Intel Government Security United States

Intel Did Not Tell US Cyber Officials About Chip Flaws Until Made Public (reuters.com) 79

Intel Corp did not inform U.S. cyber security officials of Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet notified the chipmaker of the problems, according to letters sent by tech companies to lawmakers on Thursday. From a report: Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities. Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.
  • Good... (Score:5, Insightful)

    by Luthair ( 847766 ) on Friday February 23, 2018 @10:22AM (#56175889)
    Who exactly would trust them with this information? We all know they would have spent the last 6 months exploiting them and attempting to find more variations.
    • At least as likely would be an almost instantaneous leak of the information to the press...

  • by Daneel Olivaw R. ( 5113539 ) on Friday February 23, 2018 @10:23AM (#56175899)
    ... else the US would have "accidentally" leaked it to hackers and blamed Russia for it.
    • Actually, the US govt would have kept it secret (or as secret as they can be - which at best, is pretty poor in general) and allowed the US security services (one of the many 3-letter 'above/outside the law' agencies) to exploit it for domestic spying activities.

  • by technoid_ ( 136914 ) on Friday February 23, 2018 @10:25AM (#56175907) Homepage Journal

    If the Feds can ban Kaspersky and Huawei for not being secure enough for US government usage, perhaps Intel chips should be banned from government use too.

    Oh yeah, Intel is a US company, they can't do that now.

    • Stop acting like foreign corporations are equal to our own, they aren't any more than their citizens are. The US government owes it to the population to source everything they use domestically and have no obligation whatsoever to buy from foreign vendors - the fact they even gave the rationale of "for security reasons" in regard to Kaspersky and Huawei is more than they deserve. Huawei is known to intentionally put Chinese-sponsored backdoors into their hardware (just as Intel is known to put US-sponsored
      • Re: (Score:3, Insightful)

        by Train0987 ( 1059246 )

        The problem with your argument is that nothing on the component-level is manufactured in the US. Even "domestically-produced" equipment relies on parts manufactured in China, etc.

        • by Junta ( 36770 )

          Further, when we say 'components' we don't mean merely things like resistors, we are talking about full circuit boards complete with critical security related firmware, if not the whole system (though the whole system isn't really that much more risky than complete motherboards).

          The ship has pretty much sailed for any semblance of diversity of sourcing electronics. The government is left having to do 'secure' looking gestures without being able to address real threats in any significant way.

        • Not so much for consumer, but for military hardware it absolutely is made in the US. The one exception was the F-16 replacement from the other year and it made the news because it was a huge scandal that they let a foreign military component in via a subcontractor.
      • Re: (Score:3, Interesting)

        by jpschaaf ( 313847 )

        I'm sure Intel dabbles in plenty of government contracts, but processors are a consumer good, not a defense product.

        If Intel had to choose between selling on the international consumer market and selling to the US government, I'm pretty sure they'd dump the government in about 5 seconds.

        If the US government really wants a secure processor, they should get a secure processor... instead of using the same consumer-grade contraption that I use to surf the web.

      • by Anonymous Coward

        Guys, Russia makes a clone of the Pentium 4 for its own military applications; it costs around $3500 per chip and they consider it worth making. They use them in government computers as well. The PCs have huge memory compared to the original Pentium 4s, but the idea is clear: don't rely on foreign chip makers.

        We don't know; probably these bugs are just sophisticated backdoors, which lost their point once they were discovered by hackers, so Google started to push Intel to fix them.

        • The NSA has its own CPU fabrication facility as well. I don't even want to think about what the per-unit cost is on those.

          • I wonder if they also make their own GPUs for use in brute force attacks.

            If so, could I buy a graphics card off them? I'm sure it would still wind up cheaper than the current crypto markup on retail units.

            • They already do this. Who do you think actually controls the world's Crypto farming?

              NSA crypto-miners operating from a hidden server farm room built into the Hoover Dam for cheap power and minimal detection.

  • by Anonymous Coward

    I bet the NSA knew and kept the information classified so they could use it against adversaries.

    • I doubt it, but apparently the idea they did know has given them space in your mind rent free...

      I'm guessing they didn't know any more than Intel knew. But now that they know, I'm sure they are fielding exploits as fast as they can.

      • by HiThere ( 15173 )

        Intel knew, or had reason to know, of the risk. Whether the management did is a different question, of course. I suspect not. But the risk of this kind of attack was discussed publicly before speculative execution chips were designed. I believe that at that point everyone decided that while there was a theoretical risk, it was too difficult to exploit, so it was safe to ignore it.

        I don't see any reason to presume that this conclusion was ever privately revisited until extremely recently.

  • ...should notifications go out alphabetically?

    Cuba, Iran, North Korea, Russia, oh yes, and then the United States.

    Not that there wouldn't be certain arguments for notifying the government where the company's headquarters is located, but how exactly would Intel (or any other company working on a global scale) be expected to comply with the myriad of governments that could pass laws requiring that they get notified first. It's a lot simpler and a lot more elegant if everyone finds out at the same time.

  • by Anonymous Coward

    don't believe anything else.

  • Why on earth would anyone other than the people directly responsible for patching a security flaw get told about a security flaw. That is the entire point of moratoriums and the whole responsible disclosure business.

    The government has no business knowing. Oh and despite the fact that this seems to have hit the popular news today, we actually already covered this here on Slashdot. https://it.slashdot.org/story/... [slashdot.org] I think I need to buy a lottery ticket.

  • by Anonymous Coward on Friday February 23, 2018 @10:56AM (#56176119)

    Netburst was Intel's utter x86 architecture disaster- but at the time every major tech outlet declared it FAR superior to AMD's infinitely better Athlon 64, 'cos of Intel's payola.

    Netburst was going to 10GHz, didn't ya know, and that was all that mattered. But Intel knew the truth, killed Netburst, and rebooted the Pentium 3, crossed with AMD innovations available to Intel via its cross patent licence with AMD.

    So CORE 2 was born (now just called core). Only problem was, the dreadful 'engineers' at Intel Israel had sabotaged the design by removing all data privilege tests- the process by which a thread is blocked from accessing data owned by another thread of different privilege.

    By dropping these hardware data blocks, Intel's architecture got faster- MUCH faster. And the NSA, GCHQ etc were guaranteed a method by which any user code injection would have access to any data on an Intel part.

    Here's the current risk table- Intel since Netburst vs AMD's new amazing Ryzen:

                   Intel (Core 2/Core)   AMD (Ryzen)
    Meltdown:      1000                  0
    Spectre:       500                   0.1

    AMD is a LITTLE slower per clock per thread on current compiler output down to the fact that Ryzen has low level hardware data privilege circuits, whereas Intel does not. Intel relies on DOMAIN methods- a hybrid technique that relies on trust and the OS.

    All current Intel chips are broken by design and unfixable unless you only run one thread at a time on the entire chip and flush every chip asset each time you time slice a new thread. But to do this would reduce Intel's performance by perhaps 80-95%.

    Intel cannot fix its architecture within even two years from this date. It needs a from-scratch redesign. So Intel instead floods outlets all across the net with anti-AMD FUD.

  • Smart (Score:5, Interesting)

    by Joseph Dickinson ( 2998183 ) on Friday February 23, 2018 @11:19AM (#56176267)
    Smart move for Intel. Would you tell your government where you keep your secrets?
  • by Anonymous Coward

    They are everywhere. All I want to know is when Intel is going to replace the broken chips they sold everyone???????

    In computers there is no GREY area, it is YES or NO, or right and wrong. Intel did it the wrong way to get ahead in the MHz race; in the END all their CPUs are broken. Just take a look at spot prices for replacements: the only ones holding their own are not Intel.

  • by Anonymous Coward

    There are many departments in the government, and they don't talk to each other because of secrecy. I'm sure Intel told the "deep state" in both the US and Israel. They told the people who hoard 0-days. And there's no way you would know about it if they did. They just didn't tell all these spin-up fragmented Cyberwehr offices all over the place that have no record of keeping secrets, and now one of them is whining about it.

  • by Anonymous Coward

    Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities

    Nice to see them being so proactive over the situation...Oh wait, what's the opposite of that ?
    By Intel's standards, I shouldn't need locks on my front door since I haven't been burgled yet.

    How do Intel know that nobody had exploited it, or at least wasn't developing an exploit?
    Makes you wonder, how many other security vulnerabilities there are in Intel chips that they're keeping quiet about ?

  • I hope the US intelligence agencies have deep hacks in place to harvest this kind of intel (pun?). These tech companies should be required to submit full, real-time, access to any possible security violations. Especially those operating as US companies or with a physical presence in the US.

    The choice between trusting my US gov't, who supposedly answers to the American people, or a global multinational corporate that answers to no one, is no choice to me at all. I choose the US gov't

    • Stupid Americans (Score:5, Insightful)

      by Anonymous Coward on Friday February 23, 2018 @12:21PM (#56176619)

      The choice between trusting my US gov't, who supposedly answers to the American people, or a global multinational corporate that answers to no one, is no choice to me at all. I choose the US gov't

      It doesn't, the US gov works for the banks and corporations.

      That's why banks get bail outs and CEOs get big bonuses.

    • by Sloppy ( 14984 )

      The choice between trusting my US gov't, who supposedly answers to the American people, or a global multinational corporate that answers to no one, is no choice to me at all. I choose the US gov't

      What convinced you to trust at least one of them? That was a non-obvious move on your part, and a lot more interesting than how you decided which one to trust.

      • by bigmacx ( 135216 )

        Let me know next time the entire US gets a chance to vote Intel out of office.

    • It's not a choice of trusting one or the other. Intel already has the information; the choice is whether or not you would ALSO trust the US Gov with that information. For me that is a big fat fuck no. They almost certainly would have either leaked it/shared it/abused it
      • by bigmacx ( 135216 )

        #1 leaked: would have been good. It would help embarrass these tech companies so they might stop releasing all this breach ridden trash on us.

        #2 shared: isn't that a core principle of /. readers? And are we not also of the view that more eyes on a problem/code is better?

        #3 abused it: good. I hope they would have abused it against our opfor

        I get all the "who watches the watchers" stuff and I'm not a huge fan of the gov't pervasive invasive, but I trust the big tech companies even less. I made a great career

  • by Anonymous Coward

    Just last month there was a story about them notifying the Chinese government or something.
    I don't think there is anything wrong with that. They should. But at the same time, they should notify the US government (and EU etc) as well.
    This is why I think the whole "responsible disclosure" thing is bullshit.
    The reality has shown that the companies do nothing in the meantime, and sit on it until the latest possible day.
    Better to just let everyone know immediately and put pressure on them to fix it.

  • by Anonymous Coward

    Go back a few years to AMD's 'terrible' new architecture, Bulldozer (the reason many today still don't trust the insanely good Ryzen design).

    The best x86 CPU analyst on the planet discovered that a L1-cache exclusive thread on one bulldozer module ran at 10 (relative performance rating). On the other module also 10, of course. But if both modules ran threads (in L1 cache) at the same time, with ZERO inter-thread code or data dependency, the two threads ran at 8+8, not 10+10. Why? Because SPECULATIVE data de

    • by Zan Lynx ( 87672 )

      Because AMD is careful not to cross privilege levels but Spectre attacks are user mode to user mode. So even though they may be two different users they are still in Ring 3. Spectre can only be used against kernel code if the kernel is convinced to run a user's code for some reason. Like an eBPF byte-code, for example.

      But it can work really well for a sandboxed program to steal information from outside the sandbox.

      So AMD is still vulnerable to speculation attacks.
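    The user-mode-to-user-mode attack Zan Lynx describes, where sandboxed code reads outside its sandbox, is Spectre variant 1 (bounds check bypass). As an added example that is not part of this thread and not Intel's, AMD's or the kernel's own code, here is the classic gadget in C beside the branch-free index-masking fix, modelled on the Linux kernel's array_index_nospec() (the kernel's bpf array map lookup masks its index the same way). The sandbox_mem struct, the table contents, the secret and the lookup_* function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not code from the thread, Intel, AMD or the Linux kernel):
 * the Spectre v1 bounds-check-bypass gadget next to the index-masking
 * mitigation modelled on array_index_nospec(). Names are hypothetical.
 */

#define TABLE_SIZE 16UL
#define BITS_PER_LONG (sizeof(unsigned long) * 8)

/* Constructed layout: the secret sits directly after the table, so an
 * out-of-bounds index into allowed_table reaches it. */
struct sandbox_mem {
    uint8_t allowed_table[TABLE_SIZE];
    char secret[8];
};

static const struct sandbox_mem mem = {
    { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f },
    "hunter2",
};

/* Flush+Reload probe: one cache line (512 bytes here) per possible byte value.
 * Touching probe[v * 512] is the covert-channel transmitter in the gadget. */
static uint8_t probe[256 * 512];

/*
 * All-ones when index < size, zero otherwise, with no branch to mispredict.
 * (index | (size - 1 - index)) has its top bit set exactly when index is out
 * of range, thanks to unsigned wraparound. Unsigned arithmetic only, so the
 * result is defined everywhere; the kernel's x86 version uses "cmp; sbb"
 * inline asm so the compiler cannot reintroduce a conditional branch.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    unsigned long oob = (index | (size - 1 - index)) >> (BITS_PER_LONG - 1);
    return 0UL - (oob ^ 1UL);
}

/* index when in bounds, 0 otherwise, whatever the branch predictor guessed. */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Vulnerable gadget: architecturally correct, but while the branch is still
 * being resolved the CPU may speculatively read allowed_table[idx] past the
 * table (into mem.secret) and use that byte to index probe[], leaving a
 * cache footprint the caller can later time. */
int lookup_vulnerable(unsigned long idx)
{
    if (idx < TABLE_SIZE) {
        uint8_t v = mem.allowed_table[idx];
        probe[v * 512]++;          /* dependent load: transmits v via the cache */
        return v;
    }
    return -1;
}

/* Hardened gadget: idx is clamped to 0 before any dependent load, so even a
 * mispredicted branch only ever reads allowed_table[0..TABLE_SIZE-1]. */
int lookup_hardened(unsigned long idx)
{
    if (idx < TABLE_SIZE) {
        idx = array_index_nospec(idx, TABLE_SIZE);
        uint8_t v = mem.allowed_table[idx];
        probe[v * 512]++;
        return v;
    }
    return -1;
}

/* The index a sandboxed caller would pass to aim the gadget at secret[k]. */
unsigned long secret_index(unsigned long k)
{
    return TABLE_SIZE + k;     /* no padding between the two struct members */
}

int main(void)
{
    unsigned long tests[] = { 0, 7, 15, 16, secret_index(3), ~0UL };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("idx=%lu mask=%#lx clamped=%lu vuln=%d hard=%d\n",
               tests[i], array_index_mask_nospec(tests[i], TABLE_SIZE),
               array_index_nospec(tests[i], TABLE_SIZE),
               lookup_vulnerable(tests[i]), lookup_hardened(tests[i]));
    return 0;
}
```

    Both lookups return the same architectural results; the difference is only in what a mispredicted branch is allowed to touch, which is invisible to the return value and only shows up in cache timing (the x86-specific Flush+Reload measurement loop is deliberately left out). The alternative to masking is an LFENCE after the bounds check, which stops speculation entirely and costs more; masking is what the kernel prefers on hot paths such as bpf map lookups.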

  • There is so much distrust on both sides of the equation that they have to be publicly shamed to say anything.
  • Intel is not under any obligation to protect that information from the public.

    Who says the feds have to be the first to know?

    Not me.
  • by sheph ( 955019 )
    Since the information came from Alphabet, they probably assumed the government already knew.
  • Once again, we get to hear about risks to national security. Laughable ones, at that.

    You have to assume that every endpoint on your network can be compromised. If your network security model cannot cope with widespread host infection, then your security is garbage. If they really cared about security, their networks should already have mitigations for Meltdown/Spectre-class malware in place.

    Meltdown and Spectre aren't the first exploits either. They should have a plan for unexpected malware. There is no rea

    • I'm betting that's why Google has a network that's wide open, but access to anything is carefully controlled in other ways.

    • You have to wonder too how much the AI is poring over every new VirusTotal submission and web scrape, giving the Google researchers insights as to what vulnerabilities are really out there as the bad guys try to develop them undetected.
