Because barring a Stephen Glass scenario, what's fascinating here is that no matter which side is right, this is evidence of some sort of mysterious power play.
Either Apple was hacked, they know, and are denying, which is evidence of them being under the thumb of U.S. national security.
Or, they were hacked and an internal team knows and Cook doesn't, which is evidence of U.S. national security having powerful influence inside of Apple.
Or, they weren't hacked, and Bloomberg is doubling down, which at this point would mean that someone has successfully hacked their journalistic verification processes to an extreme level.
In all three of those cases, it points to a level of attacker competence that I'm not normally inclined to believe in.
owing feudal allegiance to.
"they had for a long period been feudatory to the Norwegian Crown"
So yes, if the old chief counsel was a subject in a feudal society, this all checks out.
Apple's official statement clearly said, they're not under any form of NSL or gag order.
The prevailing logic seems to be that US courts still believe the government can't force you to say something against your will, only prevent you from saying something.
They (Apple) have refuted this claim and said they're also not under any form of NSL or gag order.
Your suggestion is that both accounts are false, and that a secret government run investigation was run without Apple management's knowledge, but involving Apple datacenter staff, who are in fact under some form of NSL/gag order?
Perhaps you should go work for Bloomberg, they'll run your theory as gospel next week.
It could be that the actual story is something at some small company, which ballooned into a shit storm of assumptions and embellishment.
Saying nothing is Apple's thing. No one would question them saying nothing.
Except that a NSL can (legally) command the recipient to lie about it.
Do you have a source for this statement? As far as I'm aware, you can be compelled to remain silent but not compelled to give a false statement.
Q: Have you received an NSL?
Q: Now have you received an NSL?
A: Still nope.
(Government issues NSL)
Q: What about now?
A: No comment.
^ This would be a clear canary indication that an NSL has been issued, which is in direct contradiction of the terms of the secrecy requirements laid out in the NSL. The only reasonable response (aside from supporting the ACLU and EFF to end this nonsense) is to adopt the "no comment" policy early, which most do. However Apple has now broken that strategy, if they haven't already.
They therefore are not “acting exactly as they would” without a NSL.
Making an explicitly false statement to preserve the silence about an NSL or its subject matter goes well beyond a gag order. The gag order compels your silence; it doesn't compel you to become an active participant in maintaining that silence beyond not acting to break it, let alone persuading people to believe any explanations or stories to explain it or shield the investigation the letter is a part of.
But there's another issue beyond the constitutional problems with trying to order Apple or its officers to make verifiably false statements about the existence of Chinese spy chips: any statement about said spy chips would constitute a material fact to shareholders. And it'd be a really big one with an effect potentially measured in billions of dollars of market value, multiplied by the fact that Apple lied and destroyed every iota of credibility on privacy issues they've developed over the years. Making that statement--even if ordered to do so by an NSL--would be a blatant breach of their fiduciary duty to shareholders and SEC regulations.
Even if compelled to do so, Apple (or its officers) literally can't make that false statement. They'd have no choice but to fight an NSL that orders them to make false statements, and even if they lost, they'd limit themselves to "no comment." So while they might be under a gag order on a given subject due to an NSL, if they're commenting about it, we can reasonably accept those comments as true. Or, at minimum, that they are their own words rather than the government's. As a hypothetical, it's plausible that they could be lying about the chips; but if so, it would be because of their own deliberate decision to do so. Not that that's very likely, of course.
At this point the major wall has been breached in terms of rights, altering speech for national security, and we can no longer trust anything. If the secret courts decided they were going to compel active speech instead of compelling negative speech, what mechanism would let us know of the change? I don't think there is any.
Specifically Section IV, subsection C
"Canaries and the First Amendment Status of Compelled Lies"
Is there a way where the government could either purposefully disclose classified information (or retroactively classify it) so as to force certain individuals into making particular statements or denials via the threat that if they said otherwise they would be guilty of disclosing classified information ...?
Didn't some leaked documents show that a 'shadow' judicial status has been created (under post 9/11 hysteria) where, in the interest of national security, firms are allowed and even required to lie about things?
I haven’t read anything that says people/companies must lie, but I have read that they cannot divulge information due to gag orders. (See the court case Microsoft vs US Government)
Is that true in this case? My understanding is that NSLs are a subpoena with an accompanying gag order _about the subpoena_. I haven't heard of a case where an NSL was used to restrict speech in the manner you're suggesting. In other words, I believe an NSL could be used to hide government interest in such a breach, but not to hide the fact of the breach.
This is one of the main differences between the US and UK approach to classified information; there's no official secrets act in the US.
Ordinarily, yes. But what if this was double secret NSL?
What's the NSL equivalent of adding bacon?
But they didn't detail, like, that there was substantial corroboration of specific details like Apple working with the FBI. That leaves open possibilities that it came from just one source or that the reporters mixed up some details. Whereas the company/govt denials are very detailed and clear to rule out any possibility of misinterpretation. Bloomberg's "double down" is nowhere near that level.
If so, the rest of the 17 are just echoing what the inner group told them, without having done substantial independent verification.
I'm saying this because I've noticed quite a few 'hit' pieces, coming out of these "news" agencies that seem to have no other agenda than affecting the price of publicly traded stock in these companies.
One moment "this or that" is the worst possible thing that could happen to company A, and the next moment, it's just not as bad as everyone would have you believe... it's like they themselves want to push the stock price down so they can buy cheap shares, and then pump the price back up again so they can sell at a profit... strangest news cycles I've ever seen on this stuff... and it happens repeatedly all the time... analyst A at Financial Institution B "downgrades" stock X, and then sometime later comes a complete reversal...
It seems plausible that it's more along the lines of "journalistic process being broken" for this type of article, that all parties might be acting in good faith and that there is some level of misunderstanding.
I asked people in the CIA about the Bloomberg story and their response seemed to indicate that the story is real.
There’s immense pressure to deny this story for several reasons.
Like the Bloomberg article, your comment is unsourced - or anonymously so, which is only an infinitesimally larger notch better.
(But I presume you were merely being sarcastic; or trolling.)
I wondered why the United States does not care about such state sponsored violations of intellectual property, going as far as to deny the crime.
For Apple to believe that they could get away with outright bare faced lying about this, they would have to be very confident none of those people across dozens of organisations would either break ranks or mistakenly corroborate the story, and none of the copious physical evidence would ever be found.
The question is, do you believe that’s the sort of risk they are likely to take?
Why not just 'reporters talked to a bunch of sources and those sources are wrong or were misinterpreted or were given undue weight/credence by the reporters'. It's unusual and the news org processes are supposed to catch this but it's not that hard to imagine them occasionally failing in some mildly improbable way without any kind of 'hacking to an extreme level' or collusion between companies and spooks.
You'd think the accusers would be able to produce the chip if that were the case.
> Or, they were hacked and an internal team knows and Cook doesn't, which is evidence of U.S. national security having powerful influence inside of Apple.
More plausible but again - there should be hard evidence of this.
The story we published was one woman’s account of a sexual assault at a UVA fraternity in October 2012 – and the subsequent ordeal she experienced at the hands of University administrators in her attempts to work her way through the trauma of that evening. The indifference with which her complaint was met was, we discovered, sadly consistent with the experience of many other UVA women who have tried to report such assaults. Through our extensive reporting and fact–checking, we found Jackie to be entirely credible and courageous and we are proud to have given her disturbing story the attention it deserves.
Three days later they retracted the story.
When it comes to National Security, combined with the most valuable company in the US, all assumptions should be off the table. Apple has many reasons to publicly dismiss the claims: their business in China, their marketing as a security-conscious company, etc. They also operate under immense secrecy. Apple has unmarked buildings, top secret projects, a culture of secrecy within the company. They are the type of company that would have innovative approaches when dealing with national security matters.
It would be odd for Tim Cook to knowingly lie about this situation. If definitive proof came out that the chips were bugged and he had knowledge of it, then he could be punished. But, at the same time, if he were able to prove that he lied in the name of National Security, it could be instantly excusable.
"Something is wrong. Blanket denials from companies, NCSC and DHS are v. unusual. The only precedent for this is a 2014 Bloomberg article, by the same author, which claimed NSA exploited Heartbleed, and was vigorously knocked down with zero follow up by Bloomberg or correction."
> I mean, this is just intense now. On record statements from four different huge players in this field, clearly and forcefully stating there was no hardware-based backdoor inserted by PLA with regard to Apple and Amazon.
The next step is to obtain firmware for each chip, and compile and load it on all programmable chips. Again, but open source firmware.
Then moving up, we need an open source OS, which we have.
The last area is having open source silicon... but given that it's $10m minimum for a basic fab, this isn't happening anytime soon. Although, FPGAs could supplant some hardware. Then we'd need the synthesis code for the design.
Long story short, is there a way to make a trustworthy OS if you don't trust the underlying hardware? Is that even possible?
You're building something for the purposes of verification, not manufacturing; it doesn't need to actually build working chips, it just needs to scan them. So you don't need the same level of exacting precision throughout the design+fabrication process. And so it's easier to build in not just 1 "ooh, interesting", you could build in 1,000. I really do think so.
We now have precedent that maybe there's vested interest in hiding stuff. So security requirements would be so high as to make the project unviable because of its domain obscurity.
The above said, very interesting idea. I like it.
It's a very difficult problem domain though.
But wouldn't you want the FPGAs to be open source, too?
We still have to deal with 'trusting the compiler(synthesizer)' but with iceStorm, we're a good way there. It's still ugly around the edges, but I think this is one of the better ways forward in creating a fully supported FPGA platform (thinking the difference in microprocessor dev prior and after GCC inclusion of Atmels).
They made the flat out claim that AWS sold its Chinese infrastructure because of the hack. But this is flat out not true, anyone who actually knows anything about the Chinese government knows that AWS, same as Microsoft, cannot operate out of China. They are required to have a PARTNER to operate in China. I worked for Microsoft during the deployment to China, and we too had to have a partner. We were essentially "leasing" our technology for them to run it.
"According to the China Telecommunication Regulation, providers of cloud services—infrastructure as a service (IaaS) and platform as a service (PaaS)—must have value-added telecom permits. Only locally registered companies with less than 50 percent foreign investment qualify for these permits. To comply with this regulation, the Azure service in China is operated by 21Vianet, based on the technologies licensed from Microsoft.
Microsoft Azure operated by 21Vianet (Azure China 21Vianet) is a physically separated instance of cloud services located in mainland China, independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd."
So this to me proves that Bloomberg didn't fact check this story enough, and there are holes in it. Does this mean that China DIDN'T try anything? No, but this leaves me to question Bloomberg's sources and not fact checking their reports, as there is obvious misinformation in it.
EDIT: I googled AWS China, and this is the FIRST link.
And at the bottom it covers all the same legality stuff. So again, it's like they didn't even bother to research AWS China for 10 seconds.
IIRC, the Bloomberg article is consistent with this. AWS sold their business interests to that partner.
Heck, just the HN replies to previous discussion on this story had some comments from people who had jobs for a while detecting espionage on their boards, which were created precisely because some was found prior to that. For instance: https://news.ycombinator.com/item?id=18138699 You could make more hay with that story than a faked-up one. There's no need to lie for propaganda's sake, because the truth would be more than adequate! (The propaganda element would be in the spin and claims about the scale of the problem, not the brute facts, which certainly exist.)
If this ever was government propaganda, they changed their mind before finishing the job and hung Bloomberg out to dry.
At the moment, the best theory that seems to fit all the facts, including the comments from people who were interviewed for the story, is a not-sufficiently-technical reporter very motivated to tell this story (perhaps because of the reward for stories that move the markets?) who compounded confusion upon confusion in a domain they were suffering from Dunning-Kruger until they were able to write that story. And presumably, similar problems in the fact-checking and editorial staff. I'm still not guaranteeing this, but I'm giving it at least 75% at this point.
I suppose it also follows that the fab and design should be staffed only as NOFORN? That rules out the lead on the Apple silicon team.
I don’t think you understand how this works. This isn’t a nationalism vs globalism thing.
My comment is basically a pre-reaction to nationalists who would want to use this situation as an excuse to bring as much manufacturing work home as possible, even if it doesn't make sense (and if this were all a ruse, it would be a good way to get the White House on board.) Granted, it would also be pretty dumb to trust your adversary (from a national defence perspective) to build your weapons for you. Which is what the US is doing to a certain degree. Of course this is about globalism, because it's what led to this situation in the first place. But nationalism, importantly, is not the solution. That's what I hope people take away from this.
My point via the contrived example is that countries are fictions and so is citizenship and presence in one or “possession” of one is in no way a litmus test for “adversary” or even a reasonable proxy.
“China” isn’t a person, and so “China” can’t be an adversary. (Even if it could, that would be dumb, for reasons explained above.)
- PR a HW verification firm.
- manipulate a stock
- and many more
He showed the “emails he sent to Bloomberg, prior to the story’s publication, that said the hardware back-dooring the article described “didn’t make sense”.”
Another text about that source:
Where's the smoking gun here? Why don't we have die shots of this thing? Why hasn't anyone on this very forum seen the C&C traffic from it phoning home to see if it was a target? Nothing about their explanation even seems remotely plausible. Why on earth would the attacker ever do something as obvious and annoying to deal with as what they supposedly did with altering the layout of the board and adding components instead of just backdooring the BMC? Are we supposed to believe that they were simultaneously competent enough to pull off Bloomberg's fairytale but too incompetent to have an altered BMC load backdoored firmware internally instead of off of an EEPROM chip on the board?
I'm not saying that we should rush to conclusions but Bloomberg has provided absolutely no sources with any shred of credibility. There's nothing to substantiate anything so why should the default stance be anything other than to consider that article a piece of cyberpunk fanfiction?
Somebody should be able to produce SOMETHING without giving up their sources. Why can't they produce any of this?
Which is easier? Telling me what you saw in someone else's safe, or giving me its contents?
A random technician in a datacenter is under no obligation not to leak one unless he holds (or held) a clearance and has agreed to the terms of it.
Example - back when internet worms like SQL slammer were a thing, classification was a huge point of contention among gov security. At least in some agencies, because they were due to a vulnerability in a gov system, the IT/security staff were unable to discuss it with outside, uncleared people, because the vulnerability aspect made it classified. At the same time, knowledge of said worms and backdoors was public all over the news, and no reporters ever went to jail for discussing it.
This isn't so different - it only takes one person without a clearance to dig up one of these chips and publish pictures, and they can do so legally. The fact that it hasn't happened tells me this isn't a widespread problem.
It's possible there was a game of telephone or something else where the sources Bloomberg spoke with somehow ended up believing foreign propaganda, but I'm a bit skeptical of that.
Bloomberg is unreliable when it comes to Apple.
Either that or Bloomberg is lying.
Sounds more like Bloomberg was the messenger and is being silenced.
I'm aware how pedantic this may come across, but words matter, and in cases like this it seems dreadfully important not to fuel or even create conspiracy theories through carelessly (or perhaps carefully) chosen phrasing.
It's possible that Bloomberg got everything right, and that the vigorous denials from the cited companies and the objections from their own named sources and the actual denials (rather than "non-denial denials") from government agencies and the continued lack of corroboration from any other independent investigative or journalistic organizations is all part of a massive coordinated conspiracy to discredit this reporting, which this same international cross-government/corporate cabal somehow couldn't just stop from getting out. But is it likely? Really?
For a while I was buying the subpoena theory, but this action clearly doesn’t fall under that, and they would be setting themselves up for serious liability / damage claims if it were true.
Either there is some gross miscommunication going on inside Apple and Tim Cook is not properly informed - which is very unlikely at this point - or there might be less truth to Bloomberg’s story.
The frustrating thing is, we’ll probably never know the answer.
It is also possible that they have investigated, did find tampering, and are still publicly denying it.
What does Bloomberg have at stake, in comparison? Nothing, apparently, since they don't seem to value their reputation enough to back up their reporting with evidence.
The hardware was found when Elemental was acquired by AWS and they did a more thorough hardware security review. Elemental would have been a good target because of their government clients but was/is not large enough to be noteworthy otherwise. This is where I trust the Bloomberg story. Saying, "Amazon, FB, Apple got hacked" is one thing. Including a then-200 person startup company in the mix is another. To me it serves as evidence that the hack was real.
In large companies with a hundred thousand employees and contractors, barely anyone is aware of anything.
Ask a thousand people about project something and they will assert in good faith that they have never heard of it. It doesn't mean that it doesn't exist, just that you didn't find the handful of people who know about it.
The minute this story hit publication you can bet internal security teams at Apple would have validated it and submitted findings to Tim Cook. At this point Tim Cook, along with his legal team, has all the facts as they pertain to Apple and Apple suppliers and every component inside Apple devices. You don't come out without a strong denial like that unless you are sure you can back it up.
Some will say "but the people involved have a gag order, and nobody investigating, including tim cook or legal knows". This doesn't make any sense.
People without a clearance are not obligated to keep it a secret, and can investigate for themselves. So either everyone competent to investigate this has a clearance and/or is gagged (i.e., many thousands of people) and if that were the case it'd almost certainly make it to Tim Cook's radar.
Or not that many people are gagged, and Apple has thousands of engineers that could be looking into this, and they found nothing. I find that much more plausible.
Suppose this was a malicious attack, and PRC intelligence within SuperMicro and perhaps even Apple are responsible for these machines getting shipped and installed by Apple. Let's further suppose that the plot was uncovered by US counterintelligence.
Why the heck would US counterintelligence operate inside of Apple, discover security vulnerabilities that affect Apple in particular, hide this discovery from Apple's senior management, and then go on to leak it to Bloomberg while continuing to cover it up on the inside of Apple?
There is a reasonable-ish explanation for this. US counterintelligence usually falls under the purview of the FBI, and the FBI has had a couple public spats with Tim Cook over the years. Given Apple's commitment to user privacy, it's reasonable to presume that Tim Cook would not knowingly allow the FBI to infiltrate Apple. It's also reasonable to assume that, given any number of motives both virtuous and vicious, the FBI would have a vested interest in infiltrating Apple. In this scenario, notifying Apple management about these issues would risk revealing sources and methods.
At this point, the only remaining question is: why wouldn't the moles just quietly inform Apple management about the issue? Clearly, Apple personnel who are in the business of receiving and installing server hardware would have a defensible cover for poking around and raising questions about weird chips that mysteriously appeared on the hardware. There are possible explanations for this, but at that point we're just compounding conspiracy theories on conspiracy theories.
Contractors who worked in some datacenters 5 years ago and have long left?
It's up to Bloomberg to prove their hypothesis is true, but I don't see how Apple can say it's without a doubt untrue.
Humor me, why is this unlikely? Why is it not possible that (whatever three letter agency) grabbed a few engineers, told them to do X without talking to anyone else, at the risk of them and their families getting disappeared to a black site?
Besides, in security controlled jobs it's perfectly normal to not be allowed to disclose what you're working on even to your direct superior. This idea that Tim Cook / Apple PR must know everything that's going on at Apple is kinda ridiculous.
It’s going to take more than a couple engineers to cover this up completely.
Also, if the consequence for talking about this is being disappeared, why weren’t the Bloomberg reporters disappeared some time during the year they were working on the story?
And why exactly would a three letter agency do this to protect Apple?
It just doesn’t make any sense.
But while I'm not promoting some kind of executive supremacy, I don't feel it's a big stretch that the CEO can get properly informed of specific goings on of the company if the issue really lands on her or his plate. Even if there's some hole, having zero evidence that something weird may have happened on several thousand servers seems odder than anything.
If the CEO can't find out (almost - thinking medical stuff) anything by asking then that company has a problem as do its shareholders.
Even if that were possible it wouldn't account for all the discrepancies here. Bloomberg claimed that Apple worked with the FBI on an investigation and returned thousands of servers. Apple has strongly denied that which casts doubt on the rest of it as well.
He doesn't have to know everything, but he sure as hell would know "a foreign government is implanting spy chips into the hardware that is being sold to us".
We're commenting on Hacker News and we're believing that Tim is all knowing because of a security audit... against some malicious actor with the resources of a foreign state??
If it's indeed possible for some powerful forces to coerce some engineers into accomplishing certain goals, how possible is it for the same said forces to coerce some other people into accomplishing some other goals?
In 2016 Super Micro Senior Vice President of Technology himself said Apple found "infected firmware." It was so bad that Apple "discontinued future business [with Super Micro] as a result of a compromised internal development environment". Strangely Apple at the time was denying the whole thing:
But today, 2 years later, in a statement denying the current spy chip saga, Apple now appears to acknowledge this 2016 security incident, while minimizing it: they say it was "an infected driver on a single Super Micro server in one of our labs" (https://www.apple.com/newsroom/2018/10/what-businessweek-got...)
Why would Apple deny then 2 years later confirm this security incident?
As usual, the truth is probably somewhere in the middle. It is very possible the anonymous sources at Apple who support the spy chip story are not technical persons and are confusing this 2016 incident with the spy chip incident (in fact it's what Apple theorizes in their statement.) It is very possible the spy chip does exist and was found at some companies, just not at Apple.
I also find it very interesting that the FBI, the one organization allegedly at the center of this saga investigating the spy chip, has remained completely silent, neither confirming nor denying the story.
As for the 2016 incident, read Apple's denial more closely. They denied finding infected firmware on servers purchased from SuperMicro. What happened is someone in the design lab (not in production) downloaded infected firmware from SM's support site, where it was "still hosted". While you might say Apple could have been clearer at the time, that is nothing like the very strong, clear, detailed denials at hand here.
Bad source given. The WP relies on NSA officials denying they used heartbleed. You believe that?
Other than the claim that the infected firmware is "still hosted there" (which beggars belief) that sounds more like an engineer was spearphished and fooled into downloading firmware from what he believed to be the SM support site.
Much discussion about software supply chain attacks was around the role of NPM as a vector, which can be thought of as a source of "drivers" that make various products and services work, similar to the role that a support site for a physical manufacturer plays.
Even though a complaint whose only evidence is one hand-assembled image shouldn't be taken seriously as an evidence-backed analysis, here goes:
WaPo's response to that cherry-picking accusation (which included some strange cherries, like "Sanders stands up to Clinton's interruptions" being called a negative story):
and the complaints ignored pro-Sanders and anti-Clinton articles from those same days.
"Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."
And the AppleInsider article was updated to reflect the information that Apple provided in its press release. So there's no there there.
The FBI has a policy of never publicly commenting on ongoing investigations. You might remember certain exceptions to that policy causing an uproar about two years ago.
If it's real, the absence of those suits may tell us something too...
Well no one at those companies maybe, but I sure would. Transparency is the only way truth will be known here, and that's against the nature of secret sources and against the nature of Apple in general. If only there were an independent arbiter we could trust that could view both sides in confidence and provide an independent ruling, but there's too much statecraft involved for that to happen.
I'm not sure defamation is the right word here—"X was attacked by a foreign government" isn't defamation.
That's not going to win huge legal battles.
>Update: A source familiar with the case at Apple told Ars that the compromised firmware affected servers in Apple's design lab, and not active Siri servers. The firmware, according to the source, was downloaded directly from Supermicro's support site—and that firmware is still hosted there.
Apple issued the following official comment:
Apple is deeply committed to protecting the privacy and security of our customers and the data we store. We are constantly monitoring for any attacks on our systems, working closely with vendors and regularly checking equipment for malware. We’re not aware of any data being transmitted to an unauthorized party nor was any infected firmware found on the servers purchased from this vendor.
>I also find it very interesting that the FBI, the one organization at the center of this saga who is allegedly investigating the spy chip, has remained completely silent, neither confirming nor denying the story.
That's not true. Christopher Wray, in a congressional hearing, said "be careful what you read" in a response to a question about the story.
Like philwelch mentioned, the FBI has a policy of never publicly commenting on ongoing investigations. Wray's statement—extremely vague and neither confirming nor denying the story—thus implies there is an ongoing investigation... Hmm.
The NSA has been known to intercept electronics in shipping and put in their own specialized PCB board replacements with microphones, cameras, etc. that are _very_ hard to detect. Hell, the Russians even went back to typewriters for security purposes. It would be foolish to think that the Chinese/Russians aren't doing the same thing to us.
From my understanding, it's the joint cost of the program over its projected lifetime over the next 50+ years. Not the cost of getting it up in the air.
It seems like putting magical chips into computers is one of the most difficult methods of acquiring what at the root would be the same intelligence.
I'd imagine people at the Pentagon select randomly from a number of computers coming in and do some chip analysis like this, but I can only speculate, and they probably can't stop all the hardware backdoors this way.
Anybody that would be caught disclosing highly classified information would probably be found and promptly hanged (or get in some sort of freak car accident). They probably have some serious counterintelligence to catch the leaks. Once again I am only speculating.
Why would you burn a hardware hack like that for plans?
All of the people who think that Apple is being misled or coerced by the government into denying factual reports, I want to know how that belief is squared with the _lack_ of a retraction. If the government is powerful enough to get Apple to go to these lengths in defense of a falsehood, why can't they convince Bloomberg to retract?
* not necessarily from the US.
* If the story is false, it's irresponsible because it causes severe monetary and reputational damage to companies that do not deserve it (e.g. Supermicro's stock is still down ~ 40%).
* If the story is true, it's a MAJOR breach of classified information from US intelligence operations; operations which I assume (without evidence to the contrary) are operating in good faith -- in the interest of the US and its citizens. Breaching classified information of such ongoing investigations to trace supply chains of spy chips could very well compromise those investigations (which would be irresponsible to risk).
So either way, it's irresponsible IMO.
P.S. IMO you cannot justify leaking this kind of info by comparing to Snowden, for example, because Snowden was a whistle-blower revealing information about operations that compromised citizens' rights, which even Congress was lied to about.
Meh. I'm a former SIGINT guy and I think that democracy is well-served by investigative journalists (who are not cleared and have no ethical obligation to protect classified information) trying to dig up the classified details of sources and methods that are ultimately being employed in the taxpaying citizens' name.
Clearly there are going to be times when the intel community is going to have sharp differences of opinion about what the public needs to know, e.g. with the Snowden-related disclosures or whatever else. The point is that continued journalistic attempts to divulge the details of classified programs constitute an effective check on the potential excesses of these programs and have the additional salutary effect of making people in the intel community more OPSEC-conscious.
It's just that I've just seen no such evidence that there's any Snowden-style 'betrayals of the public' happening in this particular instance. Maybe I'm wrong, and maybe I'm overly trusting, but I like to default to innocence until evidence of guilt is on the table.
In a context where the geopolitical and commercial forces would all strongly prefer that such things never come to light, I'm on the side of more sunlight, not less.
Shining a light on this too early (assuming this wasn't an intentional "leak") could be akin to applying antibiotics to an infection prior to actually knowing what exactly the infection consists of, and discontinuing the treatment too soon (we all know how short the attention span of our news cycles is).
It doesn't seem unreasonable to analogize fighting spy networks to fighting an evasive infection: If you attack the infection with a half-baked or inconsistent treatment, you risk just breeding stronger infections that are even better at evading you.
Maybe I trust the US intelligence agencies too much, but it seems likely that they know what they're doing here. And so far, I've seen no evidence contrary to my default assumption that they're operating in best faith for the interests of the US and its citizens in this case.
Unless those counterintelligence operations were, by intention and policy, the original source of the story in the first place. I could easily imagine an FBI agent essentially telling Bloomberg, "Hey, we discovered this security vulnerability, but the only sustainable solution is to convince the tech industry to move hardware manufacturing out of PRC control--we'll feed you the story but don't say it came from us."
But intelligence info it absolutely makes sense for the press to cover, is evidence of foreign intelligence activities that were domestically discovered.
In this case, the "source" of the discovery would presumably be some employee of Apple or Amazon, and their "method" of discovery would be inspecting their own systems. While I can understand why the govt might want to keep that classified, I think it's well within the realm of what citizens would like to know, without obvious and direct risk to lives.
Daniel Ellsberg leaked such "major classified information" (the Pentagon Papers) about the Vietnam war, which ended up stopping the war in Vietnam (mind you for the better...).
If the NSA has been using the Chinese' own spy chip against US citizens, it's the journalists' responsibility to report that to the public.
I think you can use the past tense here.
But the story probably isn't true.
To make an analogy: What if a newspaper was given sensitive personal information about someone that was legal to publish, but could have damaging effects to that person and the population as a whole if published too soon? Do newspapers have a civic responsibility to hold off on publishing information that would only be damaging to everyone (at least until it's safe to do so)?
I don't think they did anything immoral by publishing (unless they believed what they wrote to be false).
That's a rather extreme claim, isn't it?
Are you saying that governments should widely publish all defense research? Are you saying governments should widely publish and distribute military plans before putting them into action? Are you saying governments should publish the locations of all defensive and offensive weaponry, as well as constant position updates of all military submarines?
That kind of openness would be suicidal. I agree that governments should encourage transparency, but not when that transparency would endanger lives etc.
It's the involvement of Elemental (now AWS Elemental) that really sticks out to me. Back in 2015 they were a 200 person startup with government clients. Perfect target for an attack. How else do you explain Elemental's involvement? If they weren't hacked, they would be too small of a company to even be worth mentioning. Bloomberg wouldn't have bothered.
I do agree with others that Apple has a hell of a lot to lose if this story proves to be true, but I think that's really more of a footnote compared to what will happen if the article proves to be true in its entirety. The data Apple has is nowhere near as critical as the data the NSA/CIA/MIC have.
Blog interview with Joe Fitzpatrick: https://risky.biz/RB517_feature/
Of course, whether the story is true or not matters, but at least as important is who Bloomberg's source is - as that goes to motive for releasing this information (true or false). And it isn't just Bloomberg who will be asking these kinds of questions.
So there you go. Proof positive.
+1 on Mockingbird btw, I was reading the comments before I posted it myself.
At this point I don't know what to think, so I'm waiting for the consensus.
With a year of reporting on this story Bloomberg has a LOT of unpublished info. If they are correct they should have a ton of information to back up the claims in their story, including plenty of stuff to put the lie to some/many of the specific denials Apple has made.
Maybe they are waiting, to let Apple hang itself with strong, detailed, public proclamations. Then, bam! They publish all their proof, blowing up Apple's denials, forcing Cook and many others to resign, etc.
Or... they've actually got nothing. In that case they won't be able to refute Apple. Either they slink away, hoping everyone forgets, or issue a massively embarrassing retraction.
I'm fascinated to see what happens. I think we'll know in the next few weeks or months at the most.
* Random Apple engineer finds the implant.
* Goes directly to FBI without telling boss at Apple.
* FBI gags the engineer, says "Do not even tell your boss about this, it's national security and we're handling it".
* Bloomberg catches wind of this (maybe the same engineer leaks to them?), publishes their story.
* Engineer is now freaked, goes back to FBI and says "Are you really sure I shouldn't tell my boss?" and they say "Yes, we're sure, you are legally bound to secrecy".
I don't know how security teams, the FBI, or national security work. But that's the only scenario that comes to my mind which would explain both sides being completely sure of their version of the story.
This is really hard to believe. An engineer who found this bug at Apple would most likely be praised for finding it. It is a huge discovery. What motivation would he have to not tell his manager?
If some engineer finds a part on the board that is not in the BOM, I doubt their first thought would be to report it to the FBI. There would likely be some long email thread bouncing around multiple teams trying to determine if some design change was missed.
Seriously, history, recent and otherwise, is littered w/the ghosts and carcasses of employees who were anything but rewarded for identifying problems great and small.
Oftentimes the safest thing to do is to pretend that one saw/heard/knows nothing while hoping that someone else has the steel to sound the alarm.
And for this sort of situation, there's too much at stake and there are too many known and unknown stakeholders involved to blindly believe that this would be an exception to what I wrote above.
On a separate but related note, for those playing the "conspiracy theory" game:
- On October 4th, Bloomberg releases The Big Hack story; and
- On the same day, VP Pence gives a speech at the Hudson Institute about...? China being a bad actor which indulges in all sorts of behavior (that the United States would never ever engage in or condone).
Factor in the "trade war" and long-ongoing attempts to 'encourage' companies to rethink their supply chains/ relocate production...
Anyway, here's a September article from Axios entitled, "The Trump administration's secret anti-China plans" https://www.axios.com/trump-administration-anti-china-campai...
From the article: "The broadside against China — which is planned to be both rhetorical and substantive — will be "administration-wide,"" [emphasis added] ""The push is coming from the national security apparatus," the source added."
Personally, I hope no products are compromised, ever. That's probably not the case, and either way, the average person won't care much in the short term. Busy w/other stuff, they probably don't remember this story today, if they even heard about it. Businessweek is, after all, a business magazine targeted at a pretty specific audience.
As for whether Bloomberg's story is part of a wider campaign, I don't know and don't believe I've said otherwise. It doesn't really matter to me, as I know that a game is on and that it isn't unreasonable to use such a story while playing. I've seen and heard all sorts of curious things in the last few years. Nothing about today's environment tells me that I'll have fewer such occurrences.