AWS CEO Andy Jassy Follows Apple In Calling For Retraction of Chinese Spy Chip Story (cnbc.com)
An anonymous reader quotes a report from CNBC: Andy Jassy, the CEO of Amazon Web Services, followed Apple's lead in calling for the retraction of Bloomberg's story about spy chips being embedded in servers. "They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories," Jassy wrote in a tweet on Monday. "Reporters got played or took liberties. Bloomberg should retract."
Apple CEO Tim Cook told Buzzfeed on Friday that the scenario Bloomberg reported never happened and that the October story in Bloomberg Businessweek should be retracted. Bloomberg alleged data center hardware used by Apple and AWS, and provided by server company Super Micro, was under surveillance by the Chinese government, even though almost all the companies named in the report denied Bloomberg's claim. Bloomberg published a denial from AWS alongside its own report, and AWS refuted the report in a more strongly worded six-paragraph blog post entitled "Setting the Record Straight on Bloomberg Businessweek's Erroneous Article." Further reading is available via The Washington Post.
"Sources tell the Erik Wemple Blog that the New York Times, the Wall Street Journal and The Post have each sunk resources into confirming the story, only to come up empty-handed," the Washington Post reports. "(The Post did run a story summarizing Bloomberg's findings, along with various denials and official skepticism.) It behooves such outlets to dispatch entire teams to search for corroboration: If, indeed, it's true that China has embarked on this sort of attack, there will be a long tail of implications. No self-respecting news organization will want to be left out of those stories. 'Unlike software, hardware leaves behind a good trail of evidence. If somebody decides to go down that path, it means that they don't care about the consequences,' Stathakopoulos says."
Well, duh... (Score:2, Funny)
The very mention of SuperMicro in the story means it's crap. Damned company can barely get their legit mobo components running, let alone some astoundingly sophisticated spy chip.
(/me gets his coat...)
Re: (Score:1)
This is another thing that's got me confused. Everyone here on /. says that SuperMicro servers are crap. I have no personal experience with them. Yet, if they're so crap, how come Apple, Amazon, et al. are buying thousands of these machines for their mission-critical data centres?
Re: (Score:2)
Personally, I've had more mysterious problems with HP than Supermicro.
Re: (Score:2)
My experience is very different. I find that Supermicro is quite reliable, at least when running Linux.
They don't seem to be too picky about environment or power. (within reason)
Of course, I don't get the bargain basement model or run Windows, so that may be a different story.
Re:Well, duh... (Score:5, Informative)
My experience with them is a few years old, and it's from the finance industry, so not directly related to using them for cloud services. SuperMicro sells on price and density. SuperMicro have products that are two complete, fully independent servers in a 1U rack enclosure. They're also very cheap. Now to achieve this, something's got to give, so there are some compromises.
SuperMicro servers aren't as feature-rich as something you'll get from Dell or HP. For example the out-of-band management isn't as sophisticated, the storage controllers aren't as configurable, and you don't have as many options for NIC modules. The build quality isn't spectacular either - they're definitely not as physically robust or convenient to work on as a Dell PowerEdge.
In terms of performance, they weren't really competitive with Dell or IBM for single-CPU throughput or wire-to-wire latency. Whether this is important or not depends heavily on your application. If you're doing something like online transaction processing where latency isn't critical, you might get better overall performance by going with SuperMicro and making the most of the higher density and lower price. But that's not going to help you if your application depends on good wire-to-wire latency.
Failure rates weren't much worse than HP really. After-sales support from SuperMicro isn't great, but remember you're paying a lot less. If you're prepared to do more of your service/support in-house rather than dealing with the manufacturer or a value-added reseller, SuperMicro might be better value.
TL;DR SuperMicro's offerings aren't as good in terms of performance, build-quality and vendor support, but they try to make up for it with low cost and high density. Depending on your application, it may be a win.
Re: (Score:2)
++
Maybe not the best there is - but not crap.
Re: (Score:2)
Because they aren't crap.
Re: (Score:3)
Public company, short the stocks, spread a story, voila, big profits to be made. It's all part of the corporate wars, using various criminal methods to attack and destroy other corporations, spreading misinformation just a minor part, computer hacking of all kinds, corrupting staff in competing companies and you can expect targeted assassination to follow. American special services are now bragging about post employment for profit assassination program. So take out a critical executive, at a critical time, ca
There's no There There (Score:5, Insightful)
If it were just Apple, or Amazon claiming the story was false I'd be dubious.
But it's both companies. And the NSA, and every other news organization that has gone looking. All are coming up blank on this.
At some point you have to go with the "simplest answer is correct", which means that Bloomberg is wrong in this case. The real question to my mind is, how did they go so badly wrong.
Re:There's no There There (Score:5, Insightful)
IIRC, they had a single source who claimed it, and showed pictures of the mobo to the reporters. The reporters then showed the photos to a computer expert who agreed that that chip looked suspicious and could be a spy chip. Further, that he couldn't identify another good reason for the chip.
The original source may have had other documentation, but that's all I've seen so far.
Re:There's no There There (Score:4, Insightful)
Single source, photo not hard evidence, expert using words like "could".
You'd want to have more than that when you make an accusation affecting the world's biggest companies.
Re: (Score:2)
I'm not sure... I mean, it seems to be the minimum to be non-reckless, so you're safe from libel concerns. And if you thought it was true (e.g. if the source was your brother), you might think it would shake other sources free...
I certainly think the fact that they are the world's biggest companies means you have less of a requirement of care - they can fight back. If they said things about you personally,
Re: (Score:2)
You seem confused. Bloomberg has 17 anonymous sources, not 1.
Re: There's no There There (Score:1)
No, they had one source who supposedly provided hard evidence in the form of a couple of pictures. And 16 people who supposedly confirmed the 1st guy, but who could just as easily have been confirming rumors they heard around the watercooler.
Re: There's no There There (Score:2)
And yet they can't produce even one of thousands of server boards that were allegedly removed from the data centers after the denied discovery of alleged hardware.
Where is the hardware if this is real?
Re: (Score:2)
But mysteriously, they haven't shown the photos to their readers.
Re: (Score:1)
They have 17 sources, so that's one heck of a conspiracy theory once you fit that in. ;)
What surprises me is how many people, even here at slashdot, hear a few executives making strong statements and they forget all about which is provable, positive statements, or negative statements?
If it happened, and not everybody knew about it, do people who tried to find out about it but found nothing have evidence that nothing happened? Or do they only have no information?
The way I see it, Bloomberg is making statemen
Re: (Score:3)
They SAY they have 17 sources, but all are conveniently anonymous. The only expert that was named says he was mis-quoted.
Given the amount of doubt and multiple public challenges, you'd think that if they have anything to prove any of this, even to a preponderance of the evidence, they'd cough it up.
Homo Sapiens were planted here by grey aliens from Sirius. I have proof but God told me not to publish that yet. Care for a nice refreshing cup of Cool Aid?
Re: (Score:2)
OK, sjames, since you're a kid who was born yesterday, I'll just give out the spoiler:
journalists protect their sources; that isn't information you have ever been receiving in your life when these things get reported on. Journalists sometimes even go to jail rather than tell you who their sources were. No, that isn't information you were reasonably expecting to get. And in this case, it would obviously endanger the actual physical lives of the sources.
Now, are you really sure you didn't already know all that?
Re: (Score:2)
Since I don't have a time machine to fix your being apparently raised by wolves, I'll just mention that they also mis-quoted the only named expert and they haven't even managed to show us a picture of an affected board (they did, however, show us utterly useless pictures of generic un-hacked boards and a harmless signal conditioner in order to leave the impression that they had presented photographic evidence).
Re: There's no There There (Score:4, Insightful)
Why is it on multiple companies to prove a negative, instead of Bloomberg showing the proof of their accusations?
You have it completely backwards. If I say that someone buggers goats and I have evidence, I'd better be able to produce that evidence - it's not on the alleged goat-buggerer to somehow prove he hasn't buggered a goat.
Re: (Score:2)
Why is it on multiple companies to prove a negative,
I didn't say it is "on them" to prove a negative, I said they're claiming to have already proven the negative, that's their whole denial!
The lie is on them, not the requirement to lie. ;)
Re: (Score:2)
You can't prove a negative. That's a known fact.
If you stopped right there you'd be spot-on. But then you started equivocating about how in this case, they get to pretend they can prove a negative, because you proposed a hypothetical that sounds self-consistent to you. But actually, nobody has the level of detail that would be needed to prove anything, other than potentially Bloomberg.
The parts of what you said that are factual could actually be part of a different event that happened concurrently. You don't even have enough detail to know that much.
Just
Re: (Score:2)
According to Apple this story has been researched by the writers for over a year. Well, "researched".
Re: There's no There There (Score:2)
I think it's one of those things that got by because it was plausible enough in the light of the Snowden revelations that governments do this kind of guff that a manufacturer might deploy a hacked version of Intel management engine or something like that. Like sure it's possible.....
But possible isn't the same as actual, and the editors really ought to have demanded some evidence, not because it was dubious but because it's a big story with big implications
Re: (Score:2)
I wouldn't go that far. It's more reasonable to say the simplest answer shall be considered "the default assumption" or "the most likely". (See Occam's razor [wikipedia.org].)
Re: (Score:2)
And why should we expect any of those entities to be truthful in this at all? Apple? AWS? Agencies?
Apple and AWS because the denials they have issued would mean big fines if they are false.
NSA, maybe, I'm like 50/50 on that as I can't see a good angle for why they would lie about it one way or the other.
However as I said multiple other news agencies also cannot find anything, and they very much have motive to get to the truth as well. They have nothing.
Re: (Score:2)
NSA, maybe, I'm like 50/50 on that as I can't see a good angle for why they would lie about it one way or the other.
***ROFLCOPTER***
Like, spy agencies need a special occasion to find benefit in the public having incorrect information about them?!
I wouldn't trust them to take an office poll about everybody's favorite flavor of ice cream. They'd lie for sure, out of fear of accidentally leaking some aspect of their process.
An organization that only recently started even admitting that it exists, and people already treat them like some do-goody nun who would never lie unless it was for a really good reason like protecting r
Re: (Score:2)
And why should we expect any of those entities to be truthful in this at all? Apple? AWS?
The companies are subject to serious civil and criminal penalties for lying about material facts that could affect their stock price.
Agencies?
The agencies would get major budget boosts if they can show that the Chinese infiltrated all of these companies. They have a strong vested interest in making China look like a powerful and dangerous boogeyman.
Re: There's no There There (Score:2)
News organizations get taken on stories. It happens, even with rigorous attempts to confirm. The New York Times has been taken on some false stories not too far in the past due to over-zealous reporters that think they are on something big, and lose objectivity. It happens. And it's also why some news organizations don't run shit until they have two named sources on the record, so if it's horse shit they can point to where they got the bad information.
Bloomberg won't name their sources, and they won't p
Re: (Score:2)
Apple in particular has hundreds of billions' worth of reputational mindshare built partially on protecting privacy ... lying has a significant monetary risk for them since every lie has the chance of being found out; what would offset that cost for them?
Re: (Score:2)
Here [microchip.com] is a picture of a complete self-contained microcontroller. The picture only shows one side; it has six pins in an SOT-23-6 package. That means the plastic package is about the size of a grain of rice. Its six pins are four general purpose I/O pins, plus power and ground.
It's not an exotic chip or even an expensive one. It's got programmable flash memory and costs less than 20 cents in medium quantities. It's commercial off-the-shelf stuff you can buy from DigiKey and have delivered in a few days.
Re: (Score:1)
Whoops, my pricing is wrong. It's 40 cents in quantity 3000. Better up the budget, spooks.
Re: (Score:2)
I bet the Chinese were the first to deny the story.
Re: (Score:2)
In other words this story seems to be an amalgamation of the foll
Re: There's no There There (Score:1)
This is a reasonable conclusion. The other interesting angle which was mentioned from one of the prior threads on this was, alternatively, they didn't uncover a Chinese op, but an internal US op, and thereby disclosing it, opened up another can of worms there.... That might explain the reaction by politicians then...
This would also explain the major push to get everything and everyone's data cloud based, because cloud is goodz..... Over the last 5 years.... The propaganda or forced adoption to cloud very heav
It depends on what the meaning of "SEC" is (Score:3)
They denied it, then denied it more fully, then followed up with a more clear and forceful denial. If it turns out to be true, the SEC will decide which executives they want to put in prison for material false statements.
The amount and type of denials aren't necessary and wouldn't be appropriate if the story was actually true. The executives have no reason to put themselves at risk denying it in the *manner* that they have. If it were true, they'd very much want to use more Clintonian statements like "we hav
Re: (Score:2)
Wow, even Ray Morris got confused by this story! He's not sure anymore which is provable, positive statements, or negative statements? If it happened and people who didn't know actually didn't know, does that mean they did know?!
You have no idea if the executives would be in jeopardy or not, because there are no public facts about if they're being directed to make the statements by the government. It is quite obvious that any public knowledge of the necessary information will only come out at a much later s
Re: (Score:2)
They denied it, then denied it more fully, then followed up with a more clear and forceful denial. If it turns out to be true, the SEC will decide which executives they want to put in prison for material false statements.
Does national security (NSA) override the SEC? If so, it doesn't matter that the companies might be lying about these chips - they won't be prosecuted as that would expose what's going on.
Re:There's no There There (Score:4, Insightful)
Every organization involved has a strong, strong motive to deny this
That isn't even remotely true. Were the story true in part or whole, they'd have plenty of reasons to make couched denials or to keep their mouths shut, but they wouldn't have any reason to make the categorical denials they've been making. Categorical denials can come back to bite them.
If it later came out that Bloomberg was right, but that Apple and Amazon had chosen to make categorical denials despite knowing better, we'd lose count at the number of lawsuits and criminal charges filed against them. They'd have knowingly misled their shareholders, repeatedly engaged in fraud in public statements, and lied to Congress, among other crimes and illicit activities. And both companies have had C-level executives signing their names to these statements, including those being made to Congress, meaning that real people are putting themselves on the hook for what these companies are claiming. There would be jail time.
Had they come out with couched, non-denial denials that made it clear that they were merely denying certain facts of the story, that'd be one thing, but they're all outright saying that Bloomberg got the story wrong, and not just in part, but in full inasmuch as it relates to each of them. Apple says that they have no awareness of the things they're supposedly aware of. Amazon says the same. The FBI says the same. Other newspapers have been unable to come up with any corroborating evidence. Bloomberg has failed to produce a single person with firsthand knowledge who is willing to speak on the record, let alone produce the chip itself, which would be the smoking gun that could silence all criticism.
Also, it's clear you don't even know what the implications are of the alleged chips. Amazon allegedly picked up these boards when it acquired Elemental. They weren't a part of AWS. Hell, they weren't even connected to the Internet. And Apple allegedly had these boards in their data centers (side note: Apple never even had the number of SuperMicro boards that Bloomberg claimed were affected), so we're not talking about a phone compromise.
Moreover, Apple and Amazon allegedly knew about these boards back in 2015, yet Apple didn't dump SuperMicro until 2016, and Amazon was still using SuperMicro boards as of just a few months ago. Are you telling me that they kept using boards from SuperMicro for a year or three after finding out about this issue?
Come on.
Re:There's no There There (Score:5, Insightful)
If this spy chip had been implanted into that many motherboards there would be copies of it all over the place for people to study. This is why the NSA doesn't modify actual hardware, everything is in software where they have plausible deniability.
Spy chips create physical evidence and I doubt even China is dumb enough to go that route.
Re: (Score:2)
Uh, where did the words "that many" come from? Maybe it wasn't "that many," maybe it was only a few out of millions?
News flash: We have no idea if the NSA modifies actual hardware. As far as we know, they do, and they were the ones who modified the hardware in this story. Or they weren't, but they want people to think that they do. Or they don't, but they're worried somebody will leak that they don't, so they leaked a fake story that they did. Or they do, and they were worried about a leak, so they leaked t
Re: (Score:2)
The entire point of this story was corruption of the supply chain, a huge conspiracy involving the factory bosses being bullied by the communist party.
If it's just a couple computers it makes far more sense to simply intercept the computer during shipping and then quickly modify it.
Re: (Score:2)
One of the Bloomberg articles (I don't recall if it was the followup or the first article) indicated there was an AWS datacenter with 30K of these Supermicro motherboards in it. The article directly implies that the entire production line sometime in 2014-2015 was compromised, with every server leaving the factory containing a chip.
Did you read the article? If there were 30K in an AWS data center there were at least that many that didn't make it to AWS; the world would literally be flooded with these compromis
Re: (Score:2)
Yeah, and all the land-based animals would literally be drowning...
Re: (Score:2)
Lack of detail in a story does not imply an absolute in a continuous tense. That would make every story in every newspaper false.
Instead, lack of detail in the phrasing only implies a lack of detail in the knowledge.
Re: (Score:2)
I assume that if the NSA really wants to LoJack hardware they simply make their own chip of something already on the board, using some materials which react with nitric acid and/or some pyrophorics to make sure anyone trying to decap them won't get any evidence. Much lower chance of detection.
In this purported case the Chinese could easily have done the same, why put a chip in between flash and the BCM instead of just putting an extra die in a custom flash chip and replacing the entire chip?
Re: (Score:2)
Actually Apple would have gained a lot by saying this was true and that they detected the chips early long before deploying the servers. They could include a blurb of how they are security conscious in this modern world and always there protecting their customers from every conceivable threat. ... - th
If they wanted to protect the company producing the servers they could then include how they quickly helped locating the bug, wasted no effort validating every server, provided services far beyond the expected
Re: (Score:2)
Moreover, Apple and Amazon allegedly knew about these boards back in 2015, yet Apple didn't dump SuperMicro until 2016...
There seems to be a persistent misunderstanding of the timeline. The initial detection wasn't, "Hey, I found a board with an amazing spy chip in it!" The initial detection was, " That's funny..."
I could easily believe that it took a year of painstaking labor for the alleged Canadian security company to track down the source of the rogue packets on the boards they were sent. There are a lot more likely things in the system to be generating the traffic than a chip that shouldn't be there. I'm sure it took
Re: (Score:2)
Every organization involved has a strong, strong motive to deny this, and no motive to admit it.
You have a strong, strong motive to deny you are a child molester, and no motive to admit it.
I've heard this before... (Score:2)
"They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories," Jassy wrote in a tweet on Monday.
Wait, that sounds familiar.
Hardware security was punnetrated (Score:1)
So Amazon is chipping in.
Re: Hardware security was punnetrated (Score:2)
I've bought microcontrollers on Amazon, so... yes.
Re: Now I believe it even more (Score:2)
There will inevitably be a bit of a Streisand effect.
Re: Why retract? (Score:2)
Suing would require both discovery and proving damages. These companies really don't want the defense digging through their records and datacenters for reasons that should be obvious, and proving damages would be difficult if not impossible.