NSA cybersecurity head can't find corroboration for iCloud spy chip report
The senior advisor for Cybersecurity Strategy to the director of the National Security Agency has advised there is a lack of evidence relating to both of Bloomberg's recent espionage-related stories, and has openly asked people with knowledge of the situation to provide assistance.

Speaking at a U.S. Chamber of Commerce event, NSA Senior Advisor Rob Joyce was put on the spot about the allegations that the Chinese government tampered with servers produced by Supermicro, which were allegedly used by Apple, other major tech companies, and various government organizations. Joyce's comments suggest that, after checking with his own sources, he disbelieves the entirety of the report.
In response to Wall Street Journal reporter Dustin Volz's query on the allegations, Joyce advised "What I can't find are any ties to the claims in the article," adding "We're befuddled." While noting he has considerable access to intelligence, he has yet to find any corroboration for either the initial story's allegations or a second connected story pertaining to a major telecommunications provider in the U.S.
The lack of connected evidence to the events led Joyce to plead with others to bring clarity, asking "If somebody has first-degree knowledge, can hand us a board, and point to somebody in a company that was involved in this as claimed, we want to talk to them."
Reporting on the same meeting, Politico's Eric Geller quotes Joyce stating "I have a pretty good understanding about what we're worried about and what we're working on from my position. I don't see it. There's not there there yet. I have grave concerns about where this has taken us. I worry that we're chasing shadows right now."
Joyce then admits he has no confidence that there's something to the story. "I worry about the distraction that it is causing."
The comments are not the first to be made by members of the security community connected to a government agency. The UK's National Cyber Security Centre, part of GCHQ, put out a similar plea for people with "credible intelligence" about the report to make contact, commenting "at this stage we have no reason to doubt the detailed assessments made by AWS (Amazon Web Services) and Apple."
Both companies issued strong denials to the story shortly after its publication, with Apple characterizing it as "wrong and misinformed." Apple has also performed a "massive, granular, and siloed investigation" into the claims, but did not discover any evidence of hardware tampering, nor any unrelated incidents that could have contributed to the report's claims.
The Department of Homeland Security also issued a statement on Saturday, again siding with Apple and Amazon, but without delving into detail as to why it doesn't believe the Bloomberg report.
One of the few named sources in the original report, security researcher Joe Fitzpatrick, has revealed his own doubts about the report, including dealings with one of its authors. Fitzpatrick advised he had previously spoken to the reporter about proof-of-concept devices demonstrated at Black Hat 2016, but found it strange that the ideas he mentioned were confirmed by other sources of the publication.
A number of U.S. officials contacted by one report advised they were uncertain about its accuracy, with one official changing their mind from their initial assertion the "thrust of the article" was true.
Two U.S. senators have written to Supermicro demanding answers over the reports, issuing questions for response by October 17. The questions, asked by Senators Marco Rubio and Richard Blumenthal, query when Supermicro became aware of the malicious hardware reports, if it had investigated the supply chain, and if the Chinese government ever requested access to confidential security information, among other areas.

I just asked @RGB_Lights about the Bloomberg story:
"What I can't find are any ties to the claims in the article ... If somebody has first-degree knowledge, can hand us a board, can point to somebody in a company that was involved in this as claimed, we want to talk to them." -- Dustin Volz (@dnvolz)
Comments
This will be the last time the NSA comes out on Apple's side.
These kinds of stories are either it happened or it did not, it is not reporting on someone's opinions, views or analysis of the world order, and if they can not get simple facts correct do you think they get more subjective topics correct? This is why today my mantra of "believe nothing of what you are told, half of what you read and see, and all of what you personally experience" has lots of value to the general public consuming news.
1) big financial houses are still pissed off at Steve Jobs for not allowing them preferential access to purchase and broker Apple stocks in bulk (pre-IPO) and therefore, unable to manipulate the company in the way they see fit. I believe this is the origin of all (or most of) the Apple hate;
2) don’t kid yourself, the NSA is not, in fact, coming to the aid of Apple. They are simply covering their own asses.
Bloomberg is just another news outfit trying to make a living for itself. We all need to eat you know.
If you really want to assign blame then look no further than Tim Berners-Lee. The internet brought us all together: you, me, the crazies, the sycophants, the liars, the cheats, the paranoid schizophrenics, and some clear eyed rational people here and there too. We’re all together, yet siloed into geographically dispersed groups of people who share our own belief systems. So we end up with a cacophony of groups and people who are absolutely 100% sure they are right and everyone else is wrong because, well, their friends in their own siloed universe told them so.
If this really happened and Bloomberg wants to claim they worked this for a year, did they ever see the chip itself? Why didn't they include pictures of the actual device? If there were 30,000 compromised computers you'd think someone would have gotten their hands on one. It is like saying Supermicro murdered someone and they can not produce the weapon or the body and can not even identify the person who was murdered. However they have a number of anonymous sources who claim to have seen the murder.
That is okay, our fine Senators will get to the bottom of this, they ask Supermicro to provide all the documents related to what happened. You know if it never happened and Supermicro can not produce documents to show it happened the government will conclude there is a cover up.
True, there’s a lot to despair about in the never ending news cycle. Truth is frequently boring and does not motivate people to read the news. Bad news, particularly when it’s horrific, tragic, or sensational, grabs eyeballs. There’s an underlying and often subconscious tendency to paint things worse than they actually are in the headlines. Politicians use this to rally the troops to their cause du jour. It’s a great way to get and stay elected as well as increase one’s political power.
The effect is that it gets many people down and creates the perception that the world is going to Hell in a hand-basket. This, despite empirical data on almost every front that say otherwise.
But I believe this malaise will pass as well. Good journalists already know that verifiable information is the gold standard by which information should be judged. The younger generation of journalists will be technically knowledgeable about the subject they write about instead of repeating what someone they trust told them. As evidence I present sites like AppleInsider who, when it comes to tech, know what they’re writing about unlike the New York Times, the Wall Street Journal, or Bloomberg.
(No, I’m not a paid shill.)
The problem with Bloomberg's reporting is they have probably been caught with their pants down publishing something that might not be accurate. I remember watching the movie, Truth, about CBS News and Dan Rather. The Bloomberg situation could be the same thing.
The necessity for critical thinking has never been as important as it is today. Anyone with a Twitter account can become a self-publisher of their own version of reality. It's no longer just the morning newspaper and the 6 o'clock news, it's a never ending stream of data and information from multiple sources splashing over you from all directions. The human brain normally processes all of these feeds in a listen-think-act manner - except when it is under duress, at which point the "think" part of the process is reduced to a "canned" response that was originally intended to maximize survival. Critical thinking reinstates the "think" step as a priority in the process, but more importantly helps to avoid letting other people, especially those deemed to have authority or influence, from injecting their own "think-replacement" into your brain's natural evaluation process. All it takes is something to prod you into a feeling of duress, yank out the (critical) thinking part, replace it with the authoritarian's/influencer's canned response, and now you're acting under someone else's evaluation process. In this specific case the threat is that Chinese PRC agents are infiltrating hardware servers of major cloud service providers, telecoms, and even the US military's computing resources for nefarious reasons. So rather than evaluating the claims and seeking physical evidence, and letting the evidence lead us to the most logical conclusions, we're getting senate members potentially conflating this into much more and people questioning whether they can trust their own government. The "think" step has obviously been replaced by action, some of which is probably misguided.
Again, all Bloomberg needs to do is provide physical evidence to support their claims. Let's focus on getting that and then see where it leads us.