OpenBSD's De Raadt Pans 'Incredibly Bad' Disclsoure of Intel CPU Bug

troublemaker_23 quotes ITWire: Disclosure of the Meltdown and Spectre vulnerabilities, which affect mainly Intel CPUs, was handled "in an incredibly bad way" by both Intel and Google, the leader of the OpenBSD project Theo de Raadt claims. "Only Tier-1 companies received advance information, and that is not responsible disclosure -- it is selective disclosure," De Raadt told iTWire in response to queries. "Everyone below Tier-1 has just gotten screwed."
In the interview de Raadt also faults intel for moving too fast in an attempt to beat their competition. "There are papers about the risky side-effects of speculative loads -- people knew... Intel engineers attended the same conferences as other company engineers, and read the same papers about performance enhancing strategies -- so it is hard to believe they ignored the risky aspects. I bet they were instructed to ignore the risk."

He points out this will make it more difficult to develop kernel software, since "Suddenly the trickiest parts of a kernel need to do backflips to cope with problems deep in the micro-architecture." And he also complains that Intel "has been exceedingly clever to mix Meltdown (speculative loads) with a separate issue (Spectre). This is pulling the wool over the public's eyes..."

"It is a scandal, and I want repaired processors for free."

"I want repaired processors for free"

[Lisandro]

You know, he's not wrong. This is, in impact, way bigger than Intel's FDIV fiasco and that ended up in recalls.

Re: "I want repaired processors for free"

How far does the recall go? Should there just be a recall for Meltdown, or does that also extend to Spectre?

There wasn't a software workaround for the FDIV bug, which is why there was a recall. The F00F bug did have a software workaround, which is why there wasn't a recall for that bug. Meltdown also has a software workaround, though one with a potentially significant performance hit. Meltdown seems more like the F00F bug in that respect. Arguably, Spectre is a better candidate for a recall than Meltdown. Although there is a software workaround for it (see retopline), it cannot be implemented just by patching the operating system.

The problem here is that some of these features were designed over 20 years ago, when security wasn't as much of a priority. The feature worked and didn't present obvious security issues, so nobody tried to fix what didn't seem to be broken. It wouldn't surprise me at all if many other potentially serious vulnerabilities were lurking in hardware.

Re:"I want repaired processors for free"

[thegarbz]

Isn't he? Firstly clearly the distribution was too wide as it was given there was a moratorium on disclosure scheduled for tomorrow to allow all patching to be in place in advance.

Secondly he has in the past jumped the gun on responsible disclosure, parroting OpenBSD as the secure alternative patting himself on the back for being the first.

Thirdly there are multiple groups now that refuse to work with him for this very reason. The OpenSSL team also disclosed to others before OpenBSD for the same reason.

He shat in his bed, and now is complaining that he has to sleep in it.

Re:"I want repaired processors for free"

[nctritech]

A recall of every CPU since 2006 would decimate (if the recall isn't heavily utilized) or likely even bankrupt Intel. The Core 2 generation is the oldest practical Intel CPU (yes, I know this is a subjective statement, thus "practical") on which you can run Windows 10 and modern software. Every computer running Windows 10 and an Intel chip would need CPU replacement. We are talking quite literally several billion processors since Intel sells a few hundred million per year. Intel's market cap is over 200 billion dollars, but even if they were expected to replace 1 billion $100 processors that's half of the company's value. Since we're talking about 11 years worth of processors there is potential for the number to be more like 3-4 billion processors. This is purely the financial side and ignores all of the logistics which would be a totally separate nightmare. Intel is incapable of manufacturing anywhere close to that many processors in a year ESPECIALLY if they continue to sell new processors while doing the recall.

Intel simply cannot afford to recall all affected processors. Do not expect it to happen because it won't. They will obscurity-by-corporate-speak their way out of this in a way that could make Enron's obfuscated lies look tame. If there were no software mitigation they would have few straws to grasp at, but the OS workarounds give them a tiny escape door and you better believe that they'll hire a whole crew of bulldozers to force this massve elephant through it.

Re:"I want repaired processors for free"

[StormReaver]

Firstly clearly the distribution was too wide as it was given there was a moratorium on disclosure scheduled for tomorrow to allow all patching to be in place in advance.

You largely validated his posting with this one sentence. This is exactly what he's complaining about. How do you expect patching to be in place in advance for OpenBSD if the kernel developers weren't notified? Since OpenBSD isn't Tier-1, so they weren't notified. Apparently, only Microsoft was notified in advance, which is a clusterfuck so big, that should be reason enough to prove willful negligence by Intel.

I completely agree with Theo.

Re:"I want repaired processors for free"

[MSG]

How do you expect patching to be in place in advance for OpenBSD if the kernel developers weren't notified?

You're missing the point. The OpenBSD team would be notified if they cooperated with the temporary embargoes that are in place to provide vendors time to patch before attacks are developed and deployed. They haven't, in the past, so they're no longer in the group that gets advance notice.

Re:"I want repaired processors for free"

[thegarbz]

You largely validated his posting with this one sentence. This is exactly what he's complaining about.

And if you don't take that sentence out of context you'll have seen the point. What happened to OpenBSD and Theo is the fault of precisely one person: Theo.

Hell when we discussed this on Slashdot there were a lot of posters saying that Theo's actions at the time would hurt the OpenBSD community as people would not disclose the vulnerabilities to them. Looks like they were right too.

I agree the OpenBSD community is in a bad place. I also agree with Theo, but only in that his actions have spoken louder than his words.

Re:Disagree

[TheRaven64]

That doesn't explain why FreeBSD wasn't notified until 5-6 months after Intel and ARM knew about the issue and until after Apple had shipped a patch. It also wasn't helped that there was no real coordination in releases. Apple shipped a binary update and there were patches in the Linux tree containing mitigation before the official end of the embargo period.

Re:Freedom demands Open Hardware also

[Wootery]

This is a question of quality, not idealism and perverse incentives.

We aren't talking about IME here. You seem to be blindly assuming that Open hardware is always free of faults.

Re:"I bet they were instructed to ignore the risk"

[lucasnate1]

Funny, both me and my friend worked at companies where we were told to ignore risk. Why would intel be different?

He and Linus are Spot On

[segedunum]

This has been extremely worrying. What's more worrying are the number of 'security researchers' regurgitating Intel's bullshit verbatim. We have yet to fully see the fallout from this.

He's also dead right in that Intel has been mixing up the two issues, Meltdown and Spectre, deliberately, so they could tell everyone that it wasn't just Intel that was affected, and they also gave the impression that Spectre had been fixed when it was Meltdown that had been mitigated - with a patch that creates unacceptable performance problems, to a lesser or a greater extent.

Yes, all processor manufacturers are affected by Spectre, but it is Intel that is mostly affected because they implemented speculative loads badly without much attempt at segregation. They've also attempted to pass this off as 'historical architectural decisions we can do nothing about, but it is working as designed'.

Open hardware is going to be hard

[sjbe]

Open Hardware doesn't fix problems in silicon that has already been manufactured. It might help with the next generation but it won't prevent bugs from appearing in the first place.

Bear in mind that the reason Open Source software works so well is that the marginal cost of (re)production is close to zero and that there are (comparatively) minimal capital costs. Really you just need a PC and a lot of time. Open Hardware is a worthy goal but it's going to be a LOT trickier to pull off in the real world for mostly economic reasons. Furthermore hardware isn't protected by copyright for the most part. It's protected by patents and those are expensive. Worse once someone has one on a piece of kit they can basically shut down any open hardware that uses that idea for the next 20 years.

Re:Disagree

[Zocalo]

Sure it does. If you want to keep something quiet until you are ready to announce it, then you DO NOT tell any of the people who have a track record of spilling the beans. Regardless of where you personally stand on the idea of embargos and standing up for principles, Theo refused to go along with an embargo previously and it was quite likely that he wouldn't do so this time either. Google's Project Zero team presumably had discussions with Intel and select others they felt they could trust about what was required to address the problem and how long it would take, and that group collectively agreed on the original release date of January 9th, plus who else to notify and when. Clearly that larger group did not include anyone in the BSD camp.

Standing up for your principles can have a cost attached, and I suspect we've just seen what that was for Theo and the BSD developers.

Re:Disagree

[Freultwah]

You do realise that OpenBSD and FreeBSD are two different entities, right?

Not the same

[sjbe]

Of course, when Linux was new the argument was that an OS was just too big for a bunch of Free Software fans to manage.

You are making a false equivalency here. Making and distributing software is COMPLETELY different than making and distributing hardware. The economics could not be more dissimilar. The legal protections (patents vs copyright) are different. The amount of up front capital required is different. You can modify software after it has been release but you cannot do that with (most) hardware. Basically just because it worked out well for software is does not mean it will work out well for hardware. Hope for the best of course but it's likely to be a difficult nut to crack.

Only a big corporate structure could support development of anything as complex as an OS.

Ultimately that turned out to be true. Basically all the developers of linux and most other major OSS projects are employed at large tech firms (and a few large foundations) and are paid to maintain them. It isn't a bunch of hobbyists in their garages.

Open hardware is harder, but probably not impossible.

Not impossible but for non-trivial applications it appears pretty close to it. The obstacles are predominately economic ones and some legal ones and they aren't minor obstacles. I'm not about to hold my breath for patent reform anytime soon and the patent swamp is a real problem. And the economics of making and distributing hardware are immutable. I think Open Hardware is a very worthy goal but it's going to be quite the challenge.

Cost of outsourcing

[sjbe]

From a big picture perspective, the making of the hardware has already been detached from the design of the system.

Doesn't matter. You still have to make it and that still will cost money. Doesn't matter if you make it in house or if you hire someone else to do it. If doesn't matter if you have the secret formula for Coke, you still have to put sugar water in bottles and ship it somewhere which is expensive. It's FAR harder to bootstrap the funding for an open source hardware design than open source software.

Would a manufacturer take the risk of making a huge investment that relies on Open Source designs? They already do. Most mobile phones are entirely worthless without Android, an Open Source software.

You're conflating issues. You can already send an open source chip design to a chip fab or a hardware design to a contract manufacturer. My day job is general manager of a contract manufacturer (wire harnesses) so I'm more than passingly familiar. But just because you have outsourced production doesn't mean that the costs for it go away. Your analogy to Android is a meaningless one here.

Just because someone else makes it doesn't make the patent swamp go away. Open source software works precisely because how copyright law is written. The GPL and every other license basically only works because of copyright law. That doesn't apply to hardware. To protect hardware designs you have to get patents on the design and that costs serious money. Not only that you have to avoid infringing other companies patents which is not a trivial exercise when companies like IBM, Google, Apple, etc are getting thousands of new ones every year.

Companies that rely heavily on open source software can do so because they have an alternative revenue source. Typically service or engineering - sometimes ads. What is the alternative revenue source for open hardware? Service? Maybe but the revenue streams aren't quite as clear for open hardware. And even if they become clear it still doesn't solve the capital costs and patent issues.

I'm not saying it's impossible but it definitely will be difficult for open hardware to achieve the sort of success we've seen with open software.

Re:"I bet they were instructed to ignore the risk"

(Posting anon to protect myself.)

I was involved with Intel and their Curie module.

If you know how bad that was and how many silicon level bugs there were, well, at this point I think you would believe it.

They made a TV series from that chip (as a PR move). Just a year later, they EOLd the chip and now Mouser/etc have thousands of unsellable Curie chips that no one wants. Intel even removed all traces of their TV show event, as if it was an embarassment to them. Everyone that was part of that event left Intel, as far as I know.

The Intel CEO grabbed a lot of the glory of dealing with celebrities and just wanted to be on TV. I can tell you that people who worked that project were treated like crap, but the execs got TV time and glory.

The chip still sucked and its unsellable, now.

Intel gave up on IoT. They had to. They would not listen to anyone and of course they failed since this is not their core competancy.

Intel is now a joke. H1B's walk the hallways. And contractors, tons of contractors. What does that tell you, when they hire temps more than fulltime people?

I would not integrate with Intel chips, given what I've seen.