Regarding Apple's denial, there are other publications that corroborate the Bloomberg story. Previously, Apple has denied security incidents even when multiple outlets report it. For example, last year, The Information reported Apple discovered malware on Super Micro servers in their development and production environments [1]. As a result, the Information claimed that Apple ended up terminating its relationship with Super Micro.
In response to the report, an Apple spokesperson denied there was a security incident, stating: "We’re not aware of any data being transmitted to an unauthorized party nor was any infected firmware found on the servers purchased from this vendor."
However, based on sources from within Apple, Ars Technica claimed Apple employees did find compromised firmware in Apple's design lab. Super Micro SVP of Technology also reported Apple terminated its relationship with them.
Which makes it more curious. Last year, Apple PR denied existence of the security incident, but today they admitted it actually happened. That is a contradiction.
It does not seem like this story is true. If it's true, it makes absolutely no sense for Apple and Amazon to attack Bloomberg. Sure, a national security letter could force them to stay quiet, or maybe even to lie to the public and say it didn't happen, but it can't make them criticize Bloomberg. Attacking Bloomberg if the story is true is only going to convince Bloomberg to dig deeper. And the story isn't even that bad for Amazon or Apple - it's much worse for US-China relations than it is for either of those companies.
The key technical detail of what these chips are allegedly doing also does not make sense. From the article:
the chips allowed the attackers to create a stealth doorway into any network that included the altered machines
How can you get around a firewall by using a compromised machine that's part of the internal network?
I don't think Bloomberg reporters are just making stuff up. But the technical confusion here makes me suspect that the government officials who leaked this story just didn't understand the details of a real incident that happened, and in the leaking the story got mangled into inaccuracy.
The actual details on the hardware are also sketchy. Based on my reading of the article, this wasn't a chip swap where one chip is replaced by a backdoored version. The article implies that this was an extra chip so either dozens (possibly hundreds) of engineers were in on the operation from the beginning to slip the chip into the design undetected or the chip was mounted without any changes to the board design. The former is much riskier than backdooring the chips and the latter, as far as I know, has not been done before with a nontrivial chip.
Fitting any chip capable of exfiltrating a nontrivial amount of data onto a modern motherboard without going through many rounds of simulation or significantly impacting performance, while also putting it in a place it is capable of intercepting valuable data is practically impossible. Hell, just getting the right power domains wired to the chip is going to be tough enough.
The most plausible theory I have seen so far it that this chip was embedded in the pcb below an empty pad for the backup flash that loads the management system firmware.
Three reasons this would work well:
1. The pad looks empty on casual inspection.
2. The data and power traces are already routed to that spot
3. The management system is already set up to load from this flash if it is populated.
Placing it on a low speed SPI read/write trace to the flash chip containing the BMC firmware is entirely plausible, and in no way would require "dozens (possibly hundreds) of engineers."
It depends. These chips were specifically connected to the BMC/IPMI:
>The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.
Is your OOB-management VLAN/network firewalled off from outgoing access to the internet? If not, this chip can make requests out to another host, who gives it code to run. This code can then either collect data and send it back out, or do other nefarious things.
The BMC is always on a maintenance vlan for any organization worth its salt. The software stack on those things doesn't deserve to see the light of the day. If you open it up to the internet, you will get pwned, china or not. So there seems to be something missing. It can't just be a compromised BMC.
Edit: Now that I think of it, a compromised BMC can inject payloads into the running OS, depending on the sophistication of the attack and the defenses of the OS. So it does seem possible.
> And the story isn't even that bad for Amazon or Apple - it's much worse for US-China relations than it is for either of those companies.
If true, it's pretty bad. For one thing customers will be more wary of buying hardware from China. If they move manufacturing elsewhere (or, for Amazon, source hardware elsewhere) they would have higher costs and lower margins, if they don't and a competitor does they lose business.
On top of that, people are already wary of the privacy implications of these companies having all your data, but most are willing to trust major US companies. If it looks like they can't keep it secure against random Chinese companies engaged in industrial espionage, more customers will conclude that operating servers in-house is the better choice.
It goes beyond that. If this story were in fact true, what we're witnessing is large companies whose entire business is built upon user trust setting fire to themselves. Who'd ever trust AWS again with anything of consequence if it turns out the denial is false?
I don't buy it as written. There's something else here.
What would lead to more of a loss of trust? Revealing to your customers that you hid a massive hack for a few years (even if the government required you to) or insisting that Bloomberg is lying, when you know all the other relevant players will also insist on the same.
> Who'd ever trust AWS again with anything of consequence if it turns out the denial is false?
I agree it makes little sense to attack and deny rather than just stay quiet or keep it to a minimal PR blurb. But I think you're overestimating the amount of blowback they would get if they're lying. Most people just wouldn't care. It might be the decisive factor in a bigger company deciding where to put something new and them going to Oracle Metal or something, but I am really skeptical their bottom line would suffer because of this one thing.
> How can you get around a firewall by using a compromised machine that's part of the internal network?
Reverse shell depending on how you have the firewall set up. Most firewalls don't block outbound packets, and even if they do you can tunnel over an open port.
> If it's true, it makes absolutely no sense for Apple and Amazon to attack Bloomberg.
If you are a major company, are you going to use AWS if you believe their hardware is pwned?
I find the lack of real technical information quite surprising, not just on bloomberg, but here as well. The previous big thread that you can scroll endlessly has anecdotes and chit-chat but nothing on the actual technical details.
China (or the NSA) hacking into something is non-news. Everybody expects that, especially since Snowden. It's their job, and the news would be them failing to do it.
That is my question as well, without getting their hands on the machine, how do the attackers start the attacks? And in case of AWS, since everything is so virtualized, does it make sense to install a hardware backdoor if it cant even map to your true target?
It could probably make more sense as a backdoor when the hackers get hold the access to the physical device, it is however quite incredible to me that this hack is designed for a remote network access, and could go unnoticed from infosec within the company if it is truly sending packets outside the firewall...
> That is my question as well, without getting their hands on the machine, how do the attackers start the attacks? And in case of AWS, since everything is so virtualized, does it make sense to install a hardware backdoor if it cant even map to your true target?
Nation states have the manpower for spray-and-pray attacks. They have less need for precise targeting.
> It could probably make more sense as a backdoor when the hackers get hold the access to the physical device, it is however quite incredible to me that this hack is designed for a remote network access, and could go unnoticed from infosec within the company if it is truly sending packets outside the firewall...
How is it incredible? Infosec isn't perfect. Equifax was hacked in part because their IDS system was offline due to an out-of-date certificate [1]. That system would have caught the exfiltration of data if it had been active.
Also, Amazon AWS must have all kinds of crazy traffic flowing through its network due to its customers. My gut feel is that it would be incredibly hard to characterize that traffic in order to proactively detect many kinds of nefarious traffic. The Bloomberg article stated they were easily able to find the traffic from these implants...but only after they knew what to look for.
For major major reports like this, reputed newspapers are rarely wrong. See WSJ John Crareyou of Theranos. Theranos vehemently denied it, MSM was with Theranos and at least they weren’t outright against them. Then they did more digging etc.
The Washpo digging on Roy Moore, the NYT digging on Clinton Foundation, etc. these are experienced reporters having 15-30 credible sources, evidence etc. every time this happens, everyone denies and slowly little by little the story finds more evidence and facts and it becomes true.
This is why a free press is soooo important
Why would Apple disclose that millions of their products could be hacked and you’ve lost all your privacy. Who would trust them? They’d lose billions, regulations would come etc. it’s in the best interest for every party to deny.
On the other hand, Newsweek was wrong about Satoshi.
My suspicion is that there are many cases where the Chinese government is actually trying to insert backdoors into things, and that in particular Supermicro really has been compromised by the Chinese government, but the technical details of this chip are incorrect. That explains why so many government officials are eager to leak information to Bloomberg, but at the same time the technical details don't really make sense.
It isn't really in Amazon's and Apple's best interest to lie about this. When Gmail got hacked by the Chinese government, Google was pretty honest about it. China has a lot of resources so you can't really expect companies to fend off 100% of attacks on their own; it makes sense for them to acknowledge this publicly and get help from the US government when needed.
The Newsweek that published that article and the Newsweek that built the brand reputation are entirely separate entities.
The current Newsweek is no more formal journalism than Gawker is, which is to say occasionally they'll get big scoops but most of the time they're in the mud trying to get clicks/eyeballs.
Note that Facebook and Apple have confirmed that they had heard about and actually saw, respectively, security issues with compromised software updates from Supermicro - it's only the chip story they're denying. https://www.bloomberg.com/news/articles/2018-10-04/the-big-h...
So counter to your point, Bloomberg reported on a mid-sized company I worked for. The vast majority of the article was sourced from one disgruntled employee, and was completely untrue based on objective facts. An example I could verify visually was the supposition that executive X was hardly in the office. I sat 30 ft from executive X, and he was there every day.
I'm not saying this particular article is incorrect, just that I wouldn't strongly assume either direction without more information.
Was that a highly detailed front page investigative story? Because I’m specifically talking about those. For other cases, they are wrong quite frequently, some of the nonopinion articles on Bloomberg are often a few rungs above college journalism reporting. All elite papers are the same in that regard. The Nytimes just a few weeks ago they had a story that Nikki Haley spent tens of thousands of dollars on curtains and a possible corruption scandal which was easily disproven hours later. Those are usually junior journalists working on it alone, sometimes creating a story rather than reporting on one and fitting all the facts to match a singular narrative. These ones I’m talking about are different. They have a much higher level of checks and due dillegence.
Edit: I absolutely could be wrong and things could be disproven in this, but just in my experience highly detailed articles like this are usually right on the money or close but just like everything in the world, can’t say anything with certainty.
I think respectable MSM rarely lie about having sources and sources having said what they claim they said. However, sources can be chosen, and sources can lie, so the question is how deep your trust goes. This is why anonymous sources are always very problematic - you can trust that the paper accurately reported that somebody said something, but you have no idea if that somebody was lying or not.
You mean major major reports like Iraq WMDs?[1] Yeah, the press never gets major stories sourced from government sources wrong.
> Why would Apple disclose that millions of their products could be hacked and you’ve lost all your privacy. Who would trust them?
You've got it perfectly inverted. This is exactly why Apple would come clean if they've been hacked by a nation state and take further steps to protect their customers.
Case in point: This happened to Google.[2] Can you imagine how much trust Google would destroy if they vehemently pretended that the hacking never happened? As opposed to going public ASAP with an action plan, which is what they did -- and it improved trust.
These conspiracy theories are never very well thought through. Conspiracies leak. Remember how Watchmen ended?
Agreed, I think you've stated your point better than I have further down in the thread based on my down votes.
The American press is not perfect, but over the years I've been really impressed with the journalistic skill of our major publishers. Just this week the New York Times had an extensive story regarding the president's tax returns, they claim to have access to hundreds of thousands of documents and spoke to dozens of sources. I'm more inclined to believe Bloomberg's journalistic integrity than the denials of Apple, Amazon and China.
I'd also underline how convenient this news is for the current administration - move production back home. The article is much more damaging to the Chinese hardware suppliers than Apple/Amazon which will likely get over it soon.
This is exactly it. There's no cost to deny, deny, deny until it's impossible, then "oops, after extensive investigations we've found the claims to be true on a limited number of devices...".
But Bloomberg is reporting thousands of affected devices and Apple/Amazon have said they've already done extensive investigations and are totally denying it. That means they both would certainly have to be lying. And there's an enormous cost to that. Very different from being vague or leaving an "out" when the truth comes out.
On the other hand, NYTimes was wrong about WMD in Iraq, and those articles were sourced from numerous anonymous government officials. Turns out, just as in this case, those government officials had an agenda. In 2003, it was starting a pre-emptive war against Iraq, and in 2018, it seems trade wars with China are popular... perhaps we can connect some dots.
How much of an individual user’s data has been compromised? As far as I understand, as long as you’re not using iCloud, you’re pretty well-protected. Is that inaccurate?
Seems odd that national security officials would outright lie about a computer chip being implanted on hardware. Occam's razor tells me Amazon/Apple are trying not to sour ties with their suppliers.
If you’re looking for a motive, how about this administration’s obsession with getting manufacturing jobs “back” to the US? Seems to me that this along with the current trade war, could be part of a strategy to do just that.
Agree. Bloomberg is taking on the two biggest companies in the history of capitalism and China. And they doubled down on their claim after the initial refutations from A&A. So I’m pretty configent they made double extra sure their facts were correct before they published.
The article doesn’t have to be correct, it just has to be well sourced. If it turns out to be incorrect, then it becomes a story about how or why the sources got it wrong.
On the contrary, when the reports concern China, almost none of these media is trustworthy. I’ve been reading those articles in the past, and checking their original source of information or comparing reports/announcements from multipe sources, only to find that those reports are very often full of information from unreliable sources, misunderstanding or plain lies. Even when they report some truths, they can be very selective on the truths to report to reinforce their existing opinions. Reading those reports about China is very like reading Foxnews. I basically stopped reading those now.
Free media is nice, but articles are written by normal people. It’d be silly to trust whatever you can read
Can National Security Letters can be used to require companies to issue outright lies to the public? The bloomberg article indicates that the investigation is not complete, so that could be on explanation for the apparent disconnect between a seemingly well-reported story and the unsually forceful denials.
Today's Money Stuff ponders another angle of this: whether those companies would be committed securities fraud by abiding by such a request:
> I do not think that the securities laws explicitly allow companies to make false statements of material fact if required for national security, but you could see giving them a pass here.
What if the story is bigger than Bloomberg or anyone else publicly knows at this point? That is, if the government turned over this rock and found something worse.
The US Government could easily find it in its self-interest to make a deal, involving the SEC, on a national security basis, to allow Amazon and Apple to go the denial route with the US Government giving them guarantees regarding fallout.
If it's worse than Bloomberg has reported, it would be highly desirable by the US Government to keep the rest as quiet as possible for as long as possible, to get at as much of what China is doing as possible. They might be running a counter intel program by now that relies on something China was doing.
What's more likely is someone on the inside of one of these companies was privy to the discovery, but not the follow up.
I've been in such a situation myself where I was in the room during what LOOKED like a DDOS by Akamai 10 minutes after we got off the phone with them to turn down their CDN services.
In much the same way as Apple is refuting this claim, after a few weeks of internal debate above our pay grade we decided we didn't see it and it didn't exist and therefore it didn't.
Perhaps these things aren't handled at the level of "company"?
For a national security-related issue, you might just include the minimum number of people that need to know, which would naturally not include your PR team. Then when an article like this comes out, the PR team responds in exactly the way they would if it were an outright fabrication, which is what the goal would be.
Even though this could be the case (that the security team is under a gag order and the marketing/PR team don't know about it), I'm pretty sure a "no comment" response from security would signal the PR team to maybe downplay the whole thing. The active refusal is a bit too strong for just being a miscommunication.
No but the gov might be unhappy that the secret is out while they were trying to use the chips to infiltrate/reverse engineer wherever the chips were reporting to? Amazon has gov contracts it wants to protect so Im not surprised they would deny this at the govs request, and Apple's #1 product is privacy so having something like this show up on their servers would undermine that product strategy so I can understand their denial too (homegrown or at the govs request)
This seems like the most likely reason for domestic companies to deny everything, and for their supply chain distributors to play along.
1) Big company partners with distributor.
2) Distributor has security issues.
3) Gov is already aware of security issues, says nothing.
4) Big company becomes aware of issues.
5)Gov steps in and pitches a deal:
i)Both big company and distributor must deny.
ii)In return, gov gets to:
iii)Preserve any existing contracts
iv)Protect the big company and distributor, with any legal, trade, or commercial benefits
> Amazon has gov contracts it wants to protect so Im not surprised they would deny this at the govs request, and Apple's #1 product is privacy so having something like this show up on their servers would undermine that product strategy so I can understand their denial too
Additionally, Amazon and Apple are two of the still allowed to compete western companies in China that they haven't booted out of their markets, it could be that Amazon and Apple also want to retain the Chinese market and don't want to appear like they are helping while they have the cover of the NSL.
Amazon and Apple are caught in a tough spot and the hardware issue/espionage device is definitely true. It is probably just that the people that know in the company aren't allowed to say and the PR team is not part of that 'need to know' group. Either way, trust of Chinese manufacturing is over, which hits Apple very hard in both market and domestic trust.
> But in my experience, Apple PR does not lie. Do they spin the truth in ways that favor the company? Of course. That’s their job. But they don’t lie, because they understand that one of Apple’s key assets is its credibility. They’d say nothing before they’d lie.
"Saying nothing" is indeed an extremely common move for Apple PR. "An Apple spokesperson declined to comment" is such a proverbial reaction that it would be considered completely standard operating practice here.
If the US files injunctions for relief, federal court (FISA) justices can probably compel you to do just about anything. Presumably the Bill of Rights still pertains and takes precedent. But it's not ludicrous to think that you could be compelled to issue a denial or not issue an affirmation of the public claims.
Bloomberg reported that the startup I worked for was for sale and the founders were pitching it to potential buyers. Internally, they vehemently denied the report and said Bloomberg completely made it up. Bloomberg was dead on the money. That's not to say every journalist/article they publish is going to be spot on, but I definitely give them enough credit that I will believe this report until proven unequivocally not true by the accused.
A CEO shopping a private startup has every incentive to lie to his employees in that scenario and little reason not to.
On the other hand, Apple and Amazon have huge reasons not to blatantly lie about this. The plaintiffs bar would be all over both companies for material false and misleading statements if this turned out to be true (see also Elon's recent experiences with the SEC).
Apple and Amazon are certainly incentivized to not admit bad facts, to spin facts, to issue misleading unclear statements that read as a denial but are not, etc. But I really don't think the legal teams at either company would let executives get away with issuing such full-throated and clear denials if they were untrue.
yeeaaah...on the other hand, they could be pulling a hat trick from the FCC playbook. "I had no idea it was legitimate users leaving feedback and the guy I trusted to inform me no longer works here. I was told everything was fine!" Plausible deniability goes a long way when you have enough money/political support or are "too big to fail". It happens. Often.
What if Apple or Amazon didn't find the chips but other investigators found them in Apple/Amazon servers. That would make their denial wording technically true. They didn't say no chips were found, they just said they didn't find any.
This is this is similar to all the backdoored Cisco devices the FBI found all over the government. If they are doing it at all they would have a complex plan and this would be one of the many approaches. Even scarier IMHO are the CPU fabrication hacks that add in an imperceptible backdoor directly in the chip logic. A recent report showed how CPUs can be backdoored at critical points in the fabrication process by a single operator that would be incredibly hard to detect. We are talking instruction patterns that charge capacitor buffers that allow privileged access once a threshold is reached. Amazing really.
>But they don’t lie, because they understand that one of Apple’s key assets is its credibility. They’d say nothing before they’d lie.
This is so typical of Gruber as an evangelist.
There's no way that Apple would remain silent on this even if they KNEW it were true. The only possible move is denial.
Silence is validation or uncertainty, a statement of ambiguity will tank the stock and reputation as experts, recognition of even partial truth could possibly destroy their supply lines overnight.
I honestly think the corporate denials here need to be outright ignored because they have so much to lose. A story of this magnitude is basically like pointing a gun to someone's head and asking them for permission to pull the trigger.
You can theorize all sorts of conspiracies, like the government planting the story to distance China... so it's possible Bloomberg was mislead.
I think at this point it's more believable the story is true, because Bloomberg is the most credible participant at this point... they're anonymous sources, but as long as Bloomberg did their due diligence as journalists, they've validated their (numerous) sources as credible.
...and like you said, all these corporations have MASSIVE amounts to lose. Just check out what Trend Micro's stock is doing today.
> What incentive do you see for Bloomberg to report a major story and lie!? Why would they do that?
just like all of their other stories on Apple products/etc that have been wrong - page clicks and ad revenue. Writing about Apple gets you both. the WSJ is in the same boat. Quoting vague "sources briefed on the matter" is just mysterious enough to keep the reader on the hook for more. I haven't trusted Bloomberg to report anything accurate about Apple for years now.
Readit News
In response to the report, an Apple spokesperson denied there was a security incident, stating: "We’re not aware of any data being transmitted to an unauthorized party nor was any infected firmware found on the servers purchased from this vendor."
However, based on sources from within Apple, Ars Technica claimed Apple employees did find compromised firmware in Apple's design lab. Super Micro SVP of Technology also reported Apple terminated its relationship with them.
I believe we are seeing the same situation here.
[1] https://arstechnica.com/information-technology/2017/02/apple...
The key technical detail of what these chips are allegedly doing also does not make sense. From the article:
the chips allowed the attackers to create a stealth doorway into any network that included the altered machines
How can you get around a firewall by using a compromised machine that's part of the internal network?
I don't think Bloomberg reporters are just making stuff up. But the technical confusion here makes me suspect that the government officials who leaked this story just didn't understand the details of a real incident that happened, and in the leaking the story got mangled into inaccuracy.
Fitting any chip capable of exfiltrating a nontrivial amount of data onto a modern motherboard without going through many rounds of simulation or significantly impacting performance, while also putting it in a place it is capable of intercepting valuable data is practically impossible. Hell, just getting the right power domains wired to the chip is going to be tough enough.
EDIT: https://news.ycombinator.com/item?id=18138638
>The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.
Is your OOB-management VLAN/network firewalled off from outgoing access to the internet? If not, this chip can make requests out to another host, who gives it code to run. This code can then either collect data and send it back out, or do other nefarious things.
Edit: Now that I think of it, a compromised BMC can inject payloads into the running OS, depending on the sophistication of the attack and the defenses of the OS. So it does seem possible.
If true, it's pretty bad. For one thing customers will be more wary of buying hardware from China. If they move manufacturing elsewhere (or, for Amazon, source hardware elsewhere) they would have higher costs and lower margins, if they don't and a competitor does they lose business.
On top of that, people are already wary of the privacy implications of these companies having all your data, but most are willing to trust major US companies. If it looks like they can't keep it secure against random Chinese companies engaged in industrial espionage, more customers will conclude that operating servers in-house is the better choice.
I don't buy it as written. There's something else here.
I agree it makes little sense to attack and deny rather than just stay quiet or keep it to a minimal PR blurb. But I think you're overestimating the amount of blowback they would get if they're lying. Most people just wouldn't care. It might be the decisive factor in a bigger company deciding where to put something new and them going to Oracle Metal or something, but I am really skeptical their bottom line would suffer because of this one thing.
Deleted Comment
Reverse shell depending on how you have the firewall set up. Most firewalls don't block outbound packets, and even if they do you can tunnel over an open port.
> If it's true, it makes absolutely no sense for Apple and Amazon to attack Bloomberg.
If you are a major company, are you going to use AWS if you believe their hardware is pwned?
It makes a perfect sense to protect from a potential devastating blow to stock price.
China (or the NSA) hacking into something is non-news. Everybody expects that, especially since Snowden. It's their job, and the news would be them failing to do it.
And yes, I had the problem with my Lenovo desktop.
It could probably make more sense as a backdoor when the hackers get hold the access to the physical device, it is however quite incredible to me that this hack is designed for a remote network access, and could go unnoticed from infosec within the company if it is truly sending packets outside the firewall...
Nation states have the manpower for spray-and-pray attacks. They have less need for precise targeting.
> It could probably make more sense as a backdoor when the hackers get hold the access to the physical device, it is however quite incredible to me that this hack is designed for a remote network access, and could go unnoticed from infosec within the company if it is truly sending packets outside the firewall...
How is it incredible? Infosec isn't perfect. Equifax was hacked in part because their IDS system was offline due to an out-of-date certificate [1]. That system would have caught the exfiltration of data if it had been active.
Also, Amazon AWS must have all kinds of crazy traffic flowing through its network due to its customers. My gut feel is that it would be incredibly hard to characterize that traffic in order to proactively detect many kinds of nefarious traffic. The Bloomberg article stated they were easily able to find the traffic from these implants...but only after they knew what to look for.
[1] https://www.bankinfosecurity.com/postmortem-behind-equifax-b...
The Washpo digging on Roy Moore, the NYT digging on Clinton Foundation, etc. these are experienced reporters having 15-30 credible sources, evidence etc. every time this happens, everyone denies and slowly little by little the story finds more evidence and facts and it becomes true.
This is why a free press is soooo important
Why would Apple disclose that millions of their products could be hacked and you’ve lost all your privacy. Who would trust them? They’d lose billions, regulations would come etc. it’s in the best interest for every party to deny.
My suspicion is that there are many cases where the Chinese government is actually trying to insert backdoors into things, and that in particular Supermicro really has been compromised by the Chinese government, but the technical details of this chip are incorrect. That explains why so many government officials are eager to leak information to Bloomberg, but at the same time the technical details don't really make sense.
It isn't really in Amazon's and Apple's best interest to lie about this. When Gmail got hacked by the Chinese government, Google was pretty honest about it. China has a lot of resources so you can't really expect companies to fend off 100% of attacks on their own; it makes sense for them to acknowledge this publicly and get help from the US government when needed.
The current Newsweek is no more formal journalism than Gawker is, which is to say occasionally they'll get big scoops but most of the time they're in the mud trying to get clicks/eyeballs.
That hack involved several companies, most of whom were not up front about it.
I'm not saying this particular article is incorrect, just that I wouldn't strongly assume either direction without more information.
Edit: I absolutely could be wrong and things could be disproven in this, but just in my experience highly detailed articles like this are usually right on the money or close but just like everything in the world, can’t say anything with certainty.
> Why would Apple disclose that millions of their products could be hacked and you’ve lost all your privacy. Who would trust them?
You've got it perfectly inverted. This is exactly why Apple would come clean if they've been hacked by a nation state and take further steps to protect their customers.
Case in point: This happened to Google.[2] Can you imagine how much trust Google would destroy if they vehemently pretended that the hacking never happened? As opposed to going public ASAP with an action plan, which is what they did -- and it improved trust.
These conspiracy theories are never very well thought through. Conspiracies leak. Remember how Watchmen ended?
[1] https://theintercept.com/2015/04/10/twelve-years-later-u-s-m...
[2] https://en.wikipedia.org/wiki/Operation_Aurora
The American press is not perfect, but over the years I've been really impressed with the journalistic skill of our major publishers. Just this week the New York Times had an extensive story regarding the president's tax returns, they claim to have access to hundreds of thousands of documents and spoke to dozens of sources. I'm more inclined to believe Bloomberg's journalistic integrity than the denials of Apple, Amazon and China.
This is exactly it. There's no cost to deny, deny, deny until it's impossible, then "oops, after extensive investigations we've found the claims to be true on a limited number of devices...".
There's a cost to damaging your credibility.
EDIT: Not sure if it's related, but in 2015 Reddit removed it's canary [2].
[1]: https://www.theregister.co.uk/2014/09/20/apples_warrant_cana...
[2]: https://old.reddit.com/r/announcements/comments/4cqyia/for_y...
Deleted Comment
Free media is nice, but articles are written by normal people. It’d be silly to trust whatever you can read
Deleted Comment
Dead Comment
> I do not think that the securities laws explicitly allow companies to make false statements of material fact if required for national security, but you could see giving them a pass here.
https://www.bloomberg.com/view/articles/2018-10-04/computer-...
The US Government could easily find it in its self-interest to make a deal, involving the SEC, on a national security basis, to allow Amazon and Apple to go the denial route with the US Government giving them guarantees regarding fallout.
If it's worse than Bloomberg has reported, it would be highly desirable by the US Government to keep the rest as quiet as possible for as long as possible, to get at as much of what China is doing as possible. They might be running a counter intel program by now that relies on something China was doing.
I've been in such a situation myself where I was in the room during what LOOKED like a DDOS by Akamai 10 minutes after we got off the phone with them to turn down their CDN services.
In much the same way as Apple is refuting this claim, after a few weeks of internal debate above our pay grade we decided we didn't see it and it didn't exist and therefore it didn't.
For a national security-related issue, you might just include the minimum number of people that need to know, which would naturally not include your PR team. Then when an article like this comes out, the PR team responds in exactly the way they would if it were an outright fabrication, which is what the goal would be.
1) Big company partners with distributor. 2) Distributor has security issues. 3) Gov is already aware of security issues, says nothing. 4) Big company becomes aware of issues. 5)Gov steps in and pitches a deal: i)Both big company and distributor must deny. ii)In return, gov gets to: iii)Preserve any existing contracts iv)Protect the big company and distributor, with any legal, trade, or commercial benefits
Additionally, Amazon and Apple are two of the still allowed to compete western companies in China that they haven't booted out of their markets, it could be that Amazon and Apple also want to retain the Chinese market and don't want to appear like they are helping while they have the cover of the NSL.
Amazon and Apple are caught in a tough spot and the hardware issue/espionage device is definitely true. It is probably just that the people that know in the company aren't allowed to say and the PR team is not part of that 'need to know' group. Either way, trust of Chinese manufacturing is over, which hits Apple very hard in both market and domestic trust.
What's stopping someone to sue after buying stock under the assumption that the companies are sound? I assume they have a duty to the shareholders.
edit: spelling.
On the other hand, Apple and Amazon have huge reasons not to blatantly lie about this. The plaintiffs bar would be all over both companies for material false and misleading statements if this turned out to be true (see also Elon's recent experiences with the SEC).
Apple and Amazon are certainly incentivized to not admit bad facts, to spin facts, to issue misleading unclear statements that read as a denial but are not, etc. But I really don't think the legal teams at either company would let executives get away with issuing such full-throated and clear denials if they were untrue.
This is so typical of Gruber as an evangelist.
There's no way that Apple would remain silent on this even if they KNEW it were true. The only possible move is denial.
Silence is validation or uncertainty, a statement of ambiguity will tank the stock and reputation as experts, recognition of even partial truth could possibly destroy their supply lines overnight.
I honestly think the corporate denials here need to be outright ignored because they have so much to lose. A story of this magnitude is basically like pointing a gun to someone's head and asking them for permission to pull the trigger.
What incentive do you see for Bloomberg to report a major story and lie!? Why would they do that?
I think at this point it's more believable the story is true, because Bloomberg is the most credible participant at this point... they're anonymous sources, but as long as Bloomberg did their due diligence as journalists, they've validated their (numerous) sources as credible.
...and like you said, all these corporations have MASSIVE amounts to lose. Just check out what Trend Micro's stock is doing today.
just like all of their other stories on Apple products/etc that have been wrong - page clicks and ad revenue. Writing about Apple gets you both. the WSJ is in the same boat. Quoting vague "sources briefed on the matter" is just mysterious enough to keep the reader on the hook for more. I haven't trusted Bloomberg to report anything accurate about Apple for years now.
Dead Comment