Skip to comments.NSA Senior Advisor Latest to Question Report Claiming China Hacked Apple's Former Server Supplier
Posted on 10/10/2018 8:45:17 PM PDT by Swordmaker
Rob Joyce, Senior Advisor for Cybersecurity Strategy at the NSA, is the latest official to question the accuracy of Bloomberg Businessweek's bombshell "The Big Hack" report about Chinese spies compromising the U.S. tech supply chain.
"I have pretty good understanding about what we're worried about and what we're working on from my position. I don't see it," said Joyce, speaking at a U.S. Chamber of Commerce cyber summit in Washington, D.C. today, according to a subscriber-only Politico report viewed by MacRumors.
"I've got all sorts of commercial industry freaking out and just losing their minds about this concern, and nobody's found anything," Joyce added.
Joyce, a former White House cybersecurity coordinator, noted that all of the companies named in the Bloomberg Businessweek report have issued strong denials, including Apple, Amazon, and Supermicro. He said those companies would "suffer a world of hurt" if regulators later determine that they lied.
Apple's statement read in part:
On this we can be very clear: Apple has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.Bloomberg Businessweek, citing 17 unnamed sources, claimed that Chinese spies planted tiny chips the size of a pencil tip on server motherboards manufactured by Supermicro at its Chinese factories. The servers were then sold to companies such as Apple and Amazon for use in their respective data centers.
An unnamed government official cited in the report said China's goal was "long-term access to high-value corporate secrets and sensitive government networks," but no customer data is known to have been stolen.
The report claimed that Apple discovered the suspicious chips on the motherboards around May 2015, after detecting odd network activity and firmware problems. Two senior Apple insiders were cited as saying the company reported the incident to the FBI, but kept details about what it had detected tightly held.
Apple dropped Supermicro as a supplier in 2016, a decision the company said it made for reasons unrelated to "The Big Hack" story.
Joyce is far from the only source to question the accuracy of the Bloomberg Businessweek report. Both the U.S. Department of Homeland Security and the U.K.'s national cyber security agency have said they have "no reason to doubt" Apple's denial of the story, while the FBI is said to be unaware of the hack.
"We're just befuddled," said Joyce. He added that he had "grave concerns about where this has taken us," according to Politico. "I worry that we're chasing shadows right now. I worry about the distraction that it is causing."
In related news, Reuters reports that U.S. Senator John Thune has sent letters to the CEOs of Apple, Amazon, and Supermicro with questions about the allegations. U.S. Senators Marco Rubio and Richard Blumenthal also sent a joint letter to Supermicro CEO Charles Liang with similar questions.
One, when asked about a specific type of part, provided the Bloomberg reporters with a catalog photo of said part, and was shocked to see that part being touted in the article and pictured AS THE spurious added IC, when it was anything but what Bloomberg were characterizing it as, but a common electronic part.
This all is FAKE NEWS and Bloomberg doubled down on it with another article about a completely DIFFERENT story, also slamming Supermicro, about an unnamed "major telecom company" which supposedly brought in a consultant, one Yossi Appleboum, Co-CEO of Sepio Systems, a 2016 startup security company which publishes software to "mitigate the inclusion of surreptitious chips on motherboards" to scan their servers, and found ONE Supermicro server (out of THOUSANDS OF INSTALLED SERVERS) with a supposed addition in the Ethernet connector. Not the same thing at all as the previous claim.
Appleboum and Sepio claim they can't reveal the name of the "major telecom company" due to a nondisclosure agreement (NDA), but they go on to reveal everything else about their visit, scanning, and findings, to Bloomberg's reporters. I've NEVER heard of an NDA that would only prevent the exposure of the name of the primary company involved. I've signed NDAs and EVERYTHING is under the NDA.
We then find that Appleboum and Sepio have been feeding Bloomberg this line of information for long before either article came out. . . and that Bloomberg has been touting this company. This is what Bloomberg has been criticized before on FAKE NEWS. . . touting stories to bolster companies they are pushing. This is what is going on here. They are trying to increase the sales of Sepio's products.
Yeah, I trust the Chinese government and the big tech companies. I am sure neither would lie to us.
Why would I believe someone from the NSA?
I think the more reasonable approach would be to be highly skeptical.
If you want on or off the Mac Ping List, Freepmail me.
Maybe when the SEC gets done with Elon Musk they should have a look see at Bloomberg.
Anything with the name “Bloomberg” attached should automatically be considered #fakenews.
Yeah, I trust the Chinese government and the big tech companies. I am sure neither would lie to us.
So you trust Bloomberg...good to know.
Is that the same dude, who was a fake republican, who became a demon rat?
Look, ChinaGotTheGoodsOnClinton, use your head. There are FAR EASIER, CHEAPER, and SMARTER WAYS to accomplish this than sticking a big red FLAG extra IC on a motherboard that would be spotted by the Quality Control checks of the guys who DESIGNED THE MOTHERBOARD in San Jose, CA! That is not how these things are done! Bloomberg's article is BOGUS. Multiple computer security EXPERTS have come out and stated that the NON-EXPERT BLOOMBERT reporters with their ANONYMOUS sources are not telling the truth and are publishing FAKE NEWS . . . including some who were cited in Bloomberg's article who are saying they were misquoted and taken out of context!
Had Bloomberg's reporters written that the Chinese were altering the FIRMWARE software codes to force the PROCESSORS or the firmware of the IO ports to do something nefarious, then it would be far more believable and much easier for them to do and HIDE than sticking an extra chip on a multi-layer motherboard. . . which requires them to RE-ENGINEER THE BOARD from the ground up to accommodate the traces, solder pads, power lines, and a whole host of things that MUST be considered for just ONE MORE IC to be added. It's not just soldering it on there and expecting it to work properly with all the other components. Hardware design ain't that easy. Motherboards aren't kludged like they once were, with parts simply hand soldered across the legs of ICs in sockets. Mother boards may have as many as six and eight layers of circuit traces.
Another approach that would be much harder to find is to build your component into the IC chips that already exist, adding that new, surreptitious functionality you want to phone home, after spying and collecting the data, onto a chip that ALREADY EXISTS on the board. The only way to find that is to pull the chip, sand it down to reveal the various multiple levels of circuitry under a scanning electron microscope and ANALYZE exactly what circuitry there is on there, and what is ALSO programmed in it and what it will do. With circuits that can have BILLIONS of transistors on a chip, one can hide a LOT in a chip. . . and no one would be the wiser. . .
Yet these "oh so smart Chinese Spy engineers," Bloomberg would have us believe "just soldered on a Grain of Rice Sized IC chip onto a mother boarda board designed by an expert American Company in San Jose, Californiaand then expect that NO ONE WOULD NOTICE the major changes that would have to made to their custom designed motherboard to ADD a spurious chip during Quality Control Inspection?" This, keep in mind, is a product that would undergo computer assisted QUALITY CONTROL EXAMINATIONnot just someone picking it up and eyeballing it at at every step of product build. That means the board would be compared with a reference board BY A COMPUTER to assure it MATCHES IN EVERY DETAIL, and that EVERY CIRCUIT also matches and passes muster.
OOPS. It won't match if it's been altered. Oh, there a grain of rice size chip added??? Oh, that's ok. . . let it go. Must have been authorized by someone. DO YOU REALLY THINK THAT HAPPENED? I don't.
They are not the first ones to say this. Remember, Snowden leaked material about a similar hack the FBI pioneered.
Then there is this earlier article:
My question is considering the difficulty in detecting this supply chain hack, why WOULD’NT the Chinese government be doing this?
Yep,, same Michael Bloomberg...
I have absolutely no doubt that they ARE doing this. What they are NOT doing is what Bloomberg's idiotic argument is claiming. That is a smokescreen that obscures the REAL thread which YOUR linked article TRUTHFULLY describes. Using a stupid chip on a motherboard is an EASILY FOUND stupid way to do it. The article above is the way they are REALLY doing it.
Bloomberg is talking about the Chinese as if they and we ARE STUPID. . . It is as if we could tell the Chinese Spies in our industrial and military systems because they are wearing signs, saying "I am a Chinese Commie Spy!" and go around like the bad guys in Mad Magazine's "Spy vs. Spy" cartoons. They aren't that stupid and (I hope) we aren't that stupid either.
Bloomberg seems to think we all are. That is why I am POINTING THE STUPID FAKE NEWS blame at Bloomberg because they are aiming our attention at the WRONG TARGETS!!!!
Strikes me that these people that imagine sticking a chip on to a MB is easy are like the people who imagine food is made grocery stores ... or that can goods are grown that way.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.