Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bloomberg is Still Reporting on Challenged Story Regarding China Hardware Hack (washingtonpost.com)

Posted by msmash on from the state-of-things dept.

Erik Wemple, writing for The Washington Post: According to informed sources, Bloomberg has continued reporting the blockbuster story that it broke on Oct. 4, including a very recent round of inquiries from a Bloomberg News/Bloomberg Businessweek investigative reporter. In emails to employees at Apple, Bloomberg's Ben Elgin has requested "discreet" input on the alleged hack. "My colleagues' story from last month (Super Micro) has sparked a lot of pushback," Elgin wrote on Nov. 19 to one Apple employee. "I've been asked to join the research effort here to do more digging on this ... and I would value hearing your thoughts (whatever they may be) and guidance, as I get my bearings."

One person who spoke with Elgin told the Erik Wemple Blog that the Bloomberg reporter made clear that he wasn't part of the reporting team that produced "The Big Hack." The goal of this effort, Elgin told the potential source, was to get to "ground truth"; if Elgin heard from 10 or so sources that "The Big Hack" was itself a piece of hackery, he would send that message up his chain of command. The potential source told Elgin that the denials of "The Big Hack" were "100 percent right."

According to the potential source, Elgin also asked about the possibility that Peter Ziatek, senior director of information security at Apple, had written a report regarding a hardware hack affecting Apple. In an interview with the Erik Wemple Blog, Ziatek says that he'd never written that report, nor is he aware of such a document. Following the publication of Bloomberg's story, Apple conducted what it calls a "secondary" investigation surrounding its awareness of events along the lines of what was alleged in "The Big Hack." That investigation included a full pat-down of Ziatek's own electronic communications. It found nothing to corroborate the claims in the Bloomberg story, according to Ziatek.

16 of 71 comments (clear)

  1. Who to believe, who to believe by Anonymous Coward · · Score: 4, Funny

    Gee, who do I believe, the company that invented "you're holding it wrong" to explain away a defective case design, the company that's had so many "antenna-gates" and "bend-gates" that you have to ask "which one" when someone brings it up (the latest: the new iPad Pro will bend if you hold it along the edge, which you have to do, because it's "all screen"), the company that lied about tracking its users, the company that lied about slowing down older devices? Or do I believe an investigative journalist who found multiple sources confirming the hack happened?

    Man, this is a hard choice.

    1. Re:Who to believe, who to believe by Anubis+IV · · Score: 5, Insightful

      Setting aside the logical fallacy you're engaging in by attempting to poison the well, virtually nothing about Bloomberg's story makes sense.

      They say the chips were first noticed in mid-2015 at Apple and that Apple and Amazon dropped Super Micro as a supplier in response to the discovery, but Apple didn't stop using Super Micro boards until after an unrelated issue in mid-2016 and Amazon was still using Super Micro boards as recently as a few months ago. They say the chips were caught at Amazon because the chips were phoning home using the Internet, but the allegedly affected servers at Amazon weren't even connected to the Internet in the first place. They claimed that nearly 10,000 Super Micro boards were affected at Apple, but the most Super Micro boards ever in Apple's possession was nearly an order of magnitude fewer than that. They say that numerous people in the affected companies and governments of multiple nations had direct knowledge of these incidents, yet these people, companies, and governments are denying any such knowledge, even going so far as—in the case of Apple—to say so under oath to Congress while affirming that there's no gag order or NSL at play.

      Meanwhile, Bloomberg is apparently unsure enough about their own reporter's story that they've sent out at least one fresh reporter, possibly more that we don't know about, to investigate the merits of the original story. Of course, their doubt isn't surprising, given that their own background source (one of their only named sources in the original article) has come out against the story because he considers it wholly implausible that the Chinese were already doing everything that he said could theoretically be possible in exactly the way he described. And while most of us here understand that extraordinary claims require extraordinary evidence, they've failed to produce evidence of any kind, extraordinary or otherwise, despite claims that would suggest there should be an abundance of evidence to choose from across a multitude of organizations (e.g. e-mails, pictures, the chips themselves, etc.).

      So who are you going to believe: reporters whose own organization doubts them, whose own sources don't believe them, and whose extraordinary evidence doesn't exist, or literally everyone else who would have knowledge of the subject?

      Bloomberg, on the whole, is a good news organization, and Apple has certainly had its missteps, but all signs point to this story being a mistake on Bloomberg's part.

    2. Re:Who to believe, who to believe by Junta · · Score: 3, Informative

      Or do I believe an investigative journalist who found multiple sources confirming the hack happened?

      The one named source in the original story came forward and said his interaction should *not* have been interpreted as confirmation, and that his conversation was misrepresented. He was asked 'what's a signal coupler?' and answered with a link to a part catalog showing what a signal coupler is. Additionally he provided hypothetical explanation of how a hardware hack might work. This became 'Joe Fitzpatrick confirms this is a hacked chip found in the hardware!'

      The way his response was misinterpreted caused him to understandably be skeptical of the whole article.

      https://appleinsider.com/artic...

      There are plenty of reasons to be concerned about supply chain security. However this specific article is in all likelihood a completely bogus take on a much more mundane reality more widely reported about SuperMicro not being generally secure enough at the time to continue to be a supplier to certain datacenters.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  2. If it were only Apple... by SuperKendall · · Score: 2, Insightful

    Gee, who do I believe, the company that invented "you're holding it wrong"

    The problem is, despite your hatred for Apple and desire to see them be wrong in all things - it's not just Apple this claim was made about. It was also made about Amazon, who refutes the story to the same degree (i.e. fully)., and some other companies.

    The problem is that there is also no physical evidence - at all. You brought up the "holding it wrong" issue, to which there was copious testing and personal evidence showing there was a problem, There is nothing anywhere like that in this case, only Bloomberg is making this claim, based on a second-hand report from some source with no ties to Apple.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:If it were only Apple... by tlhIngan · · Score: 2

      The problem is that there is also no physical evidence - at all. You brought up the "holding it wrong" issue, to which there was copious testing and personal evidence showing there was a problem, There is nothing anywhere like that in this case, only Bloomberg is making this claim, based on a second-hand report from some source with no ties to Apple.

      Well, chances are China DID do this. But both Apple and Amazon caught it before putting the machines into service - either during hardware inspection to make sure the machines were built to spec, or during qualification testing where oddball traffic gets detected.

      You have to remember both companies dumped SuperMicro as a supplier around the same time a couple of years ago which is considered quite odd since SuperMicro was one of the few server board manufacturers out there

      Additionally likely is the modification was not caught by other companies, until alerted to it by Apple/Amazon that something like this happened.

      There probably is some grain of truth to the story, it's just it became a non-story because it got caught

    2. Re:If it were only Apple... by Anubis+IV · · Score: 2

      The problem is because of the PATRIOT ACT, NSLs, the FISA court and the NDAA 2014 [...]

      Let me stop you right there. You'd have a really good point, if not for the fact that Apple has explicitly denied being under an NSL or gag order of any sort. I'd guess that you're familiar with warrant canaries, right? So you likely already know that the government can compel companies to remain silent about a gag order, but it can't compel them to lie about being under one. Thus, if Apple is lying it's because they've chosen to do so of their own volition, not because they're being compelled to do so by an NSL or gag order.

    3. Re:If it were only Apple... by Junta · · Score: 3, Insightful

      Well, chances are China DID do this.

      Most experts agree that China most likely did *NOT* do this. Not because they *wouldn't*, but a mix of they *couldn't* (the alleged component isn't in a useful position to actually *do* anything that interesting from a snooping perspective) and they would have much better ways of doing an attack (the platform in question had no protections for firmware, China could have freely replaced firmware and it would have been *much* less likely to get caught and have much greater access to actually useful data.

      You have to remember both companies dumped SuperMicro as a supplier around the same time a couple of years ago

      Yes and at the time, sources noted that Supermicro's download site had been hacked once with malicious firmware, and that incident reminded everyone that SuperMicro wasn't doing anything to protect the integrity of the firmware from malicious attack, and that's enough strikes to be out. There may have been a desperate 'premium' vendor in the mix too willing to compete on price with a much better product.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    4. Re:If it were only Apple... by timholman · · Score: 3, Insightful

      The problem is that there is also no physical evidence - at all.

      And that is the lynchpin of this entire matter. Supposedly tens of thousands of motherboards purchased by multiple companies were altered, yet not one piece of physical evidence, or even a photograph of a die, has been produced.

      My research group has had some involvement with "trusted microelectronics". When the Bloomberg story first broke, we discussed between ourselves how bizarre it was that China would bother with a traceable hardware hack, when software exploits (which provide plausible deniability) have been so successful for them in the past. It made no sense to us.

      Now, as the weeks have gone by, it has become clear that the story is essentially a fabrication. If it were not, hard evidence would have surfaced by now. Someone at Bloomberg wanted so much for it to be true that fact-checking and source-checking fell by the wayside. It has happened to other reputable news agencies in the past (e.g. New Republic, Rolling Stone, New York Times). When a story fits a desired narrative, all the checks and balances of good journalism fall by the wayside.

      I am reminded of a scene from the movie "Shattered Glass", when a receptionist comments that the scandal with the fabricated stories by Stephen Glass could have been avoided if the New Republic had required him to provide photographs. Bloomberg should have taken that lesson to heart.

  3. Proof by JBMcB · · Score: 2

    Does anyone have a packet capture of one of these things leaking data? Or heck, slice the lid off the chip and tap into it's ROM to figure out what it's doing. That's how MAME developers cracked Capcom's CPS2 encryption system.

    --
    My Other Computer Is A Data General Nova III.
    1. Re:Proof by MatthiasF · · Score: 2

      ZOMG!! Your link doesn't work anymore! DID THEY GET TO IT?!

      Did the guberment take it down?

      THIS IS AN OUTRAGEE!! WE DEMAND THE TOOTH!

    2. Re:Proof by WankerWeasel · · Score: 2

      No one has been able to prove their existence (because they don't actually exist). Thousands of security folks who have these very same systems and have been completely unable to find these imaginary chips. There has yet to be any actual evidence of the existence of these chips other than a couple anonymous sources. I've got 500 anonymous sources who say Man Bear Pig exists so it must be true.

  4. Revision by SuperKendall · · Score: 2

    Hello boys and girls, I'm Mr. Investigative Journalist.

    And I've talked to the CEO, and he said no.

    And I've talked to CEO2, and he said no.

    And I've talked to several sources inside both companies, who also said no.

    And I've talked to the NSA, that also said no.

    And I can't find any hardware that actually has the supposed spy chip in it anywhere.

    Conclusion: ALL OF THOSE PEOPLE MUST BE LYING AND I MUST BE CORRECT.

    *Narrator: And he continued to wonder why people hated journalists until the end of his days*

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Revision by Killall+-9+Bash · · Score: 2

      Some of those crazy consparacy theories have been proven, by publicly released FOIA request data, to be actually true. But you just go on imagining tin foil on my head,

      https://en.wikipedia.org/wiki/...

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  5. * industry complex claims by hackingbear · · Score: 2

    The easiest strategy to rally support and get public funding is FUD, especially creating a powerful foreign enemy by exaggeration and lies.

    Our military industry complex has a track record on it: claims of WMD in Iraq leading to the trillion-dollar Iraq War that's still not quite ended.

    Today, the cybersecurity industry complex is repeating the same: hacking from China. How do they prove beyond reasonable the hacks are indeed from China other than some IP addresses? How do they prove that Chinese computers are not just used as springboard from some 3rd party hackers/countries/organization? Heck, how do we know if the "hack" are not done by the same cybersecurity industry insiders for the purpose of framing anti-China sentiment and thereby rip off money from you and me?

  6. Re:Do note: nobody is suing. by Actually,+I+do+RTFA · · Score: 2

    If you mean "false reporting can have serious financial consequences for the newspaper", you're wrong. For news written about a large corporation/public figures isn't actionable if it's false. It's actionable if it's grossly negligent or known to the reporter to be false. Bloomburg could say "oops" and that would be the end of it. Or it certainly would have been after the initial story. I don't know how doubled-down they are now.

    --
    Your ad here. Ask me how!
  7. I do know though by SuperKendall · · Score: 3, Insightful

    In fact I do know for sure, because a problem of this magnitude affecting so many companies would have SOME leak - from admins working on the hardware themselves, all the way to every manager along the chain.

    It faces the same problem all large scale conspiracies do, there is simply no way that many people can keep a secret.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley