Monday, January 29th 2018

US Lawmakers to Pull Up Intel, ARM, Microsoft, and Amazon for Spectre Secrecy

In the wake of reports surrounding the secrecy and selective disclosure of information related to the Meltdown and Spectre vulnerabilities leading up to the eventual January 3 public release, US lawmakers are unhappy with leading tech firms Intel, Microsoft, ARM, Apple, and Amazon. The five companies, among a few unnamed others, are being pulled up by a House committee over allegations of selective access to vital information that caught many American companies off guard on January 3. Barring a few tech giants, thousands of American companies were unaware of, and hence unprepared for, Meltdown and Spectre until January 3, and are now spending vast resources to overhaul their IT infrastructure at breakneck pace.

In letters such as this one, addressed to the CEOs of big tech firms, lawmakers criticized the secrecy and selective disclosure of information needed to safeguard IT infrastructure, which has left thousands of American companies in the lurch, having to spend vast amounts of money securing their infrastructure. "While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," they write.
Source: Tech Republic

35 Comments on US Lawmakers to Pull Up Intel, ARM, Microsoft, and Amazon for Spectre Secrecy

#26
ZeDestructor
silkstone: My apologies, reading fail. The article says as early as June. I have read elsewhere January and Wikipedia states that the CVEs were issued back in Feb: en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#History
It does also mention that Meltdown wasn't (independently) discovered until July.
As I said in my earlier reply, they were different vulnerabilities. Meltdown is the easy one to fix (at potentially huge performance cost), but the full Spectre attack wasn't properly discovered until June 2017 by Project Zero. The full set was also independently being fully discovered later in December 2017 to January 2017, which led to the embargo being pulled to earlier.
Posted on Reply
#27
silkstone
ZeDestructor: As I said in my earlier reply, they were different vulnerabilities. Meltdown is the easy one to fix (at potentially huge performance cost), but the full Spectre attack wasn't properly discovered until June 2017 by Project Zero. The full set was also independently being fully discovered later in December 2017 to January 2017, which led to the embargo being pulled to earlier.
Meltdown has yet to be fixed.
Posted on Reply
#28
ZeDestructor
silkstone: Meltdown has yet to be fixed.
Meltdown's basically been fixed if you have the patch installed (it's a fairly simple fix too - just flush the TLB before and after every syscall). Unfortunately, MS bundled it with the other Spectre fixes, and had to pull the patch when it started BSODing machines left, right and center. On my machines, it's working wonderfully. I haven't even observed any real performance losses in everyday use and gaming. I'm sure I could measure perf drops in VMs and such if I could be arsed benchmarking it, but this is my desktop and laptop, not my VM host. As for the VM host, my VM load is so low CPU-wise that I don't even care even if it did have the full 30% penalty. Neither do the cloud providers and users, for the most part: they'll just add as many more machines as they need to maintain their required performance.
Posted on Reply
#29
silkstone
ZeDestructor: Meltdown's basically been fixed if you have the patch installed (it's a fairly simple fix too - just flush the TLB before and after every syscall). Unfortunately, MS bundled it with the other Spectre fixes, and had to pull the patch when it started BSODing machines left, right and center. On my machines, it's working wonderfully. I haven't even observed any real performance losses in everyday use and gaming. I'm sure I could measure perf drops in VMs and such if I could be arsed benchmarking it, but this is my desktop and laptop, not my VM host. As for the VM host, my VM load is so low CPU-wise that I don't even care even if it did have the full 30% penalty. Neither do the cloud providers and users, for the most part: they'll just add as many more machines as they need to maintain their required performance.
The CPU microcode update causes machines to reboot much more frequently, to the extent that it has forced Microsoft to nullify the patch and led many vendors to recommend it not be installed. I wouldn't call that a working fix by any stretch of the imagination, even if it works okay in your particular case.
Posted on Reply
#30
ZeDestructor
silkstone: The CPU microcode update causes machines to reboot much more frequently, to the extent that it has forced Microsoft to nullify the patch and led many vendors to recommend it not be installed. I wouldn't call that a working fix by any stretch of the imagination, even if it works okay in your particular case.
That doesn't touch Meltdown/Spectre 3, only Spectre 1 and 2 (yes, there are 3 vulns in question here). Also, only Spectre 2 needs the microcode update - the other 2 are entirely done at the kernel level.
Posted on Reply
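The post above splits the mitigations by delivery channel: Spectre 2 via microcode, Meltdown and Spectre 1 via the kernel. Linux kernels from 4.15 onward expose the kernel's own verdict on each of the three under /sys/devices/system/cpu/vulnerabilities/, which is the quickest way for an administrator to confirm which mitigations are actually active on a given machine rather than guessing from patch names. The script below is an added example written for this page, not code from any commenter or vendor; it reads those three files, classifies each line, and returns non-zero if anything is still reported as vulnerable. The sample directory it can build with --demo contains constructed status strings, not output from a real system.

```shell
#!/bin/sh
# Summarise the kernel's view of Meltdown / Spectre v1 / Spectre v2 mitigation status.
# Reads the sysfs files Linux 4.15+ exposes under:
#   /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
# The directory is a parameter so the logic can be exercised against a copy.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<file contents>"
# Prints one of: not-affected | vulnerable | mitigated | unknown
classify_status() {
    case "$1" in
        "Not affected") echo not-affected ;;
        Vulnerable*)    echo vulnerable ;;   # "Vulnerable" or "Vulnerable: <detail>"
        Mitigation:*)   echo mitigated ;;    # e.g. "Mitigation: PTI"
        *)              echo unknown ;;
    esac
}

# report_dir <dir>
# Prints "<name> <class> <raw kernel text>" for each of the three entries.
# Returns 1 if any entry is classified as vulnerable, 0 otherwise.
report_dir() {
    dir="$1"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ -r "$f" ]; then
            raw=$(cat "$f")
        else
            raw="(file missing: kernel older than 4.15 or not Linux)"
        fi
        class=$(classify_status "$raw")
        [ "$class" = vulnerable ] && rc=1
        printf '%-10s %-13s %s\n' "$name" "$class" "$raw"
    done
    return $rc
}

# make_sample_dir
# Builds a constructed sample (not captured from a real machine) mirroring a
# kernel that has KPTI for Meltdown but still lacks a Spectre v2 mitigation.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Usage: ./vulnstatus.sh            -> live sysfs
#        ./vulnstatus.sh --demo     -> constructed sample
#        ./vulnstatus.sh <dir>      -> any directory laid out like sysfs
if [ "${1:-}" = "--demo" ]; then
    target=$(make_sample_dir)
else
    target="${1:-$VULN_DIR_DEFAULT}"
fi
if report_dir "$target"; then
    echo "result: no entry reported as vulnerable"
else
    echo "result: at least one entry still vulnerable"
fi
```

Running it without arguments on a live Linux host prints the kernel's own strings, so the output also shows which mitigation technique is in use (PTI, retpolines, IBRS, and so on), not just a yes/no.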
#31
R-T-B
silkstone: The CPU microcode update causes machines to reboot much more frequently, to the extent that it has forced Microsoft to nullify the patch and led many vendors to recommend it not be installed. I wouldn't call that a working fix by any stretch of the imagination, even if it works okay in your particular case.
The microcode fixes have nothing to do with Meltdown.
Posted on Reply
#32
silkstone
ZeDestructor: That doesn't touch Meltdown/Spectre 3, only Spectre 1 and 2 (yes, there are 3 vulns in question here). Also, only Spectre 2 needs the microcode update - the other 2 are entirely done at the kernel level.
I must be getting my wires crossed then. I assumed that as only Intel CPUs were vulnerable to Meltdown the microcode updates were for Meltdown.

Still, the Spectre vulnerabilities have been known for a long time. They informed some vendors back in June, which means that they would have known about them way before then.
Posted on Reply
#33
londiste
silkstone: I must be getting my wires crossed then. I assumed that as only Intel CPUs were vulnerable to Meltdown the microcode updates were for Meltdown.
Microcode updates are for Spectre 2. In desktop space, AMD will get microcode updates for it as well:
www.amd.com/en/corporate/speculative-execution
AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks.
Edit: Now that I read this statement again, isn't that "optional" exactly what Linus was angry about when reviewing Intel patches?
Posted on Reply
#34
Prima.Vera
I want to see fines in the order of dozen of billions! Those crappy corporations deserve all that is coming to them. I hope EU and China will follow the trend.
Posted on Reply
#35
ZeDestructor
Prima.Vera: I want to see fines in the order of dozen of billions! Those crappy corporations deserve all that is coming to them. I hope EU and China will follow the trend.
Why billions, though? The only real missteps Intel, Google and the other partners made were to keep it in absolute secrecy and release some unstable patches... The secrecy, while understandable, should have been relaxed when nearing release, but the patches? Spectre/Meltdown are seriously hard problems to fix without shipping brand spanking new silicon, and to top it all off, any and all software fixes will be inherently unstable dirty hacks that'll have more code added to be less unstable.

Personally, I think that they (meaning Intel, Google, MS, Linux kernel community etc) should take a fine in the 10s to 100s of millions for keeping everyone not involved directly in the dark. Other than that, they handled things passably well on the pure engineering side.
Posted on Reply