Slashdot Mirror


Intel Hit With Three Class-Action Lawsuits Over Meltdown and Spectre Bugs (theguardian.com)

An anonymous reader quotes a report from The Guardian: Intel has been hit with at least three class-action lawsuits over the major processor vulnerabilities revealed this week. Three separate class-action lawsuits have been filed by plaintiffs in California, Oregon and Indiana seeking compensation, with more expected. All three cite the security vulnerability and Intel's delay in public disclosure from when it was first notified by researchers of the flaws in June. Intel said in a statement it "can confirm it is aware of the class actions but as these proceedings are ongoing, it would be inappropriate to comment." The plaintiffs also cite the alleged computer slowdown that will be caused by the fixes needed to address the security concerns, which Intel disputes is a major factor. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," Intel said in an earlier statement.

24 of 220 comments

  1. Naturally.. by Junta · · Score: 4, Insightful

    This is an obvious outcome. It's worth keeping in mind that filing a suit does not vindicate or disprove anyone, as there's no way to ascertain whether there will be merit in the suit at this point. All it means is there's enough lawyers willing to make a wager when faced with such a *huge* potential payout.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  2. Intel ME by Anonymous Coward · · Score: 2, Interesting

    ...while nobody's suing them for their Management Engine garbage. The two bugs may or may not be intentional, but the Intel Management Engine is absolutely intentional and cannot be disabled.

    Of course nothing will ever come out of these lawsuits other than the lawyers getting richer.

    1. Re:Intel ME by Hal_Porter · · Score: 2, Funny

      Of course nothing will ever come out of these lawsuits other than the lawyers getting richer.

      Shut up! We're all going to get free replacement i5s and i7s with the bug fixed! I want to believe!

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  3. Stop buying Intel chips. by Gravis+Zero · · Score: 4, Interesting

    If you just look at Intel's legal history, you'll see they have been mired in accusations and convictions of unethical and anti-competitive business practices since the early 1980s. Buying from Intel has always been a devil's bargain, it's just now that you are realizing what you have done because it's directly affecting you.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Stop buying Intel chips. by Archtech · · Score: 2

      "Power tends to corrupt and absolute power corrupts absolutely". - Lord Acton, 1887

      A corporation like Intel represents a very great concentration of power. It has enormous wealth, and controls not only the working lives of all its employees but the computing abilities of all its customers, and their customers all the way downstream.

      In a near-monoculture of Microsoft-on-Intel, any serious defects such as Meltdown and Spectre are inevitably inflicted on millions of individuals, corporations and governments, as there is little choice of supplier and most will go for the cheapest and most popular.

      --
      I am sure that there are many other solipsists out there.
    2. Re:Stop buying Intel chips. by HiThere · · Score: 2

      Every chip that has speculative execution has the Spectre problem. The Meltdown problem is because the Intel chips execute code that they could know is invalid rather than detecting that it's invalid before they execute it. AFAIK, nobody but Intel has that problem.

      OTOH, the entire family of weaknesses means that EVERYBODY is going to need to redesign their chips. So far Spectre hasn't been shown to be usable in a way that breaks protection, but I think everyone believes it's only a matter of time.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
  4. This Will Go Nowhere by alternative_right · · Score: 5, Insightful

    Court: "OK, so your chip turned out to have a flaw, the company took extra time to investigate, and now your computer is slower sometimes. How is that different than the average Microsoft or Apple update?"

    Intel's lawyers will delay this until the hype is forgotten, and either kill it in court or settle for some absurdly low sum, so that all of the plaintiffs get checks for $0.64 if they remember to sign up at IntelProcessorSlowdownLawsuit.com before December 31, 2019.

    1. Re:This Will Go Nowhere by WankerWeasel · · Score: 2

      Remember that there's zero requirement to upgrade. The processor still performs as originally claimed. It's only if they choose to be secure that they may see a performance hit. There was never any guarantee that there'd be no security issues or that performance would be as advertised always no matter what patching was applied.

    2. Re:This Will Go Nowhere by Zuriel · · Score: 4, Interesting

      As I understand it, it's not the cheating, it's sloppy cheating that's the problem. If they did a privilege check like AMD claims to then speculation in a user process couldn't lead to fetching kernel data into the cache. Zeroing the unnecessarily fetched data after speculation would mean it wasn't left sitting in the cache. Intel could have done either of these things, probably with no real performance penalty but they didn't think to.

      If you want a CPU that doesn't 'cheat', go get yourself a 2011 Intel Atom. They run like ass. Have fun.

    3. Re:This Will Go Nowhere by Zocalo · · Score: 4, Interesting

      Actually, it's kind of in the middle. The problem isn't really that Intel tried to take a shortcut and boost performance with speculative execution, it's that they tried to take too big a shortcut and dropped some (all?) of the bounds checking as well. Since bounds checking provides security, and they must know this, they basically took a design decision to roll the dice with potential security flaws in exchange for a couple of extra performance points and, potentially, a slightly simpler design.

      The current approach is to do any bounds checking *after* the speculative execution in the event that the branch is to be executed, which is what enables the kernel memory to be leaked to userspace programmes. The secure way of doing it would be to do the bounds checking *during* the speculative execution, just as you would with normal execution, and in the event of a page fault fall back to the non-speculative execution approach. That would still be slightly slower, but not as bad as forcing the non-speculative execution approach every time, which is what the patches have now enforced.

      It's a deliberate design decision, they should have known what the risks were, and there are a growing number of real world instances of applications showing repeatable ~30% performance hits directly attributable to the "fixes" (I've seen one myself firsthand that resulted in a public transport time tabling system failing). It might not work out so lucrative for an individual John Q. Public in a class action lawsuit, but it's starting to look quite likely that Intel is going to get reamed in the courts over this if they can't come up with a better workaround P.D.Q.

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:This Will Go Nowhere by mikael · · Score: 4, Informative

      They did do bounds tests. That generates exceptions, but a thread or process can catch those exceptions and ignore them. Because the CPU is pipelined, and different instruction sub-tasks take different amounts of time, it's more efficient to assume reads will be successful and to start those sub-tasks that take the longest time first. A memory fetch from off-CPU memory chips takes way longer than a bounds check. So it's better off sending out the request to load that memory location into cache on the chance that it will be a valid address, then do the bounds test to generate an exception, then roll back the speculative state if an error occurs. But the state of the cache wasn't rolled back. So some data values were evicted to make way for the new data. Those could be read back.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    5. Re:This Will Go Nowhere by Wrath0fb0b · · Score: 4, Insightful

      It's not sloppy cheating, it's following the machine model. The way we all understood this 3 weeks ago is that speculative execution can have no visible side effects on the program-observable state of registers/memory. Now we've changed the model to extend the idea that speculative execution across privilege boundaries must also not have any observable side-channels.

      This really is a change to the x86 machine model.

    6. Re:This Will Go Nowhere by DontBeAMoran · · Score: 4, Funny

      Well, there's always the quad-core Atom, which runs like four asses.

      --
      #DeleteFacebook
  5. Bloody idiots by gnasher719 · · Score: 4, Insightful

    If Intel had disclosed that as soon as they knew, with no fix known or available, _that's_ when you would have a reason to sue them. My Mac got mostly protected some time in December. If Intel had disclosed this, there would have been 5 months open to hackers to attack me.

    1. Re:Bloody idiots by hcs_$reboot · · Score: 3, Insightful

      This is not how it worked. Intel has been aware for quite a long time, a year or more probably. Google found the problem in June, and vendors were made aware around that time. If it wasn't for Google, the issues would probably still be kept secret by Intel (until a hacker or another country finds and takes advantage of the vulnerability). Intel should have informed vendors a long time ago, like Google did, without of course making the issue a public story until a fix is installed. But Intel admitting the flaw would have triggered many compensation requests. This is one reason why the class action makes sense.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Bloody idiots by GuB-42 · · Score: 3, Insightful

      What makes you think Intel knew that a year ago?
      All Intel CPUs with speculative execution are affected by Meltdown, and all CPUs with speculative execution, including those by AMD and ARM, are vulnerable to Spectre. Intel discovering that a year before Google would be a coincidence. It is not just a bug, it is a fundamental issue in the way all modern CPUs are designed.

    3. Re:Bloody idiots by Kohath · · Score: 2

      Class action lawsuits are about lawyers getting paid. In order for lawyers to get paid more, they have to say Intel did the wrong thing. Therefore, Intel did the wrong thing, regardless. If they waited, it's wrong. If they didn't wait, it's wrong. If they both waited and didn't wait, it's doubly wrong. Because money for lawyers.

  6. Computers are undecidable by info6568 · · Score: 2

    Computers have sense because they are general usage (i.e. universal) machines.

    Then, it is possible to do many things with them, even more than the original designers visualized. This is why we have Windows, Linux, MacOS, Virtualization and many embedded applications using exactly the same chips, making the effort to create complex solutions extremely cheap and in a timely fashion.

    But this means that the undecidable nature of what can be done with the computer brain, the CPU, tends to create some undesired circumstances. In fact where a person will see a problem, another one will devise an opportunity to create some interesting type of functionality.

    The real problem is that we have been building a very complex infrastructure thinking that the behavior for some CPU characteristic was A when it was really B, and now that the difference has been discovered that infrastructure and its capacity becomes dangerous to use as it is. And ... we need to evolve. Of course people are angry, but this is not the first time, nor will it be the last, that something like this happens, particularly with clever people trying to expand the computer capacities.

    What to do? Understand, Change (if you call that change a "fix" or an "improvement" it is OK) and Continue. And never put all the eggs in the same basket, because we are not clear when this type of thing will happen again.

  7. Suits may be dismissed by Kohath · · Score: 4, Insightful

    Since there are zero cases where the flaw has been exploited to cause any problems, no one has suffered any economic harm. You need to have been harmed in some way to have standing to sue.

    And Intel will also argue that they never promised any different chip behavior. They are not issuing any errata. The chips work correctly as designers intended, just like other vendors’ chips.

    I expect at least a couple of these lawsuits to be thrown out by judges. Maybe all of them will be dismissed.

    1. Re:Suits may be dismissed by Nkwe · · Score: 2, Insightful

      Since there are zero cases where the flaw has been exploited to cause any problems, no one has suffered any economic harm. You need to have been harmed in some way to have standing to sue.

      If your processor performs even 1% slower because of a bug in the hardware itself, you can easily call that being harmed, especially if you're a business that relies on that performance in any way.

      Intel is not making your existing processor run 1% (or any percentage) slower. Your processor runs the same speed as the day you purchased it. If you or on your behalf Microsoft or some other operating system vendor plan on changing / patching your operating system with a version that runs slower than a previous version, how is this Intel's fault? Machines will only run slower if you change the software that runs on them.

      The computing industry makes security vs. performance and usability design decisions all the time. Intel made such a decision when they designed the cache behavior during speculative execution. Operating system vendors are making such a decision with the patches that are being / have been written. With respect to the case of this specific patch that decreases performance in favor of security, if you want to sue someone sue your operating system vendor for forcing a patch on you that you don't want. That is if you actually don't want the patch. My guess is that you do want the patch and if you do want the patch it means you would rather have security over performance. If you do want security over performance, you don't really have a lawsuit. Just because you want both security and performance doesn't mean that you can have both.

  8. Re: God bless America!! by Archtech · · Score: 5, Insightful

    You seem to have a design fault: an extra inverter somewhere.

    Socialism is concerned with other people and how a community can be run in the interests of all its members. In practice, there is no other way for humans to live decently. Among others, it was warmly recommended by Jesus Christ.

    The people who cry "Me me me!!! It's all about ME!" are rabid ultra-capitalists - as represented, I take it, by the Republican Party. Unfortunately, the Democratic Party has chosen to be a carbon copy of the Republicans rather than an alternative.

    --
    I am sure that there are many other solipsists out there.
  9. Depends on what happens during discovery by rsilvergun · · Score: 2

    I'd expect subpoenas here. This is a 20 year old bug, and one that gave Intel a significant performance edge over AMD. It's entirely possible Intel has known for decades. One stray email is all it would take to blow this up like you wouldn't believe.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  10. Re:It's easy to show harm, actually.... by Anonymous Coward · · Score: 2, Informative