Bloomberg is Still Reporting on Challenged Story Regarding China Hardware Hack (washingtonpost.com) 71
Erik Wemple, writing for The Washington Post: According to informed sources, Bloomberg has continued reporting the blockbuster story that it broke on Oct. 4, including a very recent round of inquiries from a Bloomberg News/Bloomberg Businessweek investigative reporter. In emails to employees at Apple, Bloomberg's Ben Elgin has requested "discreet" input on the alleged hack. "My colleagues' story from last month (Super Micro) has sparked a lot of pushback," Elgin wrote on Nov. 19 to one Apple employee. "I've been asked to join the research effort here to do more digging on this ... and I would value hearing your thoughts (whatever they may be) and guidance, as I get my bearings."
One person who spoke with Elgin told the Erik Wemple Blog that the Bloomberg reporter made clear that he wasn't part of the reporting team that produced "The Big Hack." The goal of this effort, Elgin told the potential source, was to get to "ground truth"; if Elgin heard from 10 or so sources that "The Big Hack" was itself a piece of hackery, he would send that message up his chain of command. The potential source told Elgin that the denials of "The Big Hack" were "100 percent right."
According to the potential source, Elgin also asked about the possibility that Peter Ziatek, senior director of information security at Apple, had written a report regarding a hardware hack affecting Apple. In an interview with the Erik Wemple Blog, Ziatek says that he'd never written that report, nor is he aware of such a document. Following the publication of Bloomberg's story, Apple conducted what it calls a "secondary" investigation surrounding its awareness of events along the lines of what was alleged in "The Big Hack." That investigation included a full pat-down of Ziatek's own electronic communications. It found nothing to corroborate the claims in the Bloomberg story, according to Ziatek.
One person who spoke with Elgin told the Erik Wemple Blog that the Bloomberg reporter made clear that he wasn't part of the reporting team that produced "The Big Hack." The goal of this effort, Elgin told the potential source, was to get to "ground truth"; if Elgin heard from 10 or so sources that "The Big Hack" was itself a piece of hackery, he would send that message up his chain of command. The potential source told Elgin that the denials of "The Big Hack" were "100 percent right."
According to the potential source, Elgin also asked about the possibility that Peter Ziatek, senior director of information security at Apple, had written a report regarding a hardware hack affecting Apple. In an interview with the Erik Wemple Blog, Ziatek says that he'd never written that report, nor is he aware of such a document. Following the publication of Bloomberg's story, Apple conducted what it calls a "secondary" investigation surrounding its awareness of events along the lines of what was alleged in "The Big Hack." That investigation included a full pat-down of Ziatek's own electronic communications. It found nothing to corroborate the claims in the Bloomberg story, according to Ziatek.
Re: (Score:2)
Particularly when there's (as of 17:15 UTC) no alternative source for Slashdot readers whose subscription packages happen not to include The Washington Post.
Who to believe, who to believe (Score:4, Funny)
Gee, who do I believe, the company that invented "you're holding it wrong" to explain away a defective case design, the company that's had so many "antenna-gates" and "bend-gates" that you have to ask "which one" when someone brings it up (the latest: the new iPad Pro will bend if you hold it along the edge, which you have to do, because it's "all screen"), the company that lied about tracking its users, the company that lied about slowing down older devices? Or do I believe an investigative journalist who found multiple sources confirming the hack happened?
Man, this is a hard choice.
Re: (Score:1)
Unfortunate for you, news agencies aimed at the financial industry are one of the few areas that still have the money to do investigative journalism (because people are willing to pay for something that may make them money).
If it were only Apple... (Score:3, Insightful)
Gee, who do I believe, the company that invented "you're holding it wrong"
The problem is, despite your hatred for Apple and desire to see them be wrong in all things - it's not just Apple this claim was made about. It was also made about Amazon, who refutes the story to the same degree (i.e. fully)., and some other companies.
The problem is that there is also no physical evidence - at all. You brought up the "holding it wrong" issue, to which there was copious testing and personal evidence showing there wa
Revision (Score:3)
Hello boys and girls, I'm Mr. Investigative Journalist.
And I've talked to the CEO, and he said no.
And I've talked to CEO2, and he said no.
And I've talked to several sources inside both companies, who also said no.
And I've talked to the NSA, that also said no.
And I can't find any hardware that actually has the supposed spy chip in it anywhere.
Conclusion: ALL OF THOSE PEOPLE MUST BE LYING AND I MUST BE CORRECT.
*Narrator: And he continued to wonder why people hated journalists until the end of his days*
Re: (Score:1)
Re: (Score:3)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Hmmm...I've contacted all those same people and organizations Bloomberg did. They all deny categorically they had anything to report on gene editing to produce pink unicorns. They all have an incentive to lie because it would look badly on their companies.
Conspiracy!!! And I'd have expected the government to deny it also, what with the price of pink unicorns these days.
Re: (Score:2)
They don't even have to lie.
"I'm not aware of any X" is the nonstatement that we're all gargling to the hilt.
Re: (Score:2)
https://xkcd.com/2078/ [xkcd.com]
Re: (Score:3)
The problem is because of the PATRIOT ACT, NSLs, the FISA court and the NDAA 2014 [...]
Let me stop you right there. You'd have a really good point, if not for the fact that Apple has explicitly denied being under an NSL or gag order of any sort. I'd guess that you're familiar with warrant canaries [wikipedia.org], right? So you likely already know that the government can compel companies to remain silent about a gag order, but it can't compel them to lie about being under one. Thus, if Apple is lying it's because they've chosen to do so of their own volition, not because they're being compelled to do so by a
I do know though (Score:4, Insightful)
In fact I do know for sure, because a problem of this magnitude affecting so many companies would have SOME leak - from admins working on the hardware themselves, all the way to every manager along the chain.
It faces the same problem all large scale conspiracies do, there is simply no way that many people can keep a secret.
Gee people making fortunes off China (Score:2)
and seeing the market flooded with cheap hardware they use to gather and sell your personal information, or a financial newspaper ?
Hmmmm it really is a tough call.
Re: (Score:3)
Well, chances are China DID do this. But both Apple and Amazon caught it before putting the machines into service - either during hardware inspection to make su
Re:If it were only Apple... (Score:4, Insightful)
Well, chances are China DID do this.
Most experts agree that China most likely did *NOT* do this. Not because they *wouldn't*, but a mix of they *couldn't* (the alleged component isn't in a useful position to actually *do* anything that interesting from a snooping perspective) and they would have much better ways of doing an attack (the platform in question had no protections for firmware, China could have freely replaced firmware and it would have been *much* less likely to get caught and have much greater access to actually useful data.
You have to remember both companies dumped SuperMicro as a supplier around the same time a couple of years ago
Yes and at the time, sources noted that Supermicro's download site had been hacked once with malicious firmware, and that incident reminded everyone that SuperMicro wasn't doing anything to protect the integrity of the firmware from malicious attack, and that's enough strikes to be out. There may have been a desperate 'premium' vendor in the mix too willing to compete on price with a much better product.
Re: (Score:2)
"Well, chances are China DID do this." Oh? What are the probabilities involved? Could you please show us the data supporting these probabilities?
Re:If it were only Apple... (Score:4, Insightful)
And that is the lynchpin of this entire matter. Supposedly tens of thousands of motherboards purchased by multiple companies were altered, yet not one piece of physical evidence, or even a photograph of a die, has been produced.
My research group has had some involvement with "trusted microelectronics". When the Bloomberg story first broke, we discussed between ourselves how bizarre it was that China would bother with a traceable hardware hack, when software exploits (which provide plausible deniability) have been so successful for them in the past. It made no sense to us.
Now, as the weeks have gone by, it has become clear that the story is essentially a fabrication. If it were not, hard evidence would have surfaced by now. Someone at Bloomberg wanted so much for it to be true that fact-checking and source-checking fell by the wayside. It has happened to other reputable news agencies in the past (e.g. New Republic, Rolling Stone, New York Times). When a story fits a desired narrative, all the checks and balances of good journalism fall by the wayside.
I am reminded of a scene from the movie "Shattered Glass", when a receptionist comments that the scandal with the fabricated stories by Stephen Glass could have been avoided if the New Republic had required him to provide photographs. Bloomberg should have taken that lesson to heart.
Re:Who to believe, who to believe (Score:5, Insightful)
Setting aside the logical fallacy you're engaging in by attempting to poison the well, virtually nothing about Bloomberg's story makes sense.
They say the chips were first noticed in mid-2015 at Apple and that Apple and Amazon dropped Super Micro as a supplier in response to the discovery, but Apple didn't stop using Super Micro boards until after an unrelated issue in mid-2016 and Amazon was still using Super Micro boards as recently as a few months ago. They say the chips were caught at Amazon because the chips were phoning home using the Internet, but the allegedly affected servers at Amazon weren't even connected to the Internet in the first place. They claimed that nearly 10,000 Super Micro boards were affected at Apple, but the most Super Micro boards ever in Apple's possession was nearly an order of magnitude fewer than that. They say that numerous people in the affected companies and governments of multiple nations had direct knowledge of these incidents, yet these people, companies, and governments are denying any such knowledge, even going so far as—in the case of Apple—to say so under oath to Congress while affirming that there's no gag order or NSL at play.
Meanwhile, Bloomberg is apparently unsure enough about their own reporter's story that they've sent out at least one fresh reporter, possibly more that we don't know about, to investigate the merits of the original story. Of course, their doubt isn't surprising, given that their own background source (one of their only named sources in the original article) has come out against the story because he considers it wholly implausible that the Chinese were already doing everything that he said could theoretically be possible in exactly the way he described. And while most of us here understand that extraordinary claims require extraordinary evidence, they've failed to produce evidence of any kind, extraordinary or otherwise, despite claims that would suggest there should be an abundance of evidence to choose from across a multitude of organizations (e.g. e-mails, pictures, the chips themselves, etc.).
So who are you going to believe: reporters whose own organization doubts them, whose own sources don't believe them, and whose extraordinary evidence doesn't exist, or literally everyone else who would have knowledge of the subject?
Bloomberg, on the whole, is a good news organization, and Apple has certainly had its missteps, but all signs point to this story being a mistake on Bloomberg's part.
Re: (Score:1)
Bloomberg, on the whole, is a good news organization, and Apple has certainly had its missteps, but all signs point to this story being a mistake on Bloomberg's part.
You know the best evidence it's not a mistake? Apple hasn't sued Bloomberg yet.
Apple is more than happy to sue journalists. They do it all the time to "protect trade secrets" and "stop leaks."
But they haven't sued Bloomberg over this.
Odd.
Re: (Score:1)
Defamation suits between public entities are difficult win because you not only have to prove the defamer knew the story was false, but they used it to harm the defamed.
Re: (Score:2)
You know the best evidence it's not a mistake? Apple hasn't sued Bloomberg yet.
I've heard several people suggest this is evidence of something. I'm eager to hear your attempt at reading the tea leaves.
Apple is more than happy to sue journalists. They do it all the time to "protect trade secrets" and "stop leaks."
But they haven't sued Bloomberg over this.
Odd.
I'm afraid your interpretation undermines itself.
If Apple sues journalists "all the time" to discourage leaking, then how does a lack of a suit serve as evidence of a leak? Quite the contrary, it would actually suggest the opposite: that the article was bereft of leaked info over which Apple could sue. After all, if Bloomberg's article was true, your belief about Apple's lawsuit habits w
Re: (Score:2)
That everyone else safe feeling worked for years in the West before Snowden and PRISM...
Re:Who to believe, who to believe (Score:4, Informative)
Or do I believe an investigative journalist who found multiple sources confirming the hack happened?
The one named source in the original story came forward and said his interaction should *not* have been interpreted as confirmation, and that his conversation was misrepresented. He was asked 'what's a signal coupler?' and answered with a link to a part catalog showing what a signal coupler is. Additionally he provided hypothetical explanation of how a hardware hack might work. This became 'Joe Fitzpatrick confirms this is a hacked chip found in the hardware!'
The way his response was misinterpreted caused him to understandably be skeptical of the whole article.
https://appleinsider.com/artic... [appleinsider.com]
There are plenty of reasons to be concerned about supply chain security. However this specific article is in all likelihood a completely bogus take on a much more mundane reality more widely reported about SuperMicro not being generally secure enough at the time to continue to be a supplier to certain datacenters.
Proof (Score:3)
Does anyone have a packet capture of one of these things leaking data? Or heck, slice the lid off the chip and tap into it's ROM to figure out what it's doing. That's how MAME developers cracked Capcom's CPS2 encryption system.
Re: (Score:2)
Re: (Score:3)
ZOMG!! Your link doesn't work anymore! DID THEY GET TO IT?!
Did the guberment take it down?
THIS IS AN OUTRAGEE!! WE DEMAND THE TOOTH!
Re: (Score:2)
Obligatory quote:
THIS IS AN OUTRAGEE!! WE DEMAND THE TOOTH!
YOU CAN'T HANDLE THE TOOTH!
Filter error: Don't use so many caps. It's like YELLING.
Yes, I know. It's a joke, son.
Re: (Score:3)
Re: (Score:2)
MAME developer here: we cracked CPS2 encryption with a known plaintext attack. It wasn't until much later that we burned the top off the encrypted CPU and took a photo through a microscope.
Re: (Score:2)
* industry complex claims (Score:3)
The easiest strategy to rally support and get public funding is FUD, especially creating a powerful foreign enemy by exaggeration and lies.
Our military industry complex has a track record on it: claims of WMD in Iraq leading to the trillion-dollar Iraq War that's still not quite ended.
Today, the cybersecurity industry complex is repeating the same: hacking from China. How do they prove beyond reasonable the hacks are indeed from China other than some IP addresses? How do they prove that Chinese computers are not just used as springboard from some 3rd party hackers/countries/organization? Heck, how do we know if the "hack" are not done by the same cybersecurity industry insiders for the purpose of framing anti-China sentiment and thereby rip off money from you and me?
Re: (Score:2)
"Russia and China are the real victims!"
I didn't say or know if Russia or China is real victim or not. But I do know two real victims: Iraq and you the American taxpayer.
Re: (Score:2)
"Our military industry complex has a track record on it: claims of WMD in Iraq leading to the trillion-dollar Iraq War that's still not quite ended."
No up with news, eh? The intelligence agencies were not claiming WMD. That was the neo-cons in the Bush Administration. The military-industrial complex is spending most of their effort on commercial technologies and have been for years. In fact, it has reached the point where the Pentagon is worried they won't have American suppliers for critical systems. Jesus
Do note: nobody is suing. (Score:2)
False reporting can have serious financial consequences so when it happens, companies take their well paid lawyers and sue publishers. I've heard no report of any company suing Bloomberg over this claim (which has been damaging) which leads me to conclude that the claim is legitimate.
Re: (Score:3)
If you mean "false reporting can have serious financial consequences for the newspaper", you're wrong. For news written about a large corporation/public figures isn't actionable if it's false. It's actionable if it's grossly negligent or known to the reporter to be false. Bloomburg could say "oops" and that would be the end of it. Or it certainly would have been after the initial story. I don't know how doubled-down they are now.
Re: (Score:2)
Hmmm...Apple Boardroom:
Chair: This Bloomberg report, what do we make of it?
Board Member #1: Nada, complete bullshit.
Chair: Will it affect our sales?
BM #2: Nope, no one who buys our stuff gives a flying rat's ass about Bloomberg. Besides, Bloomberg sounds like a voice in the wilderness among all the rest of the news noise.
Chair: So not worth spending our expensive legal counsel on?
BM #3: Not unless you want piss off a lot of money advertising Bloomberg's claim and inflating it out of proportion.
Chair: Okay,
BLOG is the man's NAME (Score:2)
So I vote that we stop using it as a noun, or a verb, or--FFS--a job
Follow the money (Score:1)
What would they gain vs what would they lose if they were to confirm these rumors.
For sure China would make their life very hard, giving a big advantage to the competition (the many Apple's competitors or Alibaba when it comes to Amazon). Giving the stake these companies have in china these days, this is a huge loss.
What would they gain? At this point nothing to gain, from what i see.
So.. OFC it's false.