Intel Hit With Three Class-Action Lawsuits Over Meltdown and Spectre Bugs

An anonymous reader quotes a report from The Guardian: Intel has been hit with at least three class-action lawsuits over the major processor vulnerabilities revealed this week. Three separate class-action lawsuits have been filed by plaintiffs in California, Oregon and Indiana seeking compensation, with more expected. All three cite the security vulnerability and Intel's delay in public disclosure from when it was first notified by researchers of the flaws in June. Intel said in a statement it "can confirm it is aware of the class actions but as these proceedings are ongoing, it would be inappropriate to comment." The plaintiffs also cite the alleged computer slowdown that will be caused by the fixes needed to address the security concerns, which Intel disputes is a major factor. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," Intel said in an earlier statement.

Naturally..

[Junta]

This is an obvious outcome. It's worth keeping in mind that filing a suit does not vindicate or disprove anyone, as there's no way to ascertain whether there will be merit in the suit at this point. All it means is there's enough lawyers willing to make a wager when faced with such a *huge* potential payout.

Stop buying Intel chips.

[Gravis+Zero]

If you just look at Intel's legal history, you'll see they have been mired in accusations and convictions of unethical and anti-competitive business practices since the early 1980s. Buying from Intel has always been a devil's bargain, it's just now that you are realizing what you have done because it's directly affecting you.

This Will Go Nowhere

[alternative_right]

Court: "OK, so your chip turned out to have a flaw, the company took extra time to investigate, and now your computer is slower sometimes. How is that different than the average Microsoft or Apple update?"

Intel's lawyers will delay this until the hype is forgotten, and either kill it in court or settle for some absurdly low sum, so that all of the plaintiffs get checks for $0.64 if they remember to sign up at IntelProcessorSlowdownLawsuit.com before December 31, 2019.

Re:This Will Go Nowhere

[Zuriel]

As I understand it, it's not the cheating, it's sloppy cheating that's the problem. If they did a privilege check like AMD claims to then speculation in a user process couldn't lead to fetching kernel data into the cache. Zeroing the unnecessarily fetched data after speculation would mean it wasn't left sitting in the cache. Intel could have done either of these things, probably with no real performance penalty but they didn't think to.

If you want a CPU that doesn't 'cheat', go get yourself a 2011 Intel Atom. They run like ass. Have fun.

Re:This Will Go Nowhere

[Zocalo]

Actually, it's kind of in the middle. The problem isn't really that Intel tried to take a shortcut and boost performance with speculative execution, it's that they tried to take too big a shortcut and dropped some (all?) of the bounds checking as well. Since bounds checking provides security, and they must know this, they basically took a design decision to roll the dice with potential security flaws in exchange for a couple of extra perforance points and, potentially, a slightly simpler design.

The current approach is to do any bounds checking *after* the speculative execution in the event that the branch is to be executed, which is what enables the kernel memory to be leaked to userspace programmes. The secure way of doing it would be to do the bounds checking *during* the speculative execution, just as you would with normal execution, and in the event of a page fault fall back to the non-speculative execution approach. That would still be slightly slower, but not as bad as forcing the non-speculative execution approach every time, which is what the patches have now enforced.

It's a deliberate design decision, they should have known what the risks were, and there are a growing number of real world instances of applications showing repeatable ~30% performance hits directly attributable to the "fixes" (I've seen one myself firsthand that resulting in a public transport time tabling system failing). It might not work out so lucrative for an individual John Q. Public in a class action lawsuit, but it's starting to look quite likely that Intel is going to get reamed in the courts over this if they can't come up with a better workaround P.D.Q.

Re:This Will Go Nowhere

[mikael]

They did do bounds tests. That generates exceptions, but a thread or process can catch those exceptions and ignore them, Because the CPU is pipelined, and different instruction sub-tasks take different amounts of time, it's more efficient to assume reads will be successful and to start those sub-tasks that take the longest time first. A memory fetch from off-CPU memory chips takes way longer than a bounds check. So it's better off sending out the request to load that memory location into cache on the chance that it will be a valid address, then do the bounds test to generate an exception, then roll back the speculative state if an error occurs. But the state of the cache wasn't rolled back. So some data values were evicted to make way for the new data. Those could be read back.

Re:This Will Go Nowhere

[Wrath0fb0b]

It's not sloppy cheating, it's following the machine model. The way we all understood this 3 weeks ago is that speculative execution can have no visible side effects on the program-observable state of registers/memory. Now we've changed the model to extend the idea that speculative execution across privilege boundaries must also not have any observable side-channels.

This really is a change to the x86 machine model.

Re:This Will Go Nowhere

[DontBeAMoran]

Well, there's always the quad-core Atom, which runs like four asses.

Bloody idiots

[gnasher719]

If Intel had disclosed that as soon as they knew, with no fix known or available, _that's_ when you would have a reason to sue them. My Mac got mostly protected some time in December. If Intel had disclosed this, there would have been 5 months open to hackers to attack me.

Re:Bloody idiots

[hcs_$reboot]

This is not how it worked. Intel has been aware for quite a long time, a year or more probably. Google found the problem in June, and vendors were made aware around that time. If it wasn't for Google, the issues would probably still be kept secret by Intel (until a hacker or another country find and take advantage of the vulnerability). Intel should have informed vendors a long time ago, like Google did, without of course making the issue a public story until a fix is installed. But Intel admitting the flaw would have triggered many compensation requests. This is one reason why the class action makes sense.

Re:Bloody idiots

[GuB-42]

What makes you think Intel knew that a year ago?
All Intel CPUs with speculative execution are affected by Meltdown, and all CPUs with speculative execution, including those by AMD and ARM are vulnerable to Spectre. Intel discovering that a year before Google would be a coincidence. It is not just a bug, it is a fundamental issue in the way all modern CPUs are designed.

Suits may be dismissed

[Kohath]

Since there are zero cases where the flaw has been exploited to cause any problems, no one has suffered any economic harm. You need to have been harmed in some way to have standing to sue.

And Intel will also argue that they never promised any different chip behavior. They are not issuing any errata. The chips work correctly as designers intended, just like other vendors’ chips.

I expect at least a couple of these lawsuits to be thrown out by judges. Maybe all of them will be dismissed.

Re: God bless America!!

[Archtech]

You seem to have a design fault: an extra inverter somewhere.

Socialism is concerned with other people and how a community can be run in the interests of all its members. In practice, there is no other way for humans to live decently. Among others, it was warmly recommended by Jesus Christ.

The people who cry "Me me me!!! It's all about ME!" are rabid ultra-capitalists - as represented, I take it, by the Republican Party. Unfortunately, the Democratic Party has chosen to be a carbon copy of the Republicans rather than an alternative.