Slashdot Mirror
In an Unprecedented Move, Apple CEO Tim Cook Calls For Bloomberg To Retract Its Chinese Spy Chip Story (buzzfeednews.com)
John Paczkowski and Joseph Bernstein, reporting for BuzzFeed News: Apple CEO Tim Cook, in an interview with BuzzFeed News, went on the record for the first time to deny allegations that the company was the victim of a hardware-based attack carried out by the Chinese government. And, in an unprecedented move for the company, he called for a retraction of the story that made this claim. Earlier this month Bloomberg Businessweek published an investigation alleging Chinese spies had compromised some 30 US companies by implanting malicious chips into Silicon Valley bound servers during their manufacture in China. The chips, Bloomberg reported, allowed the attackers to create "a stealth doorway" into any network running on a server in which they were embedded. Apple was alleged to be among the companies attacked, and a focal point of the story. [...] "We turned the company upside down," Cook said. "Email searches, datacenter records, financial records, shipment records. We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There's no truth to this." A Bloomberg spokesperson said, "We stand by our story and are confident in our reporting and sources."
... he would be suing, not asking for a retraction.
I'd be willing to bet this is actually true and the companies don't want to publically admit it and have to recall billions are dollars in tech and they probably convinced the government it would be detrimental to the companies and rhwbeconomy for it to happen as well.
Lets be real here. China, Russia, Japan, Taiwan, and even the Grand ol USA are all trying to do the exact same thing. There is exactly ZERO chance that over the last decade Apple was not the target of one of the above listed nations trying to inject compromised hardware into their supply chain. That is not a riff on Apple, they are a major international company, they are a target. What is a nock on Apple is that Cook is a child like idiot who denies an obvious problem. Cook could have been believed if he said that Bloomberg had misidentified the vendor, or maybe timeline, or maybe response, or maybe the specific product. But to flat out deny that essentially any nation state had ever compromised their supply chain is pathetic.
... those who deny do so because they would endanger their profit in China ? I don't know how far manufacturers such Supermicro can go. But we've seen intel and AMD go pretty far with their "CPU in the CPU". So I'm more likely to buy the technical possibility, and doubt about the denial. But doubt anyway.
Totof
I don't think 'unprecedented' means what the sub thinks it means.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Because such findings would be documented, since the allegation is that they *discovered* such chips.
XML is like violence. If it doesn't solve the problem, use more.
idk... sounds fishy to me. If someone says "Dude, your car's gas tank has a hole in it", do you go search your email and financial records to see it it's true? Why not go to your fucking car and examine the gas tank and see if there's a hole?
I was reading in Ars Technica an article about Russian spies hacking athlete's doping test results. In the comment section someone I suspect to be a Russian troll was expressing mild outrage at the fact that Ars ran an article on that subject but hadn't yet mentioned anything about the Chinese chip hacking conspiracy, linking to the Bloomberg article. Both the quasi-science-fiction Bloomberg article allegations and the circumstances that led me to read it make me suspicious that it is probably fabricated. I don't think that Bloomberg journalists lied, but I consider it likely that they were fed false information that ended up in that article.
Why would you bother injecting hardware in a supply chain (which would be very expensive, on the order of millions of dollars per machine) when you can just hack their machines from the Internet?
The SuperMicro BMC story is just as ludicrous - if you can reach the device, nobody updates the firmware and even if you do, there are still various Dropbear SSH and embedded HTTP server bugs. Why even bother installing a chip when you can just reprogram the firmware to dial home.
Custom electronics and digital signage for your business: www.evcircuits.com
A company suing someone for libel / defamation is completely different from suing someone for copying your designs.
Has there been libel / defamation in the past?
How many times did Apple sue someone for libel / defamation in the past, again?
Zero times? Why would they start now?
This is more about owning a fleet of thousands of cars across states and continents and then someone says "Dude, your car's gas tank had a hole punched in it by a police officer before it shipped to you from China". Then you do indeed go through the financial records and say "dude, we never purchased a car directly from China, moreover, nobody ever noticed a leak and nobody even reported a puddle of gas in any of our parking lots"
Custom electronics and digital signage for your business: www.evcircuits.com
Even with time, if he doesn't have the clearance, then the answer he gets from within is that it didn't happen.
And yet, when it comes time for him to gather some evidence of that, it won't be available to him. His colleagues will have to apologize to him for telling him things that they know have to tell him were only rumors, or that the database holding the logs got accidentally deleted. Reports will go missing.
But still, you'd never have evidence of what didn't happen anyways, you'd only have documentation of the steps you took to check.
There is exactly ZERO chance that over the last decade Apple was not the target of U.S. of A. trying to inject compromised hardware into their supply chain
Fixed that for you.
As revealed in the Snowden leaks, the USA has been proven to do spying against its own citizens and against other countries in particular China, whereas all the Chinese hacking accusations so far are coming from the American cybersecurity companies (or its five eye partners) who have deep interested in framing a powerful foreign enemy, just like the military industrial complex accused Iraq of hiding WMDs before the Iraq War.
What is a nock on Apple is that Cook is a child like idiot who denies an obvious problem
And you have knowledge of this problem, and Tim Cook is an "idiot" because how? Because you are super sure that this must be the case? Because you see through the lies of Tim Cook to the truth of the incompetence of Apple Inc?
But to flat out deny that essentially any nation state had ever compromised their supply chain is pathetic.
Sure thing, internet dude. Whatever you say. You know the truth
You know I miss the days when stories like this would pop up and the first thing everyone would do is produce actual proof. The story literally says that China planted chips in their servers, but since the planted would have happened before the actual knowing where the board was going, they would have had to planted thousands of chips into boards in hopes of hitting a good target. So that said, finding one of these chips out in the wild shouldn't be that difficult and yet, zero people have produced an actual chip to show the story true. We literally have the Fermi paradox here. SMB would have had to produce tens of thousands of these boards that would have ended up everywhere from some CIA bunker to some NAS server in a rando University. At some point, someone, somewhere would have uncovered this and barring some complex and massive cover story conspiracy, would have seen this story and ran to side with Bloomberg to validate their claim. And yet that has not happened
So there is obviously something up here.
One, it isn't as widespread as Bloomberg paints and the Chinese got incredibly lucky with where their hacked boards went in that they're all sitting in Apple/Amazon/CIA places where no one in their right mind would come forward.
Two, it isn't as widespread as Bloomberg paints and there's maybe 1,000 - 100 boards out there and only one actually hit the target and the rest will be like finding a needle in a haystack.
Three, it is as widespread as Bloomberg paints it and everyone is a complete moron at finding these things.
Four, it is as widespread as Bloomberg paints it and the Chinese have invented a completely inconceivable clandestine process for hiding chips that far exceeds anything previously thought possible.
Five, China has somehow invaded every aspect of the reseller market for these boards and anything that's left their intended target has been brought back via these channels to China to prevent the boards from leaking out to other sources.
And hell there's likely more outcomes here than I'm covering but the point remains that given the massive claims that Bloomberg has made, some sort of hard proof should turn up and yet none has. That lack of hard proof makes me seriously question the accuracy of the story. It's an incredible claim, none the less, but count me as non-believer till I see some hard proof here. There's people who will see Cook's request as some sort of "proof" but that's just the deep down cynicism talking. This massive claim has been made, and Bloomberg really needs to back it up with something. And not that weak sauce story they printed about the researcher who found blah-blah-blah on the Ethernet port. Yeah, we all already knew about that trick. No I want to see this duplicitous capacitor or resistor looking chip that's somehow so well made that you can't tell the difference between it and an actual cap/resistor and somehow invades the board enough to leak useful info or make susceptible to an outside actor in a way that's undetectable. Because the engineering feat required to get that done isn't something I would normally attribute to Chinese scientist.
Yes, Apple and Amazon have both sued SMB before for crappy firmware. And if the story said, "They're putting super hidden firmware inside the board" I'll be honest with you, I'd be on the believer side having beers with the buds there. But this chip thing is a whole another level. Bloomberg needs to put up or shut up at this point. I'll be more than happy to eat my words if proof come across the table till then, I just don't buy this story.
The claim is that it happened in 2015, on servers that would be decommisioned by now.
Part of the claim was that Apple reported the discovery.
So it would be 'Ford says they had gas tanks with holes in them in their 2015 F150s" and Ford saying "We checked and show no documentation supporting this claim". They didn't have to start recalling all F150s to check gas tanks for whole because some random person claimed that *Ford* claimed it. There would be an expectation that the accusation would be supported by some sort of evidence.
Here, the one named source of the original story came forward to say that he was the one who provided an actual picture of a signal coupler, and that the tone of the interviewer was basically that some *other* expert had answered 'hmm.. maybe a signal coupler?' and hypothesis upon hypothesis added up to 'we have *confirmed* that this specific pictured chip is a chinese plant'.
The most likely theory was that in 2015 SuperMicro had some accindental infection on something, and that a security team said 'other vendors have better security practices'. These 'reporters' for bloomberg, however, weren't satisfied and went running vague idea through multiple sources divorced from the actual occurrence and each time asking 'well, hypothetically...' and then presenting the result as fact.
XML is like violence. If it doesn't solve the problem, use more.
Did you read the aricle?
The article did not say "we suspect a nation state has the capability to compromise Apple's supply chain". Nor did the article did not say "a nation state has at some point compromised Apple's supply chain". Either of these could be forgiven.
The article said "this specific nation state compromised Apple's supply chain in this exact way with this exact method during this time window". It was *extremely specific*, and provably false.
According to the Supreme Court case Sullivan vs. NYT, it's really hard for a public company or public personality to win a libel case. You have to prove the reported acted with malice or knowledge they were false when they were reported. If they think it's true, that's good enough. So, any politician (for example) pretty much has the burden to prove intent to harm.
A private person has better protection according to Gertz vs. Robert Welch. Basically, the idea is that any public figure (or major corporation) can counteract false news (as Cook is) by presenting evidence. But that a private person has a much harder time getting a counternarrative out there.
Your ad here. Ask me how!
Assuming it's false. And if it is false, why isn't Apple out there actually proving that it's false, rather than oh-so-gently asking for a retraction (pretty please)?
I got this email from Corvalent's mailing list (Corvalent is an industrial/embedded manufacturer). Had some of their insight into the whole ordeal which i found interesting.
What is Corvalent’s Insight on Hardware Hacking?
“It is our technical opinion that modifications of hardware, firmware and/or software are all possible ways to interfere with the normal operation of boards. Each of them has advantages and disadvantages, including technical complexity, ease of detection, and cost of implementation,” said Martin Rudloff, Corvalent’s CTO. “Typically this means that for someone to deploy an attack of the scope reported by Bloomberg in its Super Micro feature, the target must be specific and worthwhile in order to justify the high cost involved. Targeting only one or a few major companies would also minimize the risk of discovery.”
“Without deeper knowledge of the hardware and the software running on a server, information gathered from it may not allow a thief to decode or understand what the data means. And without knowing the end users’ security measures, we find it unlikely that the information could be forwarded to an external recipient,” added Rudloff.
Curiosity kicked in when we were discussing the level of difficulty in modifying the RJ45, so we decided to open one and check it out firsthand. As you can see below, it is very hard to open the metal enclosure without damaging it. The interior is fully packed, leaving little space to add additional circuitry. A fully assembled modified unit would probably be a better choice, but would involve the highly sophisticated effort of tapping into the supply chain and replacing the original parts with counterfeits.
Should we Question Such a Significant Story?
Bloomberg is a trusted new source with impeccable standards for truth and accuracy in reporting. Even so, it is possible that the story is incorrect. Sources provided data they understood to be accurate and truthful based on reports seen by them only; however, these were not shared with Bloomberg directly. There are technical inconsistencies to consider as well.
It should be possible to detect oddities in network traffic coming from a BMC behaving in unexpected ways. Alterations to the kernel and software stack should also set off alarms during or after system boot.
The chip pictured in the Bloomberg story fits on the tip of a pencil, yet it purportedly holds enough data to replace the data extracted from the BMC, alter the existing OS, and implement backdoor system access. This means the chip must either be larger than pictured or is using new lithography.
Why go to the trouble of placing a new chip on the board instead of a backdoor version of one already certified as part of the design?
Strong and specific denials by Amazon and Apple – different from the usual ‘we do not discuss issues of security as a matter of policy’– further stress the story’s validity.
Yes the story is specific, and Cooks response was general. "There's no truth to this." As per my first statement, that response does not mean, that Bloomberg got "A" detail wrong." There's no truth to this." His statement implies ALL of the details were wrong. He is not just saying that the particular components were not compromised. He is saying that none of Apples components were ever compromised. Which is the nonsensical part. His response is broader than the specific story.
"Husband to the press: Umm .. I don't know what you're talking about, but we've never called the police." The "never" is the problem. Given the size of their business it is impossible for them to never have had someone break in.
Yep.. thats says everything I need to know.
Assuming it's false. And if it is false, why isn't Apple out there actually proving that it's false, rather than oh-so-gently asking for a retraction (pretty please)?
And how do you prove that something never happened? Bloomberg claims that at least three Apple employees informed them that compromised server were found. Both Bloomberg and Apple say that Bloomberg then informed Apple, Apple investigated, and found no evidence of any of this happening. They don't even know which employees, so they can't even ask them. So, there is a giant conspiracy to keep Apple upper management from finding out about this or there is a giant conspiracy keeping not just all Apple employees that know about this from speaking out publically, but also the other "almost 30 companies" that these chips were also found out according to Bloomberg, including Amazon, Elemental, and the US government. Plus the security company in Canada that supposedly found the chips in question when Amazon found strangeness and sent them to be checked out. Amazon has also stated they have found no evidence of this ever happening and have no idea what Bloomberg is talking about, right in the original article.
You're an idiot.
They already did issue press releases about it. Bloomberg didn't retract even in the face of denials and zero evidence. Apple stepped it up by asking for a retraction. Bloomberg is again stubborn. So why should it surprise you that Apple would eventually sue for libel?
There is no evidence, and everyone has denied anything happened or that there was even an investigation. So either everyone including Apple, Amazon, the FBI and DHS are lying, or it is one huge conspiracy. Which one has the potential to be true?
I would suggest the authors of that story are either being played, or just don't care if they make it all up. Considering the amount of baseless and false accusations against many public officials lately, it seems entirely likely the story has no legs.
1. Rent a virtual server or infect a PC in China, use that to hack whatever. The logs will show a China IP. (available for anyone)
2. Spoof the IP at the ISP level (available for the ISP of the server)
3. Mess with routing and make the traffic for the Chinese IP go to your device (available for ISP of the server, a transit ISP and/or national agencies).
... I am starting to believe that the most plausible explanation to this story is that Bloomberg did receive word from genuine agency members, which were following orders to spread a rumor damaging Chinese business and promoting the sales of devices that are back-doored by US agencies.
I would still assume also the Chinese use such tampering techniques, but not in the precise way described.
"the fact that they haven't sued Bloomberg for libel/defamation means that it's real and it happened"
It may not be libelous because a) it's true, but also because b) Bloomberg had reason to believe it was true, or c) Bloomberg thought it would not be damaging to Apple (for instance, because they had long since stopped using Supermicro products). In addition it may be libelous yet not a net gain to go to court because then Bloomberg gets to do discovery on why Apple severed their relationship with Supermicro in the first place. News organizations love to get libel suits because of the oportunity to use discover to research.
You can't have it both ways. Either it is "provably false" (according to parent there), or "you can't prove a negative". If it's the latter (as you claim it), then it's not "provably false."
Either way, I'm in the happy place of being correct, which is the best thing in the world (being right on the Internet, that is).