Apple boss demands Bloomberg Super Micro U-turn, Russian troll charged, NSA hands out cash, and more

After we encountered a libssh security blunder, a leaky Tea Party, and a dodgy Redmond sports marketer, another week is in the books. Here are a few more bits of infosec news to occupy the weekend. The way the Cook, he grumbles Apple boss Tim Cook is still not over the Bloomberg hit piece on Super Micro that named the iGiant …

  1. Chairman of the Bored Silver badge

    Connecticut...

    So West Haven pays off criminals? There is form - the adjacent town of New Haven {used to be | is} a significant node in the American Mafia network.

    The city fathers probably mistook the ransomware rip off for a more familiar shakedown or protection racket.

  2. SuccessCase

    Bloomberg isn't standing firm and backing everything they reported. They have been rather sneaky in their non-denial denial of what is increasingly looking like rather dodgy reporting. They said:

    "Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources."

    But note how carefully this is worded. As John Gruber of Daring Fireball has pointed out, notably they are being careful not to say Cook is wrong, or that their story is true. And the Buzzfeed story goes on to note no one in the security community has been able to verify anything in Bloomberg’s story and no other news source has backed it up (tip of the hat also to Gruber).

    Additionally in an early Daring Fireball report, Gruber quotes a transcript of the Risky Business podcast when Joe Fitzpatrick, a security researcher contacted by Bloomberg said the following:

    FITZPATRICK: But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked.

    GRAY: So I guess what you are saying here is, the report, I mean all of the technical details of the report, you’d covered that ground with that reporter.

    FITZPATRICK: Yeah, I had conversations about all the technical details and various contexts. But there are a lot of filters that happen, you know? When I explain hardware things even to software people, I don’t expect people to get it the first time and I don’t expect people to be able to describe it accurately all the time. So there is definitely a lot of telephone exchange happening.

    GRAY: OK but why did that make you feel uneasy? Could it be the case that you know that the technical things you told him lined up perfectly with the technical things that some of these 17 of the anonymous sources told him?

    FITZPATRICK: You know, I’m just Joe. I do this stuff solo. I am building hardware implants for phones to show off at conferences. I’m not a pro at building hardware implants. I don’t work for any nation or any state building and shipping these as products. I feel like I have a good grasp at what’s possible and what’s available and how to do it just from my practice. But it was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100 percent of what I described was confirmed by sources.

    GRAY: And that’s what he was telling you through this process?

    FITZPATRICK: That’s what I read in the article.

    GRAY: OK, right. You find that a bit strange? That every single thing you seem to tell him, or a large proportion of what you told him, was then confirmed by his other sources.

    FITZPATRICK: Yeah, basically. Either I have excellent foresight or something else is going on.

    All in all it very much seems like Bloomberg's reporting has got somewhat carried away with a possibility and reported it as fact. I even wonder if the reporter was mistaking these stories as a hinted reality. E.g. did the reporter get carried away and think Fitzpatrick was speaking hypothetically to present the truth without breaking confidence or legal non-disclosure, when in fact Fitzpatrick was only speaking hypothetically?

    It seems a distinct possibility to me that the reporter added 2 + 2 and calculated the result is 5. Certainly the denials are very direct and Cook is prepared to put his integrity on the line. If for SEC rules alone, his statement is highly significant. When execs of a public company have something to hide, they usually avoid talking about it so as to avoid all possibility of legal blowback, and word is Cook is one of the more trustworthy of the major tech CEOs.

    1. bombastic bob Silver badge

      reporting got carried away with 'possibility' and reported it as 'fact'

      sounds like a topic line to me. This (captain obvious says) is sometimes called 'fake news'. 'Fake news' usually consists of a ton of 'anonymous sources' claims, and click-bait headlines, surrounding a plausible story [or at least plausible to the audience].

      Sometimes, this ends up becoming REAL news, over time, like 'Watergate' back in the 70s. Other times it turns out to be just pure B.S. and FUD, often just an attempt by press organizations to gain attention, drive an agenda, or worse.

      I'll give Bloomberg 'benefit of the doubt' on this and keep a skeptical eye on them at the same time. If they prove to have been guilty of spreading 'Fake News' they will DESERVE the lawsuits that are likely to follow.

      /me points out that they're sometimes called 'Doomberg' within conservative media. heh.

    2. Spazturtle Silver badge

      Yeah I think this is what is going on, I found myself being quoted as an 'anonymous industry insider' in an article in a tech news site at the start of this year (most tech news sites are trash to be honest). I made a comment on a Linux/Unix forum about Meltdown and how it looked like Intel were performing the bounds check at the wrong point (which turned out to be correct) and how this was likely done in order to boost performance (when the CPU receives the instruction to "Do X, Then Y, Then Z" it should do a bounds check before doing X, then before doing Y and then again before doing Z; what appeared to be happening was that the bounds check was only being performed after X, Y and Z had been done and if the check failed the CPU attempts to roll back).

      A week later somebody sent me a PM linking me to an article where my comment had been quoted nearly word for word and attributed to an 'anonymous industry insider'.

  3. Rol Silver badge

    "We stand by our story and are confident in our reporting and sources."

    Doesn't come across as:-

    "notably they are being careful not to say Cook is wrong, or that their story is true."

    I think "standing by our story" can only be interpreted as a noncommittal statement if you read it by the light of an ancient oil lamp which you were rubbing vigorously.

    Wishing Bloomberg away is not the same as disproving their story.

    Obviously hard evidence of tampered motherboards either exists or it doesn't, and that will be the metric that this story is measured by.

    If those involved are willing to let independent experts investigate their motherboards then a conclusion will be forthcoming.

    If those parties make a song and dance about letting such an investigation happen, then I guess we have our answer.

    1. Anonymous Coward

      Apple say a lot of shit these days. I don't know what I should believe. Look how Louis Rossmann is treated by Apple

      https://www.youtube.com/watch?v=o2_SZ4tfLns&t=4s

      https://www.youtube.com/watch?v=AVL65qwBGnw

  4. Version 1.0 Silver badge

    The Bloomberg report was probably incomplete - I think it would be unbelievable if the reported board hack has not taken place but equally well, it's very unlikely that it was as generalized as some of the published stories have suggested. And I'd be very surprised if the hacked boards did not contain a method of making the hack "vanish" too - if you are going to play these sorts of tricks then you would be strongly advised to include a switch to cover your tracks.

    I'm not being paranoid, just realistic - it's very unlikely that we'll ever know the truth.

    1. Voyna i Mor Silver badge

      "And I'd be very surprised if the hacked boards did not contain a method of making the hack "vanish" too"

      If it was an additional semiconductor, whether on the surface or somehow embedded during the board fabrication (a little unlikely perhaps given the manufacturing implications) then presumably you'd need something like a fuse and a very small thermite charge. The small smoking crater might be a giveaway.

      1. Anonymous Coward

        I think there are two points here -

        1) A report from Bloomberg

        The companies involved can be required, if the US wishes, to deny the story because of US legislation.

        Bloomberg lacks a smoking gun in the form of a board we can see and their sources may have been got to.

        2) The concept that hardware can be modified in production in China and elsewhere

        This has happened and will happen again; larger companies should be checking systems for secure processing at the physical and chip code levels. Smaller companies in supply chains to secure companies need to know they are a stepping stone for nation state actors to the main prize.

  5. Rol Silver badge

    It's not always Russia manipulating stories and poisoning our media

    Is it!!!

  6. Mark 85 Silver badge

    Apple boss Tim Cook is still not over the Bloomberg hit piece on Super Micro that named the iGiant as a possible spying victim.

    The lad doth protest too much. Makes one wonder if the adage about "where there's smoke, there's fire" applies here. Might as well not get too worked up and just wait and see. Popcorn?

    1. Yet Another Anonymous coward Silver badge

      He doth protest nowhere near enough

      If this turns out to be:

      A 3-letter agency getting in the ground work for some future China tariff / ban

      Intel putting in a defensive move to dilute any stories about its management engine

      A short seller hoping to take advantage of a drop in share price.

      It could be the end of Bloomberg. Why am I paying $25K/pa for a Bloomberg terminal that is about as trustworthy as Fox and Friends?

      1. Anonymous Coward

        >Why am I paying $25K/pa for a Bloomberg terminal that is about as trustworthy as Fox and Friends?

        Well, for instance Macro Man is a cool dude to listen to.

        1. bombastic bob Silver badge

          paying $25k/pa for a Bloomberg terminal? [I'm guessing you're a news provider subscribing to them]

          I think I'd prefer 'Fox and Friends' over Bloomberg, or better still, THIS guy. Lots more entertaining, at the least.

      2. bombastic bob Silver badge
        Black Helicopters

        "Intel putting in a defensive move to dilute any stories about its management engine"

        That's a NICE conspiracy theory! I like it! [conspiracy theories are fun - not like I necessarily believe them, but they're definitely fun]

        /me ducks to avoid being seen by the black helicopters [see icon]

        1. FlamingDeath Bronze badge

          You would not believe some of the absurd shit people will do to not get caught.

          "All the world's a stage"

  7. Anonymous Coward

    Lily Savage is Apple's new CEO?...

    That photo, at the top of the story, looks remarkably like Lily Savage a.k.a. Paul O'Grady.

    I hope O'Grady actually is the new CEO of Apple. A man with a remarkably fast and razor sharp mind. Something that has been sadly lacking at the senior levels of Apple management for quite a few years now. Based on the public evidence so far,

    1. Anomalous Cowturd

      Re: Lily Savage is Apple's new CEO?...

      I thought exactly the same thing. You'd think they were identical twins.

      He (O'Grady) lives not far from my sister. Often to be found walking his dogs locally, or at the local Waitrose. His house has amazing views.

      Bloody nice chap, by all accounts.

      1. Voyna i Mor Silver badge

        Re: Lily Savage is Apple's new CEO?...

        "Often to be found walking his dogs locally, or at the local Waitrose."

        I wish I was a celebrity and was allowed to walk my dog at the nearest Waitrose.

      2. julian_n

        Re: Lily Savage is Apple's new CEO?...

        I thought he had left the country after the 2015 election:

        https://www.telegraph.co.uk/news/politics/labour/11579451/Lily-Savage-star-Paul-OGrady-to-leave-Britain-if-Conservatives-wins-election.html

        What? He didn't? Another leftie hypocrite

    2. MJI Silver badge

      I thought Paul too

      Just lock up any small cute dogs unless you want them adopted.

  8. Howard Hanek Bronze badge

    Please End the Confusion

    Despite Bloomberg's best efforts to be known as the home of the Dodgers, they're still in LA and are doing great this year.

  9. Andy The Hat Silver badge

    confused ...

    "The strategic goal of this alleged conspiracy, which continues to this day, is to sow discord in the US political system and to undermine faith in our democratic institutions,”

    I thought Trump was doing this?

  10. FlamingDeath Bronze badge

    One thing's for certain...

    Madame Tussauds will have no issue with recreating Tim Cook in wax form

    1. MJI Silver badge

      Re: One thing's for certain...

      Place on small fluffy dog - Paul O'Grady

      No small fluffy dog - the Apple Paul O'Grady lookalike

  11. FlamingDeath Bronze badge

    Back to reality...

    Tim Crook cares more about the stock value of CrApple than the security of its customers, and that is a 100% bankable, factually correct and provable piece of information; you can even quote me on it. You can also apply this sound reasoning to every single publicly listed company on the planet.

    So, with that bit of reality taken care of, PR guff IS expected of CrApple and every other shareholder infested organisation out there.

    Hopefully I have given some insight into this money-centric-world

  12. MJI Silver badge

    Why?

    Are you using a picture of Paul O'Grady?
