In last weekend’s column we discussed Bloomberg Businessweek’s recent, explosive report alleging that Chinese spies had planted surveillance chips on the motherboards of computer servers that ended up inside more than two dozen companies, including Amazon and Apple. Just about all of the parties named in the piece issued strong denials. I urged readers to approach the story with skepticism. “It’s likely there is truth in the piece, but in which parts remains an open question,” I wrote.
A week later, I remain deeply troubled by this story—not because of its substance, but because of its lack of substantiation. It seems a little odd that no one has reported identifying a single one of these spy chips in the wild since Bloomberg’s report appeared, no? Wouldn’t it have been easy for any companies using servers containing components from Supermicro, the company whose products were allegedly backdoored, to send an engineer into a data center, pry open a server, pluck out an offending implant, and reveal China’s alleged subterfuge to the world? Instead, we hear cricket chirps.
While this absence of evidence is not enough to debunk the report, it does raise doubts. Besides, wouldn’t it be easier for spies simply to meddle with Supermicro’s notoriously buggy firmware? This approach would achieve the same results and be far less complicated to pull off logistically. Plus, it would leave no trace.
Further developments related to the report’s publication give me pause. Joe Fitzpatrick, a hardware hacking expert and one of the only named sources in the piece, said he finds the story implausible. The authors have published erroneous cybersecurity reports before. (No one is perfect, but these prior offenses do raise an eyebrow.) Even Rob Joyce, a top National Security Agency official, said he has not found “any ties to the claims that are in the article.” He added: “I worry that we’re chasing shadows right now.”
While we await even the faintest whiff of corroboration, one must acknowledge that this story does not as yet pass the sniff test. For now, I recommend filing the piece under cloak, not dagger.
Have a great weekend.
Robert Hackett
@rhhackett
robert.hackett@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
Facebook hack. Facebook said a recent breach of its network affected 30 million users, 20 million fewer than it estimated when it first announced the incident a couple of weeks ago. The company said the breach exposed more intimate personal information than previously thought: things people searched for, places they had "checked into," demographic, and contact information. Meanwhile, Facebook purged hundreds of accounts it said were spreading misinformation.
Don't answer the phone. A researcher for Google's Project Zero team, a group that hunts for bugs and urges companies to fix them, found a flaw in Facebook's WhatsApp messaging app that could enable an attacker to crash the app simply by tricking someone into answering a video call. Natalie Silvanovich, the researcher, said she discovered and reported the bug in late August. Facebook fixed it by early October. By the way, the company just released Portal, a device that lets you make video calls...
Google minus. Google said it would shutter its social media service, Google Plus, after earlier this year discovering a security vulnerability that could have allowed people to access hundreds of thousands of users' personal information. The Wall Street Journal originally reported this as a "data breach," but walked back this labelling after Google said it found no evidence that people's data were misused. Here is a worthwhile essay that goes over the difference between a breach and a bug, and why such distinctions are important.
An unexpected layover. Federal agents lured a Chinese government spy to Belgium where he was apprehended and transferred to the U.S. He now faces prosecution over economic espionage charges in the states. The accused, Yanjun Xu, a senior officer with China's Ministry of State Security (MSS), is alleged to have stolen trade secrets from aerospace companies. This is the first time a Chinese government spy has been brought to the U.S. to face charges.
C'mon Kanye, you're better than this.
Share today's Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
Jared Goetz was at dinner when someone used his American Express card to buy a $39,000 web domain. Goetz wasn’t too concerned, he told Motherboard in a phone call: He told the American Express fraud department the transaction wasn’t his, but things rapidly got much worse.
Goetz’s cellphone suddenly lost all service, meaning he couldn’t receive or make any calls or texts, or use any online services. Maybe the e-commerce entrepreneur and business coach had forgotten to pay his T-Mobile bill, he thought. After getting back to the hotel, he found someone had changed his T-Mobile password. Then, he discovered he also couldn’t log into his email, the epicentre of his digital life.
FORTUNE RECON
Apple Files Patent to Detect Phone Calls From Spoofed Numbers by Emily Price
How Broadcom Stock Was Hit by a Fake National Security Scare by Aaron Pressman
Rick Gates Requested Proposals From an Israeli Firm to Manipulate the 2016 Election by Natasha Bach
Google Passes on a $10 Billion Pentagon Cloud Contract, Citing Its New AI Principles by Hallie Detrick
Instagram Says It Can Now Detect Cyberbullying in Videos by Emily Price
Police Find Almost $25,000 in Stolen Tequila After It Was Advertised on Social Media by Renae Reints
Apple Watch Series 4 Has a Nasty Bug by Don Reisinger
You Can Now Record a Police Stop With a Siri Shortcut by Lisa Marie Segarra
ONE MORE THING
Greyhat hacking. A hacker has been accessing people's routers in order to patch them, so they cannot be abused by more malicious attackers. The vigilante, who goes by "Alexey," claims to have changed the settings and add firewall protections on more than 100,000 vulnerable MikroTik routers to date. He has apparently received very few "thank you" notes.
