In the past, Apple has lied about a severe security incident involving Super Micro hardware.
In 2016 Super Micro Senior Vice President of Technology himself said Apple found "infected firmware." It was so bad that Apple "discontinued future business [with Super Micro] as a result of a compromised internal development environment". Strangely Apple at the time was denying the whole thing:
https://appleinsider.com/articles/17/02/23/server-firmware-s...
But today, 2 years later, in a statement denying the current spy chip saga, Apple now appears to acknowledge this 2016 security incident, while minimizing it: they say it was "an infected driver on a single Super Micro server in one of our labs" (https://www.apple.com/newsroom/2018/10/what-businessweek-got...)
Why would Apple deny then 2 years later confirm this security incident?
As usual, the truth is probably somewhere in the middle. It is very possible the anonymous sources at Apple who support the spy chip story are not technical persons and are confusing this 2016 incident with the spy chip incident (in fact it's what Apple theorizes in their statement.) It is very possible the spy chip does exist and was found at some companies, just not at Apple.
I also find it very interesting that the FBI, the one organization allegedly at the center of this saga investigating the spy chip, has remained completely silent, neither confirming nor denying the story.
In the past, these Bloomberg reporters have misreported on NSA exploiting Heartbleed. Here is the Washington Post giving them shit about it:[1]
As for the 2016 incident, read Apple's denial more closely. They denied finding infected firmware on servers purchased from SuperMicro. What happened is someone in the design lab (not in production) downloaded infected firmware from SM's support site, where it was "still hosted".[2] While you might say Apple could have been clearer at the time, that is nothing like the very strong, clear, detailed denials at hand here.
Not even infected firmware, an infected Windows driver package. Which, although embarrassing for Supermicro, is a lot less sophisticated or unusual an attack than anything being claimed.
> someone in the design lab (not in production) downloaded infected firmware from SM's support site
Other than the claim that the infected firmware is "still hosted there" (which beggars belief) that sounds more like an engineer was spearphished and fooled into downloading firmware from what he believed to be the SM support site.
FYI "still" meant as of the time of the follow-up reporting in 2016, not today. I think it's believable that SuperMicro's support site got hacked. But I agree that was an incident on par with a sole developer installing malware on their system, not a supply chain compromise or major security incident with production systems.
Isn't hacking the support site a supply chain compromise?
Much discussion about software supply chain attacks was around the role of NPM as a vector, which can be thought of as a source of "drivers" that make various products and services work, similar to the role that a support site for a physical manufacturer plays.
I meant the supply chain for their data center. But I won’t split hairs.. yes support site compromise is a supplier problem and probably a factor in Apple shifting away. But clearly Apple had more protections in place for their production systems than what some dev installed in the design lab. So I think Apple’s denial is fair.
A news website publishes many articles about hot topics.
Is 16 a lot or a little? Is that more or less than pro-Sanders or anti/pro-Clinton articles? DemocracyNow had nothing to say about that.
Even though a complaint whose only evidence is one hand-assembled image shouldn't be taken seriously as an evidence-backed analysis, here goes:
Why would you type just part of the quote from Apple?
"Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."
And the AppleInsider article was updated to reflect the information that Apple provided in its press release. So there's no there there.
> I also find it very interesting that the FBI, the one organization at the center of this saga who is allegedly investigating the spy chip, has remained completely silent, neither confirming nor denying the story.
The FBI has a policy of never publicly commenting on ongoing investigations. You might remember certain exceptions to that policy causing an uproar about two years ago.
If you read The Information article[1], an Apple spokesperson says that Apple was “not aware of...infected firmware found on the servers purchased from this vendor”, but they’re not really denying that there was some kind of incident.
One element of such a case would be showing that the claims are untrue. Discovery on that question would dig deep into all sorts of areas that no one besides Bloomberg would want dug into.
Well no one at those companies maybe, but I sure would. Transparency is the only way truth will be known here, and that's against the nature of secret sources and against the nature of Apple in general. If only there were an independent arbiter we could trust that could view both sides in confidence and provide an independent ruling, but there's too much statecraft involved for that to happen.
It could be. Particularly of the foreign government, but also of the supposed target especially if security of the kind that was claimed to be compromised is key to their business reputation.
Well, yes, you can sue for anything. The barrier here isn't that publishing that a firm is subject to an exploit is specially categorically immune from defamation liability, but the regular standards for defamation, which in the US include falsity, a certain measure of responsibility for the falsity (which varies based on whether a public figure or a matter of public interest is involved), and actually damaging publication.
What they denied was that the servers were used in production. They also said they didn't find the firmware on the server as shipped from Supermicro, it was downloaded from their website [1].
> Update: A source familiar with the case at Apple told Ars that the compromised firmware affected servers in Apple's design lab, and not active Siri servers. The firmware, according to the source, was downloaded directly from Supermicro's support site—and that firmware is still hosted there.
Apple issued the following official comment:
Apple is deeply committed to protecting the privacy and security of our customers and the data we store. We are constantly monitoring for any attacks on our systems, working closely with vendors and regularly checking equipment for malware. We’re not aware of any data being transmitted to an unauthorized party nor was any infected firmware found on the servers purchased from this vendor.
> I also find it very interesting that the FBI, the one organization at the center of this saga who is allegedly investigating the spy chip, has remained completely silent, neither confirming nor denying the story.
That's not true. Christopher Wray, in a congressional hearing, said "be careful what you read" in a response to a question about the story [2].
«Christopher Wray, in a congressional hearing, said "be careful what you read"»
Like philwelch mentioned, the FBI has a policy of never publicly commenting on ongoing investigations. Wray's statement—extremely vague and neither confirming nor denying the story—thus implies there is an ongoing investigation... Hmm.
It really doesn't and for exactly this reason. If you never comment on ongoing investigations, you also can't ever deny a non-existent investigation, or a lack of denial is confirmation.
That is neither a confirmation nor a denial, although it is obnoxious. Who is this guy, Chairman of the Fed? A simple "I can't comment on ongoing investigations" would have sufficed. Instead, he's warning Congress about their reading habits? It sounds like something JEH would have said...