
US Lawmakers to Pull Up Intel, ARM, Microsoft, and Amazon for Spectre Secrecy

btarunr

Editor & Senior Moderator
In the wake of reports surrounding the secrecy and selective disclosure of information related to the Meltdown and Spectre vulnerabilities leading up to the eventual January 3 public release, US lawmakers are unhappy with leading tech firms Intel, Microsoft, ARM, Apple, and Amazon. The five companies, among a few unnamed others, are being pulled up by a House committee over allegations of selective access to vital information that caught many American companies off guard on January 3. Barring a few tech giants, thousands of American companies were unaware of, and hence unprepared for, Meltdown and Spectre until January 3, and are now spending vast resources to overhaul their IT infrastructure at breakneck pace.

In letters such as this one, addressed to the CEOs of big tech firms, lawmakers criticized the secrecy and selective disclosure of information needed to safeguard IT infrastructure, which has left thousands of American companies in the lurch, having to spend vast amounts of money securing their infrastructure. "While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," they write.

 
We have a huge scandal here. The full ramifications are yet to come out.

trog
 
There is no reason for Intel not to work on a fix from Day 1. As it is, they procrastinated and procrastinated and when they finally released something, it's buggy as hell and has to be uninstalled from most systems. Similar story with Microsoft. Good they are being called up.

Not releasing the information, I can understand. Dumping your stock and not working on a fix until much later on in the game is deplorable.
 
I believe the news surrounding this indicated that Intel made Chinese companies aware of the flaw before they told US customers.
 
I believe the news surrounding this indicated that Intel made Chinese companies aware of the flaw before they told US customers.

which of course will bring national security into the equation, making an already messy situation even messier.

trog
 
I believe the news surrounding this indicated that Intel made Chinese companies aware of the flaw before they told US customers.
I believe the concern is with regard to the Chinese government: if they'd known (which is almost a given) about Spectre and Meltdown before a patch was available, then there's a good chance they might have exploited it in the second half of 2017.
 
What choice did they have? The full fixes have still not been widely deployed three weeks after the details were revealed, and if the vulnerabilities had been made public earlier we'd have had a major, literal, industry-wide meltdown, because the affected companies wouldn't have had any protective measures but hackers would have known enough to gain unauthorized access to the affected systems.

I'm only curious why half a year wasn't enough to solve these vulnerabilities, especially Meltdown. It's mind-boggling really.

Also, I wonder how Intel had the insolence to release the Coffee Lake CPUs knowing full well that they were affected. If they had any consistency they should have postponed its release until software/hardware fixes had been deployed/enabled, so that prospective customers knew what [performance losses] they were in for.
 
Why is Amazon being pulled into this?

Because it's the greatest beneficiary of early info. Smaller companies are temporarily moving their IT setups to the "safer" Amazon cloud while they upgrade their local infrastructure (a great opportunity for Amazon to convince them to stay on the cloud instead of spending "more" money on their own infra). Smells crony.
 
What choice did they have? The full fixes have still not been widely deployed three weeks after the details were revealed, and if the vulnerabilities had been made public earlier we'd have had a major, literal, industry-wide meltdown, because the affected companies wouldn't have had any protective measures but hackers would have known enough to gain unauthorized access to the affected systems.

I'm only curious why half a year wasn't enough to solve these vulnerabilities, especially Meltdown. It's mind-boggling really.

Also, I wonder how Intel had the insolence to release the Coffee Lake CPUs knowing full well that they were affected. If they had any consistency they should have postponed its release until software/hardware fixes had been deployed/enabled, so that prospective customers knew what [performance losses] they were in for.
Meltdown fixes have been widely deployed. OS X patches were out in autumn, Linux was trying to get the new kernel out before the embargo was supposed to end on January 9th, same with Microsoft and the Windows patches. Spectre... is trickier.

Intel was between a rock and a hard place. They had to do something to counter the Ryzen launch, even if it was half a year late. They just could not wait any longer; the Coffee Lake release was rushed even as it was.
 
Meltdown fixes have been widely deployed. OS X patches were out in autumn, Linux was trying to get the new kernel out before the embargo was supposed to end on January 9th, same with Microsoft and the Windows patches. Spectre... is trickier.

Intel was between a rock and a hard place. They had to do something to counter the Ryzen launch, even if it was half a year late. They just could not wait any longer; the Coffee Lake release was rushed even as it was.

The first Linux kernel to contain a fix was 4.14.11 and it was released on January 3, 2018. Microsoft released its Meltdown patches even later than that.

So, who are you trying to BS here?
 
The first Linux kernel to contain a fix was 4.14.11 and it was released on January 3, 2018. Microsoft released its Meltdown patches even later than that.
So, who are you trying to BS here?
What do you mean, BS?
The embargo on Meltdown and Spectre was meant to end on January 9th.
For Meltdown patches, Linux had a new kernel out on the 3rd as you said, Microsoft released Windows 10 patches on the 4th, and Windows 7/8 got patches on the 9th as initially planned.
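
The two posts above argue about whether the Meltdown fixes are actually deployed, so here is the check a practitioner would run on a given Linux host. This is an added example, not code from the original thread or from any vendor's tooling. It assumes the sysfs layout Linux has exposed since 4.15 (`/sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}` with a status line such as `Mitigation: PTI`, `Vulnerable: ...` or `Not affected`) and the `bugs`/`flags` lines of `/proc/cpuinfo`, where the `pti` flag marks KPTI as enabled. The sample sysfs and cpuinfo contents embedded below are constructed so the script runs offline; on a real host it reads the live files too.

```python
"""Report Meltdown/Spectre mitigation status on a Linux host.

Reads the per-vulnerability status files the kernel exposes under
/sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later) and the
"bugs"/"flags" lines of /proc/cpuinfo, and classifies each entry as
mitigated, vulnerable, not affected, or unknown.
"""
import os
import re

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what the sysfs files look like on an x86 host
# whose kernel has PTI but only a partial Spectre v2 mitigation.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

# Constructed /proc/cpuinfo excerpt for the same host ("pti" flag present).
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 pti\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)


def classify(status_line):
    """Map one sysfs status line to a coarse verdict."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(files=None):
    """Return {name: raw_status}; `files` overrides the live directory."""
    if files is not None:
        return dict(files)
    if not os.path.isdir(SYSFS_DIR):
        return {}
    out = {}
    for name in sorted(os.listdir(SYSFS_DIR)):
        with open(os.path.join(SYSFS_DIR, name)) as fh:
            out[name] = fh.read()
    return out


def parse_cpuinfo(text):
    """Collect the 'bugs' and 'flags' token sets from a /proc/cpuinfo dump."""
    fields = {"bugs": set(), "flags": set()}
    for line in text.splitlines():
        m = re.match(r"^(bugs|flags)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] |= set(m.group(2).split())
    return fields


def report(sysfs=None, cpuinfo=None):
    """Build a verdict per vulnerability plus an explicit KPTI check."""
    statuses = read_sysfs(sysfs)
    if cpuinfo is None:
        try:
            with open("/proc/cpuinfo") as fh:
                cpuinfo = fh.read()
        except OSError:
            cpuinfo = ""
    info = parse_cpuinfo(cpuinfo)
    verdicts = {name: classify(raw) for name, raw in statuses.items()}
    # A kernel too old to have the sysfs entries cannot tell you it is
    # unpatched; say so instead of silently reporting "all clear".
    if not statuses:
        verdicts["_kernel"] = "no sysfs status: kernel predates 4.15 or is not Linux"
    kpti = "pti" in info["flags"]
    meltdown_exposed = "cpu_meltdown" in info["bugs"] and not kpti
    return {
        "verdicts": verdicts,
        "kpti_enabled": kpti,
        "meltdown_exposed": meltdown_exposed,
        "any_vulnerable": meltdown_exposed
        or any(v == "vulnerable" for v in verdicts.values()),
    }


if __name__ == "__main__":
    for label, r in (("this host", report()),
                     ("constructed sample", report(SAMPLE_SYSFS, SAMPLE_CPUINFO))):
        print(label)
        for k, v in sorted(r["verdicts"].items()):
            print(f"  {k:12s} {v}")
        print(f"  kpti_enabled={r['kpti_enabled']} "
              f"meltdown_exposed={r['meltdown_exposed']} "
              f"any_vulnerable={r['any_vulnerable']}")
```

Note that a `Vulnerable:` line with a trailing description (the sample's spectre_v2 entry) still means unmitigated; the text after the colon only says how far the kernel got. The script therefore keys off the leading word, and it treats a missing sysfs directory as a finding in its own right rather than as a clean result.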
 
What choice did they have? The full fixes have still not been widely deployed three weeks after the details were revealed, and if the vulnerabilities had been made public earlier we'd have had a major, literal, industry-wide meltdown, because the affected companies wouldn't have had any protective measures but hackers would have known enough to gain unauthorized access to the affected systems.

I'm only curious why half a year wasn't enough to solve these vulnerabilities, especially Meltdown. It's mind-boggling really.

Also, I wonder how Intel had the insolence to release the Coffee Lake CPUs knowing full well that they were affected. If they had any consistency they should have postponed its release until software/hardware fixes had been deployed/enabled, so that prospective customers knew what [performance losses] they were in for.
Intel telling the US companies first or even at the same time would've been a good idea since Intel is US based. I don't think they're getting out of this unscathed but time will tell.
 
It's alright, let the CEOs sell their stock first, and consumers will be dealt with when the time comes.
 
Intel telling the US companies first or even at the same time would've been a good idea since Intel is US based. I don't think they're getting out of this unscathed but time will tell.
Intel did tell US companies as well. This probably went out to a number of companies. In addition to Lenovo and Alibaba, articles mention Microsoft, Amazon, and ARM (UK), and this is definitely not a conclusive list.
 
There is no reason for Intel not to work on a fix from Day 1. As it is, they procrastinated and procrastinated and when they finally released something, it's buggy as hell and has to be uninstalled from most systems. Similar story with Microsoft. Good they are being called up.

Not releasing the information, I can understand. Dumping your stock and not working on a fix until much later on in the game is deplorable.

How do you know Intel did not work on it from Day 1? Did you work there?

The Linux kernel community has been known to be extremely conservative when it comes to performance-degrading patches in the past decade. This KPTI, which almost busted the performance of kernel calls, must have been a last resort and a hard choice as hell.
 
How do you know Intel did not work on it from Day 1? Did you work there?

The Linux kernel community has been known to be extremely conservative when it comes to performance-degrading patches in the past decade. This KPTI, which almost busted the performance of kernel calls, must have been a last resort and a hard choice as hell.

With the considerable resources that Intel can bring to bear, it should not have taken them this long to issue a (buggy/revoked) patch. They either started much later, or did not prioritize the work. Considering the possible ramifications that these exploits can have, there is no excuse for not having a fix by the time it was publicly announced. Furthermore, they released a new series of CPUs all the while knowing that it contained a critical flaw. Intel's behaviour is beyond the pale, and if they were a smaller company, they'd be buried in litigation right now. How many people/companies do you think would have passed on Coffee Lake knowing the security risk? I, for one, would not have purchased a broken CPU and would have spent a little more for an AMD chip.

If you think that Intel didn't factor all of this into their timeline, you are being naive. Intel could have fixed this well before Coffee Lake, and had they done so, it would have negatively affected Coffee Lake sales as they would have had to acknowledge the flaw earlier. They may even have had to go back to the drawing board (at considerable expense) on that chip after the design was finished, causing them to either go over budget or skip a generation. Shareholders would not have been pleased.

Their actions demonstrate that they only care about protecting their corporate interests rather than the consumer... Well, most of the consumers... Their biggest clients were informed well in advance in a bid to keep their relationships in good standing. Hence their appearance in front of the House committee. Corrupt, greedy, unethical, conniving are just a few of the words that come to mind.

In the automotive industry, car makers are forced to issue recalls if a critical defect is found. The only reason that Intel won't be told to do this is because the industry is not as well regulated. I do hope, however, that they get buried in class actions for the next 20 years.
 
There is no reason for Intel not to work on a fix from Day 1. As it is, they procrastinated and procrastinated and when they finally released something, it's buggy as hell and has to be uninstalled from most systems. Similar story with Microsoft. Good they are being called up.

Not releasing the information, I can understand. Dumping your stock and not working on a fix until much later on in the game is deplorable.
What choice did they have? The full fixes have still not been widely deployed three weeks after the details were revealed, and if the vulnerabilities had been made public earlier we'd have had a major, literal, industry-wide meltdown, because the affected companies wouldn't have had any protective measures but hackers would have known enough to gain unauthorized access to the affected systems.

I'm only curious why half a year wasn't enough to solve these vulnerabilities, especially Meltdown. It's mind-boggling really.

Also, I wonder how Intel had the insolence to release the Coffee Lake CPUs knowing full well that they were affected. If they had any consistency they should have postponed its release until software/hardware fixes had been deployed/enabled, so that prospective customers knew what [performance losses] they were in for.
With the considerable resources that Intel can bring to bear, it should not have taken them this long to issue a (buggy/revoked) patch. They either started much later, or did not prioritize the work. Considering the possible ramifications that these exploits can have, there is no excuse for not having a fix by the time it was publicly announced. Furthermore, they released a new series of CPUs all the while knowing that it contained a critical flaw. Intel's behaviour is beyond the pale, and if they were a smaller company, they'd be buried in litigation right now. How many people/companies do you think would have passed on Coffee Lake knowing the security risk? I, for one, would not have purchased a broken CPU and would have spent a little more for an AMD chip.

If you think that Intel didn't factor all of this into their timeline, you are being naive. Intel could have fixed this well before Coffee Lake, and had they done so, it would have negatively affected Coffee Lake sales as they would have had to acknowledge the flaw earlier. They may even have had to go back to the drawing board (at considerable expense) on that chip after the design was finished, causing them to either go over budget or skip a generation. Shareholders would not have been pleased.

Their actions demonstrate that they only care about protecting their corporate interests rather than the consumer... Well, most of the consumers... Their biggest clients were informed well in advance in a bid to keep their relationships in good standing. Hence their appearance in front of the House committee. Corrupt, greedy, unethical, conniving are just a few of the words that come to mind.

In the automotive industry, car makers are forced to issue recalls if a critical defect is found. The only reason that Intel won't be told to do this is because the industry is not as well regulated. I do hope, however, that they get buried in class actions for the next 20 years.

Because it's a really, really hard problem to solve if you're unable to replace the hardware. As for Coffee Lake, there's no realistic way for Intel to fix it. By the time Intel was made aware of the problem, Coffee Lake was already in its ramp phase (fab and stockpile for launch day, probably already on boats being shipped even). As for how long the patching is taking, I'd like to see you, or any team you can name/assemble, do better than what the major guys have been doing so far. Like I said, really, really hard problem to deal with.

Sure, Intel could issue a recall, then what? Unlike VAG diesel cars and SUVs, you're not talking a few million worldwide, you're talking literal billions of devices, devices that literally run the world as we speak. Even if Intel had been perfectly willing to swap every single affected chip (meaning literally all of 'em in use right now), they simply do not have the manufacturing capability to do so, nor do the partner OEMs and ODMs building devices and motherboards.

Evidently though, Intel and partners are most certainly not free of blame: they should have informed tier 2 partners (people like OVH, DigitalOcean, AV vendors and the like) a fair bit earlier in the pipeline, and they should NOT have released patches that needed to be pulled, certainly not as mandatory install ASAP security updates. At the same time though, their hand was being forced by other researchers being on the verge of INDEPENDENTLY discovering the same vulnerability. If other researchers can discover it cleanly and independently, then you can be certain that the evil hackers and attackers are at least as close to discovering it, if they're not shipping malware using it already. Result: the decision was made to ship the buggy patch and hope not too many people get bit by the bugs.
 
Because it's a really, really hard problem to solve if you're unable to replace the hardware. As for Coffee Lake, there's no realistic way for Intel to fix it. By the time Intel was made aware of the problem, Coffee Lake was already in its ramp phase (fab and stockpile for launch day, probably already on boats being shipped even). As for how long the patching is taking, I'd like to see you, or any team you can name/assemble, do better than what the major guys have been doing so far. Like I said, really, really hard problem to deal with.

Sure, Intel could issue a recall, then what? Unlike VAG diesel cars and SUVs, you're not talking a few million worldwide, you're talking literal billions of devices, devices that literally run the world as we speak. Even if Intel had been perfectly willing to swap every single affected chip (meaning literally all of 'em in use right now), they simply do not have the manufacturing capability to do so, nor do the partner OEMs and ODMs building devices and motherboards.

Evidently though, Intel and partners are most certainly not free of blame: they should have informed tier 2 partners (people like OVH, DigitalOcean, AV vendors and the like) a fair bit earlier in the pipeline, and they should NOT have released patches that needed to be pulled, certainly not as mandatory install ASAP security updates. At the same time though, their hand was being forced by other researchers being on the verge of INDEPENDENTLY discovering the same vulnerability. If other researchers can discover it cleanly and independently, then you can be certain that the evil hackers and attackers are at least as close to discovering it, if they're not shipping malware using it already. Result: the decision was made to ship the buggy patch and hope not too many people get bit by the bugs.

I call bull$**t.

[Edit] Intel released the information about the security issue to (some) vendors back in June, meaning they likely knew about this well before that.
Intel was aware of the issues in at least January 2017: Source
Coffee Lake was announced in Feb 2017: Source
Coffee lake was not released until October 2017: Source

Over a year to fix a critical security bug and still release another flawed processor in the mean-time? My original arguments still stand. It would have cost them a tonne of money, but they wouldn't be knowingly selling a product that is essentially broken.
 
I call bull$**t.

Intel was aware of the issues in at least January 2017: Source

It takes a while to go from PoC to an actual, workable attack. If you measure strictly by similar attacks, you can go all the way back to 2002 for the first ones using this technique. All were silently mitigated without a big announcement. By the time June came about, KAISER was being quietly released to counter Gruss' particular variant. Problem was that KAISER was incomplete when presented with Horn's more extensive set of attacks, which only came about in June, and those obviously needed even more patches.

Coffee Lake was announced in Feb 2017: Source
Coffee lake was not released until October 2017: Source

For big chips like CPUs, you can easily finish tape-out a full year ahead of hitting retail. Either way, do you really think anyone, be it Intel, AMD, nVidia, IBM or ARM, would have cancelled their launches?

Over a year to fix a critical security bug and still release another flawed processor in the mean-time? My original arguments still stand.

Oh, this is just the beginning, mate. There'll be even more attacks that exploit hardware features in the years to come: the security industry has just started having fun pwning CPUs, and this is just the low-hanging fruit.

PS: ARM was aware of the CPU faults just as much as Intel, for about as long, and they happily announced the Cortex-A75 on 29 May 2017. These cores haven't even shipped in a real product yet (they will in 2018) and ARM has not announced that they will be changing the core to mitigate.
 
Let's face it, anyone trying to use these exploits isn't going after you or me. They are going after bigger fish. I think by waiting as long as possible they saved a few companies from more pain, as the hackers had less time to work on it.
 
Let's face it, anyone trying to use these exploits isn't going after you or me. They are going after bigger fish. I think by waiting as long as possible they saved a few companies from more pain, as the hackers had less time to work on it.

You think that if someone could write a Java-based program that could steal people's banking information just by visiting a website running the code, they wouldn't?
Even if this turns out to be infeasible, think about where all of your e-mails, backups, etc. are stored.
 
Intel was aware of the issues in at least January 2017: Source
That is not what your source (or any other source) says. All the dates in that source are January 2018.
 