Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bloomberg is Still Reporting on Challenged Story Regarding China Hardware Hack (washingtonpost.com)

Posted by msmash on from the state-of-things dept.

Erik Wemple, writing for The Washington Post: According to informed sources, Bloomberg has continued reporting the blockbuster story that it broke on Oct. 4, including a very recent round of inquiries from a Bloomberg News/Bloomberg Businessweek investigative reporter. In emails to employees at Apple, Bloomberg's Ben Elgin has requested "discreet" input on the alleged hack. "My colleagues' story from last month (Super Micro) has sparked a lot of pushback," Elgin wrote on Nov. 19 to one Apple employee. "I've been asked to join the research effort here to do more digging on this ... and I would value hearing your thoughts (whatever they may be) and guidance, as I get my bearings."

One person who spoke with Elgin told the Erik Wemple Blog that the Bloomberg reporter made clear that he wasn't part of the reporting team that produced "The Big Hack." The goal of this effort, Elgin told the potential source, was to get to "ground truth"; if Elgin heard from 10 or so sources that "The Big Hack" was itself a piece of hackery, he would send that message up his chain of command. The potential source told Elgin that the denials of "The Big Hack" were "100 percent right."

According to the potential source, Elgin also asked about the possibility that Peter Ziatek, senior director of information security at Apple, had written a report regarding a hardware hack affecting Apple. In an interview with the Erik Wemple Blog, Ziatek says that he'd never written that report, nor is he aware of such a document. Following the publication of Bloomberg's story, Apple conducted what it calls a "secondary" investigation surrounding its awareness of events along the lines of what was alleged in "The Big Hack." That investigation included a full pat-down of Ziatek's own electronic communications. It found nothing to corroborate the claims in the Bloomberg story, according to Ziatek.

37 of 71 comments (clear)

  1. Who to believe, who to believe by Anonymous Coward · · Score: 4, Funny

    Gee, who do I believe, the company that invented "you're holding it wrong" to explain away a defective case design, the company that's had so many "antenna-gates" and "bend-gates" that you have to ask "which one" when someone brings it up (the latest: the new iPad Pro will bend if you hold it along the edge, which you have to do, because it's "all screen"), the company that lied about tracking its users, the company that lied about slowing down older devices? Or do I believe an investigative journalist who found multiple sources confirming the hack happened?

    Man, this is a hard choice.

    1. Re:Who to believe, who to believe by Anubis+IV · · Score: 5, Insightful

      Setting aside the logical fallacy you're engaging in by attempting to poison the well, virtually nothing about Bloomberg's story makes sense.

      They say the chips were first noticed in mid-2015 at Apple and that Apple and Amazon dropped Super Micro as a supplier in response to the discovery, but Apple didn't stop using Super Micro boards until after an unrelated issue in mid-2016 and Amazon was still using Super Micro boards as recently as a few months ago. They say the chips were caught at Amazon because the chips were phoning home using the Internet, but the allegedly affected servers at Amazon weren't even connected to the Internet in the first place. They claimed that nearly 10,000 Super Micro boards were affected at Apple, but the most Super Micro boards ever in Apple's possession was nearly an order of magnitude fewer than that. They say that numerous people in the affected companies and governments of multiple nations had direct knowledge of these incidents, yet these people, companies, and governments are denying any such knowledge, even going so far as—in the case of Apple—to say so under oath to Congress while affirming that there's no gag order or NSL at play.

      Meanwhile, Bloomberg is apparently unsure enough about their own reporter's story that they've sent out at least one fresh reporter, possibly more that we don't know about, to investigate the merits of the original story. Of course, their doubt isn't surprising, given that their own background source (one of their only named sources in the original article) has come out against the story because he considers it wholly implausible that the Chinese were already doing everything that he said could theoretically be possible in exactly the way he described. And while most of us here understand that extraordinary claims require extraordinary evidence, they've failed to produce evidence of any kind, extraordinary or otherwise, despite claims that would suggest there should be an abundance of evidence to choose from across a multitude of organizations (e.g. e-mails, pictures, the chips themselves, etc.).

      So who are you going to believe: reporters whose own organization doubts them, whose own sources don't believe them, and whose extraordinary evidence doesn't exist, or literally everyone else who would have knowledge of the subject?

      Bloomberg, on the whole, is a good news organization, and Apple has certainly had its missteps, but all signs point to this story being a mistake on Bloomberg's part.

    2. Re:Who to believe, who to believe by Junta · · Score: 3, Informative

      Or do I believe an investigative journalist who found multiple sources confirming the hack happened?

      The one named source in the original story came forward and said his interaction should *not* have been interpreted as confirmation, and that his conversation was misrepresented. He was asked 'what's a signal coupler?' and answered with a link to a part catalog showing what a signal coupler is. Additionally he provided hypothetical explanation of how a hardware hack might work. This became 'Joe Fitzpatrick confirms this is a hacked chip found in the hardware!'

      The way his response was misinterpreted caused him to understandably be skeptical of the whole article.

      https://appleinsider.com/artic...

      There are plenty of reasons to be concerned about supply chain security. However this specific article is in all likelihood a completely bogus take on a much more mundane reality more widely reported about SuperMicro not being generally secure enough at the time to continue to be a supplier to certain datacenters.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:Who to believe, who to believe by Anonymous Coward · · Score: 1

      Bloomberg, on the whole, is a good news organization, and Apple has certainly had its missteps, but all signs point to this story being a mistake on Bloomberg's part.

      You know the best evidence it's not a mistake? Apple hasn't sued Bloomberg yet.

      Apple is more than happy to sue journalists. They do it all the time to "protect trade secrets" and "stop leaks."

      But they haven't sued Bloomberg over this.

      Odd.

    4. Re:Who to believe, who to believe by Anonymous Coward · · Score: 1

      Defamation suits between public entities are difficult win because you not only have to prove the defamer knew the story was false, but they used it to harm the defamed.

    5. Re:Who to believe, who to believe by Anubis+IV · · Score: 1

      You know the best evidence it's not a mistake? Apple hasn't sued Bloomberg yet.

      I've heard several people suggest this is evidence of something. I'm eager to hear your attempt at reading the tea leaves.

      Apple is more than happy to sue journalists. They do it all the time to "protect trade secrets" and "stop leaks."

      But they haven't sued Bloomberg over this.

      Odd.

      I'm afraid your interpretation undermines itself.

      If Apple sues journalists "all the time" to discourage leaking, then how does a lack of a suit serve as evidence of a leak? Quite the contrary, it would actually suggest the opposite: that the article was bereft of leaked info over which Apple could sue. After all, if Bloomberg's article was true, your belief about Apple's lawsuit habits would have us conclude that Apple should have sued Bloomberg by now. Thus, the fact that Apple hasn't sued already would suggest (but not prove) that Bloomberg's article isn't true.

      That said, I don't ascribe to your belief that "Apple is more than happy to sue journalists" "all the time". If they did, wouldn't they have sued Gizmodo after Gizmodo acquired a lost iPhone prototype? That didn't happen. Nor did Apple sue anyone these last several years each time parts, pictures, and technical diagrams have leaked in the weeks leading up to major product announcements. Nor did anyone get sued when private builds for unannounced products were discovered to be accessible from outside their network and developers were able to document new features and product details in advance of the product's announcement. In fact, the last time I'm aware of Apple suing journalists was way back in 2004, when, as you suggested, they sued in order to combat a leak that had occurred.

      I'm not saying it never happens, but I'm not aware of any lawsuits against journalists in the post-Jobs era of Apple, so—at least from my viewpoint—a lack of a lawsuit here is just par for the course. Besides which, what's Apple supposed to sue them for if the story is false? The best I can figure is defamation or libel, but it's incredibly bad PR for the world's most popular brand to pick on the little guys for saying mean things. And if the story is true, what are they supposed to sue them for? I can't think of anything.

      To me, not suing is the only thing that makes any sense, regardless of if the article is true or not.

    6. Re:Who to believe, who to believe by AHuxley · · Score: 1

      Re "everyone else who would have knowledge of the subject?"
      That everyone else safe feeling worked for years in the West before Snowden and PRISM...

      --
      Domestic spying is now "Benign Information Gathering"
  2. Re:ok by tepples · · Score: 1

    Particularly when there's (as of 17:15 UTC) no alternative source for Slashdot readers whose subscription packages happen not to include The Washington Post.

  3. If it were only Apple... by SuperKendall · · Score: 2, Insightful

    Gee, who do I believe, the company that invented "you're holding it wrong"

    The problem is, despite your hatred for Apple and desire to see them be wrong in all things - it's not just Apple this claim was made about. It was also made about Amazon, who refutes the story to the same degree (i.e. fully)., and some other companies.

    The problem is that there is also no physical evidence - at all. You brought up the "holding it wrong" issue, to which there was copious testing and personal evidence showing there was a problem, There is nothing anywhere like that in this case, only Bloomberg is making this claim, based on a second-hand report from some source with no ties to Apple.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:If it were only Apple... by tlhIngan · · Score: 2

      The problem is that there is also no physical evidence - at all. You brought up the "holding it wrong" issue, to which there was copious testing and personal evidence showing there was a problem, There is nothing anywhere like that in this case, only Bloomberg is making this claim, based on a second-hand report from some source with no ties to Apple.

      Well, chances are China DID do this. But both Apple and Amazon caught it before putting the machines into service - either during hardware inspection to make sure the machines were built to spec, or during qualification testing where oddball traffic gets detected.

      You have to remember both companies dumped SuperMicro as a supplier around the same time a couple of years ago which is considered quite odd since SuperMicro was one of the few server board manufacturers out there

      Additionally likely is the modification was not caught by other companies, until alerted to it by Apple/Amazon that something like this happened.

      There probably is some grain of truth to the story, it's just it became a non-story because it got caught

    2. Re:If it were only Apple... by Anubis+IV · · Score: 2

      The problem is because of the PATRIOT ACT, NSLs, the FISA court and the NDAA 2014 [...]

      Let me stop you right there. You'd have a really good point, if not for the fact that Apple has explicitly denied being under an NSL or gag order of any sort. I'd guess that you're familiar with warrant canaries, right? So you likely already know that the government can compel companies to remain silent about a gag order, but it can't compel them to lie about being under one. Thus, if Apple is lying it's because they've chosen to do so of their own volition, not because they're being compelled to do so by an NSL or gag order.

    3. Re:If it were only Apple... by Junta · · Score: 3, Insightful

      Well, chances are China DID do this.

      Most experts agree that China most likely did *NOT* do this. Not because they *wouldn't*, but a mix of they *couldn't* (the alleged component isn't in a useful position to actually *do* anything that interesting from a snooping perspective) and they would have much better ways of doing an attack (the platform in question had no protections for firmware, China could have freely replaced firmware and it would have been *much* less likely to get caught and have much greater access to actually useful data.

      You have to remember both companies dumped SuperMicro as a supplier around the same time a couple of years ago

      Yes and at the time, sources noted that Supermicro's download site had been hacked once with malicious firmware, and that incident reminded everyone that SuperMicro wasn't doing anything to protect the integrity of the firmware from malicious attack, and that's enough strikes to be out. There may have been a desperate 'premium' vendor in the mix too willing to compete on price with a much better product.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    4. Re:If it were only Apple... by timholman · · Score: 3, Insightful

      The problem is that there is also no physical evidence - at all.

      And that is the lynchpin of this entire matter. Supposedly tens of thousands of motherboards purchased by multiple companies were altered, yet not one piece of physical evidence, or even a photograph of a die, has been produced.

      My research group has had some involvement with "trusted microelectronics". When the Bloomberg story first broke, we discussed between ourselves how bizarre it was that China would bother with a traceable hardware hack, when software exploits (which provide plausible deniability) have been so successful for them in the past. It made no sense to us.

      Now, as the weeks have gone by, it has become clear that the story is essentially a fabrication. If it were not, hard evidence would have surfaced by now. Someone at Bloomberg wanted so much for it to be true that fact-checking and source-checking fell by the wayside. It has happened to other reputable news agencies in the past (e.g. New Republic, Rolling Stone, New York Times). When a story fits a desired narrative, all the checks and balances of good journalism fall by the wayside.

      I am reminded of a scene from the movie "Shattered Glass", when a receptionist comments that the scandal with the fabricated stories by Stephen Glass could have been avoided if the New Republic had required him to provide photographs. Bloomberg should have taken that lesson to heart.

    5. Re:If it were only Apple... by gtall · · Score: 1

      "Well, chances are China DID do this." Oh? What are the probabilities involved? Could you please show us the data supporting these probabilities?

  4. Proof by JBMcB · · Score: 2

    Does anyone have a packet capture of one of these things leaking data? Or heck, slice the lid off the chip and tap into it's ROM to figure out what it's doing. That's how MAME developers cracked Capcom's CPS2 encryption system.

    --
    My Other Computer Is A Data General Nova III.
    1. Re:Proof by NuclearCat · · Score: 1

      Yes for sure, here it is: http://some.private.site.at.ap...

    2. Re:Proof by MatthiasF · · Score: 2

      ZOMG!! Your link doesn't work anymore! DID THEY GET TO IT?!

      Did the guberment take it down?

      THIS IS AN OUTRAGEE!! WE DEMAND THE TOOTH!

    3. Re:Proof by WankerWeasel · · Score: 2

      No one has been able to prove their existence (because they don't actually exist). Thousands of security folks who have these very same systems and have been completely unable to find these imaginary chips. There has yet to be any actual evidence of the existence of these chips other than a couple anonymous sources. I've got 500 anonymous sources who say Man Bear Pig exists so it must be true.

    4. Re:Proof by Areyoukiddingme · · Score: 1

      Obligatory quote:

      THIS IS AN OUTRAGEE!! WE DEMAND THE TOOTH!

      YOU CAN'T HANDLE THE TOOTH!

      Filter error: Don't use so many caps. It's like YELLING.

      Yes, I know. It's a joke, son.

    5. Re:Proof by _merlin · · Score: 1

      MAME developer here: we cracked CPS2 encryption with a known plaintext attack. It wasn't until much later that we burned the top off the encrypted CPU and took a photo through a microscope.

  5. Re:All the News that's fit to hype by Anonymous Coward · · Score: 1

    Unfortunate for you, news agencies aimed at the financial industry are one of the few areas that still have the money to do investigative journalism (because people are willing to pay for something that may make them money).

  6. Re:Coverup Is Working You Say? by Killall+-9+Bash · · Score: 1

    +1 informative racism

    --
    "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  7. Revision by SuperKendall · · Score: 2

    Hello boys and girls, I'm Mr. Investigative Journalist.

    And I've talked to the CEO, and he said no.

    And I've talked to CEO2, and he said no.

    And I've talked to several sources inside both companies, who also said no.

    And I've talked to the NSA, that also said no.

    And I can't find any hardware that actually has the supposed spy chip in it anywhere.

    Conclusion: ALL OF THOSE PEOPLE MUST BE LYING AND I MUST BE CORRECT.

    *Narrator: And he continued to wonder why people hated journalists until the end of his days*

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Revision by Killall+-9+Bash · · Score: 2

      Some of those crazy consparacy theories have been proven, by publicly released FOIA request data, to be actually true. But you just go on imagining tin foil on my head,

      https://en.wikipedia.org/wiki/...

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    2. Re:Revision by gtall · · Score: 1

      Hmmm...I've contacted all those same people and organizations Bloomberg did. They all deny categorically they had anything to report on gene editing to produce pink unicorns. They all have an incentive to lie because it would look badly on their companies.

      Conspiracy!!! And I'd have expected the government to deny it also, what with the price of pink unicorns these days.

    3. Re:Revision by Falos · · Score: 1

      They don't even have to lie.

      "I'm not aware of any X" is the nonstatement that we're all gargling to the hilt.

    4. Re:Revision by Falos · · Score: 1

      https://xkcd.com/2078/

  8. Gee people making fortunes off China by Crashmarik · · Score: 1

    and seeing the market flooded with cheap hardware they use to gather and sell your personal information, or a financial newspaper ?

    Hmmmm it really is a tough call.

  9. * industry complex claims by hackingbear · · Score: 2

    The easiest strategy to rally support and get public funding is FUD, especially creating a powerful foreign enemy by exaggeration and lies.

    Our military industry complex has a track record on it: claims of WMD in Iraq leading to the trillion-dollar Iraq War that's still not quite ended.

    Today, the cybersecurity industry complex is repeating the same: hacking from China. How do they prove beyond reasonable the hacks are indeed from China other than some IP addresses? How do they prove that Chinese computers are not just used as springboard from some 3rd party hackers/countries/organization? Heck, how do we know if the "hack" are not done by the same cybersecurity industry insiders for the purpose of framing anti-China sentiment and thereby rip off money from you and me?

    1. Re:* industry complex claims by gtall · · Score: 1

      "Our military industry complex has a track record on it: claims of WMD in Iraq leading to the trillion-dollar Iraq War that's still not quite ended."

      No up with news, eh? The intelligence agencies were not claiming WMD. That was the neo-cons in the Bush Administration. The military-industrial complex is spending most of their effort on commercial technologies and have been for years. In fact, it has reached the point where the Pentagon is worried they won't have American suppliers for critical systems. Jesus, go back the 60's, you'd fit right in.

  10. Do note: nobody is suing. by Gravis+Zero · · Score: 1

    False reporting can have serious financial consequences so when it happens, companies take their well paid lawyers and sue publishers. I've heard no report of any company suing Bloomberg over this claim (which has been damaging) which leads me to conclude that the claim is legitimate.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Do note: nobody is suing. by Actually,+I+do+RTFA · · Score: 2

      If you mean "false reporting can have serious financial consequences for the newspaper", you're wrong. For news written about a large corporation/public figures isn't actionable if it's false. It's actionable if it's grossly negligent or known to the reporter to be false. Bloomburg could say "oops" and that would be the end of it. Or it certainly would have been after the initial story. I don't know how doubled-down they are now.

      --
      Your ad here. Ask me how!
    2. Re:Do note: nobody is suing. by gtall · · Score: 1

      Hmmm...Apple Boardroom:

      Chair: This Bloomberg report, what do we make of it?

      Board Member #1: Nada, complete bullshit.

      Chair: Will it affect our sales?

      BM #2: Nope, no one who buys our stuff gives a flying rat's ass about Bloomberg. Besides, Bloomberg sounds like a voice in the wilderness among all the rest of the news noise.

      Chair: So not worth spending our expensive legal counsel on?

      BM #3: Not unless you want piss off a lot of money advertising Bloomberg's claim and inflating it out of proportion.

      Chair: Okay, who's up for lunch?

  11. BLOG is the man's NAME by Provocateur · · Score: 1

    So I vote that we stop using it as a noun, or a verb, or--FFS--a job

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  12. I do know though by SuperKendall · · Score: 3, Insightful

    In fact I do know for sure, because a problem of this magnitude affecting so many companies would have SOME leak - from admins working on the hardware themselves, all the way to every manager along the chain.

    It faces the same problem all large scale conspiracies do, there is simply no way that many people can keep a secret.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  13. Re:GO FELATE PUTIN YOU BITCHSKI by hackingbear · · Score: 1

    "Russia and China are the real victims!"

    I didn't say or know if Russia or China is real victim or not. But I do know two real victims: Iraq and you the American taxpayer.

  14. Follow the money by Anonymous Coward · · Score: 1

    What would they gain vs what would they lose if they were to confirm these rumors.

    For sure China would make their life very hard, giving a big advantage to the competition (the many Apple's competitors or Alibaba when it comes to Amazon). Giving the stake these companies have in china these days, this is a huge loss.
    What would they gain? At this point nothing to gain, from what i see.

    So.. OFC it's false.