Intel Did Not Tell US Cyber Officials About Chip Flaws Until Made Public (reuters.com) 79
Intel Corp did not inform U.S. cyber security officials of Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet notified the chipmaker of the problems, according to letters sent by tech companies to lawmakers on Thursday. From a report: Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities. Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.
Good... (Score:5, Insightful)
Re: (Score:2)
At least as likely would be an almost instantaneous leak of the information to the press...
Re:Vladimir Pentkovski did it Intel named Pentium (Score:4, Interesting)
Ehhh.... if I remember correctly, the possibility of this kind of attack was discussed at around the time speculative execution started to be considered. Unfortunately, I don't remember my source for this, but it was based on non-specialist technical publications that were widely available. (It might have been ComputerWorld or InfoWorld. Something along those lines.)
This isn't a comment about this particular implementation of the attack, but the idea of the attack. Meltdown is the result of thinking the attack was too difficult in principle, so it was safe to ignore the risk. I think Spectre is the result of thinking it was too difficult in practice, so the cost of speculative execution was worth the risk.
So the idea of the attack was out there before the chips were designed, it was just disregarded as impractical. I don't know who Vladimir Pentkovski is (or was), but he was definitely not the sole figure responsible.
Re: (Score:2)
I didn't say "white papers", I said "probably ComputerWorld or InfoWorld". That should say how detailed my knowledge was (when it was fresh). I don't remember what it was based on, but at a wild guess some conference proceeding or discussion. Something public, anyway.
As far as I can remember, it only came up once. It could also have been in Datamation, but I think by that time I'd stopped reading that one. The only other possibility is Byte, and that's really unlikely, as after the early 1970's I skipp
Re: (Score:2)
Well the Register and Wikipedia seem to be in partial agreement with you about his influence on the Pentium. But the thing I heard about was before the Pentium was designed. That's all that showed up on the first page of a Google search. The earliest reference I quickly located was
https://hackaday.com/2018/01/0... [hackaday.com]
But this clearly isn't what I was referring to. The article I read wasn't about something in production, but rather about an approach to design that was being discussed.
That you couldn't find i
P.S.: Re: Vladimir Pentkovski did it Intel named (Score:2)
After seeing the text I noticed that the link, https://hackaday.com/2018/01/0... [hackaday.com] , didn't show the problem it was discussing. The title of the page was speculative-execution-was-a-troublemaker-for-xbox-360.
Re: (Score:2)
Yes, but I originally encountered the discussion of speculative execution flaws in print media which never hit the internet, and that was the reference to the earliest discussion of the problem that I could quickly find. It wasn't the original discussion (which was, I believe, before the chip was designed), but that (probably) didn't hit the internet, and was, AFAIK, only in print. So this was the best I could easily dig up.
First good news from this whole fiasco (Score:3, Interesting)
Re:You belive this bullshit? (Score:5, Interesting)
Of course intelligence agencies knew about it. While I'm not a huge fan (or detractor though) of Assange, he made a good case for Google being essentially an arm of the State Department. Why do you think that China has such an issue with Google? The US now warns about Chinese cell phone manufacturers and that their products are possibly unsafe, but this is very much a case of the fire pit calling the kettle black.
The NSA certainly knew of, and have likely been exploiting this for years. The only positive in this is that, unlike the last time, at least time time they didn't let their exploit out in the wild. That little gem, not telling the public about zero day vulnerabilities they failed to disclose, which they subsequently weaponized, then lost control of the code for, cost more billions in ransomeware attacks than any other single source.
Re: (Score:2)
Actually, the US govt would have kept it secret (or as secret as they can be - which at best, is pretty poor in general) and allowed the US security services (one of the many 3-letter 'above/outside the law' agencies) to use to exploit for domestic spying activities.
Ban Intel chips for all US government use (Score:4, Insightful)
Is the Feds can ban Kaspersky and Huawei for not being secure for US government usage, perhaps Intel chips should be banned for use in government use.
Oh yeah, Intel is a US company, they can't do that now.
Re: (Score:2)
Re: (Score:3, Insightful)
The problem with your argument is that nothing on the component-level is manufactured in the US. Even "domestically-produced" equipment relies on parts manufactured in China, etc.
Re: (Score:3)
Further, when we say 'components' we don't mean merely things like resistors, we are talking about full circuit boards complete with critical security related firmware, if not the whole system (though the whole system isn't really that much more risky than complete motherboards).
The ship has pretty much sailed for any semblance of diversity of sourcing electronics. The government is left having to do 'secure' looking gestures without being able to address real threats in any significant way.
Re: (Score:1)
Correct. "Made in the USA" stickers nowadays only apply to the sticker.
Re: Ban Intel chips for all US government use (Score:2)
Re: (Score:2)
While I don't know anything about things like the avionics of a miltary aircraft, COTS is at least used to handle TS data and is at least *present* as part of the standard buildout of many vehicles.
So not only do COTS components play a role, they play mission critical roles.
Re: (Score:1)
Re: (Score:3, Interesting)
I'm sure Intel dabbles in plenty of government contracts, but processors are a consumer good, not a defense product.
If Intel had to choose between selling on the international consumer market and selling to the US government, I'm pretty sure they'd dump the government in about 5 seconds.
If the US government really wants a secure processor, they should get a secure processor... instead of using the same consumer-grade contraption that I use to surf the web.
These bugs could be just a back doors (Score:1)
Guys, Russia makes clone of Pentium 4 for its own military applications, its cost is around $3500 per chip and they consider it worth of making. They use them in government computers as well. The PCs have huge memory compared to original Pentium 4's, but idea is clear, don't rely on foreign chip makers.
We don't know probably these bugs are just sophisticated backdoors, which lost its sense when they became discovered by hackers, so Google started to push Intel to fix them.
Re: (Score:1)
The NSA has it's own CPU fabrication facility as well. I don't even want to think about what the per-unit cost is on those.
Re: (Score:3)
I wonder if they also make their own GPUs For use in brute force attacks.
If so could I buy a graphics card off them? I'm sure it would still windup cheaper than the current crypto markup on retail units.
Re: (Score:1)
Re: (Score:2)
They already do this. Who do you think actually controls the world's Crypto farming?
NSA crypto-miners operating from a hidden server farm room built into the Hoover Dam for cheap power and minimal detection.
Re: (Score:1)
US sourcing means shitty products for higher prices. It's probably great for the suppliers, but it is bad news for Americans overall.
That is both batshit insane and mentally retarded. You can't source military and infrastructure parts from a place that might cut you off tomorrow or use it as leverage in negotiations or worse, add backdoors so they can flip all your shit off if a war breaks out. Additionally, if you source the highest tech stuff you need from your own people then they get better at making it because they have a stable customer with stringent requirements. We wouldn't even have an electronics manufacturing (or any other
I'd wager the NSA knew (Score:1)
I bet the NSA knew and kept the information classified so they could use it against adversaries.
Re: (Score:2)
I doubt it, but apparently the idea they did know has given them space in your mind rent free...
I'm guessing they didn't know anymore than Intel knew. But now that they know, I'm sure they are fielding exploits as fast as they can.
Re: (Score:2)
Intel knew, or had reason to know, of the risk. Whether the management did is a different question, of course. I suspect not. But the risk of this kind of attack was discussed publicly before speculative execution chips were designed. I believe that at that point everyone decided that while there was a theoretical risk, it was too difficult to exploit, so it was safe to ignore it.
I don't see any reason to presume that this conclusion was ever privately revisited until extremely recently.
Perhaps they should notify all goverments (Score:2)
...should notifications go out alphabetically?
Cuba, Iran, North Korea, Russia, oh yes, and then the United States.
Not that there wouldn't be certain arguments for notifying the government where the company's headquarters is located, but how exactly would Intel (or any other company working on a global scale) be expected to comply with the myriad of governments that could pass laws requiring that they get notified first. It's a lot simpler and a lot more elegant if everyone finds out at the same time.
Let's do, and say we didn't (Score:1)
don't believe anything else.
That is how moratoriums work. (Score:2)
Why on earth would anyone other than the people directly responsible for patching a security flaw get told about a security flaw. That is the entire point of moratoriums and the whole responsible disclosure business.
The government has no business knowing. Oh and despite the fact that this seems to have hit the popular news today, we actually already covered this here on Slashdot. https://it.slashdot.org/story/... [slashdot.org] I think I need to buy a lottery ticket.
Paid Intel shill lying that AMD = same in 3,2,1... (Score:4, Informative)
Netburst was Intel's utter x86 architecture disaster- but at the time every major tech outlet declared it FAR superior to AMD's infinitely better Athlon 64, cos of Intel's Payolla.
Netburst was going to 10GHz, didn't ya know, and that was all that mattered. But Intel knew the truth, killed Netburst, and rebooted the Pentium 3, crossed with AMD innovations available to Intel via its cross patent licence with AMD.
So CORE 2 was born (now just called core). Only problem was, the dreadful 'engineers' at Intel Israel had sabotaged the design by removing all data privilege tests- the process by which a thread is blocked from accessing data owned by another thread of different privilege.
By dropping these hardware data blocks, Intel's architecture got faster- MUCH faster. And the NSA, GCHQ etc were guaranteed a method by which any user code injection would have access to any data on an Intel part.
Here's the current risk table- Intel since Netburst vs AMD's new amazing Ryzen:
Intel (core2/Core) AMD (Ryzen)
Meltdown: 1000 0
Spectre 500 0.1
AMD is a LITTLE slower per clock per thread on current compiler output down to the fact that Ryzen has low level hardware data privilege circuits, whereas Intel does not. Intel relies on DOMAIN methods- a hybrid technique that relies on trust and the OS.
All current Intel chips are broken by design and unfixable unless you only run one thread at a time on the entire chip and flush every chip asset each time you time slice a new thread. But to do this would reduce Intel's performance by perhaps 80-95%.
Intel cannot fix its architecture within even two years from this date. It needs a from scartch redesign. So Intel instead floods outlets all across the net with anti-AMD FUD.
Smart (Score:5, Interesting)
Intel Chills Abound (Score:1)
They are everywhere, All I want to Know is When Intel is going to Replace the Broken Chips they Sold Everyone???????
In Computers there is no GREY Area it is YES or NO or Right and Wrong Intel Did it the Wrong Way to Get Ahead in the MHZ Race in the END all there CPU's are Broken, Just Take a look at Spot Prices for Replacements the only ones holding there own are Not Intel.
Bullshit. Fake news. (Score:1)
There are many departments in the government, and they don't talk to each other because of secrecy. I'm sure Intel told the "deep state" in both US and Israel. They told the people who hoarde 0-days. And there's no way you would know about it if they did. They just didn't tell all these spinup fragmented Cyberwehr offices all over the place that have no record of keeping secrets, and now one of them is whining about it.
WTF? (Score:1)
Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities
Nice to see them being so proactive over the situation...Oh wait, what's the opposite of that ?
By Intel's standards, I shouldn't need locks on my front door since I haven't been burgled yet.
How do Intel know that nobody had exploited it, or at least weren't developing an exploit.
Makes you wonder, how many other security vulnerabilities there are in Intel chips that they're keeping quiet about ?
Times like this make me glad for the NSA (Score:1)
I hope the US intelligence agencies have deep hacks in place to harvest this kind of intel (pun?). These tech companies should be required to submit full, real-time, access to any possible security violations. Especially those operating as US companies or with a physical presence in the US.
The choice between trusting my US gov't, who supposedly answers to the American people, or a global multinational corporate that answers to no one, is no choice to me at all. I choose the US gov't
Stupid Americans (Score:5, Insightful)
The choice between trusting my US gov't, who supposedly answers to the American people, or a global multinational corporate that answers to no one, is no choice to me at all. I choose the US gov't
It doesn't, the US gov works for the banks and corporations.
That's why banks get bail outs and CEOs get big bonuses.
Re: (Score:2)
What convinced you to trust at least one of them? That was a non-obvious move on your part, and a lot more interesting than how you decided which one to trust.
Re: (Score:1)
Let me know next time the entire US gets a chance to vote Intel out of office.
Re: (Score:1)
Figured that would be the response. Sorry it don't work like that at all. Even if everyone didn't buy an Intel product today, and I challenge you to figure out a way to identify every single product that has Intel-something inside of it, the Intel company would not lose power right away. For one thing, being a global multinational corporation, they are soo diversified that they can withstand the collapse of any number of markets. Any of the these large companies can do that; their only vulnerability is if t
Re: (Score:2)
Re: (Score:1)
#1 leaked: would have been good. It would help embarrass these tech companies so they might stop releasing all this breach ridden trash on us.
#2 shared: isn't that a core principle of /. readers? And are we not also of the view that more eyes on a problem/code is better?
#3 abused it: good. I hope they would have abused it against our opfor
I get all the "who watches the watchers" stuff and I'm not a huge fan of the gov't pervasive invasive, but I trust the big tech companies even less. I made a great career
Re: (Score:1)
If it's not leaked it's not fixed and there is no motivation to be more diligent in the future. We now have mountains of examples about how large MNC tech companies deny, deflect, delay-fixing their security breaches/vulnerabilities while they seek to make new insecure products to sell us.
Let all the security vulnerabilities out in the wild the moment they are noticed; that will simultaneously make all the creators more diligent and all the consumers more selective in what they buy and what parts of their l
A likely story (Score:1)
Just last month there was a story about them notifying the chinese government or something.
I don't think there is anything wrong with that. They should. But at the same time, they should notify the US government (and EU etc) as well.
This is why I think the whole "responsible disclosure" thing is bullshit.
The reality has shown that the companies do nothing in the meantime, and sit on it until the latest possible day.
Better to just let everyone know immediately and put pressure on them to fix it.
Re: (Score:1)
^This. That CPU bug has been known for years and years. Since the vulnerability is a basic design principle that became a core foundation of virtually every CPU manufacturer way beyond just Intel, HOW over these past 20 years, how many engineers and scientists reviewed and made use of this design? 10,000? 100,000? I venture that in 20 years about 1,000,000 engineers, scientists, and students came in contact with this low-level engineering information and I am absolutely certain a whole lot of them realized
Two reasons all recent Intel CPUs have this flaw (Score:2, Interesting)
Go back a few years to AMD's 'terrible' new architecture, Bulldozer (the reason many today still don't trust the insanely good Ryzen design).
The best x86 CPU analyst on the planet discovered that a L1-cache exclusive thread on one bulldozer module ran at 10 (relative performance rating). On the other module also 10, of course. But if both modules ran threads (in L1 cache) at the same time, with ZERO inter-thread code or data dependency, the two threads ran at 8+8, not 10+10. Why? Because SPECULATIVE data de
Re: (Score:3)
Because AMD is careful not to cross privilege levels but Spectre attacks are user mode to user mode. So even though they may be two different users they are still in Ring 3. Spectre can only be used against kernel code if the kernel is convinced to run a user's code for some reason. Like an eBPF byte-code, for example.
But it can work really well for a sandboxed program to steal information from outside the sandbox.
So AMD is still vulnerable to speculation attacks.
NSA Did Not Tell Intel About Flaw Until Public (Score:1)
LEAKED ??? (Score:1)
Who says the feds have to be the first to know?
Not me.
So? (Score:1)
The Great Government Boohoo (Score:2)
Once again, we get to hear about risks to national security. Laughable ones, at that.
You have to assume that every endpoint on your network can be compromised. If your network security model cannot cope with widespread host infection, then your security is garbage. If they really cared about security, their networks should already have mitigations for Meltdown/Spectre-class malware in place.
Meltdown and Spectre aren't the first exploits either. They should have a plan for unexpected malware. There is no rea
Re: (Score:2)
I'm betting that's why Google has a network that's wide open, but access to anything is carefully controlled in other ways.
Re: (Score:2)
You have to wonder too how much the AI is pouring over every new virustotal submission, and web scrape, giving the Google researchers insights as to what vulnerabilities are really out there as the bad guys try to develop them undetected.