Slashdot Mirror

← Back to Stories (view on slashdot.org)

Nope, No Intel Chip Recall After Spectre and Meltdown, CEO Says (cnet.com)

Posted by msmash on from the aftermath dept.

Hoping the Meltdown and Spectre security problems might mean Intel would be buying you a shiny new computer after a chip recall? Sorry, that's not on the cards. From a report: Intel famously paid hundreds of millions of dollars to recall its Pentium processors after the 1994 discovery of the "FDIV bug" that revealed rare but real calculation errors. But Intel CEO Brian Krzanich said the new problems are much more easily fixed -- and indeed are already well on their way to being fixed, at least in the case of Intel-powered PCs and servers. "This is very very different from FDIV," Krzanich said, criticizing media coverage of Meltdown and Spectre as overblown. "This is not an issue that is not fixable... we're seeing now the first iterations of patches." On Thursday, Intel said it was aiming to fix 90 percent of all Intel products that have been introduced within the past year by end of next week. CNET asked if the company was looking at older Intel processors? From the report: "We're working with [computer makers] to determine which ones to prioritize based on what they see as systems in the field," an executive at the company said. Intel also is fixing the problem in future chips, starting with products that will arrive later this year. Intel is effectively taking the software fixes being released now and building them directly into hardware, he said.

10 of 372 comments (clear)

  1. It isn't his decision by 110010001000 · · Score: 5, Insightful

    Once the lawsuits come rolling in he won't have a choice. This isn't fixable. The best you can do is mitigate the damage. Good thing he sold all his stock before this went public.

    1. Re:It isn't his decision by 110010001000 · · Score: 5, Informative

      FROM THE PEOPLE WHO ACTUALLY FOUND THE FLAW:

      https://spectreattack.com/

      Which systems are affected by Meltdown?
      Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors.

      Really, are you that ill-informed?

    2. Re:It isn't his decision by Anonymous Coward · · Score: 5, Informative

      FROM THE PEOPLE WHO ACTUALLY FOUND THE FLAW:

      The GP's "Citation please" was referring to the fact that "MELTDOWN is INTEL ONLY." AFAICT. Which it is. From Section 6.4 of the Meltdown paper:

      We also tried to reproduce the Meltdown bug on several ARM and AMD CPUs. However, we did not manage to successfully leak kernel memory with the attack described in Section 5, neither on ARM nor on AMD.

      In summary:
      * Meltdown: Intel-only
      * Specture: everyone

  2. A recall is absurd. Software is a thing. by Anonymous Coward · · Score: 5, Insightful

    It's not possible recall all the processors that ever existed. Society doesn't have the resources even to think about such a thing.

    Besides, computers run software, which is almost infinitely malleable; it can be crafted to mitigate the problems of hardware—as it has always done. So much of programming is about working around someone else's boneheaded mistakes.

    Now, that being said, this is actually a good reason to support FOSS. You cannot trust other people (especially large, flush corporations) to care enough about your particular situation to fix up the software so as to mitigate such problems. If only more software in the world were open to inspection, then at least people who really care could go about fixing things themselves, and the rest of you consumer nitwits could at least benefit from their hard work, too.

    We'll get there one day.

  3. Sorry, but no, sorry. It's not "fixed" by Opportunist · · Score: 5, Informative

    Well, maybe in the veterinary sense, but I didn't plan to buy a castrated CPU.

    First, the problem is in the processor logic itself. We're talking about a design flaw that could only "really" be patched by re-etching the silicon. I highly doubt that he has found a way to rework the die. This isn't some BIOS feature we have to patch. Intel's promise now is that they found a way to manage the problem in microcode. And whether the microcode patch will do any good is still to be seen. Personally, my stance is "seeing is believing".

    Mostly because there is a second aspect: ALL, and I do mean ALL, possible approaches to fixing this can only be done with a drop in performance. There is no way this can be addressed without taking a performance hit. Especially high I/O applications like database processing is severely affected by the current patches, postgresql cited performance drops of up to 30%.

    Simply having the gall to state that this is no reason for a recall takes quite the chutzpah. I kinda wonder whether various high performance data centers will simply swallow this.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Lawsuits on what grounds? by 110010001000 · · Score: 5, Interesting

    Yes, it is insecure by design. What do you think the bug is? You cannot fix Meltdown because the flaw is in the hardware. You can only mitigate the effects.

  5. Intel *will* settle at some point... by MetricT · · Score: 5, Interesting

    The bug primarily affects large cloud vendors like Google, Facebook (who have entire buildings filled with lawyers) and HPC clusters (many of which have law *schools*).

    Without the patch, the computers are vulnerable, and large data centers *must* upgrade given the size and value of the target they are. However, the loss in performance may be substantial. I help manage a ~2000 server HPC cluster. If the patch causes us to lose 5% of our performance, that's like throwing 100 computers away. Which is completely and utterly unacceptable, and we as well as others have the resources to make that crystal clear to Intel.

  6. Re:Lawsuits on what grounds? by Anne+Thwacks · · Score: 5, Informative
    OTOH if the "lock" won't remain closed if you "look at it from the wrong angle", then its not a lock, its a scam.

    This design error contains at least three features worthy of "www.wtf.com":

    • The branch prediction trains on other people's threads: that is like your satnav giving you directions based on other cars movements.
    • The speculative execution can access data it is not supposed to: that is like you can imagine your are in a different person's house, and nick their things. Even in the 1970's the data returned by other 16 bit machines in this situation would have been "0xf001" and by 24 bit ones "FOOL" as 6-bit baudot code. Its not like this is not a well documented situation.
    • You can read the pipeline cache for speculative stuff that was abandoned when not in kernel AND debug mode that on its own is a completely unacceptable design defect. Worse, since it was known to contain other threads' data (at least by Intel).

    That is the three no-nos we know about. There must be at least one more we don't know being held back because it is even worse.

    Whoever designed this stuff MUST have known it would behave like that, same way the Volkswagen engineers knew what was going on. Someone signed the designs into production. Presumably the first time round it was "let's chance it" and subsequently "well, we got away with it last time".

    I am guessing quite a few people knew about some of it - like people debugging the compilers for example.

    If you want to know why NDAs should not be permitted this is it! Use an Open Source architecture if you want accountability.

    --
    Sent from my ASR33 using ASCII
  7. Question on Timing by ytene · · Score: 5, Interesting

    A lot of people are commenting on the fact that Intel's CEO sold the maximum permissible amount of company stock [or options - it isn't clear which] *after* Intel were notified of the bug and *before* this was made public.

    But I'm interested in this for a slightly different reason. In mid-December 2017 I purchased a new computer system. I had been saving up for it for a very considerable period of time... It is based around the Core i7-7700T processor, which I now understand to be one which will be impacted and likely to "slow down" as the patches for Windows and Linux are deployed.

    But Intel knew that the chip that I would be buying was materially defective. Whilst I accept that they have taken steps to apply corrective software fixes, that doesn't detract from the fact that I could have chosen to defer my purchase until a "clean" chip was released. Here we have the CEO saying "no recall", yet how are Intel's actions any different from i.e. the Ford Motor Company / Firestone Tire issue?

    Are Intel claiming that they have no legal obligation to sell working product? Or to take appropriate steps to notify customers in a timely manner? If they knew about this in October, has it *really* taken this long to get patches ready and come clean? And what about all the product already in the supply chain?

    I would be *very* interested to see any data from Intel's distributors or channel suppliers to get a better handle on shipment volumes in the time slot in question. Very interested to know if Intel made a push to "get rid" of known bad stock. Very interested to know what the lead time is for good silicon.

    Anyone got any real-world experience of these scenarios?

  8. Re:Lawsuits on what grounds? by networkBoy · · Score: 5, Insightful

    I'm guessing you don't work on this stuff do you...

    I never worked on the CPUs (I was chipsets), but I certainly have plenty of experience with unintended effects.

    * That it trains on other data is a non issue.
    * That it allows privileged access as part of a prediction is a mild (at best) issue.
    * That it doesn't have a prediction fail recovery mechanism (e.g. zero the cache for the failed prediction) is a minor issue.

    HOWEVER
    When these component issues combine together it is a *huge* flaw.

    How can this happen?
    * designers are idiots?
    -no, if they were idiots they certainly wouldn't have a working part at all. This stuff is _complex_

    * different smart designers worked on different parts, but in isolation?
    -ding! winner. It is highly likely that there was more than one team involved and as a result each validated their block works, and they validated that the system works. No one person saw the *whole* picture and as a result this vulnerability exists.

    Now, once a designed block is done, the industry standard is to leave it the fsck alone! So this block of VHDL likely was re-used and tweaked for process changes, but never actually fully re-factored, so no one ever saw the big picture at all.

    That is how bugs like this come to be.

    If you want to beat people up about it, it's not the engineers that should be beaten, it is management that keeps the engineers under such schedule pressure that there is *never* a window to review and refactor something unless it's flatly broken. Beat up senior management for how they're handling this whole thing...

    But leave the guys in the trenches out of it. I guarantee you they were doing their best.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump