Apple denies claim China slipped spy chips into its iCloud server hardware [u]

Comments

  • Reply 21 of 118
    Mike Wuerthele Posts: 6,858 administrator
    gatorguy said:
    gatorguy said:
    The Bloomberg story seems politically motivated...

    There isn’t enough information to determine fault in the separate firmware incident.  It also doesn’t say if Apple resumed using SuperMicro as a supplier...

    Bottom line is Apple found a problem and addressed it before it could cause damage.  We don’t know the results of their investigation into whom was responsible.  Was the firmware modified by a third party?  Was it a beta firmware? Was the hardware intercepted and modified after leaving the manufacturer, but before getting to Apple and an exploit introduced?

    Not enough information... but Bloomberg needs to get their facts straight before publishing rumors.
    Bloomberg says they DO have their facts straight.
    "The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information."

    He said, she said...
    I find it utterly inconceivable that Apple -- especially Tim Cook -- would not be at least as concerned about such a security intrusion as some Bloomberg reporters or unnamed "former senior security officials" (it's the same crowd that kept harassing Apple to create backdoors and to give intrusive access to iOS devices to the likes of the FBI).

    I am quite satisfied -- as both a consumer and a shareholder -- with Apple's unambiguous denial of this claim. I'd take Apple's word over that of these media/Washington DC types.
    If Bloomberg is wrong, nobody will care in a month.

    If Apple is lying, then the SEC will ultimately dole out a massive fine and the entire saga will be in the press for a very long time.

    Yeah. I'm pretty sure that Apple's presenting the situation accurately.
    I suspect this is a national security issue which means the involved players can deny all they want without fear of the SEC who would be prevented from interfering or involving themselves if it's truly an active case.  The Bloomberg article says as much, that it's still an open and classified investigation.

    On top of that there never were allegations of a "wide-spread attack" on Apple's servers as alluded to in the AI article so of course that's deniable, and calling any source making that claim (they haven't) laughable might be perfectly appropriate.

    Every reference to Apple in the investigative piece (and they were few) indicates Apple caught this early on, never once implying it was persistent and widespread. Amazon also denies anything happened and the whole thing is made up, someone's imagination, despite 17 sources including 6 hi-level current and former intelligence officials claiming otherwise. 
    That's not how comments about national security issues by publicly traded companies are made, though. 

    Those are more like "We have no comment, pending the results of a classified investigation" or just no response at all. The SEC can still come after a company that lied in public statements, national security or no.

    And, regarding wide-spread. The allegations are that over 5000 servers had the surveillance chip. If that's not wide-spread, then what is?
    edited October 2018
  • Reply 22 of 118
    davgreg said:
    Rayz2016 said:
    Ah, Bloomberg …

    Perhaps they should leave the techie stuff to the likes of Ars Technica.

    Bloomberg has a solid track record of reporting on Apple. Apple has a solid track record of saying little of substance when it does not fit their image.
    Bloomberg's "solid track record of reporting on Apple"? I must have missed it. Can you provide some examples (I mean stories like this one they broke that are non-trivial, not ones where they're just reporting what others are).
    edited October 2018
  • Reply 23 of 118
    tmay Posts: 6,312 member
    gatorguy said:
    Rayz2016 said:
    davgreg said:
    Rayz2016 said:
    Ah, Bloomberg …

    Perhaps they should leave the techie stuff to the likes of Ars Technica.

    Bloomberg has a solid track record of reporting on Apple. Apple has a solid track record of saying little of substance when it does not fit their image.
    Nope.

    https://appleinsider.com/articles/18/03/24/editorial-bloomberg-spins-apples-event-as-a-desperate-blind-stab-for-cheap-ipads-in-education


    This Bloomberg article we're discussing did not involve Apple as the focus anyway, very little mentioned about them, and zero claims about it being anything widespread. It had far more to do with Amazon so hardly to be considered an Apple hit-piece. 

    In a probably unrelated event Apple began using Google servers for iCloud just a few months later which quite a few members here found surprising and some even distressed by. FWIW Google builds its own servers and uses its own in-house designed security chipsets.
    Amazon has a denial statement up as well;

    https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/

    Mirrors Apple's statement.
  • Reply 24 of 118
    gatorguy Posts: 24,178 member
    gatorguy said:
    gatorguy said:
    The Bloomberg story seems politically motivated...

    There isn’t enough information to determine fault in the separate firmware incident.  It also doesn’t say if Apple resumed using SuperMicro as a supplier...

    Bottom line is Apple found a problem and addressed it before it could cause damage.  We don’t know the results of their investigation into whom was responsible.  Was the firmware modified by a third party?  Was it a beta firmware? Was the hardware intercepted and modified after leaving the manufacturer, but before getting to Apple and an exploit introduced?

    Not enough information... but Bloomberg needs to get their facts straight before publishing rumors.
    Bloomberg says they DO have their facts straight.
    "The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information."

    He said, she said...
    I find it utterly inconceivable that Apple -- especially Tim Cook -- would not be at least as concerned about such a security intrusion as some Bloomberg reporters or unnamed "former senior security officials" (it's the same crowd that kept harassing Apple to create backdoors and to give intrusive access to iOS devices to the likes of the FBI).

    I am quite satisfied -- as both a consumer and a shareholder -- with Apple's unambiguous denial of this claim. I'd take Apple's word over that of these media/Washington DC types.
    If Bloomberg is wrong, nobody will care in a month.

    If Apple is lying, then the SEC will ultimately dole out a massive fine and the entire saga will be in the press for a very long time.

    Yeah. I'm pretty sure that Apple's presenting the situation accurately.
    I suspect this is a national security issue which means the involved players can deny all they want without fear of the SEC who would be prevented from interfering or involving themselves if it's truly an active case.  The Bloomberg article says as much, that it's still an open and classified investigation.

    On top of that there never were allegations of a "wide-spread attack" on Apple's servers as alluded to in the AI article so of course that's deniable, and calling any source making that claim (they haven't) laughable might be perfectly appropriate.

    Every reference to Apple in the investigative piece (and they were few) indicates Apple caught this early on, never once implying it was persistent and widespread. Amazon also denies anything happened and the whole thing is made up, someone's imagination, despite 17 sources including 6 hi-level current and former intelligence officials claiming otherwise. 
    That's not how comments about national security issues by publicly traded companies are made, though. 

    Those are more like "We have no comment, pending the results of a classified investigation" or just no response at all. The SEC can still come after a company that lied in public statements, national security or no.

    And, regarding wide-spread. The allegations are that over 5000 servers had the surveillance chip. If that's not wide-spread, then what is?
    Where did Bloomberg say that 5000 Apple servers were infected? I totally missed that if it's there. AFAICT they don't claim that and I read the article again just now. 

    As regards the SEC what leads you to believe they can involve themselves in a classified national security investigation? It looks to me like "classified and national security" would trump any SEC investigation, in fact any other civil agency probe.

    On top of that Apple's statement was both extremely specific and at the same time quite vague. IMHO the very specific claim alluded to could well be true without the Bloomberg article being false. 

    Apple: "Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server"
    Bloomberg: "Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards." 
    Supposedly this was discovered within a lab setting and not in one of their server farms? I think that's the claim.
    edited October 2018
  • Reply 25 of 118
    Rayz2016 Posts: 6,957 member
    gatorguy said:
    From two years ago there was this, which Apple also denied but the supplier largely confirmed. The Siri claim came from a different source. In any event that report juxtaposes well with the Bloomberg piece:
    https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/

    Yeah, this is already covered in the original story:

     Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple. 

    The supplier said that Apple had purchased servers, but the supplier doesn't actually know what Apple did with them. The report that Siri used infected servers came from an anonymous source, not the supplier.

    Apple's final word at the time:

    Apple is deeply committed to protecting the privacy and security of our customers and the data we store. We are constantly monitoring for any attacks on our systems, working closely with vendors and regularly checking equipment for malware. We’re not aware of any data being transmitted to an unauthorized party nor was any infected firmware found on the servers purchased from this vendor.

    I get that you work to the notion that 'anything bad for Apple is good for Google', but you and the 'Apple must die' brigade need to think this through.

    As Mike has already pointed out:

    If Apple is lying, then the SEC will ultimately dole out a massive fine and the entire saga will be in the press for a very long time.

    If Apple were to try to cover up a breach of any size in the way that you're accusing them of, then the effect on the company when it came to light would be catastrophic. Even Facebook would not attempt to keep something like this under wraps. Users need to be informed if there is any chance that their personal data is compromised in such a way.

    In 2006, Apple sent out a small number of iPods that were infected with a virus. In this case, they warned the general public as soon as they found out:

    In a statement posted to its website, Apple says 1% of Video iPods sold after 12 September 2006 were infected with a computer virus known as “RavMonE”.
    “As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it,” the Apple statement says. “This known virus affects only Windows computers, and up-to-date anti-virus software should detect and remove it. So far we have seen less than 25 reports concerning this problem.”

    https://www.newscientist.com/article/dn10325-apple-blames-ipod-virus-on-windows/

    As I said at the time: classy

    Point is, rather than try to cover it up, Apple would most likely come clean (as the law requires) and just blame the folk who sold them the equipment.


  • Reply 26 of 118
    Mike Wuerthele Posts: 6,858 administrator
    gatorguy said:
    gatorguy said:
    gatorguy said:
    The Bloomberg story seems politically motivated...

    There isn’t enough information to determine fault in the separate firmware incident.  It also doesn’t say if Apple resumed using SuperMicro as a supplier...

    Bottom line is Apple found a problem and addressed it before it could cause damage.  We don’t know the results of their investigation into whom was responsible.  Was the firmware modified by a third party?  Was it a beta firmware? Was the hardware intercepted and modified after leaving the manufacturer, but before getting to Apple and an exploit introduced?

    Not enough information... but Bloomberg needs to get their facts straight before publishing rumors.
    Bloomberg says they DO have their facts straight.
    "The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information."

    He said, she said...
    I find it utterly inconceivable that Apple -- especially Tim Cook -- would not be at least as concerned about such a security intrusion as some Bloomberg reporters or unnamed "former senior security officials" (it's the same crowd that kept harassing Apple to create backdoors and to give intrusive access to iOS devices to the likes of the FBI).

    I am quite satisfied -- as both a consumer and a shareholder -- with Apple's unambiguous denial of this claim. I'd take Apple's word over that of these media/Washington DC types.
    If Bloomberg is wrong, nobody will care in a month.

    If Apple is lying, then the SEC will ultimately dole out a massive fine and the entire saga will be in the press for a very long time.

    Yeah. I'm pretty sure that Apple's presenting the situation accurately.
    I suspect this is a national security issue which means the involved players can deny all they want without fear of the SEC who would be prevented from interfering or involving themselves if it's truly an active case.  The Bloomberg article says as much, that it's still an open and classified investigation.

    On top of that there never were allegations of a "wide-spread attack" on Apple's servers as alluded to in the AI article so of course that's deniable, and calling any source making that claim (they haven't) laughable might be perfectly appropriate.

    Every reference to Apple in the investigative piece (and they were few) indicates Apple caught this early on, never once implying it was persistent and widespread. Amazon also denies anything happened and the whole thing is made up, someone's imagination, despite 17 sources including 6 hi-level current and former intelligence officials claiming otherwise. 
    That's not how comments about national security issues by publicly traded companies are made, though. 

    Those are more like "We have no comment, pending the results of a classified investigation" or just no response at all. The SEC can still come after a company that lied in public statements, national security or no.

    And, regarding wide-spread. The allegations are that over 5000 servers had the surveillance chip. If that's not wide-spread, then what is?
    Where did Bloomberg say that 5000 Apple servers were infected? I totally missed that. AFAICT they don't claim that and I read the article again just now. 

    As far as the SEC where have you seen that they can ignore national security orders? 
    My bad, 7000. Bloomberg does say 7000.

    Also, FTA, from Apple's response: "In response to Bloomberg's latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips."

    Regarding the SEC - they couldn't ignore a national security order now. However, they can go back to lies by publicly traded companies presented during the time of the investigation and drop the hammer on companies. If Apple, and Amazon are under a national security order, they wouldn't have said a single thing.

    This is a funny hill for you to die on, man. Occam's razor applies here -- the simplest explanation is that Bloomberg is wrong, because the stakes are too high for Apple and Amazon to lie about it.
    edited October 2018
  • Reply 27 of 118
    gatorguy said:
    The Bloomberg story seems politically motivated...

    There isn’t enough information to determine fault in the separate firmware incident.  It also doesn’t say if Apple resumed using SuperMicro as a supplier...

    Bottom line is Apple found a problem and addressed it before it could cause damage.  We don’t know the results of their investigation into whom was responsible.  Was the firmware modified by a third party?  Was it a beta firmware? Was the hardware intercepted and modified after leaving the manufacturer, but before getting to Apple and an exploit introduced?

    Not enough information... but Bloomberg needs to get their facts straight before publishing rumors.
    Bloomberg says they DO have their facts straight.
    "The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information."

    He said, she said...
    I find it utterly inconceivable that Apple -- especially Tim Cook -- would not be at least as concerned about such a security intrusion as some Bloomberg reporters or unnamed "former senior security officials" (it's the same crowd that kept harassing Apple to create backdoors and to give intrusive access to iOS devices to the likes of the FBI).

    I am quite satisfied -- as both a consumer and a shareholder -- with Apple's unambiguous denial of this claim. I'd take Apple's word over that of these media/Washington DC types.
    If Bloomberg is wrong, nobody will care in a month.

    If Apple is lying, then the SEC will ultimately dole out a massive fine and the entire saga will be in the press for a very long time.

    Yeah. I'm pretty sure that Apple's presenting the situation accurately.
    No correlation to the APPL Shorters then? BB seem to be very good at causing stock movements in a number of stocks. Just asking and I have no holdings in any US Stock.
  • Reply 28 of 118
    tipoo Posts: 1,141 member
    Wow, I don't remember Apple's official statements EVER being that hard hitting. Between their reputation and Bloomberg's, a lot is on the line here. 
  • Reply 29 of 118
    StrangeDays Posts: 12,844 member
    davgreg said:
    Rayz2016 said:
    Ah, Bloomberg …

    Perhaps they should leave the techie stuff to the likes of Ars Technica.

    Bloomberg has a solid track record of reporting on Apple. Apple has a solid track record of saying little of substance when it does not fit their image.
    You must be new. Bloomberg has a solid track record of trolling Apple, as it's headed now by Mark Gurman. Gurman has an axe to grind for Apple from when he was a rumors blog Jr detective. He once got so pissy about one of his rumors being wrong that he claimed Apple actually changed their product design just to invalidate his rumor. Kid is nuts.
  • Reply 30 of 118
    volcan Posts: 1,799 member
    I used Super Micro motherboards for years but back then they were made in USA. I bought a little Atom server from them a couple years ago and it only lasted about 18 months. Unknown motherboard failure, not repairable and out of warranty. Since then I have only purchased Intel boards but I never investigated where they were manufactured.
  • Reply 31 of 118
    gatorguy Posts: 24,178 member
    gatorguy said:
    gatorguy said:
    gatorguy said:
    The Bloomberg story seems politically motivated...

    There isn’t enough information to determine fault in the separate firmware incident.  It also doesn’t say if Apple resumed using SuperMicro as a supplier...

    Bottom line is Apple found a problem and addressed it before it could cause damage.  We don’t know the results of their investigation into whom was responsible.  Was the firmware modified by a third party?  Was it a beta firmware? Was the hardware intercepted and modified after leaving the manufacturer, but before getting to Apple and an exploit introduced?

    Not enough information... but Bloomberg needs to get their facts straight before publishing rumors.
    Bloomberg says they DO have their facts straight.
    "The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information."

    He said, she said...
    I find it utterly inconceivable that Apple -- especially Tim Cook -- would not be at least as concerned about such a security intrusion as some Bloomberg reporters or unnamed "former senior security officials" (it's the same crowd that kept harassing Apple to create backdoors and to give intrusive access to iOS devices to the likes of the FBI).

    I am quite satisfied -- as both a consumer and a shareholder -- with Apple's unambiguous denial of this claim. I'd take Apple's word over that of these media/Washington DC types.
    If Bloomberg is wrong, nobody will care in a month.

    If Apple is lying, then the SEC will ultimately dole out a massive fine and the entire saga will be in the press for a very long time.

    Yeah. I'm pretty sure that Apple's presenting the situation accurately.
    I suspect this is a national security issue which means the involved players can deny all they want without fear of the SEC who would be prevented from interfering or involving themselves if it's truly an active case.  The Bloomberg article says as much, that it's still an open and classified investigation.

    On top of that there never were allegations of a "wide-spread attack" on Apple's servers as alluded to in the AI article so of course that's deniable, and calling any source making that claim (they haven't) laughable might be perfectly appropriate.

    Every reference to Apple in the investigative piece (and they were few) indicates Apple caught this early on, never once implying it was persistent and widespread. Amazon also denies anything happened and the whole thing is made up, someone's imagination, despite 17 sources including 6 hi-level current and former intelligence officials claiming otherwise. 
    That's not how comments about national security issues by publicly traded companies are made, though. 

    Those are more like "We have no comment, pending the results of a classified investigation" or just no response at all. The SEC can still come after a company that lied in public statements, national security or no.

    And, regarding wide-spread. The allegations are that over 5000 servers had the surveillance chip. If that's not wide-spread, then what is?
    Where did Bloomberg say that 5000 Apple servers were infected? I totally missed that. AFAICT they don't claim that and I read the article again just now. 

    As far as the SEC where have you seen that they can ignore national security orders? 
    My bad, 7000. Bloomberg does say 7000.

    Also, FTA, from Apple's response: "In response to Bloomberg's latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips."

    Regarding the SEC - they couldn't ignore a national security order now. However, they can go back to lies by publicly traded companies presented during the time of the investigation and drop the hammer on companies. If Apple, and Amazon are under a national security order, they wouldn't have said a single thing.

    This is a funny hill for you to die on, man. Occam's razor applies here -- the simplest explanation is that Bloomberg is wrong, because the stakes are too high for Apple and Amazon to lie about it.
    No one is accusing them of lying, and no one is claiming there was any security breach at Apple. Nor is Bloomberg claiming your revised 7000 servers number was infected with anything at all.  It appears to me the reason for including a mention in the story was to emphasize how many Apple had in place before the returns back to Supermicro started.

    But the vendor themselves notes Apple's sudden and unexplained refusal to continue communication with them on the discovered "firmware" issue after initially reporting it:
    "...when his company (Supermicro) asked Apple's engineers to provide information about the firmware, they gave an incorrect version number—and then refused to give further information."
    The big question that should be staring you in the face begging for an answer is:  If the firmware version was not a legitimate one recognized by the vendor how did it get there and who authored it?  Second to that is what prompted Apple to stop pursuing the answer through the vendor, ending cooperation. 

    They also confirm Apple's return of servers already supplied by them.
    "Supermicro's senior vice-president of technology, Tau Leng, told The Information that Apple had ended its relationship with Supermicro because of the compromised systems in the App Store development environment. Leng also confirmed Apple returned equipment that it had recently purchased."

    Occam's Razor says something significant was going on and I'm surprised as an investigative sort yourself that you aren't the least bit curious or better yet suspicious about what it was. The simplest explanation is that the vendor had no reason to lie about either statement, but Apple might have reason for misdirection considering security issues.  Lying? I'm not claiming they did or Amazon did and no one else involved is either AFAICT.

    Anyway I don't plan on dying on any hill, this is probably the last of my involvement in the thread (Probably). I'm not taking any PR statement at face value and you seem to want to believe even more than was actually stated by Apple. Fair enough. Neither of us have our own unquestionable proof. It's more like in a civil trial, preponderance of the evidence IMHO. 
    edited October 2018
  • Reply 32 of 118
    gatorguy said:
    gatorguy said:
    gatorguy said:
    gatorguy said:
    The Bloomberg story seems politically motivated...

    There isn’t enough information to determine fault in the separate firmware incident.  It also doesn’t say if Apple resumed using SuperMicro as a supplier...

    Bottom line is Apple found a problem and addressed it before it could cause damage.  We don’t know the results of their investigation into whom was responsible.  Was the firmware modified by a third party?  Was it a beta firmware? Was the hardware intercepted and modified after leaving the manufacturer, but before getting to Apple and an exploit introduced?

    Not enough information... but Bloomberg needs to get their facts straight before publishing rumors.
    Bloomberg says they DO have their facts straight.
    "The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information."

    He said, she said...
    I find it utterly inconceivable that Apple -- especially Tim Cook -- would not be at least as concerned about such a security intrusion as some Bloomberg reporters or unnamed "former senior security officials" (it's the same crowd that kept harassing Apple to create backdoors and to give intrusive access to iOS devices to the likes of the FBI).

    I am quite satisfied -- as both a consumer and a shareholder -- with Apple's unambiguous denial of this claim. I'd take Apple's word over that of these media/Washington DC types.
    If Bloomberg is wrong, nobody will care in a month.

    If Apple is lying, then the SEC will ultimately dole out a massive fine and the entire saga will be in the press for a very long time.

    Yeah. I'm pretty sure that Apple's presenting the situation accurately.
    I suspect this is a national security issue which means the involved players can deny all they want without fear of the SEC who would be prevented from interfering or involving themselves if it's truly an active case.  The Bloomberg article says as much, that it's still an open and classified investigation.

    On top of that there never were allegations of a "wide-spread attack" on Apple's servers as alluded to in the AI article so of course that's deniable, and calling any source making that claim (they haven't) laughable might be perfectly appropriate.

    Every reference to Apple in the investigative piece (and they were few) indicates Apple caught this early on, never once implying it was persistent and widespread. Amazon also denies anything happened and the whole thing is made up, someone's imagination, despite 17 sources including 6 high-level current and former intelligence officials claiming otherwise.
    That's not how comments about national security issues by publicly traded companies are made, though. 

    Those are more like "We have no comment, pending the results of a classified investigation" or just no response at all. The SEC can still come after a company that lied in public statements, national security or no.

    And, regarding wide-spread. The allegations are that over 5000 servers had the surveillance chip. If that's not wide-spread, then what is?
    Where did Bloomberg say that 5000 Apple servers were infected? I totally missed that. AFAICT they don't claim that and I read the article again just now. 

    As far as the SEC where have you seen that they can ignore national security orders? 
    My bad, 7000. Bloomberg does say 7000.

    Also, FTA, from Apple's response: "In response to Bloomberg's latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips."

    Regarding the SEC - they couldn't ignore a national security order now. However, they can go back to lies by publicly traded companies presented during the time of the investigation and drop the hammer on companies. If Apple and Amazon are under a national security order, they wouldn't have said a single thing.

    This is a funny hill for you to die on, man. Occam's razor applies here -- the simplest explanation is that Bloomberg is wrong, because the stakes are too high for Apple and Amazon to lie about it.
    No one is accusing them of lying, and no one is claiming there was any security breach at Apple. Nor is Bloomberg claiming your revised 7000 servers number was infected with anything at all.  It appears to me the reason for including a mention in the story was to emphasize how many Apple had in place before the returns back to Supermicro started.

    But the vendor themselves notes Apple's sudden and unexplained refusal to continue communication with them on the discovered "firmware" issue after initially reporting it:
    "...when his company (Supermicro) asked Apple's engineers to provide information about the firmware, they gave an incorrect version number—and then refused to give further information."

    They also confirm Apple's return of servers already supplied by them.
    "Supermicro's senior vice-president of technology, Tau Leng, told The Information that Apple had ended its relationship with Supermicro because of the compromised systems in the App Store development environment. Leng also confirmed Apple returned equipment that it had recently purchased."

    Occam's Razor says something significant was going on and I'm surprised as an investigative sort yourself that you aren't the least bit curious or better yet suspicious about what it was. The simplest explanation is that the vendor had no reason to lie about either statement, but Apple might have reason for misdirection considering security issues.  Lying? I'm not claiming they did and no one else involved is either AFAICT.
    GG, move along...
  • Reply 33 of 118
    Mike Wuerthele Posts: 6,858 administrator
    gatorguy said:
    gatorguy said:
    gatorguy said:
    gatorguy said:
    The Bloomberg story seems politically motivated...

    There isn’t enough information to determine fault in the separate firmware incident.  It also doesn’t say if Apple resumed using SuperMicro as a supplier...

    Bottom line is Apple found a problem and addressed it before it could cause damage.  We don’t know the results of their investigation into who was responsible.  Was the firmware modified by a third party?  Was it a beta firmware? Was the hardware intercepted and modified after leaving the manufacturer, but before getting to Apple and an exploit introduced?

    Not enough information... but Bloomberg needs to get their facts straight before publishing rumors.
    Bloomberg says they DO have their facts straight.
    "The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information."

    He said, she said...
    I find it utterly inconceivable that Apple -- especially Tim Cook -- would not be at least as concerned about such a security intrusion as some Bloomberg reporters or unnamed "former senior security officials" (it's the same crowd that kept harassing Apple to create backdoors and to give intrusive access to iOS devices to the likes of the FBI).

    I am quite satisfied -- as both a consumer and a shareholder -- with Apple's unambiguous denial of this claim. I'd take Apple's word over that of these media/Washington DC types.
    If Bloomberg is wrong, nobody will care in a month.

    If Apple is lying, then the SEC will ultimately dole out a massive fine and the entire saga will be in the press for a very long time.

    Yeah. I'm pretty sure that Apple's presenting the situation accurately.
    I suspect this is a national security issue which means the involved players can deny all they want without fear of the SEC who would be prevented from interfering or involving themselves if it's truly an active case.  The Bloomberg article says as much, that it's still an open and classified investigation.

    On top of that there never were allegations of a "wide-spread attack" on Apple's servers as alluded to in the AI article so of course that's deniable, and calling any source making that claim (they haven't) laughable might be perfectly appropriate.

    Every reference to Apple in the investigative piece (and they were few) indicates Apple caught this early on, never once implying it was persistent and widespread. Amazon also denies anything happened and the whole thing is made up, someone's imagination, despite 17 sources including 6 high-level current and former intelligence officials claiming otherwise.
    That's not how comments about national security issues by publicly traded companies are made, though. 

    Those are more like "We have no comment, pending the results of a classified investigation" or just no response at all. The SEC can still come after a company that lied in public statements, national security or no.

    And, regarding wide-spread. The allegations are that over 5000 servers had the surveillance chip. If that's not wide-spread, then what is?
    Where did Bloomberg say that 5000 Apple servers were infected? I totally missed that. AFAICT they don't claim that and I read the article again just now. 

    As far as the SEC where have you seen that they can ignore national security orders? 
    My bad, 7000. Bloomberg does say 7000.

    Also, FTA, from Apple's response: "In response to Bloomberg's latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips."

    Regarding the SEC - they couldn't ignore a national security order now. However, they can go back to lies by publicly traded companies presented during the time of the investigation and drop the hammer on companies. If Apple and Amazon are under a national security order, they wouldn't have said a single thing.

    This is a funny hill for you to die on, man. Occam's razor applies here -- the simplest explanation is that Bloomberg is wrong, because the stakes are too high for Apple and Amazon to lie about it.
    No one is accusing them of lying, and no one is claiming there was any security breach at Apple. Nor is Bloomberg claiming your revised 7000 servers number was infected with anything at all.  It appears to me the reason for including a mention in the story was to emphasize how many Apple had in place before the returns back to Supermicro started.

    But the vendor themselves notes Apple's sudden and unexplained refusal to continue communication with them on the discovered "firmware" issue after initially reporting it:
    "...when his company (Supermicro) asked Apple's engineers to provide information about the firmware, they gave an incorrect version number—and then refused to give further information."

    They also confirm Apple's return of servers already supplied by them.
    "Supermicro's senior vice-president of technology, Tau Leng, told The Information that Apple had ended its relationship with Supermicro because of the compromised systems in the App Store development environment. Leng also confirmed Apple returned equipment that it had recently purchased."

    Occam's Razor says something significant was going on and I'm surprised as an investigative sort yourself that you aren't the least bit curious or better yet suspicious about what it was. The simplest explanation is that the vendor had no reason to lie about either statement, but Apple might have reason for misdirection considering security issues.  Lying? I'm not claiming they did and no one else involved is either AFAICT.

    Anyway I don't plan on dying on any hill, this is probably the last of my involvement in the thread (Probably). I'm not taking any PR statement at face value and you seem to want to believe even more than was actually stated by Apple. Fair enough. Neither of us have our own unquestionable proof. It's more like in a civil trial, preponderance of the evidence IMHO. 
    Two people I've been working with for over 20 years and were friends before that gave me the quotes that I put in the story beyond Apple's direct quote.

    So yeah, I'm pretty sure about what's going on.
  • Reply 34 of 118
    sflocal Posts: 6,092 member
    gatorguy said:
    Rayz2016 said:
    davgreg said:
    Rayz2016 said:
    Ah, Bloomberg …

    Perhaps they should leave the techie stuff to the likes of Ars Technica.

    Bloomberg has a solid track record of reporting on Apple. Apple has a solid track record of saying little of substance when it does not fit their image.
    Nope.

    https://appleinsider.com/articles/18/03/24/editorial-bloomberg-spins-apples-event-as-a-desperate-blind-stab-for-cheap-ipads-in-education


    This Bloomberg article we're discussing did not involve Apple as the focus anyway, very little mentioned about them, and zero claims about it being anything widespread. It had far more to do with Amazon so hardly to be considered an Apple hit-piece. 

    In a probably unrelated event Apple began using Google servers for iCloud just a few months later which quite a few members here found surprising and some even distressed by. FWIW Google builds its own servers and uses its own in-house designed security chipsets.
    FWIW - SuperMicro builds its own servers too.  They just outsource the actual fabrication of the components in Asia.  Does Google do that too?  I don't think Google manufactures its own PCB boards, with capacitors, resistors, etc. and solders them to the PCB, right?
  • Reply 35 of 118
    gatorguy Posts: 24,178 member
    davgreg said:
    Rayz2016 said:
    Ah, Bloomberg …

    Perhaps they should leave the techie stuff to the likes of Ars Technica.

    Bloomberg has a solid track record of reporting on Apple. Apple has a solid track record of saying little of substance when it does not fit their image.
    Bloomberg has a solid track record of trolling Apple, as it's headed now by Mark Gurman.
    Um. No. He's a reporter and definitely "not in charge". His name isn't in this story's by-line either. NOW I'm done ;) 
    Plenty here for everyone to make up their own minds what to take at face value if anything.
    edited October 2018
  • Reply 36 of 118
    gatorguy said:
    Plenty here for everyone to make up their own minds what to take at face value if anything.
    Yeah, there's plenty in the story, if that's what you mean. And yes, we've made up our own minds.
  • Reply 37 of 118
    gatorguy Posts: 24,178 member
    sflocal said:
    gatorguy said:
    Rayz2016 said:
    davgreg said:
    Rayz2016 said:
    Ah, Bloomberg …

    Perhaps they should leave the techie stuff to the likes of Ars Technica.

    Bloomberg has a solid track record of reporting on Apple. Apple has a solid track record of saying little of substance when it does not fit their image.
    Nope.

    https://appleinsider.com/articles/18/03/24/editorial-bloomberg-spins-apples-event-as-a-desperate-blind-stab-for-cheap-ipads-in-education


    This Bloomberg article we're discussing did not involve Apple as the focus anyway, very little mentioned about them, and zero claims about it being anything widespread. It had far more to do with Amazon so hardly to be considered an Apple hit-piece. 

    In a probably unrelated event Apple began using Google servers for iCloud just a few months later which quite a few members here found surprising and some even distressed by. FWIW Google builds its own servers and uses its own in-house designed security chipsets.
    FWIW - SuperMicro builds its own servers too.  They just outsource the actual fabrication of the components in Asia.  Does Google do that too?  I don't think Google manufactures its own PCB boards, with capacitors, resistors, etc. and solders them to the PCB, right?
    I forgot AI frowns on PMs so I'll post it here tho that wasn't my intent:
    https://www.theregister.co.uk/2017/01/16/google_reveals_its_servers_all_contain_custom_security_silicon/

    Google is pretty secretive when it comes to the actual specifics. A couple years ago someone had asked the man overseeing Google's worldwide server network about designing the servers but sending the manufacturing to China. His answer was that wasn't exactly true about sourcing all the stuff from Asia/China but he wasn't allowed to discuss why it wasn't true, trade secrets and all. 

    But to the exact question you asked: Common sense would tell you that Google would not be building each individual capacitor, resistor etc so yes there will always be a possibility of some creative ne'er-do-well finding a hardware door somewhere. 
    edited October 2018
  • Reply 38 of 118
    I find it difficult to believe that Bloomberg would risk fabricating this whole story.  It seems more likely that deals were made behind the scenes to use this to pressure China to back off on IP theft and open up their markets.  Apple and Amazon would benefit from this much more than pissing off China by going public.
  • Reply 39 of 118
    Rayz2016 said:
    davgreg said:
    Rayz2016 said:
    Ah, Bloomberg …

    Perhaps they should leave the techie stuff to the likes of Ars Technica.

    Bloomberg has a solid track record of reporting on Apple. Apple has a solid track record of saying little of substance when it does not fit their image.
    Nope.

    https://appleinsider.com/articles/18/03/24/editorial-bloomberg-spins-apples-event-as-a-desperate-blind-stab-for-cheap-ipads-in-education

    Bloomberg spins for clicks, like everyone else.



    Or maybe you just can't tell a news article from an editorial? 
  • Reply 40 of 118
    StrangeDays Posts: 12,844 member
    gatorguy said:
    davgreg said:
    Rayz2016 said:
    Ah, Bloomberg …

    Perhaps they should leave the techie stuff to the likes of Ars Technica.

    Bloomberg has a solid track record of reporting on Apple. Apple has a solid track record of saying little of substance when it does not fit their image.
    Bloomberg has a solid track record of trolling Apple, as it's headed now by Mark Gurman.
    Um. No. He's a reporter and definitely "not in charge". His name isn't in this story's by-line either. 
    I’m under the impression Gurman was hired to do their Apple-rumors coverage, even if that isn’t being “in charge”. Perhaps he’s not involved here because it’s a matter of general tech/security. 

    Besides the point tho, which was that he’s not unbiased and is a pro-troll. 

    (Edited to revise statement of being in charge)
    edited October 2018