Slashdot Mirror
Bloomberg's Spy Chip Story Reveals the Murky World of National Security Reporting (techcrunch.com)
TechCrunch's security editor, Zack Whittaker, analyzes Bloomberg's recent report that China infiltrated Apple, Amazon and others via a tiny microchip inserted into servers at the data centers associated with these companies. With Apple and Amazon refuting Bloomberg's claims, Whittaker talks about the "murky world of national security reporting" and the difficulties of reporting stories of this magnitude with anonymous sources. An anonymous reader shares an excerpt from his report: Today's bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it's not, and a lot of people screwed up. Welcome to the murky world of national security reporting. I've covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories -- including the U.S. government's covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens. Even with this story, my gut is mixed.
Naturally, people are skeptical of this "spy chip" story. On one side you have Bloomberg's decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources -- some inside the government and out -- and presenting enough evidence to present a convincing case. On the other, the sources are anonymous -- likely because the information they shared wasn't theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say "a source familiar with the matter" because it weakens the story. It's the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves -- though transparently published in full by Bloomberg -- are not bulletproof in outright rejection of the story's claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance -- turning the story from an evidence-based report into a "he said, she said" situation. That puts the onus on the reader to judge Bloomberg's reporting. Reporters can publish the truth all they want, but ultimately it's down to the reader to believe it or not. Whittaker ends by saying "Bloomberg's delivery could have been better," and that they "missed an opportunity to be more open and transparent in how it came to the conclusions that it did."
"Journalism isn't proprietary," Whittaker writes. "It should be open to as many people as possible. If you're not transparent in how you report things, you lose readers' trust. That's where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you -- and I -- have to put a lot of trust and faith in Bloomberg and its reporters."
Naturally, people are skeptical of this "spy chip" story. On one side you have Bloomberg's decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources -- some inside the government and out -- and presenting enough evidence to present a convincing case. On the other, the sources are anonymous -- likely because the information they shared wasn't theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say "a source familiar with the matter" because it weakens the story. It's the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves -- though transparently published in full by Bloomberg -- are not bulletproof in outright rejection of the story's claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance -- turning the story from an evidence-based report into a "he said, she said" situation. That puts the onus on the reader to judge Bloomberg's reporting. Reporters can publish the truth all they want, but ultimately it's down to the reader to believe it or not. Whittaker ends by saying "Bloomberg's delivery could have been better," and that they "missed an opportunity to be more open and transparent in how it came to the conclusions that it did."
"Journalism isn't proprietary," Whittaker writes. "It should be open to as many people as possible. If you're not transparent in how you report things, you lose readers' trust. That's where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you -- and I -- have to put a lot of trust and faith in Bloomberg and its reporters."
The problem with the discovery of the extra chip is the need to use the internet to send back the data.
Advanced AV and firewalls along with really skilled staff selected on merit are going to notice that "extra" data moving out from deep in their secure networks.
Thats why most advanced nations have resort to different methods to collect their data.
1. Short distance data transmission thats not on the internet.
2. Staff/visitors/friends/a person with split loyalty on the inside to collect data later in a way that's never detected as an outgoing internet connection.
3. The use of a PRISM like big brand understanding to move the data out.
What could have happened?
1. NSA and GCHQ found the chips early and often and then created vast amounts of junk information to see how the networks and chips sent the junk data out.
2. The clandestine services found the chip and have been using it for their own missions but did not stop it as it was a free spying tool.
3. Very different and unexpected nations found the chips and have been using it as a free spy tool.
4. Criminals, faith groups, cults, ex and former clandestine services staff and groups doing industrial espionage have found the chip and used it for their own data collection?
5. National police forces found the chips and wanted to try a way to get around crypto.
The real fail with this is having to use the internet and never get detected.
Smart people with real skills will notice extra data on their secure networks.
Domestic spying is now "Benign Information Gathering"
I'm inclined to believe the story. I was able to enter factories in China where supposedly companies wanted to protect their "Intellectual Property" (I'm not going to name who, but big known brands), take photos and do whatever I wanted, all because the landlord (who is my friend) also has government connections. No one is going to report it and no one is going to say anything. I was treated like a king visiting his kingdom. This seems to be pretty typical in China. I've also witnessed machines being copied right next to the Germans installing theirs.
So I can see the Chinese government easily pulling this off. Employees are easily bribed, threatened and/or coerced into doing things. Most don't want any problems with the government. Anyone can believe what they want, I've seen it first hand and anyone telling you otherwise is lying through their teeth. They could easily build another production and R&D line to secretly add whatever they want in the same damn factory, the corporate management would never know what it's for nor would they dare ask. The only revealing factor would be Chinese gossip, because they like to talk and show off.
It's fairly trivial to exfiltrate data *slowly* from a server.
For example, TCP sequence numbers are supposed to be random, as are emphereal ports. Nobody is expecting those to follow certain rules. Nobody stick your data in the third bit of any of those random numbers and nobody will ever know. You can exfiltrate one bit per connection. On a busy server, that's like having a dial up ssh connection with root access to the machine.
You may have heard about the network-based Spectre variant that was recently released. Like all Spectre variants, it's based on detecting tiny changes in the average time something takes - the average response time to a network request, in that case.
With server grade gigabit and ten gigabit Ethernet cards having TCP offload on board, an attacker with BMC access can manipulate the existing TCP traffic in ways that the machine's own kernel can't even see.
You don't want to download gigabytes of data this way (unless you can hide it in thousands of gigabytes of legitimate traffic), but you only need 2048 bits to exfiltrate the private key that gives you everything.