Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Worries Spy Technology Has Been Secretly Added To Computer Servers It Buys (businessinsider.com)

Posted by BeauHD on from the check-it-once-check-it-twice dept.

An anonymous reader writes: According to Business Insider, "[Apple] worries that some of the equipment and cloud services it buys has been compromised by vendors who have agreed to put "back door" technology for government spying, according to a report from The Information's Amir Efrati and Steve Nellis." With many of its cloud-based services like iTunes, the App Store, and iCloud requiring enormous data center to operate, Apple hasn't been able to build all the data centers it needs, and has instead been using services from its rivals, namely Amazon Web Services and Microsoft. Google recently landed Apple as a customer for the Google Cloud Platform. "Meanwhile, [Apple] has embarked on yet another attempt to build more of its own data centers to handle all of that, called Project McQueen, reports Jordan Novet at VentureBeat, and the project is having a rough go of it, reports The Information." Apple suspects that backdoors have been added to many of the servers it has been ordering from others. "At one point, the company even had people taking photographs of the motherboards in the computer servers it was using, then mark down exactly what each chip was, to make sure everything was fully understood."

16 of 251 comments (clear)

  1. Here's a solution... by R3d+M3rcury · · Score: 4, Insightful

    I know it's a crazy idea, but maybe if Apple built their own servers, they wouldn't have to worry about that. Maybe they could even sell a few of them to other companies.

    Nah. Crazy idea. Forget I mentioned it.

    1. Re:Here's a solution... by Space+cowboy · · Score: 4, Interesting

      Anyone who read the article would realise that they were planning on doing exactly that. There is, in fact, a 6-prong plan to make Apple entirely independent of third parties. Part of this involves designing and building their own servers.

      Personally I'd be interested in knowing if they're going to use ARM processors... Those A9X are pretty darn good in terms of computing power per watt.

      --
      Physicists get Hadrons!
    2. Re:Here's a solution... by ArchieBunker · · Score: 5, Informative

      Guess you didn't read about the NSA program where they intercept hardware during shipping and install backdoors or othewise cause tampering.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    3. Re:Here's a solution... by 93+Escort+Wagon · · Score: 5, Interesting

      Anyone who read the article would realise that they were planning on doing exactly that.

      Assuming what you say plays out - and I read it exactly the same way you did - it will be interesting to see if, at some point, Apple decides to re-enter the server market. I mean, if they're going to be building their own servers anyway, why not see if you can sell a few? There might be people willing to spend the necessary bucks for an Apple-built server, given their stance on privacy and the current lack of trust many techies have for the US government (or most other governments, for that matter).

      --
      #DeleteChrome
    4. Re:Here's a solution... by JoeyRox · · Score: 4, Funny

      Apple could start rebuilding its own Xservers but it wouldn't be able to afford the purchase price :)

    5. Re:Here's a solution... by lgw · · Score: 5, Interesting

      So you can buy Chinese components and be hacked by the PRC.

      Or go to any Five-Eyes nation, and get the same experience. Ditto Russia. Anywhere else, bribery is all the NSA needs.

      Unless you're fabricating everything, and writing you're own microcode, there's always a chance someone is going to slip a backdoor in somewhere.

      That won't help. One of your key employees works for the NSA. It's practical to introduce a change to a mask (after all reviews etc) that subverts the on-chip random number generator, which is all the NSA really needs. There's real worry this has already happened at Intel (I can't remember whether the Snowden revelations included this, or it just seemed logical to crypto geeks).

      There were long discussions on Bruce Schneier's blog about how building a hardware RNG from discrete components you soldered together yourself was the only way to be sure (resistor thermal noise is a pretty good hardware entropy source).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    6. Re:Here's a solution... by FrozenGeek · · Score: 5, Funny

      My favourite quote from Armeggedon: Russian components, American components, all made in Taiwan.

      --
      linquendum tondere
  2. So join the rest of us by Cederic · · Score: 4, Informative

    Assume your cloud service provider isn't secure.

    Fuck backdoors, you can't vet their security or admin staff, you can't adequately audit their processes, you can't believe the marketing bullshit they produce.

    So assume they're not secure.

    How you deal with it isn't paranoia. Don't be bloody stupid.

    Encrypt your data at rest. Control the keys yourself.
    Encrypt your data in transit. Control the keys yourself.
    Encrypt your keys. Fuck it, go whole hog if you're that worried about it.

    But Apple aren't in any different position to anybody else, and photographing motherboards? Fuck me, get a life.

    1. Re:So join the rest of us by Anonymous Coward · · Score: 5, Interesting

      Once I worked for an industrial supplier. An international transport company was stealing our chips and inserting their own low-lifespan knockoffs. We would have never known if our customers didn't tell us. They found out by base-lining machines and realizing that some of the new chips coming in had markings that were in a different font.

      If they didn't take pictures of their known-good equipment to compare against, no one would have known and we would have taken the fall for selling bad equipment.

  3. The times, they are a-changin' by 93+Escort+Wagon · · Score: 5, Insightful

    You guys remember when we'd read about some random individual doing paranoid crap like this, and our first response would be to make fun of the wacko?

    Those were the good old days...

    --
    #DeleteChrome
  4. Re:What a shame by Gussington · · Score: 5, Insightful

    It's quite sad that in the United States of America, of all places, this is now a legitimate and very real concern. What in the hell happened to this country?

    At what point in your version of history has industrial espionage never been a concern?

  5. Re:What a shame by Anonymous Coward · · Score: 5, Interesting

    The same thing that happens to every country.

    You see, there is a subset of humans that are interested in having power over other humans. That is their primary drive. Over time such people infect all levels of government, law enforcement, and the upper tier of wealthy business controllers. Each and every day, they find ways of using the power they have to gain even more power, and they never get tired of doing this, and they never give up when defeated.

    Your privacy is a degree of personal power that you would like to keep for yourself. Unfortunately, they want it, and you can't both have it. So, they have taken it.

    Everything that you (and the majority of your social class) aren't willing to violently defend will eventually be taken from you.

  6. Wow ... by gstoddart · · Score: 5, Insightful

    "At one point, the company even had people taking photographs of the motherboards in the computer servers it was using, then mark down exactly what each chip was, to make sure everything was fully understood."

    You know, 15 years ago, give or take, this would have been considered the most absurd tin-foil hat bullshit imaginable.

    Suddenly, we find ourselves in a world where this makes total sense ... which scares the shit out of me.

    It's like the nasty dystopian future, but without cool skater chicks and designer digital drugs.

    --
    Lost at C:>. Found at C.
    1. Re:Wow ... by Solandri · · Score: 5, Insightful

      It was absurd paranoia back then because 30 years ago we were in a Cold War against an opponent notorious for limiting its citizens' freedoms and spying on everything they were doing. Our leaders had to constantly portray themselves as the polar opposite of that, or risk being voted out of office. Even after the Cold War ended, that mentality lingered.

      Then 15 years ago, 9/11 happened. And suddenly it became "important" for the government to know everything you were doing and saying in private, because Terrorism! It's pretty sad when you start to think the Cold War days were better.

  7. can't do anything much with encrypted data by raymorris · · Score: 5, Insightful

    While encryption in transit is good, unfortunately encryption on the server is typically more theatre/ marketing than it is useful security. There are only two things you can do with properly encrypted data - decrypt it or send it to someone who can decrypt it. If the server can decrypt it, and the concern is that the server may be compromised, there's little point in encrypting it.

    As a random example, let's consider the data of which users have purchased which songs on itunes. Apple uses that to know which songs you're allowed to stream. If it's encrypted, their server-side software can't do the lookup , so that can't be encrypted (or the server has to have the key, which amounts to the same thing).

    Essentially the only data that can be usefully encrypted is files sent from a customer's device which Apple doesn't want to read or understand, they just want to send back the exact same binary blob that they received. That CAN be encrypted before it's sent to Apple. But any data that Apple needs to query, change, record, or de-duplicate can't really be usefully encrypted, in general.

    It's an annoying problem, and a hard problem. There was a theory about encrypting data in such a way that you could do some very limited statistical processing on it without being able to actually read the data, but it's pretty limited so approximately nobody uses it. The one major use for data "encrypted" on the server is passwords, where you store a hash and can compare whether the password the person entered is the same as the stored hash. Though that's an important use case, it's only one use case. There aren't too many use cases for storing data you can't retrieve.

  8. Re:What a shame by cstdenis · · Score: 5, Funny

    Pre-industrial history of course.

    --
    1984 was not supposed to be an instruction manual.