Intel Hit With More Than 30 Lawsuits Over Security Flaws (reuters.com)
Intel said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips. From a report: Most of the lawsuits -- 30 -- are customer class action cases that claim that users were harmed by Intel's "actions and/or omissions" related to the flaws, which could allow hackers to steal data from computers. Intel said in a regulatory filing it was not able to estimate the potential losses that may arise out of the lawsuits. Security researchers at the start of January publicized two flaws, dubbed Spectre and Meltdown, that affected nearly every modern computing device containing chips from Intel, Advanced Micro Devices and ARM.
Re:Is everyone else getting sued, too? (Score:5, Informative)
Re: (Score:1)
No it doesn't. Read again.
Re:Is everyone else getting sued, too? (Score:5, Informative)
Re: (Score:2)
The summary is fucking wrong
It is nothing of the sort. Spectre affects most CPUs including AMD, Meltdown affects most CPUs *except* for AMD. Just because AMD did something right doesn't mean that there aren't examples of SPARC, ARM, and multiple lines of Power chips affected too.
Painting this as Intel only is just as absurd as lumping AMD together with Intel when discussing 2 separate flaws.
Re: (Score:3)
(yes, i know, if you google "specter proof of concept" you will find things, but what you will find is a proof of concept for meltdown called a proof of concept of specter. Some code-faggot got PAID to conflate the two, not to mention the scholastic-fag who wrote the scholarly paper conflating the two he refers to).
Re: (Score:2)
Meltdown is intel only
Yes which is why IBM, Broadcom, ARM and Oracle have issued statements about how they are affected by meltdown, or in Oracle's case they published a list of processors not affected ... a very short list and said nothing more.
AMD is not vulnerable to meltdown. That doesn't mean it's Intel only. The bug is related to a specific optimisation that is used in a variety of architectures.
Re: (Score:2)
The only other CPU vendor I heard of being vulnerable to Meltdown is Qualcomm.
Re: (Score:2)
Then you haven't been listening. IBM's advisory specifically calls out all three CVEs. Even news articles which know what they were talking about when they said Meltdown was thought to only affect Intel and some ARM processors have pointed out it also affects all of the POWER architecture processors.
And Oracle gave a long list of SPARC architectures that were affected by Spectre along with a patch, and then gave a single note that said SPARCv9 systems are not affected by Meltdown, and then proceeded to refus
Re: (Score:3)
Re: (Score:2)
It isn't Intel only, ARM's Cortex A75 was vulnerable. The A75 chip is the only high-end core designed by ARM since the patent on the technique that turns out to be vulnerable to Meltdown expired. Intel helpfully (in retrospect) protected the industry by patenting it and not including it in any of their cross-licensing agreements, preventing anyone else from being vulnerable. The technique improved system call performance, so if you regard making system calls faster, then I suppose it was for cheating at
Fuck off (Score:1)
but setting the precedent that you're liable if your product is vulnerable to exploit techniques that are invented after the product ships would be very dangerous for the entire industry.
Fuck off, make dangerously broken shit and you need to do a recall, just like the auto industry.
Re: (Score:3)
Now, that may be the moral obligation, but the legal concept is much more difficult to define.
How dangerous is dangerous enough to warrant a recall? Sure, this may leak some data, but now that the vulnerabilities are known, they can be mitigated... or do we also claim that software vendors who don't implement mitigations are making a "dangerous" product?
Who's responsible for the recall? I've rarely purchased directly from Intel. More often, I buy CPU/motherboard combos from vendors. Are they going to suppor
Re: (Score:1)
Re: (Score:2)
When you post things like this, log in first unless you really ARE a coward.
Re: (Score:2)
Intel not only made dangerously broken CPUs which had been predicted to be dangerously broken (without a definite exploit) before they were designed, but if they didn't already know about how to exploit it, they were informed at least 6 months before the public notice, and appear to have taken no steps to mitigate the problem prior to public notice. We can't really know, but the patches that they rushed out after notice was made public were so poor that they probably hadn't done anything.
Etc.
I'm willing fo
Re: (Score:2)
Intel not only made dangerously broken CPUs which had been predicted to be dangerously broken (without a definite exploit) before they were designed
Really? Care to cite those predictions (ideally from 1995 or earlier, when Intel introduced this feature).
they were informed at least 6 months before the public notice, and appear to have taken no steps to mitigate the problem prior to public notice.
They disclosed the vulnerabilities to ARM and worked with Microsoft, Apple, and some Linux developers on work-arounds, though the Linux people completely botched the embargo.
Re: (Score:2)
My personal opinion is that they are liable for replacing every CPU they sold after they were aware of this problem without disclosing it. I don't fault them for selling CPUs when they were not aware. The i9 7940X, 7960X and 7980X should not have been released last year or if released only with a disclosure of vulnerability.
Re: (Score:2)
and was probably done on purpose
Yes because optimising code paths exist only to cheat benchmarks.
Some people have really lost their grip on reality. Are you by any chance that crazy person who's trying to launch himself into the sky on a steampunk rocket?
Re: (Score:2)
MIGHT have been done to make benchmarks better but without the realization that it exposed a vulnerability. Often engineering projects are success-oriented, and once the chip was running all of the tests and benchmarks and the performance was good, that may have been as hard as anybody looked. You need to have people whose job it is to break all such new products, but that both costs more and delays the time to market, and executives rarely want either.
Re: (Score:2)
Meltdown which is the worst of all
That remains to be seen. Meltdown is a big problem if unpatched. However, patches are available, and they appear to work.
Spectre is harder to exploit, but also harder to mitigate. Nobody has fully patched Spectre; the in-flight 4.16 Linux kernel has only the beginning of Spectre patches, and the situation isn't any better with other OSes.
Spectre, unlike Meltdown, will haunt for years to come.
Re: (Score:2)
Spectre, unlike Meltdown, will haunt for years to come.
As she's been doing since 2006 https://dota2.gamepedia.com/Sp... [gamepedia.com]
class action = big payout (Score:5, Funny)
I can't wait to get my $3 !!
Obligatory: Intel CPU Backdoor Report (Jan 1 2018) (Score:5, Interesting)
Change log:
2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)
Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [youtube.com]
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Quotes] Vortrag [events.ccc.de]:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".
"We can permanently monitor the keyboard buffer on both operating system targets."
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).
Backdoor removal:
The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode [ptsecurity.com], use me_cleaner [github.com] with -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit [github.com].
Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented HAP mode (NSA High Assurance Platform mode) [ptsecurity.com]
me_cleaner: Set HAP AltMeDisable bit with -S option [github.com]
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine [blackhat.com]
EFF: Intel's Management Engine is a security hazard, and users need a way to disable it [eff.org]
Sakaki's EFI Install Guide/Disabling the Intel Management Engine [gentoo.org]
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws. [zdnet.com]
CVE-2017-5689 [cvedetails.com]: An unprivileged network attacker could ga
Meh, I'll be joining one (Score:2)
Re: (Score:2)
Does the existence of a class action stop you suing them yourself?
I'm using small claims court. Cheap and effective.
Re: (Score:1)
Does the existence of a class action stop you suing them yourself?
Yes, if you don't take efforts to opt out of them all. Class action lawsuits are auto-opt-in, you have to personally track down and remove yourself from the list of people on each one to be able to sue because you can't sue twice. This means that while actual damages were around 70% of the cost paid for any Intel CPUs over the years (since that's the power loss and false advertising they're conducting) you'll get a couple cents, if you explicitly state that, and the lawyers will get the rest. This class act
Re: (Score:2)
None of these are class actions yet, whenever you see a story in the media that claims "some number of class actions suits were filed" you should know without looking at the details that it is not true as claimed.
You have to file an individual claim, with an individual cause of action. That is the thing that you "file" with the help of your lawyer. Then you ask the court to Certify a Class of plaintiffs that have been harmed in the same way. If the Court says yes, they will then rule on what the class actua
Re: (Score:2)
I don't know. Some bloody big companies got hacked et al. Some real deep pocketed companies, even they profit with a class action. So, so, many big companies, the losses way and beyond CPU price. So the question for the big players, take as much as you can without killing Intel or strip mine it for its assets, it could be that bad. No need to panic yet, as the civil proceeding will likely take many years but in the end, it doesn't look good for Intel.
Re: (Score:3, Interesting)
Re: (Score:3)
Class actions aren't for compensation. They're for deterrence and changing incentives.
Re: (Score:2)
I got $27 last year from a class action because some shady "collection agency" called my cell phone a bunch of times trying to collect on an invalid "debt."
The reason that you'd be lucky to get $3 is that Intel didn't promise that their chips could output some number of math answers per second in a secure way, they only sold you a CPU that does all the instructions they promised it does.
Numerous combinations of CPU instructions might turn out to not do what you wanted them to do, if you wanted a different t
Re: (Score:1)
Why $3?
If I bought (as I did) a system/CPU that was top of the range at the time and paid a premium price for it - and now have to run patches that slow it by 50% to "sort" Meltdown and Spectre problems - then the comparison and recompense should be in line with a system/CPU that ran at 50% of the performance and was available at the time of the original purchase. In which case the difference/reasonable compensation could be several hundred dollars per CPU.
No warranty (Score:3)
I'm pretty sure Intel never made promises that it was a highly secure chip. They mainly market on power and performance.
Re: (Score:3)
Intel TXT, NX bit, Intel MPX, Intel Secure Key, Intel SGX, Intel KPT, IIRC MSRs, Intel Management Engine(this one is very secure)
Re: (Score:2)
Did they ever claim that it was resilient against side channels?
The SGX one is perhaps the most interesting of these, because Spectre can allow disclosure of unencrypted memory from SGX enclaves, which makes them largely useless. If you bought processors specifically for the SGX functionality then you may be entitled to a refund along the lines of the refund when they disabled HTM in Haswell. Microsoft bought quite a lot of Intel chips for Azure for this reason, which could get interesting.
Re: (Score:1)
Then off with their heads!
Re: (Score:1)
ENGINEER: (ENTERING MANAGER'S OFFICE) "Sir. We seem to have found a vulnerability in the new chip design"
MANAGER: "What sort of vulnerability?"
ENGINEER: "Well, when a computer is connected to the Internet...."
MANAGER: (INTERRUPTING) "Stop right there." (HOLDS DOWN BUTTON ON INTERCOM) "Call the lawyers and have them see if we promise the chips to be secure when attached to a network." (TURNS TO ENGINEER) "Is there anything else?"
ENGINEER: (GRINNING) "No sir. Thank you for your time." (LEAVES)
MANAGER: (MAKES S
Re: (Score:2)
Re: (Score:2)
You aren't too bright.
That's a bold strategy cotton (Score:2)
Re: (Score:2)
And Ford never formally states that their cars don't explode if used on alternate Thursdays. Fortunately, reasonable assumptions about a product are reasonable and actionable.
Article being referred to is inaccurate (Score:5, Informative)
I'm sure everyone reading this already knows the obvious, but AMD is not affected by Meltdown in any capacity. Please do not encourage the spread of this misinfo. It is important to understand what processors are safe and what processors are affected by Meltdown and Spectre's 2 variants.
https://www.networkworld.com/article/3246707/data-center/meltdown-and-spectre-how-much-are-arm-and-amd-exposed.html
Fuck Intel, as of this moment AMD is much safer (Score:1)
Don't fall for Intel's PR tactics.
Meltdown is much worse than Spectre and Meltdown is an Intel only flaw.
Re: (Score:1)
It is important to understand what processors are safe and what processors are affected by Meltdown and Spectre's 2 variants.
https://www.networkworld.com/article/3246707/data-center/meltdown-and-spectre-how-much-are-arm-and-amd-exposed.html
That article contains errors. In particular, the article claims that AMD processors are "potentially vulnerable to only one of the three variants of Meltdown". This is incorrect for two reasons.
(1) There is only one "variant" of Meltdown. Presumably, the author mistakenly considers Spectre Variant 1 and Spectre Variant 2 to be "variants" of Meltdown.
(2) According to AMD's own statement [amd.com] (which is linked in the article), AMD processors are immune to Meltdown, but vulnerable to both variants of Spectre.
Re: (Score:2)
"I'm sure everyone reading this already knows the obvious, but AMD is not affected by Meltdown in any capacity."
This theoretically isn't true. A DPA attack might be enough to open a hole for Meltdown-style problems.
What is the intended outcome? (Score:2)
Only 30? (Score:1)
30 sounds low. Throw the book at 'em!
Looks like Intel made two mistakes (Score:2)
Mistake 1: A major engineering design flaw.
Mistake 2: Neglected to force their users to enter into a binding arbitration agreement before using the CPUs.
Re: (Score:2)
Wouldn't have helped. Don't forget that Intel found out about this at least seven months before it was revealed, which means for seven months it continued selling processors it knew were defective without disclosing that fact.
Any agreement it reached with people who bought chips during those seven months would be invalid, because withholding material information means there was no "meeting of the minds".
Purchase Delay (Score:1)
No purchases until hardware fix.
This will be a total shit-storm (Score:1)
Lovely bug that can't be fixed by microcode. Millions of flawed CPUs out there. What's the technology that pushes native code to run in web browsers called again? Can't wait for that clusterfuck to happen.
Re: (Score:2)
What's the technology that pushes native code to run in web browsers called again?
ActiveX.
Re: (Score:2)
ASM.JS
What do they hope to get out of it? (Score:5, Interesting)
Will they have to actually demonstrate a material loss resulting from a security breach associated with the flaw, including some kind of material proof that the flaw was actually the cause of the breach?
I'm kind of guessing time spent running around and patching probably isn't something they can sue for, otherwise MS would have been out of business ages ago on this item.
And what do they actually hope to get out of it? New CPUs not compatible with their existing motherboards? A cash payment based on the pro-rated cost of the microprocessor itself based on remaining life cycle?
I can see the obvious desire to rake Intel over the coals and perhaps they deserve some of it, I just don't get how you can link any specific loss to this chip flaw, or if you can, it's extremely hard to prove.
I'm also curious if there's not some general defense for Intel along the lines of "running a computing infrastructure involves dealing with bugs and flaws in hardware and software, problems will arise".
Re: (Score:2)
Exactly this.
The harm is that when the user accidentally grants explicit access for some malware to run on their computer, now it can be 15% more naughty. That's bad, but pinning it on Intel is going to be hard, even if it is actually a bug. But it might not even be a bug, it might be a misfeature that the whole industry misunderstood. And it might not be a misfeature in the CPUs, but in many of the Operating Systems, who foolishly trusted things that were only assumed to be true, but had not actually been
Will it even matter, though? (Score:5, Interesting)
I mean, thinking this all through, it seems to be a frivolous exercise without some massive shift.
Intel grossed over $60 billion in FY 2016. Even if each of these lawsuits requires Intel to pay $1 billion, and all of them are won, it's less than six months of revenue for them - not fun, but not the corporate equivalent of $150,000 in individual medical debt, either. Intel has enough in the bank to ride the storm, and simply bump up CPU prices by another 15% until the costs are paid...and then leave the prices there.
In a perfect world, this would give AMD the golden opportunity to pick up the slack. The Ryzen line of processors has been met with a whole lot of favorable press; they could easily take over the i3/i5/i7 desktop/laptop markets from a performance perspective. However, AMD has spent the last decade scraping the bottom of the barrel with their A10 processors and similar, low performance CPUs that are almost synonymous with the sub-$400 laptop market, and the hatred that people associate with Windows machines. Even if the shelves at Best Buy became 50/50 between AMD and Intel (as opposed to right now, when there are more Xeon-based laptops available than Ryzen 5 and Ryzen 7 combined), it's going to take consumers quite a while to realize that AMD makes high end processors, too. Intel sales take a dip, sure, but I don't see AMD managing to truly eat at Intel's market in a way that leaves a lasting impact.
The server room is still Intel's. Dell, HP, and Lenovo have dabbled in a few AMD-based machines (I've got a pair of Opteron-based R415's running as routers myself), but with AMD having misstepped with the Bulldozer architecture and certain server applications being all "we only support Intel", I don't see AMD making massive inroads there either. This is compounded by the likelihood that Dell ordering 0.8X Xeon processors from last year and making up the slack with newer Opterons is going to inevitably involve a higher per-processor price, making their servers more expensive, meaning that if Lenovo keeps their orders up, they will be cost favorable, leaving Dell less able to compete on price unless sysadmins really do start ordering AMD-based servers for their racks.
Now, the one player that really could make a dent would be Samsung - there's not a laptop component they don't make except the processor at this point, so retooling their Exynos chip fabs to make an x86 processor that can compete with an i3 and deliver an end-to-end, single-manufacturer laptop or desktop is in the cards for them, certainly more so than any other manufacturer. If they can pitch one running Android and avoid a Windows license, even better. Even so, it's risky for Samsung, and although they can eat a pretty big loss, trying to capitalize on Intel while they are down and hoping that consumers end up buying a laptop sporting a CPU from a relative newcomer is not the kind of gamble that risk-averse execs are likely to go full force on.
In summary, Intel CPU processors will rise, AMD may well be capable of meeting demand but OEMs, retailers, sysadmins, and consumers are going to be a bit skittish about giving AMD a shot when Intel is a known quantity, and while Samsung could probably kick 'em while they're down, it's highly debatable that they will do so. In the end, Intel is likely to just raise prices and the world continues as normal.
Re: (Score:3)
Re: (Score:3)
Wow. You are a good corporatist there. You never mentioned the affected end users, just Intel and a few other mega corporations. Good job.
Affected end users aren't fabbing their own processors. Affected end users are in a position to decide how much they care, and whether they will buy not-Intel for their next computer. Affected end users may choose AMD, but are unlikely to do so in an impactful manner. Affected end users may have the option to purchase from Samsung if Samsung decides to enter the market. Affected end users will likely end up paying more for Intel, as Intel is likely to simply increase costs to affected end users in order to
Re: (Score:2)
Stop making sense. Just climb onto the pro-AMD/anti-Intel bandwagon and brigade against the man!
We were promised perfection by Intel, and by God we will scream until we get it.
Re: (Score:2)
We were promised perfection by Intel..
No, we were promised secure hardware, you obtuse douche-nozzle.
No, you were promised hardware, dill weed.
And it was delivered.
Re: (Score:3)
They said if I bought a used 8088, my computer would run "too slow" to do anything, but I still did stuff.
They said if I bought a 386SX, my computer would run "too slow," but it didn't.
They said if I bought Cyrix, my computer would run "too slow," but GCC didn't care and neither did I.
They said if I bought AMD, my computer would run "too slow," but I had long stopped listening and just kept using the tool.
The truth is that most of what I use my computer for I could be doing on a microcontroller if it was al
Re: (Score:2)
LOL you're a fucking moron, 10 years ago the world didn't run on social media, now news travel fast, very fast.
AMD is killing Intel in performance and prices, that's what the customers see, not what AMD fucking released 10 years ago.
You think like a moron, stop thinking with Intel's dick in your mouth.
Normally I would just ignore the AC who can't spell my name right...
We agree that AMD's mainline CPUs are at least equivalent, if not superior, to Intel's offerings. The issue isn't that AMD had very low end processors a decade ago, but that AMD's low end processors have been the most readily accessible to customers for the past decade. The brief time when AMD beat Intel to 64-bit desktop CPUs with the Athlon64 line was the last time, to my recollection, that midrange machines sporting both Intel and AMD sh