It’s fascinating to see this story unfold. On one end you have Bloomberg doubling down on their claims, and here you have Apple making a move that shows their confidence in their claims.
For a while I was buying the subpoena theory, but this action clearly doesn’t fall under that, and they would be setting themselves up for serious liability / damage claims if it were true.
Either there is some gross miscommunication going on inside Apple and Tim Cook is not properly informed - which is very unlikely at this point - or there might be less truth to Bloomberg’s story.
The frustrating thing is, we’ll probably never know the answer.
I concur. If it really is a chip being inserted on a board, then that's hard evidence that can be verified by cracking open the hardware and looking for said chip.
And Apple -- being, in part, a hardware company -- has extensive tools and expertise at their disposal to investigate any hardware abnormality. If they've concluded that everything is normal, I'm inclined to believe them.
Cook has made this claim in a way that exposes the company, and probably himself, to a lot of legal grief if it later becomes evident that he's not being truthful.
What does Bloomberg have at stake, in comparison? Nothing, apparently, since they don't seem to value their reputation enough to back up their reporting with evidence.
I believe the Bloomberg story because of their report that the malicious chip was originally found on hardware owned by Elemental, which at the time was a small startup company that had government clients.
The hardware was found when Elemental was acquired by AWS and they did a more thorough hardware security review. Elemental would have been a good target because of their government clients but was/is not large enough to be noteworthy otherwise. This is where I trust the Bloomberg story. Saying, "Amazon, FB, Apple got hacked" is one thing. Including a then-200 person startup company in the mix is another. To me it serves as evidence that the hack was real.
There is no reason to believe that Tim Cook or any executive would be aware of anything.
In large companies with a hundred thousand employees and contractors, barely anyone is aware of anything.
Ask a thousand people about project something and they will assert in good faith that they have never heard of it. It doesn't mean that it doesn't exist, just that you didn't find the handful of people who know about it.
>There is no reason to believe that Tim Cook or any executive would be aware of anything.
The minute this story hit publication you can bet internal security teams at Apple would have validated it and submitted findings to Tim Cook. At this point Tim Cook, along with his legal team, has all the facts as they pertain to Apple and Apple suppliers and every component inside Apple devices. You don't come out without a strong denial like that unless you are sure you can back it up.
Unless there are moles on both sides inside of Apple, and the PRC-malicious-chip-installation moles managed to destroy evidence and silence witnesses. That sounds vaguely fantastic, but "PRC installing malicious chips on server motherboards and Anonymous Sources discovering those chips and leaking news to Bloomberg" is already well into spy vs. spy territory.
Bloomberg said that Apple changed supplier over the rogue chip. To hide this the mole to non-mole ratio inside Apple would have to be very high. Unbelievably high.
Yeah, that is typically the case, sure. But you are comparing business-as-usual operations to an incident investigation. Sure, Tim Cook likely knew nothing or very little about the organization's business dealings with Super Micro before the story broke, but not now. If this story is true, the implications for Apple are huge. It makes them look inept and creates a large problem that must be solved. Tim Cook would be very aware of any potential problem at this point.
This. Apple is a large enough, and competent enough, organization to investigate this internally.
Some will say "but the people involved have a gag order, and nobody investigating, including Tim Cook or legal knows". This doesn't make any sense.
People without a clearance are not obligated to keep it a secret, and can investigate for themselves. So either everyone competent to investigate this has a clearance and/or is gagged (i.e., many thousands of people) and if that were the case it'd almost certainly make it to Tim Cook's radar.
Or not that many people are gagged, and Apple has thousands of engineers that could be looking into this, and they found nothing. I find that much more plausible.
Suppose this was a malicious attack, and PRC intelligence within SuperMicro and perhaps even Apple are responsible for these machines getting shipped and installed by Apple. Let's further suppose that the plot was uncovered by US counterintelligence.
Why the heck would US counterintelligence operate inside of Apple, discover security vulnerabilities that affect Apple in particular, hide this discovery from Apple's senior management, and then go on to leak it to Bloomberg while continuing to cover it up on the inside of Apple?
There is a reasonable-ish explanation for this. US counterintelligence usually falls under the purview of the FBI, and the FBI has had a couple public spats with Tim Cook over the years. Given Apple's commitment to user privacy, it's reasonable to presume that Tim Cook would not knowingly allow the FBI to infiltrate Apple. It's also reasonable to assume that, given any number of motives both virtuous and vicious, the FBI would have a vested interest in infiltrating Apple. In this scenario, notifying Apple management about these issues would risk revealing sources and methods.
At this point, the only remaining question is: why wouldn't the moles just quietly inform Apple management about the issue? Clearly, Apple personnel who are in the business of receiving and installing server hardware would have a defensible cover for poking around and raising questions about weird chips that mysteriously appeared on the hardware. There are possible explanations for this, but at that point we're just compounding conspiracy theories on conspiracy theories.
I'm flabbergasted that you are being downvoted. I have the same opinion as you, but to the point where I think it's almost fact... executives at a company that size (# of employees) don't know anything.
It's up to Bloomberg to prove their hypothesis is true, but I don't see how Apple can say it's without a doubt untrue.
>Tim Cook is not properly informed - which is very unlikely at this point
Humor me, why is this unlikely? Why is it not possible that (whatever three letter agency) grabbed a few engineers, told them to do X without talking to anyone else, at the risk of them and their families getting disappeared to a black site?
Besides, in security controlled jobs it's perfectly normal to not be allowed to disclose what you're working on even to your direct superior. This idea that Tim Cook / Apple PR must know everything that's going on at Apple is kinda ridiculous.
Well, who scrubbed the emails? Who scrubbed the data center record? And the financial records and shipping records? Who hid the motherboards?
It’s going to take more than a couple engineers to cover this up completely.
Also, if the consequence for talking about this is being disappeared, why weren’t the Bloomberg reporters disappeared some time during the year they were working on the story?
And why exactly would a three letter agency do this to protect Apple?
They're not doing it to protect Apple, they're doing it to protect their sources and methods within Apple. Tim Cook isn't a huge friend of the FBI (http://time.com/4262480/tim-cook-apple-fbi-2/) so if the FBI has a counterintelligence op embedded within Apple, they're going to want to hide it from Cook.
I think the idea that he has to know everything going on ahead of time or when it happens is certainly infeasible.
But while I'm not promoting some kind of executive supremacy, I don't feel it's a big stretch that the CEO can get properly informed of specific goings on of the company if the issue really lands on her or his plate. Even if there's some hole, having zero evidence that something weird may have happened on several thousand servers seems odder than anything.
> Why is it not possible that (whatever three letter agency) grabbed a few engineers, told them to do X without talking to anyone else...
Even if that were possible it wouldn't account for all the discrepancies here. Bloomberg claimed that Apple worked with the FBI on an investigation and returned thousands of servers. Apple has strongly denied that which casts doubt on the rest of it as well.
> This idea that Tim Cook / Apple PR must know everything that's going on at Apple is kinda ridiculous.
He doesn't have to know everything, but he sure as hell would know "a foreign government is implanting spy chips into the hardware that is being sold to us".
A foreign spy agency isn't going to walk around with a sign saying, hey we planted this. The spy's sole purpose is to make sure Tim doesn't know about it.
Accounting has audits too and there is still accounting fraud, mis-statements, theft.
We're commenting on Hacker News and we're believing that Tim is all knowing because of a security audit... against some malicious actor with the resources of a foreign state??
The flaw in your logic doesn't lie in your assertion, but the opposite:
If it's indeed possible for some powerful forces to coerce some engineers into accomplishing certain goals, how possible is it for the same said forces to coerce some other people into accomplishing some other goals?