Does it seem a little odd for the 5 eyes to be weighing in while the us gov is silent? I am not sure how to read this but it is weird. I have never seen them make a public statement on a hack in a way specific to specific companies (and not others mentioned in the bloomberg article).
Even if taken at face value, it can only mean 2 things. 1. They already, thouroughly investigated it (draw your own conclusions what they found or any involvement) or 2. They just issued an official statement without possibly having the time to investigate the merits of the accusation. This not only doesn't pass the sniff test, its evidince of yet another turd on our lawn.
> Does it seem a little odd for the 5 eyes to be weighing in while the us gov is silent?
Chances are, American intelligence has been running counterintelligence operations through this network. That leaves lots of people in American intelligence who would prefer this remain a secret, without a similar restriction elsewhere.
The big question is whether it's your neighbor's turd or your neighbor's dog's turd.
Re: 1, if they investigated it then that means that "it" was something in the first place thus warranting the investigation.
Re: 2, that's the kind of thing you do when you need to inject uncertainty into the situation to buy yourself or your buddies time to tie up loose ends/burn evidence/figure out what story they'll tell the politicians.
I don't think this is feasible. They are 100% going to get caught with this tactic. If they were guilty in the way you guess, I think the likely response would be to muddy the waters with FUD and create lots of confusion.
It could also be possible that these companies are legally bound by some sort of investigation-related order to maintain ignorance to the presence of the chips and that Bloomberg have just sunk an ongoing investigation/counter-espionage operation, potentially putting an associated intelligence network at risk.
There is plenty of precedent for the US government issuing national security letters (“NSLs”) containing gag orders for ongoing investigations, often with massive monetary penalties imposed for violations.
Unless the fine is implemented as a percent of revenue, market cap or the like. Similarly, the US government once threatened to fine Yahoo $250k per day for non-compliance with PRISM. [0]
As an aside, what do you think is draconian about such a law? It seems like there are reasonable arguments for why it would be in the national best interest to keep an ongoing investigation classified. In fact it seems like an unusually straight forward application of the cliche justification “for national security reasons.”
"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."
talks about Congress, not an executive branch. the latter can gag a person, or a company.
The First Amendment applies to all three branches of the government, not just Congress. The executive branch can attempt to obtain a gag order, but the 1st Amendment nonetheless places limits upon them.
Which Yahoo shareholders would be irate about, and the Yahoo corporation could not trivially afford to throw away regardless. That would have destroyed about 1/4 of Yahoo's profit at the time.
That would be bad enough, however the next step by the government would be to increase the fine amount, were Yahoo to hold out over time. Kick it up to $1 million per day and Yahoo would have folded no matter what. The problem is pretty straight forward: the government could push it as high as necessary to compel the result they wanted.
> There is plenty of precedent for the US government issuing national security letters (“NSLs”) containing gag orders for ongoing investigations
I don't think the U.S. government can compel companies to lie. It can, though, request them to.
If the NSA said "your servers were compromised by a state-sponsored scheme, and we'd like your co-operation in running counterintelligence operations" I think it would be fair for a company to say "yes". Particularly if part of the offer included help extracting infected hardware from said company's infrastructure.
However, the US enforces the Patriot Act that obligates US companies to turn over user data and are further legally obligated to keep the fact secret? Is it that far fetched to think they couldn't be obligated to avoid admitting (explicitly, or implicitly) something that would jeopardise ongoing espionage-related activities?
This seems the most likely scenario to me. The official response definitely does not pass the smell test, and this is the simplest way 5 eyes has to benefit from lying.
They're not "maintaining ignorance"; they're categorically denying it, and in significant detail. Both Apple and Amazon produced essentially bulleted refutations of the story. That's not what you do when you're trying to brush something off.
At this point it's clearly down to Bloomberg / Businessweek to bring more evidence to the table, and support their story further. The other side has entirely put the ball back in Bloomberg's court. Their credibility will be severely thrashed by this if they don't.
Why limit yourself to news agencies? If trustworthiness amounted for anything, nearly all corporations big enough to have a PR department, and all governments would be out of business.
> They're not "maintaining ignorance"; they're categorically denying it
What makes you think the people denying it know about it though? E.g. if the head of Apple security got served an NSL, wouldn't that potentially prevent them from telling the company lawyers or the executive team?
It's a curious forum we're on where on one day there are jiggabytes spilled over how journalists get technical things wrong and on another, they're so reliably accurate, technology organizations making the case reporting on them is inaccurate must have been infiltrated by men in black and have had hapless employees flashed with a neuralyzer.
It's not an 'unsubstantive' comment. There is a very large section of users who are ardent believers in the 'Gell-Mann amnesia' effect. There are also seemingly many, many users, as the one I'm replying to and many who've posted similar, highly voted comments on this thread whose explanation for the discrepancies between the reporting on this story and the company responses amount to (in my view) to MiB but with different acronyms. I find that curious. Maybe you don't, maybe you think those users don't overlap much or at all, that's fair enough. But 'things people find curious about HN that you think maybe aren't' is not 'unsubstantive' so get of my case, oppressor!
This is a rare instance where I agree that 'dang has jumped the gun. I don't see how your comment is insubstantial either, and I think HN's weird relationship with the news media is worthy of comment. No reasonable person reads the comment above to mean "literally everyone on HN has inconsistent beliefs about the press".
> HN's weird relationship with the news media is worthy of comment
If I had said something about trusting Bloomberg or the media then sure. But that’s a completely different topic that’s not even remotely related to whether Apple’s denials on potential NSL issues are reliable.
How are those two topics not intimately related? The question of how reliable Apple's employees are is only relevant to the extent that you believe Bloomberg's reporters were competent in sourcing the story.
The trouble with incurring Dan's wrath is that he's right 99% of the time. That gives the impression that he's omniscient and benevolent, since 99 out of 100 random people will back his decisions.
That puts those of us in the 1% in a terrible position. It's difficult to even figure out whether you did something wrong. And if you conclude that – against the odds – you seem to be innocent, what do you do?
Dan has also given the impression that the community stands by his decisions. This is often not true, but he uses software tricks to make it appear true. As an example, he often flags comments manually, which immediately and unconditionally kills them and marks them as [flagged]. You can tell he does this, because it says [flagged] rather than [flagged] [dead]. I have been quietly gathering evidence for some time now: https://imgur.com/a/2GwVibp
The worst part is, all attempts at trying to discuss the situation are ruthlessly rejected. And since you're bucketed into the same category as some very unsavory people, no one who cares will side with you. And all the rest don't care.
https://news.ycombinator.com/item?id=18153219 Not 30 minutes ago, I tried – for the dozenth time – to extend an olive branch and agree to focus on the site's goal of gratifying intellectual curiosity. It was immediately rejected.
As someone who is trying to write a book on Lisp, this must be the ultimate proof that the site is no longer about attracting bookish people. That may have been the original aim, but HN is now intended to be an entertainment site. If your comments do not entertain, expect to be hit. Hard. And the surest way to not entertain is to comment about social issues.
Dan also likes to frame his moderation decisions as reasonable, and will go to great lengths to make them seem that way. For example, all of my accounts were banned two weeks ago, for three months. Dan called this a "probation", which is precisely the opposite of what probation is. He also said that it was possible to continue using HN, since there is a fine vouching system that will grab the good comments.
Very few people read dead comments. I know. I've measured. Effectively, if you're hellbanned, you're screwed. But you turn out to be screwed for a subtle but important reason: It's impossible to post more than two comments every 5 hours. This is a sharp increase from the old limit of five comments every three hours. And if you have made any comment within the last 5 hours, you cannot submit anything. Any attempt to do so will be met with "You're posting too fast. Please slow down. Thanks."
HN also uses many tricks that make it appear the community is against you, when in fact it is the software. For example, I am reasonably certain that there exists a setting which will automatically downvote your comments in certain circumstances. Such a setting has the uncomfortable effect that it is completely impossible to present any evidence of it without appearing to be completely unhinged.
All of this is to say:
Thanks, now I'm regretting not going with the pithier 'ur mom has 5M monthly users' a little less.
Please don't regret having original thoughts. HN is in the terrible position of having so much inertia that it no longer matters whether a moderator is behaving badly, or whether he is using software tricks to make it seem like the community is on his side. And since he is the de facto leader of HN, there is much to gain by being on his side, and much to lose by speaking out.
And again, 99% of his decisions are correct. But when he makes 100 decisions a day, there are a growing number who are the recipient of harsh actions with no recourse. Any attempt at pointing this out is quickly and immediately silenced, and used as evid...
One other software trick: Certain comments and certain accounts are marked unvouchable. You would never know this from the outside. https://imgur.com/5GMh3Nw
(For example, this one: https://news.ycombinator.com/item?id=18076424 I'm not saying it was a good comment, just that the mods do have that power and that they do exercise it, further giving the appearance that the community is on their side.)
EDIT: Note that I tried to edit my comment below (posted as shawn), but a side effect of making a comment unvouchable is that it becomes un-editable. My edit was dropped. Here it is:
To recap my points for anyone who is listening:
- Many comments that are [flagged] are not in fact flagged by the community, but manually, by Dan.
- When you are banned, it is no longer possible to use HN: All of your comments start at the very bottom, and very few people know what `showdead` even is, let alone use it. You cannot submit more than two comments every five hours. And if you have submitted any comment, you cannot submit any stories.
(Obviously, that's the point of a ban, but Dan likes to pretend that the vouch system is in place to catch just such an occurrence. That leads me to my final point:
- Some of the comments that are [dead] are unvouchable. If you try, the software will simply register your vouch but do nothing. This further cements the impression that the community is on their side.
Note how tremendously difficult it is to even let anybody know what is going on, let alone to do anything about it. This is no coincidence; HN has apparently gone to great lengths to ensure that it is just so.
Except, it's not HN doing this. It appears to be one person.
I may as well chime in. If anyone is curious what got me banned, it was for saying "I don't see much hatred on /r/braincels, just a lot of depressed men." Specifically, I was rate limited; I emailed three times asking why, and then promised not to write about such topics in the future in exchange for being un-rate limited. These were all ignored. When I tried to ask why in public, I was banned for 3 months. Presumably this sentence was pulled out of a hat.
When all attempts fail to ask reasonably and to act reasonably, what do you do? I don't know. But there is a reason the mods insist you email all questions to hn@ycombinator.com – if people were free to post about HN, much of the bad behavior would come to light.
FWIW, I was shocked that this seems to be the situation. But times have clearly changed.
If anyone wants to discuss what an alternative site might look like, you can reach me at shawnpresser@gmail.com. A few people have, but many of them are people who deserve to be banned.
I had to use a combination of Tor and multiple accounts to post this many times in quick succession. This loophole will probably be shut off. It's already difficult to create new accounts via Tor, since their recaptcha implementation doesn't work via Tor. (Or at least it didn't; I haven't checked in a few weeks.)
Let this be a warning: Your dictator had better stay benevolent. In modern times, it's easy to get the impression that the only places worth speaking on are HN and Reddit. Surprise: YC controls both. That gives certain people tremendous power; till now, they have acted reasonably with it, but that appears to no longer be the case.
Apart from that not being remotely what's being said, HN is not one person, it's a lot of different people with different opinions, commenting on different articles.
I'm not sure what is 'remotely not being said' and I have some vague understanding of the idea HN is not one person.
But there are definitely two (among many) strong tribes of HN-popular belief - let's call them the Gell-Mannicheans and the National Security Epistoleros. It's weird (to me) that they rarely meet in threads on stories concerning both! That could be because they live in different timezones or have different interests. It could be that the Epistoleros are just that much more numerous or that for some people epistolerism trumps gell-mannicheism. Or something else altogether. I find it a curious thing to observe and think about - it's not some underhanded 'zomg lolz, I have caught you in logic error' comment.
How is "we have found no evidence of..." categorically denying? They're doing exactly what parent says, turning a blind eye to it, and "truthfully" saying they haven't seen anything amiss.
The story claims that the Apple worked with the FBI to investigate the issue, and Apple is saying no such cooperation ever happened. There really is no way to square these two sides; somebody is either wrong or lying.
I have reason to believe that Apple and Amazon (and intelligence agencies) silo some data internally on a need-to-know basis wherever possible. A leaker shouldn’t be capable of leaking everything.
So not one of the fifteen Bloomberg sources knew about any kind of gag order or reason for Apple/Amazon to deny these claims? Just saying that seems unlikely.
Sure, but it wouldn't make sense to only relay the gag order to a subset of people who were aware of an incident - that would add risk and defeat the purpose of the risk-mitigating silos that you're suggesting.
> Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.
Which is actually what Reddit did with their annual transparency report. They said something along the lines of "if we haven't been gagged, we'll explicitly tell you we haven't been gagged. Otherwise..."
If the government can compel one kind of speech, it's not hard to compel others. They don't even have to make a a brand new rule for this. The companies have stated they use this technique to get around the gag order.
Judges aren't compilers who will faithfully follow all the rules as written down without deviation. They at specifically empowered to make decisions in light of new evidence, so why wouldn't they force companies to actively like if they are already adding exceptions to the first amendment?
That is a commonly accepted position. As any prosecutions under an NSL would presumably be kept secret in order to keep the NSL itself secret, I strongly suspect that governments in general will take a dim view of such loopholes. The aforementioned secrecy means you are unlikely to find out.
Yes, it's not really backing them any more than the equally non-committal statement from the Norwegian National Security Authority is. The Reuters headline is not borne out by its article.
"We have no reason to doubt" is not a weasel statement. "At this stage" is a weasel statement, but only in the sense that it means "We haven't investigated this or seen any evidence ourselves, and until we do we'll go with the line taken by Apple and AWS."
This can be taken as meaning "The US has given us details and asked us to deny them" - which makes no sense, IMO.
Or "The US has given us no details" - which is rather more likely.
Nobody said it was a weasel statement. Nobody said it was their job to back these companies. The claim is that, counter to the title, they have not backed these companies.
If I might don the tinfoil cap, this is a mighty fine time to bring negative light onto CN, with Dragonfly stirring the pot and a testimony from Google's CEO next month.
I'm not sure this is necessarily a point in Apple and Amazon's favor. Also, as another comment here mentions, the "backing" in the title seems stronger than GCHQ's actual statement.
A cowworker remarked to me earlier today that the denials don't matter, true or false the story serves a domestic US purpose in distracting from $OTHERNEWS (in this case the kavenaugh circus)
Just to clarify your sentence, do you mean "far more inclined to believe China did spy on Apple/Amazon, etc"? Or you're far more inclined to believe Apple/Amazon, etc?
“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,”
"The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us"
Easy to say if they cleaned up the evidence. What's convenient about recalling servers is that they're all neatly lined up in racks in datacenters, making them easy to pull out and replace. Supermicro would have lists of affected serial numbers, allowing them to take them back and make sure there aren't any samples lingering around for independent analysis.
I heard this on NPR [1] and thought it was interesting and hadn't seen it in these articles on HN:
> When [Bloomberg] asked China's foreign ministry for a response, a lot of times they'll say things like, you're crazy; we know nothing about this. Their response was a little more nuanced and contextual in the environment we're in now. Basically they said, we are a victim of these kinds of attacks, too. And, you know, they're right. The U.S. government - it's very, very good at these kinds of hardware attacks.
Supporting evidence for Bloomberg's claim: NSA interdiction of US export shipments [2].
Are you saying the NSA bribed manufacturers in China to add these to boards - so Americans would discover then and accuse the Chinese government of espionage? Is this the stick to the tariff's carrot?
Remember, astronauts couldn't have met aliens on the moon, if the moon landings were faked.
Or maybe just those manufacturers doing their online shopping and accidentally bought those kind of comprised chips.
Yes, you can actually buy the similar looking chip on Taobao.com by searching HHM1523C1[0] or HHM1526[1]. Some vendors even claims the chips they're selling are "Imported, 100% legit".
And, of course there can be another interpretation: We (China) bugged your server, because you (the U.S.) bugged ours first.
The water is so muddy right now, maybe wait for more information?
No, I am not. I'm saying that China's foreign ministry's response sounds a little like they're saying "we are [merely] retaliating in kind." NSA has been caught adulterating computers in export interdictions and maybe this is us catching China up to the same.
I didn't bring up trade wars at all, I don't think it's necessarily related (this kind of tradecraft was likely in the works for much longer than recent trade disputes).
So plain old espionage, executed for whatever the needs of the day might be.
The fact that NSA could do it supports at least a strong possibility that the Chinese could do the same on their soil. It’s crazy to waste such excellent attack vectors, especially when Supermicro is a American and not a Chinese company.
It seems unlikely that Amazon would not detect attempts to reach unauthorized IP addresses. If you’ve used AWS security groups, you know that you can specify what IP ranges your machines can access. While many customers aren’t locking this access down, I’m fairly certain Amazon knows exactly what they are doing on the AWS systems they use.
Detecting such attempts on a brand new system would spur them to identify the source. They’d have found that chip, most likely.
that would actually explain the strong denials and involvement of UK spy agency. being caught with NSA chips in servers would be far worse for Apple than with chinese chips.
I am pretty sure some security issues did happened else supermicro would have definitely sued the reporters by now. But then the mild response by US government and the FBI in general means that the so called attack wasn't as sophisticated as claimed by Bloomberg.
On the other side of the coin, it’s possible that they have a vested interest in keep in this quiet as it would bring attention to their own practices.
Funny how this story comes out shortly after Apple announced you can’t fully repair the newest MacBook pros and iMac pros without their software for “security sake”.
Coincidence? Yeah probably, and very tin-foil hat, but who knows?
There is a TON of counterfeit Apple service parts on the market. This is the result of the only real source of parts being pulls from recycled units, and Apple has this neat "recycle initiative" requiring subcontractors SHRED everything and provide detailed protocols of destruction.
Most counterfeits differ in lower quality, not gorilla gorilla glass, lower brightness not quite actual white backlight, non IPS IPS LCDs, 7 year old 4 times repackaged "brand new" batteries etc.
There are also replacements with straight up fake, dummy plastic parts thrown in, for example https://www.youtube.com/watch?v=TalLpLWaOV4. It becomes real brand problem when Staples "fixes" your product using scam parts.
But there are also a ton of people using real or just as good parts to repair their macs. Those people, who can’t afford a non-warranty repair at Apple, will be hurt the most.
It’s especially true in east Asia. Yes, there are plenty of counterfeits, but there are also plenty of legitimate ones too.
98 comments
[ 3.1 ms ] story [ 135 ms ] threadEven if taken at face value, it can only mean 2 things. 1. They already, thouroughly investigated it (draw your own conclusions what they found or any involvement) or 2. They just issued an official statement without possibly having the time to investigate the merits of the accusation. This not only doesn't pass the sniff test, its evidince of yet another turd on our lawn.
Chances are, American intelligence has been running counterintelligence operations through this network. That leaves lots of people in American intelligence who would prefer this remain a secret, without a similar restriction elsewhere.
Re: 1, if they investigated it then that means that "it" was something in the first place thus warranting the investigation.
Re: 2, that's the kind of thing you do when you need to inject uncertainty into the situation to buy yourself or your buddies time to tie up loose ends/burn evidence/figure out what story they'll tell the politicians.
a) officially deny anything happend
b) unofficially shift the blame to China
Whatever happens, my popcorn is ready.
"Nothing to see here - move along!" while thinking of a new means to hide this stuff in the server hardware...
As an aside, what do you think is draconian about such a law? It seems like there are reasonable arguments for why it would be in the national best interest to keep an ongoing investigation classified. In fact it seems like an unusually straight forward application of the cliche justification “for national security reasons.”
[0] https://news.ycombinator.com/item?id=8305925
"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."
talks about Congress, not an executive branch. the latter can gag a person, or a company.
See, for example, https://en.wikipedia.org/wiki/New_York_Times_Co._v._United_S...
That would be bad enough, however the next step by the government would be to increase the fine amount, were Yahoo to hold out over time. Kick it up to $1 million per day and Yahoo would have folded no matter what. The problem is pretty straight forward: the government could push it as high as necessary to compel the result they wanted.
I don't think the U.S. government can compel companies to lie. It can, though, request them to.
If the NSA said "your servers were compromised by a state-sponsored scheme, and we'd like your co-operation in running counterintelligence operations" I think it would be fair for a company to say "yes". Particularly if part of the offer included help extracting infected hardware from said company's infrastructure.
If trustworthiness amounted for anything in today's world, all major news agencies would be out of business.
What makes you think the people denying it know about it though? E.g. if the head of Apple security got served an NSL, wouldn't that potentially prevent them from telling the company lawyers or the executive team?
HN has 5M monthly users. Obviously there isn't going to be any consistency.
If I had said something about trusting Bloomberg or the media then sure. But that’s a completely different topic that’s not even remotely related to whether Apple’s denials on potential NSL issues are reliable.
That puts those of us in the 1% in a terrible position. It's difficult to even figure out whether you did something wrong. And if you conclude that – against the odds – you seem to be innocent, what do you do?
Dan has also given the impression that the community stands by his decisions. This is often not true, but he uses software tricks to make it appear true. As an example, he often flags comments manually, which immediately and unconditionally kills them and marks them as [flagged]. You can tell he does this, because it says [flagged] rather than [flagged] [dead]. I have been quietly gathering evidence for some time now: https://imgur.com/a/2GwVibp
The worst part is, all attempts at trying to discuss the situation are ruthlessly rejected. And since you're bucketed into the same category as some very unsavory people, no one who cares will side with you. And all the rest don't care.
https://news.ycombinator.com/item?id=18153219 Not 30 minutes ago, I tried – for the dozenth time – to extend an olive branch and agree to focus on the site's goal of gratifying intellectual curiosity. It was immediately rejected.
As someone who is trying to write a book on Lisp, this must be the ultimate proof that the site is no longer about attracting bookish people. That may have been the original aim, but HN is now intended to be an entertainment site. If your comments do not entertain, expect to be hit. Hard. And the surest way to not entertain is to comment about social issues.
Dan also likes to frame his moderation decisions as reasonable, and will go to great lengths to make them seem that way. For example, all of my accounts were banned two weeks ago, for three months. Dan called this a "probation", which is precisely the opposite of what probation is. He also said that it was possible to continue using HN, since there is a fine vouching system that will grab the good comments.
Very few people read dead comments. I know. I've measured. Effectively, if you're hellbanned, you're screwed. But you turn out to be screwed for a subtle but important reason: It's impossible to post more than two comments every 5 hours. This is a sharp increase from the old limit of five comments every three hours. And if you have made any comment within the last 5 hours, you cannot submit anything. Any attempt to do so will be met with "You're posting too fast. Please slow down. Thanks."
HN also uses many tricks that make it appear the community is against you, when in fact it is the software. For example, I am reasonably certain that there exists a setting which will automatically downvote your comments in certain circumstances. Such a setting has the uncomfortable effect that it is completely impossible to present any evidence of it without appearing to be completely unhinged.
All of this is to say:
Thanks, now I'm regretting not going with the pithier 'ur mom has 5M monthly users' a little less.
Please don't regret having original thoughts. HN is in the terrible position of having so much inertia that it no longer matters whether a moderator is behaving badly, or whether he is using software tricks to make it seem like the community is on his side. And since he is the de facto leader of HN, there is much to gain by being on his side, and much to lose by speaking out.
And again, 99% of his decisions are correct. But when he makes 100 decisions a day, there are a growing number who are the recipient of harsh actions with no recourse. Any attempt at pointing this out is quickly and immediately silenced, and used as evid...
(For example, this one: https://news.ycombinator.com/item?id=18076424 I'm not saying it was a good comment, just that the mods do have that power and that they do exercise it, further giving the appearance that the community is on their side.)
EDIT: Note that I tried to edit my comment below (posted as shawn), but a side effect of making a comment unvouchable is that it becomes un-editable. My edit was dropped. Here it is:
To recap my points for anyone who is listening:
- Many comments that are [flagged] are not in fact flagged by the community, but manually, by Dan.
- When you are banned, it is no longer possible to use HN: All of your comments start at the very bottom, and very few people know what `showdead` even is, let alone use it. You cannot submit more than two comments every five hours. And if you have submitted any comment, you cannot submit any stories.
(Obviously, that's the point of a ban, but Dan likes to pretend that the vouch system is in place to catch just such an occurrence. That leads me to my final point:
- Some of the comments that are [dead] are unvouchable. If you try, the software will simply register your vouch but do nothing. This further cements the impression that the community is on their side.
Note how tremendously difficult it is to even let anybody know what is going on, let alone to do anything about it. This is no coincidence; HN has apparently gone to great lengths to ensure that it is just so.
Except, it's not HN doing this. It appears to be one person.
Judge for yourself, as Dan likes to say: https://news.ycombinator.com/item?id=18054259 (You'll need showdead enabled, of course, which most people don't use.)
When all attempts fail to ask reasonably and to act reasonably, what do you do? I don't know. But there is a reason the mods insist you email all questions to hn@ycombinator.com – if people were free to post about HN, much of the bad behavior would come to light.
FWIW, I was shocked that this seems to be the situation. But times have clearly changed.
If anyone wants to discuss what an alternative site might look like, you can reach me at shawnpresser@gmail.com. A few people have, but many of them are people who deserve to be banned.
I had to use a combination of Tor and multiple accounts to post this many times in quick succession. This loophole will probably be shut off. It's already difficult to create new accounts via Tor, since their recaptcha implementation doesn't work via Tor. (Or at least it didn't; I haven't checked in a few weeks.)
Let this be a warning: Your dictator had better stay benevolent. In modern times, it's easy to get the impression that the only places worth speaking on are HN and Reddit. Surprise: YC controls both. That gives certain people tremendous power; till now, they have acted reasonably with it, but that appears to no longer be the case.
But there are definitely two (among many) strong tribes of HN-popular belief - let's call them the Gell-Mannicheans and the National Security Epistoleros. It's weird (to me) that they rarely meet in threads on stories concerning both! That could be because they live in different timezones or have different interests. It could be that the Epistoleros are just that much more numerous or that for some people epistolerism trumps gell-mannicheism. Or something else altogether. I find it a curious thing to observe and think about - it's not some underhanded 'zomg lolz, I have caught you in logic error' comment.
> That's not what you do when you're trying to brush something off.
It /could/ be what you do if good relations with the Chinese government are crucial to your business (true for both Apple and Amazon).
As for the UK NCSC, it's bizarre that they would comment at all. One possible motivation: eagerness to discover how to use such a backdoor themselves
> “The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us”
> Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.
https://daringfireball.net/linked/2018/10/04/what-businesswe...
Judges aren't compilers who will faithfully follow all the rules as written down without deviation. They at specifically empowered to make decisions in light of new evidence, so why wouldn't they force companies to actively like if they are already adding exceptions to the first amendment?
This is a pretty mild statement, would not say it backs Apple and Amazon.
* https://news.ycombinator.com/item?id=18146242
"Defence will continue to work with the ACSC [Australian Cyber Security Centre] to continue to monitor the situation," the spokesperson said.
http://www.abc.net.au/news/science/2018-10-05/supermicro-mal...
"We have no reason to doubt" is not a weasel statement. "At this stage" is a weasel statement, but only in the sense that it means "We haven't investigated this or seen any evidence ourselves, and until we do we'll go with the line taken by Apple and AWS."
This can be taken as meaning "The US has given us details and asked us to deny them" - which makes no sense, IMO.
Or "The US has given us no details" - which is rather more likely.
If I were cynical, and I am, I could see that Apple aren't telling the whole truth here.
If you don't want to find malicious chips in your servers, don't look. Just destroy the ones you suspect and don't examine them.
“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” "The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us"
This is not backing.
> When [Bloomberg] asked China's foreign ministry for a response, a lot of times they'll say things like, you're crazy; we know nothing about this. Their response was a little more nuanced and contextual in the environment we're in now. Basically they said, we are a victim of these kinds of attacks, too. And, you know, they're right. The U.S. government - it's very, very good at these kinds of hardware attacks.
Supporting evidence for Bloomberg's claim: NSA interdiction of US export shipments [2].
[1] https://www.npr.org/2018/10/04/654518383/bloomberg-reporter-...
[2] https://www.theguardian.com/books/2014/may/12/glenn-greenwal...
Remember, astronauts couldn't have met aliens on the moon, if the moon landings were faked.
Now that's a debate I'd pay to watch.
Yes, you can actually buy the similar looking chip on Taobao.com by searching HHM1523C1[0] or HHM1526[1]. Some vendors even claims the chips they're selling are "Imported, 100% legit".
And, of course there can be another interpretation: We (China) bugged your server, because you (the U.S.) bugged ours first.
The water is so muddy right now, maybe wait for more information?
[0] https://s.taobao.com/search?q=HHM1523C1
[1] https://s.taobao.com/search?q=HHM1526
I didn't bring up trade wars at all, I don't think it's necessarily related (this kind of tradecraft was likely in the works for much longer than recent trade disputes).
So plain old espionage, executed for whatever the needs of the day might be.
Good shit. Chinese government probably love Alex Jones a lot.
https://news.ycombinator.com/newsguidelines.html
Detecting such attempts on a brand new system would spur them to identify the source. They’d have found that chip, most likely.
Coincidence? Yeah probably, and very tin-foil hat, but who knows?
Most counterfeits differ in lower quality, not gorilla gorilla glass, lower brightness not quite actual white backlight, non IPS IPS LCDs, 7 year old 4 times repackaged "brand new" batteries etc. There are also replacements with straight up fake, dummy plastic parts thrown in, for example https://www.youtube.com/watch?v=TalLpLWaOV4. It becomes real brand problem when Staples "fixes" your product using scam parts.
It’s especially true in east Asia. Yes, there are plenty of counterfeits, but there are also plenty of legitimate ones too.