Editorial: A year later, Bloomberg silently stands by its 'Big Hack' iCloud spy chip story...

Posted:
in General Discussion edited October 4
Bloomberg Businessweek's claims of Chinese spy chips hidden in Apple and Amazon servers has been refuted, debunked, and ridiculed. You just wouldn't know that from what Bloomberg has said or, most recently, done.

The cover image from Bloomberg's Big Hack article
The cover image from Bloomberg's Big Hack article


There's been a lot of smoke, but no firings. Quite the opposite. It's been a year since Bloomberg Businessweek published an extensively debunked story claiming that companies including Apple and Amazon had been hacked. Yet since then, all of Bloomberg's few responses and actions have only doubled down on how this publication lacks credibility on the topic.

The story from 2018 claimed that many firms were compromised by how they had bought servers from a company called Super Micro. Secretly embedded in the motherboards of these servers were Chinese spy chips.

If it were true, then "The Big Hack" by reporters Jordan Robertson and Michael Riley, would've been the Watergate of technology stories. It would mean that the very core of America's entire technology infrastructure had been secretly and extensively infiltrated by another nation -- a nation that the US has since become embroiled in a trade dispute with that will cost American businesses and consumers literally billions of dollars.

Mind you, if it were true, there would also be proof.

This was the one thing lacking from the Bloomberg piece, though you would think it would be the first thing that this or any publication would have insisted on. You would at least, at the utter least, expect Bloomberg to have one of these motherboards and show us this spy chip. Instead, we got an illustration by artist Scott Gelber.

It's not as if the company would have had to go far -- the Bloomberg company itself owns some Super Micro servers.

An Apple datacenter
An Apple datacenter


At the very end of its original October 4, 2018, piece, Bloomberg Businessweek wrote that "Bloomberg LP has been a Supermicro customer. According to a Bloomberg LP spokesperson, the company has found no evidence to suggest that it has been affected by the hardware issues raised in the article."

Notably, neither did any other firm named in the piece.

Apple was particularly vehement about the accusation. Usually it tends not to comment on stories like it, but in this case Tim Cook even called out Bloomberg on it.

Apple had already issued a statement refuting the story plus detailing both how it had investigated the claims now and during months of prior discussions with the publication's reporters.

But then Cook just directly said that the story was "100 percent a lie." The CEO of a multi-billion dollar corporation does not casually use the word "lie."

But by the time he said this, a couple of weeks after the story broke, every organization or type of investigator you can think of, was saying the same thing. Industry experts established that the allegations were technically impossible.

Intelligence agencies in the US said the same thing. If you're thinking that such a breach would be so catastrophically bad that of course the government would deny it, so did overseas intelligence agencies.

All companies named in the story denied there was any accuracy in the reporting whatsoever. With one exception, all other investigations into the piece subsequently agreed that it was entirely wrong.

There is this one exception, but it's not that anyone agrees with the story, it's that we do not know the outcome of this other investigation. That's because it was done by Bloomberg itself, after publication, and its findings have not been published.

According to Erik Wemple of The Washington Post, reporter Ben Elgin was assigned by Bloomberg to investigate the publication's own story.

"In emails to employees at Apple," said Wemple, "Bloomberg's Ben Elgin has requested 'discreet' input on the alleged hack."

Again, you would expect this to be done prior to publication. And according to Apple's statement, it had already been providing extensively detailed input throughout the original investigation.

Bloomberg's scale example for the size of the alleged spy chip. That isn't the spy chip.
Bloomberg's scale example for the size of the alleged spy chip. That isn't the spy chip.


More, Wemple reports being told that Elgin if enough sources refuted the piece, he would "send that message up his chain of command."

It's hard to believe that Elgin didn't get enough sources refuting it, since every source was doing that publicly already, but if he did get enough and he did pass the news up the chain, Bloomberg appears to have done nothing.

What's happened since

Or at least, it's done nothing about proving or retracting the story.

Some time between the October 4, 2018, publication date and a December 11, 2018 competition closing date, Bloomberg entered the "Big Hack" article into the American Society of Magazine Editors Awards (ASME). It didn't make the shortlist.

Bloomberg did not enter the same piece into the Pwnies, but it won one anyway. The Pwnies are a series of awards made by the security community and awarded at the BlackHat USA conference. Most of the awards are serious and celebrate genuine achievements, but Bloomberg won one for "Most Over-Hyped Bug."

"The story had every buzzword that make any CISO [Chief Information Security Officer] want to retire: supply chain interdiction, state sponsored, China, Snowden," say the Pwnie organizers.

"It was said to affect major banks, government contractors, and even the company they all aspire to be, Apple," they continued. "This was definitely the computer security story of the year, maybe the decade, except for one small detail. It seems it was all bullshit."

Bloomberg did not acknowledge its Pwnie win.

The only public comment the company has made on the topic since publication was a statement that it was standing by the story. It said this to Buzzfeed later in October 2018. Then in December 2018, in a Bloomberg story about Super Micro denying all allegations, the reporter said that the company had "previously said it stands by its story."

The company then completely ignored repeated requests for comment by AppleInsider until September 2019. Asked directly about his investigation into the story, reporter Ben Elgin refused to comment on any specific stories or reporting, but did reveal one detail.

"I've been working full-time on some pharma industry stories for the past several months, so I'm out of the loop on this," he said in an email. "I really don't know."

Similarly, a Bloomberg spokesperson declined to comment, but did provide confirmation on issues concerning the "Big Hack" writers, Jordan Robertson and Michael Riley.

Michael Riley gets promoted

Words fail us. Co-author Michael Riley was promoted in September 2019 to oversee all of Bloomberg's technology security coverage.

An artist's impression of the spy chip on a stripped-down motherboard. We'd have liked to see an actual stripped down motherboard, not to mention the actual spy chip
An artist's impression of the spy chip on a stripped-down motherboard. We'd have liked to see an actual stripped down motherboard, not to mention the actual spy chip


A spokesperson from the company sent AppleInsider an extract from a note sent by Bloomberg News editor in chief John Micklethwait, to editorial and research staff on September 16.

"Mike Riley has become our cybersecurity czar," it says, before listing other members of a new group devoted to the topic. "The team will write about the various attempts to hack companies, governments and elections, as well as the thriving marketplace for cybersecurity tools, both legal and otherwise. But it is also intended to be a resource for the whole newsroom: if there is a cyber-incident in your coverage area, call our team."

The same note includes the phrase "sometimes a subject affects more than one part of the newsroom." If the existence of a seemingly bogus story of this scale isn't enough to undermine credibility, then the company's refusal to retract is.

And the rewarding of its co-author with this position of oversight on all technology security issues affects more than one part of the newsroom.

This is also not the only reward that has been given to Riley or co-author Jordan Robertson.

According to Bloomberg's own catalog, Michael Riley wrote nothing whatsoever for the publication from October 9, 2018 to August 31, 2019. He is since credited as co-author on four stories, all dated on the weekend of August 31 and September 1, 2019.

@J_J_E_ @karaswisher
That's the unique thing about this attack. Although details have been very tightly held, there is physical evidence out there in the world. Now that details are out, it will be hard to keep more from emerging.

-- Michael Riley (@MichaelRileyDC)
Similarly, Jordan Robertson had no published bylines on Bloomberg between October 9, 2018 and September 2, 2019. He is now credited as co-author on a single article on that latter date.

Nonetheless, a Bloomberg spokesperson confirmed to AppleInsider that Robertson remains employed by the company.

It is possible that both writers continued to be on the payroll despite writing no articles, because they were investigating this "Big Hack" story.

This would be a commendable thing for Bloomberg to do, to invest so much time and money in its reporters to make sure a story is correct. But of course that's what it should have been doing before publication.

And of course it's hard to justify 11 months of salaries for two journalists when all they needed to do to prove this story was produce one motherboard with the alleged spy chip.

Activity and no activity

Unless Bloomberg does publish either some proof or a retraction, we're unlikely to know what has really gone on in the year since its story was published.

Certainly, if Robertson is investigating it then he has chosen to close himself off to potential sources. As well as ignoring AppleInsider emails, he has stayed off Twitter since October 9, 2018, and can't be directly messaged. Michael Riley ceased tweeting on October 5, 2018 and can't be reached there nor replies to emails.

Having claimed Amazon's AWS cloud services were compromised by this "Big Hack", Bloomberg has now nonetheless moved its own online trading data system to exactly that service this September.

Back in May 2019, the company published an ill-informed opinion piece about end to end encryption, which AppleInsider debunked and the Pwnies called "fan fiction."

Even prior to that high-profile example, AppleInsider examined just how peculiarly poor Bloomberg's coverage of Apple tends to be.

We did reach out to Apple about what's been happening in the year since the article was published. A spokesperson said that they simply had nothing to add to their original statements refuting the allegations.

Apple has nothing more to say, and presumably neither it nor any of the other companies mentioned in the article, have anything more they can do, until Bloomberg proves or retracts the claims.

That could be why Bloomberg remains silent. It could be because reopening the story publicly could further damage the company either in terms of reputation or, conceivably, legal issues.

But then nothing puts worms back into a can better than promoting one of the openers.

We live in an age when for political advantage, the whole of the media regularly gets labelled as fake news. Bloomberg may have believed its story, and so initially was just woefully incompetent, but its actions since are letting us all down.
edredwatto_cobra
«1

Comments

  • Reply 1 of 26
    lkrupplkrupp Posts: 7,463member
    No worries. This story is long forgotten and has been relegated to the trash bin of bad journalism. This editorial is right on the money. If this were actually true Bloomberg should have been hammering away at it for the past year, demanding action, interviewing corporations affected, cajoling Apple, Amazon, Google, and all the others to DO SOMETHING! Bloomberg’s silence is damning. They dropped this turd on the floor hoping the world would gather round to sniff it.

    But none of this will stop the conspiracy theorists from claiming the government, Apple, Amazon, Google, and the rest conspired to cover this up. Even Bloomberg cooperated by remaining silent. My brother-in-law (RIP) was a huge, big time conspiracy nut so I know how these types think. I once got a lecture from him about how the $100 bill was connected to the Kennedy assassination.
    edredmagman1979p-dogwatto_cobra
  • Reply 2 of 26
    StrangeDaysStrangeDays Posts: 8,804member
    Excellent commentary. 

    Let’s also not forget that one of the only named source in their story, a security expert, had come out to say he was uncomfortable with how they presented all the hypotheticals he abstractly described, as facts.

    https://daringfireball.net/linked/2018/10/09/big-hack-doubts

    That Bloomberg never retracted their made up story and in fact promoted one of its authors to security czar speaks really poorly of their judgement. They seem to be a pro-troll when it comes to all things Apple. 
    edited October 4 lkruppedredmagman1979Deelronlolliverwatto_cobra
  • Reply 3 of 26
    lkrupplkrupp Posts: 7,463member
    Excellent commentary. 

    Let’s also not forget that one of the only named source in their story, a security expert, had come out to say he was uncomfortable with how they presented all the hypotheticals he abstractly described, as facts.

    https://daringfireball.net/linked/2018/10/09/big-hack-doubts

    That Bloomberg never retracted their made up story and in fact promoted one of its authors to security czar speaks really poorly of their judgement. They seem to be a pro-troll when it comes to all things Apple. 
    Trashing Apple has become the goto option when you need ad clicks or want to get street cred as a “journalist”. Same thing goes for Apple centric tech blogs. When you feel bad about being a lemming using Windows or Android you come here to vent your anger and frustrations. Trashing Apple makes you feel better.
    edited October 4 edredStrangeDaysmagman1979p-dogwatto_cobra
  • Reply 4 of 26
    B’berg is anti-Apple and Anti-Tesla as well. Left wing trash of a news source. Look up “Fake news” and there’s a picture of these trolls.
    watto_cobra
  • Reply 5 of 26
    gatorguygatorguy Posts: 21,289member
    Bloomberg Businessweek's claims of Chinese spy chips hidden in Apple, Amazon, and Google servers has been refuted, debunked, and ridiculed. You just wouldn't know that from what Bloomberg has said or, most recently, done...


    There's been a lot of smoke, but no firings. Quite the opposite. It's been a year since Bloomberg Businessweek published an extensively debunked story claiming that companies including Apple and Amazon had been hacked. Yet since then, all of Bloomberg's few responses and actions have only doubled down on how this publication lacks credibility on the topic.

    The story from 2018 claimed that many firms were compromised by how they had bought servers from a company called Super Micro. y, and so initially was just woefully incompetent, but its actions since are letting us all down.
    Good article, except that the first paragraph is wrong and seemingly intentionally so.  There was never any claim that Google servers were potentially compromised. The AI editor created that all on his own and put it in the lead-in yet just one paragraph later clarifies the claims were concerning Apple and Amazon servers. Google was never part of the conversation and even the AI editor never mentions them again.

    So why wouldn't Google be included even if not specifically mentioned? They don't purchase servers from SuperMicro who was the supposed source of the hack. In fact they don't buy servers at all. They build their own, including the processors that drive them. 

    The AI editor should probably correct his misrepresentation in the lead paragraph.  Otherwise it's a very good article. Yes Businessweek should absolutely have followed up the report. Based on everything we've heard since there is not factual support for "spying rice chips". Due diligence was apparently ignored for wont of a great story. Emphasis on story. 
    edited October 4
  • Reply 6 of 26
    And yet Bloomberg is still quoted as a reputable source of other information by well known Apple blogs and information sites.
    watto_cobra
  • Reply 7 of 26
    gatorguygatorguy Posts: 21,289member
    lkrupp said:
    If this were actually true Bloomberg should have been hammering away at it for the past year, demanding action, interviewing corporations affected, cajoling Apple, Amazon, Google, and all the others to DO SOMETHING! 
    Google was never cajoled to "do something" because they were never part of the story in the first place. They don't buy servers from Super Micro, they build their own. 
    edited October 4
  • Reply 8 of 26
    thttht Posts: 3,316member
    Wgkrueger said:
    And yet Bloomberg is still quoted as a reputable source of other information by well known Apple blogs and information sites.
    That’s because Mark Gurman works for them. If he and his track record weren’t there, Bloomberg wouldn’t have any good Apple news at all.

    Gurman has a long history with Apple rumors, starting all the way back with 9to5mac.com. He was like 13 years old when he started publishing Apple rumors. 9to5mac was really sad when he had to grow up, go to college, and get a higher paying job.
    watto_cobra
  • Reply 9 of 26
    Mike WuertheleMike Wuerthele Posts: 5,004administrator
    gatorguy said:
    lkrupp said:
    If this were actually true Bloomberg should have been hammering away at it for the past year, demanding action, interviewing corporations affected, cajoling Apple, Amazon, Google, and all the others to DO SOMETHING! 
    Google was never cajoled to "do something" because they were never part of the story in the first place. They don't buy servers from Super Micro, they build their own. 
    They do build most of their own, but when their own construction can't keep up with demand, they buy from Super Micro and all over the place.

    The inclusion of them in the lede was an editorial oddity left over from a previous draft and has been removed.
    muthuk_vanalingammagman1979p-doglolliverwatto_cobra
  • Reply 10 of 26
    gatorguygatorguy Posts: 21,289member
    gatorguy said:
    lkrupp said:
    If this were actually true Bloomberg should have been hammering away at it for the past year, demanding action, interviewing corporations affected, cajoling Apple, Amazon, Google, and all the others to DO SOMETHING! 
    Google was never cajoled to "do something" because they were never part of the story in the first place. They don't buy servers from Super Micro, they build their own. 
    They do build most of their own, but when their own construction can't keep up with demand, they buy from Super Micro and all over the place.

    The inclusion of them in the lede was an editorial oddity left over from a previous draft and has been removed.
    Thanks Mike. You guys have always been proactive on article corrections. BusinessWeek could take a lesson from you. 
    muthuk_vanalingamroundaboutnow
  • Reply 11 of 26
    jax44jax44 Posts: 79member
    gatorguy said:
    gatorguy said:
    lkrupp said:
    If this were actually true Bloomberg should have been hammering away at it for the past year, demanding action, interviewing corporations affected, cajoling Apple, Amazon, Google, and all the others to DO SOMETHING! 
    Google was never cajoled to "do something" because they were never part of the story in the first place. They don't buy servers from Super Micro, they build their own. 
    They do build most of their own, but when their own construction can't keep up with demand, they buy from Super Micro and all over the place.

    The inclusion of them in the lede was an editorial oddity left over from a previous draft and has been removed.
    Thanks Mike. You guys have always been proactive on article corrections. BusinessWeek could take a lesson from you. 
    Not to nitpick, but it’s Bloomberg.
    lolliver
  • Reply 12 of 26
    gatorguygatorguy Posts: 21,289member
    jax44 said:
    gatorguy said:
    gatorguy said:
    lkrupp said:
    If this were actually true Bloomberg should have been hammering away at it for the past year, demanding action, interviewing corporations affected, cajoling Apple, Amazon, Google, and all the others to DO SOMETHING! 
    Google was never cajoled to "do something" because they were never part of the story in the first place. They don't buy servers from Super Micro, they build their own. 
    They do build most of their own, but when their own construction can't keep up with demand, they buy from Super Micro and all over the place.

    The inclusion of them in the lede was an editorial oddity left over from a previous draft and has been removed.
    Thanks Mike. You guys have always been proactive on article corrections. BusinessWeek could take a lesson from you. 
    Not to nitpick, but it’s Bloomberg.
    Bloomberg Businessweek. A crop of the original cover for the story is at the top of the AI article. 
    edited October 4
  • Reply 13 of 26
    boboqboboq Posts: 10member
    It served its purpose - page clicks, ad revenue, publicity for Bloomberg. What’s to retract?
    watto_cobra
  • Reply 14 of 26
    wizard69wizard69 Posts: 12,902member
    Excellent commentary. 

    Let’s also not forget that one of the only named source in their story, a security expert, had come out to say he was uncomfortable with how they presented all the hypotheticals he abstractly described, as facts.

    https://daringfireball.net/linked/2018/10/09/big-hack-doubts

    That Bloomberg never retracted their made up story and in fact promoted one of its authors to security czar speaks really poorly of their judgement. They seem to be a pro-troll when it comes to all things Apple. 
    Honestly I heard about compromised machines years before Bloomberg published.  It became a national security manner real quick.   I’m actually surprised Bloomberg was able to dig anything up on this manner.  
  • Reply 15 of 26
    gatorguygatorguy Posts: 21,289member
    wizard69 said:
    Excellent commentary. 

    Let’s also not forget that one of the only named source in their story, a security expert, had come out to say he was uncomfortable with how they presented all the hypotheticals he abstractly described, as facts.

    https://daringfireball.net/linked/2018/10/09/big-hack-doubts

    That Bloomberg never retracted their made up story and in fact promoted one of its authors to security czar speaks really poorly of their judgement. They seem to be a pro-troll when it comes to all things Apple. 
    Honestly I heard about compromised machines years before Bloomberg published.  It became a national security manner real quick.   I’m actually surprised Bloomberg was able to dig anything up on this manner.  
    https://securityledger.com/2019/01/more-questions-as-expert-recreates-chinese-super-micro-hardware-hack/
    It's old news that the CIA has reportedly done so in the past.

    There's no security professional disputing that such a thing could happen. The dispute is that it DID happen to Apple, Amazon and Super Micro. 
    edited October 4 maltzmuthuk_vanalingam
  • Reply 16 of 26
    Since this story, I have discounted any Bloomberg technology stories I come across. It makes me wonder if their financial news stories are as poorly researched and vetted?
  • Reply 17 of 26
    philboogiephilboogie Posts: 7,494member
    Bloomberg. That's the company that published Steve Jobs' obituary prematurely, right? Right. "Next."

    https:// www.telegraph .co.uk/news/newstopics/howaboutthat/2638481/Steve-Jobs-obituary-published-by-Bloomberg.html

    watto_cobra
  • Reply 18 of 26
    AppleExposedAppleExposed Posts: 1,688unconfirmed, member
    gatorguy said:
    Bloomberg Businessweek's claims of Chinese spy chips hidden in Apple, Amazon, and Google servers has been refuted, debunked, and ridiculed. You just wouldn't know that from what Bloomberg has said or, most recently, done...


    There's been a lot of smoke, but no firings. Quite the opposite. It's been a year since Bloomberg Businessweek published an extensively debunked story claiming that companies including Apple and Amazon had been hacked. Yet since then, all of Bloomberg's few responses and actions have only doubled down on how this publication lacks credibility on the topic.

    The story from 2018 claimed that many firms were compromised by how they had bought servers from a company called Super Micro. y, and so initially was just woefully incompetent, but its actions since are letting us all down.
    Good article, except that the first paragraph is wrong and seemingly intentionally so.  There was never any claim that Google servers were potentially compromised. The AI editor created that all on his own and put it in the lead-in yet just one paragraph later clarifies the claims were concerning Apple and Amazon servers. Google was never part of the conversation and even the AI editor never mentions them again.

    So why wouldn't Google be included even if not specifically mentioned? They don't purchase servers from SuperMicro who was the supposed source of the hack. In fact they don't buy servers at all. They build their own, including the processors that drive them. 

    The AI editor should probably correct his misrepresentation in the lead paragraph.  Otherwise it's a very good article. Yes Businessweek should absolutely have followed up the report. Based on everything we've heard since there is not factual support for "spying rice chips". Due diligence was apparently ignored for wont of a great story. Emphasis on story. 

    Except it's not hard to believe since Google gets away from media bashing in favor of Apple. Yes it was a mistake but Apple wasn't hacked either. I read this and didn't question it because I'm used to the media dismissing anyone who isn't Apple. What stood out is the fact Bloomberg would include them, which is why you probably caught it so quickly.

    A good example was when iCloud "was hacked" and articles conveniently left out Microsoft and Google who were also "hacked" by the same guys during the same time. But again, no one was hacked just Apple got bashed to death.
    lolliverwatto_cobra
  • Reply 19 of 26
    gatorguygatorguy Posts: 21,289member
    gatorguy said:
    Bloomberg Businessweek's claims of Chinese spy chips hidden in Apple, Amazon, and Google servers has been refuted, debunked, and ridiculed. You just wouldn't know that from what Bloomberg has said or, most recently, done...


    There's been a lot of smoke, but no firings. Quite the opposite. It's been a year since Bloomberg Businessweek published an extensively debunked story claiming that companies including Apple and Amazon had been hacked. Yet since then, all of Bloomberg's few responses and actions have only doubled down on how this publication lacks credibility on the topic.

    The story from 2018 claimed that many firms were compromised by how they had bought servers from a company called Super Micro. y, and so initially was just woefully incompetent, but its actions since are letting us all down.
    Good article, except that the first paragraph is wrong and seemingly intentionally so.  There was never any claim that Google servers were potentially compromised. The AI editor created that all on his own and put it in the lead-in yet just one paragraph later clarifies the claims were concerning Apple and Amazon servers. Google was never part of the conversation and even the AI editor never mentions them again.

    So why wouldn't Google be included even if not specifically mentioned? They don't purchase servers from SuperMicro who was the supposed source of the hack. In fact they don't buy servers at all. They build their own, including the processors that drive them. 

    The AI editor should probably correct his misrepresentation in the lead paragraph.  Otherwise it's a very good article. Yes Businessweek should absolutely have followed up the report. Based on everything we've heard since there is not factual support for "spying rice chips". Due diligence was apparently ignored for wont of a great story. Emphasis on story. 
    A good example was when iCloud "was hacked" and articles conveniently left out Microsoft and Google who were also "hacked" by the same guys during the same time. But again, no one was hacked just Apple got bashed to death.
    Except they weren't if you're referring to the Project Zero/Apple exploits. The exploit the hackers may have been attempting to use to gain access to Android handsets was patched by Google back in 2017. There's zero evidence that Microsoft was hacked too, and MS themselves says didn't happen and no one is disagreeing with that. 

    That makes the example you offered a horribly inaccurate one 
    edited October 4 muthuk_vanalingam
  • Reply 20 of 26
    DAalsethDAalseth Posts: 765member
    So one of the people involved is now been investigating Big Pharma? 
    After this story I’m sure myself and a lot of other people as well are going to disbelieve it when it comes out. 
    Bloomberg has destroyed their reputation.
    any Big Pharma company they accuse will just point at this article and say “They put this out, why would you believe what they say about us?”
Sign In or Register to comment.