Apple Demands Retraction Of Bloomberg's Big 'Chip Infiltration' Story; Bloomberg Has Some Explaining To Do
from the not-looking-good dept
A few weeks ago, Bloomberg published a giant story claiming that Chinese spies did a somewhat daring supply chain hack on American big tech firms. The gist of the story was that servers from Super Micro had hidden chips that somehow were then used by Apple and Amazon (not to mention the US government), that allowed someone in China to access certain data. The story was a blockbuster that got everyone talking. But, almost as soon as it came out, a bunch of people started raising questions about the story. While the Bloomberg reporters claimed over a dozen sources, both Apple and Amazon came out with incredibly strong denials. Way stronger than is common in these situations. And while I know some cynical people insist that companies will lie about this stuff all the time, that is not actually true. Some companies may misrepresent things, or try to play down stories, but outright fabrication is not at all common (and the consequences of a company doing it would be severe). And here, both Amazon and Apple's denials were so clear, so specific and so adamant that it raised serious questions about the reporting.
Since there was so much confusion over it all, we held off on writing about it, figuring more information would come out in the days and weeks after the initial story. And so far, nearly all of the "additional info" has only served to raise significantly more questions about Bloomberg's reporting. Various government and intelligence agencies all claimed they had no evidence to support these claims. Again, some will argue that they are lying, and (again) while those agencies may have a history of misrepresenting things, the denials here were clear and unequivocal. The UK's National Cyber Security Centre (a part of GCHQ) said they completely supported Apple and Amazon that no such attack occurred. The US Department of Homeland Security said the same thing. Dan Coats, the US Director of National Intelligence, said the US intelligence community has seen no evidence of such an attack, which certainly undermines the Bloomberg story. Some of the folks quoted in the Bloomberg article even questioned the accuracy of the article, with one going so far as to say the article that he is named in... "didn't make sense."
Also, as reporter Nicole Perlroth noted, one of the reporters on the Bloomberg story -- Michael Riley -- had also done a story back in 2014 making bold claims that the NSA had exploited the Heartbleed bug, and multiple other reports ripped that story to shreds, with multiple people denying it and no one else confirming it.
Now, with this story, Apple has done something it's never done before: asked Bloomberg for a retraction of the article. That's a pretty big move -- and Bloomberg says it still stands by its reporting (as it did with the Heartbleed story).
However, at this point, Bloomberg has whittled away whatever benefit of the doubt there was left and set fire to the scraps. It's difficult to believe that Bloomberg's story was accurate, and the company and its reporters owe everyone an explanation -- or at least some additional evidence to support the reporting. I don't doubt that there is a kernel of truth in the story -- but given the vehement and thorough response from everyone, it certainly seems likely that the reporters on the Bloomberg piece misunderstood something big, leading to misreporting of things in a way that leads to a very inaccurate picture of what's going on. Bloomberg should, at the very least, appoint someone else to go through the work put in by reporters Michael Riley and Jordan Robertson, and explore whether or not the story really is accurate, and why it is that basically everyone is saying it's not.
Reporters can, and do, make mistakes. How they respond to such mistakes is the real marker of the ethics they and the organizations they work for hold. Considering Bloomberg stood by that Heartbleed story, perhaps we shouldn't expect such a reckoning at the publication -- but, at the very least, it's going to lead plenty of people to write off Bloomberg as a credible source on issues like these, and that's unfortunate, given that there are some really big and important stories having to do with computer security right now. Having one major publication show itself to be untrustworthy in its coverage would be very bad.
Filed Under: espionage, hacked chips, jordan robertson, michael riley, security, supply chain, surveillance
Companies: amazon, apple, bloomberg, super micro
Reader Comments
Yes, but first they must be an actual reporter
Listen to various chats, fueled by who knows what, believe it (for who knows why), publish and double down. Include the names of people who said that the initial info didn't make any sense, and clam up when the list of people that clearly knows better.
That is hardly a mistake. That is bad reporting. Bad publishing too.
[ link to this | view in chronology ]
Re: Yes, but first they must be an actual reporter
[ link to this | view in chronology ]
Re: Bad reporting. Bad publishing
Even journalistic icons like the New York Times and Washington Post have a long well-documented history of big "errors" ... including Pulitzer Prize for blatantly fabricated news stories.
Very unwise to automatically presume that the American corporate media are scrupulously honest in their reporting.
[ link to this | view in chronology ]
Re: Yes, but first they must be an actual reporter
So a couple dim journalists got played by some sources who have a murky agenda. They ran with the story without asking some other experts about the plausibility of the story. One of the keys of the story as I heard it was there was an extra chip on the motherboard.
Anyone who has ever looked at a motherboard would realize that a good inspection would catch this and the QA department would reject them as not meeting the specifications. Manufacturers will have a specification attached to the contract even if it is 'use model xxx as specified in the supplier's document yyy attached'. This is something anyone in manufacturing would be familiar with and would be familiar with incoming inspection procedures.
[ link to this | view in chronology ]
Re: Re: Yes, but first they must be an actual reporter
i found the report interesting as i've wondered how we could deal with such a situation were it to happen. the us government has been accused of intercepting and tampering with packages and software. can we trust any other state actor not to be doing the same?
[ link to this | view in chronology ]
First rule of spycraft
[ link to this | view in chronology ]
Since there was so much confusion over it all, we held off on writing about it, figuring more information would come out in the days and weeks after the initial story.
I noticed that, and had to follow the story over at Ars. On a completely unrelated note, has anyone ever had to get a latte at a strip-mall Starbucks because their local coffee shop's espresso machine was on the fritz?
[ link to this | view in chronology ]
Denials everywhere...
And here, both Amazon and Apple's denials were so clear, so specific and so adamant that it raised serious questions [whether they were ordered by the government to deny it].
[ link to this | view in chronology ]
Re: Denials everywhere...
[whether they were ordered by the government to deny it].
That is not happening. Like, that's tinfoil hat land. It's not happening. Companies might refuse to comment, or they might give some mealy mouthed answer. But the government wouldn't (couldn't) order companies to deny something, nor would the companies comply if they did.
[ link to this | view in chronology ]
Re: Re: Denials everywhere...
Otherwise we might have to conclude you're nothing more than a shillbot, a regulated "opposition" at the command of the powers that be.
[ link to this | view in chronology ]
Re: what magical palantir
I've worked in large public tech companies at high levels. I've been in meetings with NSA representatives, who came to ask "favors". Ask. Not demand.
The US government cannot, and does not, tell private firms what to say. And if they tried, the first thing the company would do is file a lawsuit over it (a very public one).
Mike is correct. To think otherwise is uninformed fantasy.
[ link to this | view in chronology ]
Re: Re: what magical palantir
Why do you say "very public"? When they sue over gag orders it's done in secret "Doe vs. government" form. People once thought that the government couldn't issue gag orders (apparently having somewhere got the idea that it's illegal for Congress to make a law abridging the freedom of speech).
[ link to this | view in chronology ]
Re: Re: Re: what magical palantir
They can't tell you that you MUST say Y.
[ link to this | view in chronology ]
Re: Re: what magical palantir
[ link to this | view in chronology ]
Re: Re: Re: what magical palantir
They can demand it, but enforcing the demand is another thing entirely. If Apple spoke out, how would the government shut it down? They probably couldn't get the courts to enforce the demand. The accepted legal distinction is they can instruct you not to speak, or to not express details, but they can not force you to lie. They can't even force you to express a government position with your own voice (IE, if forced professionally to say things you can express that this information is coming from the government rather than your own opinion or is your choice to express the information.)
So without launching an all out campaign of personal blackmail and disappearances, given the number of people who would end up knowing, they can't enforce that demand.
And given that Bloomberg should have evidence if this was actually true, such a campaign would be rapidly fruitless.
[ link to this | view in chronology ]
Re: Re: Denials everywhere...
That doesn't preclude the possibility of "hey Amazon, you get an awful lot of business from the government. It'd be a shame if that business were to go away, wouldn't it?"
I'm not saying either way, because I don't know either way. I thought the Bloomberg story was suspicious when it came out, and I thought it more than a little strange that Bloomberg is where it would be. But you seem far too confident in something that I doubt you can have personal knowledge of.
[ link to this | view in chronology ]
Re: Re: Denials everywhere...
The Government *could* "order" such. And it'd be "leaked" inside of fifteen minutes.
[ link to this | view in chronology ]
Re: Re: Denials everywhere...
However, I know that the large outfit I work for has lost track of things, and often does not know what all of its people are doing.
So *if* the story that is being denied is true, then a very small number of people at Apple need to be involved. "Three people can keep a secret...if two of them are dead!"
[ link to this | view in chronology ]
Re: Re: Re: Denials everywhere...
But an Official Story to be presented to anyone questioning?
Like I said, leaked before the gov't reps got out of the building.
[ link to this | view in chronology ]
Re: Re: Re: Re: Denials everywhere...
Think more as follows: Somebody testing a new server quietly investigates some anomalous network traffic from one of these servers, and tips off the NSA....who swears her and possibly her boss to secrecy.
NSA asks these people who is responsible for physical maintenance.... and pays that manager a visit, and swears them to secrecy. The compromised servers are rotated out as part of regular PM, but *much* sooner than they would be otherwise, and the guys lifting the racks don't know that anything special is going on...
Of course, if this was the actual sequence of events, you have to ask who is doing the leaking to the press, and why that leak wouldn't point to those people above who knew. Additionally, suppose the exploit was real and NSA knew about it...wouldn't it be to their advantage to let the chinese think it was undiscovered?? The case in favor of the bloomberg article being anything like the whole truth is weakened substantially.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Denials everywhere...
I find it far more likely that the "journalists" were baffled by conspiracy theory regarding that firmware and ran with it.
Huawei is "banned", but Apple is "allowed" at the moment. I can easily see a couple of engineers at Huawei coming up with a propaganda story to shift the claim of pre-exploited firmware to Apple.
But even that is a bit far-fetched when simpler explanations are available.
[ link to this | view in chronology ]
Re: Denials everywhere...
[ link to this | view in chronology ]
Re: Re: Denials everywhere...
On a completely unrelated note,
https://www.theatlantic.com/health/archive/2012/09/tin-foil-hats-actually-make-it-easier-for-the-government-to-track-your-thoughts/262998/
[ link to this | view in chronology ]
Re: Re: Denials everywhere...
[ link to this | view in chronology ]
Is it entirely possible that Bloomberg lied? Yes. Is it equally possible, or even more likely, that the others are lying? Yes.
Let's assume for a second the attack is real. Even if it weren't in the companies' best interests to deny it, it would still be in the government's interest, and the companies would be forced to deny it. The sheer number of heads that would roll would make sure that no intelligence agency would ever admit to it in public.
Now, besides denying it, what would we do if it were true? We would retaliate. Not in kind, because we don't have that capability, but with what is available to us. What have we recently been doing to China? Attacking their economy in a way that hurts us, but hurts them a lot more.
The fact that our actions to hurt China's economy also hurt ours indicate there are other reasons involved other than the purely economic. This is a candidate for being that reason.
[ link to this | view in chronology ]
Re:
Is it entirely possible that Bloomberg lied? Yes. Is it equally possible, or even more likely, that the others are lying? Yes.
I don't think either one is lying. I think the reporters likely got confused over something that did happen (but likely wasn't nearly as serious as this story implied), and the companies are, rightly, denying an incorrect story. Neither of those involves lying.
it would still be in the government's interest, and the companies would be forced to deny it.
Again, the government has no power here to compel private companies to deny. Compelled speech by the government is not something that is happening.
[ link to this | view in chronology ]
Re: Re:
Really, how gullible do you think we goys are? Do you really believe we don't know the reason that they are denying it is because they have done the exact same thing with all the hardware sold all over the globe for the past half century?
[ link to this | view in chronology ]
Extraordinary claims require extraordinary evidence.
Also: Take your anti-Semitism somewhere else—preferably Hell, if you can swing that.
[ link to this | view in chronology ]
Re: Semitism? Love it!
On a completely unrelated note, didn't Intel & AMD both have a 'Management Engine' backdoor last year?
Disclaimer; I supplied the bits and filmed the Bad Guy's brains that fell out in the first 'Tron' movie.
[ link to this | view in chronology ]
Re: Re: Semitism? Love it!
[ link to this | view in chronology ]
Re: Re: Re: Frisbee® deaths in China
Since the 'rendering' computers were running at a few megahertz, I built an aluminum rig to mount Chris's 1920's Bell&Howell 2709 on the Hong Kong hotel wall to shoot the animation cells coming back by mule from Red China (not Taiwan) where the 'ink & paint' was done for Tron.... still a State Secret.
After he got back and turned in the color negative, Disney needed a 'pick-up' shot of spilling brains, we shot that on an Oxberry that I bought from Lockheed Skunkworks the year before. Sadly, the parts and bits were replaced with Fruit Loops in the DVD release:(
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
You mean there's a First Amendment and, consequently, no law that can enforce such an order. You neglect extortion along the lines of, "You should do X so we don't have to review all your lucrative contracts."
Government power does not all derive from mere law.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
https://blog.eclypsium.com/2018/09/06/insecure-firmware-updates-in-server-management-systems/
Thing is these attacks are well known, and anyone will put very strict firewall rules on any BMC access.
[ link to this | view in chronology ]
Response to: Anonymous Coward on Oct 19th, 2018 @ 8:45pm
China can export every single product they've been exporting to us to any other nation on earth, and for the exact same price. While no other nation has the buying power of the US, many of them in aggregate - for example, the EU - totally do. Add to that the fact that tariffs are paid by the importers, not the exporters, and the effects of US tariffs on imports from China are felt almost entirely by US consumers, not Chinese manufacturers.
So no, the trade war is hurting us worse than them, and it will continue to for the foreseeable future because you'd have to get the entire EU, all of the richer middle eastern nations, and the half of South America that has some money to all join with us and tariff them together for it to have the desired effect, and none of those nations have any incentive to join us.
Trade wars can be won, but much like nuclear war, in the end everybody loses. This is a reality that a "lifetime politician" understands and that 99% of the business world doesn't because an individual business can usually work around a trade war, while a nation's economy as a whole cannot. Just another example of why electing a businessman - ANY businessman, regardless of party or ideology - is always, always, ALWAYS a bad idea.
[ link to this | view in chronology ]
Re:
And how would that work exactly?
[ link to this | view in chronology ]
Unknowable truth here...
Now, my factually unsupported opinion is that someone from the NSA put the reporters up to it because NSA TAO is thinking about such hacks, and they are looking for a smart PhD/maker/hacker to implement a proof of concept that they can then weaponize.
There is also the defense-in-depth aspect of this -- the publicity highlights the attack surface inherent in a board control computer that can reboot the server on command and feed it arbitrary firmware. So some other smart PhD will now figure out how to defend against something like this.
[ link to this | view in chronology ]
But?
If the object requires a piece made in a suspect area, and is carried into secure areas, what else might it be doing? Like an Apple watch, set to record what's going on during a visit. That is the owner spying, keeping a daily record of his travels. It's called a feature. Let's extend that a little further, was there a camera built into the watch?
Another feature, the voice, could have been hacked, could the camera have been hacked also. And those "built in features" include biometric monitoring, and a wallet, and what other information? The parts, and the boards are getting down to wafer size. What else is in there hidden from the user? Or was it added for consumer or ad revenue, or simple spying. If Bloomberg gives up the quest, we will Never know. A shame, I say, go Bloomberg, don't let the critics of knowledge stop you.
[ link to this | view in chronology ]
I guess they decided it was too difficult to convince the world the clipper chip was in their best interests, lol.
Possibly, they moved onto IOT as a way to spy upon everyone.
[ link to this | view in chronology ]
Surely if they didn't want people to realize they'd fallen for such a hack, they'd show people the original hardware and not pay to have it shredded and burned?
[ link to this | view in chronology ]
Re:
It was an exploitable system, so they changed over to a new system.
So far as I can recall, there were no claims of foreign OR domestic "hacks" via that firmware.
[ link to this | view in chronology ]
This reads like Apple/Amazon were using the hidden chips, rather than the servers, which would be a different story, I feel.
[ link to this | view in chronology ]
Read most of the Bloomberg report.
Compression is a great thing, but there are faults in it..
You CAN'T compress something beyond a certain level and have anything intelligible.
Text has the biggest compression rate but even THAT, has its problems. Compressing "Multi- key format worlds" like Chinese and Japanese, and a few other languages..Really can mess things up.
Take a picture that you need Lots of detail and compress it, A LOT..then return it to its uncompressed size, and run a compare program. There are Lost points/pixels. Things change when they get augmented, and computers are only so good at Compressing and Uncompressing.
Then you come to another Fact. Sending the data, in a Unnoticeable, from your computer, through a bunch of servers, BACK to its home. This is like a Leaky pipe in a house..It will be noticed eventually..because people want to know what's going THROUGH their servers.
the internet DOES use types of compression to make things faster, but MANY times it can Slow things down. because sending Compressed programs, AND THEN, compressing it again, don't work very well...AT ALL..
Can't see it happening.
Esp, if you are running this on server systems. The Amounts of Data are HUGE, and you are trying to sort, and compress this to send back home??
[ link to this | view in chronology ]
https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom
This article covers something that appears different from the original article. It looks plausible: the extra chip is in the connection between the Ethernet connector itself and the internal NICs in the CPU, which'd give it both network access and potentially access to the PCIe bus and/or the internal bus connecting components within the CPU. In a multi-layer motherboard I can see hiding some extra traces that'd be sufficient to give the chip enough access to monitor memory and the hard drives. Add in the claims that the technique was also found in NSA leaks back in 2013 (the TAO catalog from the NSA's Advanced Network Technologies group) and it looks like it falls into the "I really don't want to think they did that, but I can see too many ways they can feasibly do it and I know the potential payoff would be enough to tempt even a saint" category.
[ link to this | view in chronology ]
Response to: TKnarr on Oct 20th, 2018 @ 4:08pm
2) The problem with these sorts of hacks is that, while they absolutely can hide the data from the system with the chip installed, that data has to be sent back to Spymaster HQ somehow. That can either be through the device itself - which runs the risk that an uncompromised system on the network can detect it, easily - or some sort of wireless transmission - which can be easily detected with a $10 RF scanner.
Any infrared system needs line of sight so couldn't transmit from a datacenter in California or New York all the way around the curvature of the earth back to China (disregarding the fact that IR light that strong would be impossible to miss and likely also give anyone nearby instant sunburns and probably 5 minute cancer). Any satellite-based system is just directional RF that you'd also pickup with the RF scanner.
I could keep going on but the point is made, I hope. This type of hack has never been widely deployed because it's too hard to deny and it's completely impossible to hide. You could target it at a specific user or device - Trump's Tweet Phone is a prime target - but the odds that your chip winds up in the right finished device are astronomically low.
Now, in theory, you could put the chip in every device that fits the make/model and then use some sort of special code to activate the chip later. This would give you a far lower risk of detection and if your target isn't someone super-important like POTUS (maybe someone like a major CEO or even CTO instead) the odds that their IT department will be able to identify your little chip are low. In short, it could work as a hardware-based spear phishing attack.
But that's one hell of a lot of money to spend on such an attack. You'd have to be targeting someone with some VERY juicy info - either insanely good blackmail material or extremely valuable IP - and one bad choice of targets and all your effort and expense is for naught.
[ link to this | view in chronology ]
Re: Response to: TKnarr on Oct 20th, 2018 @ 4:08pm
As to #2, these chips were installed in the Ethernet connector itself. That means they have access to the physical Ethernet so they can inject their own packets in between legitimate packets. And if you'd read the article, the extra network traffic that would imply was exactly how they were in fact detected according to the author.
As to #1, go look up the specs for Intel's chipsets like the current X299. They include on-board network hardware (specifically an Intel I219) which is connected to the Ethernet connector itself via a PCIe x1 and the SMBus. That would give hardware embedded in the Ethernet connector a nice neat line into the hardware's internals.
And perhaps it might be a lot of money. Maybe. Remember that this is China, which specializes in manufacturing chips for electronics manufacturers. I'm pretty sure their government could fund a fab line for the necessary chip, they could probably even piggyback it onto an existing fab line other companies were paying for. Installing it in every Supermicro board manufactured in China wouldn't be expensive, it's just a small tweak to the cost they're already charging Supermicro to manufacture the boards after all. Putting it into every board would actually make it less likely to be detected since there'd be no anomalies in the components to be noticed and the chip is probably on the original blueprints labelled as something innocuous so anyone checking would see that the connector's exactly as specced. You'd need to actually peel the chip apart before you'd find any hint of anything wrong. Or be monitoring for unusual network traffic, and that's often difficult as there's so much and only the most paranoid would go to that effort. Your targets wouldn't be the high-security networks that'd be the main places that'd spot that traffic either, they'd be the lower-security stuff in big datacenters where you can scoop up information from the commercial side where security isn't nearly as tight. Set the chip up to do a limited number of time-delayed pings at first power-up and shut itself off if it didn't get a response and by the time anyone looking notices the traffic and goes hunting for the source the trail's gone cold.
As for juicy, remember that the government contracts out almost all of its military hardware. You may not be able to steal the designs from the government, but scoop up the info on what the civilian subcontractors are making for the contractors making the hardware and you can get a pretty good idea what's being delivered. Plus the sheer monetary value of simple commercial espionage, of course, and commercial security is a complete joke as we've witnessed time and time again.
[ link to this | view in chronology ]
Re: Response to: TKnarr on Oct 20th, 2018 @ 4:08pm
All modern CPUs are actually SOCs to some degree (eg. integrated Northbridge / memory controller). What do you mean by "not literally part of the same chip?" Don't they have everything but the PHY in the same wafer stack?
[ link to this | view in chronology ]
Yeah...No
[ link to this | view in chronology ]
Re: Yeah...No
And the old Authors about 1984, type things..
Even a recent article here about DHS wanting to cover ALL travel in the USA...another way to bag and tag everyone..
Anything can be done..
but the costs and the secrecy needed is horrendous..
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Yup it just happened coincidentally all at the same time.
What vile hypocrites you people are.
[ link to this | view in chronology ]
If you could prove it, you would have done so already.
[ link to this | view in chronology ]
People should listen to this interview with the engineer who was a source on the story:
https://risky.biz/RB517_feature/
The whole thing is complete bullshit. The photo they used of the secret spy device is the same thing this guy linked them to on Mouser when the author asked for an example of a small device. He said his descriptions of theoretical attacks match exactly what the author wrote about how the attacks worked.
[ link to this | view in chronology ]
Re:
So all that shows is that Bloomberg's other sources didn't provide specific technical details of the attack, not that no attack occurred. It is, however, reason to doubt that the story accurately describes the actual mechanism used.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I can't blame them
So yeah, we really can't blame Bloomberg for trying to fabricate a story out of thin air. They learned it from watching mom and dad.
[ link to this | view in chronology ]
Re: I can't blame them
People who refer to the media as though it were one homogeneous unit that works in unison all publishing the same stories ... well, they are quite wrong in their oversimplifications. I find it useful to read a variety of sources and intentionally look for counter arguments because well - many people out there are liars but not everyone regurgitates the same lies. Eventually you begin to get the idea of wtf is going on - maybe. Depends upon how good the cover up is.
[ link to this | view in chronology ]
Please cite the 8 working examples...
I flunked mind-reading class, and have been thrown out repeatedly for having absolutely no skill at it!
[ link to this | view in chronology ]
It used to be...
When did that change? I swear, I can remember that being normal.
[ link to this | view in chronology ]
Re: It used to be...
[ link to this | view in chronology ]
Maybe the story is right but the government named is wrong
[ link to this | view in chronology ]
Apple was extremely strong and powerful in his denial today :)
[ link to this | view in chronology ]
Apple did pull a bunch of Supermicro units out of service about the time the story claimed the chips were discovered. Apple claimed a firmware issue. Believable cover story if there really were spy chips.
Amazon did sell off one of their China operations about the time the story claimed Supermicro boards were found in the China operation. Amazon claimed the sale was due to increasing China Govt interference in their operations. Again, a believable cover story as China is increasingly exerting government oversight over Internet in China.
Further, the story claimed the magic chips were added at a sometimes used subcontractor for Supermicro. Unlikely that batch number 3 from a subcontractor would get the same QA look over that the first qualification batch would get, making it a better time to add the magic chip.
But at some point, a modified board needs to be produced and that hasn't happened. Where did the retired Apple servers go? Either there are magic chips on them or not. Unlikely we could inspect the former Amazon China operation at this point for compromised boards.
Given the failure to produce a modified motherboard, might be worth investigating any possible connection between the folks that reported this story and people/companies that made money from the large drop in Supermicro stock.
[ link to this | view in chronology ]
Re:
One podcaster I listen to mentioned that he had what would have been a suspect motherboard in his specialized, very expensive, video recording setup. Unfortunately, he traded it back in when he upgraded. Perhaps they were being removed from circulation through planned obsolescence.
[ link to this | view in chronology ]
Bonus chip the least plausible part
[ link to this | view in chronology ]
Re: Bonus chip the least plausible part
Note that Supermicro HQ and design work is in the US; only the actual fabrication is done in China.
[ link to this | view in chronology ]
This article starts with incorrect and misslead
[ link to this | view in chronology ]
This article starts with incorrect statement right from the top
"The gist of the story was that servers from Super Micro had hidden chips that somehow were then used by Apple and Amazon (not to mention the US government), that allowed someone in China to access certain data."
The gist of original article was that Chinese spy agency has changed / compromised products of Super Micro - servers by hardware hack adding additional chips in hardware design. Those servers were then sold to Apple, Amazon & others. Hidden chips were used then by Chinese spy agency to access servers and article never claimed that hidden chips were used by Apple or Amazon. US government was mentioned in relation of similar hardware hacks that happen prior, based on leaked documents and not related to this incident.
Apple and Amazon are claiming that they never detected - discovered this hardware hack which was also mentioned in original article. Apple took position that this never happened too - also in original article or maybe in some that followed.
This is at least what I read in original article.
Thanks,
Vlad
[ link to this | view in chronology ]