Monday, January 29th 2018

US Lawmakers to Pull Up Intel, ARM, Microsoft, and Amazon for Spectre Secrecy

In the wake of reports surrounding the secrecy and selective disclosure of information related to the Meltdown and Spectre vulnerabilities leading up to the eventual January 3 public release, US lawmakers are unhappy with leading tech firms Intel, Microsoft, ARM, Apple, and Amazon. The five companies, among a few unnamed others, are being pulled up by a House committee over allegations of selective access to vital information, which caught many American companies off guard on January 3. Barring a few tech giants, thousands of American companies were unaware of, and hence unprepared for, Meltdown and Spectre until January 3, and are now spending vast resources to overhaul their IT infrastructure at breakneck pace.

In letters such as this one, addressed to the CEOs of big tech firms, lawmakers criticized the secrecy and selective disclosure of the information needed to safeguard IT infrastructure, which has left thousands of American companies in the lurch, having to spend vast amounts of money securing their infrastructure. "While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," they write.
Source: Tech Republic

35 Comments on US Lawmakers to Pull Up Intel, ARM, Microsoft, and Amazon for Spectre Secrecy

#1
trog100
we have a huge scandal here.. the full ramifications are yet to come out..

trog
Posted on Reply
#2
silkstone
There is no reason for Intel not to work on a fix from Day 1. As it is, they procrastinated and procrastinated and when they finally released something, it's buggy as hell and has to be uninstalled from most systems. Similar story with Microsoft. Good they are being called up.

Not releasing the information, I can understand. Dumping your stock and not working on a fix until much later on in the game is deplorable.
Posted on Reply
#3
RCoon
I believe the news surrounding this indicated that Intel made Chinese companies aware of the flaw before they told US customers.
Posted on Reply
#4
trog100
> RCoon: I believe the news surrounding this indicated that Intel made Chinese companies aware of the flaw before they told US customers.
which of course will bring national security into the equation, making an already messy situation even messier..

trog
Posted on Reply
#5
R0H1T
> RCoon: I believe the news surrounding this indicated that Intel made Chinese companies aware of the flaw before they told US customers.
I believe the concern is wrt the Chinese govt, if they'd known - which is almost a given - about spectre & meltdown before a patch was available then there's a good chance they might have exploited it in the second half of 2017.
Posted on Reply
#6
birdie
What choice did they have? The full fixes have still not been widely deployed three weeks after the details were revealed, and if the vulnerabilities had been made public earlier we'd have had a major, literal industry-wide meltdown, because the affected companies wouldn't have had any protective measures but hackers would have known enough to gain unauthorized access to the affected systems.

I'm only curious why half a year wasn't enough to solve these vulnerabilities, especially Meltdown. It's mind-boggling really.

Also, I wonder how Intel had the insolence to release the Coffee Lake CPUs knowing full well that they were affected. If they had any consistency they should have postponed its release until software/hardware fixes had been deployed/enabled, so that prospective customers knew what [performance losses] they were in for.
Posted on Reply
#7
Chaitanya
Why is Amazon being pulled into this?
Posted on Reply
#8
btarunr
Editor & Senior Moderator
> Chaitanya: Why is Amazon being pulled into this?
Because it's the greatest beneficiary of early info. Smaller companies are temporarily moving their IT setups to "safer" Amazon Cloud while they upgrade their local infrastructure (great opportunity for Amazon to convince them to stay on the cloud instead of spending 'more' money on their own infra). Smells crony.
Posted on Reply
#10
londiste
> birdie: What choice did they have? The full fixes have still not been widely deployed three weeks after the details were revealed, and if the vulnerabilities had been made public earlier we'd have had a major, literal industry-wide meltdown, because the affected companies wouldn't have had any protective measures but hackers would have known enough to gain unauthorized access to the affected systems.
>
> I'm only curious why half a year wasn't enough to solve these vulnerabilities, especially Meltdown. It's mind-boggling really.
>
> Also, I wonder how Intel had the insolence to release the Coffee Lake CPUs knowing full well that they were affected. If they had any consistency they should have postponed its release until software/hardware fixes had been deployed/enabled, so that prospective customers knew what [performance losses] they were in for.
Meltdown fixes have been widely deployed. OSX patches were out in autumn, Linux was trying to get the new kernel out before the embargo was supposed to end on January 9th, same with Microsoft and Windows patches. Spectre... is trickier.

Intel was between a rock and a hard place. They had to do something to counter the Ryzen launch, even if it was half a year late. They just could not wait any longer; the Coffee Lake release was rushed even as it was.
Posted on Reply
#11
birdie
> londiste: Meltdown fixes have been widely deployed. OSX patches were out in autumn, Linux was trying to get the new kernel out before the embargo was supposed to end on January 9th, same with Microsoft and Windows patches. Spectre... is trickier.
>
> Intel was between a rock and a hard place. They had to do something to counter the Ryzen launch, even if it was half a year late. They just could not wait any longer; the Coffee Lake release was rushed even as it was.
The first Linux kernel to contain a fix was 4.14.11 and it was released on January 3, 2018. Microsoft released its Meltdown patches even later than that.

So, who are you trying to BS here?
Posted on Reply
#12
londiste
> birdie: The first Linux kernel to contain a fix was 4.14.11 and it was released on January 3, 2018. Microsoft released its Meltdown patches even later than that.
>
> So, who are you trying to BS here?
What do you mean, BS?
Embargo on Meltdown and Spectre was meant to end on January 9th.
For meltdown patches, Linux had a new kernel out on 3rd as you said, Microsoft released Windows 10 patches on 4th and Windows 7/8 got patches on 9th as initially planned.
Posted on Reply
#13
Prince Valiant
> birdie: What choice did they have? The full fixes have still not been widely deployed three weeks after the details were revealed, and if the vulnerabilities had been made public earlier we'd have had a major, literal industry-wide meltdown, because the affected companies wouldn't have had any protective measures but hackers would have known enough to gain unauthorized access to the affected systems.
>
> I'm only curious why half a year wasn't enough to solve these vulnerabilities, especially Meltdown. It's mind-boggling really.
>
> Also, I wonder how Intel had the insolence to release the Coffee Lake CPUs knowing full well that they were affected. If they had any consistency they should have postponed its release until software/hardware fixes had been deployed/enabled, so that prospective customers knew what [performance losses] they were in for.
Intel telling the US companies first or even at the same time would've been a good idea since Intel is US based. I don't think they're getting out of this unscathed but time will tell.
Posted on Reply
#14
mcraygsx
It's alright, let the CEOs sell their stocks first and consumers will be dealt with when the time comes.
Posted on Reply
#15
londiste
> Prince Valiant: Intel telling the US companies first or even at the same time would've been a good idea since Intel is US based. I don't think they're getting out of this unscathed but time will tell.
Intel did tell US companies as well. This probably went out to a number of companies. In addition to Lenovo and Alibaba articles mention Microsoft, Amazon, ARM (UK) and this is definitely not a conclusive list.
Posted on Reply
#16
First Strike
> silkstone: There is no reason for Intel not to work on a fix from Day 1. As it is, they procrastinated and procrastinated and when they finally released something, it's buggy as hell and has to be uninstalled from most systems. Similar story with Microsoft. Good they are being called up.
>
> Not releasing the information, I can understand. Dumping your stock and not working on a fix until much later on in the game is deplorable.
How do you know Intel did not work on it from Day 1? Did you work there?

The Linux kernel community has been known to be extremely conservative when it comes to performance-degrading patches in the past decade. KPTI, which almost busted the performance of kernel calls, must have been a last resort and a hard choice as hell.
Posted on Reply
#17
silkstone
> First Strike: How do you know Intel did not work on it from Day 1? Did you work there?
>
> The Linux kernel community has been known to be extremely conservative when it comes to performance-degrading patches in the past decade. KPTI, which almost busted the performance of kernel calls, must have been a last resort and a hard choice as hell.
With the considerable resources that Intel can bring to bear, it should not have taken them this long to issue a (buggy/revoked) patch. They either started much later, or did not prioritize the work. Considering the possible ramifications that these exploits can have, there is no excuse for not having a fix by the time it was publicly announced. Furthermore, they released a new series of CPUs all the while knowing that it contained a critical flaw. Intel's behaviour is beyond the pale, and if they were a smaller company, they'd be buried in litigation right now. How many people/companies do you think would have passed over Coffee Lake knowing the security risk? I, for one, would not have purchased a broken CPU and would have spent a little more for an AMD chip.

If you think that Intel didn't factor all of this into their timeline, you are being naive. Intel could have fixed this well before Coffee Lake, and had they done so, it would have negatively affected Coffee Lake sales as they would have had to acknowledge the flaw earlier. They may even have had to go back to the drawing board (at considerable expense) on that chip after the design was finished, causing them to either go over budget or skip a generation. Shareholders would not have been pleased.

Their actions demonstrate that they only care about protecting their corporate interests rather than the consumer . . . Well most of the consumers . . . Their biggest clients were informed well in advance in a bid to keep their relationships in good standing. Hence their appearance in front of the house committee. Corrupt, greedy, unethical, conniving are just a few of the words that come to mind.

In the automotive industry, car makers are forced to issue recalls if a critical defect is found. The only reason that Intel won't be told to do this is because the industry is not as well regulated. I do hope, however, that they get buried in class actions for the next 20 years.
Posted on Reply
#18
ZeDestructor
> silkstone: There is no reason for Intel not to work on a fix from Day 1. As it is, they procrastinated and procrastinated and when they finally released something, it's buggy as hell and has to be uninstalled from most systems. Similar story with Microsoft. Good they are being called up.
>
> Not releasing the information, I can understand. Dumping your stock and not working on a fix until much later on in the game is deplorable.

> birdie: What choice did they have? The full fixes have still not been widely deployed three weeks after the details were revealed, and if the vulnerabilities had been made public earlier we'd have had a major, literal industry-wide meltdown, because the affected companies wouldn't have had any protective measures but hackers would have known enough to gain unauthorized access to the affected systems.
>
> I'm only curious why half a year wasn't enough to solve these vulnerabilities, especially Meltdown. It's mind-boggling really.
>
> Also, I wonder how Intel had the insolence to release the Coffee Lake CPUs knowing full well that they were affected. If they had any consistency they should have postponed its release until software/hardware fixes had been deployed/enabled, so that prospective customers knew what [performance losses] they were in for.

> silkstone: With the considerable resources that Intel can bring to bear, it should not have taken them this long to issue a (buggy/revoked) patch. They either started much later, or did not prioritize the work. Considering the possible ramifications that these exploits can have, there is no excuse for not having a fix by the time it was publicly announced. Furthermore, they released a new series of CPUs all the while knowing that it contained a critical flaw. Intel's behaviour is beyond the pale, and if they were a smaller company, they'd be buried in litigation right now. How many people/companies do you think would have passed over Coffee Lake knowing the security risk? I, for one, would not have purchased a broken CPU and would have spent a little more for an AMD chip.
>
> If you think that Intel didn't factor all of this into their timeline, you are being naive. Intel could have fixed this well before Coffee Lake, and had they done so, it would have negatively affected Coffee Lake sales as they would have had to acknowledge the flaw earlier. They may even have had to go back to the drawing board (at considerable expense) on that chip after the design was finished, causing them to either go over budget or skip a generation. Shareholders would not have been pleased.
>
> Their actions demonstrate that they only care about protecting their corporate interests rather than the consumer . . . Well most of the consumers . . . Their biggest clients were informed well in advance in a bid to keep their relationships in good standing. Hence their appearance in front of the house committee. Corrupt, greedy, unethical, conniving are just a few of the words that come to mind.
>
> In the automotive industry, car makers are forced to issue recalls if a critical defect is found. The only reason that Intel won't be told to do this is because the industry is not as well regulated. I do hope, however, that they get buried in class actions for the next 20 years.
Because it's a really, really hard problem to solve if you're unable to replace the hardware. As for Coffee Lake, there's no realistic way for Intel to fix it. By the time Intel was made aware of the problem, Coffee Lake was already in its ramp phase (fab and stockpile for launch day.. probably already on boats being shipped even). As for how long the patching is taking, I'd like to see you, or any team you can name/assemble, do better than what the major guys have been doing so far. Like I said, really, really hard problem to deal with.

Sure, Intel could issue a recall, then what? Unlike VAG diesel cars and SUVs, you're not talking a few million worldwide, you're talking literal billions of devices.. devices that literally run the world as we speak. Even if Intel had been perfectly willing to swap every single affected chip (meaning literally all of em in use right now), they simply do not have the manufacturing capability to do so, nor do the partner OEMs and ODMs building devices and motherboards.

Evidently though, Intel and partners are most certainly not free of blame: they should have informed tier 2 partners (people like OVH, DigitalOcean, AV vendors and the like) a fair bit earlier in the pipeline, and they should NOT have released patches that needed to be pulled, certainly not as mandatory install ASAP security updates. At the same time though, their hand was being forced by other researchers being on the verge of INDEPENDENTLY discovering the same vulnerability. If other researchers can discover it cleanly and independently, then you can be certain that the evil hackers and attackers are at least as close to discovering it, if they're not shipping malware using it already. Result: the decision was made to ship the buggy patch and hope not too many people get bit by the bugs.
Posted on Reply
#19
silkstone
> ZeDestructor: Because it's a really, really hard problem to solve if you're unable to replace the hardware. As for Coffee Lake, there's no realistic way for Intel to fix it. By the time Intel was made aware of the problem, Coffee Lake was already in its ramp phase (fab and stockpile for launch day.. probably already on boats being shipped even). As for how long the patching is taking, I'd like to see you, or any team you can name/assemble, do better than what the major guys have been doing so far. Like I said, really, really hard problem to deal with.
>
> Sure, Intel could issue a recall, then what? Unlike VAG diesel cars and SUVs, you're not talking a few million worldwide, you're talking literal billions of devices.. devices that literally run the world as we speak. Even if Intel had been perfectly willing to swap every single affected chip (meaning literally all of em in use right now), they simply do not have the manufacturing capability to do so, nor do the partner OEMs and ODMs building devices and motherboards.
>
> Evidently though, Intel and partners are most certainly not free of blame: they should have informed tier 2 partners (people like OVH, DigitalOcean, AV vendors and the like) a fair bit earlier in the pipeline, and they should NOT have released patches that needed to be pulled, certainly not as mandatory install ASAP security updates. At the same time though, their hand was being forced by other researchers being on the verge of INDEPENDENTLY discovering the same vulnerability. If other researchers can discover it cleanly and independently, then you can be certain that the evil hackers and attackers are at least as close to discovering it, if they're not shipping malware using it already. Result: the decision was made to ship the buggy patch and hope not too many people get bit by the bugs.
I call bull$**t.

[Edit] Intel released the information about the security issue to (some) vendors back in June, meaning they likely knew about this well before.
Intel was aware of the issues in at least January 2017: Source
Coffee Lake was announced in Feb 2017: Source
Coffee lake was not released until October 2017: Source

Over a year to fix a critical security bug and still release another flawed processor in the meantime? My original arguments still stand. It would have cost them a tonne of money, but they wouldn't be knowingly selling a product that is essentially broken.
Posted on Reply
#20
ZeDestructor
> silkstone: I call bull$**t.
>
> Intel was aware of the issues in at least January 2017: Source
It takes a while to go from PoC to an actual, workable attack. If you measure strictly by similar attacks, you can go all the way back to 2002 for the first ones using this technique. All were silently mitigated without a big announcement. By the time June came about, KAISER was being quietly released to counter Gruss' particular variant. Problem was that KAISER was incomplete when presented with Horn's more extensive set of attacks, which only came about in June.. and those obviously needed even more patches.
> silkstone: Coffee Lake was announced in Feb 2017: Source
>
> Coffee lake was not released until October 2017: Source
For big chips like CPUs, you can easily finish tape-out a full year ahead of hitting retail. Either way, do you really think anyone, be it Intel, AMD, nVidia, IBM or ARM, would have cancelled their launches?
> silkstone: Over a year to fix a critical security bug and still release another flawed processor in the meantime? My original arguments still stand.
Oh, this is just the beginning mate. There'll be even more attacks that 'sploit hardware features in the years to come: the security industry has just started having fun pwning CPUs, and this is just the low-hanging fruit.

PS: ARM was aware of the CPU faults just as much as Intel, for about as long, and they happily announced the Cortex-A75 on 29 May 2017. These cores haven't even shipped in a real product yet (they will be in 2018) and ARM has not announced that they will be changing the core to mitigate.
Posted on Reply
#21
jaggerwild
Let's face it, anyone trying to use these exploits isn't going after you or me. They are going after bigger fish. I think by waiting as long as possible they saved a few companies from more pain, as the hackers had less time to work on it.
Posted on Reply
#22
silkstone
> jaggerwild: Let's face it, anyone trying to use these exploits isn't going after you or me. They are going after bigger fish. I think by waiting as long as possible they saved a few companies from more pain, as the hackers had less time to work on it.
You think that if someone could write a Java-based program that could steal people's banking information just by visiting a website running the code, they wouldn't?
Even if this turns out to be infeasible, think about where all of your e-mails, backups, etc. are stored.
Posted on Reply
#23
londiste
> silkstone: Intel was aware of the issues in at least January 2017: Source
That is not what your source (or any other source) says. All the dates in that source are January 2018.
Posted on Reply
#24
silkstone
> londiste: That is not what your source (or any other source) says. All the dates in that source are January 2018.
My apologies, reading fail. The article says as early as June. I have read elsewhere January, and Wikipedia states that the CVEs were issued back in Feb: en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#History
It does also mention that Meltdown wasn't (independently) discovered until July.
Posted on Reply
#25
londiste
> silkstone: My apologies, reading fail. The article says as early as June. I have read elsewhere January, and Wikipedia states that the CVEs were issued back in Feb: en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#History
>
> It does also mention that Meltdown wasn't (independently) discovered until July.
Thank you for the link. That wiki article has evolved into a pretty good one :)
That CVE assigning in February is interesting. Wiki has a bit of an error there, these were not assigned to Intel but assigned by Intel as CNA (CVE Numbering Authority). I am really curious about the background though, like who requested those.
Wiki article says it was discovered (or in reality, exploit found) in June by two different teams and again in December by third one. That third one was in the article you originally pointed to - when they went to Intel in December and said they discovered this, Intel responded that they already know (as it has been reported back in June).
Posted on Reply