Apple Insiders Say Nobody Internally Knows What's Going On With Bloomberg's China Hack Story (buzzfeednews.com)
An anonymous reader quotes a report from BuzzFeed News: Multiple senior Apple executives, speaking with BuzzFeed News on the condition of anonymity so that they could speak freely, all denied and expressed confusion with a report earlier this week that the company's servers had been compromised by a Chinese intelligence operation. On Thursday morning, Bloomberg Businessweek published a bombshell investigation. The report -- the result of more than a year of reporting and over 100 interviews with intelligence and company sources -- alleged that Chinese spies compromised and infiltrated almost 30 U.S. companies including Apple and Amazon by embedding a tiny microchip inside company servers. Both Amazon and Apple issued uncharacteristically strong and detailed denials of Bloomberg's claims.
Reached by BuzzFeed News, multiple Apple sources -- three of them very senior executives who work on the security and legal teams -- said that they are at a loss as to how to explain the allegations. These people described a massive, granular, and siloed investigation into not just the claims made in the story, but into unrelated incidents that might have inspired them. A senior security engineer directly involved in Apple's internal investigation described it as "endoscopic," noting they had never seen a chip like the one described in the story, let alone found one. "I don't know if something like this even exists," this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. "We were given nothing. No hardware. No chips. No emails." Equally puzzling to Apple execs is the assertion that it was party to an FBI investigation -- Bloomberg wrote that Apple "reported the incident to the FBI." A senior Apple legal official told BuzzFeed News the company had not contacted the FBI, nor had it been contacted by the FBI, the CIA, the NSA or any government agency in regards to the incidents described in the Bloomberg report. This person's purview and responsibilities are of such a high level that it's unlikely they would not have been aware of government outreach.
Remember when people used to answer "I cannot confirm or deny that such action has taken place"?
Nowadays they just flat out deny it. And then months later the truth comes up, heads roll, stock prices drop, investors buy the stock for pennies. Then people forget about it, stock prices go up, investors sell the stock, and make a lot of money.
Everyone's happy. The head that rolled? Got his golden parachute. The investors? They got a lot of money. Everyone else? Don't remember a thing.
We're in the Mariana trench of fake news here.
How much more obvious can one make it?
Get out while you still can. I mean it!
It's the US government.
..."we can neither confirm nor deny the story".
Rape apologist!
I'm not sure what to believe here.
In support of the story, China does have a long history of industrial espionage and other spying. Many believe that their economic rise was boosted by stolen IP.
On the other hand, the current administration is clearly using allegations against China to balance the revelations that continue to come out about Russian interference. Many of the allegations from this administration towards China appear to be completely fabricated.
But this allegation is much more detailed than anything the administration has been imagining, but the sources are all anonymous.
Engineers are not intimately involved in the design, support and software maintenance of their products.
I've worked with Apple, Dell and HP server design teams in a past life and it would be highly unlikely that anything could be added to the products by board stuffers without being discovered.
Typically for most vendors, the first failed products go straight to development to understand what the problem is to see if there are any design issues. One of the first things that is done in the process is a review (usually by a junior engineer/technician) to make sure there haven't been any unapproved part substitutions - anything added at this point would be found. It should also be pointed out that Apple products have WiFi/BT built in which means FCC testing and that requires Apple to verify that the product is identical to what will be going down the line - if the PCB gets changed to add a chip without Apple's prior approval and validation by repeating the FCC testing then, based on the contracts I've seen and been a part of, Apple would be demanding huge amounts of compensation as well as making the vendor pay to roll the field.
This doesn't mean that Apple hasn't added the chips for US/other governmental snooping just that it's highly unlikely that the manufacturing partners added something without Apple's approval.
Mimetics Inc. Twitter
Option A: The Chinese have compromised Supermicro, and have spy chips embedded in every major datacenter and product from companies such as Apple, Amazon, Dell, etc. These publicly traded companies are now involved in the wholesale denial of this event taking place
Or, as someone who remembers the media blitz in the lead up to the Iraq war:
Option B: The Trump "administration" (slogan: "Not Nazis Only Because We're Too Incompetent") desperately wants a media disinformation campaign to sway national opinion against evil china, to make these coming 25% tariffs even more palatable to people who are going to be righteously pissed following this holiday season.
We have _already_ seen this agitprop bullshit ramping up here on compromised Slashdot this week. Anonymous Cowards, every single one. Sorry fascists, not buying it. Go fuck up someone else's industry.
Please, take a sample of those servers, open them and let a bunch of experts to investigate.
Is it that difficult?
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Or maybe they received a National Security Letter. Or had a standard NDA. Hell if I was senior at Apple I'd lie to keep my piece of the pie.
So far Apple has made two official, vehement denials and now we have this unofficial back-channel denial as well. This is highly unusual for Apple, one of the most secretive companies in the world. Engineers don't give these types of anonymous accounts without approval from executives, because doing so guarantees they will lose their jobs...so we can interpret these anonymous accounts as the third official denial from Apple.
Why is Apple trying so hard to deny a story that Bloomberg insists is accurate and very well sourced? And why are other tech companies like Amazon doing the same? Because they all realize this has the potential to destroy the very core of their supply chains. This would be extremely disruptive and costly to their businesses. It would take years for them to move production out of China and scale it to the level they need.
In other words their businesses are facing an existential crisis.
It's the size of a grain of salt, or the size of a signal coupler, and yet has power lines and bus lines and network lines routed into it. It can change the OS to make it modifiable, erm, somehow.
Should be easy to find, simply look for the signal coupler with all the PCB tracks running into it, that's running hot (because of the processing it does).
How about locating the "Ontario based security testing facility" referred to even.
There's lots of ways of testing the sniff of this story without relying on Apple.
Midterm elections, or quarterly reports... so complicated!
Maybe it's a hoax.
My colleagues and I were discussing this story last week. My research group has done some work in secure computing, and we were frankly surprised that someone would bother to add a compromised piece of hardware to a motherboard.
Software intrusions always provide plausible deniability to the attacker, which is critical to state-sponsored espionage. But a hardware hack, where someone succeeds in adding a component to a motherboard without the knowledge of the designer, is far more difficult and far more dangerous. A device in hand can be reverse-engineered, and forensics performed to determine exactly when and how it was inserted into the manufacturing chain. Experts can even determine the exact IC fab in which the chip was manufactured.
On top of that, a company that allows its manufacturing process to be compromised has essentially ruined itself. What customer would trust it again? Sure, it is possible that the Chinese government would be willing to spend the money to create a company that could be sacrificed to a state espionage effort, but the problem remains that if the espionage is uncovered, no one will trust any installed hardware purchased from them.
Software intrusions remain extremely successful. The Chinese purportedly breached the OPM and copied all of the personnel files for every U.S. citizen with a security clearance back in 2014, but to this day no one can be entirely sure who was behind it. Likewise, Russia constantly denies its own state-sponsored hacks. For that matter, so does the U.S.A., and everyone else. Why give up such a successful exploit vector in favor of one that provides an undeniable trail back to the perpetrator?
So exactly what is the story behind this Bloomberg article, and where is the proof that the hack actually happened? Someone needs to produce some hardware as proof. This story is definitely becoming even more interesting.
Oh, well, thank god then you've linked to such quality blogs proving the "Fake News" from Bloomberg whose "opposition to president Trump knows know bounds". I know blogspot and "godsavethepoints" are where I go when I'm looking for cutting edge investigative journalism and not a fart sniffing boomer echo chamber about muh fake news.
Quite frankly, Bloomberg got fooled by a bunch of people who, for whatever reason, gave them this story.
Why would people do this? I can think of a bunch of reasons off the top of my head:
* someone wanted SuperMicro to play ball, and they refused. This is payback.
* someone wanted SuperMicro's stock to fall, and fall a lot.
* someone wanted to demonstrate they could get the press to print anything, no matter how ridiculous.
* someone wanted to teach Bloomberg a lesson
* someone wanted to throw doubt on the Chinese supply chain. The one that supplies like all the electronics to the US.
* someone wanted China to share some of the attention
It could be all of the above. But really, the story is bullshit. The superchip is a story cooked up to fool reporters, reporters who are smart enough to fool themselves into thinking they understand how computers work.
What I'm surprised at is that they didn't ask anyone in the industry about the details. You can always theoretically wire something into a mobo and hide it. You can't practically get something that small to do everything they said it could do. Even James Patterson could tell the difference.
If there's one thing i like about Apple it's their intense hatred for either doing the government's bidding or funding their attempts to do so.
If there's one thing I like about the Feds it's ... ok, there's nothing I like about the Feds but one can at least recognize that the powerful interests scratch each other's backs and Michael "Disarm the Jews" Bloomberg would be happy to help the FBI, et. al. build their case that Apple /must/ be /compelled/ to make iOS spy on its users for them, because "Apple can't even be trusted with its own security."
Look for natural alliances and opportunities to harm their common enemy. Apple isn't making me buy their walled-garden shit so on this one they're an ally of the people who want privacy and personal freedom.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Here's a couple possible scenarios.
1. The source of this is some spooky agency but they don't want people to know it was them that figured it out. So the attribution went to Amazon discovering it. A plausible cover story at first as long as no one scratched too deep. The story was socialized within the government enough that everyone believed it to be true so that's all Bloomberg heard was this successfully engineered echo chamber of a story everyone believed was true. The chip part being true and the cover story of its origin obfuscated.
The reason this would happen in this hasty way is that for obvious reasons the Trump administration needed to get out a story that shows China is a bad trading partner. So timing was rushed. The three letter agency would not want its discovery revealed because it likes to shield sources and methods. So the compromise was blame it on Amazon.
2. For whatever reason Apple and Amazon dumped some server farms or strategies. Later they realized they had dodged a bullet when the chip issue or mal firmware showed up in Supermicro. They have to be really careful here because they could be sued for bad faith in the sales contracts and failure to disclose if it could be made to look like they knew for sure the Supermicro was poison. So they are trying very hard to say they had no knowledge of this (at the time) so this doesn't become a contractual issue.
Both of these stories might be true
Some drink at the fountain of knowledge. Others just gargle.
Assuming for argument that the substitution described in the Bloomberg article occurred, the group within Apple working on it may (a) have higher security clearances than Tim Cook and the VP of Communications (b) be under national security letter gag orders to say nothing to anyone including their bosses. In which case the executive levels of Apple management may sincerely believe that the situation did not happen when it actually did.
That won't happen. At least it won't get reported on. Never let the facts get in the way of a good story.
My Other Computer Is A Data General Nova III.
What's so hard about this? It was "hackers" with "hacks". That's all you need to know. Instant credibility! Worse, it's state-backed "hackers" from China. That's double the scare right there. Because everybody knows "hackers" are scary and hey, so is China.
That's been the industry standard for 30+ years, why start with the scepticism now?
China doesn't need to add any chips, the Intel PC architecture is such a bloody mess that all China would need to do is make changes to the firmware in order to get a permanent infection that is neither detectable nor reversible without additional hardware tools.
What is this 'glue logic' you refer to?
The right place would need bus signals and network access and power, and space for a signal coupler that looks plausible in that place. And a signal coupler that appears to have the usual 5 or 6 pins, but actually has a lot more concealed underneath, and wires running from those nearby tracks to the signal coupler somehow hidden.... and some way of not getting hot.
So of course you'd need to reroute PCB signals for this to be hidden. Wires would be a dead giveaway.
Perhaps it's more like a USB attack??? Not as Bloomberg describe, but a USB controller chip doing something like COTTONMOUTH??? Or an Ethernet tap? But then how would it change the underlying OS to be modifiable as described in the article.
I'm with aglider on this, there are supposed to be loads of these motherboards around (according to the article), it should be easy to spot the hot signal coupler with the odd wiring and see.
Disinformation campaigns attempting to disrupt and scare political teams relying on Apple hardware, all those shiny silver iPhone and laptops..
Everything else is a Lie. :)
Like they Could tell you.
Truth isn't Truth - Giuliani
n/t
The three terminal component shown in the article sitting on a fingertip looks exactly like a three terminal ceramic resonator. It costs less than a crystal typically used for an oscillator. It is also less accurate but sometimes good enough.
;) ;);)
Or maybe the carriers are in on it.
The device in question would have to either be fed a refclock or derive its own clock, a PLL to either multiply the refclock or to derive it from the differential signal, have a small processor core, RAM, ROM, and some way to communicate with it, as well as being fed by one of the power rails, probably a 1.00V or 1.05V rail. In a 10nm or 14nm bare die you might be able to make it small enough and thin enough to hide between layers of the many-layer PCBs that are current technology -- or for that matter you might just make it a standard BGA surface-mount device, masquerading as a differential buffer or other differential device, like a mux, and hide it in plain sight, acting like the buffer it pretends to be, only revealing its true purpose once it's triggered properly.
If I were any company potentially affected by this (which in this case is basically all companies) I'd be very quiet and vague about it, too. The implications are massive.
Someone stumbled across an NSA project and are laying all the blame on China.
Everyone is denying everything in the hope that it goes away because if it turns out that it IS a three letter agency project, the pitchforks are going to come back out.
The NSA has long and very publicly revealed that such chips exist. It's very odd for Apple to claim they've never heard of such things. That reduces Apple's credibility. However, you'd think Apple would know if they requested an FBI investigation. That reduces Bloomberg's credibility.
This is strange. We need a thorough investigation of this story's sources. We also need to educate Apple.
not if they were made to sign a gag order. then they COULDN't tell you the truth, and how they are acting would fall right in line with how they should act under a gag order. deny, deny, deny. use your brain ffs.
Who has the better track record for reporting factually-based truths: Bloomberg or those tech companies?
Sadly, Bloomberg. Don't know what's going on as I haven't seen one opened --- so until that time I am withholding judgment as the hardware hacks have grown increasingly more sophisticated over the many years and have attended too many users forums in the past when technoid users discovered much of what the hardware was capable of, completely unknown to the designers.
I remember the naysayers about an academic (believe it was at a university in North Carolina or thereabouts) who uncovered a compromised dll file in Windows which was an NSA backdoor --- and found it to be correct.
I will continue to tune in . . .
Check it out gais.. chinese pawns EVERYWHERE.
I love you Ameritards have removed all meaning from the word fake.
BIGLY.
How's the weather in the PLA sweatshop?
https://www.marketwatch.com/st...
For Apple to say they were not aware of security issues with Supermicro is BS.
This story is getting really weird. One possibility could be that the thing was invented by US agencies to support the trade war with China. After all they already invented Saddam Hussein's WMD to support a real war.
The main question is what prompted Bloomberg to publish this story in the first place.
They are well aware that the Chinese government carries grudges and will exact a large penalty from anyone harming China's interests.
So why would Bloomberg, a firm that historically has tried hard to avoid offending China, publish a story designed to damage the reputation of the Chinese subcontractor base? Given the importance of China in the world financial framework, they are not an entity Bloomberg would casually offend.
Yet they have done just that, with a very high profile story that is thus far lacking in hard evidence. What made Bloomberg, a very profit oriented firm, do that?
Thank you for the link to Scott Adams' blog post complaining about a Bloomberg interview that he agreed to do despite believing it to be a planned "hit piece". The link to the actual excellently written and photographed Bloomberg interview that was found within Adams' blog was interesting and insightful. Hardly an example of poor journalism at Bloomberg - quite the opposite.
I enjoyed the early and mid Dilbert comics. I'm not a fan of Adams' current "philosophical" ramblings though.
It certainly seems plausible, but I'm going to take it as anti-China propaganda until the hardware is produced.
The claims make me think that the hardware only acts as an initial vector for a network attack. A tiny surface mount chip riding the SMBus data and clock lines?
"I will tell you this, Russia: If you're listening, I hope you're able to find the 30,000 emails that are missing,"
Donald Trump inviting a hostile foreign power to commit a crime July 2016
Perhaps you should reconsider your position