There is a big flaw in Bloomberg’s report.

1. When a motherboard is made, there is no guarantee where a motherboard will be used. For all anyone knows, the motherboards in question are powering porn sites or are used by Netflix.

2. You can remove every chip and look at what’s inside of it via diagnostic software.

3. Motherboards would have to be ordered through a 3rd party to guarantee that specific motherboards that contain such chips are used in specific servers. This would require coordination on both sides of the government and country, using inside people.
And I don’t know of any US Government agency using an untrusted parts supplier.
Every private sector gets fully vetted before getting a contract from the US Government. Same goes for large companies such as Apple or Google.

So calm down and put away your certificates.
 
Not at all. I'm merely stating that what they're accusing Apple of is, in fact, a possibility. It is nowhere near as far-fetched as sitting in a cave in the matrix. It's unfortunate you don't seem to understand the difference.
But I do understand the difference. It's minimal. In all three cases there is the postulate that this could be happening, and zero evidence that it is. Your repeating the same lame claim that it could have happened doesn't change this fact.
I have already specified some means whereby such a thing could be possible, and I will not do so again.
Once again, you've either missed the point entirely, or deliberately avoided it. It is pointless to claim that it could have happened unless you have evidence that it has happened.

In fact, the only hack I see going on related to this is a social engineering hack. Suggesting that basically every computer in every business and home might be compromised is a good attempt at creating panic.
 
Doesn't that mean anything could have happened in all cases? X could have happened, I'm not saying it did but it could have. Can there be a more pointless statement?
I'm backing up this story, nothing more, nothing less. So, no. It was relevant to this article.
But I do understand the difference. It's minimal. In all three cases there is the postulate that this could be happening, and zero evidence that it is. Your repeating the same lame claim that it could have happened doesn't change this fact.
Once again, you've either missed the point entirely, or deliberately avoided it. It is pointless to claim that it could have happened unless you have evidence that it has happened.

In fact, the only hack I see going on related to this is a social engineering hack. Suggesting that basically every computer in every business and home might be compromised is a good attempt at creating panic.
Again, I'm referring to this article's allegation. I'm not talking about caves in the matrix, because that isn't relevant to this article. Based on my experience, this is possible.

Plus, I'm giving for free what normally I'd charge for: Insight into what goes on in the security field. I suppose I should have known that I'd get blowback for saying anything against Apple, but it doesn't get any less annoying, or tiresome.
 
I suppose I should have known that I'd get blowback for saying anything against Apple, but it doesn't get any less annoying, or tiresome.
You're not getting blowback for saying anything about Apple. You're getting blowback for doing what the article is doing and what "security analysts" do far too often: making wild, unsupported claims designed to scare people into buying products and services they don't need.
All of these highly trained, respected, and paid experts getting it wrong! It's a good thing the MacRumors comments are on the case to solve this.
So Apple's trained, respected, and paid experts are wrong? They don't know how to inspect the motherboards that they designed?
 
This is a Dog & Pony Show. If there's an ongoing investigation, #1, they rarely will even tell you. #2 Apple and others might not even know about it. It's even possible no one will ever know if it's a vulnerability that is still existing and could be done again. The government never confirms stuff like this and strongly warns companies to do the same while secretly working behind the scenes. Everyone would be told to DENY ANYTHING. If we do find out anything, it will only be AFTER any possible issue is resolved, not during. Could be years!
With all the hacks that tech companies or the government admit/report I’m curious about the sources for your so-confident declarations.
 
Dude..he's being sarcastic
Yes, he's being sarcastic about the "security experts" being wrong, directly implying that it's Apple's engineers who are wrong. I'm simply pointing out that these motherboards have designers who can examine the finished product and compare it with their designs. It's hard to believe that having been notified that something might be inserted into their design they wouldn't be able to find it.
 
Yes, he's being sarcastic about the "security experts" being wrong, directly implying that it's Apple's engineers who are wrong. I'm simply pointing out that these motherboards have designers who can examine the finished product and compare it with their designs. It's hard to believe that having been notified that something might be inserted into their design they wouldn't be able to find it.

But it’s possible that magical unicorn tears could be used to hide it from them. There’s no proof that there aren’t magical unicorn tears. Nobody has even tested the unicorn tears to see if they’re magical. Until I see the photos of the unicorns I refuse to believe there aren’t magical unicorn tears being used to mask the hack.
 
"Despite the denials, which are also backed by the UK's national cyber security agency, retired Apple general counsel Bruce Sewell, and other unnamed Apple senior executives, Bloomberg said it stood by its report as of Friday, but didn't immediately respond to requests for comment on Sunday."

When you have a possible lead with no evidence to actually confirm, when you cannot confirmation requests, you'd go the extra mile
I'd say, "good job on Bloomberg for sticking to their game regardless, as it will still cause issues who is actually right in the end"

We already know governments don't tell the truth, and since all they seem to care about is "cracking encryption" and undermine cases from going unpunished *because* of encrypted devices, nothing would surprise me.

When you have as many articles one after the other as you do here, you know it's gonna be huge.
 
This is beginning to sound like a flat-earth conspiracy theory. For this to be true, governments and businesses must be lying, and through their silence in not showing where these hidden circuits are, the hacker community is either completely fooled or complicit too.
 
A friend of mine from China told me that he has to go to the local party office to get permission to change his password! I can absolutely believe the story!!
 
There are many ways to mask communications. I'm not surprised they found nothing.

Zero-day. It’s possible, nations targeting strategically and many are partaking in this type of activity. It would not surprise me if something was found and it’s being kept under wraps, no one chooses to be caught with their pants down.
 
They would be easy to detect only if they're not sophisticated. A couple protocols I'm aware of (and I'm sure many I'm not very familiar with) have either unused sections, or allow for extra data to be included, intended for custom extensions to the protocol, but if properly supported at both ends, can be used for almost anything else. The LZ4 compression's frame format, for example, allows for what are called "skippable frames", which are exactly that: user data which can contain anything, and are not parsed by the algorithm. I know of some other algorithms with similar concepts as well. It would take someone at the other end to receive the transmission, but I have no doubt that Apple communicates with third parties, some of which may be compromised, so the risk exists.

But then, to process that, the communication would have to go to an unauthorized end point no? Even if additional, unintended communication is being passed on by this chip, how would it be received by a malicious third-party... assuming other security protocols are being adhered to.
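
An LZ4 skippable frame is a magic number in the range 0x184D2A50 to 0x184D2A5F, a 4-byte little-endian length, and that many bytes the decoder ignores, which also makes such frames straightforward to enumerate. As an added example (not part of any poster's message), this Python code walks a frame stream and returns every skippable frame's offset and contents for inspection; the sample stream is constructed and header checksums are not verified.

```python
import struct

LZ4_FRAME_MAGIC = 0x184D2204
SKIPPABLE_MAGICS = range(0x184D2A50, 0x184D2A60)  # sixteen reserved magic values


def skip_data_frame(buf, pos):
    """Return the offset just past a regular LZ4 frame whose descriptor starts at pos."""
    flg = buf[pos]
    block_checksum, content_size = flg & 0x10, flg & 0x08
    content_checksum, dict_id = flg & 0x04, flg & 0x01
    # FLG + BD, optional 8-byte content size, optional 4-byte dictionary ID, 1-byte HC
    pos += 2 + (8 if content_size else 0) + (4 if dict_id else 0) + 1
    while True:
        (word,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        if word == 0:  # EndMark closes the block list
            return pos + (4 if content_checksum else 0)
        # High bit marks an uncompressed block; the low 31 bits are the block length.
        pos += (word & 0x7FFFFFFF) + (4 if block_checksum else 0)


def find_skippable_frames(buf):
    """Return [(offset, magic, user_data)] for every skippable frame in a frame stream."""
    found, pos = [], 0
    try:
        while pos < len(buf):
            (magic,) = struct.unpack_from("<I", buf, pos)
            if magic in SKIPPABLE_MAGICS:
                (size,) = struct.unpack_from("<I", buf, pos + 4)
                end = pos + 8 + size
                if end > len(buf):
                    raise ValueError(f"skippable frame at {pos} runs past end of input")
                found.append((pos, magic, buf[pos + 8:end]))
                pos = end
            elif magic == LZ4_FRAME_MAGIC:
                pos = skip_data_frame(buf, pos + 4)
            else:  # legacy frames and anything else are reported, not guessed at
                raise ValueError(f"unknown magic {magic:#010x} at offset {pos}")
    except (struct.error, IndexError) as exc:
        raise ValueError(f"truncated input near offset {pos}") from exc
    return found


def build_sample_stream():
    """Constructed input: data frame, skippable frame, data frame."""
    data_frame = (
        struct.pack("<I", LZ4_FRAME_MAGIC)
        + bytes([0x60, 0x40, 0x82])                      # FLG, BD, HC (HC not verified here)
        + struct.pack("<I", 0x80000000 | 5) + b"hello"   # one uncompressed block
        + struct.pack("<I", 0)                           # EndMark
    )
    note = b"constructed opaque user data"
    skippable = struct.pack("<II", 0x184D2A50, len(note)) + note
    return data_frame + skippable + data_frame


if __name__ == "__main__":
    for offset, magic, data in find_skippable_frames(build_sample_stream()):
        print(f"offset={offset} magic={magic:#010x} bytes={len(data)} data={data!r}")
```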
 
Remember the Chinese government response? They did not even try to deny that this happened. They said, "We have been the victim of this type of thing too".

Typically their response is "we did not do that." But we did not hear this.


To everyone who says "Apple did not detect any outbound traffic to unknown servers": of course they didn't. The Chinese engineers who did this are smart and they KNOW every decent company looks for this. HINT: the way to get your data out of a compromised computer is to make the data look like the expected data. A great way is to use a protocol that is common, like DNS. I can buy a domain like "cute-kittens.com" and then your spy program tries to resolve "http://S3465.cute-kittens.com" and you have just sent the value "S3465" to the DNS server at cute-kittens.com, and I bet a buck that would look perfectly normal until cute-kittens was found out. But you have bought maybe 5,000 of these domains.

This was just the simplest example. There are other ways to make your outbound data look "normal".

What Apple's security guy should have said is "we did not see any outbound data". He does not know that none was sent.
 
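
Data carried in the leftmost label of lookups for an ordinary-looking domain, as in the post above, leaves a measurable trace in resolver logs: many never-repeated subdomains under one registered domain. As an added example (not part of any poster's message), this Python code flags that pattern; the log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed resolver log lines (timestamp, client, qname, qtype); not real traffic.
SAMPLE_LOG = """\
2018-10-07T12:00:01Z 10.0.0.5 www.example.com A
2018-10-07T12:00:02Z 10.0.0.5 S3465.cute-kittens.com A
2018-10-07T12:00:03Z 10.0.0.7 mail.example.com A
2018-10-07T12:00:04Z 10.0.0.5 S3466.cute-kittens.com A
2018-10-07T12:00:05Z 10.0.0.7 www.example.com A
2018-10-07T12:00:06Z 10.0.0.5 K9921.cute-kittens.com A
2018-10-07T12:00:07Z 10.0.0.5 T0412.cute-kittens.com A
2018-10-07T12:00:08Z 10.0.0.9 www.example.com A
2018-10-07T12:00:09Z 10.0.0.5 Q7730.cute-kittens.com A
2018-10-07T12:00:10Z 10.0.0.7 mail.example.com A
"""


def split_qname(qname):
    """Return (registered_domain, subdomain). Assumes a two-label registered
    domain; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def domain_stats(log_text):
    """Count queries, distinct subdomains and clients per registered domain."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, client, qname, _ = fields
        domain, sub = split_qname(qname)
        stats[domain]["queries"] += 1
        stats[domain]["clients"].add(client)
        if sub:
            stats[domain]["subdomains"].add(sub)
    return stats


def flag_domains(log_text, min_unique=5, min_ratio=0.8, min_digit_share=0.3):
    """Flag domains whose lookups are mostly one-off, digit-heavy subdomains.
    The thresholds are illustrative assumptions, to be tuned on real traffic."""
    flagged = {}
    for domain, entry in domain_stats(log_text).items():
        unique = len(entry["subdomains"])
        ratio = unique / entry["queries"]
        chars = "".join(entry["subdomains"])
        digit_share = sum(c.isdigit() for c in chars) / len(chars) if chars else 0.0
        if unique >= min_unique and ratio >= min_ratio and digit_share >= min_digit_share:
            flagged[domain] = {"unique": unique, "ratio": round(ratio, 2),
                               "digit_share": round(digit_share, 2),
                               "clients": sorted(entry["clients"])}
    return flagged


if __name__ == "__main__":
    print(flag_domains(SAMPLE_LOG))
```

Lookups spread across thousands of domains, as the post describes, keep each domain below `min_unique`, so a per-domain check like this is normally paired with a baseline of domains the network has resolved before.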
Name one undetectable by common practices.

Fortune 500 companies employ teams of IT security experts. So please enlighten us armchair hacker.

Are you implying that Fortune 500 companies cannot be compromised because "teams of IT security experts?"
Wow a certification! How many *weeks* was the class for that? I mean the exam has 90 whole questions. :rolleyes:

You know some people get whole degrees from accredited universities in this stuff.

Again you didn't list an undetectable way to communicate massive data with China. You listed areas that "abuse" could occur. Malware doing something is one thing. Malware on thousands of servers transmitting back to the motherland without any notice of the outbound traffic is something completely different.

You moved the goal posts. Nothing in the Bloomberg article suggested this was about "massive data."
Why the personal insult?

It’s a simple question. Apple and Amazon have gone on the record stating that after physical and digital inspections they never found any such chip. Two governments have stated on the record that they believe that.

The news organization making the extraordinary claim has not produced a single on the record individual witness, nor a single photograph of the supposed chip, nor a single network trace showing illicit traffic, nor any other physical evidence, despite the claim that this is rampant and has affected thousands of machines.

You say that Apple not finding anything isn’t proof that there is nothing to find.

I asked a simple question: what would it take to convince you?

Because the answer appears to be that you can’t be convinced. And if no amount of evidence can change your mind, you are basing your opinion on voodoo, not facts.
I realize that you weren't replying to me, but I will say that the extent of the denials to this point are compelling to a certain degree.

But it's also a bit troubling how almost violently this is being denied. Yep I'm wearing my tinfoil hat right now.

If this really is total bs, why does it take so many emphatic denials?
 
The lengths and extent to which Apple and others are going to deny this report kinda makes their response suspect. It’s overtly aggressive. It makes me suspect that there actually might be some truth to the report.
 
But then, to process that, the communication would have to go to an unauthorized end point no? Even if additional, unintended communication is being passed on by this chip, how would it be received by a malicious third-party... assuming other security protocols are being adhered to.

See what I just wrote. One method is to hide it in a DNS request or send it to a mail server for a normal non-suspect domain; routing protocols work too.

What about live streaming that is sent as broadcast and not point to point?

One method used during World War II to send messages to British spies was to slip a paper to be read over the air to a BBC news broadcaster. He might say "Mrs. Green had a problem at the post office you may have had too..." and the key word is "GREEN". Everyone on Earth with a shortwave can hear it but the message goes undetected and sounds like a normal story. There are a million ways to do that.
One way is to place the data into an MP3 file and then someone pretending to be a 12-year-old girl but is really a Chinese agent downloads the file. It looks normal because the Chinese agent is living in an apartment in Los Angeles.

The Chinese are sending the data to computers in normal homes in Los Angeles and Texas and New Mexico and Boston and the security people at Apple are saying "we don't see data going to Chinese Military servers". The guys at Apple are 100% correct.
You moved the goal posts. Nothing in the Bloomberg article suggested this was about "massive data."

But it's also a bit troubling how almost violently this is being denied. Yep I'm wearing my tinfoil hat right now.

If this really is total bs, why does it take so many emphatic denials?

Notice who is NOT making emphatic denials -- the Chinese government. They almost said "yes" when they said "we have been a victim of this too".

HERE IS WHAT REALLY HAPPENED (I'm guessing)

These servers with the spy chips showed up and were detected. The servers were turned over to the FBI. The FBI gave them to US Counter Intelligence people who saw these "bugged" motherboards as a windfall and set them up with fake data and let them send the fake data to China. This news story broke and ruined years of work because now the Chinese know the data they got was fake. The US is trying hard and failing badly to salvage this. I think they called "everyone" and told them to tell the media "this never happened".

In a way it never did happen, no Apple server sent anything. The servers ended up in a government data center.

My theory (I think) explains everything we have read and gives everyone a good reason to say what they said and actually allows everyone to be technically correct about what they said.

Here is an analogy: Let's say you discovered your phone is bugged. What is the best thing to do? The best plan is to pretend you don't know it is bugged then say lots of wrong but interesting but believable things and try to get the person who placed the bug to act on your misinformation. Finding a bug is a very good thing. That news story ruined it.
 
According to Bloomberg, this issue affects "thousands" of servers across the United States, but nobody has ever come forward to report the issue. That's ridiculous to me - this is an industry where legislation makes public reporting of security breaches a mandatory legal requirement.

Under the GDPR, Apple would face a fine of $4.5 billion for failing to disclose this issue to customers. Do you really think they'd risk keeping it secret? That would wipe out nearly half their annual profit. Also it'd be a major PR disaster to face the largest fine in the history of the world — far better to admit you were compromised and discovered the issue (they've happily made such admissions in the past).

And they say it was detected - Bloomberg cited "someone" in Apple claiming the company discovered the issue in 2015 and reported it to the FBI. Nobody is claiming this attack was impossible to detect.

Clearly somebody is lying here. It could be Bloomberg (unlikely), it could be all 13 of their sources (even more unlikely given there are so many of them), or it could be every major tech company in the U.S. (almost impossible). It's sad, because Bloomberg has published some good articles over the years, but I'm afraid I don't trust them after this.
 
According to Bloomberg, this issue affects "thousands" of servers across the United States, but nobody has ever come forward to report the issue. That's ridiculous to me - this is an industry where legislation makes public reporting of security breaches a mandatory legal requirement.

Under the GDPR, Apple would face a fine of $4.5 billion for failing to disclose this issue to customers. Do you really think they'd risk keeping it secret? That would wipe out nearly half their annual profit. Also it'd be a major PR disaster to face the largest fine in the history of the world — far better to admit you were compromised and discovered the issue (they've happily made such admissions in the past).

And they say it was detected - Bloomberg cited "someone" in Apple claiming the company discovered the issue in 2015 and reported it to the FBI. Nobody is claiming this attack was impossible to detect.

Clearly somebody is lying here. It could be Bloomberg (unlikely), it could be all 13 of their sources (even more unlikely given there are so many of them), or it could be every major tech company in the U.S. (almost impossible). It's sad, because Bloomberg has published some good articles over the years, but I'm afraid I don't trust them after this.
All the Feds have to do is to classify it "national security" and BOOM, everything you just said about public reporting requirements is irrelevant.
 
Remember the Chinese government response? They did not even try to deny that this happened. They said, "We have been the victim of this type of thing too".

This is their official response (translation to English by Bloomberg):

"Supply chain safety in cyberspace is an issue of common concern, and China is also a victim."

That's vague to the point it doesn't really say anything. They simply said they have encountered supply chain security compromises in the past. Everybody in the world has seen that — it's a standard form of espionage. There are a thousand ways to compromise security from the supply chain that are nothing at all like what happened here in the Bloomberg article.

Several times a year some security firm finds malware pre-installed on computers. That's almost certainly what China was talking about when they said they've been a victim.
All the Feds have to do is to classify it "national security" and BOOM, everything you just said about public reporting requirements is irrelevant.
You're wrong. A national security letter forces companies to keep their mouth shut. It does not force companies to lie, and in fact it's a serious crime for executives to lie in a press release. Look at the sanctions Musk is facing over his "funding secured" tweet which later turned out to be a lie.
 
You're wrong. A national security letter forces companies to keep their mouth shut. It does not force companies to lie, and in fact it's a serious crime for executives to lie in a press release. Look at the sanctions Musk is facing over his "funding secured" tweet which later turned out to be a lie.

No, I'm not wrong. Very few people inside Apple would even be aware of a national security letter. Only a need to know basis, like Lead counsel. CEO may be left out so that he doesn't make false statements to investors. And the only people gagged are the only ones that initially knew about the alleged compromise. At that point the potential for further people finding out is eliminated.

Have you seen Apple's current lead counsel, Katherine Adams, make any statements regarding this?
 