Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bloomberg is Still Reporting on Challenged Story Regarding China Hardware Hack (washingtonpost.com)

Posted by msmash on from the state-of-things dept.

Erik Wemple, writing for The Washington Post: According to informed sources, Bloomberg has continued reporting the blockbuster story that it broke on Oct. 4, including a very recent round of inquiries from a Bloomberg News/Bloomberg Businessweek investigative reporter. In emails to employees at Apple, Bloomberg's Ben Elgin has requested "discreet" input on the alleged hack. "My colleagues' story from last month (Super Micro) has sparked a lot of pushback," Elgin wrote on Nov. 19 to one Apple employee. "I've been asked to join the research effort here to do more digging on this ... and I would value hearing your thoughts (whatever they may be) and guidance, as I get my bearings."

One person who spoke with Elgin told the Erik Wemple Blog that the Bloomberg reporter made clear that he wasn't part of the reporting team that produced "The Big Hack." The goal of this effort, Elgin told the potential source, was to get to "ground truth"; if Elgin heard from 10 or so sources that "The Big Hack" was itself a piece of hackery, he would send that message up his chain of command. The potential source told Elgin that the denials of "The Big Hack" were "100 percent right."

According to the potential source, Elgin also asked about the possibility that Peter Ziatek, senior director of information security at Apple, had written a report regarding a hardware hack affecting Apple. In an interview with the Erik Wemple Blog, Ziatek says that he'd never written that report, nor is he aware of such a document. Following the publication of Bloomberg's story, Apple conducted what it calls a "secondary" investigation surrounding its awareness of events along the lines of what was alleged in "The Big Hack." That investigation included a full pat-down of Ziatek's own electronic communications. It found nothing to corroborate the claims in the Bloomberg story, according to Ziatek.

6 of 71 comments (clear)

  1. Who to believe, who to believe by Anonymous Coward · · Score: 4, Funny

    Gee, who do I believe, the company that invented "you're holding it wrong" to explain away a defective case design, the company that's had so many "antenna-gates" and "bend-gates" that you have to ask "which one" when someone brings it up (the latest: the new iPad Pro will bend if you hold it along the edge, which you have to do, because it's "all screen"), the company that lied about tracking its users, the company that lied about slowing down older devices? Or do I believe an investigative journalist who found multiple sources confirming the hack happened?

    Man, this is a hard choice.

    1. Re:Who to believe, who to believe by Anubis+IV · · Score: 5, Insightful

      Setting aside the logical fallacy you're engaging in by attempting to poison the well, virtually nothing about Bloomberg's story makes sense.

      They say the chips were first noticed in mid-2015 at Apple and that Apple and Amazon dropped Super Micro as a supplier in response to the discovery, but Apple didn't stop using Super Micro boards until after an unrelated issue in mid-2016 and Amazon was still using Super Micro boards as recently as a few months ago. They say the chips were caught at Amazon because the chips were phoning home using the Internet, but the allegedly affected servers at Amazon weren't even connected to the Internet in the first place. They claimed that nearly 10,000 Super Micro boards were affected at Apple, but the most Super Micro boards ever in Apple's possession was nearly an order of magnitude fewer than that. They say that numerous people in the affected companies and governments of multiple nations had direct knowledge of these incidents, yet these people, companies, and governments are denying any such knowledge, even going so far as—in the case of Apple—to say so under oath to Congress while affirming that there's no gag order or NSL at play.

      Meanwhile, Bloomberg is apparently unsure enough about their own reporter's story that they've sent out at least one fresh reporter, possibly more that we don't know about, to investigate the merits of the original story. Of course, their doubt isn't surprising, given that their own background source (one of their only named sources in the original article) has come out against the story because he considers it wholly implausible that the Chinese were already doing everything that he said could theoretically be possible in exactly the way he described. And while most of us here understand that extraordinary claims require extraordinary evidence, they've failed to produce evidence of any kind, extraordinary or otherwise, despite claims that would suggest there should be an abundance of evidence to choose from across a multitude of organizations (e.g. e-mails, pictures, the chips themselves, etc.).

      So who are you going to believe: reporters whose own organization doubts them, whose own sources don't believe them, and whose extraordinary evidence doesn't exist, or literally everyone else who would have knowledge of the subject?

      Bloomberg, on the whole, is a good news organization, and Apple has certainly had its missteps, but all signs point to this story being a mistake on Bloomberg's part.

    2. Re:Who to believe, who to believe by Junta · · Score: 3, Informative

      Or do I believe an investigative journalist who found multiple sources confirming the hack happened?

      The one named source in the original story came forward and said his interaction should *not* have been interpreted as confirmation, and that his conversation was misrepresented. He was asked 'what's a signal coupler?' and answered with a link to a part catalog showing what a signal coupler is. Additionally he provided hypothetical explanation of how a hardware hack might work. This became 'Joe Fitzpatrick confirms this is a hacked chip found in the hardware!'

      The way his response was misinterpreted caused him to understandably be skeptical of the whole article.

      https://appleinsider.com/artic...

      There are plenty of reasons to be concerned about supply chain security. However this specific article is in all likelihood a completely bogus take on a much more mundane reality more widely reported about SuperMicro not being generally secure enough at the time to continue to be a supplier to certain datacenters.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  2. Re:If it were only Apple... by Junta · · Score: 3, Insightful

    Well, chances are China DID do this.

    Most experts agree that China most likely did *NOT* do this. Not because they *wouldn't*, but a mix of they *couldn't* (the alleged component isn't in a useful position to actually *do* anything that interesting from a snooping perspective) and they would have much better ways of doing an attack (the platform in question had no protections for firmware, China could have freely replaced firmware and it would have been *much* less likely to get caught and have much greater access to actually useful data.

    You have to remember both companies dumped SuperMicro as a supplier around the same time a couple of years ago

    Yes and at the time, sources noted that Supermicro's download site had been hacked once with malicious firmware, and that incident reminded everyone that SuperMicro wasn't doing anything to protect the integrity of the firmware from malicious attack, and that's enough strikes to be out. There may have been a desperate 'premium' vendor in the mix too willing to compete on price with a much better product.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  3. I do know though by SuperKendall · · Score: 3, Insightful

    In fact I do know for sure, because a problem of this magnitude affecting so many companies would have SOME leak - from admins working on the hardware themselves, all the way to every manager along the chain.

    It faces the same problem all large scale conspiracies do, there is simply no way that many people can keep a secret.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  4. Re:If it were only Apple... by timholman · · Score: 3, Insightful

    The problem is that there is also no physical evidence - at all.

    And that is the lynchpin of this entire matter. Supposedly tens of thousands of motherboards purchased by multiple companies were altered, yet not one piece of physical evidence, or even a photograph of a die, has been produced.

    My research group has had some involvement with "trusted microelectronics". When the Bloomberg story first broke, we discussed between ourselves how bizarre it was that China would bother with a traceable hardware hack, when software exploits (which provide plausible deniability) have been so successful for them in the past. It made no sense to us.

    Now, as the weeks have gone by, it has become clear that the story is essentially a fabrication. If it were not, hard evidence would have surfaced by now. Someone at Bloomberg wanted so much for it to be true that fact-checking and source-checking fell by the wayside. It has happened to other reputable news agencies in the past (e.g. New Republic, Rolling Stone, New York Times). When a story fits a desired narrative, all the checks and balances of good journalism fall by the wayside.

    I am reminded of a scene from the movie "Shattered Glass", when a receptionist comments that the scandal with the fabricated stories by Stephen Glass could have been avoided if the New Republic had required him to provide photographs. Bloomberg should have taken that lesson to heart.