Amazon Has Pulled Ads From Bloomberg Over Controversial 'Big Hack' Chinese Spy Story; Apple Has Not Invited Outlet's Reporters To a Product Event Next Week (buzzfeednews.com)
Both Amazon and Apple are taking retributive measures against Bloomberg, which in a report earlier this month alleged that some motherboards used by these companies were hacked by China. From a report: Amazon pulled its fourth quarter advertisements on Bloomberg's website, a move some within the media giant think is retribution for its controversial story alleging that Chinese spies hacked into the online retailer's servers. According to a source in position to know, Amazon's digital media buyer, Initiative, informed Bloomberg's sales staff on October 16 that it would cancel its ad buys for the fourth quarter due to budget cuts. Internally, the source said, the staff received that decision, made only eight days after a previous communication with Initiative confirming that the ads would run, as a direct response to Amazon's displeasure over the October 4 story. (Amazon announced Thursday that its marketing expenses for Q3 2018 were 3.3 billion dollars, up more than 800 million dollars from the year before.) [...] According to multiple sources, Bloomberg was not invited to Apple's fall product event next week in Brooklyn. Further reading: In an Unprecedented Move, Apple CEO Tim Cook Calls For Bloomberg To Retract Its Chinese Spy Chip Story.
But no lawsuit.... (Score:4, Insightful)
They don't want to go through discovery, they just want to bury the news.
Re: (Score:2, Interesting)
> They don't want to go through discovery, they just want to bury the news.
You mean bullshit; because the entire article was bullshit.
It reeks of a hatchet job planted by Trump's camp followers going after "Leftist Apple" and the "Chinese".
Re: (Score:1)
ya a hatchet job and bloomberg is helping trump lol .... how warped is your mind?
Re:But no lawsuit.... (Score:4, Insightful)
You're accusing Bloomberg of planting a pro-Trump hatchet job against Apple and "the Chinese"?
You're accusing a highly-reputable business news company of planting a political hatchet job that doesn't mention politics?
Most absurdly, you're accusing a magazine owned by Leftist politician Michael Bloomberg of running PRO-TRUMP stories?!
There's something wrong with you.
Re: (Score:1, Interesting)
> You're accusing Bloomberg of planting a pro-Trump hatchet job against Apple and "the Chinese"?
> You're accusing a highly-reputable business news company of planting a political hatchet job that doesn't mention politics?
> Most absurdly, you're accusing a magazine owned by Leftist politician Michael Bloomberg of running PRO-TRUMP stories?!
> There's something wrong with you.
Logical Fallacy: Appeal to absurdity.
Slapping a chip on a board won't do anything like what they claimed it would do; they would need to completely redo the board for the needed connections to get the desired effects and that would be obvious by visual inspection--not just a piece of dust on the board. (Even if the chip contained something small like BIOS tweaks to upload a malicious payload to the CPU.) Then they would need to enable remote connections through the firewall and bypass the IDS for the ch
Re: (Score:2)
> There's something wrong with you.
Nothing wrong with him at all. He's paid by his Russian overlords to spew FUD on western websites. The man's gotta eat right?
Re:But no lawsuit.... (Score:4, Informative)
Re:But no lawsuit.... (Score:5, Insightful)
I think companies are also a little reluctant to sue mainstream press, even when they think they've been hit with a hatchet job. Like any group, the press don't like attacks against their own from outside. They might call each other left/right wing mouthpieces, but they'll put that aside if anyone starts going after the freedom of the press as a whole. A big company is better off just dragging the news agency's name through the mud. The competing news agencies won't mind too much (or might even join in) and a lawsuit is going to be difficult to win and cost the company more than they get.
Re: (Score:2)
It would be difficult to actually succeed with a lawsuit, as they would first have to demonstrate that they've suffered some material harm from this. Realistically, if anyone had a chance of doing that, it would be Super Micro as opposed to Apple or Amazon. Neither Apple nor Amazon has seen their stock fluctuate wildly enough that it would be easy to point to this story as the only (or even primary) cause. Super Micro on the other hand had their price drop to about half of what it was prior to the announcement.
> I think companies are also a little reluctant to sue mainstream press, even when they think they've been hit with a hatchet job. Like any group, the press don't like attacks against their own from outside. They might call each other left/right wing mouthpieces, but they'll put that aside if anyone starts going after the freedom of the press as a whole. A big company is better off just dragging the news agency's name through the mud. The competing news agencies won't mind too much (or might even join in) and a lawsuit is going to be difficult to win and cost the company more than they get.
That's a perfect, and reasonable, explanation.
Thanks!
Re:But no lawsuit.... (Score:5, Funny)
> That's a perfect, and reasonable, explanation.
I agree - there's no place for that sort of thing on Slashdot.
Re: (Score:2)
> > That's a perfect, and reasonable, explanation.
> I agree - there's no place for that sort of thing on Slashdot.
;-)
Re: (Score:3)
Well personally I don't see legitimate libel or slander suits against press organizations as limiting press freedoms; at least not in the US - where proving the statement is true is a sufficient defense of either of those civil actions.
I also think the media gets a pass on using weasel words like "alleged", and "claims" etc. I am fine with it as long as they name their sources - tell me who claims or who alleges blah blah put a spy chip on the motherboards or he sexually assaulted her or whatever. We can
Re: (Score:2)
Demanding reporters name anonymous sources so that they can have their lives ruined is about the stupidest thing you could possibly come up with to say about the situation, regardless of what you think really happened.
Re: (Score:2)
No, I am not saying they have to name their anonymous sources. I am saying they either take responsibility for the information being factual or don't report it. Named sources are responsible for their statements; anonymous sources are not newsworthy unless they can be corroborated.
An anonymous source says such and such and da da duh happened -> NOT NEWS
This reporter learned from an anonymous source that blah blah may have happened, after investigating the matter $NEWSORG found the following evidence to
Re: (Score:2)
> a lawsuit is going to be difficult to win and cost the company more than they get.
Uhm... Apple/Amazon don't care about that. Their brand is everything to them, and if they have/had a case: I'm sure their lawyers would be all over it.
Bloomberg's story might not be 100% accurate, but there's probably some truth to it that these companies NEED to hide that would come out in the lawsuit which could damage their bottom line ---- better to keep it quiet and cast as much doubt as possible.
Also; I'm
Re: (Score:2)
Which is interesting. Other buried bodies they want to keep hidden or is there actually some truth to the story? Technologically, the attack would be possible. I could do this myself, except for the miniaturization and hiding in a signal-filter. (A signal-filter has no business being in an SPI-connection, BTW.)
The only thing that did not make sense to me was the claim that the attack-devices in later cases were hidden inside the PCB. That makes no sense at all as it is easier to detect (X-Rays, maybe even s
Re: (Score:2)
Hidden inside the motherboard, or inside an ethernet socket on the motherboard?
If really inside, yeah, that is not a big deal to achieve. Remember, without all the plastic and the leads most microcontrollers would fit on a pinhead. It would be no big deal to slap an unpackaged micro with only bond wires stuck between two comm pads. No need to worry about altering the flash or whatever, you're not fiddling with the CPU; you're just monitoring network data and sometimes inserting packets. If you also have the
Re: (Score:2)
The claim was inside the PCB. The Ethernet socket lacks the connections for this attack. You can do others via the Ethernet socket though, especially if the ever-vulnerable Intel remote management engine is present. Still can be found easily via industrial x-ray. Nobody has that at home, but students, for example, may be able to access one at their university.
Re: (Score:2)
This is pretty easy to do with the right resources. If you cannot see that, then you have no place in this discussion. You basically need an SOC with integrated Ethernet PHY. Of course, you need the naked chip and you need to program it in that form, and you need to be able to bond it. Still within reach of a university chip lab with some industry connections for example.
100% of their hardware is compromised. (Score:1)
You must be a complete cretin to still not realize this. 100% of all consumer-available computers are fully backdoored. Get it through your thick skulls already.
Re: (Score:2)
Re: (Score:2)
With you personally? Probably not. With the company employing you? Almost certainly.
Re: (Score:2)
> With you personally? Probably not. With the company employing you? Almost certainly.
Also, they might have a beef with the government that protects you. You know, the one that keeps them from driving a tank over your house?
Re: (Score:1)
> The Chinese government is much less likely to have a beef with me.
You don't understand China the slightest. They are brutal, uncivilized and crazy serious about total control. E.g. the past weekend their riot police beat up 14-16 y.o. kids at a Beijing venue for the heinous crime of daring to stand up and clap during the official "live" concert of Hatsune Miku, that Japanese anime hologram pop idol.
Strangely, the incident story and video weren't even published on the Mikufan.com news hubsite, but only
Re: (Score:2)
Re: (Score:2)
No, it is not. First, there is no sane reason to do it, as it is not needed for anything. You are not that important and what you do on your computer is not either. Second, the more hardware backdoors you deploy, the higher the risk somebody finds them. And third, actually using a backdoor always comes with a significant detection risk as well. And last, NOBUS backdoors are very, very hard to get right and anything else can be found and used by other attackers. That would be an extreme catastrophe and is j
Re: (Score:2)
If you invite neighbors to your house to a party but one of them decides to take a shit on the living room floor you will not invite them again, especially when they blame a dog nobody has ever seen (chip) without even a single strand of hair (evidence).
Well you obviously would because not inviting that person somehow in your mind makes the lie true...
Amazon had Bloomberg ads? (Score:1)
I knew they had featured products and the like, but I didn't remember Amazon having ad ads. Maybe that is for non-Prime members (not virtue signaling, I swear, though perhaps that would really be more vice-signaling).
It is their only recourse (Score:1)
It's the only way to hold so-called news reporters to any sort of standard.
Why should Apple or Amazon continue to deal with Bloomberg when Apple and Amazon think they've been the victim of false reporting?
Re: (Score:2)
Winning a libel suit requires proving intentional falsehood motivated by malice.
Re:Kohath you're a fucking moron lol. (Score:5, Informative)
It's almost certainly not intentionally false and provably motivated by malice. If the story is merely false, it isn't (legally) libel.
Re: (Score:2)
Hulk Hogan lawsuit wasn't a libel suit.
Re: (Score:2)
Nope
Re: (Score:2)
No. [nytimes.com] The lawsuit never included a defamation claim [documentcloud.org].
Re: (Score:2)
> Winning a libel suit requires proving intentional falsehood motivated by malice.
True, but Apple or Amazon wouldn't have to win. If a judge decided "Apple, you lose. The whole story was total nonsense, but you cannot prove it was motivated by malice.", that's all that Apple would want.
Re: (Score:2)
If they sue, they get accused of the same "you are trying to bury the truth" cries.
This way, they get to make their point and save money
Re: (Score:3)
> It's the only way to hold so-called news reporters to any sort of standard.
> Why should Apple or Amazon continue to deal with Bloomberg when Apple and Amazon think they've been the victim of false reporting?
I agree.
Plus, it's their ad money, and therefore totally their choice to spend it, or not, where they wish.
Re: (Score:2)
Re: (Score:1)
Cite your sources or go fuck yourself.
This story was reported widely in Feb of 2017 (Score:5, Informative)
Feb 2017
https://appleinsider.com/artic... [appleinsider.com]
https://www.macrumors.com/2017... [macrumors.com]
https://arstechnica.com/civis/... [arstechnica.com]
Their claims that they knew nothing of this security issue from Supermicro have all the appearances of a PR cover up
Re: (Score:2, Informative)
Bad firmware != deliberately vulnerable hardware.
More recent research (Score:5, Informative)
The thing is, just recently LOTS of news orgs, and the government itself could find no evidence of what was reported - and both Apple and Amazon did not just give PR responses, but much stronger responses that would lead to large fines if they were lying.
Since everyone else on Earth is unable to verify the story, it's far more likely Bloomberg really screwed up.
Re: (Score:2)
If they had reacted to a few blog posts/Tech articles in 2017 they would have had the Streisand Effect [wikipedia.org] on the matter.
Supermicro announced in early 2017 that it lost TWO large data-center customers in 2016 over security issues. Apple being one, Amazon probably being the other. Their stock took a huge hit in early 2017 when thei
Re: (Score:3)
Those are totally separate issues though. One was companies leaving Supermicro because they sucked, which is a far different matter than Chinese spy-grains being embedded on motherboards (which again exactly ZERO people can produce physical evidence of).
Re: (Score:3)
> There was no attempt at that time to refute the stories by Apple and others at that time.
You're confusing two different incidents. The reason there wasn't an attempt to refute the 2016 firmware incident you're talking about is because it actually happened. Apple has even talked about it publicly. From Apple's response to Bloomberg [bloomberg.com]:
> We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
The 2016 firmware incident in which a single SuperMicro server in a test environment received a malware update is real. The 2015 hardware incident alleged by Bloomberg—in which a malicious chip was physically placed on the boards—has zero factual basis as
Re: (Score:2)
> The thing is, just recently LOTS of news orgs, and the government itself could find no evidence of what was reported - and both Apple and Amazon did not just give PR responses, but much stronger responses that would lead to large fines if they were lying.
> Since everyone else on Earth is unable to verify the story, it's far more likely Bloomberg really screwed up.
Would Apple and Amazon be subjected to large fines if they were blatantly lying? Under what law? The SEC and stockholders/lawyers would only go after them if the stock price had been affected, and even in those cases, the fines are less than wrist-slaps. There is basically little real penalty for Apple and Amazon to vociferously deny everything. On the other hand, a less than full denial could result in a PR hit.
It's possible that Bloomberg reporters totally made up the story or substantially modified t
Re: (Score:2)
> What would happen if Apple and/or Amazon came out and said they found evidence of a hack? Wouldn't the fallout from that be bad and very far reaching
In what way? It hasn't been far reaching so far for many companies leaking tens of millions of customer records with a lot more sensitive data than Apple or Amazon even have. The companies carry on after a small fine. The SEC fine would be far worse and further reaching if they were lying (just ask Musk). Would Apple be worse off with a small fine or Tim Co
Re:This story was reported widely in Feb of 2017 (Score:5, Informative)
No, *that* was a problem of failing to provide adequate protection of their servers and download site from fake firmware. From all reports, this was enough to scare Apple off as a customer, but didn't actually get anywhere to have a chance to actually infiltrate anything. This is a class of attack that can be mitigated, and it is correct to select a different vendor for having better security practices to prevent an external attacker that has no business relationship with the supplier from getting in.
Bloomberg's accusation is that there was a *hardware* attack where a chip was injected and that the attack actually landed and spent a significant time having compromised the datacenters.
This is a whole different implication:
-An entity with a business relationship vetted by the supplier would have been the one to execute, suggesting the supplier is at best inadequate in vetting their partners and at worst (and Bloomberg *heavily* hints at this in mildly racist ways) complicit in the attack.
-Such an attack landed successfully for a significant duration.
As a few have pointed out, the far safer bet would be a firmware attack, as with the alleged approach it would be far more expensive, less likely to hit, and upon detection has no plausible deniability. The article smells fishy, and no other investigation can find a hint of anything to corroborate the claims.
Re:This story was reported widely in Feb of 2017 (Score:4, Informative)
The issue you're talking about is an unrelated incident dealing with firmware, NOT the hardware issue that Bloomberg is reporting.
The firmware incident from 2016 that you're talking about is indeed what led Apple to dump SuperMicro. That said, Apple has been open about that incident and even mentioned it explicitly in their initial response to Bloomberg's article, suggesting that—as you just did—Bloomberg confused the 2016 situation with the hardware incident alleged by Bloomberg. I would have hoped you'd have known better, since I already told you all of this [slashdot.org] just a few weeks ago.
As for what the firmware incident involved, in short, SuperMicro let a board get by them that had malware on it. As far as Apple could tell, it was an incidental infection that wasn't targeted at them in any way, but it pointed to such a lapse in SuperMicro's QA process that SuperMicro could no longer be trusted as a supplier. Again, that's a separate issue from Bloomberg's claims that there were malicious chips physically placed on boards back in 2015.
A good review of the technology (Score:3)
https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
"Perhaps the animation is an artist’s concept only, but this is just the right place to compromise the BMC."
That's the Security Group at the University of Cambridge Computer Laboratory, and they take no prisoners (;-))
Happens all the time (Score:3, Insightful)
Neither Apple nor Amazon owe Bloomberg or anyone else ads. When an advertiser pulls ads from someone like Sean Hannity or Rosie in a blatant attempt to hurt those outlets, everyone here cheers. But Apple pulls ads from Bloomberg and the cries of unfairness are loud. Some people here will "never buy Apple" because, you know, Chinese slave labor and all that. You get to do that. You have that right. You get to make a political decision about where you spend your money. So do Apple and Amazon. It's nothing more complicated than that.
Re: (Score:2)
Show me the data (Score:5, Insightful)
If SuperMicro is guilty of this, then all Bloomberg has to do is go online, buy some boards and pay MIT or some other school with the facilities to find the malicious chips. That seems pretty logical right?
If the chips actually exist, they should be pretty easy to identify. Just cross reference the chips and the drivers and verify what is OEM, Chinese or otherwise and then reverse engineer them and simulate the hack.
This is not a difficult thing to do.
I know of a NATO government organization that has pulled the power from a stack of Nutanix servers because of this article. I asked them to prove to me that the story had any merit other than FUD and they explained that they pulled the plug because they need proof there is no merit not the other way around.
I think SuperMicro should sue the shit out of Bloomberg over this. So should Nutanix and every other company financially affected by this article. Then Bloomberg will be forced to either prove their claims ... at which point we can all apologize and thank them or they can suffer the hundreds of millions in losses over publishing this rubbish.
Re: (Score:2)
Let's assume the story is true. It is quite possible Bloomberg does not have the hardware and the witnesses may not be able to get to any either at this time. Of course, the story could also be false, but this is not the way to show that.
Re: (Score:2)
Why do it now? When they've got the affected companies going apeshit and making these kinds of insanely-strong statements about how they insist on the right of rich assholes to magically prove a negative through command voice, they might as well wait until it dies down a little, then dump the evidence on them. Right now it is still churning under its own power, why would they possibly want to shorten the time frame that it plays out over?!
Nobody is suing anybody, because discovery. They all know supermicro
Conspiracy theory time? (Score:3, Interesting)
I'd guess that the story is true and the affected megacorps are trying to cover it up. I'd guess that these megacorps are cooperating with the TLAs investigating the issue, and don't want the story made public because they'd rather not go public about a data breach (at least not individually and earlier than necessary), which the TLAs would also prefer in this case. So the media would be both compromising the investigation and bringing bad PR to the victims by reporting on this.
In a couple years we'll probably hear that it was all true and the affected companies will jointly disclose the data breach.
Re: (Score:2)
Which could be a very real possibility...
Re: (Score:2)
If the NSA intervened, you wouldn't know. If they already did intervene, you don't know, I don't know.
If in the future some truth about the NSA is revealed in public, we won't even have a way to distinguish it from an air force weather balloon. There is no way to know that stuff.
What is weird, really weird, is that they already made a statement in this case.
Re: (Score:2)
> If the NSA intervened, you wouldn't know. If they already did intervene, you don't know, I don't know.
Remember: The government can or could compel a company to stay silent. They cannot compel a company to lie. If Apple says anything, then you know they haven't been ordered by the government to keep quiet, and what they say is what Apple wants you to hear, not what the government wants you to hear.
Re: (Score:2)
Possibly. There would be very strong economic incentives to lie, as such a backdoor would basically compromise anything "cloud", and may cost them hundreds of billions. That is not small money and may pose an existential risk. Of course, it is also possible the story is false.
I fear that at this time there is no way to really find out. If true, the compromised hardware will already have been removed and destroyed very quietly. If false, how do you prove that?
The one thing I can say is that the attack would
Re: (Score:2)
> I'd guess that the story is true and the affected megacorps are trying to cover it up.
It seems that Apple learned about the story from the newspaper, then asked the relevant employees "did you find anything and contact the FBI", then asked the FBI "did any of our employees contact you", and the FBI knew nothing, and the employees knew nothing. "Trying to cover it up" is a bit ridiculous when Bloomberg could just release the evidence (which they probably don't have).
Re: (Score:2)
Would shareholders be able to sue if the megacorps were legally compelled to keep quiet by a Patriot act request?
Age of paranoia (Score:3)
Re: (Score:2)
I'm not sure, your account is pretty new, you might be a furren infill traitor, here to insert manimal propaganda.
Re: (Score:2)
Don't trust anyone over a four-digit ID.
Re: (Score:1)
Sounds like blowback (Score:2)
This feels like (Score:2)
If it wasn't true, they wouldn't be overreacting so much.
Hell no (Score:2)