Date: 2018-10-19
Apple Demands Retraction Of Bloomberg's Big 'Chip Infiltration' Story; Bloomberg Has Some Explaining To Do
from the not-looking-good dept
A few weeks ago, Bloomberg published a giant story claiming that Chinese spies did a somewhat daring supply chain hack on American big tech firms. The gist of the story was that servers from Super Micro, which were then used by Apple and Amazon (not to mention the US government), had hidden chips that somehow allowed someone in China to access certain data. The story was a blockbuster that got everyone talking. But, almost as soon as it came out, a bunch of people started raising questions about the story. While the Bloomberg reporters claimed over a dozen sources, both Apple and Amazon came out with incredibly strong denials. Way stronger than is common in these situations. And while I know some cynical people insist that companies will lie about this stuff all the time, that is not actually true. Some companies may misrepresent things, or try to play down stories, but outright fabrication is not at all common (and the consequences of a company doing it would be severe). And here, both Amazon and Apple's denials were so clear, so specific and so adamant that it raised serious questions about the reporting.
Since there was so much confusion over it all, we held off on writing about it, figuring more information would come out in the days and weeks after the initial story. And so far, nearly all of the "additional info" has only served to raise significantly more questions about Bloomberg's reporting. Various government and intelligence agencies all claimed they had no evidence to support these claims. Again, some will argue that they are lying, and (again) while those agencies may have a history of misrepresenting things, the denials here were clear and unequivocal. The UK's National Cyber Security Centre (a part of GCHQ) said they completely supported Apple and Amazon in saying that no such attack occurred. The US Department of Homeland Security said the same thing. Dan Coats, the US Director of National Intelligence, said the US intelligence community has seen no evidence of such an attack, which certainly undermines the Bloomberg story. Some of the folks quoted in the Bloomberg article even questioned the accuracy of the article, with one going so far as to say the article that he is named in... "didn't make sense."
Also, as reporter Nicole Perlroth noted, one of the reporters on the Bloomberg story -- Michael Riley -- had also done a story back in 2014 making bold claims that the NSA had exploited the Heartbleed bug, and multiple other reports ripped that story to shreds, with multiple people denying it and no one else confirming it.
Now, with this story, Apple has done something it's never done before: asked Bloomberg for a retraction of the article. That's a pretty big move -- and Bloomberg says it still stands by its reporting (as it did with the Heartbleed story).
However, at this point, Bloomberg has whittled away whatever benefit of the doubt there was left and set fire to the scraps. It's difficult to believe that Bloomberg's story was accurate, and the company and its reporters owe everyone an explanation -- or at least some additional evidence to support the reporting. I don't doubt that there is a kernel of truth in the story -- but given the vehement and thorough response from everyone, it certainly seems likely that the reporters on the Bloomberg piece misunderstood something big, leading to misreporting of things in a way that leads to a very inaccurate picture of what's going on. Bloomberg should, at the very least, appoint someone else to go through the work put in by reporters Michael Riley and Jordan Robertson, and explore whether or not the story really is accurate, and why it is that basically everyone is saying it's not.
Reporters can, and do, make mistakes. How they respond to such mistakes is the real marker of the ethics they and the organizations they work for hold. Considering Bloomberg stood by that Heartbleed story, perhaps we shouldn't expect such a reckoning at the publication -- but, at the very least, it's going to lead plenty of people to write off Bloomberg as a credible source on issues like these, and that's unfortunate, given that there are some really big and important stories having to do with computer security right now. Having one major publication show itself to be untrustworthy in its coverage would be very bad.
Reader Comments
Yes, but first they must be an actual reporter
Listen to various chats, fueled by who knows what, believe it (for who knows why), publish and double down. Include the names of people who said that the initial info didn't make any sense, and clam up when the list of people that clearly knows better.
That is hardly a mistake. That is bad reporting. Bad publishing too.
[ reply to this | link to this | view in chronology ]
First rule of spycraft
[ reply to this | link to this | view in chronology ]
Since there was so much confusion over it all, we held off on writing about it, figuring more information would come out in the days and weeks after the initial story.
I noticed that, and had to follow the story over at Ars. On a completely unrelated note, has anyone ever had to get a latte at a strip-mall Starbucks because their local coffee shop's espresso machine was on the fritz?
[ reply to this | link to this | view in chronology ]
Denials everywhere...
And here, both Amazon and Apple's denials were so clear, so specific and so adamant that it raised serious questions [whether they were ordered by the government to deny it].
[ reply to this | link to this | view in chronology ]
Is it entirely possible that Bloomberg lied? Yes. Is it equally possible, or even more likely, that the others are lying? Yes.
Let's assume for a second the attack is real. Even if it weren't in the companies' best interests to deny it, it would still be in the government's interest, and the companies would be forced to deny it. The sheer number of heads that would roll would make sure that no intelligence agency would ever admit to it in public.
Now, besides denying it, what would we do if it were true? We would retaliate. Not in kind, because we don't have that capability, but with what is available to us. What have we recently been doing to China? Attacking their economy in a way that hurts us, but hurts them a lot more.
The fact that our actions to hurt China's economy also hurt ours indicates there are other reasons involved other than the purely economic. This is a candidate for being that reason.
[ reply to this | link to this | view in chronology ]
Unknowable truth here...
Now, my factually unsupported opinion is that someone from the NSA put the reporters up to it because NSA TAO is thinking about such hacks, and they are looking for a smart PhD/maker/hacker to implement a proof of concept that they can then weaponize.
There is also the defense-in-depth aspect of this -- the publicity highlights the attack surface inherent in a board control computer that can reboot the server on command and feed it arbitrary firmware. So some other smart PhD will now figure out how to defend against something like this.
[ reply to this | link to this | view in chronology ]