by zjfroot 2818 days ago
Statements from Amazon, Apple, Supermicro and Chinese government.

https://www.bloomberg.com/news/articles/2018-10-04/the-big-h...

From Apple:

"Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple."

8 comments

Main discussion of that post: https://news.ycombinator.com/item?id=18138990.
What liars. Apple has done this before as well, when they said they had "never heard" of PRISM, despite a Snowden leak showing the exact opposite.

https://www.theguardian.com/world/2013/jun/06/us-tech-giants...

I wonder how legit it would be for a US company to set up an internal gag order? Running on compromised hardware is practically a nuclear meltdown (pun intended) and publicly admitting to it as well.
The trick seems to be having sufficiently uninformed people in all positions that might get to write that kind of response. No need to feign ignorance when you can have the real thing.
At least in the case of Amazon, the denial is published under the name of the CISO, Steve Schmidt, who previously worked for the FBI for a decade.

https://aws.amazon.com/blogs/security/setting-the-record-str...

Not saying he's not lying but it definitely raises the stakes.

Qualification is no hindrance to being out of the loop though, deliberately or not. It just makes it more embarrassing. Ignorance itself is still easily attainable, just "shoot the messenger" (this will make you seem tough and thorough to your higher ups) a few times when bad internal news escalates to your level and you will remain in blissful ignorance for the rest of your tenure.
The event was probably classified as a national security incident which would compel the affected parties to not disclose the event.
How does that actually work? How far down the chain of related facts to the national security incident are parties allowed/required to lie? If facts can be used to triangulate the secret, that can't be disclosed, right? Are incidents like this like a little fact-bomb which can be used to legally hide other institutional facts under its cover?
I assume it’s like a national security letter. The only people in the company that have knowledge would be the CEO, general counsel, and people working directly to mitigate the issue. PR and corporate communication wouldn’t have any knowledge of the incident. I wonder how you collect insurance for these types of incidents if you can’t disclose them.
There most likely are classified legal constructs that compel speech. You see that with the PRISM denials by Apple and Google.
s/legal/extralegal/

"Secret law" is an oxymoron.

I mean what are they gonna say? "Yes, we have been aware that an unknown but possibly huge number of our servers have been compromised, but decided to keep our customers in the dark"?
Your point being?
I think the point is that actual honesty from these megacorps would be so surprising that even raising the possibility of it happening is so absurd it feels like parody writing.
Last week Facebook was reasonably transparent about a hack affecting tens of millions of users.
This may be the first time in the history of the internet a statement from Facebook has ever been held up as an example of honesty and transparency from a corporation in America.

The GDPR has already called out Facebook for lack of info in its response to the breach: https://www.cnbc.com/2018/10/02/facebooks-muddy-account-brea...

Not sure why you'd pick that example.

That's because they have been under tremendous scrutiny recently.
The Snowden leak confirmed Apple's statement. It showed that Apple worked with the FBI on a system to process court ordered user data requests. Apple would obviously have no knowledge of the code name of a downstream NSA system that processed that data.
Weren't they under a gag order? Even if not, that's a risky thing to acknowledge.
Assuming Bloomberg's story is true, I wonder what reason Apple has to hide. Not wanting to upset relations with the PRC govt?
NSL letter, under active investigation
NSLs require secrecy not lying.
The Snowden leaks among others show that most companies aware of PRISM ended up flat out lying about it. Either it's a type of NSL we haven't seen before or employees receive death threats, etc.
No, none of the companies lied about it. The companies worked with the FBI's Data Intercept Technology Unit. They would obviously have no knowledge of a downstream data processing system like PRISM.
Couldn't an NSL have been served to datacenter operators, along with the notification of the attack, and the organisation's management simply be unaware?
They might volunteer to lie, though.
I can think of a trillion reasons...
they have literally every reason to deny and literally no reason to say it's true
Except, you know, to avoid committing securities fraud by making a material misrepresentation.
There is no way that the intelligence community would allow that fraud case to go ahead.
That assumes that 1) the intelligence community has the power to stop it and 2) that Apple believes this to be the case and 3) that Apple is confident that the intel community would use that power to protect them. That seems like a reach to me.
#3 isn't the intel community protecting Apple, it would be protecting themselves, which is a lot more plausible. They don't want detailed information about the techniques coming out. Odds are good that the Bloomberg story is still incomplete in some critical way, and decent that even if the story as a whole is broadly-speaking "true" there's still an outright lie contained in it. My guess would be the way in which it was discovered.

I work for a company that sells network appliances, and I've been questioned by customers as to why I'm doing an SRV DNS lookup instead of a standard A DNS record lookup in some software I wrote, and had every detail of how I use TLS picked over by some customers. (More power to them. Not a complaint.) Some people run really tight networks. I wouldn't be surprised the real discovery mechanism was someone noticing the packets heading out that had implausible source-dest pairs ("why is my internal network that barely knows the internet exists trying to send packets to $RANDOM_LOCATION?"). If the people discovering this were actually the intel agencies themselves, for instance, they'd find another story to tell rather than reveal that. I am absolutely, positively not claiming this is true; I have no more evidence of it than anyone else. I'm just giving an example of the sort of thing I mean. It's also possible the intel agencies slipped a hint to someone about what to look for; again, I have no info to that effect, just an example of why they might not want something to go to court.
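As an added illustration (not the commenter's code), this is the kind of egress check the comment alludes to: scanning connection logs for hosts on a segment that should never reach the internet talking to external addresses outside an approved allowlist. The log format, network ranges and allowlisted address are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines, not real traffic: "<timestamp> <src> -> <dst>:<port>".
SAMPLE_LOG = """\
2018-10-04T12:00:01Z 10.20.1.15 -> 10.20.1.2:443
2018-10-04T12:00:02Z 10.20.1.15 -> 10.20.9.10:53
2018-10-04T12:00:05Z 10.20.1.22 -> 203.0.113.45:443
2018-10-04T12:00:35Z 10.20.1.22 -> 203.0.113.45:443
2018-10-04T12:01:05Z 10.20.1.22 -> 203.0.113.45:443
2018-10-04T12:01:10Z 10.20.1.30 -> 198.51.100.7:80
"""

# Assumed: the monitored segment is all of 10.0.0.0/8 and the only external
# destination it is ever expected to reach is a hypothetical update mirror.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EGRESS_ALLOWLIST = {"198.51.100.7"}

LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+)$")


def parse_flows(log_text):
    """Yield (src, dst, port) tuples from the constructed log format; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_unexpected_egress(log_text, allowlist=EGRESS_ALLOWLIST):
    """Return {(src, dst): count} for internal hosts reaching non-allowlisted external IPs.

    Repeated hits on one pair are the implausible source-dest pattern worth a closer look.
    """
    hits = defaultdict(int)
    for src, dst, _port in parse_flows(log_text):
        if is_internal(src) and not is_internal(dst) and dst not in allowlist:
            hits[(src, dst)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, dst), n in find_unexpected_egress(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} connection(s) to an unexpected external destination")
```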

I'm reminded of Matrix-Churchill: https://en.wikipedia.org/wiki/Arms-to-Iraq

Although that nearly went in the other direction. The people involved were nearly sent to jail for shipping arms to Iraq which they had been doing at the behest and with the complicity of the UK security services.

The power of government agencies to turn up to people's offices and tell them "you need to stop doing what you're doing, and it's illegal to mention this meeting" should not be underestimated.

I think it's extremely foolish to think that the SEC would have the ability to overrule the CIA/NSA/other TLA when it comes to disclosure of this.
They will absolutely step in when Apple decides to fight the case in court risking the exposure of sensitive info.
Not at all. It would be quite damaging to their reputation if it came out later that they were affected by this, knew it, and lied about it. Especially since the privacy of customer data is a key part of their marketing message these days.
Damaging how? People will stop buying iPhones? Be realistic.

Assuming the story is true, you lie lie lie until something bigger in the news happens then you quietly relent.

Personally I buy Apple because they are more private than android. I would look at alternatives if Apple was caught lying here.
Well, what was Apple's response to the PRISM revelations?

Apple: "We have never heard of PRISM. We do not provide any government agency direct access to our servers, and any government agency requesting customer data must get a court order."

PRISM: "Collection directly from the servers of these US service providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple" A later slide claims that Apple joined the program in October 2012.

http://www.washingtonpost.com/wp-srv/special/politics/prism-... for those documents.

So, was Apple lying about PRISM? The Snowden documents certainly seem to support that position[1]. If they lied about PRISM, why would you trust them now?

[1]: Obviously there are possibilities like Snowden documents were wrong, or deliberate hoaxes, etc. Spy games are fun!

What percentage of stories like this do you think never come out publicly? 50%? 90%?
This article is more or less total bullshit. At _best_ that device might be a mechanism to cause failure intentionally. And there are tons of ways to detect it with commodity technology, and plenty of vendors who implement that technology for assembly manufacturers commercially.
That’s what I thought but then it says it’s hooked to the BMC bus. It’s basically a small IME device with no java bloatware to run. I’d think it’s reasonably credible
My issue isn't whether or not it's possible for hardware to be insecure or whether or not it's possible for exploits to exist.

My issue is this Chinese undetectable super chip creating unpreventable wide-scale vulnerabilities.

For what it's worth, I've worked in hardware security and I own a hardware quality control startup.

> I wonder what reason Apple has to hide.

The perception is that Apple is perfect and worth paying 3x the cost?

EDIT: Curious if all of these Apple comments are going to disappear. I believe they have a strong marketing team to hide dissent.

This breaks the site guideline that asks you not to insinuate astroturfing or shillage without evidence. Please don't do that—it's a toxic trope that leads to dumber threads.

https://news.ycombinator.com/newsguidelines.html

Edit: looks like we've already warned you about this more than once. If you keep doing it we're going to have to ban you, so please don't post like this again. Ditto for unsubstantive comments in general.

What evidence do you want? They only have 5 accounts with the ability to downvote. This is why comments always have -4 with anything critical of apple.
HN's software puts a floor of -4 on downvoted comments.

Please stop this now.

Or people recognize that statements like "The perception is that Apple is perfect and worth paying 3x the cost?" are hyperbolic nonsense.
>Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them.

An uncharitable reading, but this statement does not exclude the possibility of investigations by 3rd parties hired by Apple.

Neither does it exclude the possibility of internal investigations of which Apple's press office is unaware. If Tim Cook simply said this never happened I'd believe him. This elaborate denial suggests otherwise.
I'm actually kind of sympathetic to Apple here.

One of the companies I worked for once received a request from a news outlet about a potential rumor around us, and they bullied our CEO into an interview to disprove that rumor.

Then the journalist picked several quotes out of context as proof that the rumor was true.

While I don't trust megacorps, I don't know if I can trust journalists more when major breaking news is on the line.

They have to deny it. If the allegation is true, it means the Chinese CCP Gov knows which computer parts are produced specially for the US gov or certain big companies and targets them precisely. There has to be some deep link for information flow to allow that. Anyway, worth further digging.
That seems plausible, given what we know about Amazon employees with ties to China disclosing private sales info or changing reviews in exchange for cash bribes. https://abcnews.go.com/Business/amazon-probes-report-workers...
The article says they shipped the boards to a company in Ontario, lawyerly:

>…At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

I mean: > The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation.