Unless I'm missing something, it appears Mr. Stamos (and others) are refuting the original reporting [1][2] with details from the US CLOUD act [3]. The original reporting did not mention the CLOUD act and only mentioned an upcoming "treaty" or "accord". While it's a reasonable guess that these are related, I fear the Hacker News headline prematurely burns Bloomberg with unsubstantiated opinion that currently holds no more weight than the original reporting.
"Bloomberg, of course, is the publication that published “The Big Hack” in October — a sensational story alleging that data centers of Apple, Amazon, and dozens of other companies were compromised by China’s intelligence services. The story presented no confirmable evidence at all, was vehemently denied by all companies involved, has not been confirmed by a single other publication (despite much effort to do so), and has been largely discredited by one of Bloomberg’s own sources. By all appearances “The Big Hack” was complete bullshit. Yet Bloomberg has issued no correction or retraction, and seemingly hopes we’ll all just forget about it. I say we do not just forget about it. Bloomberg’s institutional credibility is severely damaged, and everything they publish should be treated with skepticism until they retract the story or provide evidence that it was true."
I have seen absolutely no evidence that the story was bullshit. It's clearly unconfirmed and probably shouldn't have been reported for that reason. But there's a difference between unproven and proven wrong. Did I miss some evidence that proved this story false?
I generally believe that the default reaction to a news story should be "it might be true, it might not". The ratio depends on the claim and the evidence. This is an extraordinary claim with mediocre-to-weak evidence, so I'm on the "unlikely to be true" side, but it's hardly an impossible story.
The story is essentially that there was a breakthrough in an effort that everyone in the world is pursuing (hardware supply chain attacks) and then everyone involved behaved as you'd expect them to behave (secretive at first and then defensively once the secret was out). While I don't expect people to believe it, I do expect some evidence if you're going to call it bullshit.
The more fantastic the story, the greater the burden of proof needed to sustain it. It’s never been the public’s burden to disprove a story that no one has ever heard before. And at this point, enough time has passed since the story broke without any evidence being put forth that it’s reasonable for people to think that yes, in fact, the story is likely bullshit.
It is reasonable to think that the story is likely bullshit. It is not, IMO, reasonable to go from that to claiming that it has ruined the credibility of the reporting organization and that you should presume all stories from them are likely false. To come to that conclusion, I believe you need some proof that the reporting was incorrect, not a lack of proof that the story was correct.
When we are talking about national security, the consequences of sources being identified are so high that it is not surprising that Bloomberg is unwilling to provide primary sources.
Trust is the currency of journalism. When journalists make fantastic claims that turn out to be false, it tarnishes the credibility both of themselves and the enterprises that sponsor them and publish their work.
I don't think anyone is actually saying that everything Bloomberg publishes is suspect without exception (the quote above notwithstanding). Nobody would question, based on previous history, a Bloomberg story claiming water is still wet.
Where they do lack credibility now are stories claiming bombshells relating to technology companies.
In this instance we have both Alex Stamos, who knows a lot of inside information and is a well-regarded security expert, and the head of WhatsApp itself both denying the claims. And any time a company or one of its high level representatives makes a material statement of fact, investors are going to pay close attention. If they prove to be wrong, an army of shareholders' attorneys are going to march to court to extract a pound of flesh. If there were even a shred of possibility that these stories were true, these folks -- as well as the leaders at Amazon and Apple implicated in the earlier stories -- would clam up instead of going on the record unambiguously denying the stories.
But this hasn't "turned out to be false". It's unconfirmed and thus very suspicious.
This is an article about an attack so advanced it's generally considered impossible, using the most valuable attack vector in the most important battlefield (see DNI Maguire's hearing answer to the biggest threat facing America) between the world's two superpowers. Would it really be that shocking if, after an initial leak, the US government was able to shut down leaks?
You make good points, particularly around the public denials, and I don't want to debate this any further (I was mostly railing against that ridiculous quote), but I think people are being pretty quick to claim this report is false rather than probably false.
130,000 people worked on the atomic bomb for 6 years in secret - when it comes to matters the government considers crucial to national security (and cutting edge breakthroughs in cyber warfare would certainly qualify), silence can be kept.
these are the same companies that were "shocked" by the snowden revelations. its not a question of "are these databases less secure than advertised, its a question of to what degree are they less secure than advertised. so i think calling the china access a conspiracy theory is too naive
Reporting is not and should not be "innocent until proven guilty". You don't need evidence of bullshit to mistrust a media article, you need lack of validation. If a scientist suddenly discovers a new means of creating fusion, but refuses to release any data about it, no one is going to believe him/her, and no one will fund them either. If they aren't reporting based on facts, they should be reporting at all.
Sometimes reporters can work that transparently, but they can also report stories based on private information, and your only choice is whether to trust that they're telling the truth.
For example, a newspaper will sometimes report things based on anonymous sources. You don't get to know who the sources are. You just have to trust that the newspaper isn't making things up and properly vetted their sources.
Of course, that doesn't mean you immediately start trusting any random reporter or newspaper, but trust is based on track record and reputation, not being transparent about sources in every story.
I'm of the opinion that you need evidence of bullshit if you're going to claim that the reporting organization has lost all credibility. Anonymous sources unwilling to go public is the nature of intelligence community reporting.
If this story is real and sources are made public, people are almost certainly going to jail - some of those sources (if real) had to have security clearances.
I did. I would need a lawyer to better understand what exactly we can extract from those denials, but this is what I can say for sure: all 3 of those companies would be extremely damaged by the public thinking this story is true. AWS considers security to be its single most important job and if the public discourse were to become cloud=supply-chain vulnerability, it would be devastating. This is clearly an existential threat to SuperMicro. I can't say as much about Apple, but from the outside it looks like they believe security/privacy to be one of their core brand strengths. Whether the article is true or false, I would fully expect these companies to minimize the impact of this article to the full extent they are legally able.
I would need a legal opinion to understand if their denials would put them at legal risk were the article to be true (in which case I would be much more inclined to believe their denials) and whether their denials tell us anything about potential government gag orders (if the article is correct about a top-secret investigation, I would imagine they would have legal obligations around what they can say).
I don't want to use false equivalence to make it seem like I believe this article is as likely to be true as not (I think it's unlikely or at least extremely misleading), but everything I can see from my not-so-informed position is consistent with both a true and a false article.
If you remove the word "encrypted" from this sentence in the Bloomberg article:
Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users’ encrypted messages with British police under a new treaty between the two countries, according to a person familiar with the matter.
Then the article matches Stamos's account entirely.
With the word "encrypted," the article makes no sense – it would take legislation to force US companies to build backdoors to encryption, not an international accord.
I agree the HN headline could be better (my fault!) - but my money is on another Bloomberg security reporting error. Hope they actually issue a correction this time...
> With the word "encrypted," the article makes no sense – it would take legislation to force US companies to build backdoors to encryption, not an international accord.
It makes sense if you take it to mean that WhatsApp with share the encrypted messages, without any means to decrypt. It's not a very meaningful statement though, and will only confuse people.
The resolution is simple. Originally, WhatsApp encrypted end-to-end, and they had no ability to examine traffic. Now, it is encrypted between you and the server, decrypted and scanned, and then re-encrypted for transmission.
If you want end-to-end encryption, you will need to use something else.
it would take legislation to force US companies to build backdoors to encryption, not an international accord.
Would it? It might take Congress ratifying a treaty, but at that point doesn't it take the force of law?
ISTR that this has been one of the big arguments over things like the TPP with Investor - State disputes (https://en.m.wikipedia.org/wiki/Investor-state_dispute_settl...) and assorted copyright measures being placed in treaty proposals instead of being addressed legislatively.
"This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the Land" (emphasis added) https://en.m.wikipedia.org/wiki/Article_Six_of_the_United_St...
I’m questioning the journalistic integrity of Bloomberg after the author of the article about the “Big Hack”, with China infiltrating hardware, received a promotion.
Ah, the Peter Principle. But I'm not so sure it will work. Maybe the higher level will allow more editorial decisions, and we've already seen problems there.
Hmm, I think it could be either, depending on whether leadership viewed the author as incompetent. If leadership viewed the author as incompetent, it's the Dilbert Principle. If leadership viewed the author as competent, it's the Peter Principle.
Sorry for a meta comment here, but does anyone enjoy long articles in “Twitter format”? The formatting is ugly, it’s transient, and beholden to a third party’s whims. Much better would be a blog article and a link to it from Twitter.
The writing is usually bad, too, and in a narrow range of style. I suspect these long threads are not read as often as they are favorited by other people hoping the favor will be returned.
Another great opportunity to quote the "Gell-Mann Amnesia Effect" (coined by Michael Crichton).
For those who don't know, Gell-Mann won the nobel prize in physics. He pointed out that whenever you see a news article about a topic you personally know about, the article is always shockingly inaccurate.
The 'amnesia' part is that you immediately forget that every article you have expertise on is hilariously inaccurate, and assume that articles you read are accurate the rest of the time.
Lesson: news articles are written by non-experts trying to sum up some things that they do not understand, and with exceptions I am unaware of, never accurate
Why oh why are people writing long copy in a gazillion tweets instead of anouncing/advertising the article there and then referring to a place more suited for that type of essay?
I get the popularity of Twitter, but I don't see how anyone can think this sort of tweetsalami essay writing can beat having a summary in 1-3 tweets with a reference to a webpage that has the full essay.
60 comments
[ 2.8 ms ] story [ 110 ms ] thread[1] https://www.bloomberg.com/news/articles/2019-09-28/facebook-...
[2] https://www.thetimes.co.uk/article/police-can-access-suspect...
[3] https://www.justice.gov/dag/cloudact
"Bloomberg, of course, is the publication that published “The Big Hack” in October — a sensational story alleging that data centers of Apple, Amazon, and dozens of other companies were compromised by China’s intelligence services. The story presented no confirmable evidence at all, was vehemently denied by all companies involved, has not been confirmed by a single other publication (despite much effort to do so), and has been largely discredited by one of Bloomberg’s own sources. By all appearances “The Big Hack” was complete bullshit. Yet Bloomberg has issued no correction or retraction, and seemingly hopes we’ll all just forget about it. I say we do not just forget about it. Bloomberg’s institutional credibility is severely damaged, and everything they publish should be treated with skepticism until they retract the story or provide evidence that it was true."
Why should anyone believe it true without some kind of proof.
The story is essentially that there was a breakthrough in an effort that everyone in the world is pursuing (hardware supply chain attacks) and then everyone involved behaved as you'd expect them to behave (secretive at first and then defensively once the secret was out). While I don't expect people to believe it, I do expect some evidence if you're going to call it bullshit.
The more fantastic the story, the greater the burden of proof needed to sustain it. It’s never been the public’s burden to disprove a story that no one has ever heard before. And at this point, enough time has passed since the story broke without any evidence being put forth that it’s reasonable for people to think that yes, in fact, the story is likely bullshit.
When we are talking about national security, the consequences of sources being identified are so high that it is not surprising that Bloomberg is unwilling to provide primary sources.
I don't think anyone is actually saying that everything Bloomberg publishes is suspect without exception (the quote above notwithstanding). Nobody would question, based on previous history, a Bloomberg story claiming water is still wet.
Where they do lack credibility now are stories claiming bombshells relating to technology companies.
In this instance we have both Alex Stamos, who knows a lot of inside information and is a well-regarded security expert, and the head of WhatsApp itself both denying the claims. And any time a company or one of its high level representatives makes a material statement of fact, investors are going to pay close attention. If they prove to be wrong, an army of shareholders' attorneys are going to march to court to extract a pound of flesh. If there were even a shred of possibility that these stories were true, these folks -- as well as the leaders at Amazon and Apple implicated in the earlier stories -- would clam up instead of going on the record unambiguously denying the stories.
This is an article about an attack so advanced it's generally considered impossible, using the most valuable attack vector in the most important battlefield (see DNI Maguire's hearing answer to the biggest threat facing America) between the world's two superpowers. Would it really be that shocking if, after an initial leak, the US government was able to shut down leaks?
You make good points, particularly around the public denials, and I don't want to debate this any further (I was mostly railing against that ridiculous quote), but I think people are being pretty quick to claim this report is false rather than probably false.
130,000 people worked on the atomic bomb for 6 years in secret - when it comes to matters the government considers crucial to national security (and cutting edge breakthroughs in cyber warfare would certainly qualify), silence can be kept.
Bloomberg has provided no evidence at all that it is true.
A report that is not supported by any evidence is not just ‘unconfirmed’. It is bullshit plain and simple.
Sometimes reporters can work that transparently, but they can also report stories based on private information, and your only choice is whether to trust that they're telling the truth.
For example, a newspaper will sometimes report things based on anonymous sources. You don't get to know who the sources are. You just have to trust that the newspaper isn't making things up and properly vetted their sources.
Of course, that doesn't mean you immediately start trusting any random reporter or newspaper, but trust is based on track record and reputation, not being transparent about sources in every story.
If this story is real and sources are made public, people are almost certainly going to jail - some of those sources (if real) had to have security clearances.
Can't replicate or check info? Then there's no information to speak about in the first place.
As Bloomberg reported: https://www.bloomberg.com/news/articles/2018-10-04/the-big-h...
Apple: https://www.apple.com/newsroom/2018/10/what-businessweek-got...
Amazon: https://aws.amazon.com/blogs/security/setting-the-record-str...
Supermicro: https://www.supermicro.com/en/pressreleases/supermicro-refut...
I would need a legal opinion to understand if their denials would put them at legal risk were the article to be true (in which case I would be much more inclined to believe their denials) and whether their denials tell us anything about potential government gag orders (if the article is correct about a top-secret investigation, I would imagine they would have legal obligations around what they can say).
I don't want to use false equivalence to make it seem like I believe this article is as likely to be true as not (I think it's unlikely or at least extremely misleading), but everything I can see from my not-so-informed position is consistent with both a true and a false article.
Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users’ encrypted messages with British police under a new treaty between the two countries, according to a person familiar with the matter.
Then the article matches Stamos's account entirely.
With the word "encrypted," the article makes no sense – it would take legislation to force US companies to build backdoors to encryption, not an international accord.
I agree the HN headline could be better (my fault!) - but my money is on another Bloomberg security reporting error. Hope they actually issue a correction this time...
It makes sense if you take it to mean that WhatsApp with share the encrypted messages, without any means to decrypt. It's not a very meaningful statement though, and will only confuse people.
If you want end-to-end encryption, you will need to use something else.
Would it? It might take Congress ratifying a treaty, but at that point doesn't it take the force of law?
ISTR that this has been one of the big arguments over things like the TPP with Investor - State disputes (https://en.m.wikipedia.org/wiki/Investor-state_dispute_settl...) and assorted copyright measures being placed in treaty proposals instead of being addressed legislatively.
"This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the Land" (emphasis added) https://en.m.wikipedia.org/wiki/Article_Six_of_the_United_St...
Edit: fix italics
Such a law already exists in Australia, so I don't think it's out of the question.
https://www.washingtonpost.com/opinions/2019/09/17/bloomberg...
Who downvoted this? It’s true!
https://en.wikipedia.org/wiki/Dilbert_principle
I think my original comment is quite clear.
https://www.businessinsider.com/bloomberg-reporters-compensa...
in such an environment it seems obvious that they're going to stretch stories
For those who don't know, Gell-Mann won the nobel prize in physics. He pointed out that whenever you see a news article about a topic you personally know about, the article is always shockingly inaccurate.
The 'amnesia' part is that you immediately forget that every article you have expertise on is hilariously inaccurate, and assume that articles you read are accurate the rest of the time.
Lesson: news articles are written by non-experts trying to sum up some things that they do not understand, and with exceptions I am unaware of, never accurate
https://en.m.wikipedia.org/wiki/Michael_Crichton#GellMannAmn...
https://threadreaderapp.com/thread/1178308065268920320.html
I find it annoying too, but some people really like twitter/have an established following there.
I get the popularity of Twitter, but I don't see how anyone can think this sort of tweetsalami essay writing can beat having a summary in 1-3 tweets with a reference to a webpage that has the full essay.