been issued, which is in direct contradiction of the terms of the secrecy requirements laid out in the NSL. The only reasonable response (aside from supporting the ACLU and EFF to end this nonsense) is to adopt the "no comment" policy early, which most do. However Apple has now broken that strategy, if they haven't already.
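Added example (not code from this thread or from any of the companies discussed): the canary logic the comment above describes, written out as a check. A warrant canary is a dated statement that is re-published while it remains true; the check treats a missing date, a dropped sentence, or "no comment" as the canary having tripped, and an out-of-date statement as lapsed. The required sentences and sample statements are constructed for the example, and signature verification (real canaries are typically PGP-signed) is assumed to have happened before the text reaches this function.

```python
"""Mechanical warrant-canary check (added example, not the thread's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple, Union
import re

# Sentences the organisation committed to re-publishing while they remain true.
# Constructed for this example; a real canary states its own wording.
REQUIRED_STATEMENTS = (
    "we have not received any national security letters",
    "we have not received any gag orders",
)

# The statement must open with an explicit "As of YYYY-MM-DD" line.
DATE_RE = re.compile(r"^as of (\d{4}-\d{2}-\d{2})", re.IGNORECASE | re.MULTILINE)


@dataclass(frozen=True)
class CanaryStatus:
    verdict: str                 # "ok", "stale" or "tripped"
    signed_date: Optional[date]  # date claimed in the statement, if any
    missing: Tuple[str, ...]     # required sentences no longer present


def check_canary(text: str, today: Union[date, str], max_age_days: int = 90) -> CanaryStatus:
    """Return the canary's status as of `today` (a date or an ISO date string).

    Silence is the signal: anything that is not a complete, fresh statement
    is reported as tripped or stale rather than as unknown.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)

    match = DATE_RE.search(text)
    if match is None:
        # No dated statement at all: indistinguishable from "no comment".
        return CanaryStatus("tripped", None, REQUIRED_STATEMENTS)

    signed = date.fromisoformat(match.group(1))
    lowered = " ".join(text.lower().split())  # normalise case and line breaks
    missing = tuple(s for s in REQUIRED_STATEMENTS if s not in lowered)
    if missing:
        # A sentence that used to be there has been dropped: the canary died.
        return CanaryStatus("tripped", signed, missing)

    # A future-dated statement is not credible; an old one has lapsed.
    if signed > today or today - signed > timedelta(days=max_age_days):
        return CanaryStatus("stale", signed, ())
    return CanaryStatus("ok", signed, ())


# Constructed sample statements (not real statements from any company).
CANARY_LIVE = """As of 2018-10-01, we make the following statement.
We have not received any National Security Letters.
We have not received any gag orders."""

CANARY_SENTENCE_REMOVED = """As of 2018-10-15, we make the following statement.
We have not received any gag orders."""

CANARY_NO_COMMENT = "No comment."

if __name__ == "__main__":
    for name, text in (("live", CANARY_LIVE),
                       ("sentence removed", CANARY_SENTENCE_REMOVED),
                       ("no comment", CANARY_NO_COMMENT)):
        print(f"{name:17s} -> {check_canary(text, '2018-10-20')}")
```

The check is deliberately one-sided: it never returns "unknown", because for a canary the absence of a statement is the information. Whether publishing one is legally safe is a separate question that the replies below take up.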


Apple made a statement that they are not under NSL/gag. They don’t routinely make these statements, and they weren’t asked directly about it.

They therefore are not “acting exactly as they would” without a NSL.


They’ve made similar statements in the past, e.g. regarding patriot act requests in 2013.


Canaries only make sense if the company actually cares about letting their customers know about a possible NSL. They might not be legal as it's a pretty obvious wink wink nudge nudge that they received one. Apple and Amazon are big enough that they aren't going to mess around with utopian EFF rhetoric and will do whatever is required of them by law. None of the big boys care about "don't be evil" mantras anymore. They care about what keeps the stock price up and the federal government off their ass.


How exactly do canaries work, then? Isn't the point there that you have a canary that you remove later?


I think the point gp was trying to make is that canaries are not working. Schneier for example has publicly doubted their effectiveness.


Canaries don’t work. National secrecy laws treat a canary exactly as outright violating the gag order.


Do you have a citation for this? Ideally one written by a lawyer.


Reference?


Has anyone been prosecuted for acting similar to your example?


A NSL can compel the recipient's silence in the form of a gag order, but the government cannot compel speech outside of very particular circumstances, such as consumer warning labels, that don't include verifiably false statements.[0] Thus the concept of warrant canaries, though they haven't been challenged in court.[1] There are other articles on both out there, but the EFF links are decent starting points if you're interested in reading further.

Making an explicitly false statement to preserve the silence about an NSL or its subject matter goes well beyond a gag order. The gag order compels your silence; it doesn't compel you to become an active participant in maintaining that silence beyond not acting to break it, let alone persuading people to believe any explanations or stories to explain it or shield the investigation the letter is a part of.

But there's another issue beyond the constitutional problems with trying to order Apple or its officers to make verifiably false statements about the existence of Chinese spy chips: any statement about said spy chips would constitute a material fact to shareholders. And it'd be a really big one with an effect potentially measured in billions of dollars of market value, multiplied by the fact that Apple lied and destroyed every iota of credibility on privacy issues they've developed over the years. Making that statement--even if ordered to do so by an NSL--would be a blatant breach of their fiduciary duty to shareholders and SEC regulations.

Even if compelled to do so, Apple (or its officers) literally can't make that false statement. They'd have no choice but to fight an NSL that orders them to make false statements, and even if they lost, they'd limit themselves to "no comment." So while they might be under a gag order on a given subject due to an NSL, if they're commenting about it, we can reasonably accept those comments as true. Or, at minimum, that they are their own words rather than the government's. As a hypothetical, it's plausible that they could be lying about the chips; but if so, it would be because of their own deliberate decision to do so. Not that that's very likely, of course.

0. https://www.eff.org/deeplinks/2014/04/warrant-canary-faq

1. https://www.eff.org/issues/national-security-letters


An NSL cannot force you to lie. You can say "no comment", and that's how it's always been handled. Why would they vehemently deny an NSL (with all the risks involved) when "no comment" would suffice?


Is that still true though? NSLs already compel speech in that they limit what you can say. We already have secret courts making decisions that we find out about years later.

At this point the major wall has been breached in terms of rights, altering speech for national security, and we can no longer trust anything. If the secret courts decided they were going to compel active speech instead of compelling negative speech, what mechanism would let us know of the change? I don't think there is any.


Most people in this thread have zero experience with national security issues, and the ACLU/EFF opinions are more what those organizations feel should be the constitutional interpretation, not what actual circumstance is. You certainly can be compelled to say certain things to keep classified information secret, at risk of federal prison or worse, and this is the same law that is being abused for NSLs.


I’ve seen you make this claim several times in this thread, but haven’t provided any evidence. Can you provide a source that says that the federal government can compel false statements as part of national security demands?


I was curious about this as well and did a bit of searching around (I didn't dig that deeply and IANAL) and found this:

https://www.yalelawjournal.org/forum/warrant-canaries-and-di...

Specifically Section IV, subsection C

"Canaries and the First Amendment Status of Compelled Lies"


That sounds like a pretty nightmarish tactic ...

Is there a way where the government could either purposefully disclose classified information (or retroactively classify it) so as to force certain individuals into making particular statements or denials via the threat that if they said otherwise they would be guilty of disclosing classified information ...?


That is not what compel speech means.


Do you have a reference for this? There is apparently case law from the 1970s where SCOTUS ruled that the government cannot compel someone to speak against their wishes.


>> its probably against the law for him to outright lie about the situation in the eyes of the SEC

Didn't some leaked documents show that a 'shadow' judicial status has been created (under post-9/11 hysteria) where, in the interest of national security, firms are allowed and even required to lie about things?


Do you remember what those documents were, or how they might be found online? (being curious, not confrontational)


See the wiki page for the FISA court [0]

I haven’t read anything that says people/companies must lie, but I have read that they cannot divulge information due to gag orders. (See the court case Microsoft vs US Government [1] )

[0] https://en.m.wikipedia.org/wiki/United_States_Foreign_Intell...

[1] https://en.wikipedia.org/wiki/Microsoft_v._United_States_(20...


Thanks for the sources. I've definitely seen/know of the gag order business. It was the suggested extension to that I'm curious about ("firms are allowed and even required to lie about things").


No.


Nope.


I think it's possible to set things up so that leaders of the companies are shielded from the knowledge on purpose. GM notoriously set up their lawsuit handling legal unit to shield knowledge of problems, among other things with the ignition switch [0]. This was a very specifically organized system where they tried to keep the knowledge of agreements on lawsuits from being visible up the chain - it was no accident. So big companies can and will do this when it suits them. I think this was clearly unethical, but I suspect it's common.

0: http://www.abajournal.com/news/article/attorneys_fired_by_gm...


> An NSL compels you to say nothing.

Is that true in this case? My understanding is that NSLs are a subpoena with an accompanying gag order _about the subpoena_. I haven't heard of a case where an NSL was used to restrict speech in the manner you're suggesting. In other words, I believe an NSL could be used to hide government interest in such a breach, but not to hide the fact of the breach.

This is one of the main differences between the US and UK approach to classified information; there's no official secrets act in the US.


It's also possible Bloomberg's sources are lying to them. It's not unwarranted for intelligence agencies to leak things to the press deliberately to create a story.


It seems irresponsible to leak information that could be so damaging to multiple American companies just to prop up a single tech journalist.


I doubt they're trying to prop up a single tech journalist. If I had to speculate on intelligence agency motivations I'd speculate that they're trying to attack SuperMicro.


> An NSL compels you to say nothing. You can neither confirm nor deny anything

Ordinarily, yes. But what if this was double secret NSL?


I'm not sure NSLs are like meat/cheese layers on hamburgers.

What's the NSL equivalent of adding bacon?


Prior restraint, I think.


Also Supermicro is not even a Chinese company. It's based in San Jose and founded by a Taiwanese American...


All of their manufacturing is in China along with everyone else.


Gruber made a good point: They aren't quite doubling down as hard as they could.[1] They said their reporters spoke with a lot of people and spent a long time on the story. They checked the boxes in the journalistic process, so to speak.

But they didn't detail, like, that there was substantial corroboration of specific details like Apple working with the FBI. That leaves open possibilities that it came from just one source or that the reporters mixed up some details. Whereas the company/govt denials are very detailed and clear to rule out any possibility of misinterpretation. Bloomberg's "double down" is nowhere near that level.

[1] https://daringfireball.net/linked/2018/10/19/cook-calls-for-...


Also in the mix is the possibility that Bloomberg's "17 sources" consist of only a few that claim first-hand knowledge, supplemented by a larger circle of people who were briefed about it.

If so, the rest of the 17 are just echoing what the inner group told them, without having done substantial independent verification.


Out of the 17, at least one says that Bloomberg’s article “has no sense.” Apparently Bloomberg first just asked him “what kind of attack were possible”; he explained that to them, and then he read the article that claims that exactly that kind of attack was actually performed. But he claims that for the stated goals that attack would be the least practical:

https://iphone.appleinsider.com/articles/18/10/08/security-r...


My guess is that a lot of the 17 are just adding color or confirming individual parts that don't add up to the whole. For instance, they must have had at least one source who told them about the factory with Chinese-speaking workers that orders Chinese pastries instead of donuts and has separate meetings/announcements for people who don't speak English. Those details help sell the article - and help create an impression that innocuous immigrant workers who enjoy delicious bright yellow pastries are some kind of nefarious fifth column - but do absolutely nothing to establish the central claim. If they had 3 sources on the donuts-and-meetings thing and include those in the 17 that only leaves 14 for the important stuff, and so on. Dial in far enough and I bet there's only one or two dubious sources for the big picture, while everyone else is in their own little information silos not knowing anything but their own part.


After spending the last 10 months day trading, my gut tells me that it's probably the latter case, where Bloomberg is doubling down; their journalistic verification processes would seem to be next to nothing at this point... not only Bloomberg, but many other "news" outlets.

I'm saying this because I've noticed quite a few 'hit' pieces, coming out of these "news" agencies that seem to have no other agenda than affecting the price of publicly traded stock in these companies.

One moment "this or that" is the worst possible thing that could happen to company A, and the next moment, it's just not as bad as everyone would have you believe... it's like they themselves want to push the stock price down so they can buy cheap shares, and then pump the price back up again so they can sell at a profit... strangest news cycles I've ever seen on this stuff... and it happens repeatedly all the time... analyst A at Financial Institution B "downgrades" stock X, and then sometime later comes a complete reversal...


I don't agree with the "journalistic process being hacked" as being the only line there, as it implies some deliberate power play by bad actors which would omit said integrity.

It seems plausible that it's more along the lines of "journalistic process being broken" for this type of article, that all parties might be acting in good faith and that there is some level of misunderstanding.


There's also the possibility of the malicious part being the journalist himself.


Shouldn't part of the journalistic process include making sure one guy isn't going off the rails and making stuff up? I guess that could be part that's broken.


The Clinton administration and CIA tried to deny the China-Boeing technology transfer incident. But others in the CIA were concerned, raised the issue and were later proven right.

I asked people in the CIA about the Bloomberg story and their response seemed to indicate that the story is real.

There’s immense pressure to deny this story for several reasons.


> I asked people in the CIA about the Bloomberg story and their response seemed to indicate that the story is real.

Like the Bloomberg article, your comment is unsourced - or anonymously so, which is only an infinitesimal notch better.

(But I presume you were merely being sarcastic; or trolling.)


There's zero evidence at all, none, not one example of any of these hacked devices, it's all "someone I know seems to think this story could be real" which is propelling this whole BS forward based on stupid rumors and hearsay rather than actual evidence. Let's hold ourselves to a higher standard here.


Man, I asked people in the CIA and they said it was false! I also talked to my people at the NSA and they said they've never heard of you.


China is Apple's most important market. They have a huge motivation to deny it, as it could cost them doing business there.


Ah! Someone gets it.


I think this is the Boeing incident the above comment is talking about.

https://www.wired.com/story/us-china-cybertheft-su-bin/

I wondered why the United States does not care about such state sponsored violations of intellectual property, going as far as to deny the crime.


A hardware hack like this is extremely easy to verify. If it is indeed true, just produce the hard evidence and be done with it. The fact that they have not been able to do so makes the story just unbelievable.


Who are you? Why should anything you say be believed?


Care to talk about your background?


Note that's a new account...I assume the answer to your question is no.


You don't need to resort to spooky forces to imagine why Apple wants to deny an attack on their security. It damages the value of the company, especially in a time when they try to market themselves as security conscious.


If the Bloomberg story is true 30 US companies were targeted by this hack, not just Apple or Amazon. Adding in the government agencies as well that’s a huge number of people who must know about this, at least in the hundreds and possibly over a thousand. In addition there must be thousands of these hacked boards all over the place, including discarded faulty and test units, to be found and checked by experts. There’s no way all of them could have been accounted for. Also if the US was hacked this way, what about other countries? There must be evidence all over the place.

For Apple to believe that they could get away with outright bare-faced lying about this, they would have to be very confident none of those people across dozens of organisations would either break ranks or mistakenly corroborate the story, and none of the copious physical evidence would ever be found.

The question is, do you believe that’s the sort of risk they are likely to take?


What damages the company more is leadership that lies about or covers up hard truths they are ethically and legally obligated to share. That would be more damning than a breach.


and yet PR departments routinely resort to salami tactics or evasion even if they have obviously messed up. This isn't really out of the ordinary, and I think jumping to conclusions about the US government controlling Apple is a bigger leap.


> this is evidence of some sort of mysterious power play.

Why not just 'reporters talked to a bunch of sources and those sources are wrong or were misinterpreted or were given undue weight/credence by the reporters'. It's unusual and the news org processes are supposed to catch this but it's not that hard to imagine them occasionally failing in some mildly improbable way without any kind of 'hacking to an extreme level' or collusion between companies and spooks.


Gruber's theory that someone in the administration wants to turn up the heat on China and is feeding Bloomberg disinformation, while wild, makes the most sense.


You don't even need to go that far. Someone Bloomberg trusted has his own motivations for not being honest. Maybe that individual wanted to stoke fears of China. Or they were having a laugh. I have no way of knowing at this point.


> Either Apple was hacked, they know, and are denying, which is evidence of them being under the thumb of U.S. national security.

You'd think the accusers would be able to produce the chip if that were the case.

> Or, they were hacked and an internal team knows and Cook doesn't, which is evidence of U.S. national security having powerful influence inside of Apple.

More plausible but again - there should be hard evidence of this.


In the Rolling Stone UVA rape story, they initially backed the reporter when doubts began to arise (not full double down) before backing away when the story began to collapse. It's a good example to consider here - earnest journalist, eager source stretching the truth to either make a point or please the journalist.

> The story we published was one woman’s account of a sexual assault at a UVA fraternity in October 2012 – and the subsequent ordeal she experienced at the hands of University administrators in her attempts to work her way through the trauma of that evening. The indifference with which her complaint was met was, we discovered, sadly consistent with the experience of many other UVA women who have tried to report such assaults. Through our extensive reporting and fact–checking, we found Jackie to be entirely credible and courageous and we are proud to have given her disturbing story the attention it deserves.

Three days later they retracted the story.


Late to the thread, but one of the alternate theories I heard was that it's not the US national security asserting influence, but rather the Chinese government as nearly the entire supply chain and manufacturing exists there.


It could simply be classified


That's not how the classification system works.


Nobody here knows how these cases truly work. There's some precedent where you can find gag orders, which make people think that Cook would simply go the "No Comment" route, but to assume those are a blanket procedure for everything is incredibly narrow-minded.

When it comes to National Security, combined with the most valuable company in the US, all assumptions should be off the table. Apple has many reasons to publicly dismiss the claims: their business in China, their marketing as a security-conscious company, etc. They also operate under immense secrecy. Apple has unmarked buildings, top secret projects, a culture of secrecy within the company. They are the type of company that would have innovative approaches when dealing with national security matters.

It would be odd for Tim Cook to knowingly lie about this situation. If definitive proof came out that the chips were bugged and he had knowledge of it, then he could be punished. But, at the same time, if he were able to prove that he lied in the name of National Security, it could be instantly excusable.


This is paranoid nonsense. There is no federal law or precedent which could force a corporate officer to actively lie.


Can you explain more? Why?


Smart money is always on the news media being #fakenews.


Or they have an NSL letter in progress and Cook was forced to ask them for a denial, since we throw so many different scenarios around without evidence.


Interesting tidbit from the linked twitter post:

"Something is wrong. Blanket denials from companies, NCSC and DHS are v. unusual. The only precedent for this is a 2014 Bloomberg article, by the same author, which claimed NSA exploited Heartbleed, and was vigorously knocked down with zero follow up by Bloomberg or correction."

https://twitter.com/nicoleperlroth



I think it's in the best interest of the US not to turn this case into international relations nightmare.

> I mean, this is just intense now. On record statements from four different huge players in this field, clearly and forcefully stating there was no hardware-based backdoor inserted by PLA with regard to Apple and Amazon.

https://twitter.com/hatr/status/1048859348489916417


Long story short, this is really wanting me to obtain the gerbers for the motherboards I use, and verify the parts on the board are the parts listed. This is the basis of open source hardware.

The next step is to obtain firmware for each chip, and compile and load it on all programmable chips. Again, but with open source firmware.

Then moving up, we need an open source OS, which we have.

The last area is having open source silicon... but given that it's $10m minimum for a basic fab, this isn't happening anytime soon. Although, FPGAs could supplant some hardware. Then we'd need the synthesis code for the design.

Long story short, is there a way to make a trustworthy OS if you don't trust the underlying hardware? Is that even possible?


I wonder if you could solve the fab issue with some sort of X-ray based checksum that is reproducible by third parties (maybe universities?)


An X-ray or optical inspection would never be able to detect the doping of the silicon, so it's possible to alter the behavior of the chip in such a way as to allow an attacker to cripple something like Intel's random number generator RdRand, yet have this be basically undetectable in software.


University security would not be adequate for the purposes of attestation for the level of stringency required. Universities are primarily academic environments that specialize in narrowly focused ideas and they hold up poorly to eg nation state level exploitation.

You're building something for the purposes of verification, not manufacturing; it doesn't need to actually build working chips, it just needs to scan them. So you don't need the same level of exacting precision throughout the design+fabrication process. And so it's easier to build in not just 1 "ooh, interesting", you could build in 1,000. I really do think so.

We now have precedent that maybe there's vested interest in hiding stuff. So security requirements would be so high as to make the project unviable because of its domain obscurity.

The above said, very interesting idea. I like it.

It's a very difficult problem domain though.


>Although, FPGAs could supplant some hardware.

But wouldn't you want the FPGAs to be open source, too?


Oh, indeed! What I'm saying is that if hardware was FPGA, we could reprogram with recompiled/resynthesized FPGA code and upload with better-trusted code (think of binary reproducibility).

We still have to deal with 'trusting the compiler (synthesizer)' but with IceStorm, we're a good way there. It's still ugly around the edges, but I think this is one of the better ways forward in creating a fully supported FPGA platform (think of the difference in microprocessor dev before and after GCC's inclusion of Atmels).
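Added example, not code from this thread or from any project it mentions, covering the two checks the comments above ask for: the "verify the parts on the board are the parts listed" step from the gerber/BOM comment, and the binary-reproducibility step from the FPGA/firmware replies. The first function compares a parts listing (BOM or pick-and-place export) against what an inspection actually found and reports unlisted, missing and substituted components; the second compares a shipped firmware or bitstream image against one rebuilt from source and reports where they first diverge. The CSV column names, part labels and image bytes are constructed for the example and assume nothing about any real board.

```python
"""BOM-vs-board diff and rebuilt-image comparison (added example)."""
import csv
import hashlib
import io
from typing import Dict, Optional, Tuple

BomEntry = Tuple[str, str]  # (part number, package)


def load_bom(csv_text: str) -> Dict[str, BomEntry]:
    """Parse a designator,part,package CSV (assumed export format) into
    {designator: (part, package)}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["designator"].strip(): (row["part"].strip(), row["package"].strip())
            for row in reader}


def diff_bom(reference: Dict[str, BomEntry], observed: Dict[str, BomEntry]) -> dict:
    """Report every way the inspected board departs from the listed one."""
    unlisted = sorted(d for d in observed if d not in reference)  # on board, not in BOM
    missing = sorted(d for d in reference if d not in observed)   # in BOM, not on board
    substituted = {d: (reference[d], observed[d])
                   for d in reference if d in observed and reference[d] != observed[d]}
    return {"unlisted": unlisted, "missing": missing, "substituted": substituted}


def compare_images(expected: bytes, rebuilt: bytes) -> dict:
    """Compare a shipped image with one rebuilt from source, byte for byte."""
    diff_positions = [i for i, (a, b) in enumerate(zip(expected, rebuilt)) if a != b]
    length_delta = abs(len(expected) - len(rebuilt))
    first_diff: Optional[int]
    if diff_positions:
        first_diff = diff_positions[0]
    elif length_delta:
        first_diff = min(len(expected), len(rebuilt))  # one image is a prefix of the other
    else:
        first_diff = None
    return {
        "match": first_diff is None,
        "sha256_expected": hashlib.sha256(expected).hexdigest(),
        "sha256_rebuilt": hashlib.sha256(rebuilt).hexdigest(),
        "first_diff": first_diff,
        "differing_bytes": len(diff_positions) + length_delta,
    }


# Constructed sample data: a three-part listing, an inspection that found a
# swapped flash part and an extra unlisted package, and a 23-byte image with
# one byte flipped.
REFERENCE_BOM_CSV = """designator,part,package
U1,BMC-SOC-A,BGA-456
U7,SPI-FLASH-32M,SOIC-8
R12,RES-10K,0402
"""
OBSERVED_BOARD_CSV = """designator,part,package
U1,BMC-SOC-A,BGA-456
U7,SPI-FLASH-64M,SOIC-8
R12,RES-10K,0402
U99,UNIDENTIFIED-6PIN,SOT-23-6
"""
EXPECTED_IMAGE = b"FWHDR\x01\x00" + bytes(range(16))
TAMPERED_IMAGE = EXPECTED_IMAGE[:10] + bytes([EXPECTED_IMAGE[10] ^ 0xFF]) + EXPECTED_IMAGE[11:]

if __name__ == "__main__":
    print(diff_bom(load_bom(REFERENCE_BOM_CSV), load_bom(OBSERVED_BOARD_CSV)))
    print(compare_images(EXPECTED_IMAGE, TAMPERED_IMAGE))
```

Two caveats a practitioner would add: the BOM diff only catches what the inspection step can see (an extra package or a wrong marking), not a die-level change as the doping comment above notes; and an image comparison is only as good as the rebuild being genuinely reproducible, so a mismatch must first be traced to timestamps, paths or toolchain versions before it is read as tampering.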


"vigorously knocked down" is quite disingenuous when there is only one denial from the accused party.


I doubt anyone will see my comment since I am a few hours late. BUT, I want to say, despite what bloomberg AND apple say, here is why I think Bloomberg failed on this report, and didn't do enough to PROVE their claims were accurate.

They made the flat out claim that AWS sold its Chinese infrastructure because of the hack. But this is flat out not true, anyone who actually knows anything about the Chinese government knows that AWS, same as Microsoft, cannot operate out of China. They are required to have a PARTNER to operate in China. I worked for Microsoft during the deployment to China, and we too had to have a partner. We were essentially "leasing" our technology for them to run it.

http://www.miit.gov.cn/n1146295/n1146557/n1146619/c4860613/c...

"According to the China Telecommunication Regulation, providers of cloud services—infrastructure as a service (IaaS) and platform as a service (PaaS)—must have value-added telecom permits. Only locally registered companies with less than 50 percent foreign investment qualify for these permits. To comply with this regulation, the Azure service in China is operated by 21Vianet, based on the technologies licensed from Microsoft.

Microsoft Azure operated by 21Vianet (Azure China 21Vianet) is a physically separated instance of cloud services located in mainland China, independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd. "

So this to me proves that Bloomberg didn't fact-check this story enough, and there are holes in it. Does this mean that China DIDN'T try anything? No, but this leads me to question Bloomberg's sources and their not fact-checking their reports, as there is obvious misinformation in it.

EDIT: I googled AWS China, and this is the FIRST link. https://www.amazonaws.cn/en/about-aws/china/

And at the bottom it covers all the same legality stuff. So again, it's like they didn't even bother to research AWS China for 10 seconds.


> anyone who actually knows anything about the Chinese government knows that AWS, same as Microsoft, cannot operate out of China. They are required to have a PARTNER to operate in China.

IIRC, the Bloomberg article is consistent with this. AWS sold their business interests to that partner.


I don't think you read the article. It says they sold it via a partnership.


Man, I am now 90% convinced that someone intentionally misled Bloomberg. It looks like this may end up being an extremely embarrassing episode for them.


It's all just speculation but this seems like the exact kind of story you would want in order to pass some legislation to prevent foreign manufactured chips being used by USG.


I find that theory very problematic though, because A: it's not terribly necessary B: the government did not particularly jump on this as it would have if this was coordinated propaganda, and let's be honest C: if you want to make that case there's probably 25 equally large, true stories that could be published if the intelligence agencies were willing to burn a few sources or something as they seemed to in this story. It's not as if the espionage status-quo is "nobody's hacking anybody else, because everyone's afraid of the consequences if they do"; what public evidence we have suggests the status quo is more akin to a free-for-all.

Heck, just the HN replies to previous discussion on this story had some comments from people who had jobs for a while detecting espionage on their boards, which were created precisely because some was found prior to that. For instance: https://news.ycombinator.com/item?id=18138699 You could make more hay with that story than a faked-up one. There's no need to lie for propaganda's sake, because the truth would be more than adequate! (The propaganda element would be in the spin and claims about the scale of the problem, not the brute facts, which certainly exist.)

If this ever was government propaganda, they changed their mind before finishing the job and hung Bloomberg out to dry.

At the moment, the best theory that seems to fit all the facts, including the comments from people who were interviewed for the story, is a not-sufficiently-technical reporter very motivated to tell this story (perhaps because of the reward for stories that move the markets?) who compounded confusion upon confusion in a domain they were suffering from Dunning-Kruger until they were able to write that story. And presumably, similar problems in the fact-checking and editorial staff. I'm still not guaranteeing this, but I'm giving it at least 75% at this point.


I like this answer the best but your comment about the government setting up Bloomberg does make me wonder. Bloomberg (the man) may very well be preparing to challenge Trump for the presidency and this could all be the Trump administration playing games.


I'm all for globalism but that's one area where the best strategy is probably to keep production inside the borders. Not that I'd condone misleading the press to create a case for the legislation.


Yes, manufacture the high security chips on one of the many 7nm fabs in the US.

I suppose it also follows that the fab and design should be staffed only as NOFORN? That rules out the lead on the Apple silicon team.

I don’t think you understand how this works. This isn’t a nationalism vs globalism thing.


You're the one that jumped from no foreign production to no "foreign" employees. Of course there's a difference between a factory operating under the supervision of the People's Liberation Army and an immigrant working in a lead role at a company.

My comment is basically a pre-reaction to nationalists who would want to use this situation as an excuse to bring as much manufacturing work home as possible, even if it doesn't make sense (and if this were all a ruse, it would be a good way to get the White House on board.) Granted, it would also be pretty dumb to trust your adversary (from a national defence perspective) to build your weapons for you. Which is what the US is doing to a certain degree. Of course this is about globalism, because it's what led to this situation in the first place. But nationalism, importantly, is not the solution. That's what I hope people take away from this.


Who is the adversary, though? You assume Chinese nationals in the PLA are. Are Chinese nationals in California working for Apple the enemy, too? What about Chinese nationals in China not in the PLA that just work on the line?

My point via the contrived example is that countries are fictions and so is citizenship, and presence in one or "possession" of one is in no way a litmus test for "adversary" or even a reasonable proxy.

“China” isn’t a person, and so “China” can’t be an adversary. (Even if it could, that would be dumb, for reasons explained above.)


It's also "the exact kind of story you would want" in order to:

  - PR a HW verification firm.
  - manipulate a stock
  - and many more


The reason I'm wildly speculating in this particular direction is that Bloomberg is claiming lots of unspecified high level government employees are their source.


And potentially a group of people. Maybe I am giving Bloomberg too much credit at this point, but their article cites a number of sources -- albeit anonymous ones -- and I think it could very well be a coordinated effort from a group of interested parties.


See what one of the sources says:

https://risky.biz/RB517_feature/

He showed the “emails he sent to Bloomberg, prior to the story’s publication, that said the hardware back-dooring the article described “didn’t make sense”.”

Another text about that source:

https://iphone.appleinsider.com/articles/18/10/08/security-r...


They have become a disappointment for me. A lot of misleading articles, paid promotional content, and so on. Now this one... I have blocked them completely from my social media and news sources.


Oh, so you know what the truth is in this case? Good for you! /s


Bloomberg listed a lot of entities in that article and every single one that wasn't anonymous has all but called Bloomberg outright frauds over it. They have all sorts of anonymous sources telling them anything and everything about this supposed plot yet none of them provided any shred of evidence to back up their claims.

Where's the smoking gun here? Why don't we have die shots of this thing? Why hasn't anyone on this very forum seen the C&C traffic from it phoning home to see if it was a target? Nothing about their explanation even seems remotely plausible. Why on earth would the attacker ever do something as obvious and annoying to deal with as what they supposedly did with altering the layout of the board and adding components instead of just backdooring the BMC? Are we supposed to believe that they were simultaneously competent enough to pull off Bloomberg's fairytale but too incompetent to have an altered BMC load backdoored firmware internally instead of off of an EEPROM chip on the board?

I'm not saying that we should rush to conclusions but Bloomberg has provided absolutely no sources with any shred of credibility. There's nothing to substantiate anything so why should the default stance be anything other than to consider that article a piece of cyberpunk fanfiction?


Enough people have access to Supermicro boards that this should have been found by now. Adding a part seems unnecessary just to add a back door. Intel CPU chips already have built-in back doors; you just have to enable them.


Exactly, why can't any of their sources just swipe one of the unpopulated PCBs? Even just having a physical circuit board with 6 extra pads added onto it would at least give a hint of truth to their claims.


What do you expect Bloomberg to do? Give up their sources? I'm sure they will have no trouble getting new stories if they did that, right? Given the size of the story and their commitment to it I would bet they were duped. There are many who would like to see them lose credibility, who would like to further escalate the trade war with China, or who simply shorted some stocks... Or all of the above. But that's a bet, not an opinion. I do however have a problem with someone taking sides so eagerly, without admitting that they don't have a clue. Or if they do, please enlighten us. I'm sure their sources are better than Bloomberg's.


Here's what I expect them to do. Show me a real picture of the chip. Show me some samples of the malicious traffic. Show me some code that they found, tell us which server models they found the affected hardware in. Somebody should have SOME shred of information on this, but there is none. You don't just sell thousands of servers, and not have a few of them that end up getting shipped to someone else, or have a few that end up in someone's test lab, or home lab.

Somebody should be able to produce SOMETHING without giving up their sources. Why can't they produce any of this?


Because it's easier to share words than steal hardware that may be classified due to its security implications.

Which is easier? Telling me what you saw in someone else's safe, or giving me its contents?


If this story is as real as Bloomberg wants us to think, there are too many tampered motherboards in circulation for them to have all been vacuumed up by someone with a clearance.

A random technician in a datacenter is under no obligation not to leak one unless he holds (or held) a clearance and has agreed to the terms of it.

Example - back when internet worms like SQL Slammer were a thing, classification was a huge point of contention among gov security. At least in some agencies, because they were due to a vulnerability in a gov system, the IT/security staff were unable to discuss it with outside, uncleared people, because the vulnerability aspect made it classified. At the same time, knowledge of said worms and backdoors was public all over the news, and no reporters ever went to jail for discussing it.

This isn't so different - it only takes one person without a clearance to dig up one of these chips and publish pictures, and they can do so legally. The fact that it hasn't happened tells me this isn't a widespread problem.


Probably sharing a pic of the contents would suffice.


I do not and I never stated I do. What I am saying is that I already had many reasons to stop trusting them and now they have another dubious article out there. I don't have the time nor the patience to investigate each of their articles and it's not like they are the only source of news out there. I've had enough with them already and that's the whole point of my comment.


Could it be foreign propaganda?


I would be surprised if Bloomberg fell for foreign propaganda. I don't think they'd write an article like this without American sources within, or related to, the companies involved.

It's possible there was a game of telephone or something else where the sources Bloomberg spoke with somehow ended up believing foreign propaganda, but I'm a bit skeptical of that.


embarrassing, or will they just ignore it and never publish a retraction? I have the feeling they'll just ignore it. Like they have with all of the other totally false Apple stories.

Bloomberg is unreliable when it comes to Apple.


If someone misled them, Tim Cook should be aware of it considering they claim to have multiple sources at Apple. It would have to be a pretty big conspiracy for those sources alone to be tied to some outside attempt at disinformation.

Either that or Bloomberg is lying.


Bloomberg?

Sounds more like Bloomberg was the messenger and is being silenced.


If Bloomberg was "being silenced," we...all wouldn't be talking about this.

I'm aware how pedantic this may come across, but words matter, and in cases like this it seems dreadfully important not to fuel or even create conspiracy theories through carelessly (or perhaps carefully) chosen phrasing.

It's possible that Bloomberg got everything right, and that the vigorous denials from the cited companies and the objections from their own named sources and the actual denials (rather than "non-denial denials") from government agencies and the continued lack of corroboration from any other independent investigative or journalistic organizations is all part of a massive coordinated conspiracy to discredit this reporting, which this same international cross-government/corporate cabal somehow couldn't just stop from getting out. But is it likely? Really?


Not silenced, but discredited. A preemptive strike against future exposés.


It’s fascinating to see this story unfold. On one end you have Bloomberg doubling down on their claims, and here you have Apple making a move that shows their confidence in their claims.

For a while I was buying the subpoena theory, but this action clearly doesn’t fall under that, and they would be setting themselves up for serious liability / damage claims if it were true.

Either there is some gross miscommunication going on inside Apple and Tim Cook is not properly informed - which is very unlikely at this point - or there might be less truth to Bloomberg’s story.

The frustrating thing is, we’ll probably never know the answer.


Given the hack involves hardware I'm quite inclined to believe Apple and all the strong denials.


I concur. If it really is a chip being inserted on a board, then that's hard evidence that can be verified by cracking open the hardware and looking for said chip.


And Apple -- being, in part, a hardware company -- has extensive tools and expertise at their disposal to investigate any hardware abnormality. If they've concluded that everything is normal, I'm inclined to believe them.


Cook is claiming everything is normal, but that doesn't necessarily mean that's what Apple actually knows and believes.

It is also possible that they have investigated, did find tampering, and are still publicly denying it.


Cook has made this claim in a way that exposes the company, and probably himself, to a lot of legal grief if it later becomes evident that he's not being truthful.

What does Bloomberg have at stake, in comparison? Nothing, apparently, since they don't seem to value their reputation enough to back up their reporting with evidence.


I believe the Bloomberg story because of their report that the malicious chip was originally found on hardware owned by Elemental, which at the time was a small startup company that had government clients.

The hardware was found when Elemental was acquired by AWS and they did a more thorough hardware security review. Elemental would have been a good target because of their government clients but was/is not large enough to be noteworthy otherwise. This is where I trust the Bloomberg story. Saying, "Amazon, FB, Apple got hacked" is one thing. Including a then-200 person startup company in the mix is another. To me it serves as evidence that the hack was real.


There is no reason to believe that Tim Cook or any executive would be aware of anything.

In large companies with a hundred thousand employees and contractors, barely anyone is aware of anything.

Ask a thousand people about project something and they will assert in good faith that they have never heard of it. It doesn't mean that it doesn't exist, just that you didn't find the handful of people who know about it.


>There is no reason to believe that Tim Cook or any executive would be aware of anything.

The minute this story hit publication you can bet internal security teams at Apple would have validated it and submitted findings to Tim Cook. At this point Tim Cook, along with his legal team, has all the facts as they pertain to Apple and Apple suppliers and every component inside Apple devices. You don't come out with a strong denial like that unless you are sure you can back it up.


Unless there are moles on both sides inside of Apple, and the PRC-malicious-chip-installation moles managed to destroy evidence and silence witnesses. That sounds vaguely fantastic, but "PRC installing malicious chips on server motherboards and Anonymous Sources discovering those chips and leaking news to Bloomberg" is already well into spy vs. spy territory.


Bloomberg said that Apple changed supplier over the rogue chip. To hide this the mole to non-mole ratio inside Apple would have to be very high. Unbelievably high.


Yeah, that is typically the case, sure. But you are comparing business-as-usual operations to an incident investigation. Sure, Tim Cook likely knew nothing or very little about the organization's business dealings with Super Micro before the story broke, but not now. If this story is true, the implications for Apple are huge. It makes them look inept and creates a large problem that must be solved. Tim Cook would be very aware of any potential problem at this point.


This. Apple is a large enough, and competent enough, organization to investigate this internally.

Some will say "but the people involved have a gag order, and nobody investigating, including Tim Cook or legal, knows". This doesn't make any sense.

People without a clearance are not obligated to keep it a secret, and can investigate for themselves. So either everyone competent to investigate this has a clearance and/or is gagged (i.e., many thousands of people), and if that were the case it'd almost certainly make it to Tim Cook's radar.

Or not that many people are gagged, and Apple has thousands of engineers that could be looking into this, and they found nothing. I find that much more plausible.


Or the hack is so bad that Apple has no idea what was compromised...


Let's drift into some wild speculation here.

Suppose this was a malicious attack, and PRC intelligence within SuperMicro and perhaps even Apple are responsible for these machines getting shipped and installed by Apple. Let's further suppose that the plot was uncovered by US counterintelligence.

Why the heck would US counterintelligence operate inside of Apple, discover security vulnerabilities that affect Apple in particular, hide this discovery from Apple's senior management, and then go on to leak it to Bloomberg while continuing to cover it up on the inside of Apple?

There is a reasonable-ish explanation for this. US counterintelligence usually falls under the purview of the FBI, and the FBI has had a couple public spats with Tim Cook over the years. Given Apple's commitment to user privacy, it's reasonable to presume that Tim Cook would not knowingly allow the FBI to infiltrate Apple. It's also reasonable to assume that, given any number of motives both virtuous and vicious, the FBI would have a vested interest in infiltrating Apple. In this scenario, notifying Apple management about these issues would risk revealing sources and methods.

At this point, the only remaining question is: why wouldn't the moles just quietly inform Apple management about the issue? Clearly, Apple personnel who are in the business of receiving and installing server hardware would have a defensible cover for poking around and raising questions about weird chips that mysteriously appeared on the hardware. There are possible explanations for this, but at that point we're just compounding conspiracy theories on conspiracy theories.


>>> Apple personnel who are in the business of receiving and installing server hardware...

Contractors who worked in some datacenters 5 years ago and have long left?


I'm flabbergasted that you are being downvoted. I have the same opinion as you, but to the point where I think it's almost fact... executives at a company that size (# of employees) don't know anything.

It's up to Bloomberg to prove their hypothesis is true, but I don't see how Apple can say it's without a doubt untrue.


You mean, there haven't been a few weeks for someone, ANYONE at Apple to say "hey, Tim, you know, about that hack..."


I bet there aren't many people who have access to Tim. And not many people who have access to people who have access to Tim, and so on.


>Tim Cook is not properly informed - which is very unlikely at this point

Humor me, why is this unlikely? Why is it not possible that (whatever three letter agency) grabbed a few engineers, told them to do X without talking to anyone else, at the risk of them and their families getting disappeared to a black site?

Besides, in security controlled jobs it's perfectly normal to not be allowed to disclose what you're working on even to your direct superior. This idea that Tim Cook / Apple PR must know everything that's going on at Apple is kinda ridiculous.


Well, who scrubbed the emails? Who scrubbed the data center record? And the financial records and shipping records? Who hid the motherboards?

It’s going to take more than a couple engineers to cover this up completely.

Also, if the consequence for talking about this is being disappeared, why weren’t the Bloomberg reporters disappeared some time during the year they were working on the story?

And why exactly would a three letter agency do this to protect Apple?

It just doesn’t make any sense.


They're not doing it to protect Apple, they're doing it to protect their sources and methods within Apple. Tim Cook isn't a huge friend of the FBI (http://time.com/4262480/tim-cook-apple-fbi-2/) so if the FBI has a counterintelligence op embedded within Apple, they're going to want to hide it from Cook.


I think the idea that he has to know everything going on ahead of time or when it happens is certainly infeasible.

But while I'm not promoting some kind of executive supremacy, I don't feel it's a big stretch that the CEO can get properly informed of specific goings on of the company if the issue really lands on her or his plate. Even if there's some hole, having zero evidence that something weird may have happened on several thousand servers seems odder than anything.


That they must know everything is ridiculous, that they must be able to find out anything less so.

If the CEO can't find out (almost - thinking medical stuff) anything by asking, then that company has a problem, as do its shareholders.


> Why is it not possible that (whatever three letter agency) grabbed a few engineers, told them to do X without talking to anyone else...

Even if that were possible it wouldn't account for all the discrepancies here. Bloomberg claimed that Apple worked with the FBI on an investigation and returned thousands of servers. Apple has strongly denied that which casts doubt on the rest of it as well.


> This idea that Tim Cook / Apple PR must know everything that's going on at Apple is kinda ridiculous.

He doesn't have to know everything, but he sure as hell would know "a foreign government is implanting spy chips into the hardware that is being sold to us".


A foreign spy agency isn't going to walk around with a sign saying, hey we planted this. The spy's sole purpose is to make sure Tim doesn't know about it.


So this spy doesn’t want Tim to know about it, but does want Bloomberg to know about it?


Because Cook would have known about the results of the security audits that were performed.


Accounting has audits too and there is still accounting fraud, mis-statements, theft.

We're commenting on Hacker News and we're believing that Tim is all knowing because of a security audit... against some malicious actor with the resources of a foreign state??


The flaw in your logic doesn't lie in your assertion, but the opposite:

If it's indeed possible for some powerful forces to coerce some engineers into accomplishing certain goals, how possible is it for the same said forces to coerce some other people into accomplishing some other goals?

https://en.wikipedia.org/wiki/Disinformation


In the past, Apple has lied about a severe security incident involving Super Micro hardware.

In 2016 Super Micro's Senior Vice President of Technology himself said Apple found "infected firmware." It was so bad that Apple "discontinued future business [with Super Micro] as a result of a compromised internal development environment". Strangely, Apple at the time was denying the whole thing: https://appleinsider.com/articles/17/02/23/server-firmware-s... But today, 2 years later, in a statement denying the current spy chip saga, Apple now appears to acknowledge this 2016 security incident, while minimizing it: they say it was "an infected driver on a single Super Micro server in one of our labs" (https://www.apple.com/newsroom/2018/10/what-businessweek-got...)

Why would Apple deny, then 2 years later confirm, this security incident?

As usual, the truth is probably somewhere in the middle. It is very possible the anonymous sources at Apple who support the spy chip story are not technical persons and are confusing this 2016 incident with the spy chip incident (in fact it's what Apple theorizes in their statement.) It is very possible the spy chip does exist and was found at some companies, just not at Apple.

I also find it very interesting that the FBI, the one organization allegedly at the center of this saga investigating the spy chip, has remained completely silent, neither confirming nor denying the story.


In the past, these Bloomberg reporters have misreported on NSA exploiting Heartbleed. Here is the Washington Post giving them shit about it:[1]

As for the 2016 incident, read Apple's denial more closely. They denied finding infected firmware on servers purchased from SuperMicro. What happened is someone in the design lab (not in production) downloaded infected firmware from SM's support site, where it was "still hosted".[2] While you might say Apple could have been clearer at the time, that is nothing like the very strong, clear, detailed denials at hand here.

[1] https://www.washingtonpost.com/blogs/erik-wemple/wp/2014/04/...

[2] https://arstechnica.com/information-technology/2017/02/apple...


> Bloomberg reporters have misreported on NSA exploiting Heartbleed

Bad source given. The WP relies on NSA officials denying they used Heartbleed. You believe that?


Half the people's reactions here rely on them believing the US Security Apparatus and large corporations are... honest.

God, people.


Isn't Bloomberg a large corporation itself?


I give their journalism arm a bit more credence than Apple's PR arm, let's put it that way.


Not even infected firmware, an infected Windows driver package. Which, although embarrassing for Supermicro, is a lot less sophisticated or unusual an attack than anything being claimed.


> someone in the design lab (not in production) downloaded infected firmware from SM's support site

Other than the claim that the infected firmware is "still hosted there" (which beggars belief) that sounds more like an engineer was spearphished and fooled into downloading firmware from what he believed to be the SM support site.


FYI "still" meant as of the time of the follow-up reporting in 2016, not today. I think it's believable that SuperMicro's support site got hacked. But I agree that was an incident on par with a sole developer installing malware on their system, not a supply chain compromise or major security incident with production systems.


Isn't hacking the support site a supply chain compromise?

Much discussion about software supply chain attacks was around the role of NPM as a vector, which can be thought of as a source of "drivers" that make various products and services work, similar to the role that a support site for a physical manufacturer plays.


I meant the supply chain for their data center. But I won't split hairs... yes, support site compromise is a supplier problem and probably a factor in Apple shifting away. But clearly Apple had more protections in place for their production systems than what some dev installed in the design lab. So I think Apple's denial is fair.


This is why public statements need a high level of detail to set the record straight.


Still waiting for WashPost to disclose their owner's deals with the CIA whenever it publishes a post about the CIA...


There’s also that one time they published 16 anti-Sanders articles in 16 hours, probably because his ideas would reduce Amazon’s profits. [0]

[0] https://www.democracynow.org/2016/3/11/headlines/washington_...


A news website publishes many articles about hot topics. Is 16 a lot or a little? Is that more or less than pro-Sanders or anti/pro-Clinton articles? DemocracyNow had nothing to say about that.

Even though a complaint whose only evidence is one hand-assembled image shouldn't be taken seriously as an evidence-backed analysis, here goes:

WaPo's response to that cherry-picking accusation (which included some strange cherries, like "Sanders stands up to Clinton's interruptions" being called a negative story): https://www.washingtonpost.com/news/the-fix/wp/2016/03/08/ha...

and the complaints ignored pro-Sanders and anti-Clinton articles from those same days. https://www.google.com/search?q=site:washingtonpost.com+clin...


Thank you for the extra context. The reality is much less harsh than the article would have me believe.


Why would you type just part of the quote from Apple?

"Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."

And the AppleInsider article was updated to reflect the information that Apple provided in its press release. So there's no there there.


> I also find it very interesting that the FBI, the one organization at the center of this saga who is allegedly investigating the spy chip, has remained completely silent, neither confirming nor denying the story.

The FBI has a policy of never publicly commenting on ongoing investigations. You might remember certain exceptions to that policy causing an uproar about two years ago.


If you read the The Information article[1], an Apple spokesperson says that Apple was “not aware of...infected firmware found on the servers purchased from this vendor”, but they’re not really denying that there was some kind of incident.

1: https://www.theinformation.com/articles/apple-severed-ties-w...


I would expect that if it's fabricated, Bloomberg will have to face a slew of defamation suits from the named companies.

If it's real, the absence of those suits may tell us something too...


One element of such a case would be showing that the claims are untrue. Discovery on that question would dig deep into all sorts of areas that no one besides Bloomberg would want dug into.


> no one besides Bloomberg would want dug into

Well no one at those companies maybe, but I sure would. Transparency is the only way truth will be known here, and that's against the nature of secret sources and against the nature of Apple in general. If only there were an independent arbiter we could trust that could view both sides in confidence and provide an independent ruling, but there's too much statecraft involved for that to happen.


> I would expect that if it's fabricated, Bloomberg will have to face a slew of defamation suits from the named companies.

I'm not sure defamation is the right word here—"X was attacked by a foreign government" isn't defamation.


It could be. Particularly of the foreign government, but also of the supposed target especially if security of the kind that was claimed to be compromised is key to their business reputation.


Just think of the repercussions if that was proven to be true. Any company could sue any reporter for reporting that they had an exploit, true or not.


Well, yes, you can sue for anything. The barrier here isn't that publishing that a firm is subject to an exploit is specially categorically immune from defamation liability, but the regular standards for defamation, which in the US include falsity, a certain measure of responsibility for the falsity (which varies based on whether a public figure or a matter of public interest is involved), and actually damaging publication.


> It could be.

That's not going to win huge legal battles.


What they denied was that the servers were used in production. They also said they didn't find the firmware on the server as shipped from Supermicro; it was downloaded from their website [1].

>Update: A source familiar with the case at Apple told Ars that the compromised firmware affected servers in Apple's design lab, and not active Siri servers. The firmware, according to the source, was downloaded directly from Supermicro's support site—and that firmware is still hosted there.

Apple issued the following official comment:

Apple is deeply committed to protecting the privacy and security of our customers and the data we store. We are constantly monitoring for any attacks on our systems, working closely with vendors and regularly checking equipment for malware. We’re not aware of any data being transmitted to an unauthorized party nor was any infected firmware found on the servers purchased from this vendor.

>I also find it very interesting that the FBI, the one organization at the center of this saga who is allegedly investigating the spy chip, has remained completely silent, neither confirming nor denying the story.

That's not true. Christopher Wray, in a congressional hearing, said "be careful what you read" in a response to a question about the story [2].

[1] https://arstechnica.com/information-technology/2017/02/apple...

[2] https://www.cnbc.com/2018/10/10/fbi-director-wray-on-super-m...


«Christopher Wray, in a congressional hearing, said "be careful what you read"»

Like philwelch mentioned, the FBI has a policy of never publicly commenting on ongoing investigations. Wray's statement—extremely vague and neither confirming nor denying the story—thus implies there is an ongoing investigation... Hmm.


It really doesn't and for exactly this reason. If you never comment on ongoing investigations, you also can't ever deny a non-existent investigation, or a lack of denial is confirmation.


That is neither a confirmation nor a denial, although it is obnoxious. Who is this guy, Chairman of the Fed? A simple "I can't comment on ongoing investigations" would have sufficed. Instead, he's warning Congress about their reading habits? It sounds like something JEH would have said...


Christopher Wray is the Director of the FBI


Yes we know. Hence the reference to JEH...


I really have little doubt that the Chinese are integrating their spy chips into computer hardware going to the big four or even the Pentagon. It's probably how they stole the designs to the F-35 [you know, that plane that costs over a trillion dollars to develop]. It would be catastrophic if Apple knew or even acknowledged the possibility of the Chinese having a backdoor into their servers, and would result in a massive shift in policy [+profit].

The NSA has been known to intercept electronics in shipping and put in their own specialized PCB replacements with microphones, cameras, etc., which are _very_ hard to detect. Hell, the Russians even went back to typewriters for security purposes[0]. It would be foolish to think that the Chinese/Russians aren't doing the same thing to us.

[0]: https://www.telegraph.co.uk/news/worldnews/europe/russia/101...


> you know that plane that costs over a trillion dollars to develop

From my understanding, it's the joint cost of the program over its projected lifetime over the next 50+ years. Not the cost of getting it up in the air.


I find it extremely hard to believe that China is inserting magic backdoor chips into all of our computer hardware. What's much more likely is that they were able to bribe or threaten some engineers into giving information away. That's been a common tactic since spying became a thing.


Doesn't even have to be an engineer. You gather intelligence wherever you can. The Chinese are at least as smart as I am, and for me, the guy who runs the xerox machine or cleans the office will do nicely, thank you very much. I don't need some high powered engineer. So I'm almost positive they don't either.

It seems like putting magical chips into computers is one of the most difficult methods of acquiring what at the root would be the same intelligence.


This[0] is a backdoor that was discovered _only_ through reading patents on the chip. It gave the highest possible privilege (ring -4) to the user by simply running an undocumented CPU register. It would be incredibly easy to hide something like this within one of the hundreds of thousands of computers that go to the big 4 or even the Pentagon.

I'd imagine people at the Pentagon select randomly from a number of computers coming in and do some chip analysis like this[1], but I can only speculate, and they probably can't stop all the hardware backdoors this way.

Anybody that would be caught disclosing highly classified information would probably be found and promptly hanged (or get in some sort of freak car accident). They probably have some serious counterintelligence to catch the leaks. Once again, I am only speculating.

[0]: https://www.youtube.com/watch?v=_eSAF_qT_FY

[1]: https://www.youtube.com/watch?v=0Z4aF-qiziM


The existence of the Via C3 "backdoor" was actually documented in the official datasheet, along with the correct MSR bit to enable/disable it. See page A-10 in appendix A: http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemia... Apparently the researchers either couldn't find a copy or didn't notice that part.


Do you think it’s really that hard to phish a defense contractor or hack them? Huge threat surface: mediocre OPSEC, lots of layers not involved but with access, and really bad SharePoint discipline. If I had to guess, most of their “cyber” is being sold, not used internally.

Why would you burn a hardware hack like that for plans?


And Bloomberg is standing by the story.

All of the people who think that Apple is being misled or coerced by the government into denying factual reports, I want to know how that belief is squared with the _lack_ of a retraction. If the government is powerful enough to get Apple to go to these lengths in defense of a falsehood, why can't they convince Bloomberg to retract?


At this point I don't think Apple is lying or the Bloomberg story is accurate, but I do think that some hypothetical coercion of Apple would be much much much less problematic than the government literally forcing a press organization to publish false information.


Perhaps the answer is that Bloomberg were misled, either by intentional state agents* or by a reporter who recklessly misunderstood and/or cherry-picked sources?

* not necessarily from the US.


Because "free press", "they are attacking the press", yadda yadda yadda.


I don't see any reason why the Trump administration and the intelligence community would ever want Apple to deny the reports. On the contrary, I think they would love it if Apple/Amazon came out and said that they were hacked so it can give further justification to the trade war and further paint China as a sinister threat to US security.


I think Bloomberg was probably irresponsible to publish the Chinese spy chip story, whether it was true or false! Here's why:

* If the story is false, it's irresponsible because it causes severe monetary and reputational damage to companies that do not deserve it (e.g. Supermicro's stock is still down ~ 40%).

* If the story is true, it's a MAJOR breach of classified information from US intelligence operations; operations which I assume (without evidence to the contrary) are operating in good faith -- in the interest of the US and its citizens. Breaching classified information of such ongoing investigations to trace supply chains of spy chips could very well compromise those investigations (which would be irresponsible to risk).

So either way, it's irresponsible IMO.

P.S. IMO you cannot justify leaking this kind of info by comparing to Snowden, for example, because Snowden was a whistle-blower revealing information about operations that compromised citizens' rights, which even Congress was lied to about.


> If the story is true, it's a MAJOR breach of classified information from US intelligence operations; operations which I assume (without evidence to the contrary) are operating in good faith -- in the interest of the US and its citizens. Breaching classified information of such ongoing investigations to trace supply chains of spy chips could very well compromise those investigations (which would be irresponsible to risk).

Meh. I'm a former SIGINT guy and I think that democracy is well-served by investigative journalists (who are not cleared and have no ethical obligation to protect classified information) trying to dig up the classified details of sources and methods that are ultimately being employed in the taxpaying citizens' name.

Clearly there are going to be times when the intel community is going to have sharp differences of opinion about what the public needs to know, e.g. with the Snowden-related disclosures or whatever else. The point is that continued journalistic attempts to divulge the details of classified programs constitute an effective check on the potential excesses of these programs and have the additional salutary effect of making people in the intel community more OPSEC-conscious.


I'm definitely with you when we're talking about journalists acting as a check-and-balance against information or operations that are ultimately harming or betraying the public.

It's just that I've just seen no such evidence that there's any Snowden-style 'betrayals of the public' happening in this particular instance. Maybe I'm wrong, and maybe I'm overly trusting, but I like to default to innocence until evidence of guilt is on the table.


Hold on. If a reporter uncovers hostile, state-sponsored corporate espionage in extant US hardware, it's "shockingly irresponsible" to report that? The putative fact that our supply chain is so totally compromised is immediately relevant to everyone. I'm sorry-not-sorry if that's inconvenient for the FBI and Tim Cook.

In a context where the geopolitical and commercial forces would all strongly prefer that such things never come to light, I'm on the side of more sunlight, not less.


It's not that the information is irrelevant, it's that knee-jerk responses to leaked information may be worse than coordinated and planned responses to national security threats.

Shining a light on this too early (assuming this wasn't an intentional "leak") could be akin to applying antibiotics to an infection prior to actually knowing what exactly the infection consists of, and discontinuing the treatment too soon (we all know how short the attention span of our news cycles is).

It doesn't seem unreasonable to analogize fighting spy networks to fighting an evasive infection: If you attack the infection with a half-baked or inconsistent treatment, you risk just breeding stronger infections that are even better at evading you.

Maybe I trust the US intelligence agencies too much, but it seems likely that they know what they're doing here. And so far, I've seen no evidence contrary to my default assumption that they're operating in best faith for the interests of the US and its citizens in this case.


Agreed. There are times when it is ethical for a news organization to either delay or scrap publishing a story with national security implications ... but the standard for that should be very high. This doesn't feel like it is one of those. If the facts as reported are true then it is newsworthy and should be reported. If the facts as reported are not true, then it is a colossal screw-up on the part of the paper as this will cause billions in monetary and reputational damage to all parties concerned.


> If the story is true, it's a MAJOR breach of classified information from US intelligence operations; operations which I assume (without evidence to the contrary) are operating in good faith -- in the interest of the US and its citizens. Breaching classified information of such ongoing investigations to trace supply chains of spy chips could very well compromise those investigations (which would be irresponsible to risk).

Unless those counterintelligence operations were, by intention and policy, the original source of the story in the first place. I could easily imagine an FBI agent essentially telling Bloomberg, "Hey, we discovered this security vulnerability, but the only sustainable solution is to convince the tech industry to move hardware manufacturing out of PRC control--we'll feed you the story but don't say it came from us."


That's a really great point! That's a good third option I didn't really properly consider: Perhaps this is the intended means of propagating this information into actions across the industry, in which case Bloomberg definitely did nothing wrong here.


IMO the only intelligence info the press should really try to protect is foreign sources and methods. People could die--either sources directly, if they are exposed, or victims of future attacks that could have been prevented if the source/method had not been burned.

But intelligence info it absolutely makes sense for the press to cover, is evidence of foreign intelligence activities that were domestically discovered.

In this case, the "source" of the discovery would presumably be some employee of Apple or Amazon, and their "method" of discovery would be inspecting their own systems. While I can understand why the govt might want to keep that classified, I think it's well within the realm of what citizens would like to know, without obvious and direct risk to lives.


You have no idea what journalism represents if you think a report on something like that should be qualified as "irresponsible."

Daniel Ellsberg leaked such "major classified information" (the Pentagon Papers) about the Vietnam war, which ended up stopping the war in Vietnam (mind you, for the better...).

If the NSA has been using China's own spy chip against US citizens, it's the journalists' responsibility to report that to the public.


> may take a huge stock market and reputation hit

I think you can use the past tense here.


Fixed!


It's not irresponsible at all if the story is true. Bloomberg has no responsibility to Supermicro's stock (or anyone else's). They also aren't responsible for protecting classified information.

But the story probably isn't true.


I'm not trying to argue that Bloomberg did anything illegal, so let's stay away from that red herring. I'm talking about whether their action was morally right; granted, morality and civic duty are a much more ambiguous topic, and I'm open to the possibility that my position is incorrect here.

To make an analogy: What if a newspaper was given sensitive personal information about someone that was legal to publish, but could have damaging effects to that person and the population as a whole if published too soon? Do newspapers have a civic responsibility to hold off on publishing information that would only be damaging to everyone (at least until it's safe to do so)?


Private people can have secrets, the government shouldn't.

I don't think they did anything immoral by publishing (unless they believed what they wrote to be false).


> Private people can have secrets, the government shouldn't.

That's a rather extreme claim, isn't it?

Are you saying that governments should widely publish all defense research? Are you saying governments should widely publish and distribute military plans before putting them into action? Are you saying governments should publish the locations of all defensive and offensive weaponry, as well as constant position updates of all military submarines?

That kind of openness would be suicidal. I agree that governments should encourage transparency, but not when that transparency would endanger lives etc.


It's not immoral if what's being reported is in the public interest. It's questionable when it's something like "Brad and Angelina are breaking up", but obviously not illegal.


Why isn't the story true?

It's the involvement of Elemental (now AWS Elemental) that really sticks out to me. Back in 2015 they were a 200 person startup with government clients. Perfect target for an attack. How else do you explain Elemental's involvement? If they weren't hacked, they would be too small of a company to even be worth mentioning. Bloomberg wouldn't have bothered.


Let's just say the Bloomberg reporting is accurate for the sake of discussion. They claimed it wasn't ONLY Apple, but also the NSA, CIA, military and other critical defense/intelligence systems used some of these boards. Do we think those "entities" wouldn't do whatever they had to do in order to keep that secret, legal or not, to preserve national security? What would the public response be if everyone knew our major national security systems were breached? I think it would cause a panic immensely larger than if we knew Apple was breached.

I do agree with others that Apple has a hell of a lot to lose if this story proves to be true, but I think that's really more of a footnote compared to what will happen if the article proves to be true in its entirety. The data Apple has is nowhere near as critical as the data the NSA/CIA/MIC have.


“Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”


OTOH, Joe Fitzpatrick, one of the few named sources, is very very doubtful of the veracity of the story.

Blog interview with Joe Fitzpatrick: https://risky.biz/RB517_feature/

https://appleinsider.com/articles/18/10/08/security-research...


That's a credible perspective, but let's not be vague: Fitzpatrick wasn't a primary source; he is an expert on hardware implants who was consulted by the reporter prior to the original publication.


Fitzpatrick wasn't a primary source, but somehow his theories on how an implant could theoretically be implemented appeared in the Bloomberg story, as details of how it was actually implemented. This seems really fishy.


Reading between the lines, Fitzpatrick's claim is that other primary sources could be fictitious, and the writer fabricated them based on interviews with him.


Shades of Operation Mockingbird (1953), and "The CIA and the Media". http://www.carlbernstein.com/magazine_cia_and_media.php

Of course, whether the story is true or not matters, but at least as important is who Bloomberg's source is - as that goes to motive for releasing this information (true or false). And it isn't just Bloomberg who will be asking these kinds of questions.


Well, Bush did say this ended in 1976 [1] "In February 1976, George H. W. Bush, the recently appointed Director of the CIA, announced a new policy: 'Effective immediately, the CIA will not enter into any paid or contract relationship with any full-time or part-time news correspondent accredited by any U.S. news service, newspaper, periodical, radio or television network or station.'{13} He added that the CIA would continue to 'welcome' the voluntary, unpaid cooperation of journalists."

So there you go. Proof positive.

+1 on Mockingbird btw, I was reading the comments before I posted it myself.

[1] https://ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1m...


+1 for the Bernstein ref. Had it in mind, but couldn't remember the deets.


Really interesting twist in a crazy story that's gotten this far. I'm interested in seeing how this all plays out, Bloomberg's reaction, etc.

At this point I don't know what to think, so I'm waiting for the consensus.


So interesting.

With a year of reporting on this story Bloomberg has a LOT of unpublished info. If they are correct they should have a ton of information to back up the claims in their story, including plenty of stuff to put the lie to some/many of the specific denials Apple has made.

Maybe they are waiting, to let Apple hang itself with strong, detailed, public proclamations. Then, bam! They publish all their proof, blowing up Apple's denials, forcing Cook and many others to resign, etc.

Or... they've actually got nothing. In that case they won't be able to refute Apple. Either they slink away, hoping everyone forgets, or issue a massively embarrassing retraction.

I'm fascinated to see what happens. I think we'll know in the next few weeks or months at the most.


They might have nothing, but even so, celebrate.[1]

[1]: https://www.washingtonpost.com/blogs/erik-wemple/wp/2014/04/...


Looks like a similar pattern and the author is the same as with this "Big Hack". But I don't see any hard evidence to say that Bloomberg is completely wrong, either. Just that NSA etc. have officially denied it (which you assume they would).


Is the following a possible explanation?

* Random Apple engineer finds the implant.

* Goes directly to FBI without telling boss at Apple.

* FBI gags the engineer, says "Do not even tell your boss about this, it's national security and we're handling it".

* Bloomberg catches wind of this (maybe the same engineer leaks to them?), publishes their story.

* Engineer is now freaked, goes back to FBI and says "Are you really sure I shouldn't tell my boss?" and they say "Yes, we're sure, you are legally bound to secrecy".

I don't know how security teams, the FBI, or national security work. But that's the only scenario that comes to my mind which would explain both sides being completely sure of their version of the story.


> Goes directly to FBI without telling boss at Apple.

This is really hard to believe. An engineer who found this bug at Apple would most likely be praised for finding it. It is a huge discovery. What motivation would he have to not tell his manager?


Not only that, but also when thinking about the process of discovering an issue this big, I doubt a single engineer or team would have identified it on their own. Designing servers is a big undertaking and this part would only be identified as malicious in a couple of ways.

If some engineer finds a part on the board that is not in the BOM, I doubt their first thought would be to report it to the FBI. There would likely be some long email thread bouncing around multiple teams trying to determine if some design change was missed.


> would most likely be praised for finding it. It is a huge discovery.

Seriously, history, recent and otherwise, is littered w/the ghosts and carcasses of employees who were anything but rewarded for identifying problems great and small.

Oftentimes the safest thing to do is to pretend that one saw/heard/knows nothing while hoping that someone else has the steel to sound the alarm.

And for this sort of situation, there's too much at stake and are too many known and unknown stakeholders involved to blindly believe that this would be an exception to what I wrote above.

On a separate but related note, for those playing the "conspiracy theory" game:

- On October 4th, Bloomberg releases The Big Hack story; and

- On the same day, VP Pence gives a speech at the Hudson Institute about...? China being a bad actor which indulges in all sorts of behavior (that the United States would never ever engage in or condone).[1]

Factor in the "trade war" and long-ongoing attempts to 'encourage' companies to rethink their supply chains/ relocate production...

[1] https://www.hudson.org/events/1610-vice-president-mike-pence...


Hmm... flags and more down-votes, but still no counterarguments or questions. (Dang, what's up with that?)

Anyway, here's a September article from Axios entitled, "The Trump administration's secret anti-China plans" https://www.axios.com/trump-administration-anti-china-campai...

From the article: "The broadside against China — which is planned to be both rhetorical and substantive — will be "administration-wide,"" [emphasis added] ""The push is coming from the national security apparatus," the source added."

Personally, I hope no products are compromised, ever. That's probably not the case, and either way, the average person won't care much in the short term. Busy w/other stuff, they probably don't remember this story today, if they even heard about it. Businessweek is, after all, a business magazine targeted at a pretty specific audience.

As for whether Bloomberg's story is part of a wider campaign, I don't know and don't believe I've said otherwise. It doesn't really matter to me, as I know that a game is on and that it isn't unreasonable to use such a story while playing. I've seen and heard all sorts of curious things in the last few years. Nothing about today's environment tells me that I'll have fewer such occurrences.

Toodles, kids.


It wouldn't be one engineer. Bloomberg says that they have three senior sources inside Apple.


What does "senior" mean? In the tech industry everyone with 2yrs experience is "senior", and everyone on salary is an "executive".
