Thursday, 4 October 2018

Bloomberg’s spy chip story reveals the murky world of national security reporting

Today’s bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and most jarring breaches of the U.S. tech industry by a foreign adversary… or it’s not, and a lot of people screwed up.

To recap, Chinese spies reportedly infiltrated the supply chain and installed tiny chips the size of a pencil tip on the motherboards built by Supermicro, which are used in data center servers across the U.S. tech industry — from Apple to Amazon. That chip can compromise data on the server, allowing China to spy on some of the world’s most wealthy and powerful countries.

Apple, Amazon and Supermicro — and the Chinese government — strenuously denied the allegations. Apple also released its own standalone statement later in the day, as did Supermicro. You don’t see that very often unless they think they have nothing to hide. You can — and should — read the statements for yourself.

Welcome to the murky world of national security reporting.

I’ve covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories — including the U.S. government’s covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens.

Even with this story, my gut is mixed.

Reporters on any topic or beat try to seek the truth, but tapping information from the intelligence community is near impossible. For spies and diplomats, it’s illegal to share classified information with anyone and can be — and is — punishable by time in prison.

As a security reporter, you’re either incredibly well sourced or downright lucky. More often than not it’s the latter.

Naturally, people are skeptical of this “spy chip” story. On one side you have Bloomberg’s decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources — some inside the government and some out — and enough evidence to make a convincing case.

On the other, the sources are anonymous — likely because the information they shared wasn’t theirs to share or it was classified, putting sources at risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say “a source familiar with the matter” because it weakens the story. It’s the reason reporters will tag names to spokespeople or officials, so that the powers are held accountable for their words. And the denials from the companies themselves — though transparently published in full by Bloomberg — are not bulletproof in outright rejection of the story’s claims. These statements go through legal counsel and are subject to government regulation. They become a counterbalance — turning the story from an evidence-based report into a “he said, she said” situation.

That puts the onus on the reader to judge Bloomberg’s reporting. Reporters can publish the truth all they want, but ultimately it’s down to the reader to believe it or not.

In fairness to Bloomberg, chief among Apple’s complaints is a claim that Bloomberg’s reporters were vague in their questioning. Given the magnitude of the story, you don’t want to reveal all of your cards — but still want to seek answers and clarifications without having the subject tip off another news agency — a trick sometimes employed by the government in the hope of lighter coverage.

Yet Apple — and Amazon and the other companies implicated by the report — might also be in the dark. Assuming there was an active espionage investigation into the alleged actions of a foreign government, you can bet that only a handful of people at these companies will be even cursorily aware of the situation. U.S. surveillance and counter-espionage laws restrict who can be told about classified information or investigations. Only those who need to be in the know are kept in a very tight loop — typically a company’s chief counsel. Often their bosses, the chief executive or president, are not told, to avoid making false or misleading statements to shareholders.

It’s worth casting your mind back to 2013, days after the first Edward Snowden documents were published.

In the aftermath of the disclosure of PRISM, the NSA’s data pulling program that implicated several tech companies — including Apple, but not Amazon — the companies came out fighting, vehemently denying any involvement or connection. Was it a failure of reporting? Partially, yes. But the companies also had plausible deniability by cherry picking what they rebuffed. Despite a claim by the government that PRISM had “direct access” to tech companies’ servers, the companies responded that this wasn’t true. They didn’t, however, refute indirect access — which the companies wouldn’t be allowed to say in any case.

Critics of Bloomberg’s story have rightfully argued for more information — such as more technical data on the chip, its design and its functionality. It’s entirely reasonable to want to know more. Jake Williams, a former NSA hacker turned founder of Rendition Infosec, told me that the story is “credible,” but “even if it turns out to be untrue, the capability exists and you need to architect your networks to detect this.”

I was hesitant to cover this at first given the complexity of the allegations and how explosive the claims are without also seeking confirmation. That’s not easy to do in an hour when Bloomberg’s reporters have been working for the best part of a year. Assuming Bloomberg did everything right — a cover story on its magazine, no less, which would have gone through endless editing and fact-checking before going to print — the reporters likely hit a wall and had nothing more to report, and went to print.

But Bloomberg’s delivery could have been better. Just as The New York Times does, even as recently as its coverage of President Trump’s tax affairs, Bloomberg missed an opportunity to be more open and transparent in how it came to the conclusions that it did. Journalism isn’t proprietary. It should be open to as many people as possible. If you’re not transparent in how you report things, you lose readers’ trust.

That’s where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you — and I — have to put a lot of trust and faith in Bloomberg and its reporters.

And in this day and age where “fake news” is splashed around wrongly and unfairly, for the sake of journalism, my only hope is they’re not wrong.



from Apple – TechCrunch https://ift.tt/2Pbzsud

Chinese chip spying report shows the supply chain remains the ultimate weakness

Thursday’s explosive story by Bloomberg reveals detailed allegations that the Chinese military embedded tiny chips into servers, which made their way into data centers operated by dozens of major U.S. companies.

We covered the story earlier, including denials by Apple, Amazon and Supermicro — the server maker that was reportedly targeted by the Chinese government. Apple didn’t respond to a request for comment. Amazon said in a blog post that it “employs stringent security standards across our supply chain.” The FBI did not return a request for comment but declined to comment to Bloomberg, and the Office of the Director of National Intelligence declined to comment. This is a complex story that rests on more than a dozen anonymous sources — many of whom are sharing classified or highly sensitive information, making on-the-record comments impossible without repercussions. Despite the companies’ denials, Bloomberg is putting its faith in readers trusting the reporting.

Much of the story can be summed up with this one line from a former U.S. official: “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”

It’s a fair point. Supermicro is one of the biggest tech companies you’ve probably never heard of. It’s a computing supergiant based in San Jose, Calif., with manufacturing operations across the world — including China, where it builds most of its motherboards. Those motherboards trickle throughout the rest of the world’s tech — and were used in Amazon’s data center servers that power its Amazon Web Services cloud and in Apple’s iCloud.

One government official speaking to Bloomberg said China’s goal was “long-term access to high-value corporate secrets and sensitive government networks,” which fits into the playbook of China’s long-running effort to steal intellectual property.

“No consumer data is known to have been stolen,” said Bloomberg.

Infiltrating Supermicro, if true, will have a long-lasting ripple effect on the wider tech industry and how companies approach their own supply chains. Make no mistake — introducing any kind of external tech into your data center isn’t taken lightly by any tech company. Fear of corporate and state-sponsored espionage has been rife for years. It’s chief among the reasons why the U.S. and Australia have effectively banned some Chinese telecom giants — like ZTE — from operating on their networks.

Having a key part of your manufacturing process infiltrated — effectively hacked — puts every believed-to-be-secure supply chain into question.

For nearly every consumer electronics product or automobile, manufacturers have to procure different parts and components from various sources across the globe. Ensuring the integrity of each component is near impossible. But because so many components are sourced from or assembled in China, it’s far easier for Beijing than for any other country to infiltrate without anyone noticing.

The big question now is how to secure the supply chain.

Companies have long seen supply chain threats as a major risk factor. Apple and Amazon are down more than 1 percent in early Thursday trading and Supermicro is down more than 35 percent (at the time of writing) following the news. But companies are acutely aware that pulling out of China will cost them more. Labor and assembly are far cheaper in China, and specialist parts and specific components often can’t be found elsewhere.

Instead, locking down the existing supply chain is the only viable option.

Security giant CrowdStrike recently found that the vast majority — nine out of 10 companies — have suffered a software supply chain attack, where a supplier or part manufacturer was hit by ransomware, resulting in a shutdown of operations.

But protecting the hardware supply chain is a different task altogether — not least for the logistical challenge.

Several companies have already identified the risk of manufacturing attacks and taken steps to mitigate it. BlackBerry was one of the first companies to introduce a root of trust in its phones — a security feature that cryptographically signs the components in each device, effectively preventing the device’s hardware from being tampered with. Google’s new Titan security key tries to prevent manufacturing-level attacks by baking the encryption into the hardware chips before the key is assembled.

Albeit a start, it’s not a one-size-fits-all solution. Former NSA hacker Jake Williams, founder of Rendition Infosec, said that even those hardware security mitigations may not have been enough to protect against the Chinese if the implanted chips had direct memory access.

“They can modify memory directly after the secure boot process is finished,” he told TechCrunch.

Some have even pointed to blockchain as a possible solution. By cryptographically signing — like in root of trust — each step of the manufacturing process, blockchain can be used to track goods, chips and components throughout the chain.

In practice, manufacturers often have to act reactively and deal with threats as they emerge.

According to Bloomberg, “since the implanted chips were designed to ping anonymous computers on the internet for further instructions, operatives could hack those computers to identify others who’d been affected.”

Williams said that the report highlights the need for network security monitoring. “While your average organization lacks the resources to discover a hardware implant (such as those discovered to be used by the [Chinese government]), they can see evidence of attackers on the network,” he said.

“It’s important to remember that the malicious chip isn’t magic — to be useful, it must still communicate with a remote server to receive commands and exfiltrate data,” he said. “This is where investigators will be able to discover a compromise.”
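Williams’ point is that an implant is only useful if it talks out to a remote server, so its check-ins leave a trace in outbound connection logs. As an added example (not from the article or from any party named in it), here is a small beacon-periodicity check in Python over constructed flow records; the hostnames, the documentation-range IP addresses and the allowlist of vetted destinations are all made up for the example.

```python
"""Flag outbound connection series that recur at near-fixed intervals
to destinations an operator has not vetted: the network-side evidence a
hardware implant polling for instructions would leave behind."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not from any real network):
# (timestamp in seconds, source host, destination IP, destination port, bytes sent).
# "srv-07" reaches the same unknown address every 3600 s with a near-constant
# tiny payload; "srv-12" shows ordinary, irregular traffic to an unvetted host
# and both hosts also talk to a vetted package mirror.
SAMPLE_FLOWS = (
    [(3600 * i + 12, "srv-07", "203.0.113.7", 443, 512 + (i % 3)) for i in range(8)]
    + [(t, "srv-12", "203.0.113.99", 443, b) for t, b in
       [(100, 48211), (950, 1203), (1100, 300450), (7300, 9920), (7420, 112), (15010, 77000)]]
    + [(t, "srv-12", "198.51.100.20", 443, b) for t, b in [(300, 91000), (4000, 2200)]]
    + [(t, "srv-07", "198.51.100.20", 443, b) for t, b in [(400, 20000), (9900, 5000)]]
)

# Destinations an operator has already vetted (constructed allowlist). An
# implant's control server would, by definition, not be on it.
KNOWN_DESTINATIONS = {"198.51.100.20"}


def find_beacons(flows, min_connections=6, max_jitter=0.15, known=KNOWN_DESTINATIONS):
    """Return one finding per (src, dst, port) series that has at least
    min_connections connections whose inter-arrival times are nearly constant.
    jitter = pstdev(intervals) / mean(intervals): 0.0 is perfectly periodic,
    human-driven traffic is usually well above 1.0."""
    series = defaultdict(list)
    for ts, src, dst, port, size in flows:
        if dst in known:
            continue
        series[(src, dst, port)].append((ts, size))

    findings = []
    for (src, dst, port), samples in series.items():
        if len(samples) < min_connections:
            continue
        samples.sort()
        stamps = [ts for ts, _ in samples]
        sizes = [size for _, size in samples]
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(samples),
                "interval_s": avg,
                "interval_jitter": jitter,
                # A second, independent signal: check-ins with no new orders
                # tend to carry the same few bytes every time.
                "size_jitter": pstdev(sizes) / mean(sizes),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every {hit['interval_s']:.0f}s x{hit['connections']} "
              f"(interval jitter {hit['interval_jitter']:.3f}, "
              f"size jitter {hit['size_jitter']:.4f})")
```

Real deployments would feed this from NetFlow or proxy logs and widen the allowlist from asset inventory; the threshold values here are starting points, not tuned numbers.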

The intelligence community is said to be still investigating after it first detected the Chinese spying effort, some three years after it first opened a probe. The investigation is believed to be classified — and no U.S. intelligence official has yet spoken on the record, even to assuage fears.



from Apple – TechCrunch https://ift.tt/2IDlhvi

Someone recreated Apple’s new campus with 85,000 LEGO bricks and it’s excellent

2018 has been a good year for ridiculous, gargantuan LEGO builds. Just weeks ago, there was that life size, driveable LEGO Bugatti.

Now someone has gone and built a mega-sized recreation of Apple’s new Cupertino “spaceship” campus – otherwise known as Apple Park.

Coming in at roughly 85,000 pieces, the build took designer Spencer_R a little over two years to complete, with many of those hours spent poring over drone footage of the campus’ construction. At 6.8×4.5 ft, it’s bigger than most kitchen tables. Spencer says it weighs around 78 pounds.

Beyond the massive circular building that serves as the build’s primary feature, tons and tons of tiny details accent the brick canvas: it’s got the glass-walled Steve Jobs Theater, the hundred-year-old Glendenning Barn that was disassembled and rebuilt on the property, the employee parking garages, the visitor center, and even some tiny employee basketball/tennis courts for good measure.

Oh, and trees. Lots, and lots, and lots of trees. 1,646 trees in all, by Spencer’s count.

This is hardly Spencer’s first time recreating a mega building — he’s done custom creations of everything from the Eiffel Tower to the Rockefeller Center. With that said, he notes that Apple Park is “nearly as large as all of [his] other LEGO skyscraper builds combined.”


For more build details, you can tap through Spencer_R’s gallery/build notes here. Thank you to Fabrizio Costantini for letting us use these photos.



from Apple – TechCrunch https://ift.tt/2CsYfHr

China reportedly infiltrated Apple and other US companies using ‘spy’ chips on servers

Ready for information about what may be one of the largest corporate espionage programs from a nation-state? The Chinese government managed to gain access to the servers of more than 30 U.S. companies, including Apple, according to an explosive report from Bloomberg published today.

Bloomberg reports that U.S.-based server motherboard specialist Supermicro was compromised in China, where government-affiliated groups are alleged to have infiltrated its supply chain to attach tiny chips, some merely the size of a pencil tip, to motherboards which ended up in servers deployed in the U.S.

The goal, Bloomberg said, was to gain an entry point within company systems to potentially grab IP or confidential information. While the micro-servers themselves were limited in terms of direct capabilities, they represented a “stealth doorway” that could allow China-based operatives to remotely alter how a device functioned to potentially access information.

Once aware of the program, the U.S. government spied on the spies behind the chips but, according to Bloomberg, no consumer data is known to have been stolen through the attacks. Even still, this episode represents one of the most striking espionage programs from the Chinese government to date.

The story reports that the chips were discovered and reported to the FBI by Amazon, which found them during due diligence ahead of its 2015 acquisition of Elemental Systems, a company that held a range of U.S. government contracts, and Apple, which is said to have deployed up to 7,000 Supermicro servers at peak. Bloomberg reported that Amazon removed them all within a one-month period. Apple did indeed cut ties with Supermicro back in 2016, but it denied a claim from The Information which reported at the time that it was based on a security issue.

Amazon, meanwhile, completed the deal for Elemental Systems — reportedly worth $500 million — after it switched its motherboard provider away from Supermicro.

Supermicro, meanwhile, was suspended from trading on the Nasdaq in August after failing to submit quarterly reports on time. The company is likely to be delisted.

Amazon, Apple, Supermicro and China’s Ministry of Foreign Affairs all denied Bloomberg’s findings with strong and lengthy statements — a full list of rebuttals is here. The publication claims that it sourced its information using no fewer than 17 individuals with knowledge of developments, including six U.S. officials and four Apple “insiders.”

You can (and should) read the full story on Bloomberg here.



from Apple – TechCrunch https://ift.tt/2IAXKuV

Wednesday, 3 October 2018

Apple’s Tim Cook talks privacy, user data in China and banning Alex Jones

Notoriously secretive on one hand, Apple has never been one to shy away from speaking its mind on matters of principle. During this current period of societal tumult, the $1 trillion company has more to answer for than ever.

In a new interview with VICE News Tonight on HBO, Apple chief executive Tim Cook talked about a slew of topics — including privacy, how the company keeps user data safe amid legal challenges and why it decided to ban notorious conspiracy theorist Alex Jones from its platforms.

Vice shared a copy of the transcript with TechCrunch. Here’s what he said:

On privacy, Cook calls for “some level” of regulation

Is the tech industry past the point of no return on matters of privacy?

“I see privacy as one of the most important issues of the 21st century,” Cook told interviewer Elle Reeve. “We’re at a stage now, where more information is available about you, online and on your phone than there is in your house. You know, chances are your phone knows what you’ve been browsing, knows your friends, knows your relationships, has all of your photos.”

“I mean just think about this and the magnitude of information — we take that very seriously,” he said.

Apple has long taken a unique approach to privacy. It doesn’t want your data — unlike advertising giants such as Facebook and Google, Apple doesn’t do anything with your data. But data-hoarding companies have come under fire for misusing or exposing user data. Is it too late to rein in these companies and give the power back to the people, with help from Congress?

“I’m not a pro-regulation kind of person,” he said. “I think some level of government regulation is important to come out of that.” Though, Cook wasn’t specific on what he wanted to see.

Cook didn’t outright name his rivals, but said that Apple takes a “collect as little as possible” approach to product design. That’s not new — Apple has done this for years.

“We’re not forming the detailed profile, and then allowing other companies to buy the opportunity to target you,” he said. “It’s not the business that we’re in.”

Is Apple losing out on the competitive edge as a result — say, for Siri compared to Alexa? “No,” said Cook. He said that the narrative that users have to give up their data to make their service better is “a bunch of bonk.”

For the most part, Apple processes user data on the device so the company never gets to see it.

Privacy is a “human right” — even in China

As a device maker, Apple is about as global as it can get — even in China, where device rivals like Google and other tech giants like Facebook have almost no footprint. But that’s cause for conflict between Apple’s privacy ideals and China’s pro-surveillance state.

Asked if privacy as a human right applies to its business in China, Cook said it “absolutely does.”

“Encryption for us is the same in every country in the world,” he said. “We don’t design encryption for, you know, for the U.S. and do it differently everywhere else, it’s the same. And so to send a message in China, it’s encrypted, I can’t produce the content. I can’t produce it in the United States either.”

Earlier this year, Apple moved its iCloud encryption keys for Chinese users to mainland China to comply with the country’s new vague, confusing and often conflicting cybersecurity rules. That sparked concern because it meant China can now ask Apple’s China-based cloud partner to turn over data on Chinese customers — just like the FBI can force Apple to turn over data in the U.S. Apple had to play ball in order to keep doing business in the country — and China currently makes up close to 20 percent of Apple’s global annual revenue.

Cook defended the move, saying he “wouldn’t” accept that Chinese data stored in China makes it easier for Beijing to access that data.

“I mean we have servers located in many different countries in the world,” he said. “They are not easier to get data from being in one country versus the next. The key question is how does the encryption process work and who owns the keys, if anyone? In most cases for us, you and the receiver own the keys.”

Decision to ban Alex Jones was made “independently”

Some say Alex Jones is the last bastion of free speech. Others call him a dangerous conspiracy theory-pusher who thinks the Sandy Hook school shooting was a hoax.

This year, Facebook banned him, then Twitter and then YouTube — as did tech giants like MailChimp, Spotify and PayPal. Apple remained silent. Jones’ podcasts were still available on iTunes and his apps in the App Store. Until they weren’t.

“We don’t take a political stand,” said Cook. “We’re not leaning one way or the other.” Across Apple’s various platforms, Cook said that users “see everything from very conservative to very liberal.” And, he said, “that’s the way I think it should be.”

Cook didn’t say there was a single moment that sparked the decision, but said that he has “never” had a conversation about Jones with any other tech company.

“Why not?” said Reeve. “But why?” Cook responded. “Because it’s a huge thing!” said Reeve. Cook said that it’s important that Apple makes decisions “independently.”



from Apple – TechCrunch https://ift.tt/2QqEt1X

The Google Assistant gets more visual

Google today is launching a major visual redesign of its Assistant experience on phones. While the original vision of the Assistant focused mostly on voice, half of all interactions with the Assistant actually include touch. So with this redesign, Google acknowledges that and brings more and larger visuals to the Assistant experience.

If you’ve used one of the recent crop of Assistant-enabled smart displays, then some of what’s new here may look familiar. You now get controls and sliders to manage your smart home devices, for example. Those include sliders to dim your lights and buttons to turn them on or off. There also are controls for managing the volume of your speakers.

Even in cases where the Assistant already offered visual feedback — say when you ask for the weather — the team has now also redesigned those results and brought them more in line with what users are already seeing on smart displays from the likes of Lenovo and LG. On the phone, though, that experience still feels a bit more pared down than on those larger displays.

With this redesign, which is going live on both Android and in the iOS app today, Google is also bringing a little bit more of the much-missed Google Now experience back to the phone. While you could already bring up a list of upcoming appointments, commute info, recent orders and other information about your day from the Assistant, that feature was hidden behind a rather odd icon that many users surely ignored. Now, after you’ve long-pressed the home button on your Android phone, you can swipe up to get that same experience. I’m not sure that’s more discoverable than previously, but Google is saving you a tap.


In addition to the visual redesign of the Assistant, Google also today announced a number of new features for developers. Unsurprisingly, one part of this announcement focuses on allowing developers to build their own visual Assistant experiences. Google calls these “rich responses” and provides developers with a set of pre-made visual components that they can easily use to extend their Assistant actions. And because nothing is complete with GIFs, they can now use GIFs in their Assistant apps, too.

But in addition to these new options for creating more visual experiences, Google is also making it a bit easier for developers to take their users’ money.

While they could already sell physical goods through their Assistant actions, starting today, they’ll also be able to sell digital goods. Those can be one-time purchases for a new level in a game or recurring subscriptions. Headspace, which has long offered a very basic Assistant experience, now lets you sign up for subscriptions right from the Assistant on your phone, for example.

Selling digital goods directly in the Assistant is one thing, but that sale has to sync across different applications, too, so Google today is also launching a new sign-in service for the Assistant that allows developers to log in and link their accounts.

“In the past, account linking could be a frustrating experience for your users; having to manually type a username and password — or worse, create a new account — breaks the natural conversational flow,” the company explains. “With Google Sign-In, users can now create a new account with just a tap or confirmation through their voice. Most users can even link to their existing accounts with your service using their verified email address.”

Starbucks has already integrated this feature into its Assistant experience to give users access to their rewards account. Adding the new Sign-In for the Assistant has almost doubled its conversion rate.


from Android – TechCrunch https://ift.tt/2PcFL0E
via IFTTT

Apple’s Tim Cook is sending a privacy bat-signal to US lawmakers

Apple’s CEO Tim Cook has today been announced as the keynote speaker at a European data protection conference taking place in Brussels later this month — at a time when US lawmakers are asking tech giants outright if they’ll support “EU-like” privacy rules to shield US consumers from platform power.

For a week this month Europe’s data protection commissioners will gather to discuss the bloc’s shiny new privacy framework, GDPR, and what comes after it. They will also gather to listen to Cook talking on the theme of data ethics.

It’s a topic the Apple CEO has been speaking out about publicly for years.

Just this week, in an interview on US television, he couched privacy as “one of the most important issues of the 21st century” — describing it as a human right, and saying he supported “some level” of regulation, even as he professed himself “not a pro-regulation kind of person”.

Privacy is too important to keep being screwed with — or screwed over — was his clear subtext.

In a few weeks’ time Cook will literally stand alongside the architects of Europe’s GDPR, talking up privacy and ethics at the center of a Union whose founding charter grants its citizens data protection as a fundamental right.

The signalling is clear.

While Apple might so far have fallen just shy of calling for a full copy-paste of GDPR-level data protections into US law, there’s perhaps an element of strategic caution at play that’s moderating its plain-text political messaging.

Because the company’s actions from all other angles show Apple consistently defending privacy rights in a big data ethics fight that’s pitting Europe against a small number of powerful US adtech giants whose ‘best’ argument in defence of the unethical stuff they’re doing is they need to ‘keep up with China’ — a country that neither respects human rights nor privacy…

These same self-interested adtech giants are now, of course, hard at work lobbying US lawmakers that big data is a tenet of tech faith — when it really doesn’t have to be that way.

Privacy-respecting data-based innovations are both possible and available. The father of the World Wide Web thinks so — and is now doing a startup to make it so. And Apple’s business is an incredible testament to the power of putting people in control of technology, not vice-versa.

Apple is also a testament to how handsome a profit can be turned from privacy.

At a recent Senate hearing to discuss how the US should approach setting a federal privacy law, its VP of software technology, Bud Tribble, summed up the company’s position as: “We want your device to know everything about you but we don’t think we should.”

It’s notable that no other tech giants can make that claim. Not Amazon, not Facebook, not Google.

These platforms fall awkwardly silent when faced with questions about data ethics.

Nor can they comfortably stand on a public podium and discuss what does and does not produce “a result that’s great for society”, as Cook can. They have to invent their own ludicrous measures — like ‘relevant ads’.

Frankly speaking, if that’s your price for giving up on human rights you really are selling out.

So it’s left to Apple to send out the privacy bat-signal.

Let’s just hope the lawmakers are watching. Because the lobbyists are busy whispering.



from Apple – TechCrunch https://ift.tt/2ybv4UN