Date: 2018-02-23
Intel Did Not Tell US Cyber Officials About Chip Flaws Until Made Public (reuters.com)
Intel Corp did not inform U.S. cyber security officials of Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet notified the chipmaker of the problems, according to letters sent by tech companies to lawmakers on Thursday. From a report: Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities. Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.
At least as likely would be an almost instantaneous leak of the information to the press...
Of course intelligence agencies knew about it. While I'm not a huge fan (or detractor though) of Assange, he made a good case for Google being essentially an arm of the State Department. Why do you think that China has such an issue with Google? The US now warns about Chinese cell phone manufacturers and that their products are possibly unsafe, but this is very much a case of the fire pit calling the kettle black.
The NSA certainly knew of, and have likely been exploiting this for years. The only positiv
Actually, the US govt would have kept it secret (or as secret as they can be - which at best, is pretty poor in general) and allowed the US security services (one of the many 3-letter 'above/outside the law' agencies) to use to exploit for domestic spying activities.
If the Feds can ban Kaspersky and Huawei for not being secure for US government usage, perhaps Intel chips should be banned for use in government use.
Oh yeah, Intel is a US company, they can't do that now.
The problem with your argument is that nothing on the component-level is manufactured in the US. Even "domestically-produced" equipment relies on parts manufactured in China, etc.
Further, when we say 'components' we don't mean merely things like resistors, we are talking about full circuit boards complete with critical security related firmware, if not the whole system (though the whole system isn't really that much more risky than complete motherboards).
The ship has pretty much sailed for any semblance of diversity of sourcing electronics. The government is left having to do 'secure' looking gestures without being able to address real threats in any significant way.
Correct. "Made in the USA" stickers nowadays only apply to the sticker.
I'm sure Intel dabbles in plenty of government contracts, but processors are a consumer good, not a defense product.
If Intel had to choose between selling on the international consumer market and selling to the US government, I'm pretty sure they'd dump the government in about 5 seconds.
If the US government really wants a secure processor, they should get a secure processor... instead of using the same consumer-grade contraption that I use to surf the web.
The NSA has its own CPU fabrication facility as well. I don't even want to think about what the per-unit cost is on those.
...should notifications go out alphabetically?
Cuba, Iran, North Korea, Russia, oh yes, and then the United States.
Not that there wouldn't be certain arguments for notifying the government where the company's headquarters is located, but how exactly would Intel (or any other company working on a global scale) be expected to comply with the myriad of governments that could pass laws requiring that they get notified first. It's a lot simpler and a lot more elegant if everyone finds out at the same time.
don't believe anything else.
Why on earth would anyone other than the people directly responsible for patching a security flaw get told about a security flaw? That is the entire point of moratoriums and the whole responsible disclosure business.
The government has no business knowing. Oh and despite the fact that this seems to have hit the popular news today, we actually already covered this here on Slashdot. https://it.slashdot.org/story/... [slashdot.org] I think I need to buy a lottery ticket.
I hope the US intelligence agencies have deep hacks in place to harvest this kind of intel (pun?). These tech companies should be required to submit full, real-time, access to any possible security violations. Especially those operating as US companies or with a physical presence in the US.
The choice between trusting my US gov't, who supposedly answers to the American people, or a global multinational corporate that answers to no one, is no choice to me at all. I choose the US gov't