Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Insiders Say Nobody Internally Knows What's Going On With Bloomberg's China Hack Story (buzzfeednews.com)

Posted by BeauHD on from the chaos-and-confusion dept.

An anonymous reader quotes a report from BuzzFeed News: Multiple senior Apple executives, speaking with BuzzFeed News on the condition of anonymity so that they could speak freely all denied and expressed confusion with a report earlier this week that the company's servers had been compromised by a Chinese intelligence operation. On Thursday morning, Bloomberg Businessweek published a bombshell investigation. The report -- the result of more than a year of reporting and over 100 interviews with intelligence and company sources -- alleged that Chinese spies compromised and infiltrated almost 30 U.S. companies including Apple and Amazon by embedding a tiny microchip inside company servers. Both Amazon and Apple issued uncharacteristically strong and detailed denials of Bloomberg's claims.

Reached by BuzzFeed News multiple Apple sources -- three of them very senior executives who work on the security and legal teams -- said that they are at a loss as to how to explain the allegations. These people described a massive, granular, and siloed investigation into not just the claims made in the story, but into unrelated incidents that might have inspired them. A senior security engineer directly involved in Apple's internal investigation described it as "endoscopic," noting they had never seen a chip like the one described in the story, let alone found one. "I don't know if something like this even exists," this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. "We were given nothing. No hardware. No chips. No emails." Equally puzzling to Apple execs is the assertion that it was party to an FBI investigation -- Bloomberg wrote that Apple "reported the incident to the FBI." A senior Apple legal official told BuzzFeed News the company had not contacted the FBI, nor had it been contacted by the FBI, the CIA, the NSA or any government agency in regards to the incidents described in the Bloomberg report. This person's purview and responsibilities are of such a high level that it's unlikely they would not have been aware of government outreach.

91 of 176 comments (clear)

  1. ah, the good old times by hjf · · Score: 2, Insightful

    Remember when people used to answer "I cannot confirm on deny that such action has taken place"?
    Nowadays they just flat out deny it. And then months later the truth comes up, heads roll, stock prices drop, investors buy the stock for pennies. Then people forget about it, stock prices go up, investors sell the stock, and make a lot of money.
    Everyone's happy. The head that rolled? Got his golden parachute. The investors? They got a lot of money. Everyone else? Don't remember a thing.

    1. Re:ah, the good old times by AmiMoJo · · Score: 5, Informative

      It's more like the opposite; the myths never die. Remember that famous slide that Snowden leaked showing the timeline of when the NSA infiltrated Apple, Google, Microsoft and various other tech companies? All denied they were helping the NSA but many people still believe that they are, even long after further slides showed that they were actually attacked and later took steps to prevent data collection based on the leaked info.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:ah, the good old times by turkeyfish · · Score: 1, Insightful

      Who needs truth now that we have Kavanaugh?

    3. Re:ah, the good old times by gnasher719 · · Score: 1

      Remember when people used to answer "I cannot confirm on deny that such action has taken place"?

      Sometimes there are stories that are just false or faked. So what else is Apple supposed to say? Now tell me, is it true that you are raping your children? Remember that any denial will prove that you are guilty. Refusing to comment will also prove that you are guilty. You might try admitting it, but I think that also proves you are guilty.

  2. Their response is the PR-friendly version of... by carlhaagen · · Score: 1

    ..."we can neither confirm nor deny the story".

  3. Not Sure What to Believe by crow · · Score: 4, Insightful

    I'm not sure what to believe here.

    In support of the story, China does have a long history of industrial espionage and other spying. Many believe that their economic rise was boosted by stolen IP.

    On the other hand, the current administration is clearly using allegations against China to balance the revelations that continue to come out about Russian interference. Many of the allegations from this administration towards China appear to be completely fabricated.

    But this allegation is much more detailed than anything the administration has been imagining, but the sources are all anonymous.

    1. Re:Not Sure What to Believe by DNS-and-BIND · · Score: 1, Insightful

      There is no way in the world that the NSA and the rest of the intelligence community are on Trump's side. In fact, they are his sworn enemies. The media, including Bloomberg, would never be on Trump's side. The media are Trump's sworn enemies. Both of them have been pushing Russia, hard, in an attempt to overthrow him. None of this makes sense.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Not Sure What to Believe by AmiMoJo · · Score: 2

      What makes me doubt it is how blatant it would have been. The Chinese government would have had to develop and manufacture this chip, and then get it installed on Supermicro boards which means either getting Supermicro in on it or getting the factory in on it, because I can't see them being able to alter the PCB CAD files and get a part added to the bill of materials without anyone noticing. I mean everything on the BOM has to be paid for, someone has to check the manufactured boards meet the layout and that all parts were correctly placed etc.

      Even if they did all that, it was bound to be discovered sooner or later and couldn't be passed off as a genuine mistake. The NSA and GCHQ at least make some effort at deniability, which is why when we see ridiculous bugs like Goto Fail we wonder if it was deliberate.

      And in the end there is no need to add an extra chip. Most firmware is riddled with security flaws anyway, just waiting to be found, or you can probably just bribe/pressure someone to insert one for you. The Chinese security services almost certainly have read access to the source code. The chip itself seems rather small to be doing much anyway, I mean 6 pins gives you power and maybe one bus like I2C or SPI to talk to something. No support hardware like timing crystals or power regulation for high performance.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Not Sure What to Believe by Zontar+The+Mindless · · Score: 2

      It's more like the intelligence community and the media are on America's side, and guess who isn't.

      --
      Il n'y a pas de Planet B.
    4. Re:Not Sure What to Believe by Anonymous Coward · · Score: 1

      The media are on their own side, and the intelligence community is, as far as I can tell, insane. You can pile as many insults on Trump as you like, and most of them will probably be fair - but the guy isn't anti-American in any sense I can see.

    5. Re:Not Sure What to Believe by sphealey · · Score: 2

      = = = What makes me doubt it is how blatant it would have been. The Chinese government would have had to develop and manufacture this chip, and then get it installed on Supermicro boards which means either getting Supermicro in on it or getting the factory in on it, because I can't see them being able to alter the PCB CAD files and get a part added to the bill of materials without anyone noticing. = = =

      There are a lot of difference factions in the government of the PRC and in the military of the PRC and in the branches of the military of the PRC. Some of those factions overlap and some compete, some have a variety of alliances for specific purposes.

      And any Western company that sets up shop in the PRC will have one of those factions involved in its business explicitly or clandestinely, whether it knows it or not. Back in the oughts I got yelled at because "my" computer system would not open CAD files received from the joint venture 'partner' in the PRC. A bit of snooping in the headers with a hex editor revealed that these were native files for a propriatary CAD system developed by and used only within the People's Liberation Army Air Force. Since I had been explictly told that there was no PRC government or military involvement in the joint venture I sent that info to our VP of business development; he never responded but we did get the drawings in DXF format the next week.

    6. Re:Not Sure What to Believe by DNS-and-BIND · · Score: 1

      LOL no. The intelligence community utterly despises the American people (this includes you). The media utterly despises us as well (guess who this includes?) If you're not a member of their tiny community, you're one of us. They number no more than the population of a small town. All of them put together would fit comfortably inside Waco, Texas. The Jacksonians are on the side of the American people, as they always have ever been.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    7. Re:Not Sure What to Believe by DNS-and-BIND · · Score: 1

      This intelligence community and media were the same ones who lied us into Iraq, remember? You seriously think they're on your side? How was your interest served by invading Iraq? If you didn't make a mint on military procurement, you're not in their ingroup and it is folly to identify with their interests. You are in their outgroup, along with the rest of us Americans.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    8. Re:Not Sure What to Believe by Zontar+The+Mindless · · Score: 1

      Projection is such a wonderful thing, isn't it?

      --
      Il n'y a pas de Planet B.
    9. Re:Not Sure What to Believe by Zontar+The+Mindless · · Score: 3, Informative

      This intelligence community and media were the same ones who lied us into Iraq, remember?

      *I* remember certain parties within the Bush Administration ignoring their intelligence agencies (and not just their own) and feeding a bunch of crap to the media that was later shown in the media to be just that—crap.

      --
      Il n'y a pas de Planet B.
    10. Re:Not Sure What to Believe by Zontar+The+Mindless · · Score: 1

      You're implying that I'm anti-American? Curious.

      --
      Il n'y a pas de Planet B.
  4. This story has the presumption that Apple by mykepredko · · Score: 4, Informative

    Engineers are not intimately involved in the design, support and software maintenance of their products.

    I've worked with Apple, Dell and HP server design teams in a past life and it would be highly unlikely that anything could be added to the products by board stuffers without being discovered.

    Typically for most vendors, the first failed products go straight to development to understand what the problem is to see if there are any design issues. One of the first thing that is done in the process is a review (usually by a junior engineer/technician) to make sure there haven't been any unapproved part substitutions - anything added at this point would be found. It should also be pointed out that Apple products have WiFi/BT built in which means FCC testing and that requires Apple to verify that the product is identical to what will be going down the line - if the PCB gets changed to add a chip without Apple's prior approval and validation by repeating the FCC testing then, based on the contracts I've seen and been a part of, Apple would be demanding huge amounts of compensation as well as making the vendor pay to roll the field.

    This doesn't mean that Apple hasn't added the chips for US/other governmental snooping just that it's highly unlikely that the manufacturing partners added something without Apple's approval.

    --
    Mimetics Inc. Twitter
    1. Re:This story has the presumption that Apple by Cmdln+Daco · · Score: 1

      The PCB layout would not be changed to include a rogue chip. An additional module would simply be added at the right place in some glue logic on the current board. The FCC would not be notified, because obviously Apple was not notified that the 'new' glue logic chip is being placed instead of the original.

    2. Re:This story has the presumption that Apple by mykepredko · · Score: 1

      Thank you for the clarification.

      --
      Mimetics Inc. Twitter
    3. Re:This story has the presumption that Apple by Antique+Geekmeister · · Score: 2

      You've raised an interesting point. Have you reviewed the article? There is a difference between "not on the manufacturer's component list" and "not part of the original design". That distinction could leave an opportunity for engineers at the subcontractor SuperMicro was using to insert the component into the circuit board design and component list, so that it would not show up as an unexpected part for a typical hardware evaluation. It would require a much deeper knowledge of the design to say "what is this comopnent doing here on the network data pathway" ?

    4. Re:This story has the presumption that Apple by mykepredko · · Score: 5, Interesting

      Two comments back.

      1. The servers in question aren't Apple hardware (that isn't set out in the article) as an AC pointed out. Doing a bit of research, the servers in question are Teradata "Extreme Data Appliances".

      2. When I was at Celestica, I was part of the team responsible for building Apple products - as a sub, you don't mess with the BoMs, much less the schematic/PCB layout without Apple review and approval without facing HUGE penalties (the least of which is losing the business). This is true for any Tier 1 vendor.

      --
      Mimetics Inc. Twitter
    5. Re: This story has the presumption that Apple by mykepredko · · Score: 2

      Pull all the shipped product back to factories, fix/modify it and return it to customers.

      --
      Mimetics Inc. Twitter
    6. Re:This story has the presumption that Apple by Antique+Geekmeister · · Score: 2

      That is an interesting point. But I'd assume that, as engineers at a subcontractor business, they probably don't care much about penalties form Apple. People will do astounding things for very small bribes or startlingly weak blackmail at the right moment form the right person. They might not have even known they were doing, they might merely have left their workstations insecure by accident.

    7. Re:This story has the presumption that Apple by mykepredko · · Score: 1

      Engineers might not care but their bosses do.

      Contract manufacturers in China have amazing networks. If, as an engineer, you do something that loses your company business or causes them fines you'll find yourself shitcanned with absolutely no chance at work.

      --
      Mimetics Inc. Twitter
    8. Re:This story has the presumption that Apple by Antique+Geekmeister · · Score: 1

      > you'll find yourself shitcanned with absolutely no chance at work.

      That's interesting. In the USA, employees caught with even criminal offenses in the workplace are often dismissed, quietly, to avoid scandal and legal backlash. The "blackballing" is often ineffective.

      Even if the "shitcanning" is true, rationally handling consequences is not something we can completely rely on to prevent criminal or foolish behavior. I'd expect lower level CAD engineer to require only a modest bribe. It can be very tempting to ignore the risks of getting caught when facing crushing student debt, medical expenses, or a family to support. At a more senior level, I've seen senior staff in several countries engage in various forms of design fraud, ignoring specifications to keep a project within budget. It's precisely why design reviews, and physical inspection, are so critical.

  5. So Which Seems More Likely? by Jahoda · · Score: 1, Flamebait

    Option A: The Chinese have compromised Supermicro, and have spy chips embedded in every major datacenter and product from companies such as Apple, Amazon, Dell, etc. These publicly traded companies are now involved in the wholesale denial of this event taking place

    Or, as someone who remembers the media blitz in the lead up to the Iraq war:

    Option B: The Trump "administration" (slogan: "Not Nazis Only Because We're Too Incompetent) desperately wants a media disinformation campaign to sway national opinion against evil china, to make these coming 25% tariffs even more palatable to people who are going to be righteously pissed following this holiday season.

    We have _already_ seen this agitprop bullshit ramping up here on compromised Slashdot this week. Anonymous Cowards, every single one. Sorry fascists, not buying it. Go fuck up someone else's industry.

    1. Re:So Which Seems More Likely? by Anonymous Coward · · Score: 1

      Option B:

      With their current relationships, the Trump administration couldn't get the media to print that the sun will rise tomorrow. They'd print eternal night was coming just to flare him up to send a few tweets and drum up clicks.

      Option C is far more likely: Military-Industrial complex in Neocon Washington wants to march to war, irrespective of administration, and is getting their propaganda arm in the MSM to pose tech bullshit stories at all cost. As you say, the play is too obvious after you've seen too many of these war-drum stories and can spot the gaps in the hack-writer's knowledge, and the obvious lack of any actual investigation.

      From the story: "preparing the device’s operating system to accept this new code". Which operating system? What kernel version? Which memory addresses? Oh you want some plausability: "take this hypothetical example: Somewhere in the Linux operating system...". Hypo-fucking-what now? Did you investigate this story or not? Did anyone tell you whether this was happening, or exactly how?

      If any serious reporter was investigating a real story, they'd fucking tell you EXACTLY which OSes had been compromised and how. Instead the Bloomberg propagandists make up hypothetical scenarios because their story is built on thin air because this is a Tech Gulf of Tonkin pile of horseshit. Oh, same outlet you get your financial data from too. Sucks to be retail today doesn't it?

    2. Re:So Which Seems More Likely? by Cmdln+Daco · · Score: 1

      We used to fight about things like vi versus emacs, and how emacs eats up 8 megs of RAM just to load. Linux was going to save the world, and the main enemy of the people was a piece of software from M$.

  6. Too much talking. Too few acting. by aglider · · Score: 5, Insightful

    Please, take a sample of those servers, open them and let a bunch of experts to investigate.
    Is it that difficult?

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re: Too much talking. Too few acting. by sound+vision · · Score: 2

      Other than the fact that that is exactly what was done, Apple has NEVER given straight talk about flaws in its consumer products, much less internal security issues.

    2. Re:Too much talking. Too few acting. by AmiMoJo · · Score: 1

      Used boards are on eBay right now. Anyone with a few hundred bucks could investigate.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Too much talking. Too few acting. by Anubis+IV · · Score: 2

      One side alleges the servers were removed back in 2015. The other side says the malicious servers never existed, but that the Super Micro servers that did exist were decommissioned in 2016 for unrelated reasons. Either way, there aren’t any servers around to open up and check.

    4. Re:Too much talking. Too few acting. by squiggleslash · · Score: 1

      The electron microscope you'll need to determine a "capacitor" is actually a CPU probably requires more than a hundred bucks.

      --
      You are not alone. This is not normal. None of this is normal.
  7. Check Calendar by aaarrrgggh · · Score: 2

    Midterm elections, or quarterly reports... so complicated!

    1. Re:Check Calendar by MatthiasF · · Score: 1

      Or year-end profits of short-sellers. Apple and Amazon's shares are at all-time highs this year.

  8. Does the chip in question even exist? by timholman · · Score: 5, Interesting

    "I don't know if something like this even exists," this person said, noting that Apple was not provided with a malicious chip or motherboard to examine.

    My colleagues and I were discussing this story last week. My research group has done some work in secure computing, and we were frankly surprised that someone would bother to add a compromised piece of hardware to a motherboard.

    Software intrusions always provide plausible deniability to the attacker, which is critical to state-sponsored espionage. But a hardware hack, where someone succeeds in adding a component to a motherboard without the knowledge of the designer, is far more difficult and far more dangerous. A device in hand can be reverse-engineered, and forensics performed to determine exactly when and how it was inserted into the manufacturing chain. Experts can even determine the exact IC fab in which the chip was manufactured.

    On top of that, a company that allows its manufacturing process to be compromised has essentially ruined itself. What customer would trust it again? Sure, it is possible that the Chinese government would be willing to spend the money to create a company that could be sacrificed to a state espionage effort, but the problem remains that if the espionage is uncovered, no one will trust any installed hardware purchased from them.

    Software intrusions remain extremely successful. The Chinese purportedly breached the OPM and copied all of the personnel files for every U.S. citizen with a security clearance back in 2014, but to this day no one can be entirely sure who was behind it. Likewise, Russia constantly denies its own state-sponsored hacks. For that matter, so does the U.S.A., and everyone else. Why give up such a successful exploit vector in favor of one that provides an undeniable trail back to the perpetrator?

    So exactly what is the story behind this Bloomberg article, and where is the proof that the hack actually happened? Someone needs to produce some hardware as proof. This story is definitely becoming even more interesting.

    1. Re:Does the chip in question even exist? by Jahoda · · Score: 1

      So exactly what is the story behind this Bloomberg article, and where is the proof that the hack actually happened? Someone needs to produce some hardware as proof. This story is definitely becoming even more interesting.

      Cui bono?

    2. Re: Does the chip in question even exist? by Ostracus · · Score: 1

      Well these are cloud servers, not Joe's Rat Shack computer shop. But I do see the whole thing as China's version of Stuxnet 2.0. Sort of a "we can do it too". Information leakage is important to china's economic war on the world. Kill switches can do a lot of damage too, especially if timed right with other events.

      --
      Shai Schticks:"You don't make peace with friends, you make peace with enemies"
    3. Re:Does the chip in question even exist? by DNS-and-BIND · · Score: 2

      This has happened a lot lately, don't discount it. Just about when Trump was going to end the Syrian war, Assad attacked with chemical weapons, just about the worst possible timing. When Russia should have been laying low, it did that chemical weapons poisoning in Britain, again the Russian government's timing was horrible. Iran just got caught red-handed planning a terrorist attack in France, just at the time they were about to get out of the US sanctions by bypassing them through the EU. So don't underestimate the ability of governments to time their actions poorly. This sort of thing is right up China's alley and is precisely what we would expect them to do.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    4. Re:Does the chip in question even exist? by Zontar+The+Mindless · · Score: 1

      Just about when Trump was going to end the Syrian war...

      That's a mighty long-winded way to say "Never".

      --
      Il n'y a pas de Planet B.
    5. Re:Does the chip in question even exist? by DNS-and-BIND · · Score: 1

      Oh, he was. Then the next week Assad attacked with chemical weapons, killing that idea entirely. Even though it was probably the worst thing he could have done. Trump launched missiles at Syrian airfields - earning unprecedented praise from the US media. Just goes to show you governments make terrible decisions at the worst times.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    6. Re:Does the chip in question even exist? by Narcocide · · Score: 1

      ...earning unprecedented praise from the US media.

      That's a massive overstatement, and you seem to be making a better case for the possibility that Trump and Assad's fight over Syria was a coordinated public staging of aggression.

    7. Re:Does the chip in question even exist? by AHuxley · · Score: 1

      Re "where is the proof that the hack actually happened?"

      The part about "Since the implanted chips were designed to ping anonymous computers on the internet for further instructions, operatives could hack those computers to identify others who’d been affected."?

      Really smart people with investigative skills in the USA followed the "internet" use back from the chips?

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:Does the chip in question even exist? by angel'o'sphere · · Score: 1

      Iran just got caught red-handed planning a terrorist attack in France
      Pretty unlikely. Why would Iran attack one of its biggest (if not THE BIGGEST) trade partners?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    9. Re:Does the chip in question even exist? by mentil · · Score: 1

      France tends to piss off Muslims (remember the Charlie Hebdo attack?) and Iran holds the reins of Hezbollah and other terrorist groups. There have been several Islamic terrorist attacks in France in the past few years, I haven't done research but it wouldn't surprise me if some of the attackers had ties to Iran. I suspect it's less "Iran sicced its dogs" so much as "didn't keep their dogs on a short enough leash." Also, countries go after their biggest trade partners *cough* China and USA *cough* all the time.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    10. Re:Does the chip in question even exist? by angel'o'sphere · · Score: 1

      I read up a bit on it.

      An iranian group, and some traveling iranian politician was involved, probably planned to assassinate another iranian living in France ... so: no terrorist attack.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    11. Re:Does the chip in question even exist? by DNS-and-BIND · · Score: 1

      It was notable because the press NEVER praises Trump, and yet when he attacked a country that's not at war with us, suddenly they were full of approval. Weird, eh?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    12. Re:Does the chip in question even exist? by starman97 · · Score: 1

      It's actually quite likely, if this chip/mod/hack whatever causes a problem, the board will be pulled and sent for repair.
      Of if the board comes in for something else and the odd part is noticed, when you look at these boards all day, something different sticks out.
      Someone's going to inspect that board and do some analysis to see if it's a problem that affects thousands of other servers.
      Once one chip gets found, the datecode printed on the board will identify the factory and production date.
      That would start a purge of all the boards and a major blacklisting of the manufacturer.
      None of the big guys (Foxconn, Wistron, Inventec, Quanta etc ) would risk it, the tracking would point right back to them.

      --
      Starman97@Gmail.com (bring it on spammers)
  9. Re:BuzzFeed "News" ... Bloomberg "News" ...Clear n by Jahoda · · Score: 3, Insightful

    Oh, well, thank god then you've linked to such quality blogs proving the "Fake News" from Bloomberg whose "opposition to president Trump knows know bounds". I know blogspot and "godsavethepoints" are where I go when I'm looking for cutting edge investigative journalism and not a fart sniffing boomer echo chamber about muh fake news.

  10. Bloomberg got pwn3d by mveloso · · Score: 5, Interesting

    Quite frankly, Bloomberg got fooled by a bunch of people who, for whatever reason, gave them this story.

    Why would people do this? I can think of a bunch of reasons off the top of my head:

    * someone wanted SuperMicro to play ball, and they refused. This is payback.
    * someone wanted SuperMicro's stock to fall, and fall a lot.
    * someone wanted to demonstrate they could get the press to print anything, no matter how ridiculous.
    * someone wanted to teach Bloomberg a lesson
    * someone wanted to throw doubt on the Chinese supply chain. The one that supplies like all the electronics to the US.
    * someone wanted China to share some of the attention

    It could be all of the above. But really, the story is bullshit. The superchip is a story cooked up to fool reporters, reporters who are smart enough fool themselves into thinking they understand how computers work.

    What I'm surprised at is that they didn't ask anyone in the industry about the details. You can always theoretically wire something into a mobo and hide it. You can't practically get something that small to do everything they said it could do. Even James Patterson could tell the difference.

    1. Re:Bloomberg got pwn3d by JoeyRox · · Score: 1

      What I'm surprised at is that they didn't ask anyone in the industry about the details. You can always theoretically wire something into a mobo and hide it. You can't practically get something that small to do everything they said it could do. Even James Patterson could tell the difference.

      Bloomberg had several sources inside the industry about the details, including Apple themselves.

    2. Re:Bloomberg got pwn3d by JoeyRox · · Score: 1

      Don't think so - Bloomberg says they have 17 independent sources for this story.

    3. Re:Bloomberg got pwn3d by Anonymous Coward · · Score: 1

      The story is quite plausible though. It would be entirely possible to hook in to the BMC with a small chip and cause it to do "other" stuff than it's suppose to. The BMC (Baseboard Management Controller) exists on a motherboard as it's own fully functional standalone computer. It has its own hardware, processor, embedded operating system, network controller, etc. It's a very simple system and that simplicity makes it easy to modify it. It runs all the time and can not be turned off. Although its network controller can be "disabled" by simply not connecting a network cable to it. However, it still has full control of the whole motherboard (Firmware/BIOS and some access to external hardware on the rest of the motherboard).

    4. Re:Bloomberg got pwn3d by Lije+Baley · · Score: 1

      Bloomberg had several fake sources inside the industry about the details, including Apple themselves.

      There, fixed that for you.

      --
      Strange things are afoot at the Circle-K.
    5. Re:Bloomberg got pwn3d by hackingbear · · Score: 1

      Exactly! This reminds us the Iraqi Weapon of Mass Destruction saga. At the end, it was the Americans who supplied Iraq the few remaining chemical bombs used in Iraq-Iran war to kill Iranian civilians. Of course, we Americans don't really care if the U.S. is a hypocritical terrorist country and we just promptly showed our patriotism and paid our money.

      The American media and political institutions need to portray China as an evil empire in order to garner readership and supports from its populace; the American military industry (and cyber security) complex need to invent a new powerful foreign enemy to rid off our money.

    6. Re:Bloomberg got pwn3d by Narcocide · · Score: 1

      * all of the above?

    7. Re:Bloomberg got pwn3d by grep+-v+'.*'+* · · Score: 1
      Slightly offtopic, but item #3:

      * someone wanted to demonstrate they could get the press to print anything, no matter how ridiculous.

      Here's an article about a series of academic-journal hoaxes which were trying to get printed in the "the best journals in the relevant fields." --- Is Huge Publishing Hoax 'Hilarious and Delightful' or an Ugly Example of Dishonesty and Bad Faith?

      Of the 20, seven papers were accepted, four were published online, and three were in process when the authors [stopped.]

      "It could be all of the above. But really, the story is bullshit." -- I complete agree with you here.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    8. Re:Bloomberg got pwn3d by mentil · · Score: 1

      Or the journalist's phone line was rerouted and he talked to 17 different spooks. No matter how it shakes out, there's way more to this story.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    9. Re: Bloomberg got pwn3d by starman97 · · Score: 1

      It's also going to need to connect to both SCK and SDA and 3.3V and GND to do anything on the bus.
        Typical I2C topology only has discrete 10K pullups to VDD, can't do much with a 2 pin device that's in an 0201 package.

      --
      Starman97@Gmail.com (bring it on spammers)
  11. Deep State Disinfio by bill_mcgonigle · · Score: 2, Interesting

    If there's one thing i like about Apple it's their intense hatred for either doing the government's bidding or funding their attempts to do so.

    If there's one thing I like about the Feds it's ... ok, there's nothing I like about the Feds but one can at least recognize that the powerful interests scratch each other's backs and Michael "Disarm the Jews" Bloomberg would be happy to help the FBI, et. al. build their case that Apple /must/ be /compelled/ to make iOS spy on its users for them, because "Apple can't even be trusted with its own security."

    Look for natural alliances and opportunities to harm their common enemy. Apple isn't making me buy their walled-garden shit so on this one they're an ally of the people who want privacy and personal freedom.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  12. two and a half theories on this by goombah99 · · Score: 4, Interesting

    Here's a couple possible scenarios.

    1. The source of this is some spooky agency but they don't want people to know it was them that figured it out. SO the attribution went to Amazon discovering it. A plausible cover story at first as long as no one scratched too deep. the story was socialized within the government enough that every one believed it to be true so that's all bloomberg heard was this succefully engineered echo chamber of a story everyone believed was true. The chip part being true and the cover story of it's origin obfuscated.

    The reason this would happen in this hasty way is that for obvious reasons the Trump administration needed to get out a story that shows china is a bad trading partner. SO timing was rushed. The three letter agency would not want it's discovery revealed because it like to shield sources and methods. So the compromise was blame it on amazon.

    2. For whatever reason apple and amazon dumped some server farms or strategies. Later they realized they had dodged a bullet when the chip issue or mal frimware showed up in supermicro. They have to be really careful here because they could be sued for bad faith in the sales contracts and failure to disclose if it could be made to look like they knew for sure the Supermicro was poison. So they are trying very hard to say they had no knowledge of this (at the time) so this doesn't become a contractual issue.

    Both of these stories might be true

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re: two and a half theories on this by brunes69 · · Score: 1

      This is by far the most likely scenario.

    2. Re:two and a half theories on this by Narcocide · · Score: 1

      4. A hit job against SuperMicro?

    3. Re: two and a half theories on this by keltor · · Score: 1

      Consider the possibility that Bloomberg is not at all aware that the story is fake, but that doesn't preclude the idea that the story is still fake.

    4. Re: two and a half theories on this by mentil · · Score: 1

      And if they were fed a fake story, then they mea culpa later and Bloomberg loses face. Now who might want to damage Bloomberg's reputation AND make people wary of Chinese tech companies?

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    5. Re:two and a half theories on this by Swave+An+deBwoner · · Score: 2

      https://www.washingtonpost.com/technology/2018/10/04/china-inserted-surveillance-microchip-servers-used-by-amazon-apple-according-report/

      The report came just hours before Vice President Pence was to deliver a stinging rebuke of China in a speech at the Hudson Institute in Washington. Pence was expected to issue a range of criticisms at what the Trump administrations sees as China’s increasingly aggressive behavior, including allegations by President Trump last week that the country is interfering in the U.S. midterm elections.

  13. Re:Apple's full-court press against this story by angel'o'sphere · · Score: 3, Insightful

    Why is Apple trying so hard to deny a story that Bloomberg insists is accurate and very well sourced?
    Because the Bloomberg story is bollocks?
    No idea, but the stuff they wrote about Germanies renewable energy was usually all the time I bothered to read it: bollocks.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  14. Re:Apple's full-court press against this story by Jahoda · · Score: 2

    Why is Apple trying so hard to deny a story that Bloomberg insists is accurate and very well sourced? .... Because they all realize this has the potential to destroy the very core of their supply chains. This would be extremely disruptive and costly to their businesses

    Apple does not produce server products, foxconn produces their motherboards, and they also have one of the most secure production chains in the industry.

  15. Facts by JBMcB · · Score: 2

    That won't happen. At least it won't get reported on. Never let the facts get in the way of a good story.

    --
    My Other Computer Is A Data General Nova III.
  16. The chip is already there by Anonymous Coward · · Score: 1

    China doesn't need to add any chips, the Intel PC architecture is such a bloody mess that all China would need to do is make changes to the firmware in order to get a permanent infection that is neither detectable not reversible without additional hardware tools.

  17. Re:Should be easy to find by Megol · · Score: 1

    The obvious match would be a logic + memory chip hooked into a serial firmware ROM (EEPROM/Flash whatever) data and clock path. This need only cause some kind of vulnerability that is unlikely to be triggered unintentionally but can be triggered remotely with a series of events (data packages most likely) - very hard to detect in a live system.

    I still think this is either FUD or deliberate disinformation from some security group with some unknown agenda.

  18. Re:Apple's full-court press against this story by Jahoda · · Score: 2

    I'm not missing the anything for the anything. I wasn't born yesterday, and unlike the right-wing, I can think. Enjoy your anti-Chinese propaganda / movieland fantasy about the magical remote access chip that plugs directly into the BMI and injects code into the CPU any everything!

  19. There is No Such Agency. by Grog6 · · Score: 2

    Everything else is a Lie. :)

    Like they Could tell you.

    --
    Truth isn't Truth - Guliani
  20. Called the Clipper chip, right? by evanh · · Score: 1

    ;)
    Or maybe the carriers are in on it. ;);)

  21. Fantastic, but possible by Rick+Schumann · · Score: 1

    The device in question would have to either be fed a refclock or derive it's own clock, a PLL to either multiply the refclock or to derive it from the differential signal, have a small processor core, RAM, ROM, and some way to communicate with it, as well as being fed by one of the power rails, probably a 1.00V or 1.05V rail. In a 10nm or 14nm bare die you might be able to make it small enough and thin enough to hide between layers of the many-layer PCBs that are current technology -- or for that matter you might just make it a standard BGA surface-mount device, masquerading as a differential buffer or other differential device, like a mux, and hide it in plain sight, acting like the buffer it pretends to be, only revealing it's true purpose once it's triggered properly.

    If I were any company potentially affected by this (which in this case is basically all companies) I'd be very quiet and vague about it, too. The implications are massive.

    1. Re:Fantastic, but possible by Todd+Knarr · · Score: 1

      It'd also need connections to the PCIe bus. That's easy enough to get, but it means a lot of traces going into a single chip that oughtn't have that many incoming traces. I'm thinking it'd be easier to modify the EFI firmware and hide a small extra processor in the southbridge chip.

    2. Re:Fantastic, but possible by ezdiy · · Score: 1

      I too tend to think this would be super over-engineered and the story sounds BS. But passive, 2 terminal SMT is a place where nobody would look, whereas a huge mux chip actually "does" something and would be more "intuitive" subject of scrutiny if something is taken apart to find out where the signal comes from - and would be much cheaper to manufacture a trojanized one.

      The thing reported might be viable though, possibly as a pull resistor for data line and nothing more. Power source is not really an issue with tiny ASICs - we're talking few thousand gates, majority MROM with the malware, and about as smart as a passive RFID tag. Those can run directly from the line. Such a "resistor" can then "blink" the line at very little power cost. Engineering similair to NFC.

  22. Re: How would it get the signals? by Cmdln+Daco · · Score: 1

    Bloomberg is a bunch of journalists. It's entirely expected that their verbiage would reduce the good description gp commenter made into a 'chip'.

  23. Awaiting more facts . . . by sgt_doom · · Score: 1

    Who has the better track record for reporting factually-based truths: Bloomberg or those tech companies?

    Sadly, Bloomberg. Don't know what's going on as I haven't seen one opened --- so until that time I am withholding judgment as the hardware hacks have grown increasingly more sophisticated over the many years and have attended too many users forums in the past when technoid users discovered much of what the hardware was capable of, completely unknown to the designers.

    I remember the naysayers about an academic (believe it was at a university in North Carolina or thereabouts) who uncovered a compromised dll file in Windows which was an NSA backdoor --- and found it to be correct.

    I will continue to tune in . . .

    1. Re:Awaiting more facts . . . by AHuxley · · Score: 2, Insightful

      PRISM showed what the tech companies would say and how they would say it.

      --
      Domestic spying is now "Benign Information Gathering"
  24. Re:A third possibility by sphealey · · Score: 1

    Yeah. Once you have gone down the rabbit hole once - and the document leaks of the last 5 years have taken anyone who is technically inclined there at least once - you will have a hard time NOT thinking something like this is what happened.

  25. Re:Apple's full-court press against this story by squiggleslash · · Score: 1

    Apple does not produce server products

    Neither does Amazon. The articles have been very clear that theyr'e talking about Supermicro servers.

    This is about cloud services. Apple doesn't run its cloud on Macs, if that's what you think.

    --
    You are not alone. This is not normal. None of this is normal.
  26. Calling BS on Apple by supercell · · Score: 1
    I had shares of SMCI back in 2017 and sold them not long over these reports came out, that Apple dropped a large contract with Supermico over security concerns.

    https://www.marketwatch.com/st...

    For Apple too say there were not aware of security issues with Supermico is BS.

  27. An alternative thruth campaign? by manu0601 · · Score: 1

    This story is getting really weird. One possibility could that the thing was invented by US agencies to support the trade war with China. After all they alredy invented Sadam Hussein's WMD to support a real war.

  28. Re:Apple's full-court press against this story by gravewax · · Score: 2

    Most people don't need to be paid to think, perhaps you do? the story doesn't pass the smell test, I suspect what we have here is sources that were getting paid and hence made up something to get their money. Something of this scale doesn't stay secret and is very easily proven if true.

  29. What does Bloomberg gain from this report? by etudiant · · Score: 1

    The main question is what prompted Bloomberg to publish this story in the first place.
    They are well aware that the Chinese government carries grudges and will exact a large penalty from anyone harming China's interests.
    So why would Bloomberg, a firm that historically has tried hard to avoid offending China, publish a story designed to damage the reputation of the Chinese subcontractor base? Given the importance of China in the world financial framework, they are not an entity Bloomberg would casually offend.
    Yet they have done just that, with a very high profile story that is thus far lacking in hard evidence. What made Bloomberg, a very profit oriented firm, do that?

  30. Re:Siloed vs clearance by ezdiy · · Score: 1

    This. Possible need-to-know basis, and whoever got wind of it is gagged. Then, complete fabrication is also plausible, bloomberg isn't what it used to be when it comes to due diligence and impartiality in recent years.

  31. Re:Siloed vs clearance by mentil · · Score: 1

    So they contacted the FBI without going through Legal first? Or are you saying the anonymous source in the Legal department isn't talking because of the National Security Order (an NSL is only a request for information). Furthermore, Apple and other tech companies now have permission to give annual reports of how many NSO's they've received in the past year, so they all should've received one in 2015/16, that's easy to check.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  32. Re:BuzzFeed "News" ... Bloomberg "News" ...Clear n by Swave+An+deBwoner · · Score: 2

    Thank you for the link to Scott Adams' blog post complaining about a Bloomberg interview that he agreed to do despite believing it to be a planned "hit piece". The link to the actual excellently written and photographed Bloomberg interview that was found within Adams' blog was interesting and insightful. Hardly an example of poor journalism at Bloomberg - quite the opposite.

    I enjoyed the early and mid Dilbert comics. I'm not a fan of Adams' current "philosophical" ramblings though.

  33. Re:Siloed vs clearance by gnasher719 · · Score: 1

    The US government could produce gag orders, but the original story is that Apple employees went to the FBI. I would also like to know on which grounds there would be a gag order from the government. It doesn't make sense.

  34. Re:How would it get the signals? by Cmdln+Daco · · Score: 1

    What is this 'glue logic' you refer to?

    The right place would need bus signals and network access and power, and space for a signal coupler that looks plausible in that place.

    'Glue logic' is the stuff in between all of that, that connects all of it.

    Why would a signal coupler be needed? The 'bug' chip uses the resources of the system to communicate, in the spaces between the normal traffic.