Hm. The world is rightfully alarmed that China can implant a chip that gives it control over a buyer's hardware.

...not unlike the T2 chip that only Apple holds the key to.
 
Edward Snowden said stuff like this was going on - but I had assumed it was right at the top of the design team. A very few number of people in this world are making the cites of silicon, and it is beyond the understanding of nearly everyone. Nearly. Chip foundries could "in theory" drop in a whole "NSA" module into any computer and there wouldn't be many folks to question it or wonder about it.

In the end it is things like "Little Snitch" that let you see if a computer is doing something funny. But even that can be faked out to look like normal traffic plausibly. If you can think it, it might have already been done.

I would listen to what Edward Snowden says about it - he is a hero who got to see the reality of government surveillance and the lack of respect for every person's privacy. Edward Snowden blew the whistle and has said a lot about such things and I think he can be trusted.

He sacrificed a lot just to make people aware of "Big Brother".

Who knows what is true. I tend to believe what Apple says and what Tim Cook says - but what if he doesn't even know the real truth of the matter? This is a hard one to solve really and there is not much anyone can do about it either.
 
Good god the internet is full of people who think they are experts at things they've never done, I don't know why I bother reading comments.

As someone who has actually designed circuit boards and had them built, there are multiple ways this could have been done. I've had PCB manufacturing partners tweak the Gerber files output from my CAD files; it's standard operating procedure as they prepare the design for their manufacturing equipment, and it sometimes needs tweaks to ensure it etches correctly or that pads are properly sized based on their assembly experience vs what the default sizes in the part library were.

Regarding people spouting nonsense about it not having enough pins to intercept the CPU bus, no one freaking claimed it did. The supposed hack injected custom code into the remote management controller over its serial flashrom bus, which only requires 3 or 4 pins.
We design lots of stuff here, and I am going to say I see no way to do all of what the article says they were doing with 4 pins. In fact I'm not sure I could do it for 8, though maybe someone could. At 16 or more it becomes more of a possibility on the hardware, but the software side of it is much harder to believe. And adding a 16+ pin device to a system is much harder to do than a cap or resistor.

Did it happen? I don't know. The most difficult part of this was secretly inserting the chip into the production line and getting someone to modify the gerber files, but, seeing the Chinese government has strong control over all their companies, I don't see that as a huge problem either.

We send the PWBs to the board house, they want to move things, we argue etc, but to get a new part in the BOM, that is a much bigger trick, and at one time we made a significant portion of the world's motherboards. But even if they get the part on, from there how do you know which software/BIOS, etc. they are going to load? I know Amazon and Apple have hugely different software/firmware/client layout. So how does THE CHIP not only steal from Apple but also Amazon and the rest of the Supermicro clients? If Supermicro gets bought soon, we probably get to blame Bloomberg, or if someone makes a fortune shorting it we can do the same. I also want to categorically say that if this is true, Tim Cook and Jeff Bezos would be removed by the SEC from their respective boards for the official comments today, so there is no chance it's true. Bezos isn't going to get removed from his company to cover up for Supermicro and I doubt Tim would either.
-Tig
 
If you look at this tiny component you'll realize it is not able to inject or forward data onwards; it's just not big enough to have such advanced circuitry in such a small package! It also doesn't have enough electrical connections to even communicate with the system's logic (six contacts).

This is not how someone would inject eavesdropping or malware.

It's not to say someone couldn't alter the system's BIOS chips or other logic chips with embedded code. I'm sure Apple and the others control that quite well, as that would be the obvious way someone could hack the server.

Basically, this is a big noise of Nothing! to create FUD (Fear/Uncertainty/Doubt) or someone's idea to smudge a company for monetary gain.
 
The article is mostly right, but someone made it look like China is doing the spying when in reality it is someone else.

Who do we know that has a history of installing spy chips on computers?
Hint: Snowden told us.

I'm not surprised. Considering the surveillance arena, it's more than likely that several nation state intel services are into modification of HW at very early stages.

 
I don't think any public company will blandly admit to an article. That would not be in the best interest of their stock prices. Until somebody gives proven evidence they will simply deny.

First, admitting it happened wouldn't carry any downside. Plenty of companies have had massive security breaches that affect millions of customers (and suffered no long-term effects), whereas this breach did not affect any customers. In short, even if it did happen (it did not), no one cares other than the Android fan boys that troll this forum.

Even if it did affect stock prices, so what? Apple makes money selling hardware, software, and services, not buying and reselling its own stock.

Moreover, if anyone at Apple denied something that was in fact true, or made materially false statements, that would subject that person to criminal penalties (jail) and civil prosecution by the SEC. See Enron, Martha Stewart, Elon Musk, et al.

It makes zero sense that Apple would engage in a massive criminal conspiracy simply to avoid what might at most be a short-term drop in stock price or sales.
 
If you look at this tiny component you'll realize it is not able to inject or forward data onwards; it's just not big enough to have such advanced circuitry in such a small package! It also doesn't have enough electrical connections to even communicate with the system's logic (six contacts).

This is not how someone would inject eavesdropping or malware.

It's not to say someone couldn't alter the system's BIOS chips or other logic chips with embedded code. I'm sure Apple and the others control that quite well, as that would be the obvious way someone could hack the server.

Basically, this is a big noise of Nothing! to create FUD (Fear/Uncertainty/Doubt) or someone's idea to smudge a company for monetary gain.

It sounds like you know some things about how a computer works, but can you "think different" and play through how you could be innovative to achieve a result that a hacker might desire? So often good honest intelligent people make statements about how something is impossible - but then a hacker with great creativity figures a different way to get the result that goes right past whatever "security" was planned out by good honest people. There are many interesting examples of this in the world of hacking.

I tend to think that nobody can be 100% sure of anything at all.
 
What a lot of non-technical people don't seem to understand is that a lot of critical systems are locked down so that they can't simply "phone home" to China, etc.

I work for a company that has a decent sized internet presence, but we're nowhere near as big as the likes of Amazon, Google, etc. About a year or so ago we reached a threshold with the credit card industry to go from PCI level 3 to level 2. This basically means we're processing more credit card transactions, and as a result we have to implement security procedures & go through annual audits to prove to the likes of Visa, American Express, etc. that we're keeping sensitive data secure.

Our systems that handle credit cards are protected through numerous layers of security, one of the biggest being that no unauthorized egress from our servers to the internet at large is possible. Outbound access is blocked at the network layer, beyond the ability of a compromised server to do anything about it. Services that must be allowed out are filtered, go through proxies, etc. For example, all DNS requests go through a proxying DNS server that logs those requests and those logs are monitored. Outgoing HTTP/HTTPS requests go through proxy servers that whitelist what domains are permitted and trigger alarms if an attempt is made to proxy out to an unrecognized domain. And so on...

Granted our security is likely far from perfect, but it would make an attack vector like what is described here very difficult to be successful since those chips would not have any clear path with which to connect back to China. And if our small-ish company is doing this sort of security where we really only have 5 people doing it all, you can rest assured that companies like Amazon, Apple, etc. have a lot more security in place and many more people managing it.
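The egress controls described in the post above (logged DNS through a proxying resolver, allowlisted HTTP/HTTPS proxying with alarms), as an added sketch that is not part of the original post or any poster's code. The log formats, addresses, domain names and allowlist are constructed for the example.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumed allowlist. A leading dot means "this domain and any subdomain".
ALLOWED = {"api.payment-gateway.example", ".updates.vendor.example"}

def norm(host):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return (host or "").lower().rstrip(".")

def host_allowed(host, allowed=ALLOWED):
    """Match on whole DNS labels; a bare suffix test would let
    'xupdates.vendor.example' ride on 'updates.vendor.example'."""
    host = norm(host)
    for entry in allowed:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def target_host(method, target):
    """Hostname from 'CONNECT host:port' or 'GET http://host/path'."""
    if method == "CONNECT":
        return norm(target.rsplit(":", 1)[0])
    return norm(urlsplit(target).hostname)

def proxy_alarms(lines):
    """(source, host) for every proxy request to a host off the allowlist."""
    alarms = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:                 # fail closed on unparsable lines
            alarms.append(("unparsed", line))
            continue
        _ts, src, method, target = parts
        host = target_host(method, target)
        if not host_allowed(host):
            alarms.append((src, host))
    return alarms

def dns_alarms(lines):
    """(source, name) for every logged DNS query for a name off the allowlist."""
    alarms = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            alarms.append(("unparsed", line))
            continue
        _ts, src, _verb, _qtype, name = parts
        if not host_allowed(name):
            alarms.append((src, norm(name)))
    return alarms

def sources_to_investigate(proxy_lines, dns_lines):
    """Count alarms per internal source address across both logs."""
    hits = proxy_alarms(proxy_lines) + dns_alarms(dns_lines)
    return Counter(src for src, _ in hits)

# Constructed sample logs: 10.0.5.12 is an application server,
# 10.0.9.3 stands in for a management controller that should never egress.
PROXY_LOG = [
    "2018-10-05T10:00:01Z 10.0.5.12 CONNECT api.payment-gateway.example:443",
    "2018-10-05T10:00:07Z 10.0.5.12 GET http://mirror.updates.vendor.example/pkg.idx",
    "2018-10-05T10:03:44Z 10.0.9.3 CONNECT xupdates.vendor.example:443",
    "2018-10-05T10:03:50Z 10.0.9.3 CONNECT updates.vendor.example.collector.invalid:443",
]
DNS_LOG = [
    "2018-10-05T10:00:01Z 10.0.5.12 query A api.payment-gateway.example.",
    "2018-10-05T10:03:43Z 10.0.9.3 query TXT a1b2.collector.invalid.",
]

if __name__ == "__main__":
    for src, count in sources_to_investigate(PROXY_LOG, DNS_LOG).items():
        print(f"ALARM source={src} blocked_attempts={count}")
```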
 
Edward Snowden said stuff like this was going on - but I had assumed it was right at the top of the design team. A very few number of people in this world are making the cites of silicon, and it is beyond the understanding of nearly everyone. Nearly. Chip foundries could "in theory" drop in a whole "NSA" module into any computer and there wouldn't be many folks to question it or wonder about it.

This simply is not happening, at least not in any volume parts. I designed CPUs for years. We knew what every transistor did. If one or two people on the team were NSA plants they couldn't have snuck this sort of massive logic in without everyone else knowing it. Nor could someone take our complete designs and then bolt on additional logic without everyone knowing it. Not even at the fabs; the chips are tested, microphotographed, examined with a fine tooth comb. Every mW and square mm is accounted for.
 
Bloomberg has been publishing a lot of anti-Apple stuff lately. They were the ones who falsely claimed the iPhone X was selling poorly just before earnings came out and proved them wrong. I think someone on their editorial staff is manipulating Apple stock for their personal gain.

Either that, or Apple is just sick of Bloomberg's crap and hired someone to leak this story to them in hopes that it would ruin their credibility...?

Either way, damage control at this point would be a full retraction.
 
It sounds like you know some things about how a computer works, but can you "think different" and play through how you could be innovative to achieve a result that a hacker might desire? So often good honest intelligent people make statements about how something is impossible - but then a hacker with great creativity figures a different way to get the result that goes right past whatever "security" was planned out by good honest people. There are many interesting examples of this in the world of hacking.

I tend to think that nobody can be 100% sure of anything at all.

I thought long and hard as well as read up on what Bloomberg was saying before posting this. Sure I know of a few ways but each way would be seen!

With older computers (8/16-bit) we had so many parts the jungle of them would hide the oddball tree (chip). Here things are so integrated with just a few chips and the data paths are so wide you can't hide things like adding a chip anymore in the forest, as all we have now is open prairie with small stands of trees. Don't forget the logic board would also need to be designed to support the chip. Anyone with eyes would note the differences.

The only way as I stated would be to alter the programming of the BIOS or the OS kernel itself. Neither of these pathways, like the hardware side, is exposed enough to do this either. The OSes these servers run on are minimized and each company has their own way of doing things, so it's not likely to share that info with the hardware company. In the tech world we often isolate different parts of a project so no one company has the knowledge of the full system.

Let me put it this way: You want to get to the yolk of the egg but you can't damage or alter the shell of the egg.

This is the oxymoron problem you face here as there is no solution that gives you the needed access without being seen either physically or via code review. Which I promise you is done quite frequently not only on the new gear but the gear in use.
 
The fact that this was mentioned is very convincing.

Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.

Apple and Amazon's existence are heavily dependent on cheap Chinese imports so covering China's back when they've abused the trust system is the lesser of two evils than going BK. Spy chip is just the covert extension of China's policy requiring transfer of Western technology to do business there.
 
I also want to categorically say that if this is true, Tim Cook and Jeff Bezos would be removed by the SEC from their respective boards for the official comments today, so there is no chance it's true. Bezos isn't going to get removed from his company to cover up for Supermicro and I doubt Tim would either.

From a TechCrunch article that was a partial analysis of the Bloomberg piece:

Yet, to Apple — and Amazon and other companies implicated by the report — they too might also be in the dark. Assuming there was an active espionage investigation into the alleged actions of a foreign government, you can bet that only a handful of people at these companies will be even cursorily aware of the situation. U.S. surveillance and counter-espionage laws restrict who can be told about classified information or investigations. Only those who need to be in the know are kept in a very tight loop — typically a company’s chief counsel. Often their bosses, the chief executive or president, are not told to avoid making false or misleading statements to shareholders.

https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-world-national-security-reporting/amp/
 
Bloomberg has been publishing a lot of anti-Apple stuff lately. They were the ones who falsely claimed the iPhone X was selling poorly just before earnings came out and proved them wrong. I think someone on their editorial staff is manipulating Apple stock for their personal gain.

Either that, or Apple is just sick of Bloomberg's crap and hired someone to leak this story to them in hopes that it would ruin their credibility...?

Either way, damage control at this point would be a full retraction.
I think Bloomberg is just trying to make money off scare tactics. Doesn’t seem like they care if they are false or not.
 
Ok, first off the hack as described is outrageously unbelievable, you couldn't make a chip that small that is capable of doing all of that. If you could, don't you think Apple and every other phone manufacturer would want the tech involved so they could dramatically reduce the size of the chips in every phone in existence? Trust me, it would be all over the news if this really existed.

Secondly, and this is the harder part about this, if the tech did exist, Apple would actually have motivation to cover up any infections because China could be saying to them that they will no longer let Apple sell their products there if they don't. And this is the reason that people see some amount of truth in these claims, but again, the problem is the tech doesn't exist.
 
This simply is not happening, at least not in any volume parts. I designed CPUs for years. We knew what every transistor did. If one or two people on the team were NSA plants they couldn't have snuck this sort of massive logic in without everyone else knowing it. Nor could someone take our complete designs and then bolt on additional logic without everyone knowing it. Not even at the fabs; the chips are tested, microphotographed, examined with a fine tooth comb. Every mW and square mm is accounted for.

You didn't read the Bloomberg article, or you would realize that your refutes regarding the design phase are meaningless, as this was allegedly being done well downstream of the design phase.

And we aren't talking about a CPU, we're talking about the mobo. And this wasn't being done at the main fabs. This was allegedly 4 subs that handle overflow orders when a large volume order came in that was too big for the main shops.
 
Just based on the size and pin out of the chip the story told by Bloomberg is impossible.

The industry has long moved to SerDes for high speed communication requiring fewer pins so the number of pins is no longer relevant along with size.

https://en.m.wikipedia.org/wiki/SerDes

Freescale MCU from 2013.

 
You didn't read the Bloomberg article, or you would realize that your refutes regarding the design phase are meaningless, as this was allegedly being done well downstream of the design phase.

And we aren't talking about a CPU, we're talking about the mobo. And this wasn't being done at the main fabs. This was allegedly 4 subs that handle overflow orders when a large volume order came in that was too big for the main shops.
I wasn’t talking about the Bloomberg article. I was responding to a specific post, which I included in my response. Next time, read.
 
From a TechCrunch article that was a partial analysis of the Bloomberg piece:

https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-world-national-security-reporting/amp/

I'm going to say that TechCrunch needs smarter people, or didn't read the article or the denials, which goes back to smarter people. If the story was that the NSA, the FBI, (fill in the blank 3 letter group) found the problems, there is a tiny remote chance that the CEO didn't know about it. HOWEVER since the story is that both Apple and Amazon discovered it themselves, figured out what was happening and then called the FBI, TechCrunch's theory is incorrect. Saying that Bezos or the even more hands-on Tim wouldn't know anything about a discovery that led to calling the FBI about data being sent to a foreign power. Also how exactly do you cover up, in Apple's case, over 7000 expensive servers just having to be turned off and replaced one day because they are Supermicro, and all the other ones that had to be checked to see that they were not doing the same thing? That is a huge financial cost and they are stating it didn't happen, which I am sorry is another SEC violation, and since it is an official Apple statement it's been vetted by the Chief Counsel, who TechCrunch says would know but not be allowed to tell Tim. He can't allow a false statement like this to go out, again a violation. Also over 10,000 boards have this chip, maybe way more, yet Bloomberg couldn't get their hands on one. I mean, if they had a picture of the chip on the board, and an x-ray of the chip, that would be a pretty good piece of evidence. They say 30 companies had the board and sending data to China, and not one can be found?
-Tig
 
The industry has long moved to SerDes for high speed communication requiring fewer pins so the number of pins is no longer relevant along with size.
The article shows a 6 pin part, which I don't think can do it as I said earlier. You are suggesting a 20 pin grid array; it's a tiny part, but it is 20 pins, which is kind of the point several of us are making: adding 20 new lines to the board is liable to draw attention. And again, the software issue is bigger than the hardware issue, and the SEC issue is bigger than that, all of which leans pretty heavy on that this didn't really happen. So what really happened? Probably counterfeit parts on some boards; that has been an issue for a long time with China. Bloomberg and their "high placed sources" don't understand the difference between a fake tantalum part and a magic chip someone is talking about.
-Tig
 
I'm not surprised. Considering the surveillance arena, it's more than likely that several nation state intel services are into modification of HW at very early stages.

In the world of spies many countries spy on each other. Allies and non-allies do this. Many have been doing this for years, including America.
 
The industry has long moved to SerDes for high speed communication requiring fewer pins so the number of pins is no longer relevant along with size.

https://en.m.wikipedia.org/wiki/SerDes

Freescale MCU from 2013.

Low bandwidth serial connection? You mean such "low bandwidth" connections like PCIe?

And the MR member who said they need separate access to the North- or Southbridge: No, they do not need that, because they are usually integrated in the CPU package.

Such chips can write and read whatever they want. Just like drivers for network cards, graphics cards, ... There is no hardware which stops such attacks. The Thunderbolt attacks of the past years are real. Why not this attack?

I am not suggesting the chip itself isn't capable of performing actions. What I'm saying is, the article claims it was intercepting CPU commands to the memory. Not possible. The Memory sticks use a 184 pin system, the chip they showed had 7 pins. Such interception is literally impossible with that many pins.

Also based on their placement it's right next to the BMC chip (the management IC) indicating it is talking to the BMC likely over serial which the BMC has.

But again all this is simply not true. Refuted by literally everyone in the story. It's all bunk.
 
I still dunno why Apple would raise issues over incorrect reporting when they have also repeatedly said they do not get involved in media press.

When it's not their stuff on the line, they may, but no one told me that.

Let sleeping dogs lie. Apple users already know this is fake... so really by Apple screaming to "make it worse by debating this" they too are reiterating something no one really needs to even know.

If only a handful of people believed it, they will talk to Apple themselves... for their source.

I'm surprised Apple even went this far to publicly deny it... because they too are doing the same they swore NOT to do, and UK is backing them up as a result of public knowledge of this.

So, the old 'ball & chain' game keeps going.
 