It seems like the writer has a personal stake in the idea that Apple can do no wrong, therefore Bloomberg must be lying.
As an example they claim 10 reasons not to believe Bloomberg and cite two other pieces they have written, both proclaiming Apple's innocence.
They literally give the same reason multiple times, and the reason is little more than "Apple wouldn't lie!". Apple has been caught lying in the past about other things like battery life.
>Apple has been caught lying in the past about other things like battery life.
That's a stretch to say that they were lying. They weren't lying about the battery life nor did they claim that they weren't changing the clock speed of the device. They simply claimed to have different motivation for doing so (namely, to keep older phones from completely turning off) than what others assume was the motivation (intentionally slowing phones to gain more sales).
The article is a clunky representation of the original material. I would highly recommend listening to the podcast that is being quoted from [0]. It is only 20 minutes long, and both the interviewer and the named source Joe Fitzpatrick have thoughtful commentary on the matter.
This. Also, Bloomberg's report is not specifically targeted at Apple. It seems that it's being attacked here only because Apple is mentioned in it, and the author tends to trust Apple more than Bloomberg.
They are not necessarily lying. But journalists (and also politicians, lawyers, etc.) have a tendency to wrap a suspicion into a conclusion. That's more deceptive than propaganda because the authors believe their conclusions. Here the trick is making the evidence unfalsifiable with solid reason. For example: the information source is classified due to national security.
"They claimed anonymous US intelligence community sources as well. Except I led the ICS threat discovery mission at the time at the NSA. And I had never heard of this attack being a cyber attack. The NSA doesn’t see everything but if the US IC is your source we would have."
He is referring to the BTC pipeline piece that these guys wrote. It claims the pipeline explosion was a cyber attack, which has never been substantiated.
Why would the NSA ICS threat discovery lead at the time be able to confirm one way or another? It seems like either way would be a "no comment" sort of situation.
Sounds like Bloomberg was creating a bit of fiction about how something like this could happen and backing it into validation by sources.
Particularly damning part, to me: "I sent him a link to Mouser, a catalog where you can buy a 0.006 x 0.003 inch coupler. Turns out that’s the exact coupler in all the images in the story." Clearly they didn't have an original hacked part like some have claimed/hoped.
It seemed incredible to me that they talked about these tiny little components being added to systems that allowed the evildoer to take complete control of the system. How exactly is something with 2 connections to the motherboard going to exert dramatic influence over a CPU with 1000+ connections to the rest of the system? Some 48-56 physical address lines, 64 data lines, and etc. all being manipulated by the magic rice grain? I don't think so.
I found the attempted humorous article "Here are the subjects our [science] reporters enjoy covering the least" to be very revealing of typical reporter attitudes.
> How could [discovering exoplanet] not be dramatic? If you're an actual f$@!%%# astronomer, that's how. Because then you'd feel compelled to drone on for page after page of details on the different telescopes you used, and the software pipelines the data went through, and how everything was normalized to... Exoplanets, which are BRAND NEW WORLDS UNKNOWN TO US get announced with excessive details on Monte Carlo sampling and Markov chains. I would not have thought it possible to suck the life out of stories like these, but the people who have chosen to make this their life's work manage.
In other words: "Why do these eggheads spend so much time worrying about whether the things they think they know are actually true when they could be talking about how it makes them feel?"
Seems like the "journalist" does not understand the role of academic artifacts (such as published papers) or science in general. Most academics are not trying to drive excitement in the general population with their research, but rather appeal to their peers, who by the very nature of their job must evaluate methodology and formal approaches to ascertain the quality of the findings. Sensationalizing your research before it has attained general acceptance in your discipline (or ever) might be fine with regard to PR, but terrible for your overall academic career.
Did you mean to reply to the 9to5mac article about the Bloomberg hardware expert Joe Fitzpatrick's concerns about the Supermicro story? If so, I do not understand your comment.
The relation of journalists to the truth is quite similar to the relation of used car salesmen to road safety; I am sure every used car salesman can tell you a story about the clunker he didn't sell. (The big difference is that for some reason newspapers don't go on and on and on about how important used car salesmen are for democracy.)
"But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work"
>I sent him a link to Mouser, a catalog where you can buy a 0.006 x 0.003 inch coupler. Turns out that’s the exact coupler in all the images in the story...
I don't know much about technology journalism, but I would think that no one who is a technology reporter would make a miss like that. And even if he/she did make a miss like that, wouldn't an editor or someone higher up call that out pretty much right away?
I can't see why this story would have been put out as is without further investigation? Maybe some independent verification? I suppose there remains a slim possibility that the overarching theme of the story is true, and the reporters are simply spectacularly inept. There is also the possibility that the story is false and Bloomberg itself is spectacularly inept. Other possibilities are too terrible to contemplate. They run the gamut from simple propaganda, which is terrible, but would not be unexpected... all the way to out and out graft. ie - Some influential guy was short Apple.
I'm not saying it is true, but of course all parties involved will deny everything, imagine how much it would hurt them if they acknowledged they have been hacked.
There's a lot about this story that doesn't add up either. One particularly questionable bit is:
> Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer.
Every RJ45 jack ("Ethernet connector") I've seen used in modern networking hardware has a metal case for EMI shielding. This isn't an indicator of compromise. Nor does this make sense as a location for an implant -- the RJ45 jack isn't in a privileged position to access information on the server, nor would a device located inside the jack be able to easily interact with the network without interfering with the real Ethernet controller.
This evidence does nothing to support the original chip story. An ethernet implant is completely separate and does not affect the originally reported companies.
> imagine how much it would hurt them if they acknowledged they have been hacked
We don't even have to imagine much beyond the current pain it's caused Supermicro. According to that article, the stock dropped 41% last Thursday from the original article and then another 15% today (the article says 27% today, but they made some gains since the article was published).
Apple dumped Supermicro in 2017 for security issues. But Bloomberg really needs to provide some information to back up their claims; this isn't a minor issue, this is a claim of spying from China.
>Super Micro Computer Inc. SMCI, -18.58% dropped 8% in late trading Thursday after a report said Apple Inc. AAPL, +0.93% ended its relationship with the company after finding "a potential security vulnerability" in a data center server provided by Super Micro.
I tried to buy some over the weekend, because I think this will all blow over like Equifax, but I got a message saying they've been suspended from trading since August for not reporting to the SEC on time. Is it the OTC price?
Ironic that an article about how Bloomberg may have misunderstood and jumbled their expert sources' info has some glaring mis-transcribed quotes!
"For example putting two pieces of silicone in a single package makes sense when one of them is flash storage and the other is a micro controller. But an experienced observer could easily jump to the conclusion that it’s a hardware implant."
yeah - silicone. but more importantly: he certainly meant IN-experienced.
The buck doesn't stop at the reporters, right? They had somebody above them who gave the permission to run the story.
Also, I want to believe that they did more groundwork to establish credibility before deciding to go for it. If it turns out to be false, I wouldn't know whom to trust anymore.
This will be exactly what POTUS needs to get his AG to move against the press. He's been threatening it since before he took office. Not saying it would succeed, but I'd wager he'll try.
Well, if you look at the US company stocks since the story (not the Chinese ones) you'll see none of them had a negative day.
So either they mis-planned their "stock market" manipulation or it was not their intention...
I have been purposely misquoted several times in several California small town news agencies (their agenda almost diametrically opposed to my information), I am not particularly surprised this may be happening with Bloomberg. I have stopped responding to requests for interviews, as I am rarely informed ahead of time what the person's (or editor's) agenda may be, to decide if it aligns with what I wish to contribute ammunition/fodder towards.
I, too, wondered if this might have been planted by someone to either disrupt existing supply chains or raise awareness of this sort of vulnerability, but this makes it look more like journalistic incompetence, possibly magnified by pressure to have impact.
Why the Chinese? That makes zero sense. Much more likely the US who want more casus belli to go after China. Wouldn't be surprising at all seeing the moves by the US gov so far.
My guess is that the story was pushed by those that compete against Supermicro. Possibly due to their own security issues that have not yet been disclosed.
In a way, this resembles a technique that is sometimes (but should not be) used in the interrogation of criminal suspects: raise hypothetical questions, and then write up the replies as if they were statements/confessions of what actually happened.
Sounds like Bloomberg painted the theory they wanted to paint, and were not particularly subtle about covering their tracks. Assuming what this dude says is true, this is going to be very bad and very, very expensive for them.
>I sent him a link to Mouser, a catalog where you can buy a 0.006 x 0.003 inch coupler. Turns out that’s the exact coupler in all the images in the story.
I did a super quick search, and sure enough, yep- the images in the article are most likely a $0.38/each 0603 coupler.
I'd argue that all this backlash is justification for why we don't typically have to worry about the Gell-Mann amnesia effect. When something is egregiously wrong in the news, people talk about it, and we learn. As long as you're reading about something that critical and knowledgeable people are also reading, then you should feel comfortable knowing that no backlash means it's probably fine.
Technical people like to talk about technical things and non-technical reporters are torn-up about it. Then some outlets have reasons to report one side not in totally good faith. Here is a prior case:
>For a journalist, the fear of getting it wrong is a mortal one. Experts loudly calling me wrongheaded were hard to shake. Many of their objections were highly technical—and I would never pass myself off as someone with an expert’s grasp of computer science. (Less than 24 hours after my piece went live, The Intercept published a very long, very detailed piece that suggested my piece was likely bunk.)…
That guy should've been more scared about getting it wrong. Every single piece of evidence pointed to his supposed secret communications channel with a Russian bank (and a random American health clinic for some reason) being the simple result of run-of-the-mill mass marketing emails for Trump hotels sent by a company that had been subcontracted to do so for years. The Intercept even managed to obtain copies of some of the emails they'd sent. A DNS covert channel of the sort being suggested would require the secret co-operation of the technical staff at a company the Trump Organization didn't even have a direct contractual relationship with - why take that risk to set up a really terrible communications channel? Multiple outlets had apparently already passed on the story because it didn't hold up - but that didn't matter, because the moment he published it went viral on social media, with the Clinton camp's tweets alone getting tens of thousands of retweets.
It would be no exaggeration to say that his decision to ignore the pesky technical objections he didn't understand and run the story anyway did permanent damage to the US political and news climate, that it made everyone's beliefs about the world a little more wrong forevermore. When Clinton's campaign tweeted to demand the FBI investigate, only one outlet - the New York Times - dared stand up and report that the FBI had already investigated and concluded all the evidence was consistent with it being exactly the boring junk email server it looked like, and people are still pointing to that article to drag the Times' reputation through the mud to this day. (Their own public editor even criticized them for questioning and not believing!)
He created a world where not believing junk emails were secret Russian communications was, to quote the recent New Yorker article, the equivalent of believing "that space aliens did this".
Can somebody hunt down one of those motherboards maybe on eBay or in their own data centers and track down this malicious device? Putting together a test circuit that throws the BMC firmware down it and sees if anything different comes out the other end should be a simple enough task.
This is the first criticism of Bloomberg's story that made a decent point (along with several bad ones). I definitely believe Apple or Amazon would lie, I definitely believe they might get told to by the feds, I definitely believe the Chinese government has at least looked into the idea of using their hold on the supply chain to get intelligence. The idea that there are much easier ways to do this, however, is an important one.
Since the lead in this story is maximally buried -
"You put hardware in a device to help you persist the software, the malware. You don’t put hardware in a device to do the whole attack, you put hardware in the device to unlock the keys, to elevate the privileges on the shell, to open the network port and then you take a software or remote approach to do the rest of the work. And I think that’s the context of that quote."
dangerface|7 years ago
https://9to5mac.com/2018/10/05/chinese-spy-chip/
dkonofalski|7 years ago
doctorsher|7 years ago
[0] https://risky.biz/RB517_feature/
krn|7 years ago
jjcc|7 years ago
cm2187|7 years ago
mmaunder|7 years ago
https://risky.biz/RB517_feature/
Also worth mentioning here is the background on the credibility of these journos that Robert Lee provides:
https://twitter.com/RobertMLee/status/1049617855396933632?s=...
The most interesting tweet in that thread:
"They claimed anonymous US intelligence community sources as well. Except I led the ICS threat discovery mission at the time at the NSA. And I had never heard of this attack being a cyber attack. The NSA doesn’t see everything but if the US IC is your source we would have."
He is referring to the BTC pipeline piece that these guys wrote. It claims the pipeline explosion was a cyber attack, which has never been substantiated.
monocasa|7 years ago
millisecond|7 years ago
wang_li|7 years ago
jessriedel|7 years ago
https://arstechnica.com/science/2018/09/here-are-the-subject...
barbecue_sauce|7 years ago
mediocrejoker|7 years ago
yk|7 years ago
zymhan|7 years ago
Yeah that doesn't sound promising for Bloomberg.
bilbo0s|7 years ago
m0skit0|7 years ago
https://www.bloomberg.com/news/articles/2018-10-09/new-evide...
duskwuff|7 years ago
TACIXAT|7 years ago
bonestamp2|7 years ago
jakebasile|7 years ago
seppin|7 years ago
Journalists are the only ones that care about what the public knows.
IronWolve|7 years ago
https://www.marketwatch.com/story/super-micro-plummets-after...
jlarocco|7 years ago
vpribish|7 years ago
weliketocode|7 years ago
Written apology from Bloomberg? Fire the reporters? SEC charges of security fraud related to stock manipulation?
0xcafecafe|7 years ago
kasey_junk|7 years ago
A lawsuit from damaged shareholders isn’t out of the question though.
mikekchar|7 years ago
e40|7 years ago
kjullien|7 years ago
raintrees|7 years ago
gameswithgo|7 years ago
In seriousness though this is starting to smell like the whole story is plain wrong. Which is fascinating, however it came to be.
e40|7 years ago
So next time, when it's real, we'll all ignore the story?
mannykannot|7 years ago
Sharlin|7 years ago
SZJX|7 years ago
techntoke|7 years ago
mannykannot|7 years ago
perl4ever|7 years ago
Is it the expert or the journalist who doesn't know the difference between silicon and silicone?
jackconnor|7 years ago
tomswartz07|7 years ago
https://www.mouser.com/ProductDetail/TDK/HHM2510B1?qs=sGAEpi...
I'd imagine it's mostly for illustrative purposes, but Gell-Mann Amnesia Effect in full force here.
nerdponx|7 years ago
mzs|7 years ago
https://www.theatlantic.com/politics/archive/2018/10/trump-o...
makomk|7 years ago
VectorLock|7 years ago
rossdavidh|7 years ago
pharrington|7 years ago