Hacker News new | comments | ask | show | jobs | submit login
AWS CEO Jassy follows Apple in calling for retraction of Chinese spy chip story (cnbc.com)
461 points by magoghm 3 months ago | hide | past | web | favorite | 267 comments



There should be hundreds of thousands or millions of these hacked motherboards, and nobody has found a single one despite hardware geeks worldwide searching like it was Willy Wonka's final golden ticket. This story was bogus, it most likely came from a ton of rumors that got conflated, hence why they had to go with anonymous sources as opposed to any physical evidence. I'd be surprised if Bloomberg has any credibility in tech journalism by the end of the year, and a good chance they may end up stuck in a courtroom trying to defend the decision to run this piece (on the front page, no less) for a long, long time.


"There should be hundreds of thousands or millions of these hacked motherboards"

No, the boards would be selectively hacked.

And we know it happens because 'we' do it as well.

Surely there is evidence floating around but it's also unlikely that companies would want to admit the breach.

I kind of believe Apple and Amazon though, there's too much risk if they were to be caught lying.

This is a weird one ...


Bloomberg claims that there is evidence floating around - unless they're bluffing, they should be able to show evidence of at least one such motherboard, instead of CGI graphics showing how it might look.

Have they seen any actual hard evidence? Noone is disputing that the described attack vector is possible, but if Bloomberg has not properly verified if it actually has happened, then their article becomes a lie; and if they have properly verified it (as opposed to blindly trusting unnamed sources), why are they seemingly unable to show any hard evidence or details to the public?


If their sources are from the intelligence community do you really expect them to handover physical chips to the journalists they leak to?


If the intelligence community expects what they say to be reported as fact, then they need to pony up at least something to verify their claims. Otherwise the news media is just a mouthpiece for the intelligence community. That's particularly bad because one of their jobs is to be a check against just such behavior.


> Otherwise the news media is just a mouthpiece for the intelligence community.

Ah, the Mockingbird sings...


But it likely isn't the IC saying it so much as a whistleblower saying.


Does that somehow mean they should be less skeptical and not require more evidence before publishing the whistleblower assertions as fact? Do whistleblowers, by asserting that they are whistleblowers even without evidence, deserve more trust in this scenario for some reason?


I agree with you, now its normal practice to blame someone without evidence. Intelligence communities around the world are major source of "fake news" and media manipulate. My understanding is that "whistleblowers" are part of experiments done by intelligence communities to gauge public response on certain activities(might be illegal ,immoral) and with passage of time we forget and accept theses practices as new normal.


It doesn't reduce the requirement for evidence, but it's a very realistic "why" when it comes to why they haven't produced any physical evidence.


Of course intelligence agencies would never do such a thing as have one of their officers pretend to be a whistleblower in order to trick the news media into publishing their propaganda. /s


I'd be very careful about the term "the intelligence community", that is the "community" which told the world the WMD story in Iraq.


That would be politicians who ignored any of the "IC" analysis that contradicted their claims, and made up their own conclusions from dubious sources of "raw" intelligence like Ahmed Chalabi.


Bullshit. Straight from the CIA's NIE, page 9:

> High Confidence:

> Iraq is continuing, and in some areas is expanding, its chemical, biological, nuclear and missile programs contrary to UN resolution.

> Iraq could make a nuclear weapons in months to a year if it acquired sufficient weapons-grade fissile material.

https://www.scribd.com/doc/259216899/Iraq-October-2002-NIE-o...

I'm not sure where this "the IC is this blameless group that only looks like they screw up because of those pesky politicians" meme came from, but it has no basis in reality.


Don't bother trying - its not possible in todays political climate for people to be enlightened as to just how much damage has been done to the world by the 'intelligence' community. The CIA is the #1 source of conflict and trouble in the world - but American citizens have a very hard time with the self-reflection required to see this fact. This is by design: their society has been engineered to allow the secret spooks to rule, comfortably, without interference from public policy makers.

Time and again, we see the CIA, and other of US' TLA-agencies, directly causing world turmoil - and yet a blind eye is turned, because "at least its our guys doing it", etc.

The world would be a much, much better place if American citizens paid more attention to what their spy masters are doing in the world. Secrecy is the lynchpin of all corruption: the fact that American's worship their secret-keeping institutions as beyond reproach, the reason we have so much turmoil in the world.


>> The world would be a much, much better place if American citizens paid more attention to what their spy masters are doing in the world.

It doesn't work like that... "at least its our guys doing it" isn't some honest maxim we spout off in American fervor. It's akin to Winston knowing that when the 2-minutes-hate starts, whether you are into it or not, you stand up and blend in. Otherwise, those spy masters you mention make your life very uncomfortable, or take it away entirely. We just live here man, you don't think we actually are in charge and can make any difference...do you?


>We just live here man, you don't think we actually are in charge and can make any difference...do you?

Is it a democracy or not? Are you a brave people, or are you really a nation of cowards?

The world burns while Americans do everything they can to not take responsibility for their government.


No it's not a democracy and never has been, the system of government here is a democratic republic. Misunderstanding America seems to be a very hip thing to do these days. Most of us do exactly what you do in your respective country: try to look out for our family each day. We're neither aware nor responsible for 99% of the rest of what goes on around the globe. Most of us don't care, because we have our own problems to worry about.

The talking heads you see on TV telling you "America thinks XYZ", or "America won't stand for <foo>!", are just that...talking heads. They aren't us, we don't know them, they don't come over and share meals...they are just a few elite that can't shut their mouth in front of a camera. It's just as shitty here as it is where you are from, most likely.

Now we have lots of propaganda. You know, like the USSR and North Korean propaganda... mantras that say we are the bravest, most "free", most prestigious people on the planet. It's just propaganda though, no one that lives here believes that nonsense. If they do, they just got off the boat...give them a year and their tune will change.

disclaimer: I'm an unhappy veteran.


"The body of the NIE contained several qualifiers that were dropped in the executive summary. The fact that the State Department’s Bureau of Intelligence and Research disagreed with the conclusions was not highlighted.

As the draft NIE went up the intelligence chain of command, the conclusions were treated increasingly definitively. Only the summary of the NIE was partially declassified, and it omitted most of the reservations and nonconforming evidence. The fact that the NIE concluded that there was no operational tie between Saddam and al Qaeda did not offset this alarming assessment."

https://www.rand.org/content/dam/rand/pubs/research_reports/...

I wouldn't call the IC or even the CIA "blameless" for Iraq either and I don't appreciate you putting the word in my mouth (we also probably share a generally sour view of the CIA - they have done too many godawful destabilizing things around the world). The IC weren't the ones ordering the troops to invade any country on flimsy politically-massaged evidence though.


I disagree with the other guy - definitely continue to bother trying.


I always wonder why are sources from the intelligence community regarded as distinct? They're fairly integrated, I'd regard them as just one source.


These were supposedly targeted attacks. Why would Bloomberg have access to AWS and Apple internally designed boards?


> internally designed boards

What? The allegations are against super micro boards produced in China.


Super Micro builds custom designed boards for other businesses given the right quantities. It's a huge part of their business; I wouldn't be surprised if it's bigger than their white box boards.

One of the allegations was that special purpose video encoder boards from a hardware startup that Amazon acquired (Elemental) were targeted. These aren't off the shelf boards that anyone can buy.


Because the sources in AWS and Apple who reported this issue to Bloomberg have access to the boards they're reporting about?

What details and evidence about these boards have these sources provided to Bloomberg? Are there any details or evidence?


Not if they've been destroyed or handed over to the authorities.


"It should be taken as fact because I can't prove it."

How about no.


No, just that the a absence of evidence isn't the evidence of absence.

There's next to no way that Bloomberg's sources would still have access to the boards, and that should be considered given all of the calls here to see them.


You just need ONE board to be able to prove it. Surely Bloomberg or their sources can get their hand on a single piece?


So if a newspaper wanted evidence that your company fucked up you would go and dismantle company property to discredit your employer knowing that it's likely to damage them and ruin you.


> So if a newspaper wanted evidence that your company fucked up you would go and dismantle company property to discredit your employer knowing that it's likely to damage them and ruin you.

The informant may have perfectly accurate information but be completely unable to provide physical evidence. For instance: they could have been briefed on the matter, but still have no physical access to the datacenter or to the location where the compromised servers were taken to.

A lot of the demands for physical proof make the false assumption that someone who knew about the spy chips and talked to Bloomberg would have had physical access to an example. That's simply not the case. How many of us work as software engineers in Fortune 500 companies, and how many of us could walk into one of our employer's datacenters and take a photo of the motherboard of a particular machine that we frequently work with? Not many, I'd imagine.


Well, if you're Apple/Amazon you have the SEC and your shareholders ready to ruin your life if you say anything that could even be interpreted as a lie. So, in this hypothetical you may not want to, but you will definitely feel forced to.


You can also have the government out to ruin your life if you don't cooperate.

See: Joseph Nacchio and Qwest


> You can also have the government out to ruin your life if you don't cooperate.

What if it's the Chinese government that's putting pressure on Apple and Amazon? What would Tim Cook do if he was told on no uncertain terms that Apple would be kicked out of China and its iPhone production lines shuttered if it confirmed this story? Even if the chance they'd go through with their threats is small, it's an enormous risk to Apple and taking it would be hard to justify to its shareholders. FAANG companies are clamoring for access to the Chinese market, and that gives the Chinese government a lot of leverage.


A possibility straight out of a thriller novel - and definitely exciting!

I don't think it likely though because such a nuclear option from the CN government would have the effect of basically destroying their position in the global supply chain.


I can't believe that the government would blackmail Tim Cook into writing such a strongly worded rebuttal and then, weeks later when the story is not making the front pages anymore, have him write a call for retraction which brings this story back in the news cycle. That makes zero practical sense. That's the problem with many conspiracy theories: they make it seem like the people pulling the strings are incredibly clever and powerful while at the same time completely clueless and coming up with extremely complex plans to achieve mundane goals.

I could believe it if the denials so far felt incomplete or ambiguously worded as if they were tiptoeing around something that they were not allowed to disclose. I could believe it if all we had coming from Apple and Amazon was the usual lawyer-speak "I won't confirm of deny" bullshit. Instead we've had completely unambiguous "this is completely false and never happened". If it turns out to be a lie it's going to be devastating for the trust in Apple or Amazon.

I mean think about it, if for some reason the US or Chinese agencies wanted to downplay or shift the blame they had so many easier ways to do it that would put them in an awkward position if somebody manages to prove the existence of these backdoored mobos. If the best spin they could come up with was "just deny everything and make sure to do so at a regular interval so people are constantly aware of our denial" they really need better PR people.


> I could believe it if the denials so far felt incomplete or ambiguously worded as if they were tiptoeing around something that they were not allowed to disclose. I could believe it if all we had coming from Apple and Amazon was the usual lawyer-speak "I won't confirm of deny" bullshit. Instead we've had completely unambiguous "this is completely false and never happened".

Well, at this point everybody is watching for weasel words, so a categorical denial is the only thing the government can demand that wouldn't provoke suspicion.

> If it turns out to be a lie it's going to be devastating for the trust in Apple or Amazon.

Oh, please. Companies have had millions of credit card numbers stolen, and nothing happens.

Apple and Amazon would get a bit of bad press. The tech folks wouldn't trust them any less than they already do. And it would blow over in a couple weeks at worst.

At this point, my Bayesian priors are lowering on Bloomberg, but they are not necessarily going up on Amazon or Apple.


If you want to blow a whistle, yes. If not dismantle, at least photograph the object. If your employer retaliates, you can make good money in speaker fees retelling the story, or get a job at a company that wants to be known for good hardware security.


Getting a job is not necessarily a reason to jeopardize a whole career in the intelligence community. People in public service sometimes have feelings about serving their country.


> would go and dismantle company property

since when taking a photo of the claimed motherboard with a foreign spy chip on it is considered as "dismantle" company property?

> discredit your employer knowing that it's likely to damage them and ruin you

I thought those huge number AAPL and AMZN investors deserve some truth.


They were internally designed boards that Super Micro simply manufactured. Why would Bloomberg be able to put their hands on a custom board like that?


The story is weird, and yes, they should be able to produce a board, surely. They maybe got caught with their pants down.

But it doesn't matter - this is happening 100% guaranteed.

'We' do it and China has become far more aggressive in these areas these days ... so if they could be doing it, they would be.

Someone should come up with a bit of proof though.


evidence is usually required for statements like

" this is happening 100% guaranteed."

I don't know what brave new world we have entered where journalists, or even online users for that matter, make confident claims about things for which there is no physical evidence.


A very close friend of mine led customer support for a large American IT company in the middle east where US federal agents were posed as support staff.

I worked at a large high-tech firm with business in the middle east, including content-filtering solutions and we were basically 'required' to work with Western governmental entities of a 'security nature'.

The US has massive clandestine projects in this regard and some of them are not so secret - consider the recent Wikileaks: [1]

"The US intelligence agency has been involved in a concerted effort to write various kinds of malware to spy on just about every piece of electronic equipment that people use. That includes iPhones, Androids and computers running Windows, macOS and Linux."

[1] https://www.independent.co.uk/life-style/gadgets-and-tech/ne...

All countries with active spy/clandestine agencies are spying on one another using malware, spyware, hardware hacking, phishing, social engineering, whatever. And many firms are complicit to one degree or another.

That Apple or AWS etc. may have been compromised with a specific attack makes for a really weird story - but that this is happening in general is a non-story - of course it is. It's not about this specific attack really.


I promise you that my dad works at microsoft and he has a chip I add to my ps4 to make it play Xbox games, you can't see it because it's too small becaise he also secretly works for the new. He taught me how to program the chips and I can do anything with them.


> And we know it happens because 'we' do it as well.

What's the logic in this? This is like saying Saudis must be Christians because we are Christians as well


No it’s not. It’s much more like saying the Saudis probably killed the journalist because we do it too.


not sure why you are so downvoted on this (maybe less drama next time) but more or less right.

More specifically though, the Snowden docs showed how the usa does this kind of stuff on a one-off basis.


Honestly, less drama, fair enough...but sadly it's not drama, it's fact albeit in small numbers, this 100% happened as we found out from Snowden docs and other leaks! That wasn't really the point i was trying to make though, and if it's happened or not doesn't really need to hold true for the basis of my comparison to hold true as a basis of english arguments.

Also, I gave up hunting karma on HN a while back, i'd rather speak my mind honestly than be artificially censored by chasing a number.


and IIRC, that it was/is the "preferred" method because it's easier to pull off/harder to detect than most other methods.


The implication here is more "we know its possible because we do it".


But surely there's at least a few thousand of the hacked boards? The article mentioned a data center and entire companies being targeted. All it would take is someone to dig up some junked boards, unless they were intentionally destroyed to hide evidence. Unlike 0 days or other issues, this seems like it would be easy to reproduce. Just need to find the boards.


You only want to slip in as few of these implants as possible to get in. You obviously want to hit as many networks as possible but only for targets that actually make sense. Hitting a DoD network has higher value than hitting the Mormon church's streaming servers. If these implants are real, they aren't cheap and the less that are in the wild, the less chance someone will find one on accident. If the implant actually could take over the BMC firmware, that could give you access to not only the OS running on that server but everything else on the network so the actual number of implants needed for an attack on a network/datacenter are low compared to how many machines are on there.


Any evidence of this theory?


No evidence that this alleged attack was highly-targeted, but it is pretty much SOP now, since the history of Stuxnet [1] publicly revealed the strategy. I was initially impressed the Bloomberg's story, but the longer this drags on with no independent proof, and given the one of the author's previous infosec reporting gaffe with no follow through, I've dismissed the story's veracity to a low probability.

[1] https://en.wikipedia.org/wiki/Stuxnet#History


No evidence whatsoever. Just all speculation based on previous targeted malware attacks that are public knowledge.


Things are hacked often with a specific facility or installation in mind. It could be as little has a handful and that'd be enough to compromise a lot.

I actually don't care what the truth [edit: truth of this specific BMRG story] is - the West needs a 'wake up call' on this one and any company installing hardware should be inspecting everything that comes in.

Too much lax security out there, sadly, the US gov I don't think is competent enough in this area to provide guidelines.

I wish there was a CIO right in the White House cabinet, who could work with the Valley + Security experts to provide minimum guidelines for everyone, and to make everyone aware of certain things.

I'm glad the internet was designed to be 'open first' but not glad it was designed to be almost inherently insecure as well. 'Open but Secure' by default would be nice :)


> I actually don't care what the truth is

Why are you in this thread at all then?


Because 'the truth of the Bloomberg story' is not important - what matters is 'what's actually happening' in the world. And this kind of hacking is definitely happening irrespective of how right/wrong the Bloomberg report is.


So why are you rambling on about unrelated pet topics in HN threads?


Do you truly believe his point to be unrelated, this isn't a debate about GP's tone?

I think what parent touches on in their "tangent" is indeed the most important thing to come out of this story.


I do truly believe it to be unrelated and veering into attractive-but-unsubstantiated conspiracy territory.


The United States spends 10's of billions of dollars spying on it's enemies. They hack, install spyware, require backdoors, use phishing, social engineering. So does China, Russia etc. and this is not a conspiracy.


It IS a conspiracy.

What you said is not a conspiracy theory.


Ha ha yes, you're right!


I think you mean conspiracy theory.

Of course this event is a conspiracy.


The Apple and Amazon statements were bulletproof, and would very likely guarantee them shareholder lawsuits if they were in fact falsified. Additionally, the SEC would likely investigate if this did happen (since it would be fraud with harmed investors looking for blood)


> Additionally, the SEC would likely investigate if this did happen

The phone companies all denied providing metadata to the NSA when the story first came out. I couldn't find the WaPo article from the same week, which I remembering reading in hardcopy, but here's a cite for the same from NPR: https://www.npr.org/templates/story/story.php?storyId=540913.... Did the SEC sue Verizon here?


Yeah I don't think those are really related. Apple was exceptionally clear that this simply didn't happen. Verizon is very careful about how they word that to say they didn't turn them over to the NSA, while omitting all of the other three letter agencies (DIA, FBI, DOJ, etc).

Compare that with Apple's statement, which is forcefully blunt and has no wiggle room:

    On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
The fact that they then asked Bloomberg to retract the story is also going a step further. The next step would be a libel lawsuit against Bloomberg, but that would be the thermonuclear option.

All of that said, the BMC on supermicro boxes is running a super old unpatched Linux and is absolutely chock full of exploits:

https://www.cvedetails.com/google-search-results.php?q=super...

I had to root one several years ago to fix a broken server we couldn't take out of service for $reasons.


The next step would be a libel lawsuit against Bloomberg

I'm waiting for the libel lawsuit. The absence of one is something I can't reconcile and leads me to thinking perhaps Apple doesn't want to through the discovery process for such a lawsuit which leads me to wonder why they wouldn't...


There aren't really any upsides for a libel lawsuit from Apple tbh, but I guess it just depends on how much Cook wants that retracted. As spiteful as he was, I'd suspect Jobs would have aggressively taken this approach.


Original Verizon statement: https://www.ft.com/content/d70c2ce2-e519-11da-80de-0000779e2...

They're very careful to say that they never turned phone records over to the NSA - who's to say they didn't turn phone records over to the DoJ, FBI, or any other agency, which then bounced them over to the NSA? I think they do have an out here. Plus, I'm not certain the SEC would sue over a matter of national security, even if Verizon was directly lying.


Is there, though? Take the latest Google example where they were less than forthcoming about user data that was accessed. Did anything ultimately happen to them? I think the same would happen in this case. If it were found, I'm sure they could quickly come up with some BS excuse that it was the best way to prevent the potential damage from being greater, that all along they had been investigating and doing whatever they could to mitigate the damage, yada yada yada. Then cue massive outrage. Followed by everyone else using their thing products as usual


"weird" is right

That such a potentially damaging allegation has not been met with a more forceful (read: lawyerly) response is "weird". That this dropped in one publication with quite a bit of detail is "weird". The timing of the responses, the rumors of trouble at SuperMicro, the timeframe of the alleged compromised boards. It's all weird.

I'm waiting for the other shoe to drop on this one.


> it's also unlikely that companies would want to admit the breach.

No comment is the proper action for no admission. However, Tim Cook and Andy Jassy put out public statements if they were willingly lying, they will be prosecuted by SEC


Would the pr team even know if it was true


How would you verify this theory?


>most likely came from a ton of rumors that got conflated, hence why they had to go with anonymous sources

Just noting that anonymous sources aren't unknown sources — if Bloomberg says that these are people working in US Intelligence then they've very likely validated it, but are protecting their identities by request.

Also worth noting that Amazon and Apple have a tremendous amount to lose here. That doesn't mean they're lying, but based no what we know, they have more incentive to lie than Bloomberg does. Also possible that they're already working with the government and have been asked to lie about it due to national security.

Totally possible that Bloomberg was intentionally mislead or flat-out wrong either way. It just sounds like they've done the due diligence of checking with an abundance of sources, so it would be odd. They've made mistakes before, but I don't know that they've ever made one of this magnitude. The decision to publish or not publish a story like this isn't something that one person working at Bloomberg does on a whim, many people are involved.

All other things aside, I tend to trust journalists more than corporations. There's not a lot of room to jump to a conclusion either way. Very solid 'maybe' territory all around.


Let’s size up the options.

Bloomberg is wrong. Apple and Amazing have every incentive to strongly deny the story.

Bloomberg is right. Multiple employees up to executive level at 30 US companies and the government know about it and are actively leaking to Bloomberg about it. Numerous boards are out there at 30+ companies as physical evidence. There’s no way Apple and Amazon could risk denying this so strongly. It’s already being widely leaked - according to Bloomberg - the cat is well and truly out of the bag and wailing it’s ass off.

It just doesn’t make any sense for Apple and Amazon to put their reputations on the line in that second scenario.


Or option 3: Bloomberg is was fed false information by the US government to cultivate distrust of Chinese sourced electronics. Not a bad tactic if you want to prevent Chinese infiltration in sensitive industries while also using it for political and economic leverage.


Option 4: Bloomberg is working on another story and the government is trying to taint their credibility by feeding them false information, so nobody will believe them when the real story comes out.

(I just wanted to point out all options)


Option 5: A journalist that really wants to land a scoop has a hunch that something is going on, and collects all the rumors and theories about hardware hacks, blurs the lines between speculation and facts, creates a plausible narrative that is too good to pass, and somehow persuades the editor that a dozen sketchy rumors must be enough to run a story.


That's why editors exist. Then, the journalist could also have been fed information that was fed to their leaky source in order to find out who the leaker would be.

OTOH, no experienced intelligence professional would leak information they are not absolutely sure other people have.


If they were instructed to do so by the government they would not really have a choice, which would very likely produce leaks.

If true, this is vastly different from the government requesting a backdoor or various warrant canaries, this would be an actual national security threat.


Is there any mechanism that the government can use to force you to lie? I know they can keep you silent but forcing you to say anything, true or otherwise, feels like a huge 1st amendment issue as the government can't typically compel speech, can it? I'm not a lawyer so curious on the perspective of someone who might know the details better.


Under certain circumstances the government can force a person or corporation to produce speech that is true - for instance, they are allowed to force you to file your taxes. However, there has never been a case to my knowledge where the government has been able to compel a lie - and any attempt to do so would immediately be subject to a legal case over constitutionality.


It would also be compelled speech, and from what I've read,

> governments have the right to mandate corporate speech “if the information in the disclosure is reasonably related to a substantial governmental interest and is purely factual.”

(https://www.reuters.com/article/us-otc-speech/when-the-gover...)

Since that would not be the case here, I do not believe it would be legally defensible for the government to compel false statements out of both Apple and Amazon.

(IANAL, so do take this with a grain of salt)


Why would it have to be compelled?

The government could say "look here, this is an actual national security issue" and Apple, Amazon, etc could say "oh shit, you're right - how can we help?"

If this were a real national security risk, what incentive would Apple, Amazon, etc have to tell divulge the truth rather than cooperating with the government? This is vastly different than saying no to a requested NSA backdoor.


Actually, that's not the latest news on that. I looked up that case on scotusblog & it was vacated based on the result of "National Institute of Family and Life Advocates v. Becerra" which I believe overturns the 9th Circuit's ruling on this although I'm not totally sure. Regardless, you're right. No ruling has held the government has the right to compel factually incorrect speech.


Or the government told them to strongly deny the allegations and the fact that the government can do that is just one of the many powers that we already know get granted to intelligence agencies in secret by rubber-stamp classified court systems not held publicly accountable and already infamous for suppressing criticism of their practices under the guise of national security. If the three letter agencies don't want Bloomberg reporting on a hardware hack, they already have the power to tell Amazon and Apple that they can't legally confirm the story. I see no plausible reason why they couldn't get a judge to tell them they had to make it look sincere.


Apple has been known to use warrant canaries and other methods of communicating when they have had to cooperate with intelligence bureaus. They've never come out and lied because the government told them to, at least, not that has been proven.


Do a search on the case law around “compelled speech”. tl;dr the government can force you to not talk, but they can’t force you to blatantly lie either. As an example, check out the difference between the denials of PRISM vs this.


> they have more incentive to lie than Bloomberg does

The other way around. Apple and Amazon have very strong incentives to tell the truth. This has significant implications for their business (i.e. stock price) and if there is one thing that executives want to avoid, it's SEC filings based on false information given to the market.

Meanwhile, Bloomberg has the reputation of journalists with patchy histories of security news reporting. Perhaps they've been fed a line by government sources, but there is little financial incentive to fix any errors.


While something like this will no doubt be damaging to some large American tech companies, it is way worse for China. Are they really going to potentially devastate their entire economy over the long term over such an easy to detect hack?


> Are they really going to potentially devastate their entire economy over the long term over such an easy to detect hack?

That didn't make the NSA afraid of targeted interception campaigns.

I believe that secret services are doing everything we normal people dream of already, including stuff such as the hardware injections either in the Supermicro case or in the stuff the NSA did, and a good bunch more which we don't even know of yet.

Cyber warfare is all too real now.


We already know that they're constantly trying to hack American IP. Our economies are symbiotic. Hurting theirs would be hurting our own.


> hardware geeks worldwide searching like it was Willy Wonka's final golden ticket.

The stuff of dreams for security researchers.


I doubt Bloomberg is that eager to dig a hole for itself. I wouldn't be surprised if someone with a vendetta was feeding them cooked information and fabricating a lot of very convincing evidence. That's pure speculation, but I just don't belligerent Bloomberg would run such an explosive story unless they were convinced it was true.


> they had to go with anonymous sources as opposed to any physical evidence

What do you mean by the second part of this? Bloomberg should have received examples of comprised boards?


Not necessarily received, but at least seen them and verified that the described thing actually exists. If they don't even have a single frigging photo that they can show us (up until now they have only shown CGI renderings that they fabricated themselves showing how it might have looked), then that seems to imply that they haven't done any due diligence.


> Not necessarily received, but at least seen them and verified that the described thing actually exists. If they don't even have a single frigging photo that they can show us (up until now they have only shown CGI renderings that they fabricated themselves showing how it might have looked), then that seems to imply that they haven't done any due diligence.

I don't know about you, but I certainly couldn't get a photo of the motherboard of a dev server I work with every day, let alone take a reporter to go take a look at it. That doesn't mean I don't have accurate information to base a story on, and it doesn't mean someone else can't corroborate that information.

Reporting isn't about gathering physical evidence, it's about gathering and cross-checking testimony and documents. If credible people in the government and an NGO testify that there was a poison gas attack at a certain location, a reporter can legitimately write an article about it. That reporter isn't going to sit on the story until they go to the attack site, collect samples, and sent them to a lab; nor should they.


If you're not holding that motherboard in your hands, then you definitely "don't have accurate information to base a story on" if that story is about inserted extra hardware - the story Bloomberg reported relies on analysis of that motherboard. If you find an anomaly in the dev server but can't open it up to look at the motherboard, then you can blow the whistle that something weird is happening, but you're not qualified to be a source for what Bloomberg claimed unless you have seen some evidence about the actual hardware.

As you say, reporting is about cross-checking documents. In this case, the relevant documents would be the technical details of that malware - photos of the motherboard with the inserted hardware, schematics and analysis of where and how the inserted chip connects to the "real" parts, dumps of the firmware alterations, microscopy analysis of the extra chip after decapping it. Instead, Bloomberg provided "this is where it could have been" CGI illustration and "this is how the mechanism might have been" description of the process. All details about the attack seem to be made up by Bloomberg, they're not based on any real hard data from their sources.

This implies that none of their sources had (or provided to Bloomberg) sufficient detail to assume that this is what happened - if the sources say "well, there was a major supply-chain attack but we're not giving the details" then that's not sufficient to report what the Bloomberg article did, making up the details without knowing them. If the sources provided enough detail to Bloomberg, then this is the point where Bloomberg should release those details to the public.


> If you're not holding that motherboard in your hands, then you definitely "don't have accurate information to base a story on" if that story is about inserted extra hardware - the story Bloomberg reported relies on analysis of that motherboard.

I disagree. What if you have a the text of a government report describing the reactions to its discovery in detail (e.g. "an implant was found attached to the BMC of some Supermicro boards, here's our plan for securing the supply chain against implants as small as 1x1mm...")? What if they were shown a report but not given a copy? What if you have consistent testimony from five credible people whose backgrounds check out who read the only copy of the report in a secure reading room? What if all that is verbally confirmed by other insiders?

> In this case, the relevant documents would be the technical details of that malware - photos of the motherboard with the inserted hardware, schematics and analysis of where and how the inserted chip connects to the "real" parts, dumps of the firmware alterations, microscopy analysis of the extra chip after decapping it.

The Bloomberg reporters aren't security researchers. All of the stuff you describe is well outside their areas of expertise or what they can be reasonable expected to do. They're doing their job if they report what they learn from others, it's not their job to perform research or replicate research themselves.

Journalism is more like history than archeology, but a lot of people seem to want it to be the other way around.


I would say exactly that.


If not received explicit examples, at the very least they should have been given some potentially affected SKUs to examine off-the-shelf boards.


Or gone to AWS/Apple and club and asked them to investigate before publishing...


According to Bloomberg Apple and AWS had already investigated thoroughly, had talked to the government, and their executives were the ones who had leaked to Bloomberg in the first place.


Published along the initial story were strong refutations from Apple, Amazon, Super Micro and Chinese Goverment. Some of them suggested that this is not the fist request from Bloomberg, so much that companies got annoyed to refute baseless speculations (see Apple response). So Bloomberg consulted with the companies and published despite the strong denials from all sides.


They did. Apple said they did 3 separate times, and in all times found absolutely nothing. Bloomberg chose to publish the story anyway.


We all know somebody has to be obtaining these boards, finding the alleged malicious grains of rice and testing them to see if they are in fact just passive components?

Where are they? Where is their presentation of finding nothing?


Will they name their anonymous sources if it turns out they were played by them?


Probably if they could prove it - but it's hard to imagine what they could find that would constitute proof.


Bloomberg probably has its own political agenda (guess who's administration is behind this?) for fabricating such elaborated fake news.


Exactly- where are they?! The Bloomberg story made verifiable claims (perhaps not exactly falsifiable due to their nature), so where is the verification?

It's so strange to see people continue running with "they wouldn't have doubled down unless they were really certain, so it must be true".


Assuming the story is real it is quite obvious that there aren't that many compromised motherboards. It wouldn't make sense and it would make the attack easier to detect and to publicly incriminate the culprit.

As the attack is said to have been discovered 3 years ago it is also not surprising that housekeeping has already been done a long time ago.


Supermicro is a fairly large player (4th largest) and they still manufacture servers. If this story were indeed true, none of these companies or any other company buy their servers. The story is simply fake news.


Big companies are now scandal proof. No amount of negligence or criminality is bad enough to bring one down.

Wells Fargo committed millions of counts of bank fraud, yet they still exist and people buy their services.

BP destroyed a large part of the economy and ecosystem in the Gulf of Mexico, yet they still exist and people buy their products. One of their top lawyers just became Assistant Attorney General for the Department of Justice’s Environment and Natural Resources Division.

VW built millions of cars with hardware designed to fake emissions testing data, yet they still exist and people buy their services.


Crimes are committed by individuals, not companies. If execs at VW break the law, you go after the execs, you don’t put the whole company in jail or turf out all it’s employees on the streets.


HSBC laundered nearly a billion dollars for terrorists and Mexican cartels. Which execs faced any legal repercussions again?

https://www.forbes.com/sites/afontevecchia/2012/07/16/hsbc-h...


I’m not saying there shouldn’t be repercussions, check my comment again, but there’s no point putting the bank tellers out of work because their bosses, bosses, bosses, bosses boss broke the law.


I'd be on board with this position if it was applied consistently. But it's not. Companies take political action, companies take credit for innovation, etc. The whole basis of a company is that it limits the liability of the people who own it.


Who knows.

Obviously no-one would have publicised this, so if you weren't involved you would have had no idea. The story does report that Amazon completely dropped Supermicro as a supplier following this alleged hack (that should be verifiable even if the reason given would obviously be different).


>I'd be surprised if Bloomberg has any credibility in tech journalism

If the tech world turns their back on Bloomberg, I'll give them more credibility; not less.


I'm curious too. This seems like a sides thing, and of course a lot of people are anti-tech these days. But, to side with the publisher of garbage tech journalism just because you don't like tech seems a little counter-productive. You can hate tech people without willfully believing things you know are false.


I’m curious; why?


(disclaimer: I worked at AWS from 2008 to 2014 as Technology Evangelist, and know Andy Jassy personally)

I know nothing specific about the issue per se, but I am convinced that Andy Jassy is speaking the truth here, for two reasons:

1) I've never seen a company as obsessed with security as AWS, and/or with such a big budget for security.

2) There's so many actors/employees involved in the audits, security, etc, that convincing some of them to "hide" a fact like this would be just too risky for a company that big. If that were really the case, I would rather work on a contingency plan, assuming that sooner or later the "leak" would come out.

There is a tiny chance that something bad happened, and that Amazon's magic PR twist managed to still provide a truthful statement (Steve Schmidt) while hiding that. "A chance", because of the various back and forth business between AWS and Chinese companies. "Tiny", because other scenarios are much more probable and plausible.

This looks like a very poor example of journalism, on Bloomberg's side.

On a different note, I still believe that weird/illegal stuff keeps going on between companies and governments worldwide, for the simple reason that these things keep coming up when there's a new leak, or when secrecy on certain classified documents gets lifted or expires.


Creating an illusion of security does not mean that something is actually secure.

Here's an example - AWS VPC connections only supports IKEv1. (https://forums.aws.amazon.com/thread.jspa?threadID=252723) (https://docs.aws.amazon.com/vpc/latest/adminguide/Introducti...)

IKEv1 vs. IKEv2: https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvem...


If we reverse the roles, we notice how little information you actually provide except your own opinions.


expressing yourself on an online forum is vastly different from publishing that bloomberg article with those very specific accusations.

also want to know who are "we" here? please stop representing other people without their explicit consent.


If you can disclose, what kind of security audits do you perform on your server hardware?


I'd like to know this as well. Not many can match the resources that AWS has so what actual checks are they doing of the hardware they receive from overseas suppliers?

There is going to be "don't tip your security hand" reticence to share so I doubt we'll get any straight answers.


https://en.wikipedia.org/wiki/Alex_Stamos#Yahoo!

Any move like this would start with the CEO. We have no idea if it’s a “hack” or a hush-hush back door provided by the feds. Let Bezos the pentagon lapdog give official statements instead.


Gruber doesn't get posted on HN much for some reason but he found a great tidbit on this: The reporters were flippantly dismissive of the (strong and repeated) company denials.[1]

Jordan Robertson was on TV saying companies have no "advantage" in "confirming" his reporting because "no consumer data [was] stolen." He seems to take very casually the distinction between "not disclosing" something and outright lying and engaging in an industry-wide conspiracy about it. He later tried to walk back that line but it's an interesting window into their mindset. It doesn't strike me as particularly strong journalistic reasoning.

[1] https://daringfireball.net/linked/2018/10/22/jassy-bloomberg...


The lack of confirming evidence is a strong sign the Bloomberg reporters were played. It's interesting to wonder who might have done that though -- US businesses who might gain? Those from within the administration?

Regardless of the truthfulness of the report, the damage is done and the hack story fits in well for the protectionist trajectory the US is taking.


It's certainly not the case that the US government has been above disinformation campaigns aimed at its own citizens even in the recent https://www.wired.co.uk/article/mirage-men https://www.dailygrail.com/2013/06/a-fractured-hall-of-mirro... or very recent https://www.nytimes.com/2017/12/16/us/politics/pentagon-prog... past. Though of course there would be much more political risk in lying to Bloomberg News than in using up and throwing away an old ufologist loser like Paul Bennewitz. (Still, it's even a little suprising how, in a country which avows military patriotism as strongly as the USA, the USAF can contribute to the destruction of a patriotic WWII veteran, then publicly gloat about it afterwards, and absolutely no-one gives two shits.)


What evidence do you have that AATIP was a disinformation campaign? The UFO story was extremely weird, but I've seen no evidence that the Pentagon fabricated the footage, or somehow coerced Fravor into lying on primetime TV.

Moreover, what would the Pentagon gain by running a UFO psy-op?


> Moreover, what would the Pentagon gain by running a UFO psy-op?

I've always wondered whether the magnitude of UFO sighting reports make it more difficult to glean intelligence about US aircraft/reconnaissance research. If, for example, Area 51 was responsible for cutting edge stealth aircraft research, it would be much more difficult to spy on the program through the civilian population if real sightings are indistinguishable from the flood of alien UFO sightings.


I've read that during the Project Blue Book era, the CIA was worried the Soviets might fuel rumors of UFOs, so that civilian observations of Soviet aircraft would get chalked up to aliens by a gullible public, and reports of unusual activity would be discredited.

I don't have the citation on hand but the declassified PBB files are available on the Internet Archive.


> Moreover, what would the Pentagon gain by running a UFO psy-op?

Space Force


Stalking / necroposting on this item: https://news.ycombinator.com/item?id=6749247

You'd mused on how bad the PR disaster would prove, of Google's YouTube/G+ integration, back in November of 2013.

Five years later, that integration has been reversed, and Google are in the process of killing off G+.

Trust in Silicon Valley as a whole is low, Apple's CEO has just called for a national data privacy law in the US, and the idea of adopting a new Google product doomed to be killed shortly after is now a cheap punch line.

Google itself doesn't appear to be financially damaged, but that can take a long time to set in.


There's no need to think so big. The people who thought they might gain might have very well been Bloomberg reporters, who really wanted to believe their story was true because it would have been the scoop of a lifetime. They really should have done their homework properly instead of trying to craft a story.

Of course, if it turns out they deliberately mislead, then that makes it worse, and it was very imprudent thinking that they wouldn't be caught.


Supermicro short sellers?


Unless Bloomberg are really amateurs it had to be a very credible source to make them publish the story even though Apple & friends had told them multiple time that it wasn't true. They trusted their source more that the word of the putative victims. And since then they haven't shown any hint of doubting it either.


Because bloomberg failed at basic jounalism, we will likely never know.


An easy way Bloomberg could support their story: allow one or more of their "senior insider" sources at Apple/Amazon to speak with another outlet (AP, NYT, whoever) who agrees to maintain their anonymity.


One of the interviewees did speak (though he's not apple or amazon), and said that Bloomberg completely misrepresented what he said to support this theory, which he totally disagrees with: https://9to5mac.com/2018/10/09/bloomberg/


The article you linked states, Bloomberg says:

> Joe FitzPatrick was not one of these 17 individual primary sources that included company insiders and government officials,


Oh, he was one of the named sources. Good catch, though that doesn't change the point.


The entire story is an elaboration of a hypothetical example Fitzpatrick gave in consultation. That the final article is an exact match is seriously problematic.


How would that actually support anything though? I don't understand how this entire story has any legs without physical evidence. People can say things to multiple people, but that doesn't make what they're saying more true, right?


It would support two things that are currently in doubt (1) the idea that Bloomberg ran the story with actual information from actual insiders at Apple/Amazon (I've seen upvoted comments in multiple HN threads suggesting fabrication and whether the journalists have a history of it) and (2) that Bloomberg did not confuse or extrapolate the claims in their story from much more minor security incidents, such as the one Apple had previously disclosed re:Supermicro (such confusion/extrapolation seems to be the most likely explanation for everything we've seen imho but many other outcomes wouldn't surprise me).


Who their sources choose to speak to is not up to Bloomberg.


Ok, "encourage and facilitate"


That would be catastrophic for Bloomberg - if a news org is seen as more interested in protecting its reputation than protecting its sources, no sensitive source would speak to it again. They can easily eat the hit of one potentially bad story. They can't eat the hit of 'dicks around with sources'.


Well, they would obviously get consent from the sources first, rather than simply sharing their names with the other outlets.


A source contacts a journalist offering sensitive information with the expectation that their anonymity will be zealously protected. Then the journalist comes back to the source asking they risk compromising their anonymity further by talking to an entirely different news organization. This would qualify as 'dicking with sources' and no sane journalist would normally do this, for both professional ethical and business reasons.

What you're suggesting involves both violating the trust of the source and creating the impression the news organization needs its competitors to establish its credibility. I can't imagine this is anything short of a complete non-starter for Bloomberg, an actual serious news organization.


Bloomberg might be a serious financial news organization but its credentials as a serious tech news organization are very much questionable at this point.

I agree that it seems tricky for them to go to their sources and ask them to talk to some other news org however.


yeah, right.


2016 report by ARS Technica: https://arstechnica.com/information-technology/2016/03/repor...

2017 followup by ARS Technica: https://arstechnica.com/information-technology/2017/02/apple...

So the story is 2 years old from a reporting standpoint.


But the article points that Apple wanted to protect themselves from some much more widely know threats:

"Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips.

As we've previously reported, the National Security Agency is known to intercept and modify equipment before it reaches the hands of its intended customers."

...

"The report comes as Apple fights the US government over whether it should have to write new software to help investigators unlock an iPhone used by a terrorist."


Dodgy firmware is nothing new, it’s just compromised code after all.


According to Bloomberg, that's how everything started:

> Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline. Two of the senior Apple insiders say the company reported the incident to the FBI but kept details about what it had detected tightly held, even internally. Government investigators were still chasing clues on their own when Amazon made its discovery and gave them access to sabotaged hardware, according to one U.S. official. This created an invaluable opportunity for intelligence agencies and the FBI—by then running a full investigation led by its cyber- and counterintelligence teams—to see what the chips looked like and how they worked.

If this was true, the public denials wouldn't surprise me at all.


And if that's how the Bloomberg article had ended, with well known and previously reported firmware issues, we wouldn't be having this discussion.


If Bloomberg ends up retracting the story, then the new question, for me, is how did this happen? Was it simply Bloomberg trying to get views? Or is it more interesting, like did their "sources" intentionally give them a fake story in order to hurt their credibility? Or was it to cast doubt on the anti-China stories in general?


It should be pointed out that Bloomberg authors get bonuses if they write stories that move the market:

https://www.businessinsider.com/bloomberg-reporters-compensa...

Not saying that was necessarily a motivation here, but it's worth pointing out.


Keep parroting this if you want, but that ended in 2014.


I find inescapable the conclusion that Bloomberg was a patsy in all this, somehow. Their story is panning out to be a more and more bald-faced lie by the day, and the accusations they made weren't exactly quiet or ignorable either. I actually find it easier to imagine a grand conspiracy to make Bloomberg print this story than I can imagine every journalist there suddenly forgetting every bit of integrity and common sense they ever had.


Well, Canada is in the process of chosing which companies to buy their 5G telecom stuff from. The US feds were strongly suggesting not to go Chinese. This is very useful in that regard.


I can’t help resist the thought: this was planted for political purposes.

1. If people buy the narrative, it works as anti-China talking points and we continue to villanize China and look for US to step up manufacturing of tech.

2. If it blows up and backfires, we get to villanize journalism as a profession and push for government takeover of media to ensure honest and integrity above profit (eg fakenews).

By planted story, I mean insiders or impostors feeding lies to journalists- tho I would hope Bloomberg would know how to vet a source?


Agree on 2. If only someone in the US administration really hated what he calls "Fake News" by established media and "Made-up anonymous sources".

"Won't anybody think of the poor economy! These unfounded stories are doing direct damage. Disclose your sources to the government or lose your Real News License."


I think you’re both grossly overestimating just how popular this story is beyond the tech world. This is hardly on the radar of most people, and not likely to move them to support any new laws or initiatives.


Any reason for these calls for retraction?

It's not like there aren't false stories about what happens at Apple or Amazon regularly, not that they're usually about hacking but the public calls for retraction seem somewhat as unique as the story.


Agreed. The pointed denials make the whole thing even weirder.


But this is about hacking / being hacked.

You would be sure to see a denial in that case.


The denials seem convincing. And yet the story seems very much plausible. US NSA does these kinds of attacks, why not China?

> They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories

If that's really the case then it seems likely that their source may have indeed deceived them. But don't they have multiple sources?

> The article also claims ... we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center.

Bloomberg's source for this claim must be distinct from the Israeli security researcher, right?

Perhaps, if this was a Russian HUMINT attack, it's another glorious success for GRU.


Plausible doesn’t mean “it happened.” It’s plausible that a convicted thief might steal again; that doesn’t give a news outlet to write, “anonymous sources said Joe Thief stole something from Target.” No evidence at all other than “Joe Thief” could have conceivably stolen something just because he happened to be at Target.

A lot of things are “plausible” but accusing people of having done the thing versus, it would be possible doesn’t rise to the standards necessary to maintain journalistic integrity.

Enough with printing anonymously sourced speculation as fact! Good journalists get sources on the record and, if they use anonymous sources, use them for background and not as primary sources. See Woodward and Berstein’s work on Watergate on how to use anonymous sources correctly.


The NSA has never done something on this scale. With sec researchers looking at _everything_ right now it would have been uncovered by now. The major point in this story wasn't a hardware hack, it was a hardware hack on a MASSIVE scale, a scale that would have to be treated as an act of war against the _rest of the world_.

If this article were true it would have been the first public volley in WWIII.


The number of implants doesn't need to be that great. If you are already tapped into Supermicro's supply chain and ordering system, then you can already figure out when a bulk of servers passing through manufacturing are going out to a certain customer. Bribe someone or have an agent on the floor slip in the implant during assembly. Maybe the gerber files for the boards already have the necessary pads built-in for debug, maybe someone is swapping in modified gerbers. Maybe the implant is installed totally after hours when the boards are already built or when they are on their way to the final assembly facility.


Why would this be treated as an act of war?

Spy work happens all the time; it's a normal state of affairs. One country or company stealing secrets from another country or company happened today, whether or not the Bloomberg report holds water.

It's only the first volley in WWIII if world militaries choose to escalate in response.


The NSA works with the advantages they have, and likewise for China. For example, PRISM involves tapping communications within American service providers like Google and Facebook, which is an advantage to the NSA because these are American companies that are subject to US law, FISA warrants, etc, and yet foreign adversaries still use these services. China's advantage is manufacturing--the manufacturing is in China, within the control of the Chinese government, and yet the manufactured hardware is still exported to China's foreign adversaries--and the way to exploit that is to do something exactly like what Bloomberg is reporting.


It’s really starting to smell like Bloomberg got played hard here. To preserve their journalistic integrity they either need to produce some supporting evidence real fast or admit they screwed up and retract the story.


Smells more and more like something 4chan would do.


I said it recently in different words and I'll say it again. There is no good ending for Bloomberg in this story, or at least for the reporters on the story and the editor who let it run. The longer it digs its heels in adamantly and doesn't retract this story, the worse it's going to get. Its deep pockets can handle a huge scandal and embarrassment for a while, but it'll face the ignominy of being ignored by sources in many circles if it doesn't act quickly (one of the ways, perhaps, would be to reveal more information that can be verified by third parties). It's as sticky a situation as it gets, and it will define/decimate Bloomberg for the future.


What's more plausible in this scenario: One or two journalists run a fake story, possibly for financial gain or simply notoriety, or that hundreds and even thousands of engineers and managers across multiple tech companies are all complicit in the most elaborate and coordinated corporate conspiracy in history, all just to hide the fact that they were breached...


It's possible that the hack wasn't that big (targeted to only certain boards) and that the higher-ups at the companies don't know the details


I’m curious how the internal meeting (at the newspaper) goes, when they have no actual proof, such as an actual compromised device. How could you possibly publish such a huge/important story without that smoking gun?

We live in too much of a scientific/fact driven period of time to allow this to be taken seriously in my opinion.


With the "trade war" going on I wouldn't be surprised if this was intentionally put out in order to reduce the us dependency on china.


Overpriced corrupt vendors are likely hurting to open compute designs and hardware.


Why was Google not affected by these Supermicro motherboards?


From my scouring some time ago on Ebay Google seems to use board designs modified and produces to their specs from some Taywan nonames. So while they also can potentially be similarly attacked, it wouldn't be the same attack.

Wrt. the subj of the Bloomberg story - back in 90ies Russian FSB would comb through the internals of every PCs they bought for their use. That though was before Intel ME :)


This story probably came from someone in the national security establishment who has zero understanding of the underlying technology but has a vested interest in the red scare..


What's up with calling these division leads as "CEO"? Do they only answer to the board elected by shareholders?


Sounds like they are running scared? Could this be a cover up do you think?


Surely at least a few of these boards should be floating around, can't Bloomberg or others dig up a few physical examples? Unlike software 0 days or other more ephemeral issues this should be hard to conceal and easy to reproduce.


It's not fake news unless you hurt me!


[flagged]


This is a pretty cavalier comment for a brand new poster. Welcome to Hacker News, where deep discussion is welcome.

The issue with trust in journalism is a real one, and as "deepfakes" and the current problems with the perceptions of "fake news" and "anything I don't like to hear is probably made up", the question of faith/trust in journalism and reporting is huge.

I don't think trust in journalism should go down. I think that when journalists and publications are caught with misleading or inaccurate stories, it should be in their interest to catch the problems and self-correct. The name of an institution is its integrity: It is built over time, and can lose its value quicker than it gains it.

There are correct ways to do journalism.


Aye, only when the incentives align. The proliferation of clickbait, native ads, and lack of consequences (social or otherwise) for poor vetting or lying outright...

“Journalistic integrity” is quickly on its way to becoming a pejorative term, if it’s not already there.


Unfortunately it's not in their interest to self-correct, it's only in their interests to generate clicks.


[flagged]


So how should have Apple and Amazon acted if they were indeed truly innocent? Their behavior seems to be very consistent with what they are saying.


Maybe let's let the justice system figure things out?


Is the justice system involved in any way at this point? Or are you suggesting that Apple and Amazon should sue for libel or something like that?


that's interesting, I didn't consider the possibility the government would start this story to possibly justify searching tech premises...


The main issue is that most of their stuff is manufactured in China, they see themselves taking a huge hit in profitability if the US all the sudden forced them to only do stuff in the US because of security.


Yup. Their entire business success, their 1 trillion dolar story, all their "shareholder value" can be summed up by:

"we don't build anything, the Chinese build it for us".

Time to pay the piper.


You don't need to coin a phrase - they laser-etch this split right onto the product: https://i.imgur.com/lHMIz5N.jpg


[removed]


If that's the only question then the answer for every major company is "guilty". I don't think doing business in china means that Bloomberg gets to make up a bunch of BS from mysterious anonymous sources without a single piece of physical evidence, wiping out billions in market value, and just call it a day and we're all supposed to believe it because they use the word "China". I think we can probably hold them, and ourselves, to a higher standard of journalism. Though, clearly there is a huge market for China-hating technopanic, no matter how little evidence or credibility there may be, since some people will literally believe anything if they think it's done in China.


It isn't really plausible that Bloomberg made up the story. They had to have a high degree of confidence to publish it. The question we all need to be asking is why they had that high degree of confidence. Where their information came from and whether or not those sources had ulterior motives to lead Bloomberg astray.

I have to imagine Bloomberg is also trying to find out why their story has not matched statements by the companies alleged to be involved so starkly. There is a story here, but what that story actually is is definitely in question.


Yeah, my hunch (like yours) is that everyone involved--Bloomberg, Apple, AWS--believes, in good faith, in what they have stated, and have collected more than enough evidence to back those statements. Since there's a contradiction, the truth is probably fairly weird, if it's enough to provide so much conflicting evidence both ways.

The least weird conclusion is that Bloomberg connected too many dots the wrong way around and are embarrassed to admit it.


For a good example of how reporters can be mislead, or can mislead themselves by buying too heavily into a narrative, and not examining alternatives with enough scrutiny, read about the Killian Documents Controversy (about George W Bush's military service, reported by Dan Rather 60 Minutes); or read about "A Rape On Campus" (the Rolling Stone article that was retracted in its entirety):

https://en.wikipedia.org/wiki/Killian_documents_controversy

https://en.wikipedia.org/wiki/A_Rape_on_Campus

In both cases, it seemed to me that the reporters involved crafted a story in their heads about what happened, and then only sought information that confirmed their story while ignoring information that contradicted it. The Duke Lacrosse case is an example of the same thing happening in a criminal prosecution:

https://en.wikipedia.org/wiki/Duke_lacrosse_case

Another theme that I've seen is experts giving an interview about some very specific/narrow topic, which is then spun, taken out of context, or generally misquoted by reporters and presented as something different. This happened with document verification in the Killian controversy, and also seems to have happened with this Bloomberg story, according to another comment in the thread: https://news.ycombinator.com/item?id=18278023 . In the Killian case, document examiners explicitly told CBS that they were relying on poor material that could not be authenticated (see Wikipedia section "Response of the document examiners"), but CBS went ahead and characterized the documents as having been authenticated by experts.


I totally agree, I think they cobbled together bits and pieces and kind of put it together based on what they could find. The one guy they interviewed who is willing to talk said explicitly that this is what happened to him: https://9to5mac.com/2018/10/09/bloomberg/


It's not clear how much oversight Bloomberg has over the detailed process that the journalists used to get their information, aside from what they presented to Bloomberg. Based on accounts from some people they talked to, it sounds like the journalists involved are conspiracy-types who will take any bit of speculative information and run with it.


> Though, clearly there is a huge market for China-hating technopanic, no matter how little evidence or credibility there may be, since some people will literally believe anything if they think it's done in China.

China has only itself to blame for this.

If you threaten the nuclear option over an airline listing Taiwan as a country on their US website, what will people expect from you over an issue that could cost you billions in business?

It opens them up to exactly this kind of story, because it gives people reason to expect coerced speech. The price of censorship and coercion is a complete loss of credibility. Which means the debate continues over a story where the denials could otherwise have put the matter to rest already.


What bothers me is that we have no proof and everything is vague. The motherboard needs to account for the chip at the PCB traces level to work right? Did anybody saw a weird 6 traces converging at a point for no reason on all the motherboards on the market? What is the exact model? Which bus it is fed from? Give me the name of the bus instead of vague journalistic stuff! Send pictures, output captures, anything.


> Did anybody saw a weird 6 traces converging at a point for no reason on all the motherboards on the market?

You do ask some good questions, but if apple can dropship my one macbook pro from China when I order it, I suspect they could dropship 1 (or many) of these boards to Apple, Amazon, etc when ordered. In other words, they wouldn't have to produce all of them with this special chip. Hell, they might only need to send one to each customer to infiltrate their network. If Apple ordered thousands of these, I doubt they would xray each one (assuming they're multi-layered boards).


You seem to forget how difficult it is to manufacture a single unit of a mother board to achieve the effect you're imagining. Do you really think they have a production line where every week or so they create a different mother board adding this circuit? Why in the world would they create these additional costs, and is it even economically justifiable? This whole story seems each day worse, just like believing in Big Foot.


> Do you really think they have a production line where every week or so they create a different mother board adding this circuit?

No, I do not think that. I assume they hand modify a few boards at a time, just like the NSA.

https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa...

Modifying every single board would violate one of the tenants of spying... it would make it much more likely for the implant to be detected.


The whole point of inserting malicious hardware for shadowy intelligence-related reasons is that you do it either out of government coercion or via government funding.

I don't know why it's so implausible that Chinese intelligence is using the Chinese tech industry to carry out their operations when American intelligence uses the American tech industry to carry out their operations. Nobody said PRISM was fake news because why would Apple and Google and Facebook invest in it; the actual investment came from NSA and the cooperation of these companies is via top secret FISA warrants. China doesn't even need to maintain the pretense of legality that the NSA does.

Again, I don't think the Bloomberg story by itself is credible anymore, but I also don't think it's as implausible as you are making it sound.


If the board house has copies of the gerbers, which they should, someone could easily edit those to introduce a spot for the implant. And if they already have all of the drawings, they can just add those empty pads into the design so any inspection wouldn't raise alarm. Then install the actual implant post-inspection. Maybe they get lucky by just re-purposing unused pads from the original design and route the traces to where ever.


The device in the photographs is essentially a fancy multi-layer ceramic cap. It can't contain a silicon die without a manufactured cavity and a lid. There is no way to do that in such a small package.


This seemingly trenchant observation ignores how much AWS (and Apple) have to lose in all their markets if it turns out they are insistently, loudly, publicly lying to everyone, including their shareholders and congress.


Hardware hacks have physical evidence. Where is the evidence for this story?


Are you suggesting both apple and amazon are covering up the truth?


Not just covering up the truth. Doing so knowing that getting caught would open them up to a huge public backlash and possibly legal culpability, even though if Bloomberg is correct about 30 companies are affected, the government knows all abou it, and dozens of Apple, AWS and other insiders and experts are actively talking to Bloomberg and sharing details left right and centre already.

How does anybody think Apple and AWS would calculate they could get away with lying like this, when Bloomberg says it’s already widely known and widely being leaked? So where are all these insiders that are blabbing? How come they’re not talking to any other journalists? What about the security experts Bloomberg says are also in on it and willing to talk?

If Bloomberg is right, this story should be wide open by now. Instead ....nothing. Not a single scrap of corroborating evidence for this supposedly widely known and broadly leaked issue.


are they aware statements like this confirm it?

If it were false the case would fall under libel and slander.

Someone is obfuscating truths here


Libel and defamation lawsuits are tricky because one would need to prove that Bloomberg ran the story knowing it was false or ran the story with "reckless disregard" for the factual accuracy of the reporting and prove that the article resulted in damage to the plaintiff.

Many dubious articles go unchallenged because it's often not worth pursuing legal action.


It's not like these companies don't have the money or legal resources to do it though.


Why did these demands for retraction take so long?


They quadruple-checked all their audits to make sure they were actually accurate in saying "nothing here".


Precisely. Worst thing would be to realize later you overlooked something and have to issue a correction.

And a story with this many moving pieces, you’ve got a lot of ground to cover. It’s so very hard to prove the absence of something.


That’s well and good and all...but it’s in Amazon and Apple’s best interest to deny everything.


It is? They're both public companies. If they get caught having strongly denied something that's true, that's worse than no comment, and the inevitable stock market motion and shareholder lawsuits that will result.


I still haven't heard a compelling argument for that. The only plausible reasons I've heard for Apple and Amazon lying about that are because they're being pressured by the American and/or Chinese governments. And if that's what's going on they're really going the extra mile with these calls for retraction.

I don't really buy it, if they really wanted to gaslight Bloomberg they could do it more subtly and without putting themselves in such an awkward position if strong contradicting evidence came to light.


As a press outlet they have a pretty solid defense in the first amendment


Well yes, haha, but if they knew or should've known that what they were reported was false and it causes monetary damages, then they can be taken to civil court. So, if they are sued they will be fighting to prove that they believed this article was true when they published it. Since Joe Fitzpatrick, one of the sources, has already come out and said that he speculated some hypotheticals that then made it into the story as fact, it doesn't seem that hard to prove that they published something they weren't sure was fact, which did cause a lot of monetary damages to quite a few companies.


It's the same thing as "Funding secured!"


except that: bloomberg is a press outlet, musk isn't, and bloomberg has no responsibility to the shareholders of the companies they covered, whereas musk is CEO.


They pay their journalists bonuses if they move the market. That gives some pretty perverse incentives to the journalists.


Omg this is true, I thought you were being hyperbolic. This is one of the most disgusting things I've ever heard in journalism, https://www.businessinsider.com/bloomberg-reporters-compensa...


What's perverse about it? Bloomberg decided that the market is a good way to measure impact of their stories. They're business reporters, so that makes sense. The incentive is not directional; it doesn't rely on reporters causing a stock to lose value or gain it.


> The incentive is not directional

The magnitude matters. Meaning journalists have an incentive to stretch the truth in either direction, as long as it'll get a reaction. A journalist now has to weigh this monetary incentive against their other incentives for being non-hyperbolic, truthful journalists.


The business insider article linked above makes it sound like a relatively nuanced measure. If the article makes a big splash but then gets wiped away by follow-up reporting, it doesn't sound like it gets rewarded.

Think about articles that don't move the market: did they contain novel, important information? If so, why didn't the market move?

It seems like this incentive encourages prioritizing stories which are unreported and meaningful.


Imagine paying reporters by how many people they got arrested. Sure would result in some terrible criminals being locked up, but it may well result in innocent people going to prison as well.


That sounds like a bad system but I don't understand its relation to business reporters releasing stories that move the market


IANAL but running a story about how a bunch of companies' products are insecure if Bloomberg knew it was false and those companies could show that Bloomberg knew it was false could be libel.


The first amendment doesn't protect you against libel or ham to your reputation.


Tell that to Gawker.


Gawker was bankrupted because they were stupid -- they were ordered by a judge to take down a video, and defied that court order. If you knowingly and intentionally defy a court order, and then gloat about how you're doing it, you're going to get burnt by any judge, no matter how willing they are to listen to your core argument.

More

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: