by smurfysmurf 2813 days ago
I've seen several comments regarding whether or not Apple, Amazon etc. would deny the hacking if it's true and whether that is fraud or not. I work at Amazon now and previously was in the Navy, holding a TS/SCI. My firm belief is if such a hack happened, it would not be disclosed to anyone without a clearance, and the organizations that are denying it have no knowledge that it occurred. Furthermore, if there truly was a compromise by a foreign nation it would be classified as a national security threat and subsequently classified and kept from public knowledge. Anyone who disclosed the truth would be at risk of losing their clearance and job, and could end up getting the Snowden treatment.
6 comments

> the organizations that are denying it have no knowledge that it occurred

Are you saying that Steve Schmidt, the AWS chief infosec officer didn't know about the hack? Or that his article [0] was published to purposely hide it?

If only one person in Amazon knew about it, it would be Schmidt. And if Schmidt knew, I don't think he'd write an article so strongly claiming Amazon doesn't know anything about it. The only thing in my mind that lends credence to Schmidt covering it up purposely is that $10B contract the Pentagon is putting out; perhaps they've told him to play ball as part of getting the contract. But even then it seems a stretch.

[0] https://aws.amazon.com/blogs/security/setting-the-record-str...

CISO is not the most likely point of crossover, the most likely point is the general counsel's office. Companies don't talk to the Feds without a lawyer, and they also don't issue high profile statements without a lawyer. And unlike the CISO, conversations with your lawyer are privileged.
It's very possible Steve wouldn't know, both owing to past precedent (see SmokeyJ's comment on Alex Stamos) and owing to whether or not he's cleared.
He about has to be cleared if he's the security chief over govcloud.
Whoever directly oversees it and acts as the stakeholder for GovCloud should be, sure, but there's no reason for the person above the direct overseer to be cleared. Otherwise by that logic Bezos should be cleared as well.
I may be mistaken but I'm fairly confident govcloud is an unclassified network.
At least publicly, they're acknowledged to go up to Secret right now. https://aws.amazon.com/blogs/publicsector/announcing-the-new...
The Bloomberg article specifically claimed that Apple themselves discovered the chip in a random spot check. If an Apple employee discovered it, it would have been communicated all the way up to the executive level prior to notifying anyone outside the company (such as the FBI), which means you can't just chalk this up to a handful of lower-level Apple employees being covered by a gag order and the executives not knowing.
It also claimed Apple removed 7000 SuperMicro servers in a few weeks. That seems especially unlikely to happen without at least some explanations to upper management. Sure, they could lie to management about why but either way management can’t then claim no servers were removed without lying themselves.
Apple also said they didn’t even have 7000 SuperMicro servers to begin with.
Unless the NSA or another intelligence agency has an insider that could catch that before it made it up high enough to cause trouble. Conceivably, someone below the insider could leak to Bloomberg, realizing that they have limited options.
That seems like a lot of work. What would be the point of that?

If Amazon is being spied on by foreign intelligence, wouldn't the NSA want Amazon to know about it? Particularly since government data is hosted on Amazon's servers.

Because now the NSA has a strategic foothold. If they acknowledge the hack, then the adversary will move on to something else. If they don't acknowledge it, they can secretly mitigate it, by feeding false data, for example, and waste the adversary's time.
> Furthermore if there truly was a compromise by a foreign nation it would be classified as a national security threat and subsequently classified and kept from public knowledge.

This is exactly what I think. Anyone confirming such a case publicly could cause a huge international confrontation between the two largest economies in the world. It's not about tech or business, it's about national security and international politics.

I can see where the Navy/Military/Government could compartmentalize a hack like this. How could a company like Apple or Amazon keep this under wraps? How could they keep the knowledge of such a hack within the TS/SCI employees?
The cleared department is handled the same way as in the military in terms of security. Amazon has SCIFs etc. So unless a disgruntled employee steps forward who doesn't care about their life, I imagine it's easily contained (and symptoms of an employee being disgruntled are highly monitored when they hold a clearance).
I'm thinking about the non-cleared data center folk, the sysadmins and developers who use the servers for their applications.

How do a bunch of Supermicro servers vanish without anyone noticing? I'd expect quite a few people would be involved that do not have any clearances. Apple is known for their secrecy, but a few other companies named are not.

At the scale their datacenters are, they must be replacing a full rack of servers every single day just to follow a standard 3-year depreciation policy.

Servers practically vanish every single day. Add a few more Supermicro and it's not even noticeable. Business as usual.

Maybe they didn't remove them.
I knew a dozen people working on Amazon Go for like 4 years before it launched. Not one person leaked, even internally, what the hell they were building. Just that it was awesome and I should come join their team.

Somehow, Amazon is really good at keeping secrets.

1) Everybody involved has agreed to keep secrets.

2) You compartmentalize everyone so nobody has the complete picture.

If it is classified and a cleared employee at Amazon/Apple/etc. blabbed, there would be life-altering consequences for them.
Then there will be? As someone apparently/allegedly blabbed to Bloomberg?

I say again to Bloomberg: picture (X-ray) or it didn't happen.

Except they didn't keep it wrapped, did they? And people all the way to the CEO knew about it.
Point being it started with the CEO. At what point do you suspect the publicist of all people was clued in? Absolutely never.
What's the point of classifying national security threats?
When a threat is discovered it can be very helpful if the attacker does not know you've discovered the threat.

Now you can observe them and only intervene when absolutely necessary, thus giving you time to learn more about the attackers and their methods.

Right. So, if this hack is real, the attacker now knows we know.
The previously reported issue was alleged to take place in 2013-2015.

This issue in this thread is alleged to have taken place in August 2018.

In the intervening time, much could have happened.

They might actually have known for much longer: if your spying devices suddenly stop communicating with you, that likely means you've been discovered.

If that story is true (and I personally think it has a high probability of being), what would a gov or a large org do? Investigate, confirm they have been compromised, but then.... leave the hw in place and data flowing back to the alien mothership? Unlikely.

Yes, it was made public at this time for a reason. I have no idea about who made it public and why, but you can be sure there is a bigger game here.

Did the journalist and/or their friends and family make money on the massive drop in Supermicro stock?

Is the Trump administration asking to push this information out to earn favor in the trade war?

Are the investigators stumped and using this in an attempt to flush out new leads?

No idea.

If you know that something is compromised, you can use that knowledge to feed misinformation. You don't want them to know that you know.
I don't necessarily agree with the below, but one could argue that classification is necessary to prevent mass panic/prevent attempted vigilante justice/protect the government's image/buy the government time to investigate/respond appropriately.
Things get voted on and positions change so I have no idea what you're referring to with "the below," but it's much simpler than trying to protect "the government's image."

If you're attempting to hack me or steal data from me and I know you're trying (specifically as would be the case with this chip if the story holds up) then I'm in a much better position to try to figure out how, or provide misinformation, or try to turn someone in the chain of custody if anything needs to be physically handled. Or at the very least, if it's an espionage or military situation, it makes it easier to know who to kill.

All of that goes out the window if you immediately disclose every threat. Whoever is attacking you will simply use the means you haven't discovered yet and stop using the ones you have.

Perhaps I should've written "the following" - I just meant the list that I provided in the rest of the sentence.

I believe you covered more in-depth content that could be filed under "buy the government time to investigate/respond appropriately."

To not give away to another nation that their capabilities are mitigated.
power
Ignorance is not a defense, especially for a director of security. Lying about knowing how the organization you lead operates is as bad as directly lying about how your organization operates.