Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

[DrMrLordX]

I guess Intel figured, if Google and Amazon already knew, they should hit Alibaba and Lenovo up next. Gub'ment either doesn't buy enough chips to matter, or spies on Google/Amazon enough to already know.

Still seems kinda weird, but it makes sense in a twisted conspiracy-thinking kind of way.

Score one for tinfoil-hat mentality.

 

[hnizdo]

Intel rightfully feared that government is not to able to keep the secret.
Or to keep the secret for itself only?

 

[csbin]

US Lawmakers to Pull Up Intel, ARM, Microsoft, and Amazon for Spectre Secrecy


https://www.techpowerup.com/241032/...-arm-microsoft-and-amazon-for-spectre-secrecy


In the wake of reports surrounding the secrecy and selective disclosure of information related to the Meltdown and Spectre vulnerabilities leading up to the eventual January 3 public release, US lawmakers are unhappy with leading tech firms Intel, Microsoft, ARM, Apple, and Amazon. The four companies, among a few unnamed others, are being pulled up by a house committee over allegations of selective access of vital information that caught many American companies off guard on the January 3rd. Barring a few tech giants, thousands of American companies were unaware, and hence unprepared for Meltdown and Spectre until January 3, and are now spending vast resources to overhaul their IT infrastructure at breakneck pace.

In letters such as this one, addressed to CEOs of big tech firms, lawmakers criticized the secrecy and selective disclosure of information to safeguard IT infrastructure, which has left thousands of American companies out in the lurch, having to spend vast amounts of money securing their infrastructure. "While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," they write.

 

[LTC8K6]

Ha.

Somebody messed up. At least try and pretend that they didn't already know.

I suggested a while ago that Intel already knew.

$1 says that the US government was informed in a timely manner and did nothing.

 

[naukkis]

So Intel panicked so badly that they published unstable microcode for their CPU's, even for server grades. Is there any quality control at all left in Intel?

Wonder why there ain't more jokes about that patch, Intel turned mostly good CPU's into unstable junk because fear of Spectre.....

 

[PingSpike]

The weirdest part is Intel was told about the vulnerability 7 months ago so the panic thing doesn't even make sense. Meltdown was clearly the worse problem, but I kind of doubt the people Intel had submitting patches to linux kernel and advising Microsoft are the same ones developing microcode updates so it doesn't seem like it should even be a manpower thing.

Was their plan was to just ignore the other spectre variants altogether and hope their PR well poisoning made everyone throw up their hands and accept things? And then they changed course and crapped out some untested fixes?

 

[LTC8K6]

The weirdest part is Intel was told about the vulnerability 7 months ago so the panic thing doesn't even make sense. Meltdown was clearly the worse problem, but I kind of doubt the people Intel had submitting patches to linux kernel and advising Microsoft are the same ones developing microcode updates so it doesn't seem like it should even be a manpower thing.

Was their plan was to just ignore the other spectre variants altogether and hope their PR well poisoning made everyone throw up their hands and accept things? And then they changed course and crapped out some untested fixes?

How about, Intel already knew, and already had fixed silicon in the pipeline, and was trying to hold out until the fixed chips could be launched...

Then they could say "Yes, but we already have revised chips..."

 

[DrMrLordX]

For Intel's sake, let's hope that's no the case . . .

 

[LTC8K6]

For Intel's sake, let's hope that's no the case . . .

Well, they have already said, a few times, that silicon fixed chips will be out this year, and I've heard time and time again that they didn't have enough time...

 

[ZGR]

I think the debate now is how Intel will patch this. I am skeptical it is an actual architectural change, but I would be pleasantly surprised.

 

[LTC8K6]

I think the debate now is how Intel will patch this. I am skeptical it is an actual architectural change, but I would be pleasantly surprised.

I think it has to be an architectural change, given the nature of the problem, and given Intel's statements. Plus the patching seems rather shaky.

 

[Kenmitch]

Just when the dust looks to be settling another storm hits the horizon. Guessing we still haven't heard the last of it yet.

 

[maddie]

How about, Intel already knew, and already had fixed silicon in the pipeline, and was trying to hold out until the fixed chips could be launched...

Then they could say "Yes, but we already have revised chips..."

Hope not. If this is the true scenario, I can see Intel facing big lawsuits. Misleading customers by withholding critical information, to basically prevent a loss of sales. Criminal.

 

[LTC8K6]

Hope not. If this is the true scenario, I can see Intel facing big lawsuits. Misleading customers by withholding critical information, to basically prevent a loss of sales. Criminal.

I doubt that.

I'm thinking that Intel knew that the silicon needed to be changed, but not about the specific Meltdown/Spectre exploits.
There have been reports here and there going back years about possible leaks and possible exploits.

Or possibly, Intel's newer design just happened to be different enough to not be vulnerable.

Keep in mind that no real world examples have been found of these exploits.

 

[richaron]

I doubt that.

I'm thinking that Intel knew that the silicon needed to be changed, but not about the specific Meltdown/Spectre exploits.
There have been reports here and there going back years about possible leaks and possible exploits.

Or possibly, Intel's newer design just happened to be different enough to not be vulnerable.

Keep in mind that no real world examples have been found of these exploits.

Real world examples which have been found are a moot point. I shouldn't have to point out those which haven't been "found out" are those which people are worried about.

And obviously intel's new designs are vulnerable. Equally obvious is that intel released these new designs well after they were aware they were vulnerable.

 

[LTC8K6]

Real world examples which have been found are a moot point. I shouldn't have to point out those which haven't been "found out" are those which people are worried about.

And obviously intel's new designs are vulnerable. Equally obvious is that intel released these new designs well after they were aware they were vulnerable.

I mean the designs that Intel says are coming out later this year, that have been fixed in the silicon and are not vulnerable to meltdown/spectre.

 

[maddie]

I doubt that.

I'm thinking that Intel knew that the silicon needed to be changed, but not about the specific Meltdown/Spectre exploits.
There have been reports here and there going back years about possible leaks and possible exploits.

Or possibly, Intel's newer design just happened to be different enough to not be vulnerable.

Keep in mind that no real world examples have been found of these exploits.

That is an amazingly complex path to redeeming Intel. A mental Rube Goldburg construct.

Intel knew the silicon needed to be changed without knowing about "the specific Meltdown/Spectre exploits", in your words. How is this a reasonable line of thought? They fix things that as far as they know are working well without exploits? What were the benefits to fixing this? more performance? Less power consumption? Less area?

 

[LTC8K6]

That is an amazingly complex path to redeeming Intel. A mental Rube Goldburg construct.

Intel knew the silicon needed to be changed without knowing about "the specific Meltdown/Spectre exploits", in your words. How is this a reasonable line of thought? They fix things that as far as they know are working well without exploits? What were the benefits to fixing this? more performance? Less power consumption? Less area?

I see that I can't suggest any possibilities without you assuming that I believe it and am endorsing it as real.

There has to be some reason that Intel has repeatedly claimed to have a silicon fix coming out this year.
Even if they are late and it's out 1Q 2019, we'd both agree that is pretty fast for having been first told of the problem in June of 2017, wouldn't we?

 

[maddie]

I see that I can't suggest any possibilities without you assuming that I believe it and am endorsing it as real.

There has to be some reason that Intel has repeatedly claimed to have a silicon fix coming out this year.
Even if they are late and it's out 1Q 2019, we'd both agree that is pretty fast for having been first told of the problem in June of 2017, wouldn't we?

My point is this. How is it possible to have a fix if everything was good, if as far as they knew, no exploit was possible. A fix, by definition means correcting something. If they knew about exploits, then they're guilty of withholding critical info. Both scenarios can't be right simultaneously.

You're right that I have been assuming that you believed Intel's PR and I confess, that is a mistake by me. A straight question. Do you?

 

[zinfamous]

My point is this. How is it possible to have a fix if everything was good, if as far as they knew, no exploit was possible. A fix, by definition means correcting something. If they knew about exploits, then they're guilty of withholding critical info. Both scenarios can't be right simultaneously.

You're right that I have been assuming that you believed Intel's PR and I confess, that is a mistake by me. A straight question. Do you?

I think he was suggesting that the exploits were "fixed" through no intention of Intel, just through design changes. I think an exploit and a bug can be "fixed" if it isn't done so intentionally--it just means that the exploit is no longer there due to design change.

....I do find this hard to believe, however, as the new architecture coming out this year is already 1+ years old, right? Early on in this debacle, posters were saying that it really takes up to 5 years from design to release a new architecture, right? Or are these minor tweaks within the current design, for this upcoming generation, that fortuitously managed to fix the exploits?

 

[realibrad]

How about, Intel already knew, and already had fixed silicon in the pipeline, and was trying to hold out until the fixed chips could be launched...

Then they could say "Yes, but we already have revised chips..."

And leave all the old chips alone?

 

[LTC8K6]

And leave all the old chips alone?

That's an interesting point. Not sure what Intel would do in the case of customers saying "Hey! What about me?"

 

[LTC8K6]

My point is this. How is it possible to have a fix if everything was good, if as far as they knew, no exploit was possible. A fix, by definition means correcting something. If they knew about exploits, then they're guilty of withholding critical info. Both scenarios can't be right simultaneously.

You're right that I have been assuming that you believed Intel's PR and I confess, that is a mistake by me. A straight question. Do you?

I generally don't believe any PR statements, but this particular one seems to have very little wiggle room for Intel.

We’re working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year.

Intel repeatedly said, in the beginning, that their chips were working as designed, and this was not a flaw or bug in their chips. Even I agreed with that idea initially.
That "working as designed" line might be a clue when combined with their claims now of having fixed chips coming out relatively soon.

Or Intel could simply be scrambling around trying to recover some way, any way.

 

[LTC8K6]

I think he was suggesting that the exploits were "fixed" through no intention of Intel, just through design changes. I think an exploit and a bug can be "fixed" if it isn't done so intentionally--it just means that the exploit is no longer there due to design change.

....I do find this hard to believe, however, as the new architecture coming out this year is already 1+ years old, right? Early on in this debacle, posters were saying that it really takes up to 5 years from design to release a new architecture, right? Or are these minor tweaks within the current design, for this upcoming generation, that fortuitously managed to fix the exploits?

I think I read somewhere that it's about as difficult to take finished silicon and go in and tweak it, as it is to make a new chip?

Anyway, Intel has made it's bed. It must now sleep in it.

 

[EXCellR8]

Kind of funny that governments are upset... "hey, you Intel guys messed up and now we can't keep our shady government exploits a secret because our outdated stuff is compromised, because of your shady broken stuff."

Fun fact: If Intel and its partners brought this to governing bodies and never released the information to the general public or third parties, there probably wouldn't be an issue. Sweep it under the rug and fix it now but don't worry about the consumer, they don't have to know. BUT, if that was ever discovered there would be all sorts of hypocrisy theory and a much bigger uproar.

If you ask me, the current route is the lesser of the two evils, which may be what Intel intended--damage control.